Introducing WebLogic Integration B2B Security

Table 1-1 Components in the WebLogic Integration B2B Security Model

Component	Description
Conversation authorization	When a business message arrives for a trading partner, the B2B engine, as part of the business message authorization process, examines the contents of the business message to validate it against the collaboration agreement. That is, the collaboration agreement defines the business messages a given trading partner may send and receive. The B2B engine verifies that the content of the incoming business message is consistent with the business messages that the trading partner is bound, by role and conversation definition in the collaboration agreement, to either send or receive. This authorization scheme makes sure that only the business messages that are consistent with the relevant collaboration agreement have access to B2B engine resources.
Data encryption service	The data encryption service encrypts business messages for the business protocols that require it. Data encryption works by using a combination of the sender's certificate, private key, and the recipient's certificate to encode the business message. The message can then be decrypted only by the recipient using the recipient's private key. For details about using the data encryption service, see Configuring Message Encryption.
Authentication in the transport servlet	A transport servlet is a WebLogic Integration-specific servlet that serves as the entry point for both HTTP and HTTPS access to B2B resources, including the following: WebLogic Integration repository WebLogic Integration workflow templates and definitions JDBC connection pool JMS destinations A transport servlet is dynamically registered in the WebLogic Server environment for trading partners bound to a specific collaboration agreement.
Authentication for outbound request via the SSL protocol	The B2B engine authenticates the recipient for all outbound messages using the SSL certificate obtained in the SSL handshake to ensure that the messages are consistent with the relevant collaboration agreement to which they are bound.
WLCCertAuthenticator class	The WLCCertAuthenticator class maps trading partner certificates to the corresponding WebLogic Server users that have been configured for the trading partner. The WLCCertAuthenticator class implements the weblogic.security.acl.CertAuthenticator interface. You can configure this class to invoke your own or a trusted third-party vendor's implementation that verifies trading partner certificates. For more information, see Authenticating and Authorizing Trading Partners.
Nonrepudiation framework	The B2B security system provides a means to implement nonrepudiation support. Nonrepudiation is the ability of a trading partner to prove or disprove having previously sent or received a particular business message to or from another trading partner. Nonrepudiation requires the following services: Data encryption Digital signatures Secure timestamps Secure audit log WebLogic Integration provides out-of-the-box implementations for nonrepudiation and Service Provider Interfaces (SPIs) that allow you to incorporate your own or a trusted third-party's implementation. For more information about nonrepudiation, see Implementing Nonrepudiation.
Private keystore	File in which you can store the private keys, along with passwords, and certificates that are used in trading partner collaborations. These keys and passwords are embedded in the following certificates: The client certificate—Digital certificate of the remote or local trading partner. The server certificate—Digital certificate of the remote trading partner. The signature certificate—Used for each trading partner business message if digital signature support is required. The encryption certificate—Used for each trading partner if business message encryption is required.
Root CA keystore	File in which you store all the trusted CA certificates associated with each trading partner and server certificate used in the B2B collaborations.
Authentication for inbound requests via SSL protocol	When an inbound trading partner message arrives, both the trading partner and the WebLogic Server system exchange certificates to establish each other's identity. When the SSL handshake is completed, the trading partner's network connection to the WebLogic Server system is established. For information about configuring the SSL protocol in WebLogic Server to provide mutual authentication, see Configuring the SSL Protocol and Mutual Authentication.
ACLs for WebLogic resources	ACLs are data structures with multiple entries that guard access to WebLogic Integration B2B resources. An ACL grants permission on a resource, or class of resources, to a list of users and groups. An ACL includes a list of AclEntries, each with the set of permissions for a particular user or group. Permissions represent privileges required for accessing a resource and are specific to the resource they protect. The exact permissions available depend on the type of resource the ACL protects. For example, there are permissions to send and receive files, delete files, read and write files, and load servlets. For information about configuring the ACLs for the JDBC connection pool, see Configuring Access Control Lists for WebLogic Integration.
WebLogic Keystore provider Service Provider Interfaces (SPIs)	Set of interfaces that implement a means to insert and maintain private keys and certificates in a keystore. The WebLogic Keystore provider uses the reference Keystore implementation supplied by Sun Microsystems in the Java Development Kit. It utilizes the standard "JKS" keystore type, which implements each keystore as a file.