Administration Console Online Help


Specify the key pair used to encrypt SOAP messages

Before you begin

You must first create the Web service security configuration that is associated with a Web service before you can configure specific features.

See Create a Web service security configuration for details about creating a security configuration.

You must also have already obtained a private key and X.509 certificate pair and added it to an existing keystore in WebLogic Server. You will specify the name and password of the keystore, as well as the name and password of the key pair, in the following procedure. For details, see Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities.


The core security realm of WebLogic Server includes a default keystore configured with a key and certificate pair, which message-level secured Web services can use to encrypt and digitally sign SOAP messages. This is useful when developing and testing your application. However, when you move your application to production, it is a good practice to use different key and certificate pairs for different tasks. The following procedure shows how to specify that the WebLogic Web services runtime use a specific key and certificate pair (different from the default) to encrypt SOAP messages.

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, select your domain. This is the top-level node of the navigation tree.
  3. In the right pane, select Web Service Security.
  4. In the table, click the name of the Web service security configuration for which you want to create a keystore used by SOAP message encryption.

    Web services programmers associate a Web service security configuration using the @WssConfiguration JWS annotation; the value attribute specifies the associated configuration name. If the programmer does not specify the value attribute, the Web service is associated with the default security configuration: default_wss.

  5. Click Web Service Security > Credential Provider.
  6. Click New.
  7. Enter the following values in the required fields:
    • Name: A name for your credential provider. This can be anything you want.
    • Class Name: Enter the following exact value: weblogic.wsee.security.bst.ServerBSTCredentialProvider.
    • Token Type: Enter the following exact value: x509.
  8. Click Finish.
  9. In the Credential Providers table, click the name of the credential provider you just created.
  10. At the bottom of the page in the Credential Provider Properties table, click New.
  11. Enter the following values in the fields:
    • Name: Enter the following exact value: ConfidentialityKeyStore.
    • Value: Enter the name of the keystore that contains the key pair which will be used for encrypting.

    Ensure the Is Encrypted check box is not checked.

  12. Click OK.
  13. In the Credential Provider Properties table, click New again.
  14. Enter the following values in the fields:
    • Name: Enter the following exact value: ConfidentialityKeyStorePassword.
    • Value: Enter the password of the key store that contains the key pair which will be used for encrypting.

    Check the Is Encrypted check box.

  15. Click OK.
  16. In the Credential Provider Properties table, click New again.
  17. Enter the following values in the fields:
    • Name: Enter the following exact value: ConfidentialityKeyAlias.
    • Value: Enter the name of the private key-X.509 certificate pair (stored in the keystore) which will be used for encrypting.

    Ensure the Is Encrypted check box is not checked.

  18. Click OK.
  19. In the Credential Provider Properties table, click New again.
  20. Enter the following values in the fields:
    • Name: Enter the following exact value: ConfidentialityKeyPassword.
    • Value: Enter the password of the private key-X.509 certificate pair (stored in the keystore) which will be used for encrypting.

    Check the Is Encrypted check box.

  21. Click OK.
  22. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).
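
A pre-flight check for the values entered in steps 11 through 20, run with the JDK keytool before opening the Console (an added example, not part of the original help page). The function names, the environment variable names KS_PASS and KEY_PASS, and passing the keystore as a file path are assumptions made here.

```shell
#!/bin/sh
# Verifies that the keystore password, key alias and key password are
# consistent before they are typed into the Credential Provider Properties.
# Passwords come from the environment (KS_PASS, KEY_PASS: names assumed here)
# so they do not show up in the process list or shell history.

# Classify the output of `keytool -list -alias <alias>` read from stdin.
# A usable entry line looks like: "myalias, Jan 5, 2024, PrivateKeyEntry,"
entry_kind() {
    listing=$(cat)
    case "$listing" in
        *PrivateKeyEntry*)  echo private-key ;;  # key pair: what encryption needs
        *trustedCertEntry*) echo cert-only ;;    # certificate without a private key
        *)                  echo missing ;;      # error text or no such alias
    esac
}

# usage: preflight <keystore-file> <key-alias>
preflight() {
    ks=$1
    key_alias=$2
    # Checks the ConfidentialityKeyStorePassword and ConfidentialityKeyAlias values.
    listing=$(keytool -list -keystore "$ks" -storepass:env KS_PASS \
                      -alias "$key_alias" 2>&1) || {
        echo "FAIL: keystore password rejected or alias '$key_alias' not found" >&2
        return 1
    }
    kind=$(printf '%s\n' "$listing" | entry_kind)
    [ "$kind" = private-key ] || {
        echo "FAIL: '$key_alias' is $kind, not a private key and certificate pair" >&2
        return 1
    }
    # Checks the ConfidentialityKeyPassword value: -certreq has to recover the
    # private key to sign the request, so a wrong key password makes it fail.
    keytool -certreq -keystore "$ks" -storepass:env KS_PASS \
            -alias "$key_alias" -keypass:env KEY_PASS >/dev/null 2>&1 || {
        echo "FAIL: key password does not unlock '$key_alias'" >&2
        return 1
    }
    echo "OK: '$key_alias' in $ks is usable with the supplied passwords"
}

# Run the check only when called as: script.sh <keystore-file> <key-alias>
if [ "$#" -eq 2 ]; then
    preflight "$@"
fi
```
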

After you finish

You must redeploy any Web service which is associated with this security configuration for the security changes to take effect.

