By default, WebLogic Server is configured for one-way SSL: the server presents its identity certificate to the client, and the client verifies it. When the server also needs to authenticate the client, you use two-way SSL. In a two-way SSL connection, the client verifies the identity of the server and then presents its own identity certificate; the server validates that certificate against its trust keystore before completing the SSL handshake. Whether two-way SSL is used is decided by the server's configuration, not by the client.
If you need two-way SSL between SOA/OSB and an external application, follow these steps:
· Configuring two-way Inbound SSL
· Configuring two-way Outbound SSL
Prerequisites
1. A keystore has been configured for the SOA and OSB servers.
2. The identity certificate for the SOA server has been added to the identity keystore.
3. The public certificates of the partner have been added to the trust keystore.
Configuring two-way Inbound SSL
Change the following SSL properties for the SOA and OSB servers (shown here for SOA_server1; repeat for every managed server that accepts inbound SSL). The last column marks which settings one-way SSL already needs (1) and which are added for two-way SSL (2):

| Server      | Setting                      | Value                               | 1/2 way |
|-------------|------------------------------|-------------------------------------|---------|
| SOA_server1 | SSL Port Enabled             | True                                | 1       |
| SOA_server1 | SSL Port                     | 8002                                | 1       |
| SOA_server1 | Private Key Alias            | PRIVATE-KEY-ALIAS                   | 1       |
| SOA_server1 | Private Key Passphrase       | <Passphrase>                        | 1       |
| SOA_server1 | Use Server Certs             | Checked                             | 2       |
| SOA_server1 | Two Way Client Cert Behavior | Client Certs Requested And Enforced | 2       |

PRIVATE-KEY-ALIAS must be the alias under which the server's identity certificate was stored in the identity keystore (prerequisite 2). "Use Server Certs" makes the server present that same identity certificate as its client certificate when it initiates outbound SSL connections. "Client Certs Requested And Enforced" rejects any inbound SSL connection whose client does not present a certificate that validates against the trust keystore (prerequisite 3), so every client of this SSL port, not only the partner, must have one.
Once you have performed the steps above, two-way SSL for inbound connections is done: the server now requires a trusted client certificate on its SSL port.
Configuring two-way Outbound SSL
For a two-way outbound SSL connection (i.e. a SOA composite application invoking another application over SSL), perform the following additional steps so that the SOA infrastructure can open the identity keystore and present the server certificate to the partner:
1. Go to soa-infra -> SOA Administration -> Common Properties.
2. Click the link at the bottom of the page, "More SOA Infra Advanced Infrastructure Configuration Properties", and enter the full path of the SOA identity keystore in the value field of the KeyStoreLocation attribute.
3. Navigate to the domain -> Security -> Credentials.
4. Click Create Map. In the Map Name field, enter SOA, and click OK.
5. Click Create Key. Enter the following details, where the password is the password for the SOA identity keystore:
| Field       | Value                                            | Description                                                      |
|-------------|--------------------------------------------------|------------------------------------------------------------------|
| Select Map  | SOA                                              | Select the map created in the last step.                         |
| Key         | KeystorePassword                                 | Enter the key name (KeystorePassword is the default).            |
| Type        | Password                                         | Select Password.                                                 |
| User Name   | KeystorePassword                                 | Enter the keystore user name (KeystorePassword is the default).  |
| Password    | <Passphrase>                                     | Enter the password that you created for the keystore.            |
| Description | Keystore for Outbound Webservice binding via SSL | Description of the credential keystore.                          |

6. Restart the SOA managed servers.
Comments

Comment: what specific changes are needed in composite.xml?

Reply: Configure your SOA composite's partner link to use 2-way SSL.

Reply: You do this by modifying the composite.xml in your project: locate the partner link reference and add the property oracle.soa.two.way.ssl.enabled.

    <property name="weblogic.wsee.wsat.transaction.flowOption" type="xs:string" many="false">WSDLDriven</property>
    <property name="oracle.soa.two.way.ssl.enabled">true</property>

In OSB, you should have checked the HTTPS required flag in the proxy's transport configuration. After this, rebuild the composite jar file; it is then ready to deploy in the EM console later.
Reference: https://blogs.oracle.com/ateamsoab2b/entry/2_ways_ssl_between_soa