Introducing Trading Partner Integration
This example demonstrates how to configure the security settings for RosettaNet message exchange between trading partners over HTTPS protocol, using mutual authentication. In this example, both trading partners are configured on WebLogic Integration as shown in the figure below:
The following topics are discussed in this section:
This section discusses the use of keystores in WebLogic Integration and describes the demonstration keystores used in this example.
If you are unfamiliar with WebLogic Integration concepts, you may want to complete the tutorials and read the resources listed in this section before you attempt to complete this example.
Step 1: Configuring the Local Trading Partner for the Trading Partner 1 Setup
In this section, you configure the default trading partner Test_TradingPartner_1 to be the local trading partner for the initiator business process. You then add certificates to the trading partner and configure the binding for that trading partner. Lastly, you export the trading partner data into an XML file which, you later import as the remote trading partner for the Trading Partner 2 setup.
Step 2: Configuring the Local Trading Partner for the Trading Partner 2 Setup
This section describes how to configure all the trading partner data that you completed on the Trading Partner 1 machine, on the Trading Partner 2 machine. Once you have completed this section, both of your remote trading partners are configured.
Instead of going through all the configuration steps that you did for the local trading partners for the remote trading partners, you just import the previously exported trading partner data into your WebLogic Integration application. The importing procedure configure the remote trading partner for you automatically. This section describes how to import your trading partner data files.
Step 4: Creating Services and Service Profiles in WebLogic Integration
Once you have set up all the trading partner configurations, you need to create services and service profiles for the trading partners. The procedures in this section describes how to do just that.
Trading Partner Integration Security
Tutorial: Building RosettaNet Solutions
Guide to Building Business Processes
The procedures in this example uses the demonstration keystore which is included in your WebLogic Integration installation. This keystore file can only to be used for testing purposes. This Java Key Store files is located in the following location:
BEA_HOME
\weblogic81\server\lib\DemoIdentity.jks
where BEA_HOME
is the directory in which you installed your product.
You can use any other keystore to complete the example, however, the demonstration keystore already has some of the certificates necessary loaded into it. If you need details about how to create and load certificates into your custom keystore, see Step 1: Generating a Test Certificate and Step 2: Configuring Keystores for WebLogic Integration in Example: ebXML Security Configuration.
In this sample, the following terminology is used:
Note: WebLogic Integration requires remote trading partners to have both a client and server certificate configured while local trading partners only need a client certificate.
The instructions in this sample is geared towards users that are already familiar with the basic WebLogic Server and WebLogic Integration tasks and procedures. If you are new to these WebLogic applications, consider completing Tutorial: Building Your First Business Process before using this sample. It is further assumed that you are familiar with RosettaNet concepts and how to configure RosettaNet business processes in WebLogic Integration. If you are new to RosettaNet business processes, consider completing Tutorial: Building RosettaNet Solutions before proceeding.
This sample configuration involves a participant process and a initiator process created and deployed in WebLogic Integration, either on two different computers or on two different domains on the same machine. Before you can start the security configuration part of this sample, you must complete the following:
For instructions of how to create a domain, see "Creating and Extending Domains Using the Configuration Wizard" in Creating WebLogic Configurations Using the Configuration Wizard.
When you create a new WebLogic Integration domain using the Configuration Wizard, the Configuration Wizard automatically populates the Trading Partner Management (TPM) repository with default trading partners and bindings. You will use these default trading partners in this sample.
If you are using a point based database, you will have to configure your second domain to point to a different database instance, i.e. use a different port number, since local and remote trading partners are not allowed to use the same database in WebLogic Integration. You do this by changing the default port number from 9093 to, for example, 9090 in the following files:
config.xml
(2 instances)URLS.dat
startWeblogic.cmd
and stopWeblogic.cmd
startWeblogic.sh
and stopWeblogic.sh
.These files are all located in: BEA_HOME
\user_projects\domains\
domainName
where BEA_HOME
is the directory in which you installed WebLogic Integration (such as c:\bea
) and domainName is the name of your second domain (such as tptutorial2).
For instructions on how to create business processes, see Tutorial: Building Your First Business Process. To learn more about RosettaNet processes, see Tutorial: Building RosettaNet Solutions.
If you are running both processes on one computer in different domains, both domains use the same keystores. It is important that you only have the current process and corresponding domain running when you are configuring trading partner information, or simultaneous updates to the keystore may occur and overwrite each other.
In this section, you configure the default trading partner Test_TradingPartner_1 to be the local trading partner for the initiator business process. You then add certificates to the trading partner and configure the binding for that trading partner. Lastly, you export the trading partner data into an XML file which, you later import as the remote trading partner for the participant. This section contains the following procedures:
To configure Test_TradingPartner_1 to be your local trading partner, complete the following procedure:
The View and Edit Trading Partner Profiles screen appears with the two trading partners Test_TradingPartner_1 and Test_TradingPartner_2 listed, as shown in the following figure:
Since you are going to import the configuration for the remote trading partner later on, you delete Test_TradingPartner_2 from the list at this point.
You now need to add the appropriate certificates—client, encryption, and digital signature—to your local trading partner.
To add the appropriate certificates to your local trading partner:
The details of your trading partner, including general information, bindings, and certificates are displayed. Note that there are no certificates configured for this trading partner.
Note: The certificates you create in this sample is only for demo use and should never be used in production mode.
The Add Certificate (Step 2 of 2) screen appears. You use this screen to create a client certificate to be stored in the keystore and used by the local trading partner. However, before you can create the client certificate, you have to create a password alias.
By selecting CLIENT from the Type drop-down list, you specified the certificate to be a client certificate. Using the instructions in step 2-6, create:
You have completed adding the three certificates. The next step is to edit the binding for the Test_TradingPartner_1 trading partner.
To edit the default bindings for your local trading partner:
You have completed editing the binding information. Before you proceed further, make sure that the trading partner profile you just configured is enabled.
Complete the following procedure to enable the trading partner profile that you just created and configured:
Rather than entering all the Test_TradingPartner_1 configuration data again for the participant business process computer/domain, you export the data from the initiator process computer/domain and then import it as the remote trading partner configuration for the participant.
To import the trading partner data from the local trading partner:
Note: Remember the navigation path to the file. You will need this when you import your trading partner information later on.
You have now completed the configuration of your the initiator local trading partner. The next section explains how to use the keytool utility to export the Test_TradingPartner_1 server certificate which, you will import later when setting up services and service profiles for the participant computer/domain.
BEA_HOME
\weblogic81\server\lib
where BEA_HOME
is the directory in which you installed your WebLogic Integration installation.keytool -export -alias demoidentity -file servercert1.crt -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
This exports your server certificate into a file named servercert1.crt
.
Note: If you are running both business processes on the same computer in different domains, both domains are accessing the same keystore. To avoid any problems associated with this configuration, create a copy of the servercert1.crt
and name it servercert2.crt
which, and use it as the second domains server certificate.
You have now completed the Test_TradingPartner_1 configuration. To learn more about creating, configuring, and managing trading partners in WebLogic Integration, see Trading Partner Management.
The next step is to configure the local trading partner information for the participant side of the sample.
You configure the trading partner profile for the participant side of the sample in much the same way that you created the initiator side. Use the instructions in Step 1: Configuring the Local Trading Partner for the Trading Partner 1 Setup to complete the following:
Note: This step is similar to Adding the Certificates, but you need to use the port numbers of the second computer/domain for your configuration.
You have completed configuring Test_TradingPartner_2. The next step is to import the remote trading partner profiles for the two trading partners.
Rather than recreating the information that you already created for each local trading partners when you create the remote trading partners, you import the XML files that you exported in Step 1: Configuring the Local Trading Partner for the Trading Partner 1 Setup and Step 2: Configuring the Local Trading Partner for the Trading Partner 2 Setup.
This set of instructions are the same for both Trading Partner 1 and Trading Partner 2. Go through this section twice, once for your Trading Partner 1 configuration and once for your Trading Partner 2 configuration.
To import the trading partner data:
After successfully importing the trading partner information, remember to review the new trading partner profile and make sure that the end point URL is correct. If they need to be changed, edit your bindings as described in Editing the Trading Partner Binding.
Once the local and remote trading partner configurations are completed, you have to create services and corresponding service profiles for those trading partners. In WebLogic Integration, a service represents a business process that is either offered by a local trading partner, or a business process that is being called via a control on a remote trading partner. Service profiles specify the protocol binding and URL endpoints for the local and remote trading partners that offer and call the service.
Note: Make sure that the process that you want to create the service and service profile for is deployed before you start this procedure.
This section is the same for both trading partner configuration. Complete the following procedure twice, once for your Trading Partner 1 configuration and once for your Trading Partner 2 configuration:
Note: If you are running both trading partner configurations on the same machine in different domains, it is important that you only have the server that you are currently configuring running. Otherwise, you could end up with simultaneous updates to the keystores that could overwrite each, since both domains access the same keystore.
Note: Although it is not enforced, typically the same type of authentication is selected for both the local and remote trading partner.
The Add Authentication (Step 2 of 2) screen appears. On this screen, you import the server certificate for your remote trading partner.
You have successfully created a service and its service profile. To learn more about services and service profiles, see "Adding Services" and "Adding Service Profiles to a Service" in Trading Partner Management.
This concludes this sample. To test your sample you simply run the two processes that you created in Before You Begin. Before you test your sample, you may want to review Testing Tips.
Before you test your sample, you can use the keytool utility to make sure that your keystore entries are properly configured. If you want to test that your encryption works properly, you can use the Trace Raw Messages option to save the raw messages that are sent to a specific location in your file system.
Note: When you first set up connections to RosettaNet trading partners, it is a good idea to run your configuration in Test mode to take advantage of the additional debugging features provided by this mode. To run your Web Logic Integration RosettaNet configurations in Test mode, you specify two annotations in the setProperties
method:
-Set global-usage-code
to Test
.
For more information about the setProperites
method, see RosettaNet Control Interface, available at: http://download.oracle.com/docs/cd/E13226_01/workshop/docs81/doc/en/integration/java-class/com/bea/control/RosettaNetControl.html
This section contains the following testing tips:
You can use the JDK keytool utility to make sure that your key store entries are properly configured. The keystore used in this sample, is the demo keystore, DemoIdentity.jks
, which is installed automatically when you install your product.
The resulting list should look similar to the following:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 9 entries:
secdomain1-client, Sat Oct 18 15:12:15 PDT 2003, keyEntry,
Certificate fingerprint (MD5): 53:13:78:D4:D0:E1:0D:EA:F4:6F:A1:19:6F:BE:4B:AF
secdomain2-sig, Sat Oct 18 16:44:00 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 97:24:2D:B5:CC:F3:FF:E5:06:E0:BD:CC:B6:E2:EF:E6
secdomain1servcert, Sat Oct 18 17:07:30 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0F:AB:D0:92:0E:28:20:2C:70:4B:54:3E:84:AC:7F:E7
secdomain1-sig, Sat Oct 18 15:10:11 PDT 2003, keyEntry,
Certificate fingerprint (MD5): AD:9F:BA:80:44:F2:7D:54:65:2C:7B:86:8B:2F:AA:D7
secdomain2-enc, Sat Oct 18 16:44:00 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 3E:6C:A9:E8:5E:03:51:80:AD:6A:76:41:44:76:37:7B
secdomain2servcert, Sat Oct 18 16:46:15 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0F:AB:D0:92:0E:28:20:2C:70:4B:54:3E:84:AC:7F:E7
secdomain1-enc, Sat Oct 18 15:10:47 PDT 2003, keyEntry,
Certificate fingerprint (MD5): 51:AB:CD:71:A2:E9:26:C8:CC:B2:A8:4C:49:DB:F1:CA
secdomain2-client, Sat Oct 18 16:43:59 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): F9:FA:43:6E:DE:00:FB:FB:D5:68:EF:F6:2A:77:FD:01
demoidentity, Sat Oct 18 13:25:12 PDT 2003, keyEntry,
Certificate fingerprint (MD5): 0F:AB:D0:92:0E:28:20:2C:70:4B:54:3E:84:AC:7F:E7
The Trace Raw Messages option enables you to save raw messages in a specified location. You can then open these messages to review your security settings, such as encryption and signatures.
After you have run your processes, check the specified directory for any raw messages.