Configuring Security

This topic includes the following sections:

• Configuring the SSL Protocol and Mutual Authentication

• Configuring Access Control Lists for WebLogic Integration

• Configuring Security for the WebLogic Integration B2B Engine

• Configuring Trading Partner Security

• Configuring Message Encryption

• Configuring Digital Signatures for Nonrepudiation

• Customizing the WLCCertAuthenticator Class

• Configuring a Certificate Verification Provider Interface

• Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server

• Configuring WebLogic Integration with a Web Server and a WebLogic Proxy Plug-In

• Configuring Business Process Management Access to the WebLogic Integration Repository

• Configuring Server-Side Authentication

Before you configure B2B security, make sure you have configured your Keystores as described in Configuring the Keystore. For general information about configuring WebLogic Integration, see Basic Configuration Tasks in Administering B2B Integration.

 

---

Configuring the SSL Protocol and Mutual Authentication

To configure WebLogic Server to use the SSL protocol and mutual authentication, complete the following steps:

1. Obtain a digital certificate for WebLogic Server, as described in Configuring the SSL Protocol in Managing WebLogic Security at the following URL:

   http://download.oracle.com/docs/cd/E13222_01/wls/docs70/secmanage/ssl.html 

2. Start the WebLogic Server Administration Console, as described in "Starting the WebLogic Server Administration Console" in WebLogic Integration Design and Administration Tools in Starting, Stopping, and Customizing BEA WebLogic Integration.

3. In the navigation tree (in the left pane) of the WebLogic Server Administration Console, choose Servers—>myserver for the domain you are configuring, as shown in the following figure.

   Figure 4-1 Choosing a Domain

   
    

   The Configuration page for WebLogic Server is displayed, as shown in the following figure.

   Figure 4-2 WebLogic Server Administration Console Configuration Page

   
    

4. Select the Connections tab. The following page is displayed.

   Figure 4-3 Connections Page

   
    

5. Select the SSL tab to display the Secure Sockets Layer (SSL) configuration page, shown in the following figure.

   Figure 4-4 SSL Configuration Page

   
    

6. The following table describes the information that you enter on the SSL configuration page.

   Table 4-1 SSL Configuration Page Fields  

   Field	Description
   Enabled check box	Enables SSL connections between WebLogic Integration and trading partners.
   Listen Port Enabled check box	Enables use of the SSL protocol on the default port (7002) on the server. You can change the port on which WebLogic Server listens for SSL connections by setting the Listen Port attribute.
   Listen Port	Specifies the dedicated port on which WebLogic Integration listens for SSL connections.
   Server Private Key Alias	Alias for the keystore entry for a server private key.
   Server Private Key Passphrase	Specifies a passphrase for a key in the keystore. (A passphrase is required for every key. In addition, you may also assign a passphrase to the keystore itself.)
   Server Certificate File Name	Specifies the full pathname of the digital certificate for WebLogic Server. This location is also known as the root certificate authority, or root CA.
   Client Certificate Enforced check box	Enables mutual authentication between WebLogic Integration and trading partners accessing WebLogic Integration resources.
   Cert Authenticator	Specifies the certificate authenticator to be used to determine the validity of the trading partner digital certificate.
   Client Certificate Enforced check box	Enables mutual authentication between WebLogic Integration and trading partners accessing WebLogic Integration resources.

   
    

 

---

Configuring Access Control Lists for WebLogic Integration

The access control list (ACL) for a WebLogic Integration resource determines whether a user or group can access that resource. To define ACLs, you do the following:

1. In the WebLogic Server Administration Console, click Create a new ACL and specify the name of the resource.

2. Specify the permission for the resource.

3. Grant the permission to a specified set of users and groups.

For complete information about defining ACLs, see "Defining ACLs in the Compatibility Realm" in Using Compatibility Security in Managing WebLogic Security at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs70/secmanage/security6.html

For a B2B resource, one or more permissions can be granted.

The sample configuration shipped with WebLogic Integration provides a pre-set ACL for the JDBC connection pool. In this ACL, three permissions are set for the wlcSamplesUser user on this resource: reserve, shrink, and reset.

The following steps provide an example of the procedure you must complete to change the ACL permissions. In this example, we adjust the reset permissions on the JDBC connection pool in the domain WLIdomain:

1. Configure and start the instance of WebLogic Server in the WLI domain. For instructions, see "Configuring and Starting Domains" in Getting Started in Starting, Stopping, and Customizing BEA WebLogic Integration.

2. Start the WebLogic Server Administration Console, if it is not already running. (The default system administrator in WLIdomain has the username system and the password security.)

3. In the navigation tree, choose 6.x Security—>ACLs.

   Figure 4-5 Choosing ACLs in the Navigation Tree

   
    

   The Access Control Lists configuration page is displayed. The ACLs configured for WebLogic Server are listed on this page.

4. Find the row containing the entry for the WebLogic Integration JDBC connection pool ACL, as shown in the following figure.

   Figure 4-6 ACL for the JDBC Connection Pool

   
    

   
    

5. In the Permissions column of that row, click the reset link. A dialog box in which you can adjust the reset permission on the JDBC connection pool ACL is displayed, as shown in the following figure.

   Figure 4-7 ACL Dialog Box

   
    

6. To provide reset permissions for a user or group, enter the name of the user or group in the appropriate field, and click Apply. To remove reset permissions from any of the Grantees listed in the dialog box, select the appropriate user or group name, and click Apply.

For more information about access control lists, see "Defining ACLs in the Compatibility Realm" in Using Compatibility Security in Managing WebLogic Security at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs70/secmanage/security6.html

 

---

Configuring Security for the WebLogic Integration B2B Engine

The WebLogic Integration repository contains security information about the WebLogic Integration security system and the trading partners that access B2B resources. You can configure repository information either by using the WebLogic Integration B2B Console, or by specifying the information in a data file that you then import into the repository using the Bulk Loader.

Note: Before importing a WebLogic Integration 2.1 or WebLogic Integration 2.1 SP1 repository data file into the WebLogic Integration 7.0 repository, you must change the system-password attribute of the WLC element in the repository data file to reflect the current password of wlisystem. For more information about migrating the repository, see "Step 12. Start and Test Your WebLogic Integration Application" in Migrating WebLogic Integration 2.1 to WebLogic Integration 7.0 in BEA WebLogic Integration Migration Guide.

For the B2B security system, you need to configure the following as required:

• B2B system password

• Audit log class

• Certificate verification class

• Secure timestamp class

• Certificate authority directory

To configure these entities in the B2B security system, complete the following steps:

1. Start the B2B Console.

2. In the main pane of the B2B Console, click the link under WebLogic Integration, as shown in the following figure.

   Figure 4-8 WebLogic Integration B2B Console Main Window

   
    

   The B2B configuration tabs are displayed, as shown in the following figure.

   Figure 4-9 B2B Configuration Tabs

   
    

3. Select the Security tab. The Security configuration page for the WebLogic Integration system is displayed, as shown in the following figure.

   Figure 4-10 WebLogic Integration Security Configuration Page

   
    

4. The following table describes the fields in the Security tab of the Configuration panel that you may need to configure. Note that the new configuration takes effect after the WebLogic Integration system is restarted.

   Table 4-2 Configuring the WebLogic Integration Security System  

   Field	Description
   System Password	Password for the WebLogic Integration system user. This password is set when you install the WebLogic Integration software; by default, it is wlisystem. However, if you want to change it, you can enter a new password in this field.
   Audit Log Class	Java class that implements audit logging, which is used for nonrepudiation. You can use the audit log to reconstruct the sequence of events that have occurred during a conversation, along with the data exchanged. Depending on how you configure the audit log, the audit log may store each business message exchanged among trading partners along with digital signatures, timestamps, and other data. For more information about auditing, see Secure Audit Log Service.
   Certificate Verification Class	Java class that calls out to software that verifies that a digital certificate submitted by a remote trading partner is valid. This class can call out to either the Online Certificate Status Protocol (OCSP) application that WebLogic Integration provides, or certificate verification provider software that you obtain from a trusted security vendor. For more information about the certificate verification class, see Trading Partner Certificate Verification.
   Secure Timestamp Class	Java class that provides secure timestamping of business messages exchanged among trading partners. Timestamping is used for nonrepudiation. For more information about secure timestamping, see Secure Timestamp Service.
   Certificate Authority Directory	Location that contains the Certificate Authorities of all the trading partner certificates configured in the WebLogic Integration repository.

   
    

 

---

Configuring Trading Partner Security

Configuring trading partner security involves setting the following for each trading partner:

• Certificates

• Transport security properties

• Document exchange security

• Delivery channel security

The following subsections describe how to configure trading partner security for each of these components.

Note: If you use the Bulk Loader to import data into the WebLogic Integration repository, the WebLogic Server users that represent each trading partner configured in the repository are not automatically created. You need to create these WebLogic Server users manually. For more information, see Working with the Bulk Loader in Administering B2B Integration.

Configuring Trading Partner Certificates

WebLogic Integration provides a means to configure the following trading partner certificates.

Table 4-3 Trading Partner Certificates Configured in WebLogic Integration

Certificate	Description
Client certificate	Digital certificate of the remote or local trading partner. Configuring the client certificate is required when using the SSL protocol. Certificate is: Type X.509 version 1 or 3 Privacy Enhanced Mail (PEM) or Definite Encoding Rules (DER) encoded. (The filename extension specifies the encoding type: .pem or .der.) Required for all trading partner types when HTTPS with mutual authentication is used. Private Key is: PEM or DER encoded. (The filename extension specifies the encoding type: .pem or .der.) Required only for local trading partner type Password-protected or plain text Note: When importing a plain-text private key using the B2B Console, use the password of the private keystore.
Server certificate	Digital certificate of the remote trading partner. Configuring the server certificate is required when using the SSL protocol. Certificate is: Type X.509 version 1 or 3 PEM or DER encoded. (The filename extension specifies the encoding type: .pem or .der.) Required for remote trading partner types when HTTPS is used with mutual authentication
Signature certificate	Certificate required of each trading partner if digital signature support, a requirement for nonrepudiation, is configured for the e-market. For a description of digital signature support, see Digital Signature Support. Certificate is: Type X.509 version 1 or 3 DER encoded Read by using the RSA CertJ package Required for all trading partner types that use a digital signature service Private Key is: Presented only in PKCS8 format Always password-protected. (You specify the password as a system property in the startWeblogic script.)
Encryption certificate	Certificate required of each trading partner when business message encryption is configured for the e-market. Note that encryption support is available only with the RosettaNet protocols. For a description of message encryption, see Configuring Message Encryption. Certificate is: Type X.509 version 1 or 3 DER encoded Read by using the RSA CertJ package Required for all trading partner types that use an encryption service Private Key is: Presented only in PKCS8 format Always password-protected. (You specify the password as a system property in the startWeblogic script.)

 

Note the following general rules about configuring trading partner certificates:

• Each trading partner may have one client certificate and an unlimited number of encryption and signature certificates. A remote trading partner also has a server certificate for the system on which it is hosted. The name of this server certificate must be specified when you configure that trading partner.

• For each certificate, there is a trading partner type: Local or Remote. The contents of each certificate configuration tab depends on the trading partner type. For example, the tab for configuring a remote trading partner does not contain fields for entering information about private keys because information about private keys should be set only for local trading partners.

• For local trading partners, you do not configure a server certificate.

• When configuring a local trading partner, you do not need to provide a WebLogic Server username for that trading partner. The one exception to this rule is if the local trading partner is a trading partner lightweight client.

• Passwords are required for all private keys for signature and message encryption certificates for a local trading partner. The password for the private key is set when the certificate is imported into the keystore. At run time the password for the private key must match the one specified during the import. The private key password is specified as a system property on the java command line.

The following example shows the java command that starts WebLogic Server for the Hello Partner sample application:

%JAVA_HOME%\bin\java -classic -ms64m -ms64m -classpath %START_WL_CLASSPATH%
 -Dbea.home=%BEA_HOME% -Dweblogic.home=%WL_HOME%
 -Dweblogic.system.home=%WLC_SAMPLES_HOME% -Dweblogic.Domain=samples
 -Dweblogic.management.password=%SYSTEM_PASSWORD%
 -Dweblogic.Name=myserver
 -Djava.security.policy=%WL_HOME%\lib\weblogic.policy
 -DKey.certificate-name.password=%PASSWORD% weblogic.Server

In the preceding example, certificate-name represents the name of the certificate for which a private key password is being specified, and %SYSTEM_PASSWORD% and %PASSWORD% represent values of those two environment variables.

Note: We recommend that you set passwords in environment variables, rather than hard-coding the passwords into scripts, such as startWeblogic. When environment variables are used, the scripts obtain the values for the passwords from the environment in which the scripts run.

To configure trading partner certificates, complete the following steps:

1. Display the main trading partner configuration page, which you can do in one of two ways:

   • Click Trading Partners in the navigation tree of the B2B Console.

     Figure 4-11 Trading Partners Entry in the Navigation Tree

     
      

   • Click the Trading Partners link in the right pane.

     Figure 4-12 Accessing the Trading Partners Configuration Page

     
      

   The main Trading Partners configuration page, on which you can add, modify, and remove trading partners, is shown in the following figure.

   Figure 4-13 Main Trading Partners Configuration Page

   
    

Note: In the instructions that follow, we assume the following:

• The trading partner has already been created and, with the exception of security parameters, it has been configured. For complete details about configuring trading partners, see Basic Configuration Tasks in Administering B2B Integration.

• If you are using a keystore for storing trading partner certificates, we assume that you have created and configured the required keystores on the local system, as explained in Configuring the Keystore.

2. Click the name of the trading partner for which you want to add certificates. The General configuration page for that trading partner is displayed, as shown in the following figure.

   Figure 4-14 General Configuration Page for Trading Partner

   
    

3. Select the Certificates tab. The page on which you configure trading partner certificates is displayed, as shown in the following figure.

   Figure 4-15 Trading Partner Certificates Configuration Page

   
    

   The Certificates page allows you to assign available certificates to each certificate type you are configuring for a trading partner, or to add new certificates for the trading partner.

4. To add a new trading partner certificate, select Create a New Certificate. The page on which you add a new trading partner certificate is displayed, as shown in the following figure.

   Figure 4-16 Adding a New Trading Partner Certificate

   
    

5. To configure each trading partner certificate, complete the steps listed in the following table.

   Table 4-4 Configuring Trading Partner Certificates  

   To configure . . .	Complete the following steps . . .
   Client certificate	If you are configuring a local or remote trading partner: 1. In the Certificate Type selection box, select Client Certificate. 2. In the Certificate Name field, enter the name of the client certificate. 3. In the Certificate Location field, enter the pathname of the client certificate on your WebLogic Integration machine. 4. In the Private Key Location field, enter the pathname, on your WebLogic Integration machine, of the local trading partner's private key. (This step applies only to local trading partners.) 5. Click Add/Apply to add the certificate to the WebLogic Integration repository. 6. Select the check the box for Save Certificate to Keystore. The certificate is added to the private keystore. Note: You may configure only one client certificate for a given trading partner.
   Server certificate	If you are configuring a remote trading partner: 1. In the Certificate Type selection box, select Server Certificate. 2. In the Certificate Name field, enter the name of the server certificate for the remote trading partner's WebLogic Integration system. 3. In the Certificate Location field, enter the pathname, on your machine, of the trading partner's server certificate. 4. Click Add/Apply to add the certificate to the WebLogic Integration repository. 5. Select the check box for Save Certificate to Keystore to add the certificate to the private keystore. Note: You may configure only one server certificate for a given remote trading partner.
   Signature certificate	For trading partners using digital signature support: 1. In the Certificate Type selection box, select Signature Certificate. 2. In the Certificate Name field, enter the name of the signature certificate. 3. In the Certificate Location field, enter the pathname, on your machine, of the signature certificate. 4. In the Private Key Location field, enter the pathname, on your machine, for the local trading partner private key. (This step applies only to local trading partners.) 5. Click Add/Apply to add the certificate to the WebLogic Integration repository. 6. Select the check box for Save Certificate to Keystore to add the certificate to the private keystore. Note: You may configure multiple signature certificates for a given trading partner.
   Encryption certificate	For trading partners using RosettaNet-based business message encryption: 1. In the Certificate Type selection box, select Encryption Certificate. 2. In the Certificate Name field, enter the name of the encryption certificate. 3. In the Certificate Location field, enter the pathname, on your machine, of the encryption certificate. 4. In the Private Key Location field, enter the pathname, on your machine, of the local trading partner's private key. (This step applies only to local trading partners.) 5. Click Add/Apply to add the certificate to the WebLogic Integration repository. 6. Select the check box for Save Certificate to Keystore to add the certificate to the private keystore. Note: You may configure multiple encryption certificates for a given trading partner.

   
    

Notes: When you create a trading partner in WebLogic Integration, a WebLogic Server user is created for that trading partner at run time, with a username that you specify. When you delete a trading partner from the WebLogic Integration repository, however, the corresponding WebLogic Server user is not automatically deleted. When you delete a trading partner, be sure that you also manually delete the corresponding WebLogic Server user.

For a list of resources that you might find helpful in managing WebLogic Integration B2B resources, visit BEA dev2dev Online at the following URL:

http://dev2dev.bea.com/index.jsp

Here you can find links to sites that provide useful utilities, such as tools for manipulating digital certificates and private keys.

Configuring a Secure Transport

When you configure a transport for a trading partner, you bind the trading partner's transport to a transport security protocol. For example, if a trading partner is configured to use SSL certificates, you must bind that trading partner's transport to a transport protocol that uses SSL. When a secure transport is configured, the client certificate is used for outbound SSL. Because WebLogic Integration allows only one client certificate, there is no need to select the client certificate while configuring a secure transport.

To configure a secure transport for a trading partner, complete the following steps:

1. Select the Transport tab. The Transport configuration page is displayed. The top of this page is shown in the following figure.

   Figure 4-17 Trading Partner Transport Configuration Page

   
    

2. Enter the information described in the following table.

   Table 4-5 Configuring the Trading Partner Transport  

   Field	Description
   Transport Name	The name of the trading partner transport. You can enter a name, or choose from the list of available transports displayed in the box labeled Available Transports. Note that each of the available transports has a security protocol bound to it, so if you choose from this list, the transport and security protocols are set automatically. For more information about specifying the transport name, see the online help for the Transport tab by clicking the question mark in the upper right.
   Transport Protocol	The security protocol for the transport. You can choose between HTTP-1.1 and HTTPS-1.1. The HTTPS-1.1 protocol uses SSL. Note that if you choose HTTPS-1.1, the security protocol is displayed in the nonmodifiable field labeled Security Protocol.
   URI Endpoint	The URI for the transport on the trading partner's B2B system. To specify the URI endpoint, you can enter a URI in this field, or choose from one of the available URIs displayed in the box below this field. When you enter the URI endpoint, click Set, to establish the URI, or Remove, to clear an existing entry in the URI Endpoint field. For more information about specifying the URI endpoint, see the online help for the Transport tab by clicking the question mark in the upper right.

   
    

3. Click Add/Apply.

Configuring a Secure Delivery Channel

When you configure a trading partner's delivery channel, you have the option of making the delivery channel secure by binding it to the secure transport configured in Configuring a Secure Transport.

To configure a secure channel, complete the following steps:

1. Select the Delivery Channels tab. The Delivery Channels configuration page is displayed, as shown in the following figure.

   Figure 4-18 Trading Partner Delivery Channels Configuration Page

   
    

2. Enter the information described in the following table.

   Table 4-6 Configuring a Trading Partner Delivery Channel  

   Field	Description
   Delivery Channel Name	The delivery channel name. You can enter a name in this field, or choose from the delivery channels listed in the Available Delivery Channels box below. For more information about specifying a delivery channel name, see the online help for the Delivery Channels page by clicking the question mark in the upper right.
   Transport	The name of the transport configured in the trading partner transport tab. This field gives you an opportunity to bind the delivery channel to a transport that you secured when configuring the transport properties, as described in Configuring a Secure Transport.
   Document Exchange	The name of the document exchange to which you want to bind the delivery channel. For more information about binding a document exchange to a delivery channel, see the online help for the Delivery Channels page by clicking the question mark in the upper right.
   Routing Proxy	Check this box if you want the trading partner delivery to act as a routing proxy (hub). For more information about proxy servers, see Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server.

   
    

3. Click Add/Apply.

Configuring a Secure Document Exchange

When you configure the trading partner document exchange, you can associate a document exchange with a business protocol binding that provides digital signature support or message encryption. Digital signature support is available with all the business protocols supported in WebLogic Integration; however, message encryption is available only with the RosettaNet protocol.

To enable digital signature or message encryption support, complete the following steps:

1. Select the Document Exchange tab. The Document Exchange configuration page is displayed, as shown in the following figure.

   Figure 4-19 Trading Partner Document Exchange Configuration Page

   
    

2. Enter the information described in the following table.

   Table 4-7 Configuring a Trading Partner Document Exchange

   In the field labeled . . .	Choose the following information . . .
   Business Protocol Binding	The business protocol and version that supports the digital signature or message encryption capabilities that you want. The protocol you choose becomes bound to the trading partner document exchange identified at the top of the page.
   Business Protocol Definition	The business protocol associated with the business protocol binding chosen in the preceding selection box.

   
    

3. For information about specifying data in the fields labeled Document Exchange Name, End Point Type, Confirmed Delivery, Message History, and Retries, see the online help for the Document Exchange page by clicking the question mark in the upper right.

4. For information about configuring digital signature information, see Configuring Message Encryption.

5. For information about configuring message encryption information, see Configuring Digital Signatures for Nonrepudiation.

 

---

Configuring Message Encryption

As mentioned in Introducing WebLogic Integration B2B Security, the B2B message encryption service encrypts business messages for the business protocols that require it. Currently, message encryption is supported only for the RosettaNet 2.0 protocol.

How WebLogic Integration Message Encryption Works

Data encryption works by using a combination of the sender's certificate, private key, and the recipient's certificate to encode a business message. The message can then be decrypted only by the recipient using the recipient's private key.

Note: The B2B message encryption feature is controlled by licensing (Encryption/Domestic or Encryption/Export), but the decryption of a business message is not. If WebLogic Integration does not have a valid encryption license, the B2B engine disables the encryption service. However, the B2B engine can always decrypt business messages that are received.

The WebLogic Integration message encryption service supports the following algorithms:

• Rivest-Shamir-Adleman (RSA)

• Data Encryption Standard (DES)

• Triple Data Encryption Standard (3DES)

The following figure shows how data encryption is performed using the public and private keys.

Figure 4-20 WebLogic Integration Message Encryption Service

 

Note: To use message encryption, you must have a valid license for using the encryption service.

Configuring Message Encryption

To configure message encryption for business messages exchanged by trading partners in a RosettaNet 2.0-based conversation definition, complete the following steps:

1. Configure the trading partner as described in Basic Configuration Tasks in Administering B2B Integration.

2. Configure security for the trading partner delivery channel, as described in Configuring a Secure Delivery Channel. Be sure to configure the delivery channel using a transport that uses the appropriate RosettaNet 2.0 protocol binding.

3. Configure the trading partner document exchange, as described in Configuring a Secure Document Exchange. Be sure to configure the document exchange to support the appropriate RosettaNet 2.0 business protocol binding.

   Notice that when you select a RosettaNet business protocol binding on the Doc Exchange configuration tab, the Encryption box is displayed in the lower left corner of the tab. The following figure shows the Doc Exchange configuration tab, with the Encryption box.

   Figure 4-21 Configuration Box for Message Encryption on Doc Exchange Configuration Page

   
    

4. In the Encryption box, select the information described in the following table.

   Table 4-8 Message Encryption Configuration Settings  

   Field	Description
   Encryption Certificate	Enter the name of the encryption certificate configured in Configuring Trading Partner Certificates.
   Encryption Level	Enter the parts of the business message that you want to have encrypted. Choose PAYLOAD if you want to encrypt only the XML business document(s) part of the message. Choose ENTIRE_PAYLOAD if you want to encrypt the business documents and all attachments in the message.
   Cipher Algorithm	A nonmodifiable information field containing the name of the cipher algorithm used. In WebLogic Integration, the available cipher algorithms are: Rivest-Shamir-Adleman (RSA) Data Encryption Standard (DES) Triple Data Encryption Standard (3DES)

   
    

5. Click Add/Apply.

Note: If cipher strength is specified in the repository data file, it is ignored at run time.

 

---

Configuring Digital Signatures for Nonrepudiation

Digital signature support (described in detail in Implementing Nonrepudiation) provides a means to prevent anyone or anything from tampering with the contents of a business message, especially when the business message is in transit between two trading partners. Digital signature support is a requirement for nonrepudiation.

If you are implementing nonrepudiation, you need to configure digital signature support in the B2B engine, which you can do by completing the following steps:

1. Configure the trading partner, as described in Basic Configuration Tasks in Administering B2B Integration.

2. Configure the trading partner signature certificate, as described in Configuring Trading Partner Certificates.

3. Configure the trading partner delivery channel security, as described in Configuring a Secure Delivery Channel. Be sure to configure the delivery channel using a transport that uses the appropriate protocol binding.

4. Configure the trading partner document exchange, as described in Configuring a Secure Document Exchange. Be sure to configure the document exchange to support the appropriate business protocol binding.

5. In the Doc Exchange tab, notice the box labeled Digital Signature (Nonrepudiation) in the lower right. In this box, choose the trading partner signature certificate identified in Configuring Trading Partner Certificates.

   When you choose a signature certificate, notice the data displayed in the nonmodifiable fields that are associated with the signature certificate, as shown in the lower right in the following figure.

   Figure 4-22 Configuring Nonrepudiation

   
    

   These nonmodifiable fields are used for the following purposes.

   • Nonrepudiation protocol—identifies the business protocol associated with the signature certificate.

   • Hash Function—identifies the function used for encrypting passwords exchanged among trading partners. The hash function used by both the RosettaNet and XOCP protocols in WebLogic Integration is SHA1.

   • Signature Algorithm—identifies the algorithm used for encrypting the signature certificates exchanged among trading partners. The signature algorithm used by both the RosettaNet and XOCP protocols in WebLogic Integration is RSA.

 

---

Customizing the WLCCertAuthenticator Class

The WLCCertAuthenticator class is an implementation of the WebLogic Server CertAuthenticator class. The default implementation of the WLCCertAuthenticator class maps the digital certificate of the trading partner to the corresponding trading partner user defined in the WebLogic Integration repository. You may want to extend this functionality to use mutual authentication for users other than trading partners. For example, you may want to modify the class to map a Web browser or Java client to a WebLogic Server user.

The WLCCertAuthenticator class is invoked by WebLogic Server after an SSL connection between the trading partner and WebLogic Server has been established. The class can extract data from a digital certificate to determine the trading partner name that corresponds to the digital certificate.

The following code example, in which the WebLogic default realm for retrieving users is used, shows how the WLCCertAuthenticator class is customized:

public User authenticate(String userName, Certificate[] certs, boolean ssl)
{

String user = null;

// If not using SSL, return
if (ssl == false)
{
return null;
}

// Verify that the certificate is either a c-hub certificate or a trading partner
// certificate, then return the corresponding WLS user.

if ((user = Security.isValidWLCCertificate(certs))!= null)
{
return realm.getUser(user);
}
// Certificate is not a valid WLC certificate.
// Check here for non-WLC certificate and return the corresponding user.
}

 

---

Configuring a Certificate Verification Provider Interface

As explained in Trading Partner Certificate Verification, you use a certificate verification provider to validate a trading partner's digital certificate. If you are using a certificate verification provider (CVP), you need to configure it in the B2B Console, using the steps described in this section.

To configure a CVP:

1. Start the B2B Console.

2. In the main page of the B2B Console, click the link under WebLogic Integration, as described in Configuring Security for the WebLogic Integration B2B Engine.

3. In the B2B Configuration panel, select the Security tab. This displays the page shown in the following figure.

   Figure 4-23 WebLogic Integration System Security Configuration Page

   
    

4. In the field labeled Certificate Verification Class, enter the fully qualified name of the Java class that implements the CVP.

5. Click Apply.

Note: You can load a certificate verification provider via the Bulk Loader. For more information, see Working with the Bulk Loader in Administering B2B Integration.

 

---

Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server

If you are using WebLogic Integration in a security-sensitive environment, you may want to use WebLogic Integration behind a proxy server. A proxy server allows trading partners to communicate across intranets or the Internet without compromising security. A proxy server is used to:

• Hide, from external hackers, the local network addresses of the WebLogic Servers that host WebLogic Integration

• Restrict access to the external network

• Monitor external network access to the WebLogic Servers that host WebLogic Integration

When proxy servers are configured on the local network, network traffic (SSL and HTTP) is tunneled through the proxy server to the external network. The following figure illustrates how a proxy server might be used in the WebLogic Integration environment.

Figure 4-24 Proxy Server

 

To configure a proxy server for WebLogic Integration, complete the following steps:

1. Display the configuration tabs in the right pane of the B2B Console window, as shown in the following figure.

   Figure 4-25 Configuration Tabs in the WebLogic Integration B2B Console

   
    

2. Select the Proxy tab. The Proxy configuration page is displayed, as shown in the following figure.

   Figure 4-26 WebLogic Integration Proxy Server Configuration Page

   
    

3. In the field labeled Host, enter the address of the proxy server used for the WebLogic Integration server, if any. For example:

   myproxy.mycompany.com.

4. In the field labeled Port, enter the port number for the proxy server.

5. Click Apply.

6. Add permissions to read and write the ssl.proxyHost and ssl.proxyPort system properties for the WebLogic Server. These system properties are stored in the weblogic.policy file, which is located in the directory where you installed WebLogic Server. Add the following lines to the grant section of the weblogic.policy file:

permission java.util.PropertyPermission "ssl.proxyHost", "read, write";
permission java.util.PropertyPermission "ssl.proxyPort", "read, write";

 

---

Configuring WebLogic Integration with a Web Server and a WebLogic Proxy Plug-In

You can configure WebLogic Integration with a Web server, such as an Apache server, that is programmed to service business messages from a remote trading partner. A Web server can provide the following services:

• Receive business messages from a remote trading partner

• Authenticate a trading partner digital certificate

The Web server uses the WebLogic proxy plug-in, which you can configure to provide the following services:

• Forward business messages received by the Web server to WebLogic Integration, which is running inside a secure internal network.

• Extract the remote trading partner certificate from the Web server and forward it to WebLogic Server for authentication. WebLogic Integration can then authenticate the trading partner certificate and business message.

The following figure shows the topology of an environment that uses a Web server, the WebLogic proxy plug-in, and WebLogic Integration.

Figure 4-27 Using a Web Server and the WebLogic Proxy Plug-In

 

Notes: Even though the proxy plug-in uses HTTP, you must configure WebLogic Integration to use the HTTPS protocol when using the proxy plug-in to forward business messages.

If a trading partner in a conversation uses Microsoft IIS as a proxy server, all the certificates used in the conversation must be trusted by a well-known Certificate Authority, such as Verisign or Entrust. The use of self-signed certificates will cause a request passed through the IIS proxy server to fail. This is a restriction in IIS, not WebLogic Integration.

Configuring the Web Server

To configure the Web server, see Configuring WebLogic Server Web Components in the BEA WebLogic Server Administration Guide at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs70/adminguide/web_server.html

The following code example provides the segment of httpd.conf (for an Apache server) needed to configure the proxy plug-in:

# LoadModule foo_module libexec/mod_foo.so
LoadModule weblogic_module    libexec/mod_wl_ssl.<suffix>

<Location /weblogic>
 SetHandler weblogic-handler
 PathTrim /weblogic
 WebLogicHost myhost
 WebLogicPort 80
</Location>

WebLogic Server User Identity for the Trading Partner

The WebLogic Server user identity is optional when you configure the remote trading partner. If a particular WebLogic Integration deployment has stringent security requirements, we recommend the following:

• Configure the ACLs for the transport servlet to enable permissions for the WebLogic Server users that map to the remote trading partner certificates.

• Disable guest users so that users with unknown or invalid certificates are unable to enter the WebLogic Server system.

 

---

Configuring Business Process Management Access to the WebLogic Integration Repository

If you plan to use the business process management (BPM) functionality provided by WebLogic Integration, you need to make sure that BPM users can share access to the WebLogic Integration repository. To support such access, you need to configure BPM with permissions for using the repository: add the WebLogic Server group wlpiUsers to the ACL for the JDBC connection pool used by the WebLogic Integration repository.

In addition, if a user of the WebLogic Integration Studio or Worklist utility needs access to workflow templates stored in the WebLogic Integration repository, you need to add that user to the appropriate ACLs for the WebLogic Server administration MBeans. To do so, specify the following ACLs on the WebLogic Server MBeans for the user. In these settings, replace <user> with the name of the BPM user:

acl.access.weblogic.admin.mbean.MBeanHome=<user>
acl.lookup.weblogic.admin.mbean.MBeanHome=<user>

For information about configuring ACLs for B2B resources, see Configuring Access Control Lists for WebLogic Integration.

 

---

Configuring Server-Side Authentication

By default, WebLogic Integration uses two-way SSL authentication. You might want to use server-side authentication, however, if you do not want to require certificate-based authentication among your trading partners.

To configure server-side authentication, complete the following steps:

1. Stop the server running in your B2B domain.

2. Go to the root directory for the domain. For example:

   c:\bea\user_projects\domain

3. Bring the config.xml file into a text editor.

4. Set the WebLogic Server SSL parameter ClientCertificateEnforced to false.

5. Set the WebLogic Server SSL parameter TwoWaySSLEnabled to true.

6. Save your changes to the config.xml file.

7. Start the server in your B2B domain, and start the B2B Console.

8. Remove the client certificate for each remote trading partner, as described in Removing Certificates and Private Keys from the Keystore.