35 Configuring SSL

This chapter describes how to secure WebCenter Portal and Portal Framework applications and components with SSL.

This chapter includes the following sections:

Note:

The following can use WS-Security with message protection, and consequently have no hard requirement for SSL:

  • BPEL servers - Worklist

  • WSRP Producers

  • Microsoft Live Communication Server (LCS) - Instant messaging and presence

  • Discussions and announcements

Permissions:

To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.

See also, Section 1.8, "Understanding Administrative Operations, Roles, and Tools."

35.1 Securing the Browser Connection to WebCenter Portal with SSL

Securing the browser connection to WebCenter Portal with SSL consists of the following steps:

35.1.1 Creating the Custom Keystore

The first step is to generate a custom keystore for WebCenter Portal.

To create a custom keystore:

  1. Go to JDK_HOME/bin/ and open a command prompt.

  2. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "dname" -alias alias -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
    

    Where:

    • dname is the DN (distinguished name) to use (for example, cn=customidentity,dc=example,dc=com)

    • alias is the alias to use (for example, webcenter_wls)

    • key_password is the password that protects the new private key entry (for example, MyPassword1)

    • keystore is the keystore name, (for example, webcenter_wls.jks)

    • keystore_password is the keystore password, (for example, MyPassword1)

    • days_valid is the number of days for which the certificate is valid (for example, 360). Before it expires, a new certificate must be generated and re-imported into every trust store that holds the old one.

    Note:

    You must use the -keyalg parameter and specify RSA as its value as shown above as the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.

  3. Export the certificate containing the public key so WebCenter Portal clients can import it into their trust store:

    keytool -exportcert -v -alias alias -keystore keystore 
    -storepass keystore_password -rfc -file certificate_file
    

    Where:

    • alias is the WebCenter Portal alias (for example, webcenter_wls)

    • keystore is the keystore name, (for example, webcenter_wls.jks)

    • keystore_password is the keystore password, (for example, MyPassword1)

    • certificate_file is the file name for the certificate to export the key to (for example, webcenter_wls.cer)

  4. Determine the trust store to use:

    Since you are using a self-signed certificate, you must add it as a trusted certificate to the server trust store. To do this, you must determine your trust store by going to the server:

    1. Log into the WebLogic Server Administration Console.

      For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, "Oracle WebLogic Server Administration Console."

    2. In the Domain Structure pane, expand Environments and click Servers.

    3. In the list of servers, click WC_Spaces.

    4. Open the Configuration tab, and the Keystores subtab.

      The Keystores Settings pane displays.

    5. Note down the trust store path shown in the Java Standard Trust Keystore field (the cacerts file of the JDK the server runs on).

      Note that the cacerts file may be "read only", in which case you must change its permissions so that it's writable.

  5. Import the self-signed certificate generated above in this trust store:

    keytool -importcert -trustcacerts -alias alias -file certificate_file 
    -keystore cacerts -storepass changeit
    

    Where:

    • alias is the WebCenter Portal alias (for example, webcenter_wls)

    • certificate_file is the certificate file exported in step 3 (for example, webcenter_wls.cer)

    When prompted whether to trust the self-signed certificate, answer yes.

35.1.2 Configuring the Custom Identity and Java Trust Keystores

The next step is to configure the Custom Identity and Java Trust keystores on the WebCenter Portal server.

To configure the identity and trust keystores:

  1. Log in to the WebLogic Server Administration Console.

    For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, "Oracle WebLogic Server Administration Console."

  2. Click the WebCenter Portal server (WC_Spaces) to configure the identity and trust keystores.

    The Settings pane for the WebCenter Portal server displays.

  3. Open the Configuration tab, and then the Keystores subtab.

    The Keystores pane displays.

  4. Click Change.

  5. For Keystores, select Custom Identity and Java Standard Trust and click Save.

  6. Under Identity, enter the path and filename of the Custom Identity Keystore you created in Section 35.1.1, "Creating the Custom Keystore."

  7. Enter JKS as the Custom Identity Keystore Type.

  8. Enter and confirm the Custom Identity Keystore password.

  9. Under Trust, enter and confirm the Java Standard Trust Keystore password (typically set to changeit).

  10. Click Save to save your entries.

  11. Open the SSL tab.

  12. Enter the Private Key Alias (for example, webcenter_wls).

  13. Enter the Private Key Passphrase (for example, MyPassword1)

  14. Click Save to save your entries.

35.1.3 Configuring the SSL Connection

To configure the SSL connection:

  1. On the Settings pane for the WebCenter Portal server (WC_Spaces), open the Configuration tab and then the General subtab.

    The General Configuration pane displays.

  2. Check SSL Listen Port Enabled.

  3. Enter an SSL Listen Port number and click Save.

  4. Open the SSL subtab and expand the Advanced options at the bottom of the page.

  5. Check that the Two Way Client Cert Behavior option is set to Client Certs Not Requested and click Save.

  6. Open the Control tab.

    The Control Settings pane displays.

  7. Click Restart SSL.

  8. Restart the WebLogic Server and open the SSL Portal URL.

    If the host name in the certificate does not match the host name of the server, then for a development or test environment only (never in production) the server can be started with:

    -Dweblogic.security.SSL.ignoreHostnameVerification=true

    This switches off the check that ties the presented certificate to the host being connected to, so any certificate chaining to a trusted CA is accepted for any host. In production, fix the mismatch by issuing a certificate for the correct host name instead.

  9. Accept the certificate for the session and log in.

35.2 Securing the Browser Connection to a Portal Framework Application with SSL

Securing the browser connection to a Portal Framework application uses the same configuration steps as for securing the browser connection to WebCenter Portal. The only difference is that the configuration occurs on the managed server that is hosting the Portal Framework application deployment rather than the WC_Spaces server. For more information, see Section 35.1, "Securing the Browser Connection to WebCenter Portal with SSL."

35.3 Securing the Connection from Oracle HTTP Server to WebCenter Portal with SSL

Securing the connection between the Oracle HTTP Server (OHS) and WebCenter Portal is described in the following sections:

35.3.1 Configuring the Identity and Trust Keystores

For instructions on how to configure the Identity and Trust keystores, see Section 35.1, "Securing the Browser Connection to WebCenter Portal with SSL."

35.3.2 Configuring the SSL Connection

To configure the SSL Connection:

  1. On the Settings pane for the WebCenter Portal server, open the Configuration tab and then the General subtab.

    The General Configuration pane displays.

  2. Check SSL Listen Port Enabled.

  3. Enter an SSL Listen Port number and click Save.

  4. On the Configuration tab, open the SSL subtab, and then expand the Advanced options at the bottom of the page.

    The SSL advanced options are displayed.

  5. Set the Two Way Client Cert Behavior option to Client Certs Not Requested and click Save.

  6. Open the Control tab on the Settings pane, and select the Start/Stop subtab.

  7. Click Restart SSL.

  8. Open the SSL WebCenter Portal URL.

  9. Accept the certificate for the session and log in.

  10. In the WLS Administration Console, click View Changes and Restarts on the Change Center pane and restart any affected servers or components.

35.3.3 Installing the Oracle HTTP Server

To install the Oracle HTTP Server:

  1. Install the WebTier (see Section 33.2.3, "Installing and Configuring OAM").

    • Do not select WebCache; only select the HTTP Server.

    • Uncheck the checkbox to associate a WebLogic server during install.

  2. Navigate to the WT_ORACLE_HOME/instances/<your_instance>/bin directory and start OHS using the following command:

    ./opmnctl startall
    
  3. Check the status of OHS using the following command:

    ./opmnctl status -l
    

35.3.4 Wiring the WebCenter Portal Ports to the HTTP Server

To wire the WebCenter Portal ports to the HTTP server:

  1. Open the file WT_ORACLE_HOME/instances/<your_instance>/config/OHS/ohs1/mod_wl_ohs.conf.

  2. Add the following entry to mod_wl_ohs.conf to make WebCenter Portal work with OHS:

    <IfModule mod_weblogic.c>
        WebLogicHost host_id
        WebLogicPort port
        Debug OFF
        WLLogFile /tmp/ohs.log
        MatchExpression *.jsp
    </IfModule>

    <Location />
        SetHandler weblogic-handler
    </Location>


    Replace host_id and port with the host name and listen port of the WebCenter Portal server.

  3. Open the file WT_ORACLE_HOME/instances/<your_instance>/config/OHS/ohs1/ssl.conf.

  4. Add the following entry to ssl.conf to make WebCenter Portal run on the OHS SSL port:

    <Location />
        WebLogicHost host_id
        WebLogicPort port
        SetHandler weblogic-handler
        SecureProxy ON
        WLLogFile /tmp/ohs_ssl.log
        Debug ALL
        WlSSLWallet SSL_wallet
    </Location>

    <Location /webcenter>
        SetHandler weblogic-handler
        WebLogicHost host_id
        WebLogicPort port
        SecureProxy ON
        WLLogFile /tmp/ohs_ssl.log
        Debug ALL
        WlSSLWallet SSL_wallet
    </Location>

    <Location /webcenterhelp>
        SetHandler weblogic-handler
        WebLogicHost host_id
        WebLogicPort port
        SecureProxy ON
        WLLogFile /tmp/ohs_ssl.log
        Debug ALL
        WlSSLWallet SSL_wallet
    </Location>

    <Location /rsscrawl>
        SetHandler weblogic-handler
        WebLogicHost host_id
        WebLogicPort port
        SecureProxy ON
        WLLogFile /tmp/ohs_ssl.log
        Debug ALL
        WlSSLWallet SSL_wallet
    </Location>

    <Location /sesUserAuth>
        SetHandler weblogic-handler
        WebLogicHost host_id
        WebLogicPort port
        SecureProxy ON
        WLLogFile /tmp/ohs_ssl.log
        Debug ALL
        WlSSLWallet SSL_wallet
    </Location>

    <Location /rss>
        SetHandler weblogic-handler
        WebLogicHost host_id
        WebLogicPort port
        SecureProxy ON
        WLLogFile /tmp/ohs_ssl.log
        Debug ALL
        WlSSLWallet SSL_wallet
    </Location>


    Replace host_id and port with the host name and SSL listen port of the WebCenter Portal server (typically 8788), and SSL_wallet with the path to the SSL wallet the WebLogic plug-in uses (for example, WT_ORACLE_HOME/instances/<your_instance>/config/OHS/ohs1/keystores/default). Debug ALL and a log file under /tmp are suitable only while the wiring is being tested: set Debug OFF and write WLLogFile under the instance's diagnostics directory before the configuration goes to production.

    Note:

    SSL should be configured at the server level rather than within the Location/directory sections. So, for example, instead of having:

    <Location /mylocation>
      WLSSLWallet <walletfile>
      SecureProxy ON
    </Location>
    

    use:

    SecureProxy ON
    WlSSLWallet <walletfile>
    

    at the server level (i.e., outside the Location/directory sections).

  5. Go to WT_ORACLE_HOME/instances/<your_instance>/bin and start and check the status of OHS using the following commands:

    ./opmnctl stopall
     
    ./opmnctl startall
    ./opmnctl status -l
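As an added example (not part of the product or of this guide), the following shell script checks an OHS plug-in fragment such as the one above for the three settings a reviewer would flag: SecureProxy or WlSSLWallet inside a <Location> rather than at server level (the point of the Note above), Debug ALL, and a plug-in log under /tmp. The host name and wallet path in the constructed samples are placeholders.

```shell
#!/bin/sh
# lint_ohs_wl.sh -- flag risky WebLogic proxy plug-in settings in an OHS
# mod_wl_ohs.conf / ssl.conf fragment. Added example, not an Oracle tool.
# Reports, with file and line number:
#   - SecureProxy or WlSSLWallet inside <Location>: SSL belongs at server level
#   - Debug ALL/ON: verbose plug-in logging that records request detail
#   - WLLogFile under /tmp: world-writable directory any local user can tamper with
# Exit status is 1 when there is at least one finding, so it can gate a deployment.
lint_ohs_wl() {         # file...
    awk '
        function report(msg) { n++; printf "%s:%d: %s\n", FILENAME, NR, msg }
        FNR == 1 { depth = 0 }
        { line = $0; sub(/^[ \t]+/, "", line); l = tolower(line) }
        l ~ /^<location(match)?[ \t>]/ { depth++; next }
        l ~ /^<\/location(match)?>/   { if (depth > 0) depth--; next }
        l ~ /^debug[ \t]+(all|on)([ \t]|$)/ {
            report("Debug " $2 " records request detail in the plug-in log; use Debug OFF") }
        l ~ /^wllogfile[ \t]+\/tmp\// {
            report("WLLogFile under /tmp; log under the OHS instance diagnostics directory instead") }
        depth > 0 && l ~ /^(secureproxy|wlsslwallet)[ \t]/ {
            report($1 " inside <Location>; set SecureProxy and WlSSLWallet once at server level") }
        END { exit (n > 0) }
    ' "$@"
}

# Constructed sample: the ssl.conf fragment above with its weak settings.
# Prints the number of findings (expected: 4).
demo_bad() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<Location />
    WebLogicHost wc.example.com
    WebLogicPort 8788
    SetHandler weblogic-handler
    SecureProxy ON
    WLLogFile /tmp/ohs_ssl.log
    Debug ALL
    WlSSLWallet /u01/app/ohs1/keystores/default
</Location>
EOF
    lint_ohs_wl "$f" | wc -l | tr -d ' '
    rm -f "$f"
}

# Constructed sample: same proxy, SSL set once at server level, debug off,
# log under the instance directory. Prints the number of findings (expected: 0).
demo_good() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
SecureProxy ON
WlSSLWallet /u01/app/ohs1/keystores/default
Debug OFF
WLLogFile /u01/app/ohs1/diagnostics/logs/ohs_ssl.log
<Location /webcenter>
    SetHandler weblogic-handler
    WebLogicHost wc.example.com
    WebLogicPort 8788
</Location>
EOF
    lint_ohs_wl "$f" | wc -l | tr -d ' '
    rm -f "$f"
}

# Usage: sh lint_ohs_wl.sh WT_ORACLE_HOME/instances/<your_instance>/config/OHS/ohs1/ssl.conf
[ $# -eq 0 ] || lint_ohs_wl "$@"
```

Run it against ssl.conf and mod_wl_ohs.conf after editing them; a non-zero exit is the signal to move the SSL directives to server level and turn the debug log off before restarting OHS.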
    

35.3.5 Configuring the SSL Certificates

To configure the SSL certificates:

  1. For OHS to trust WebCenter Portal's certificate, the WC_Spaces certificate must be imported into the OHS trust store. Export the certificate from the WC_Spaces identity keystore:

    keytool -exportcert -v -alias webcenter_wls -keystore webcenter_wls.jks 
    -storepass <password> -rfc -file webcenter_wls.cer
    
  2. Navigate to WT_ORACLE_HOME/instances/<your_instance>/config/OHS/ohs1/keystores/default and run the following orapki command (typically located in IDM_HOME) to import the certificate into the wallet on the OHS side:

    orapki wallet add -wallet . -trusted_cert -cert webcenter_wls.cer -auto_login_only
    

    Note that JAVA_HOME should be set before running any orapki commands.

  3. Determine the certificate DN by running the following command:

    orapki wallet display -wallet wallet_location
    
  4. For WebCenter Portal to trust OHS certificates, export the user certificate from OHS wallet and import it as a trusted certificate in the WebLogic trust store.

    orapki wallet export -wallet . -cert cert.txt  -dn 'CN=\"Self-signed Certificate for ohs1 \",OU=EXAMPLEORGUNIT,O=EXAMPLEORG,L=EXAMPLELOCATION,ST=CA,C=US'
    
  5. Import the above certificate into the trust store of the WC_Spaces managed server, that is, the cacerts file of the JDK the server runs on (for example, JDK_HOME/jre/lib/security/cacerts, the path noted in the Java Standard Trust Keystore field):

    keytool -importcert -trustcacerts -alias ohs_cert -file cert.txt -keystore cacerts -storepass changeit
    
    
  6. Restart OHS and the WC_Spaces server.

    You should now be able to access the SSL OHS, as well as the non-SSL OHS.

35.4 Securing the Browser Connection to the Discussions with SSL

Securing the browser connection to discussions with SSL is described in the following sections:

35.4.1 Creating the Custom Keystore

The first step is to generate a custom keystore as shown below:

  1. Go to JDK_HOME/bin/ and open a command prompt.

  2. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "dname" -alias owc_discussions 
    -keypass key_password -keystore owc_discussions.jks -storepass keystore_password -validity days_valid
    

    Where:

    • dname is the DN (distinguished name) to use (for example, cn=customidentity,dc=owc_discussions,dc=example,dc=com)

    • key_password is the password that protects the new private key entry (for example, MyPassword1)

    • keystore_password is the keystore password, (for example, MyPassword1)

    • days_valid is the number of days for which the certificate is valid (for example, 360).

    Note:

    You must use the -keyalg parameter and specify RSA as its value as shown above as the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.

  3. Export the certificate containing the public key:

    keytool -exportcert -v -alias owc_discussions -keystore owc_discussions.jks 
    -storepass keystore_password -rfc -file owc_discussions.cer
    

    Where:

    • keystore_password is the keystore password, (for example, MyPassword1)

  4. Determine the trust store to use:

    Since you are using a self-signed certificate, you must add it as a trusted certificate to the server trust store. To do this, you must determine your trust store by going to the server:

    1. Log into the WebLogic Server Administration Console.

    2. In the Domain Structure pane, expand Environments and click Servers.

    3. In the list of servers, click WC_Collaboration.

    4. Open the Configuration tab, and the Keystores subtab.

      The Keystores Settings pane displays.

    5. Note down the trust store path shown in the Java Standard Trust Keystore field (the cacerts file of the JDK the server runs on).

      Note that the cacerts file may be "read only," in which case you must change its permissions so that it's writable.

  5. Import the self-signed certificate generated above in this trust store:

    keytool -importcert -trustcacerts -alias owc_discussions 
    -file owc_discussions.cer -keystore cacerts -storepass changeit
    

    Note that the path to the cacerts file should be the absolute path. Otherwise, a new cacerts file will be created in the directory from where keytool is executed (to which the SSL port may not be able to listen).

    When prompted to trust the self-signed certificate, say yes.

35.4.2 Configuring the Identity and Trust Key Stores

To configure the identity and trust key stores:

  1. Log in to the WebLogic Server Administration Console.

    For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, "Oracle WebLogic Server Administration Console."

  2. In the Domain Structure pane, expand Environment and click Servers.

    The Summary of Servers pane displays.

  3. Click the Collaboration server (WC_Collaboration) to configure the identity and trust keystores.

    The Settings pane for the Collaboration server displays.

  4. Open the Configuration tab, and then the Keystores subtab.

    The Keystores pane displays.

  5. For Keystores, select Custom Identity and Java Standard Trust.

  6. Under Identity, specify the keystore as owc_discussions.jks.

  7. Set the keystore type to JKS.

  8. Enter and confirm the keystore passphrase, (for example, MyPassword1)

  9. Under Trust, set the Java Standard Trust Keystore Passphrase to changeit (the JDK default for the cacerts file; use the actual password if it has been changed) and click Save.

  10. From the WLS Administration console, go to Servers -> WC_Collaboration and open the Configuration tab, and then the General subtab.

  11. Check SSL Port enabled, specify a port that you want, and save your settings.

  12. From the WLS Administration console, go to Servers -> WC_Collaboration and open the Configuration tab, and then the SSL subtab.

  13. Specify the private key alias as owc_discussions, and set the private key passphrase to the key password used when the key pair was generated (for example, MyPassword1).

  14. Open the Control tab.

    The Control Settings pane displays.

  15. Click Restart SSL.

35.4.3 Configuring the SSL Connection

To configure the SSL connection:

  1. On the Settings pane for the Collaboration server, open the Configuration tab and then the General subtab.

    The General Configuration pane displays.

  2. Check SSL Listen Port Enabled.

  3. Enter an SSL Listen Port number and click Save.

  4. On the Configuration tab, open the SSL subtab, and then expand the Advanced options at the bottom of the page.

  5. Set the Two Way Client Cert Behavior option to Client Certs Not Requested and click Save.

  6. Restart the WC_Collaboration server and open the SSL discussions URL at https://host:port/owc_discussions.

  7. Accept the certificate for the session and log in.

35.5 Securing the WebCenter Portal Connection to Portlet Producers with SSL

Securing the connection to WSRP and PDK-Java portlet producers with SSL is described in the following sections:

35.5.1 Creating the Custom Keystores

For instructions on how to create the custom keystore, see Section 35.1.1, "Creating the Custom Keystore." Example commands for generating the keypair and exporting and importing the certificate are shown below:

./keytool -genkeypair -keyalg RSA -dname "cn=customidentity,dc=portlet,dc=example,dc=com" -alias portlet -keypass MyPassword1 -keystore portlet.jks -storepass MyPassword1 -validity 360

./keytool -exportcert -v -alias portlet -keystore portlet.jks -storepass MyPassword1 -rfc -file portlet.cer

./keytool -importcert -trustcacerts -alias portlet -file portlet.cer -keystore cacerts -storepass changeit

35.5.2 Configuring the Identity and Trust Key Stores

To configure the identity and trust key stores:

  1. Log in to the WebLogic Server Administration Console.

    For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, "Oracle WebLogic Server Administration Console."

  2. In the Domain Structure pane, expand Environment and click Servers.

    The Summary of Servers pane displays.

  3. Click the Portlet server (for example, WC_Portlet) to configure the identity and trust keystores.

    The Settings pane for the Portlet server displays.

  4. Open the Configuration tab, and then the Keystores subtab.

    The Keystores pane displays.

  5. For Keystores, select Custom Identity and Java Standard Trust and click Save.

  6. Open the Control tab.

    The Control Settings pane displays.

  7. Click Restart SSL.

35.5.3 Configuring the SSL Connection

To configure the SSL connection:

  1. In the Domain Structure pane, expand Environment and select Servers.

  2. Click the Portlet server (for example, WC_Portlet) for which you want to configure SSL.

  3. Select Configuration.

  4. Check SSL Listen Port Enabled.

  5. Enter a listen port number.

  6. Select Configuration > SSL, and then open the Advanced options at the bottom of the page.

  7. Select the Two Way Client Cert Behavior attribute and choose the Client Certs Not Requested option.

  8. Click Save.

  9. Restart the WebLogic Server and open the SSL URL.

  10. Accept the certificate for the session and log in.

35.5.4 Registering the SSL-enabled WSRP Producer and Running the Portlets

To register the SSL-enabled WSRP producer and run the portlets:

  1. Configure the WC_Spaces managed server to use the Custom Identity and Java Standard Trust store. This also uses the certificates in JDK_HOME/jre/lib/security/cacerts.

  2. Download the certificate of the HTTPS producer URL and save it in .PEM format.

    Use Firefox 3.0 or later to download the certificate directly in PEM format; with other browsers, convert the downloaded certificate to PEM with the WebLogic Server der2pem tool. For more information about the der2pem tool, see the "der2pem" section in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. WebLogic Server accepts only PEM format for this step.

  3. Import the certificate into the cacerts file in JDK_HOME/jre/lib/security using the following keytool command:

    keytool -importcert -alias portlet_cert -file HOME/portlet_pem -keystore ./cacerts -storepass password
    

    Where:

    • portlet_cert is the portlet certificate alias

    • portlet_pem is the portlet certificate file (for example, portlet_cert.pem)

    • password is the keystore password

  4. Restart WC_Spaces.

  5. Start WLST as described in Section 1.13.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."

  6. Connect to the Administration Server for the target domain with the following command:

    connect('user_name','password','host_id:port')
    

    Where:

    • user_name is the name of the user account with which to access the WC_Spaces server (for example, weblogic)

    • password is the password with which to access the WC_Spaces server

    • host_id is the host ID of the Administration server

    • port is the port number of the Administration server (for example, 7001).

  7. Run the registerWSRPProducer WLST command to register the producer:

    registerWSRPProducer('webcenter', 'sslwsrpprod','producer_wsdl')
    

    Where:

    • sslwsrpprod is the name of the SSL-enabled WSRP producer

    • producer_wsdl is the WSDL URL of the SSL-enabled WSRP producer

    For example:

    registerWSRPProducer('webcenter', 'sslwsrpprod','https://example.com:7004/richtextportlet/portlets/wsrp2?WSDL')
    
  8. Navigate to the HTTP or HTTPS WebCenter Portal URL.

  9. Create a page and go to the Portlets link.

  10. Go to the registered WSRP producer.

  11. Add the portlet to the page.

  12. Go to the view mode of the page and check that the WSRP portlet renders correctly.

35.5.5 Registering the SSL-enabled PDK-Java Producer and Running the Portlets

To register the SSL-enabled PDK-Java Producer and run the portlets:

  1. Configure the WebCenter Portal managed server to use the Demo Identity and Trust store. This also uses the certificates in JDK_HOME/jre/lib/security/cacerts.

  2. Log in to the WebLogic Server Administration Console.

    For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, "Oracle WebLogic Server Administration Console."

  3. On the Domain Structure pane, expand Environment and click Servers.

    The Summary of Servers pane displays.

  4. Click WC_Spaces in the servers list.

    The Settings pane displays.

  5. Open the Configuration tab and select the Keystores tab.

  6. Make sure that the value for Demo Identity and Demo Trust is either jks or left blank.

  7. Click Save.

  8. Download the certificate of the HTTPS producer URL and save it in .PEM format.

    Use Firefox 3.0 or later to download the certificate directly in PEM format; with other browsers, convert the downloaded certificate to PEM with the WebLogic Server der2pem tool. For more information about the der2pem tool, see the "der2pem" section in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. WebLogic Server accepts only PEM format for this step.

  9. Import the certificate into the cacerts file in JDK_HOME/jre/lib/security using the following keytool command:

    keytool -importcert -alias portlet_cert -file HOME/portlet_cert.pem -keystore ./cacerts -storepass changeit
    
  10. Restart WC_Spaces.

  11. Start WLST as described in Section 1.13.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."

  12. Connect to the Administration Server for the target domain with the following command:

    connect('user_name','password','host_id:port')
    

    where:

    • user_name is the name of the user account with which to access the WC_Spaces server (for example, weblogic)

    • password is the password with which to access the WC_Spaces server

    • host_id is the host ID of the Administration server

    • port is the port number of the Administration server (for example, 7001).

  13. Run the registerPDKJavaProducer command:

    registerPDKJavaProducer('webcenter', 'ssljpdkprod', 'producer_wsdl')
    

    Where:

    • ssljpdkprod is the name of the SSL-enabled PDK-Java producer

    • producer_wsdl is the WSDL URL of the SSL-enabled PDK-Java producer

    This enables one-way SSL for a Web producer. That is, only the server side (web producer) uses certificates. The Web producer code also uses a shared key feature (discussed later) for client authentication.

  14. Go to the HTTP or HTTPS WebCenter Portal URL.

  15. Create a page and go to the Portlets link.

  16. Go to the registered PDK-Java producer.

  17. Add the portlet to the page.

  18. Go to the view mode of the page and check that the PDK-Java portlet renders correctly.
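The browser download and der2pem conversion in step 8 of this procedure (and in step 2 of Section 35.5.4) can be replaced by openssl. The following shell functions are an added example, not part of the product: they fetch the producer's certificate, convert DER to the PEM format WebLogic expects, print the SHA-256 fingerprint so it can be confirmed with the producer's administrator, and import into cacerts only when the fingerprint matches. They assume openssl and keytool on PATH; the alias portlet_cert and the producer host name are placeholders.

```shell
#!/bin/sh
# producer_cert.sh -- obtain an SSL-enabled producer's certificate without a
# browser, check its fingerprint, and import it (PEM) into the JDK cacerts
# file read by the WC_Spaces server. Added example, not part of the product.
# Assumes openssl and keytool on PATH; producer host and alias are placeholders.
set -eu

# Fetch the leaf certificate presented at host:port and write it as PEM.
# openssl x509 keeps only the first certificate of the handshake output.
fetch_server_cert() {   # host port out.pem
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$3"
}

# Convert a DER (.cer/.der) file, e.g. one saved by a browser, to PEM.
der_to_pem() {          # in.der out.pem
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# True if the file starts with a PEM certificate header (the format WebLogic accepts here).
is_pem() {              # file
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# SHA-256 fingerprint (colon-separated hex), to be compared with the value the
# producer administrator reports out of band before the certificate is trusted.
cert_fingerprint() {    # cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import into cacerts only when the file is PEM and the fingerprint matches.
import_into_cacerts() { # cert.pem alias cacerts expected_fingerprint
    is_pem "$1" || { echo "$1 is not PEM" >&2; return 1; }
    actual=$(cert_fingerprint "$1")
    [ "$actual" = "$4" ] || { echo "fingerprint mismatch: got $actual" >&2; return 1; }
    keytool -importcert -trustcacerts -alias "$2" -file "$1" -keystore "$3" \
        -storepass changeit -noprompt
}

# Usage: sh producer_cert.sh producer.example.com 7004 AB:CD:...:EF
# fetches the certificate, prints its fingerprint and imports it when it matches.
if [ $# -eq 3 ]; then
    fetch_server_cert "$1" "$2" producer.pem
    echo "fingerprint: $(cert_fingerprint producer.pem)"
    import_into_cacerts producer.pem portlet_cert "${JAVA_HOME:?}/jre/lib/security/cacerts" "$3"
fi
```

For a self-signed producer the leaf certificate is what must be trusted; if the producer's certificate is issued by a CA, import the CA certificate instead so that a renewed producer certificate does not require another import.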

35.5.6 Consuming SSL-Enabled WSRP Portlets in JDeveloper

If you're consuming SSL-enabled portlets in JDeveloper, enable SSL on the producer's managed server as described in Section 35.5.3, "Configuring the SSL Connection."

  1. For registration, the producer's self-signed certificate must be trusted by the JDeveloper runtime trust store. Find the JDK that the JDeveloper instance uses and import the certificate into that JDK's cacerts file (the trust store used by JDeveloper) with a command like the following:

    <JDK_BIN>/keytool -importcert -trustcacerts -alias portlet_producer_cert -file producer.cert -keystore ./cacerts -storepass changeit
    
  2. The integrated WebLogic server typically uses a different trust store than JDeveloper. This trust store can be identified by accessing the console of the integrated WebLogic server:

    1. Access the WebLogic console.

    2. Expand the Environment node and then click the Servers node.

    3. Click DefaultServer.

    4. Open the Configuration tab, and then open the Keystores tab.

      The value for the Demo Trust Keystore attribute is the trust store used by the integrated WebLogic server.

    The trust store can also be located by looking at the integrated WebLogic server logs. To do this, start the integrated WebLogic server and search for "-Djavax.net.ssl.trustStore" in the logs to locate the trust store.

    If you see this process parameter, then the integrated WebLogic server is using a trust store specified using JVM parameters, and you will need to import the certificate in this trust store using a command as per the following example:

    <JDK6>/bin/keytool -importcert -trustcacerts -alias portlet_producer_cert -file producer_cert.cert -keystore <JDEV_MW_HOME>/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
    

35.6 Securing the WebCenter Portal Connection to the LDAP Identity Store

To configure the LDAP server port for SSL, refer to the appropriate administration documentation for the LDAP server. For Oracle Internet Directory (OID), an SSL port is installed by default. To use this port for LDAP communication from WebCenter Portal, the identity store should be configured for authentication with the appropriate authenticator. See Chapter 31, "Configuring the Identity Store" for the steps to do this for the identity store.

Note:

When entering the Provider Specific information, be sure to specify an SSL port and to check the SSL Enabled checkbox.

If the CA is unknown to the Oracle WebLogic server, complete the two additional steps described in the following subsections:

35.6.1 Exporting the OID Certificate Authority (CA)

If the CA that signed the Oracle Internet Directory server certificate is unknown to Oracle WebLogic Server, use orapki to export the CA certificate from the OID wallet (the command prompts for the wallet password). The following example exports it to the file oid_server_trust.cert:

orapki wallet export -wallet CA -dn "CN=myCA" -cert oid_server_trust.cert

35.6.2 Setting Up the WebLogic Server

If the CA is unknown to the Oracle WebLogic server, use the utility keytool to import the Oracle Internet Directory's CA certificate into the WebLogic trust store. The following example shows how to use keytool to import the file oid_server_trust.cert exported above into the server trust store cacerts:

keytool -importcert -v -trustcacerts -alias oid_server_trust -file oid_server_trust.cert -keystore cacerts -storepass changeit

35.7 Securing the WebCenter Portal Connection to Content Server with SSL

If Content Server and the WebCenter Portal application in which you intend to create a repository connection are not on the same system or the same trusted private network, then identity propagation is not secure. To ensure secure identity propagation you must also configure SSL on Content Server.

Securing Content Server with SSL involves the following tasks:

In a production environment, Oracle recommends that you use only real certificates. For information about how to configure keystores when using real certificates, see the "Understanding Content Server Security Providers" chapter in Oracle Fusion Middleware Administering Oracle WebCenter Content.

35.7.1 Configuring a Keystore and Key on the Client Side

To configure a keystore on the WebCenter Portal application (client) side:

  1. Go to the location, for example jdk/bin, where the keytool is located, and open the command prompt.

  2. Generate the client keystore by running the following keytool command, where client_key_alias is the alias of the client key pair, client_key_password the password protecting that private key, and keystore_password the keystore password:

    keytool -genkey -keyalg RSA -validity 5000 -alias client_key_alias -keystore client-keystore.jks -dname "cn=client" -keypass client_key_password -storepass keystore_password
    
  3. To verify that the keys have been correctly created, you can optionally run the following keytool command:

    keytool -list -keystore client-keystore.jks -storepass keystore_password
    
  4. Self-sign the key (this replaces the certificate that -genkey created with a new self-signed one) by running the following keytool command:

    keytool -selfcert -validity 5000 -alias client_key_alias -keystore client-keystore.jks -keypass client_key_password -storepass keystore_password
    
  5. Export the client certificate (public key) by running the following keytool command:

    keytool -export -alias client_key_alias -keystore client-keystore.jks -file client.pubkey -storepass keystore_password
    
    

35.7.2 Configuring a Keystore and Key on the Server Side

To configure a keystore on the Content Server side:

  1. Go to the directory containing keytool (JDK_HOME/bin) and open a command prompt.

  2. Generate the server key pair, wrapped in a self-signed certificate, in a new keystore by running the following keytool command:

    keytool -genkeypair -keyalg RSA -validity 5000 -alias server_key_alias -keystore server-keystore.jks -dname "cn=server" -keypass server_key_password -storepass server_keystore_password

    Where server_key_alias is the alias of the server private key, server_key_password is the password protecting that key, and server_keystore_password is the password protecting the keystore.

  3. To verify that the key has been correctly created, run the following keytool command (the key password is not needed to list the keystore):

    keytool -list -keystore server-keystore.jks -storepass server_keystore_password

  4. The certificate created in step 2 is already self-signed. If you want to regenerate it, run the following keytool command:

    keytool -selfcert -validity 5000 -alias server_key_alias -keystore server-keystore.jks -keypass server_key_password -storepass server_keystore_password

  5. Export the server certificate, which carries the public key, from the server keystore to a file by running the following keytool command:

    keytool -exportcert -alias server_key_alias -keystore server-keystore.jks -file server.pubkey -storepass server_keystore_password
    

35.7.3 Verifying Signatures of Trusted Clients

Because the incoming provider created in Section 35.7.4 requires client authentication, the server keystore must hold the client certificate as a trusted entry, and the client keystore must hold the server certificate:

  1. Go to the directory containing keytool (JDK_HOME/bin) and open a command prompt.

  2. Import the client certificate into the server keystore by running the following keytool command:

    keytool -importcert -alias client_cert_alias -file client.pubkey -keystore server-keystore.jks -storepass server_keystore_password

  3. Import the server certificate into the client keystore by running the following keytool command:

    keytool -importcert -alias server_cert_alias -file server.pubkey -keystore client-keystore.jks -storepass client_keystore_password


    Because the certificates are self-signed, keytool cannot chain them to an entry it already trusts and asks whether to trust them. Check that the Owner and the fingerprints it prints match the certificate you exported, then enter yes. Example 35-1 shows the output of a successful import.

    Example 35-1 Sample Output Generated by the Keytool

    [user@server]$ keytool -importcert -alias client_cert_alias -file client.pubkey -keystore server-keystore.jks -storepass server_keystore_password
    Owner: CN=client
    Issuer: CN=client
    Serial number: serial number, for example, 123a19cb
    Valid from: Date, Year, and Time until: Date, Year, and Time
    Certificate fingerprints:
            ...
    Trust this certificate? [no]:  yes
    Certificate was added to keystore.
    

35.7.4 Securing Identity Propagation

To secure identity propagation, you must configure SSL on Content Server.

  1. Log on to Content Server as an administrator.

  2. From Administration, select Providers.

  3. On the Create a New Provider page, click Add for sslincoming.

  4. On the Add Incoming Provider page, in Provider Name, enter a name for the provider, for example, sslincomingprovider.

    When the new provider is set up, a directory with the provider name is created as a subdirectory of the CONTENT_SERVER_HOME/data/providers directory.

  5. In Provider Description, briefly describe the provider, for example, SSL Incoming Provider for securing the Content Server.

  6. In Provider Class, enter the class of the sslincoming provider, for example, idc.provider.ssl.SSLSocketIncomingProvider.

    Note:

    You can add a new SSL keepalive incoming socket provider or a new SSL incoming socket provider. Using a keepalive socket improves the performance of a session and is recommended for most implementations.

  7. In Connection Class, enter the class of the connection, for example, idc.provider.KeepaliveSocketIncomingConnection.

  8. In Server Thread Class, enter the class of the server thread, for example, idc.server.KeepaliveIdcServerThread.

  9. In Server Port, enter an open server port, for example, 5555.

  10. Select the Require Client Authentication checkbox. With this selected, Content Server accepts only connections from clients whose certificate is in its truststore, which is why the client certificate was imported into the server keystore in Section 35.7.3.

  11. In Keystore password, enter the password of the server keystore (server_keystore_password from Section 35.7.2).

  12. In Alias, enter the alias of the server private key in that keystore (server_key_alias).

  13. In Alias password, enter the password of that private key (server_key_password).

  14. In Truststore password, enter the password of the trust store. When the server keystore also serves as the truststore, as in Example 35-2, this is the same value as the keystore password.

  15. Click Add.

    The new incoming provider is now added.

  16. Go to the new provider directory that was created in step 4.

  17. To specify the truststore and keystore, create a file named sslconfig.hda in that directory.

  18. Copy the server keystore (server-keystore.jks) to the path on the Content Server host that sslconfig.hda will reference, for example /tmp/ssl/server_keystore, and restrict its file permissions to the Content Server user, since it contains the server private key.

  19. Configure the sslconfig.hda file. Example 35-2 shows how the .hda file should look after you include the truststore and keystore information. Because the client certificate was imported into the server keystore in Section 35.7.3, the same file serves as both keystore and truststore.

    Example 35-2 Sample sslconfig.hda File

    @Properties LocalData
    TruststoreFile=/tmp/ssl/server_keystore
    KeystoreFile=/tmp/ssl/server_keystore
    @end
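
The whole of Section 35.7.1 through Section 35.7.4 as one script. This is an added example, not code from the Oracle documentation: it assumes keytool is on PATH, uses placeholder passwords and aliases that must be replaced, and takes the Content Server location from a CONTENT_SERVER_HOME environment variable (an assumption; the data/providers directory layout is the one described in step 4 of Section 35.7.4). It omits the separate -selfcert step, because -genkeypair already wraps the key in a self-signed certificate, and writes sslconfig.hda with the server keystore doubling as truststore, as in Example 35-2.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): builds the mutually trusted
# client and server keystores of Sections 35.7.1-35.7.3 and writes the sslconfig.hda
# of Section 35.7.4. Assumes keytool (JDK) is on PATH. All passwords, aliases and
# the CONTENT_SERVER_HOME location are placeholders chosen for this example.
set -eu

# Generate an RSA key pair in a new JKS keystore. keytool -genkeypair already wraps
# the public key in a self-signed certificate, so no separate -selfcert step follows.
# -keysize 2048 overrides the older 1024-bit default; -validity 5000 is the
# documentation's value and should be shortened for production certificates.
make_keystore() { # keystore alias dname keypass storepass
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 5000 \
        -alias "$2" -dname "$3" -keystore "$1" -keypass "$4" -storepass "$5"
}

# Export the certificate (public key) for an alias in PEM form (-rfc).
export_cert() { # keystore alias storepass outfile
    keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass "$3" -file "$4"
}

# Import a peer certificate as a trusted entry. -noprompt suppresses the
# "Trust this certificate?" question; acceptable here only because both
# certificates were generated on this host moments ago.
import_trusted() { # keystore alias certfile storepass
    keytool -importcert -noprompt -alias "$2" -file "$3" -keystore "$1" -storepass "$4"
}

# Check that an alias exists; keytool prints its type (PrivateKeyEntry or
# trustedCertEntry) and fails if the alias is missing.
check_alias() { # keystore alias storepass
    keytool -list -alias "$2" -keystore "$1" -storepass "$3"
}

# Directory Content Server creates for an incoming provider (Section 35.7.4, step 4).
provider_dir() { # content_server_home provider_name
    printf '%s/data/providers/%s\n' "$1" "$2"
}

# Write the sslconfig.hda of Example 35-2. The same file may be given as keystore
# and truststore because the client certificate was imported into the server keystore.
write_sslconfig() { # providerdir keystorefile truststorefile
    printf '@Properties LocalData\nTruststoreFile=%s\nKeystoreFile=%s\n@end\n' \
        "$3" "$2" > "$1/sslconfig.hda"
}

main() {
    # 35.7.1 and 35.7.2: one key pair per side, each in its own keystore.
    make_keystore client-keystore.jks client_key 'cn=client' ClientKeyPass1 ClientStorePass1
    make_keystore server-keystore.jks server_key 'cn=server' ServerKeyPass1 ServerStorePass1
    export_cert client-keystore.jks client_key ClientStorePass1 client.pubkey
    export_cert server-keystore.jks server_key ServerStorePass1 server.pubkey

    # 35.7.3: cross-import. The server must trust the client because the provider
    # is created with Require Client Authentication; the client must trust the server.
    import_trusted server-keystore.jks client_cert client.pubkey ServerStorePass1
    import_trusted client-keystore.jks server_cert server.pubkey ClientStorePass1
    check_alias server-keystore.jks client_cert ServerStorePass1
    check_alias client-keystore.jks server_cert ClientStorePass1

    # 35.7.4, steps 16-19: stage the server keystore where Content Server reads it,
    # readable only by the Content Server user, and point sslconfig.hda at it.
    mkdir -p /tmp/ssl
    cp server-keystore.jks /tmp/ssl/server_keystore
    chmod 600 /tmp/ssl/server_keystore
    write_sslconfig "$(provider_dir "${CONTENT_SERVER_HOME:?set CONTENT_SERVER_HOME}" sslincomingprovider)" \
        /tmp/ssl/server_keystore /tmp/ssl/server_keystore
}

# The keytool steps run only when explicitly requested, so the file can also be
# sourced for its functions.
if [ "${RUN_KEYTOOL:-0}" = "1" ]; then main; fi
```

Run it as RUN_KEYTOOL=1 CONTENT_SERVER_HOME=/path/to/content_server sh script.sh on the host that has the JDK. The values to enter on the Add Incoming Provider page are then ServerStorePass1 for Keystore password, server_key for Alias, ServerKeyPass1 for Alias password, and ServerStorePass1 again for Truststore password.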
    

35.8 Securing the WebCenter Portal Connection to IMAP and SMTP with SSL

Before reconfiguring the mail server connection, you must first import the mail server's certificate into the trust store. Follow the steps below to put the certificate in the trust store and configure WebCenter Portal to use the trust store.

To secure the WebCenter Portal connection to IMAP and SMTP with SSL:

  1. Open a browser and connect to the SSL port of your IMAP server with a URL of the following form. The browser cannot render a page, because the server speaks IMAP rather than HTTP, but it completes the TLS handshake and receives the server certificate, which is all that is needed here:

    https://imapserver:ssl_port


    For example:

    https://mailserver.example:993
    
  2. Place your cursor on the page, right-click, and select Properties.

  3. Click Certificate.

  4. In the popup window, click the Details tab and click Copy to File...

    Be sure to use the DER encoded binary(X.509) format and copy to a file.

  5. Convert the .DER format certificate to .PEM format.

    Use Firefox 3.0 or later to download the certificate directly to.PEM format, or for other browsers use the WebLogic Server der2pem tool to convert to PEM format. For more information about using the der2pem tool, see the "der2pem" section in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. Note that WebLogic does not recognize any other format other than .PEM format.

  6. Import the certificate into the cacerts file of the JDK used by WebCenter Portal (typically JDK_HOME/jre/lib/security/cacerts) using the following command:

    keytool -importcert -alias imap_cer -file cert_file.cer -keystore cacerts -storepass changeit


    Where cert_file is the name of the PEM certificate file you downloaded. changeit is the password shipped with cacerts; if it has been changed on your system, use the current password.

  7. Register the mail server connection as described in Section 15.4, "Registering Mail Servers."

  8. Restart WebCenter Portal.

  9. Log into WebCenter Portal and provide your mail credentials.

35.9 Securing a Portal Framework Application's Connection to IMAP and SMTP with SSL

To secure the connection to IMAP and SMTP with SSL for a Portal Framework application:

  1. Follow the steps in Section 35.8, "Securing the WebCenter Portal Connection to IMAP and SMTP with SSL" up to and including step 7.

  2. Point the JVM that runs the application at the trust store by adding the following system properties to the managed server's start script (the example below adds them to the JAVA_PROPERTIES variable of a Windows start script):

    -Djavax.net.ssl.trustStore=C:\jive\mailtool\jssecacerts
    -Djavax.net.ssl.trustStorePassword=changeit


    For example:

    set JAVA_PROPERTIES=-Dplatform.home=%WL_HOME% -Dwls.home=%WLS_HOME% -Dweblogic.home=%WLS_HOME% -Djavax.net.ssl.trustStore=C:\jive\mailtool\jssecacerts -Djavax.net.ssl.trustStorePassword=changeit

    The trust store named here must be the file into which you imported the mail server certificate. A password passed on the command line is visible to other local users in the process listing, so use a dedicated trust store that holds only public certificates, as here, and never reuse an identity keystore password for it.
    
  3. Restart the Portal Framework application.

  4. Log into the application and provide your mail credentials.

35.10 Securing the Connection to Oracle SES with SSL

There are two scenarios in which you may want to configure SSL for SES: The first scenario is where WebCenter Portal or a Portal Framework application has already been protected with SSL but SES has not; the second scenario is where SES has been protected with SSL, but WebCenter Portal or the Portal Framework application has not. These two scenarios are described in the following subsections:

35.10.1 Securing Oracle SES with SSL

In this scenario, WebCenter Portal or your Portal Framework application is already protected with SSL, but SES is not. Follow the steps below to secure SES with SSL.

Before registering the SES connection, you must first import the certificate into the Trust Store. Follow the steps below to put the certificate in the Trust Store and register the Oracle Secure Enterprise Search (SES) connection.

To secure SES with SSL when WebCenter Portal or the Portal Framework application is already SSL-protected:

  1. Configure SSL on the WebCenter side using the following certificate name:

    cn=<myhost>
    

    where <myhost> is the fully qualified name of the host where WebCenter is installed.

    For more information about configuring SSL on WebCenter Portal, see Section 35.1, "Securing the Browser Connection to WebCenter Portal with SSL." For more information about configuring SSL for a Portal Framework application, see Section 35.2, "Securing the Browser Connection to a Portal Framework Application with SSL."

  2. Export the WebCenter certificate in PEM format (for example, as <myhost>.crt).

    You can use Firefox 3.0 or later to download the certificate directly in PEM format from the WebCenter HTTPS URL. For other browsers, open the WebCenter HTTPS URL, follow the steps below, and then use the WebLogic Server der2pem tool to convert to PEM format.

    1. Click Certificate.

    2. In the popup window, open the Details tab, and click Copy to File...

      Use the DER encoded binary (X.509) format and copy the certificate to a file.

    3. Convert the .DER format certificate to .PEM format.

      For more information about using the der2pem tool, see the "der2pem" section in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. Note that WebLogic does not recognize any format other than .PEM.

  3. In SES, import the certificate into the following keystores:

    • <SES Installation Directory>/jdk6/jre/lib/security/cacerts

    • <SES Installation Directory>/seshome/jdk/jre/lib/security/cacerts

    using the following command:

    keytool -importcert -trustcacerts -alias webcenter_wls -file <myhost>.crt -keystore cacerts -storepass changeit
    
  4. In SES, create a source for Oracle WebCenter in which the crawl and authorization endpoints point to the WebCenter Portal or Portal Framework application's HTTPS ports.

  5. Create a schedule and source group for the crawl (see Section 18.5.1.2, "Configuring Search Parameters and Crawlers Using Fusion Middleware Control").

  6. Finish the WebCenter-side configuration for SES and restart SES and WebCenter Portal or your Portal Framework application.

  7. Create some objects in WebCenter Portal or your Portal Framework application and start the crawl.

  8. After the crawl has completed, search for a keyword in WebCenter Portal or your Portal Framework application; the objects you created should appear in the results.

35.10.2 Securing the Connection to Oracle SES with SSL

In this scenario, WebCenter Portal or your Portal Framework application is not protected with SSL, but SES is.

To import the SES certificate into the WebCenter trust store and register the connection:

  1. Use your browser to navigate to the HTTPS Web Services URL that Oracle Secure Enterprise Search exposes to enable search requests:

    https://host:port/search/query/OracleSearch


    For example:

    https://example.com:7777/search/query/OracleSearch
    
  2. Place your cursor on the page, right-click with your mouse, and select Properties.

  3. Click Certificate.

  4. In the popup window, open the Details tab, and click Copy to File...

    Use DER encoded binary(X.509) format and copy the certificate to a file.

  5. Convert the .DER format certificate to .PEM format.

    Use Firefox 3.0 or later to download the certificate directly to.PEM format, or for other browsers use the WebLogic Server der2pem tool to convert to PEM format. For more information about using the der2pem tool, see the "der2pem" section in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. Note that WebLogic does not recognize any other format other than .PEM format.

  6. Import the certificate into the trust store that the WebCenter server uses, normally cacerts in JDK_HOME (DemoTrustKeyStore.jks is the WebLogic demonstration trust store and is suitable only for development), using the following command:

    keytool -importcert -alias ses_cer -file cert_file.cer -keystore cacerts -storepass changeit


    where cert_file is the name of the PEM certificate file you downloaded, and changeit is the password shipped with cacerts.

  7. Register the SES connection as described in Section 18.4.2, "Registering Oracle Secure Enterprise Search Servers."

  8. Restart WebCenter Portal or your Portal Framework application.

35.11 Securing the WebCenter Portal Connection to Microsoft Live Communication Server and Office Communication Server with SSL

To secure the WebCenter Portal connection to Microsoft Live Communication Server (LCS) or Office Communication Server 2007 (OCS) with SSL, follow the steps below to import the certificate into the trust store, and point WebCenter Portal to use the trust store. Note that securing the WebCenter Portal connection to Microsoft Live Communication Server or Office Communication Server with SSL is optional since they can be configured with confidentiality using WS-Security.

Before registering the LCS or OCS connection, you must first import the certificate into the trust store. Follow the steps below to put the certificate in the trust store:

  1. Open your browser and go to the communication server (for example, https://example.com/RTC)

  2. Place your cursor on the page, right-click, and select Properties.

  3. Click Certificate.

  4. In the popup window, open the Details tab and click Copy to File...

    Use the DER encoded binary (X.509) format, copy the certificate to a file, and then convert it to .PEM format. Alternatively, use Firefox 3.0 or later to download the certificate directly in PEM format; for other browsers use the WebLogic Server der2pem tool to convert to PEM format. For more information about using the der2pem tool, see the "der2pem" section in Oracle Fusion Middleware Command Reference for Oracle WebLogic Server. Note that WebLogic does not recognize any format other than .PEM.

  5. Import the certificate into the cacerts using the following keytool command:

    keytool -import -alias lcs_cer -file cert_file.cer -keystore cacerts -storepass changeit
    

    where cert_file is the name of the certificate file you downloaded.

  6. Locate the cacerts file that the communication server integration references in the installation, and import the same certificate into it:

    keytool -importcert -alias lcs_cer -file cert_file.cer -keystore cacerts -storepass changeit
    
  7. Register the communication server connection as described in Section 14.3, "Registering Instant Messaging and Presence Servers."

  8. Restart the WebCenter Portal server.
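
A scripted equivalent of the browser steps in Section 35.8, Section 35.10.2 and Section 35.11, which all fetch a server certificate, convert it to PEM and import it into cacerts. This is an added example, not from the Oracle documentation: it assumes openssl and keytool are on PATH, that the JDK uses the JDK 6 to 8 layout JDK_HOME/jre/lib/security/cacerts, and that the host names, ports, aliases and passwords are placeholders. It adds the check the browser procedure lacks: the certificate's SHA-256 fingerprint is printed so it can be compared with the value the mail, SES or communication server administrator supplies before anything is trusted. The der_to_pem function does for a certificate saved in DER form what der2pem does. (For the reverse direction in Section 35.10.1, the WebCenter certificate can be exported in PEM form directly from its keystore with keytool -exportcert -rfc, as in step 4 of Section 35.12.)

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): scripted version of the
# certificate download, conversion and import of Sections 35.8, 35.10.2 and 35.11,
# with a fingerprint check before the certificate is trusted. Assumes openssl and
# keytool are on PATH; host names, ports, aliases and passwords are placeholders.
set -eu

# Fetch the certificate a TLS endpoint presents and save it as PEM. Implicit TLS
# (IMAPS 993, SMTPS 465, HTTPS) needs no extra flag; for STARTTLS on IMAP 143 or
# SMTP 25/587 pass "imap" or "smtp" as the fourth argument.
fetch_cert() { # host port outfile [starttls-protocol]
    if [ -n "${4:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$4" </dev/null 2>/dev/null \
            | openssl x509 -outform PEM > "$3"
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
            | openssl x509 -outform PEM > "$3"
    fi
}

# Equivalent of the der2pem conversion for a certificate saved in DER form from a
# browser: PEM is the base64 of the DER bytes, wrapped at 64 columns, between
# CERTIFICATE markers. keytool accepts either form; WebLogic accepts only PEM.
der_to_pem() { # derfile pemfile
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$(base64 < "$1" | tr -d '\n' | fold -w 64)"
        printf '%s\n' '-----END CERTIFICATE-----'
    } > "$2"
}

# Structural check that a file holds exactly one PEM certificate before it is
# handed to keytool (a saved HTML error page would otherwise be rejected late).
pem_is_wellformed() { # pemfile
    [ "$(head -n 1 "$1")" = '-----BEGIN CERTIFICATE-----' ] &&
    [ "$(tail -n 1 "$1")" = '-----END CERTIFICATE-----' ] &&
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ]
}

# Subject and SHA-256 fingerprint of the certificate. Compare the fingerprint with
# what the server's administrator reports out of band: a download proves only what
# the network returned, not who the server is.
cert_fingerprint() { # pemfile
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# Import the certificate as a trusted entry. -noprompt is used because the
# fingerprint was checked beforehand; keytool fails if the alias already exists.
import_trusted() { # keystore alias pemfile storepass
    keytool -importcert -noprompt -alias "$2" -file "$3" -keystore "$1" -storepass "$4"
}

check_alias() { # keystore alias storepass
    keytool -list -alias "$2" -keystore "$1" -storepass "$3"
}

main() {
    # JDK 6-8 layout; "changeit" is the password shipped with cacerts and should be changed.
    cacerts="${JAVA_HOME:?set JAVA_HOME}/jre/lib/security/cacerts"
    store_pass="${CACERTS_PASS:-changeit}"

    # Section 35.8: IMAP over implicit TLS, alias imap_cer as in the documentation.
    fetch_cert mailserver.example 993 imap_cer.pem
    pem_is_wellformed imap_cer.pem
    cert_fingerprint imap_cer.pem
    import_trusted "$cacerts" imap_cer imap_cer.pem "$store_pass"
    check_alias "$cacerts" imap_cer "$store_pass"

    # Sections 35.10.2 (SES query endpoint) and 35.11 (communication server) differ
    # only in host, port and alias, for example:
    #   fetch_cert example.com 7777 ses_cer.pem; import_trusted "$cacerts" ses_cer ses_cer.pem "$store_pass"
    #   fetch_cert example.com 443 lcs_cer.pem;  import_trusted "$cacerts" lcs_cer lcs_cer.pem "$store_pass"
}

if [ "${RUN_FETCH:-0}" = "1" ]; then main; fi
```

Run it as RUN_FETCH=1 JAVA_HOME=/path/to/jdk sh script.sh on the WebCenter host, then restart the server and register the connection as the section describes. Because the file is written as functions, der_to_pem and pem_is_wellformed can also be used on their own for a certificate that was saved from a browser.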

35.12 Securing the WebCenter Portal Connection to an External BPEL Server with SSL

This section describes how to secure the WebCenter Portal connection to a BPEL server when the BPEL server resides in an external SOA domain.

Note:

When SOA is installed in an external domain, the Identity Asserter and Authenticator should be configured exactly as for WebCenter Portal. For more information on configuring the Identity Asserter and Authenticator for an external LDAP identity store, see Section 31.1, "Reassociating the Identity Store with an External LDAP Server."

To secure the WebCenter Portal connection to an external BPEL server with SSL:

  1. Copy the public certificate (webcenter_wls.cer) from WebCenter Portal into the SOA domain.

  2. Go to JDK_HOME/bin/ and open a command prompt.

  3. Generate a custom keystore on the SOA domain, naming the keystore soa_server1.jks and the alias soa_server1, using the following keytool command:

    keytool -genkeypair -keyalg RSA -dname dname -alias soa_server1 -keypass key_pass -keystore soa_server1.jks -storepass keystore_password -validity days_valid


    Where:

    • dname is the DN (distinguished name) to use (for example, cn=customidentity,dc=example,dc=com). WebLogic's default hostname verifier compares the host name in the URL with the cn of the server certificate, so use the fully qualified host name of the SOA server as cn unless hostname verification has been configured otherwise.

    • key_pass is the password for the new private key (for example, MyPassword1)

    • keystore_password is the keystore password (for example, MyPassword1)

    • days_valid is the number of days for which the certificate is valid (for example, 360).

  4. Export the certificate from soa_server1.jks in PEM format using the following command:

    keytool -exportcert -v -alias soa_server1 -keystore soa_server1.jks -storepass keystore_password -rfc -file soa_server1.cer


    Where:

    • keystore_password is the password of soa_server1.jks (for example, MyPassword1)

  5. Log in to the WebLogic Server Administration Console on the SOA domain.

    For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, "Oracle WebLogic Server Administration Console."

  6. In the Navigation pane, expand Environment and click Servers.

    The Summary of Servers pane displays.

  7. From the Configuration tab, click soa_server1 in the list of servers.

    The Settings page for soa_server1 displays.

  8. Open the Keystores tab.

    The Keystore settings for soa_server1 displays.

  9. For Keystores, select Custom Identity and Java Standard Trust.

  10. Specify the path and filename of keystore (soa_server1.jks) created above.

  11. Go to the directory containing the java standard trust keystore (the cacerts file) specified in the Java Standard Trust Keystores field, and import the SOA and WebCenter Portal public certificates into it so that the server trusts them:

    keytool -importcert -trustcacerts -alias webcenter_wls -file webcenter_wls.cer -keystore cacerts -storepass trust_password

    keytool -importcert -trustcacerts -alias soa_server1 -file soa_server1.cer -keystore cacerts -storepass trust_password


    Where:

    • trust_password is the password of the cacerts file (changeit unless it has been changed), which is also the value to enter in the Java Standard Trust Keystore Passphrase field on the Keystores tab

    Say yes when prompted to trust each certificate.

  12. From the WLS Administration Console on the SOA domain, open the SSL tab.

    The SSL settings for soa_server1 display.

  13. Specify soa_server1 as the Private Key Alias.

  14. Enter and confirm the password for the private key (for example, MyPassword1) and click Save.

  15. Open the General tab.

    The General settings for soa_server1 display.

  16. Make sure that Listen Port Enabled is not selected.

  17. Select SSL Listen Port Enabled, specify the SSL Listen Port, and click Save.

  18. Open the Control tab, and then open the Start/Stop sub-tab.

    The Start/Stop settings for soa_server1 display.

  19. Select soa_server1 from the list of servers, and click Restart SSL.

  20. Restart the soa_server1 Managed Server on the SOA domain.

  21. From the WebCenter Portal domain, import the soa_server1.cer certificate as a trusted certificate into the server trust store (cacerts) using the following keytool command:

    keytool -importcert -trustcacerts -alias soa_server1 -file soa_server1.cer -keystore cacerts -storepass changeit
    

    Say yes when prompted to trust the certificate.

  22. Add the Worklist connection on the WebCenter Portal domain as described in Section 20.4.2, "Registering Worklist Connections" specifying the host:ssl_port settings for soa_server1 when defining the BPEL URL.

  23. Restart the WC_Spaces server.
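
A post-configuration check for Section 35.12, added here and not part of the Oracle documentation. Run from the WebCenter Portal host, it confirms that soa_server1 presents the certificate exported in step 4, that the handshake verifies against that file alone, that the plain listen port disabled in step 16 is really closed, and that the WebCenter trust store contains the soa_server1 entry imported in step 21. It assumes openssl, keytool and nc (netcat) are on PATH and that the JDK uses the JDK_HOME/jre/lib/security/cacerts layout; the host name soa.example.com and the ports 8001 and 8002 are placeholders.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): checks the result of
# Section 35.12. Assumes openssl, keytool and nc are on PATH; the host name and
# port numbers are placeholders for the SOA managed server.
set -eu

# Full TLS handshake against the SSL listen port, trusting only the exported
# soa_server1.cer. The transcript is printed; the verify result is parsed below.
ssl_handshake() { # host sslport certfile
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null || true
}

# Pull the numeric OpenSSL verify code out of an s_client transcript.
# "Verify return code: 0 (ok)" means the presented chain validated against -CAfile;
# an empty result means no handshake completed.
verify_code() { # transcript on stdin
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Pin check: the fingerprint the server presents must equal the exported file's.
presented_fingerprint() { # host sslport
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
file_fingerprint() { # certfile
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Step 16 disabled the plain listen port, so a TCP connect to it must fail.
plain_port_closed() { # host port
    ! nc -z -w 3 "$1" "$2"
}

# Step 21: WebCenter's cacerts must contain the SOA certificate under alias soa_server1.
webcenter_trusts_soa() { # cacerts storepass
    keytool -list -alias soa_server1 -keystore "$1" -storepass "$2" >/dev/null
}

main() {
    host=soa.example.com; plain_port=8001; ssl_port=8002

    code=$(ssl_handshake "$host" "$ssl_port" soa_server1.cer | verify_code)
    [ "$code" = "0" ] \
        || { echo "handshake with $host:$ssl_port did not verify (code: ${code:-none})" >&2; exit 1; }

    [ "$(presented_fingerprint "$host" "$ssl_port")" = "$(file_fingerprint soa_server1.cer)" ] \
        || { echo "$host:$ssl_port presents a different certificate than soa_server1.cer" >&2; exit 1; }

    plain_port_closed "$host" "$plain_port" \
        || { echo "plain listen port $plain_port is still open; clear Listen Port Enabled" >&2; exit 1; }

    webcenter_trusts_soa "${JAVA_HOME:?set JAVA_HOME}/jre/lib/security/cacerts" "${CACERTS_PASS:-changeit}" \
        || { echo "alias soa_server1 not found in the WebCenter trust store" >&2; exit 1; }

    echo "soa_server1 SSL port verified, plain port closed, WebCenter trusts soa_server1"
}

if [ "${RUN_CHECK:-0}" = "1" ]; then main; fi
```

Run it as RUN_CHECK=1 JAVA_HOME=/path/to/jdk sh script.sh from the directory that holds soa_server1.cer. A non-zero verify code together with a matching fingerprint usually means the certificate's validity period or cn does not match what OpenSSL expects, which is worth resolving before WebLogic's own hostname verifier hits the same problem at Worklist registration time.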