Monday, June 4, 2012

How Oracle WSM Locates Keystore And Key Passwords


Oracle WSM (Oracle Web Service Manager) expects keystore and key passwords to be stored in the Credential Store Framework (CSF) rather than in its own configuration. Here is how the lookup works.
  • A JKS keystore file is protected by a keystore password.
  • A keystore file consists of zero or more private keys and zero or more trusted certificates. Each private key has its own password (although it is common to set the key passwords to be the same as the keystore password). Oracle WSM needs to know both the keystore password and the key password of every private key it uses.
  • The CSF consists of many maps, each with a distinct name. Oracle WSM only uses the map oracle.wsm.security.
  • Inside each map is a mapping from multiple csf-key entries to corresponding credentials. A csf-key is just a simple name, but there can be many different types of credentials. The most common type of credential is a password credential which is primarily comprised of a username and a password.
    Oracle WSM refers to the following csf-keys inside the oracle.wsm.security map:
    • keystore-csf-key - This key should contain the keystore password. The username is ignored.
    • enc-csf-key - This key should contain the encryption key alias as the username, and the corresponding key password.
    • sign-csf-key - This key should contain the signature key alias as the username, and the corresponding key password.
    In addition to these csf-keys, you should add a csf-key entry for every new private key that you want Oracle WSM to use, for example when you want to specify signature and encryption keys in configuration overrides.
Figure 10-8 illustrates the relationship between the keystore configuration in the OPSS, the oracle.wsm.security map in the credential store, and the Oracle WSM Java keystore.

Figure 10-8 Oracle WSM Keystore Configuration for Message Protection
As shown in the figure:
  • The keystore.csf.map property points to the Oracle WSM map in the credential store that contains the CSF aliases. In this case keystore.csf.map is defined as the recommended name oracle.wsm.security, but it can be any value.
  • The keystore.pass.csf.key property points to the CSF alias keystore-csf-key that is mapped to the username and password of the keystore. Only the password is used; the username is redundant in the case of the keystore.
  • The keystore.sig.csf.key property points to the CSF alias sign-csf-key that is mapped to the username and password of the private key that is used for signing.
  • The keystore.enc.csf.key property points to the CSF alias enc-csf-key that is mapped to the username and password of the private key that is used for decryption.
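To make the two-level indirection concrete (keystore property -> csf-key in the map -> password credential), here is an added Python model of the lookup described in the list above and in Figure 10-8. It is illustration written for this page, not Oracle code: the dictionaries stand in for the OPSS keystore service properties and for the credential store, the property names and the three csf-key names are the documented ones, and the aliases, passwords and the hypothetical my-sign-csf-key override entry are constructed. The last function emits the WLST createCred command that would populate each entry in a real domain, which is how the map is normally seeded.

```python
"""Model of how Oracle WSM resolves keystore and key passwords via the CSF.

Added illustration, not Oracle code.  The nested dicts below stand in for
jps-config.xml keystore service properties and for the credential store;
the sample aliases and passwords are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordCredential:
    """A CSF password credential: username plus password."""
    username: str
    password: str


@dataclass(frozen=True)
class KeyRef:
    """What WSM needs for one private key: its alias and its key password."""
    alias: str
    password: str


class CsfLookupError(LookupError):
    """Raised when a map or csf-key named by the configuration does not exist."""


def lookup_credential(csf, map_name, csf_key):
    """Two-level CSF lookup: map name -> csf-key -> PasswordCredential."""
    try:
        return csf[map_name][csf_key]
    except KeyError:
        raise CsfLookupError(
            f"no credential for key '{csf_key}' in map '{map_name}'") from None


def resolve_keystore_password(config, csf):
    """keystore.pass.csf.key names the csf-key holding the keystore password.
    Only the password is used; the username stored with it is ignored."""
    cred = lookup_credential(csf, config["keystore.csf.map"],
                             config["keystore.pass.csf.key"])
    return cred.password


def resolve_key(config, csf, property_name, overrides=None):
    """keystore.sig.csf.key / keystore.enc.csf.key -> KeyRef(alias, password).
    The credential's username is the key alias, its password the key password.
    A policy configuration override may point the property at another csf-key,
    which must then also exist in the map (otherwise CsfLookupError)."""
    csf_key = (overrides or {}).get(property_name, config[property_name])
    cred = lookup_credential(csf, config["keystore.csf.map"], csf_key)
    return KeyRef(alias=cred.username, password=cred.password)


def check_keystore_alignment(config, csf, keystore_aliases, overrides=None):
    """Return (property, alias) pairs whose alias is not in the JKS keystore.
    A username in sign-csf-key/enc-csf-key that matches no keystore alias is
    the classic misconfiguration: the password is found, the key is not."""
    missing = []
    for prop in ("keystore.sig.csf.key", "keystore.enc.csf.key"):
        ref = resolve_key(config, csf, prop, overrides)
        if ref.alias not in keystore_aliases:
            missing.append((prop, ref.alias))
    return missing


def wlst_create_cred(map_name, csf_key, cred):
    """The OPSS WLST command that creates this entry in the domain credential store."""
    return (f'createCred(map="{map_name}", key="{csf_key}", '
            f'user="{cred.username}", password="{cred.password}")')


# Constructed sample data mirroring Figure 10-8 (not from a real domain).
SAMPLE_CONFIG = {
    "keystore.type": "JKS",
    "location": "./default-keystore.jks",
    "keystore.csf.map": "oracle.wsm.security",
    "keystore.pass.csf.key": "keystore-csf-key",
    "keystore.sig.csf.key": "sign-csf-key",
    "keystore.enc.csf.key": "enc-csf-key",
}
SAMPLE_CSF = {
    "oracle.wsm.security": {
        "keystore-csf-key": PasswordCredential("keystore", "ks-secret"),
        "sign-csf-key": PasswordCredential("orakey", "key-secret"),
        "enc-csf-key": PasswordCredential("orakey", "key-secret"),
        # hypothetical extra entry for a per-policy configuration override
        "my-sign-csf-key": PasswordCredential("client-sign", "client-secret"),
    }
}
SAMPLE_KEYSTORE_ALIASES = {"orakey", "client-sign"}  # aliases in the JKS file

if __name__ == "__main__":
    print("keystore password:", resolve_keystore_password(SAMPLE_CONFIG, SAMPLE_CSF))
    print("signing key:", resolve_key(SAMPLE_CONFIG, SAMPLE_CSF, "keystore.sig.csf.key"))
    print("missing aliases:", check_keystore_alignment(SAMPLE_CONFIG, SAMPLE_CSF, {"orakey"},
          {"keystore.sig.csf.key": "my-sign-csf-key"}))
    for key, cred in SAMPLE_CSF["oracle.wsm.security"].items():
        print(wlst_create_cred("oracle.wsm.security", key, cred))
```

The alignment check is the part worth keeping in a real deployment script: WSM will happily read a password from sign-csf-key whose username names an alias that was never imported into the keystore, and the failure only shows up at signing time.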
