Monday, October 30, 2017

How to configure a secure RIDC port in WebCenter Content?

An SSL Incoming Provider creates an SSL server socket to which Intradoc clients (WCC UI, WCP, etc.) connect, so that traffic on that connection is encrypted. The provider can be configured with or without requiring client authentication (the WCC UI managed server is itself a client of Content Server). When client authentication is not required, the Java RIDC client connecting to the SSL server socket (the Intradoc secure-socket port) does not need to present a valid certificate. This mode is not very different from a normal, non-SSL Intradoc connection; the main difference is that the traffic is encrypted and cannot be read in the clear from a packet capture. Client authentication means that the client must supply a valid SSL certificate signed by an authority that is in the server's trust store.
Pre-requisites:
1. Oracle WebCenter Content (WCC) 12.2.1 is installed.
2. The WCC domain is created and all servers are running.
3. The RIDC non-SSL port is configured and IDC is running on 4444.
Steps:
1. Create the SSL incoming socket provider of provider type sslincoming, with the following settings:

   Provider Name: sslkeepaliveincomingprovider
   Provider Description: For RIDC over SSL

   Provider Type: sslincoming
   Provider Class: idc.provider.ssl.SSLSocketIncomingProvider
   Provider Connection: idc.provider.KeepaliveSocketIncomingConnection
   Server Thread Class: idc.server.KeepaliveIdcServerThread
   Server Port: 4445

   Request Client Authentication: No
   Require Client Authentication: No

   Keystore File Path: /oracle/app/keystores/wcc_keystore.jks
   Alias: Dev1WCC
   Truststore File Path: /oracle/app/keystore/wcc_trust.jks

Note:
a. The RIDC non-secure port and the RIDC secure port must be different, and the required firewall rules must be in place for the secure port.
b. If you want client authentication, check “Require Client Authentication” on the SSL incoming provider. You must then configure a keystore for your client, holding a certificate signed by an authority in the server's truststore.

2. Restart the WCC managed server. Make sure that the sslincoming provider is in a good state.
Once you have finished the above steps, the IDC server is configured with a secure (SSL) RIDC port and you can use the idcs protocol from any RIDC client.
Verification:
1. Check that SSL is configured on the new port:
openssl s_client -connect wcchost1:4445

CONNECTED(00000003)
depth=2 C = AU, ST = NSW, L = Sydney, O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=AU/ST=New South Wales/L=Sydney/O= O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza

2. Call the IDC service PING_SERVER over the idcs connection.
You will see output like:
<?hda version="12.2.1.2.0-2017-07-05 09:25:44Z-r155055" jcharset="UTF8" encoding="utf-8"?>
@Properties LocalData
IdcService=PING_SERVER
IsAllowAnonymous=1
IsJava=1
StatusMessage=You are logged in as ‘weblogic’.

3. You can configure an idcs connection URL in any RIDC client, for example in the WCC UI application (WLST):

updateRIDCConnection('Oracle WebCenter Content – Web UI',
'WccAdfServerConnection',connUrl='idcs://wcchost1:4445',
credUsername='sysadmin')
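As an added example (not code from the original post), the following Java RIDC client connects over the idcs port configured above and runs PING_SERVER. The truststore and keystore paths, the alias and the environment variable names are assumptions; the keystore settings are only needed when the provider has Require Client Authentication set to Yes.

```java
import oracle.stellent.ridc.IdcClientException;
import oracle.stellent.ridc.IdcClientManager;
import oracle.stellent.ridc.IdcContext;
import oracle.stellent.ridc.model.DataBinder;
import oracle.stellent.ridc.protocol.ServiceResponse;
import oracle.stellent.ridc.protocol.intradoc.IntradocClient;
import oracle.stellent.ridc.protocol.intradoc.IntradocClientConfig;

public class SecureRidcPing {

    public static void main(String[] args) throws IdcClientException {
        IdcClientManager manager = new IdcClientManager();
        // idcs:// selects the SSL Intradoc protocol; 4445 is the secure port from step 1
        IntradocClient client = (IntradocClient) manager.createClient("idcs://wcchost1:4445");
        IntradocClientConfig config = client.getConfig();

        // Truststore holding the CA that signed the server certificate (assumed path).
        // Passwords are read from the environment rather than hard-coded (assumed variable names).
        config.setTrustManagerFile("/oracle/app/keystores/client_trust.jks");
        config.setTrustManagerPassword(System.getenv("RIDC_TRUST_PASS"));

        // Client keystore: required only when the provider has Require Client Authentication = Yes.
        // The certificate under this alias must be signed by a CA in the server's truststore.
        config.setKeystoreFile("/oracle/app/keystores/client_keystore.jks");
        config.setKeystorePassword(System.getenv("RIDC_KEYSTORE_PASS"));
        config.setKeystoreAlias("ridcclient");
        config.setKeystoreAliasPassword(System.getenv("RIDC_KEY_PASS"));

        // Intradoc trusts the user name asserted by the connection; the SSL layer
        // (and client authentication) is what protects that assertion on the wire.
        IdcContext userContext = new IdcContext("sysadmin");
        DataBinder binder = client.createBinder();
        binder.putLocal("IdcService", "PING_SERVER");

        ServiceResponse response = client.sendRequest(userContext, binder);
        try {
            DataBinder result = response.getResponseAsBinder();
            // Expected to match the verification step, e.g. "You are logged in as 'sysadmin'."
            System.out.println(result.getLocal("StatusMessage"));
        } finally {
            response.close();
        }
    }
}
```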

2 comments:

  1. Hi,

    While adding a new sslincoming provider in WebCenter Content, it gives the error below even though I am passing the correct password for the keystore file. Please suggest how I can resolve it.

    Could not create SSL context (Reason: !syJavaExceptionWrapper,java.io.IOException: Keystore was tampered with\, or password was incorrect!syJavaExceptionWrapper,java.security.UnrecoverableKeyException: Password verification failed)

    Please help me to solve this.

  2. Hi, I verified my keystore password and it was correct, but the provider was still giving the error "Keystore was tampered with, or password was incorrect". The actual issue here is the generation of the KeyStore.jks file.

    In my case, the KeyStore.jks file was initially generated using an openssl command. I then tried generating the KeyStore.jks and truststore.jks files using the CertGen utility. The SSL implementation succeeded and we are now able to create the sslincoming provider in WebCenter Content. The issue is solved.
