Thursday, February 17, 2011

Setting up the Keystore for Message Protection

In order to sign and encrypt SOAP messages you must first create and configure the Web Services Manager keystore for a WebLogic domain. This keystore stores the public and private keys used to protect SOAP messages within the WebLogic domain. The default keystore is called "./default-keystore.jks" and can be found in the $MIDDLEWARE_HOME/user_projects/domain/base_domain/config directory. Oracle Web Services Manager (OWSM) does not use the WebLogic Server keystores that are used for SSL (DemoTrust.jks/DemoIdentity.jks); it has its own keystore, which by default is default-keystore.jks.

  • The signature and encryption keys are used to sign, verify, encrypt, and decrypt the SOAP messages.
  • The keystore configuration is domain wide: all Web services and Web service clients in the domain use this keystore.

To set up the keystore used by Web Services Manager follow these steps:
  1. Using Fusion Middleware Control, click WebLogic Domain, then Security, and then Security Provider Configuration.
    Click the plus sign (+) to expand the Keystore control near the bottom of the page, then click Configure.

  2. Use the keytool to create a Java keystore, using the following steps 
    1. Create a new private key and self-signed certificate. Use the -genkey option to create a private key; it also creates the keystore file if one does not exist. The following command generates an RSA key (signed with SHA1withRSA) under the alias mindtelligent in the mindtelligent.jks keystore. The remaining steps use the alias test and the keystore test.jks, so substitute the alias and file name you chose.
      keytool -genkey -alias mindtelligent -keyalg "RSA" -dname "CN=mindtelligent-d, dc=us,dc=mindtelligent,dc=com" -keystore mindtelligent.jks
      The keytool utility prompts for the needed key and keystore passwords. DSA keys are not supported by OWSM, so make sure you pass the parameter " -keyalg RSA " in the command.
    2. Display the keystore.
      The following command displays the contents of the keystore. It will prompt you for the keystore password.
      keytool -list -v -keystore test.jks
    3. Import a trusted CA certificate in the keystore.
      Use the -import command to import the certificate. The following command imports a trusted CA certificate into the test.jks keystore. It will create a new keystore if one does not exist. The keytool utility prompts for the needed password.
      keytool -import -alias aliasfortrustedcacert -trustcacerts -file trustedcafilename -keystore test.jks
    4. Generate a certificate request.
      Use the -certreq command to generate the request. The following command generates a certificate request for the test alias; the signature algorithm must be given by its JCA standard name, SHA1withRSA. The CA will return a certificate or a certificate chain.
      keytool -certreq -alias test -sigalg "SHA1withRSA" -file certreq_file -storetype jks -keystore test.jks
    5. Replace the self-signed certificate with the CA-issued certificate.
      You must replace the existing self-signed certificate with the certificate returned by the CA. To do this, use the -import command with the same alias. The following command replaces the self-signed certificate under the test alias in the test.jks keystore with the CA-issued certificate; the CA's own certificate must already be trusted in the keystore (step 3) so that keytool can establish the chain. The keytool utility prompts for the needed password.
      keytool -import -alias test -file trustedcafilename -keystore test.jks

  3. In the navigator pane, expand WebLogic Domain to show the domain for which you need to configure the keystore. Select the domain.
    (Figure 9-1 not reproduced here.)
  4. If it is not already enabled, click the Configure Keystore Management check box.
  5. Enter the path and name for the keystore that you created. By default, the keystore name is default-keystore.jks, but you can change this. However, you cannot change the keystore type; it must be JKS.
  6. Enter a password for the keystore and confirm it.
  7. Enter an alias and password for the signature and encryption keys. Confirm the passwords.
    The alias and password for the signature and encryption keys define the string alias and password used to store and retrieve the keys.
  8. Click OK to submit the changes.
    Note that all fields on this page require a restart of Oracle Enterprise Manager Fusion Middleware Control to take effect.

    Reference: Oracle Fusion Middleware documentation
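As an added sanity check (example code written for this post, not Oracle's or the original author's), the function below reads a keytool -list -v listing on stdin and confirms that the alias you will enter in step 7 is a private RSA key entry and, after step 5, is no longer self-signed. The alias names and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: check that ALIAS in a
# "keytool -list -v" listing read on stdin is a PrivateKeyEntry with an RSA key
# (OWSM does not support DSA); warns if its certificate is still self-signed.
check_owsm_alias() {
    awk -v want="$1" '
        /^Alias name: / { inblock = (substr($0, 13) == want); next }
        inblock && /^Entry type: / { etype = $3 }
        # only the first certificate of the chain belongs to the key itself
        inblock && /^Owner: /  && owner == ""  { owner = substr($0, 8) }
        inblock && /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        inblock && /Signature algorithm name: / && sigalg == "" {
            sub(/.*Signature algorithm name: /, ""); sigalg = $0
        }
        END {
            err = "/dev/stderr"
            if (etype == "") { print "alias " want " not found" > err; exit 1 }
            if (etype != "PrivateKeyEntry") { print want ": not a PrivateKeyEntry" > err; exit 1 }
            if (sigalg !~ /RSA$/) { print want ": key is not RSA (" sigalg ")" > err; exit 1 }
            if (owner == issuer) print "warning: " want " is still self-signed" > err
            exit 0
        }'
}
# Constructed sample listing in the layout keytool -list -v prints (trimmed).
sample_listing() {
    cat <<'EOF'
Alias name: mindtelligent
Entry type: PrivateKeyEntry
Owner: CN=mindtelligent-d, DC=us, DC=mindtelligent, DC=com
Issuer: CN=Example CA, O=Example
     Signature algorithm name: SHA1withRSA
Owner: CN=Example CA, O=Example
Issuer: CN=Example CA, O=Example
     Signature algorithm name: SHA1withRSA

Alias name: olddsa
Entry type: PrivateKeyEntry
Owner: CN=olddsa
Issuer: CN=olddsa
     Signature algorithm name: SHA1withDSA

Alias name: exampleca
Entry type: trustedCertEntry
Owner: CN=Example CA, O=Example
Issuer: CN=Example CA, O=Example
     Signature algorithm name: SHA1withRSA
EOF
}
sample_listing | check_owsm_alias mindtelligent && echo "mindtelligent OK"
```

Against a real keystore, run keytool -list -v -keystore default-keystore.jks and pipe the output into check_owsm_alias with the alias from step 7.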

The importkeystore command imports an entire keystore into another keystore: all entries from the source keystore, keys and certificates alike, are imported into the destination keystore with a single command. You can use it to import entries from a keystore of a different type. During the import, all new entries in the destination keystore keep the same alias names and protection passwords (for secret keys and private keys). If keytool cannot recover a private key or secret key from the source keystore, it prompts you for the key's password. If it detects a duplicate alias, it asks you for a new one; you can specify a new alias or let keytool overwrite the existing entry.
For example, to import entries from a normal JKS type keystore key.jks into a PKCS #11 type hardware based keystore, you can use the command:
keytool -importkeystore \
    -srckeystore key.jks -destkeystore NONE \
    -srcstoretype JKS -deststoretype PKCS11 \
    -srcstorepass changeit -deststorepass topsecret
The importkeystore command can also be used to import a single entry from a source keystore to a destination keystore. In this case, besides the options shown in the example above, you specify the alias you want to import with -srcalias. You can also give the destination alias, the protection password for the secret/private key and the destination protection password on the command line, so that the keytool command never asks a question. This makes it convenient to include a keytool command in a script file, like this (note that passwords given on the command line are visible in the shell history and in process listings; keytool also accepts them in the forms -srcstorepass:env VARIABLE or -srcstorepass:file FILENAME):
keytool -importkeystore \
    -srckeystore key.jks -destkeystore NONE \
    -srcstoretype JKS -deststoretype PKCS11 \
    -srcstorepass changeit -deststorepass topsecret \
    -srcalias myprivatekey -destalias myoldprivatekey \
    -srckeypass oldkeypass -destkeypass mynewkeypass \
    -noprompt

  • Delete a certificate from a Java keystore:
      keytool -delete -alias mydomain -keystore keystore.jks
  • Change a Java keystore password:
      keytool -storepasswd -new new_storepass -keystore keystore.jks

    For questions, comments and feedback please contact: Harvinder Singh Saluja
