SOAP UI, WebService, Keystore, Certificate

Most of the time, we are dealing with secured web services that use certificates. I created just a simple step by step scenario to help you when you have to invoke an web service that has a certificate attached.

Solution:

Suppose we have files: SvapTestRootCA.crt and 2020MOBILETEST.pfx for authenticating a WebService.

Steps for configure SoapUI security (Windows Machine):

1. 1. Install SvapTestRootCA.crt

2. 2. In SoapUI, create a project named Vodafone. Open project and open tab Security Configurations. On Keystore/Certificates in the Source Add file2020MOBILETEST.pfx, with specified password that you have for this file = 2020MOBILETEST. Add also a default alias and a default password that matches your password from 2020MOBILETEST.pfx = 2020MOBILETEST.

In Output WS-Security Configurations add a new row with Name = 2020MOBILE and password = 2020MOBILETEST. Also, here add Signature , choose keystore 2020MOBILETEST.pfx, choose alias, enter password 2020MOBILETEST.

In SoapUI, configure Incoming WS-Security Configurations. Add row with Name=2020Mobile, decrypt Keystore=2020MOBILETEST.pfx, Signature Keystore=2020MOBILETEST.pfx, Password=2020MOBILETEST

3. 3. Add WSDL into SoapUI.

4. 4. Open the request, and at Authenticate set Outgoing WSS = 2020MOBILE and Incoming WSS = 2020Mobile. In the request, payload, click right and Outgoing WSS -> Apply 2020MOBILE.

5. 5. Execute the request.

Steps for configure WEBLOGIC Server:

1. Exporting the Different Certificates from PFX to PEM

Run the openssl binary from the <OpenSSL>/bin folder. It will start the OpenSSL command prompt. Execute the following command:

pkcs12 -in 2020MOBILETEST.pfx –out 2020MOBILETESTPEM.pem -nodes

This will convert the data in the 2020MOBILETEST.pfx file to the PEM format, placing the result in the 2020MOBILETESTPEM.pem file. The resulting file will have all the certificates in the following order:

  • Private key
  • Identity certificate
  • Root certificate
  • Intermediate certificate

Note that all the certificates (Private Key, Identity certificate, Root certificate, Intermediate certificate) are wrapped within some headers, and these headers are part of the certificates.

2. Creating the Trust Java Key Store

Now you need to extract the root certificate from the resulting PEM file and use it to create the Trust JKS:

  1. Open the 2020MOBILETESTPEM.pem file in a text editor, copy the root certificate and paste it to a new file, say SvapTestRootCA.pem. You can easily find the root certificate since its issuer and subject headers must be same.
  2. Use the Java key tool utility and import the above SvapTestRootCA.pem file to a JKS file:

keytool -import -trustcacerts -file SvapTestRootCA.pem -alias SvapTestRootCA

-keystore SvapTestRootCA.jks -storepass 2020MOBILETEST

The resulting JKS can be used as a Trust Key Store in WebLogic Server.

3. Creating the Identity Java Key Store

  1. From the 2020MOBILETESTPEM.pem file, copy the private key and paste it in different file, say 2020MOBILETEST.pem. It is very easy to identify the private key as it is wrapped with in the following two headers:

b. -----BEGIN RSA PRIVATE KEY-----

c.

d. -----END RSA PRIVATE KEY-----

  1. From the 2020MOBILETESTPEM.pem file, copy the following certificates and paste them in new text file, say SvapTestRootRCACRT.pem:
    • Identity certificate
    • Intermediate certificate
    • Root certificate

Note that the certificates must be in the order listed above. The identity certificate can be located easily in 2020MOBILETESTPEM.pem since there must be header that shows the identity--information such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the 2020MOBILETESTPEM.pem file.

  1. Now set the WebLogic environment and run following command:

g. java utils.ImportPrivateKey -keystore SvapVodafone.jks -storepass

2020MOBILETEST -storetype JKS -keypass 2020MOBILETEST -alias

SvapVodafone.jks -certfile SvapTestRootRCACRT.pem -keyfile 2020MOBILETEST.pem

-keyfilepass 2020MOBILETEST

This will create a JKS file that can be used in WebLogic Server. Note that you can import many private keys into a key store using the utils.ImportPrivateKey command as mentioned above.

4. Adding keystore and SSL weblogic

Weblogic console -> Admin server -> Keystores -> Change on Custom Identity and Custom Trust

Enter values for :

Custome Identity Keystore: <path>/SvapVodafone.jks

Custome Indetity keystore Type: JKS

Custom Identity Keystore Passphrase:2020MOBILETEST

Confirm Custom Identity Keystore Passphrase:

Custom Trust Keystore:<path>/SvapTestRootRCA.keystore

Custom Trust Keystore Type:JKS

Custom Trust Keystore Passphrase:2020MOBILETEST

Confirm Custom Trust Keystore Passphrase:2020MOBILETEST

Then enter SSL:

PrivateKey Alias: SvapVodafone

And password : 2020MOBILETEST

5. Restart admin server

6. Configure credential mappings

Weblogic Console -> Security Realms-> myrealm -> Credential Mapings >Providers

New Provider of type PKI Credential Mapping Provider and enter name SvapVdfProvider for it.

In Provider Specific enter values:

Keystore Type = JKS

Keystore File Name = <path>/SvapVodafone.jks

And password : 2020MOBILETEST

Save configuration.

7. Restart admin server

Configure OSB webservice console:

Create service key provider in your project and choose svapvodafone.jks as SSL Client Authentication Key: