An SSL Incoming Provider
is leveraged and instantiated to create an SSL server socket to which Intradoc
clients (WCC UI, WCP etc) can connect, and whereby traffic is encrypted. The
provider can be configured with or without requiring client authentication (the
WCC UI Managed Server is a client of Content Server). When client
authentication is not required, the JAVA RIDC client making the connection to
the SSL server socket (Intradoc secure-socket port) does not need to present a
valid certificate. This mode is not very different from a normal, non-SSL
Intradoc connection. The main difference, however, is that traffic is encrypted
and cannot be viewed by packet capture, and so on, in the clear. Client
authentication means that the client must supply a valid SSL certificate signed
by an authority that is in the server's trust store.
Pre-requisites
1.
Oracle WebCenter Content (WCC) 12.2.1 is
installed
2.
WCC domain is created and all servers are
running.
3.
RIDC non-SSL port is configured and IDC is
running on 4444.
Steps:
1.
Create the SSL incoming socket provider of sslincoming provider type
Provider Name:
|
sslkeepaliveincomingprovider
|
Provider Description:
|
For RIDC over SSL
|
Provider Type:
|
sslincoming
|
Provider Class:
|
idc.provider.ssl.SSLSocketIncomingProvider
|
Provider Connection:
|
idc.provider.KeepaliveSocketIncomingConnection
|
Server Thread Class:
|
idc.server.KeepaliveIdcServerThread
|
Server Port:
|
4445
|
Request Client Authentication:
|
No
|
Require Client Authentication:
|
No
|
Keystore File Path:
|
/oracle/app/keystores/wcc_keystore.jks
|
Alias:
|
Dev1WCC
|
Truststore File Path:
|
/oracle/app/keystore/wcc_trust.jks
|
Note:
a. Please note that RIDC non-secure port and RIDC secure port should be different and must have required firewalls rules.
b. If you want client authentication then check the “Require Client
Authentication” from the SSL incoming provider. Then you must configure
keystore for your client.
|
2. Restart the WCC managed server. Make sure that sslincoming provider is in good state.
Once you finished with above steps, IDC server is configured
for RIDC secure (SSL) port and you can use idcs protocol for any client.
Verification:
1.
Check SSL is configured
openssl s_client -connect wcchost1:4445
CONNECTED(00000003)
depth=2 C = AU, ST = NSW, L = Sydney, O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza
depth=2 C = AU, ST = NSW, L = Sydney, O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza
verify error:num=19:self
signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=AU/ST=New South Wales/L=Sydney/O= O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza
0 s:/C=AU/ST=New South Wales/L=Sydney/O= O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza
2.
Check the IDC Service PING_SERVER
You will see output like:
<?hda version="12.2.1.2.0-2017-07-05 09:25:44Z-r155055" jcharset="UTF8" encoding="utf-8"?>
@Properties LocalData
IdcService=PING_SERVER
IsAllowAnonymous=1
IsJava=1
StatusMessage=You are logged in as ‘weblogic’.
3.
You can configure idcs connection url in any
RIDC client for example WCC UI app:
updateRIDCConnection('Oracle
WebCenter Content – Web UI',
'WccAdfServerConnection',connUrl='idcs://wcchost1:4445',
credUsername='sysadmin')
Hi,
ReplyDeleteWhile adding new sslincoming provider in WebCenter Content, It is giving below error though passing the correct password of Keystore file. Please suggest me how can I resolve it?
Could not create SSL context (Reason: !syJavaExceptionWrapper,java.io.IOException: Keystore was tampered with\, or password was incorrect!syJavaExceptionWrapper,java.security.UnrecoverableKeyException: Password verification failed)
Please help me to solve this.
Hi, I verified my KeyStore password and it was correct but still provider was giving error as KeyStore was tampered with \, password was incorrect. Actual issue here is, generation of KeyStore.jks file.
ReplyDeleteIn my case, Initially KeyStore.jks file was generated using openssl command. Now, tried to generate the KeyStore.jks and truststore.jks files using CertGen utility. SSL implementation got success and now we are able to create sslincoming provider in WebCenter Content now. Issue is solved.