B2B Security
Configuring the Keystore
This topic includes the following sections:
For general information about configuring WebLogic Integration B2B, see Basic Configuration Tasks in Administering B2B Integration.
About the Keystore
A keystore is a protected database that holds keys and certificates. If you have keys and certificates and use message encryption, digital signatures, or SSL, we recommend that you store those keys and certificates in a keystore and make the keystore available to applications that need it for authentication or signing purposes, such as a B2B application. To create a keystore and make it available, you need a keystore provider, introduced in the WebLogic Server 7.0 security architecture.
The WebLogic Keystore provider uses the reference Keystore implementation supplied by Sun Microsystems in the Java Development Kit. The WebLogic Keystore provider:
Keystores You Create
When you set up a WebLogic Integration domain for B2B collaborations, you configure the WebLogic Keystore provider to create the following keystores:
Private keystore: Stores the trading partners' certificates and private keys, such as the client, server, signature, and encryption certificates typically required for B2B collaborations. The B2B engine retrieves private keys and certificates from this keystore to use for SSL, message encryption, and digital signatures. You can use the JavaSoft JDK keytool utility or the WebLogic Server ImportPrivateKey utility to create this keystore and to add private keys and their associated certificates to it.
Trusted CA keystore: Stores the certificates of all the trusted certificate authorities (CAs). The WebLogic Keystore provider creates a trusted CA keystore that WebLogic Server uses by default to locate the trusted CAs used by SSL to verify client, server, signature, and encryption certificates.
Steps for Creating and Configuring Keystores
Complete the following basic steps to create and configure the keystores required for your B2B collaborations:
This topic also includes a discussion about using keystore files in a multinode cluster.
For background information about keystores, certificates, and keys, see the following:
http://download.oracle.com/docs/cd/E13222_01/wls/docs70/secintro/model.html
Creating the Domain
We recommend that you use the BEA Configuration Wizard to create the WebLogic Integration B2B domain for which you will be configuring security. To create a WebLogic Integration domain, complete the following steps:
http://download.oracle.com/docs/cd/E13196_01/platform/docs70/confgwiz/index.html
DOMAIN_HOME/config.xml
<Application Deployed="false" Name="WLIApplication"
Path="<%WLI_HOME%\lib>" TwoPhase="true">
Creating the Keystores and Inserting the Server Certificates
This section explains how to create the private keystores for storing the server certificates and keys required to use SSL, and the associated CA keystores for CA certificates. For a description of how to add trading partner certificates to the private keystores, see Adding Trading Partner Certificates to the Keystore.
We strongly recommend that you use SSL for trading partner authentication. If you do so, however, you should also configure SSL for each machine in your B2B domain. When you configure SSL, you need to provide a certificate and private key for the local instance of WebLogic Server. This certificate is known as the server certificate. We recommend that you store the server certificate and private key for the local server in the keystore. This section explains how to add the server certificate and private key to the keystore.
During the trading partner authentication and authorization process, the SSL layer in the relevant WebLogic Server instance uses the keystores for obtaining the following:
For instructions on configuring WebLogic Server to use SSL, see Configuring the SSL Protocol and Mutual Authentication.
Because the WebLogic Integration security service is built on WebLogic Server, only JKS-provider-based keystores are currently certified for use with WebLogic Integration. To create the keystores you need for B2B collaborations, you can use either of the following utilities:
For information about this utility, see keytool—Key and Certificate Management Tool, published by Sun Microsystems, at the following URL:
http://java.sun.com/products/jdk/1.2
For information about this utility, see Using the WebLogic Java Utilities in the WebLogic Server Administration Guide, at the following URL:
http://edoc.bea.com/wls/docs70/adminguide/utils.html
To create the keystore required for your WebLogic Integration B2B domain, complete the following steps:
c:\> cd bea\user_projects\b2bdomain
A server certificate and private key are required by SSL for authentication and authorization. You can create a server certificate and private key using the CertGen utility. We recommend that you use certificates and keys created by CertGen for testing purposes only; they are not meant to be used in a production environment. For more information about the CertGen utility, see Using the WebLogic Java Utilities in the WebLogic Server Administration Guide, at the following URL:
http://download.oracle.com/docs/cd/E13222_01/wls/docs70//adminguide/utils.html
java utils.ImportPrivateKey keystoreName keystorepass alias keypass certfile keyfile
Note: When you run the ImportPrivateKey command, make sure that BEA WebLogic Platform is included in your classpath.
The following table describes the arguments available for the ImportPrivateKey utility.
Execute the ImportPrivateKey or keytool command for each server certificate and key you want to add to the private keystore.
keytool -import -keystore keystoreName -trustcacerts -alias aliasName -file cert_file -storepass keystorepw -noprompt
The following table describes the arguments available for the keytool utility.
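The two keystore-population steps above (ImportPrivateKey for the server key and certificate, keytool -import for the CA certificate) carried out with the JDK's own KeyStore API, as an added example that is not part of this documentation or of the BEA utilities. It assumes PEM inputs named server.pem, server-key.pem (an unencrypted PKCS#8 RSA key) and ca.pem, the keystore file names and aliases shown, Java 8 or later, and passwords supplied through the WLI_*_PASS environment variables.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

// Assumed inputs: server.pem (X.509 cert), server-key.pem (unencrypted PKCS#8 RSA key),
// ca.pem (issuing CA cert). Keystore file names, aliases and env var names are assumed too.
public class LoadB2BKeystores {
    static Certificate readPemCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static PrivateKey readPkcs8Pem(String path) throws Exception {
        String b64 = new String(Files.readAllBytes(Paths.get(path)), "US-ASCII")
            .replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA")
            .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    // Writes a JKS keystore to disk (an existing file of that name is replaced).
    static void writeJks(String path, char[] storePass, KeyStore ks) throws Exception {
        try (OutputStream out = new FileOutputStream(path)) { ks.store(out, storePass); }
    }

    public static void main(String[] args) throws Exception {
        // Passwords come from the environment, not from the command line or a script.
        char[] storePass = System.getenv("WLI_PRIVATE_KEYSTORE_PASS").toCharArray();
        char[] keyPass   = System.getenv("WLI_SERVER_KEY_PASS").toCharArray();
        char[] caPass    = System.getenv("WLI_CA_KEYSTORE_PASS").toCharArray();
        // Private keystore: server key + certificate under one alias, protected by its
        // own key password (what the ImportPrivateKey step does).
        KeyStore priv = KeyStore.getInstance("JKS");
        priv.load(null, storePass);                 // start an empty keystore
        priv.setKeyEntry("myserver", readPkcs8Pem("server-key.pem"), keyPass,
                         new Certificate[] { readPemCert("server.pem") });
        writeJks("wliPrivateKeystore.jks", storePass, priv);
        // Trusted CA keystore: the CA certificate only, never a private key
        // (what the keytool -import step does).
        KeyStore ca = KeyStore.getInstance("JKS");
        ca.load(null, caPass);
        ca.setCertificateEntry("b2bca", readPemCert("ca.pem"));
        writeJks("wliCAKeystore.jks", caPass, ca);
    }
}
```

Run keytool -list -v on both files afterwards to confirm that the private keystore holds a PrivateKeyEntry and the CA keystore holds only trustedCertEntry entries.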
http://download.oracle.com/docs/cd/E13222_01/wls/docs70/admin_domain/nodemgr.html
Configuring the WebLogic Keystore Provider
To configure the WebLogic Keystore provider with the keystores you created in Creating the Keystores and Inserting the Server Certificates, complete the following steps:
Figure 3-1 Choosing Keystores in the Navigation Pane
Adding Trading Partner Certificates to the Keystore
To populate the keystore with trading partner certificates, complete the steps described in this section. For complete details about each trading partner certificate, see Configuring Trading Partner Certificates.
Notes: Even if your keystores are already populated with required certificates and private keys, you still need to perform the following tasks to populate the WebLogic Integration repository with the necessary information.
WebLogic Integration does not validate any of the trading partner certificates against a trusted Certificate Authority as you load them into the keystore.
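Because the certificates are not checked against a trusted CA as they are loaded, an administrator can run a check of their own before starting the B2B engine. The following is an added example, not part of this documentation or of WebLogic Integration: it opens the private keystore and the trusted CA keystore (file and environment variable names are assumed), and reports every entry whose certificate chain does not validate against the CAs in the trusted CA keystore.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Assumed file names and environment variable names; the passwords come from the
// environment as this topic recommends for the start script.
public class CheckTradingPartnerCerts {

    static KeyStore load(String path, String passEnv) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, System.getenv(passEnv).toCharArray());
        }
        return ks;
    }

    // Returns one line per private-keystore alias whose certificate does not chain
    // to a CA in the trusted CA keystore (wrong issuer, bad signature, expired, ...).
    static List<String> untrusted(KeyStore priv, KeyStore ca) throws Exception {
        PKIXParameters params = new PKIXParameters(ca);  // trust anchors = CA keystore entries
        params.setRevocationEnabled(false);              // no CRL/OCSP source assumed here
        CertPathValidator pkix = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> bad = new ArrayList<>();
        for (Enumeration<String> e = priv.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = priv.getCertificateChain(alias);   // null for cert-only entries
            if (chain == null) chain = new Certificate[] { priv.getCertificate(alias) };
            try {
                pkix.validate(cf.generateCertPath(Arrays.asList(chain)), params);
            } catch (CertPathValidatorException ex) {
                bad.add(alias + ": " + ex.getMessage());
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        KeyStore priv = load("wliPrivateKeystore.jks", "WLI_PRIVATE_KEYSTORE_PASS");
        KeyStore ca = load("wliCAKeystore.jks", "WLI_CA_KEYSTORE_PASS");
        List<String> bad = untrusted(priv, ca);
        for (String line : bad) System.err.println("NOT TRUSTED: " + line);
        System.exit(bad.isEmpty() ? 0 : 1);
    }
}
```

A trading partner certificate issued through an intermediate CA validates only if the intermediate is stored with the entry's chain or is itself a trusted entry in the CA keystore.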
<Application Deployed="true" Name="WLI" Path="<%WLI_HOME%\lib>" TwoPhase="true">
This section presents the following procedures for populating the private keystore for B2B collaborations:
Adding the Certificates and Private Keys for a Local Trading Partner
A local trading partner requires the following certificates and private keys:
To add these certificates and private keys to the private keystore, complete the steps described in this section.
Note: Do not configure a server certificate for a local trading partner. Although the encryption and signature certificates are optional, the client certificate is required if you are using SSL with mutual authentication. For complete details about local trading partner certificates, see Configuring Trading Partner Certificates. For information about using server-side, or one-way authentication, which does not require the use of a client certificate, see Configuring Server-Side Authentication.
Figure 3-4 General Configuration Page for a Local Trading Partner
Figure 3-5 Certificates Configuration Page for a Local Trading Partner
Figure 3-6 Creating a Certificate Entry for a Local Trading Partner
Adding the Certificates for a Remote Trading Partner
A remote trading partner has the following certificates:
Note: Do not specify private keys for remote trading partner certificates. Although the encryption and signature certificates are optional, the client and server certificates are required for using mutual authentication with SSL. For complete details about remote trading partner certificates, see Configuring Trading Partner Certificates. For information about using server-side, or one-way authentication, which does not require the use of a client certificate, see Configuring Server-Side Authentication.
To add these certificates to the private keystore, complete the following steps:
Figure 3-7 Creating a Certificate Entry for a Remote Trading Partner
Bulk Loading and Importing Certificates into the Keystore
When you use the Bulk Loader utility (from either the B2B Console or the command line) to configure certificates in the WebLogic Integration repository, trading partner certificates are not imported into the keystore. However, the repository contains configuration information about the certificates so that it can import the certificates into the keystore during startup of the B2B engine.
Before the B2B engine can import trading partner certificates into the keystore, you must have automatic migration enabled in the startWeblogic script. To enable automatic migration, complete the following steps:
rem All -D system properties must precede the weblogic.Server class name; anything
rem placed after it is passed to the server as a program argument, not to the JVM.
%JAVA_HOME%\bin\java %DB_JVMARGS% -Xmx256m -classpath %WLISERVERCP% ^
  -Dbea.home=%BEA_HOME% -Dwli.bpm.server.evaluator.supportsNull=false ^
  -Dweblogic.Domain=mydomain -Dweblogic.Name=myserver ^
  -Dweblogic.management.username= -Dweblogic.management.password= ^
  -Dweblogic.ProductionModeEnabled=true -Dweblogic.management.discover=false ^
  -Djava.security.policy==%WL_HOME%\lib\weblogic.policy ^
  -Dwli.keystore.automigrate=true ^
  weblogic.Server
When WebLogic Server is restarted in the domain, the certificates and keys are imported.
Removing Certificates and Private Keys from the Keystore
When you remove a certificate, and, if applicable, a private key, using the B2B Console, references to that certificate and private key are removed from the WebLogic Integration repository. You can also remove the certificates and their associated keys from the private keystore at the same time.
To remove a certificate, complete the following steps:
Figure 3-8 Removing a Certificate from the Keystore
Configuring the Domain to Use the Keystore
To configure your B2B domain to use the keystores you have created, you need to modify the startWeblogic script that resides in the root directory for your domain. To modify this script, complete the following steps:
rem All -D system properties must precede the weblogic.Server class name; anything
rem placed after it is passed to the server as a program argument, not to the JVM.
%JAVA_HOME%\bin\java %DB_JVMARGS% -Xmx256m -classpath %WLISERVERCP% ^
  -Dbea.home=%BEA_HOME% -Dwli.bpm.server.evaluator.supportsNull=false ^
  -Dweblogic.Domain=mydomain -Dweblogic.Name=myserver ^
  -Dweblogic.management.username= -Dweblogic.management.password= ^
  -Dweblogic.ProductionModeEnabled=true -Dweblogic.management.discover=false ^
  -Djava.security.policy==%WL_HOME%\lib\weblogic.policy ^
  -DKey.certificate-name.password=key_password ^
  -Dwli.privateKeystore.password=keystore_pass ^
  -Dwli.caKeystore.password=caKeystore_pass ^
  weblogic.Server
Note: We recommend that you set passwords in environment variables, rather than hard-coding the passwords into scripts such as startWeblogic. When environment variables are used, scripts can obtain the values for passwords from the environments in which the scripts run.
Using the Keystore in a Multinode Cluster
If you are deploying your B2B domain on a multinode cluster, you need to do the following:
As each managed server in the domain starts, the administration server automatically propagates the WebLogic Keystore provider configuration to it.
For more information about managing B2B security in a multinode cluster, see Deploying BEA WebLogic Integration Solutions.