This again is one of the topic for which you will find lot of blogs and article that tells different steps to invoke a webservice over SSL. Some mentions adding a certificate in default-keystore.jks, some says about adding the certificates in cacerts.jks and others about enabling JSSE SSL. Basically confusion all over the place which one is correct and which step is irrelevant.
And so I decided to try it out and explain each of the step why it is required. Lets start then -
1. First you will be given a webservice or wsdl url which looks something like this -
https://abc.xyz.com/soa-infra/services/default/CreateAdvancedElectronicInvoiceSignatureReqABCS/CreateAdvancedElectronicInvoiceSignature?wsdl
2. To retrieve the certificate open this url in a browser say in IE. Click on a lock icon and then click on view certificates. Goto certification path. That will show the entire certificate chain usually like this -
Root certificate
SubCA certificate
LB/Server cerrtificate
3. Export each one of them by selecting and View Certificate > Details > Copy to File. Save them in "DER encoded binary X.509" format.
4. We are going to import all the certificates in WebLogic truststore because its a public key that we are importing as a trusted certificate which will be sent by WebLogic to the host server to establish SSL connection.
5. By default WebLogic uses DemoTrust.jks which can be found on /opt/oracle/middleware/wlserver_10.3/server/lib/DemoTrust.jks. Some blogs talks about importing certificates in cacerts or default-keystore.jks. But this is not required because cacerts is a java keystore and when weblogic has its own separate trust store then why to mix the things. Further default-keystore.jks is used to store the certificates required for message encryption and digital signature.
6.Import all the certificate in DemoTrust.jks as trusted certifcates using the command
keytool -importcert -alias ikeadt -trustcacerts -file /u01/deployment/Root.cer -keystore DemoTrust.jks
7. Next enable JSSE SSL from admin console for the SOA managed servers and then restart. JSSE is to allow WebLogic to support stronger cipher suite and MAC algorithm. If JSSE is not enabled then WebLogic will throw error - FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
8. Finally add the credential key under credential maps from EM console. The key name must be same as what used in csf-key value. Enter user name and password that will be used for authentication.
By following all the above steps you should be good to invoke a webservice over SSL. If there are question and queries or something you found not correct then shout out in comments !
And so I decided to try it out and explain each of the step why it is required. Lets start then -
1. First you will be given a webservice or wsdl url which looks something like this -
https://abc.xyz.com/soa-infra/services/default/CreateAdvancedElectronicInvoiceSignatureReqABCS/CreateAdvancedElectronicInvoiceSignature?wsdl
2. To retrieve the certificate open this url in a browser say in IE. Click on a lock icon and then click on view certificates. Goto certification path. That will show the entire certificate chain usually like this -
Root certificate
SubCA certificate
LB/Server cerrtificate
3. Export each one of them by selecting and View Certificate > Details > Copy to File. Save them in "DER encoded binary X.509" format.
4. We are going to import all the certificates in WebLogic truststore because its a public key that we are importing as a trusted certificate which will be sent by WebLogic to the host server to establish SSL connection.
5. By default WebLogic uses DemoTrust.jks which can be found on /opt/oracle/middleware/wlserver_10.3/server/lib/DemoTrust.jks. Some blogs talks about importing certificates in cacerts or default-keystore.jks. But this is not required because cacerts is a java keystore and when weblogic has its own separate trust store then why to mix the things. Further default-keystore.jks is used to store the certificates required for message encryption and digital signature.
6.Import all the certificate in DemoTrust.jks as trusted certifcates using the command
keytool -importcert -alias ikeadt -trustcacerts -file /u01/deployment/Root.cer -keystore DemoTrust.jks
7. Next enable JSSE SSL from admin console for the SOA managed servers and then restart. JSSE is to allow WebLogic to support stronger cipher suite and MAC algorithm. If JSSE is not enabled then WebLogic will throw error - FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
8. Finally add the credential key under credential maps from EM console. The key name must be same as what used in csf-key value. Enter user name and password that will be used for authentication.
By following all the above steps you should be good to invoke a webservice over SSL. If there are question and queries or something you found not correct then shout out in comments !
No comments:
Post a Comment