Thursday, April 7, 2016

Configuring Two-way SSL for Oracle SOA Suite

By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). When the server needs to authenticate the client, you use two-way SSL. In a two-way SSL connection, the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake. The server determines whether or not two-way SSL is used.

If you need to use two-way SSL between SOA/OSB and an external application, follow these steps:
- Configuring two-way Inbound SSL
- Configuring two-way Outbound SSL

Prerequisites

1.    Keystores have been configured for the SOA and OSB servers.
2.    The identity certificate for the SOA server has been added to the Identity Key Store.
3.    The public certificates of the partner have been added to the Trust Key Store.

Configuring two-way Inbound SSL
Change the following SSL properties for the SOA and OSB servers (the last column shows whether the setting is needed for one-way (1) or two-way (2) SSL):


Property (SOA_server1)       | Value                               | 1/2 way
-----------------------------|-------------------------------------|--------
SSL Port Enabled             | True                                | 1
SSL Port                     | 8002                                | 1
Private Key Alias            | PRIVATE-KEY-ALIAS                   | 1
Private Key Passphrase       | <Passphrase>                        | 1
Use Server Certs             | Checked                             | 2
Two Way Client Cert Behavior | Client Certs Requested And Enforced | 2

Once you have performed the steps above, two-way SSL for inbound connections is configured.

Configuring two-way Outbound SSL

For a two-way outbound SSL connection (i.e. a SOA composite application invoking another application), perform the following additional steps:
1.    Go to soa-infra -> SOA Administration -> Common Properties.
2.    Click the link at the bottom of the page, "More SOA Infra Advanced Infrastructure Configuration Properties", and enter the full path of the SOA identity keystore in the Value field of the KeyStoreLocation attribute.

3.    Now navigate to the domain -> Security -> Credentials.
4.    Click Create Map. In the Map Name field, enter SOA, and click OK.
5.    Click Create Key. Enter the following details, where the password is the password for the SOA identity keystore.

Field       | Value                                            | Description
------------|--------------------------------------------------|------------------------------------------------------------------
Select Map  | SOA                                              | Select the map created in the previous step.
Key         | KeystorePassword                                 | Enter the key name (KeystorePassword is the default).
Type        | Password                                         | Select Password.
User Name   | KeystorePassword                                 | Enter the keystore user name (KeystorePassword is the default).
Password    | <Passphrase>                                     | Enter the password that you created for the keystore.
Description | Keystore for Outbound Webservice binding via SSL | Description of the credential keystore.

6.    Restart the SOA managed servers.
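The same settings as a WLST script, added here as an example that is not part of the original post: it applies the inbound properties from the table above to each managed server and creates the SOA/KeystorePassword credential from the outbound steps (the KeyStoreLocation property is still set in EM as in step 2). The admin URL, admin user, server names and SSL ports are assumed placeholders, and the passwords are read from the command line rather than stored in the script.

```jython
# Added example (not from the original post): WLST (Jython) script that
# configures inbound two-way SSL on the SOA/OSB managed servers and creates
# the OPSS credential used by outbound SSL bindings.
# Run as:  java weblogic.WLST two_way_ssl.py <adminpw> <keypassphrase> <keystorepw>
import sys

ADMIN_URL  = 't3://adminhost:7001'                       # assumed admin server URL
ADMIN_USER = 'weblogic'                                  # assumed admin user
SERVERS    = {'soa_server1': 8002, 'osb_server1': 8012}  # assumed names and SSL ports
KEY_ALIAS  = 'PRIVATE-KEY-ALIAS'                         # alias in the identity keystore

if len(sys.argv) != 4:
    print 'usage: java weblogic.WLST two_way_ssl.py <adminpw> <keypassphrase> <keystorepw>'
    sys.exit(1)
admin_pw, key_pass, keystore_pw = sys.argv[1], sys.argv[2], sys.argv[3]

connect(ADMIN_USER, admin_pw, ADMIN_URL)
edit()
startEdit()
for name, port in SERVERS.items():
    cd('/Servers/%s/SSL/%s' % (name, name))
    # one-way settings (column "1" in the table)
    cmo.setEnabled(true)                         # SSL Port Enabled
    cmo.setListenPort(port)                      # SSL Port
    cmo.setServerPrivateKeyAlias(KEY_ALIAS)      # Private Key Alias
    cmo.setServerPrivateKeyPassPhrase(key_pass)  # Private Key Passphrase
    # two-way settings (column "2" in the table)
    cmo.setUseServerCerts(true)                  # Use Server Certs
    cmo.setTwoWaySSLEnabled(true)                # Two Way Client Cert Behavior:
    cmo.setClientCertificateEnforced(true)       #   Client Certs Requested And Enforced
save()
activate(block='true')

# Outbound SSL: credential map SOA, key KeystorePassword (OPSS createCred command)
createCred(map='SOA', key='KeystorePassword', user='KeystorePassword',
           password=keystore_pw,
           desc='Keystore for Outbound Webservice binding via SSL')
disconnect()
```

The SSL changes take effect only after the managed servers are restarted, as in step 6.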


2 comments:

  1. What specific changes are needed in composite.xml?

  2. Configure your SOA composite's partner link to use 2-way SSL.

    You do this by modifying the composite.xml in your project: locate the partner link reference and add the property oracle.soa.two.way.ssl.enabled.


    <!-- The surrounding XML was stripped when this comment was posted; the
         binding.ws wrapper (port/location are placeholders) and the name of
         the property that carries WSDLDriven
         (weblogic.wsee.wsat.transaction.flowOption) are reconstructed here. -->
    <binding.ws port="..." location="...">
      <property name="weblogic.wsee.wsat.transaction.flowOption">WSDLDriven</property>
      <property name="oracle.soa.two.way.ssl.enabled">true</property>
    </binding.ws>


    In OSB, you should have checked the HTTPS required flag in the proxy's transport configuration. After this, rebuild the composite jar file, and it is ready to deploy in the EM console later.

    Reference: https://blogs.oracle.com/ateamsoab2b/entry/2_ways_ssl_between_soa
