28 Configuring WS-Security for WebCenter Applications and Components

This chapter describes how to set up WS-Security for WebCenter applications (including WebCenter Spaces and custom WebCenter applications) and related services and components based on your topology. This section covers the following configurations:

Within these three topologies, configuration is described for the WebCenter application (WebCenter Spaces, for example), Oracle WebCenter Discussions, the Worklist service, and WSRP producers. These configurations and the steps for securing OWLCS and applications consuming WebCenter Spaces APIs are covered in the following sections:

Audience

The content of this chapter is intended for Fusion Middleware administrators (users granted the Admin role through the Oracle WebLogic Server Administration Console). Users with the Monitor or Operator roles can view security information but cannot make changes. See also, Section 1.8, "Understanding Administrative Operations, Roles, and Tools."

28.1 Configuring WS-Security for a Simple Topology

This section describes how to configure WS-Security for a topology where the WebCenter application, the BPEL server, and WSRP producers share the same domain (Figure 28-1).

Figure 28-1 WS-Security for a Simple Configuration


The steps to configure WS-Security for a simple single-domain WebCenter topology are described in the following sections:

28.1.1 Setting Up the WebCenter Domain Keystore

The security credentials of the WebCenter application, discussions server, BPEL server, and WSRP producers can be retrieved and managed using a Java Keystore (JKS). A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the wallet or keystore. See the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information about JKS.

This section contains the following subsections:

28.1.1.1 Creating the WebCenter Domain Keystore

This section describes how to create a keystore and keys using a Java Keystore (JKS). JKS is the proprietary keystore format defined by Sun Microsystems. To create and manage the keys and certificates in the JKS, use the keytool utility that is distributed with the Java JDK 6.

To create the WebCenter domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias orakey  -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=spaces,dc=example,dc=com)

    • key_password is the password for the new public key, (for example, welcome1)

    • keystore is the keystore name, (for example, webcenter.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-1 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias orakey  -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.

  3. Export the certificate containing the public key:

    keytool -exportcert -v -alias orakey -keystore keystore -storepass keystore_password -rfc -file orakey.cer
    

    Where:

    • keystore is the keystore name, (for example, webcenter.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    Example 28-2 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias orakey -keystore webcenter.jks -storepass welcome1 -rfc -file orakey.cer
    
  4. Import the certificate with the alias webcenter_spaces_ws (choose Yes when prompted whether to overwrite the existing certificate with the alias orakey):

    keytool -importcert -alias webcenter_spaces_ws -file orakey.cer  -keystore webcenter.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password

    Example 28-3 Importing the Certificate

    keytool -importcert -alias webcenter_spaces_ws -file orakey.cer -keystore webcenter.jks -storepass welcome1
    
  5. Continue by configuring the keystore using either WLST as described in Section 28.1.1.2, "Configuring the Keystore with WLST," or using Fusion Middleware Control as described in Section 28.1.1.3, "Configuring the Keystore Using Fusion Middleware Control."

    Table 28-1 shows the keystore contents you should wind up with after creating and configuring the keystore.

    Table 28-1 WebCenter Domain Keystore Contents for a Simple Topology

    Key Alias: orakey
    Description: Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions.

    Key Alias: webcenter_spaces_ws
    Description: Certificate containing the public key for the orakey private key used in the WebCenter domain. The certificate is used to encrypt outbound WebService messages from the Workflow application on BPEL Server1 in the WebCenter domain to the WebService APIs in the WebCenter domain.
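As an added check (example script, not part of the Oracle guide), the following verifies after step 5 that the keystore really holds what Table 28-1 lists and that the key pair was generated with RSA rather than keytool's DSA default, by parsing the output of keytool -list -v. The listing line formats it relies on, the verify_keystore wrapper and the constructed sample listing written by write_sample_listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: check a WebCenter domain keystore
# against Table 28-1 by parsing "keytool -list -v" output. The lines relied on
# ("Alias name:", "Entry type:", "Signature algorithm name:") are what JDK 6
# keytool prints; treat that as an assumption for other JDKs. The signature
# algorithm of the self-signed certificate (SHA1withRSA vs SHA1withDSA) is
# used as the indicator of the key algorithm, which the listing does not
# print directly.

# check_keystore_listing LISTING_FILE KEY_ALIAS CERT_ALIAS
#   Returns 0 when LISTING_FILE shows an RSA key pair under KEY_ALIAS and a
#   trusted certificate under CERT_ALIAS, 1 otherwise (reason on stdout).
check_keystore_listing() {
    awk -v want_key="$2" -v want_cert="$3" '
        /^Alias name:/              { alias = $3 }
        /^Entry type:/              { etype[alias] = $3 }
        /Signature algorithm name:/ { sig[alias] = $NF }
        END {
            ok = 1
            if (etype[want_key] != "PrivateKeyEntry" && etype[want_key] != "keyEntry") {
                print "FAIL: no key pair stored under alias " want_key
                ok = 0
            } else if (sig[want_key] !~ /RSA$/) {
                print "FAIL: key pair " want_key " is " sig[want_key] ", not RSA; regenerate it with -keyalg RSA"
                ok = 0
            }
            if (etype[want_cert] != "trustedCertEntry") {
                print "FAIL: no trusted certificate stored under alias " want_cert
                ok = 0
            }
            if (ok) print "OK: keystore contents match Table 28-1"
            exit (ok ? 0 : 1)
        }' "$1"
}

# verify_keystore KEYSTORE STOREPASS KEY_ALIAS CERT_ALIAS
#   Runs keytool from the JDK in use (step 1) and checks the listing. Usage
#   with the guide's example values:
#     verify_keystore webcenter.jks welcome1 orakey webcenter_spaces_ws
verify_keystore() {
    listing=$(mktemp) || return 1
    if ! keytool -list -v -keystore "$1" -storepass "$2" > "$listing"; then
        rm -f "$listing"; return 1
    fi
    check_keystore_listing "$listing" "$3" "$4"; rc=$?
    rm -f "$listing"
    return "$rc"
}

# write_sample_listing FILE SIGALG
#   Constructed stand-in for "keytool -list -v" output on a keystore built per
#   Section 28.1.1.1 (SIGALG is RSA or DSA); lets the check run offline.
write_sample_listing() {
    cat > "$1" <<EOF
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: orakey
Creation date: Jan 1, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=spaces, DC=example, DC=com
Issuer: CN=spaces, DC=example, DC=com
Serial number: 1
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Fri Nov 30 00:00:00 UTC 2012
     Signature algorithm name: SHA1with$2
     Version: 3


Alias name: webcenter_spaces_ws
Creation date: Jan 1, 2010
Entry type: trustedCertEntry

Owner: CN=spaces, DC=example, DC=com
Issuer: CN=spaces, DC=example, DC=com
Serial number: 1
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Fri Nov 30 00:00:00 UTC 2012
     Signature algorithm name: SHA1with$2
     Version: 3
EOF
}
```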


28.1.1.2 Configuring the Keystore with WLST

After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the credential store:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> node for the keystore.provider provider.

  3. Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.

  4. Use the following WLST commands to update the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password=keystore_password, desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password=private_key_password, desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password=private_key_password, desc="Signing key")
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    • private_key_password is the password of the orakey private key, as set with -keypass in Section 28.1.1.1 (for example, welcome1)

    Example 28-4 Updating the Credential Store

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.1.1.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.1.1.4, "Unconfiguring a Keystore Provider Using Fusion Middleware Control." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.

  2. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  3. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).

  4. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-2).

    Figure 28-2 Security Provider Configuration Page


  5. Expand the Keystore section on the Security Provider Configuration page.

  6. Click Configure.

    The Keystore Configuration page displays (see Figure 28-3).

    Figure 28-3 Keystore Configuration Page


  7. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./webcenter.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: orakey

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: orakey

    • Crypt Password: Enter and confirm the password for the encryption key.

  8. Click OK to save your settings.

  9. Restart the Administration server for the domain.

28.1.1.4 Unconfiguring a Keystore Provider Using Fusion Middleware Control

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, ignore this section and continue with the steps to configure the keystore in Section 28.1.1.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-4).

    Figure 28-4 Security Provider Configuration Page


  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-5).

    Figure 28-5 Keystore Configuration Page


  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.1.2 Configuring the Discussions Server for a Simple Topology

To use the Oracle WebCenter Discussions with WebCenter Spaces or a custom WebCenter application, you must enable Web Services Security (WS-Security) trusted authentication. WS-Security establishes a trust relationship between your WebCenter application and Oracle WebCenter Discussions so that the application can pass the user identity information to the discussions server without knowing the user's credentials.

Note:

Discussions-specific Web Services messages sent by WebCenter applications to the Oracle WebCenter Discussions server are not encrypted. For message confidentiality, the discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Chapter 27, "Securing WebCenter Applications and Components with SSL."

To set WS-Security-related properties on the discussions server connection that is configured for WebCenter Spaces or your custom WebCenter application, refer to Table 12-4, "Additional Discussion Connection Properties" in Section 12.3.1, "Registering Discussions Servers Using Fusion Middleware Control."

To configure WS-Security on the discussions server side, you must create a keystore certificate properties file, specify it for the ClassLoader, and modify the webservices.soap.custom.crypto.fileName system property. These configuration steps are described in the following sub-sections:

28.1.2.1 Importing the WebCenter Domain Certificate

Create a keystore by importing the certificate containing the public key of the WebCenter domain.

To import the WebCenter domain certificate:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, import the certificate containing the public key of the WebCenter domain:

    keytool -importcert -alias df_orakey_public -file orakey.cer  -keystore owc_discussions.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password, (for example, welcome1)

    Example 28-5 Importing the WebCenter Domain Certificate

    keytool -importcert -alias df_orakey_public -file orakey.cer -keystore owc_discussions.jks -storepass welcome1
      
  3. At the prompt "Trust this certificate?", choose yes.

28.1.2.2 Creating the Keystore Certificate Properties File

The server-side keystore certificate configuration must be stored in a properties file (keystore.properties) and specified as a system property on the discussions server. The properties file must then be loaded in the ClassLoader for the WS-Secure Handler to pick it up.

Note:

When you are updating the properties file, be sure to remove any spaces from the property names and values. The properties file should not contain any extraneous spaces.

To create the properties file:

  1. Create a properties file with the following entries:

    org.apache.ws.security.crypto.provider=<Specify your crypto provider (typically org.apache.ws.security.components.crypto.Merlin)>
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=<Specify the keystore password of your server certificate. Note that the password stored in this file is in clear text because of a limitation of the WS-Security provider WSS4J used in Oracle Discussions Server.>
    org.apache.ws.security.crypto.merlin.keystore.alias=df_orakey_public
    org.apache.ws.security.crypto.merlin.file=<Absolute path of the directory containing the keystore created above>/owc_discussions.jks
    
  2. Save the file as keystore.properties.
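An added check (example script, not from the Oracle guide) for the keystore.properties file created above and again in the command summary in Section 28.1.4: it enforces the note about extraneous spaces, confirms every property is present with a value, checks that the keystore path is absolute and exists, and, because the password is stored in clear text, insists the file is readable only by its owner. The write_sample_properties helper and the permission check are this example's own assumptions, not requirements stated by the guide.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: validate a keystore.properties
# file before it goes on the discussions server CLASSPATH. The whitespace,
# required-key and path checks follow Section 28.1.2.2; the permission check
# is this example's own addition, justified by the clear-text password.
# Paths are checked in POSIX form only (the guide's Windows "\\" note is not
# covered here).

REQUIRED_KEYS="org.apache.ws.security.crypto.provider
org.apache.ws.security.crypto.merlin.keystore.type
org.apache.ws.security.crypto.merlin.keystore.password
org.apache.ws.security.crypto.merlin.keystore.alias
org.apache.ws.security.crypto.merlin.file"

# check_keystore_properties FILE
#   Returns 0 when FILE passes every check, 1 otherwise; each failure is
#   reported on stdout so the file can be fixed in place.
check_keystore_properties() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }

    # 1. No extraneous whitespace: trailing blanks (including a CR left by a
    #    Windows editor) survive properties parsing and become part of the
    #    password or keystore path; blanks around '=' are flagged as well,
    #    because the guide says the file must not contain any.
    if grep -n -E '[[:space:]]$|[[:space:]]=|=[[:space:]]' "$f"; then
        echo "FAIL: extraneous whitespace on the line(s) above"; rc=1
    fi

    # 2. Every property the WSS4J Merlin provider needs is present and non-empty.
    for key in $REQUIRED_KEYS; do
        grep -q "^$key=." "$f" || { echo "FAIL: $key missing or empty"; rc=1; }
    done

    # 3. merlin.file must be an absolute path (as the guide requires) to a
    #    keystore that actually exists on this host.
    ks=$(sed -n 's/^org\.apache\.ws\.security\.crypto\.merlin\.file=//p' "$f")
    case "$ks" in
        /*) [ -f "$ks" ] || { echo "FAIL: keystore $ks does not exist"; rc=1; } ;;
        *)  echo "FAIL: merlin.file must be an absolute path (got '$ks')"; rc=1 ;;
    esac

    # 4. The keystore password is in clear text, so only the owner (the account
    #    running the discussions server) may read the file.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        *00) ;;
        *)  echo "FAIL: $f has mode $mode; run: chmod 600 $f"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $f passes all checks"
    return "$rc"
}

# write_sample_properties FILE KEYSTORE_PATH
#   Writes a constructed properties file using the guide's example values
#   (Merlin provider, alias df_orakey_public, password welcome1).
write_sample_properties() {
    cat > "$1" <<EOF
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=welcome1
org.apache.ws.security.crypto.merlin.keystore.alias=df_orakey_public
org.apache.ws.security.crypto.merlin.file=$2
EOF
    chmod 600 "$1"
}
```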

28.1.2.3 Specifying the Properties File for ClassLoader

There are two ways you can choose to specify your keystore.properties file based on your setup. Using the same file mounted across different servers is recommended when using a Clustered Discussions Server installation in Linux.

To specify the properties file for ClassLoader, do one of the following:

  • Specify the properties file as the CLASSPATH in setDomainEnv.sh.

    For Linux:

    1. Place the keystore.properties file in a directory (for example, /home/user/keystore/).

    2. Open DOMAIN_HOME/bin/setDomainEnv.sh.

    3. Towards the end of the file, add the following lines to specify this directory as the CLASSPATH.

      if [ "${CLASSPATH}" != "" ] ; then
        CLASSPATH="${CLASSPATH}${CLASSPATHSEP}/home/user/keystore/"
        export CLASSPATH
      else
        CLASSPATH="/home/user/keystore/"
        export CLASSPATH
      fi
      

      Note that the CLASSPATH directory name must end with "/".

    For Windows:

    1. Place the keystore.properties file in a directory (for example, c:\keystore\).

    2. Open DOMAIN_HOME\bin\setDomainEnv.cmd.

    3. Towards the end of the file, add the following lines to specify this directory in CLASSPATH.

        if NOT "%CLASSPATH%"=="" (
          set CLASSPATH=%CLASSPATH%;c:\keystore\
        ) else (
          set CLASSPATH=c:\keystore\
        )
      

      Note that the CLASSPATH directory name must end with "\".

  • Or, add the keystore.properties file to a .JAR file and place the .JAR file in your DOMAIN_HOME/lib directory. Be sure to also set the system property webservices.soap.custom.crypto.fileName to keystore.properties as described in Section 28.1.2.4, "Updating the System Properties for WS-Security."

28.1.2.4 Updating the System Properties for WS-Security

To update your system properties:

  1. Log in to the Oracle WebCenter Discussions Administration Console at the following URL:

    http://host:port/owc_discussions/admin

    Where host and port are the address and the port number of the server where you deployed Oracle WebCenter Discussions (for example, http://localhost:7001/owc_discussions).

  2. Click System Properties under Forum System to display the Jive Properties page.

  3. Modify the system property webservices.soap.custom.crypto.fileName and specify the properties file that you created (that is, keystore.properties).

    Ensure that you specify the name of the file, and not the directory or .JAR name.

  4. Click OK.

  5. Restart the WLS_Services Managed Server.

28.1.2.5 Configuring the Discussions Server Connection Settings

After setting the system properties, you must supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Spaces or your custom WebCenter application, as described in Section 12.3, "Registering Discussions Servers." Figure 28-6 shows example settings for the Edit Discussions and Announcement Connection page.

Figure 28-6 Edit Discussions and Announcement Connection Page


28.1.3 Configuring the BPEL Server for a Simple Topology

The BPEL server's Worklist connection must be configured to use the message-protected SAML service policy. The BPEL server's oracle-webservices.xml file must also be edited so that the server-side SAML policy matches the client's policy.

To configure the BPEL server:

  1. To configure the Worklist connection on the BPEL server to use the SAML policy with message protection, follow the steps in Section 20.3.2, "Registering Worklist Connections" selecting SAML Token With Message Client Policy in Fusion Middleware Control, or entering oracle/wss10_saml_token_with_message_protection_client_policy as the policy value if using WLST.

  2. Use grep to find the strings TaskQueryServicePortSAML and provider-name in all the BPEL server's oracle-webservices.xml files. For example:

    cd <domain home>
    find . -name oracle-webservices.xml -exec grep -H TaskQueryServicePortSAML {} \; | grep provider-name
    ./servers/BPEL Server 1/tmp/_WL_user/soa-infra/ugh7wb/war/WEB-INF/oracle-webservices.xml: <provider-name>TaskQueryServicePortSAML</provider-name>
    
  3. Back up the file. For example:

    cp "./servers/BPEL Server 1/tmp/_WL_user/soa-infra/ugh7wb/war/WEB-INF/oracle-webservices.xml" "./servers/BPEL Server 1/tmp/_WL_user/soa-infra/ugh7wb/war/WEB-INF/oracle-webservices.xml.original"
    
  4. Edit the file, replacing:

    <policy-reference uri="oracle/wss10_saml_token_service_policy" category="security" enabled="true"/>
    

    with:

    <policy-reference uri="oracle/wss10_saml_token_with_message_protection_service_policy" category="security" enabled="true"/>
    
  5. Save the file and restart the Managed Servers. Message-protected SAML access is now configured. If the Worklist service still does not work, examine the managed server diagnostic logs for exception stack traces that point to the configuration issue.

28.1.4 Command Summary for a Simple Topology

Use the following command summary to quickly configure the keystore and DF properties for a simple topology.

Generate the Keystore

Use the following keytool commands to generate the keystore, replacing the example values (the distinguished name, the passwords, and the keystore file name) with those for your local environment:

keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias orakey  -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 1064

keytool -exportcert -v -alias orakey -keystore default-keystore.jks -storepass welcome1 -rfc -file orakey.cer

keytool -importcert -alias webcenter_spaces_ws -file orakey.cer  -keystore default-keystore.jks -storepass welcome1

When prompted that the certificate already exists, say yes.

keytool -importcert -alias df_orakey_public -file orakey.cer  -keystore owc_discussions.jks -storepass welcome1

When prompted to trust the certificate, say yes.

Copy the default-keystore.jks file to your domain_home/config/fmwconfig directory.

Configure the Keystore

Using WLST, connect to the WebCenter Spaces domain as an admin user and run the following commands:

createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

Configure the DF Keystore Properties File

Create the keystore.properties file described in Section 28.1.2.2, "Creating the Keystore Certificate Properties File," with the following entries:

org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=welcome1
org.apache.ws.security.crypto.merlin.keystore.alias=df_orakey_public
org.apache.ws.security.crypto.merlin.file=<dir_containing_keystore>/owc_discussions.jks

Note:

Be sure to trim any spaces from the line endings. If you are working in a Windows environment, also be sure to use "\\" as the file path separator.

Additional DF Connection properties are shown in Table 28-2.

Table 28-2 Additional DF Connection Properties

Property Name              Property Value                                         Secured
keystore.location          <domain_home>/config/fmwconfig/default-keystore.jks    No
keystore.type              jks                                                    No
keystore.password          welcome1                                               Yes
encryption.key.alias       orakey                                                 No
encryption.key.password    welcome1                                               Yes
group.mapping              category                                               No


28.2 Configuring WS-Security for a Typical Topology

This section describes how to configure WS-Security for a topology where the WebCenter application and the WSRP producers share the same domain, but the BPEL server is in an external domain, the SOA domain (see Figure 28-7).

Figure 28-7 Typical WS-Security Configuration


The steps to configure WS-Security for a typical two domain WebCenter topology are described in the following sections:

28.2.1 Setting Up the WebCenter Domain Keystore

The security credentials of a WebCenter application, discussions server, BPEL server (in a separate domain), and WSRP producers can be retrieved and managed using a Java Keystore (JKS). A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the wallet or keystore. See the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information about JKS.

This section contains the following subsections:

28.2.1.1 Creating the WebCenter Domain Keystore

This section describes how to create a keystore and keys using a Java Keystore (JKS). JKS is the proprietary keystore format defined by Sun Microsystems. To create and manage the keys and certificates in the JKS, use the keytool utility that is distributed with the Java JDK 6.

To create the WebCenter domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias webcenter -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=spaces,dc=example,dc=com)

    • key_password is the password for the new public key, (for example, welcome1)

    • keystore is the keystore name, (for example, webcenter.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-6 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias  webcenter -keypass welcome1 -keystore webcenter.jks -storepass welcome1  -validity 1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.

  3. Export the certificate containing the public key:

    keytool -exportcert -v -alias webcenter -keystore keystore  -storepass keystore_password -rfc -file webcenter_public.cer
    

    Where:

    • keystore is the keystore name, (for example, webcenter.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    Example 28-7 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias webcenter -keystore webcenter.jks  -storepass welcome1 -rfc -file webcenter_public.cer
    
  4. Continue by configuring the keystore using either WLST, as described in Section 28.2.1.2, "Configuring the Keystore Using WLST," or Fusion Middleware Control, as described in Section 28.2.1.3, "Configuring the Keystore Using Fusion Middleware Control."

    Table 28-3 shows the keystore contents you should wind up with after creating and configuring the keystore.

    Table 28-3 WebCenter Domain Keystore Contents for a Typical Topology

    Key Alias: webcenter
    Description: Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions.

    Key Alias: orakey
    Description: Certificate containing the public key for the BPEL private key used in the SOA domain. The certificate is used to encrypt outbound WebService messages from the WebCenter domain (the Worklist service) to the SOA server in the SOA domain.


28.2.1.2 Configuring the Keystore Using WLST

After creating the WebCenter domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the keystore service:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> node for the keystore.provider provider.

  3. Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.

  4. Use the following WLST commands to update the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password=keystore_password, desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password=private_key_password, desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password=private_key_password, desc="Signing key")
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    • private_key_password is the password of the webcenter private key, as set with -keypass in Section 28.2.1.1 (for example, welcome1)

    Example 28-8 Updating the Credential Store

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.2.1.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.2.1.4, "Unconfiguring a Keystore Provider." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).

  3. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-8).

    Figure 28-8 Security Provider Configuration Page


  4. Expand the Keystore section on the Security Provider Configuration page.

  5. Click Configure.

    The Keystore Configuration page displays (see Figure 28-9).

    Figure 28-9 Keystore Configuration Page


  6. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./webcenter.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: webcenter

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: webcenter

    • Crypt Password: Enter and confirm the password for the encryption key.

  7. Click OK to save your settings.

  8. Restart the Administration server for the domain.

28.2.1.4 Unconfiguring a Keystore Provider

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, continue with the steps to configure the keystore in Section 28.2.1.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-10).

    Figure 28-10 Security Provider Configuration Page


  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-11).

    Figure 28-11 Keystore Configuration Page


  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.2.2 Configuring the Discussions Server for a Typical Topology

To use Oracle WebCenter Discussions with WebCenter Spaces or custom WebCenter applications, you must enable Web Services Security (WS-Security) trusted authentication. WS-Security establishes a trust relationship between your WebCenter application and Oracle WebCenter Discussions so that the application can pass the user identity information to the discussions server without knowing the user's credentials.

Note:

Discussions-specific Web Services messages sent by WebCenter applications to the Oracle WebCenter Discussions server are not encrypted. For message confidentiality, the Discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Chapter 27, "Securing WebCenter Applications and Components with SSL."

This section describes how to add the WS-Security-related properties within the discussions server connection that is configured for WebCenter Spaces or your custom WebCenter application. For information on how to add new properties, see Table 12-4, "Additional Discussion Connection Properties" in Section 12.3.1, "Registering Discussions Servers Using Fusion Middleware Control."

To configure WS-Security on the discussions server side, you must create a keystore certificate properties file, specify it for the ClassLoader, and modify the webservices.soap.custom.crypto.fileName system property.

These configuration steps are described in the following sub-sections:

28.2.2.1 Importing the WebCenter Domain Certificate

Create a keystore by importing the certificate containing public key of the WebCenter domain.

To import the WebCenter domain certificate:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, import the certificate containing the public key of the WebCenter domain:

    keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-9 Importing the WebCenter Domain Certificate

      keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass welcome1
      

28.2.2.2 Creating the Keystore Certificate Properties File

The server-side keystore certificate configuration must be stored in a properties file (keystore.properties) and specified as a system property on the discussions server. The properties file must then be loaded in the ClassLoader for the WS-Secure Handler to pick it up.

Note:

When you are updating the properties file, be sure to remove any spaces from the property names and values. The properties file should not contain any extraneous spaces.

To create the properties file:

  1. Create a properties file with the following entries:

    org.apache.ws.security.crypto.provider=<Specify your crypto provider (typically org.apache.ws.security.components.crypto.Merlin)>
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=<Specify the keystore password of your server certificate. Note that the password stored in this file is in clear text because of a limitation of the WS-Security provider WSS4J used in Oracle Discussions Server.>
    org.apache.ws.security.crypto.merlin.keystore.alias=df_webcenter_public
    org.apache.ws.security.crypto.merlin.file=<Absolute path of the directory containing the keystore (owc_discussions.jks) created above.>
    
  2. Save the file as keystore.properties.

28.2.2.3 Specifying the Properties File for ClassLoader

There are two ways you can choose to specify your keystore.properties file based on your setup. Using the same file mounted across different servers is recommended when using a Clustered Discussions Server installation in Linux.

To specify the properties file for ClassLoader, do one of the following:

  • Specify the properties file as the CLASSPATH in setDomainEnv.sh.

    For Linux:

    1. Place the keystore.properties file in a directory (for example, /home/user/keystore/).

    2. Open DOMAIN_HOME/bin/setDomainEnv.sh.

    3. Towards the end of the file, add the following lines to specify this directory as the CLASSPATH.

      if [ "${CLASSPATH}" != "" ] ; then
        CLASSPATH="${CLASSPATH}${CLASSPATHSEP}/home/user/keystore/"
        export CLASSPATH
      else
        CLASSPATH="/home/user/keystore/"
        export CLASSPATH
      fi
      

      Note that the CLASSPATH directory name must end with "/".

    For Windows:

    1. Place the keystore.properties file in a directory (for example, c:\keystore\).

    2. Open DOMAIN_HOME\bin\setDomainEnv.cmd.

    3. Towards the end of the file, add the following lines to specify this directory in CLASSPATH.

        if NOT "%CLASSPATH%"=="" (
          set CLASSPATH=%CLASSPATH%;c:\keystore\
        ) else (
          set CLASSPATH=c:\keystore\
        )
      

      Note that the CLASSPATH directory name must end with "\".

  • Or, add the keystore.properties file to a .JAR file and place the .JAR file in your DOMAIN_HOME/lib directory. Be sure to also set the system property webservices.soap.custom.crypto.fileName to keystore.properties as described in Section 28.2.2.4, "Updating the System Properties for WS-Security."

28.2.2.4 Updating the System Properties for WS-Security

To update your system properties:

  1. Log in to the Oracle WebCenter Discussions Admin Console at the following URL:

    http://host:port/owc_discussions/admin

    Where host and port are the address and the port number of the server where you deployed Oracle WebCenter Discussions (for example, http://localhost:7001/owc_discussions).

  2. Click System Properties under Forum System to display the Jive Properties page.

  3. Modify the system property webservices.soap.custom.crypto.fileName and specify the properties file that you created (that is, keystore.properties).

    Be sure to specify the name of the file, and not the directory or .JAR name.

  4. Click OK.

  5. Restart the WLS_Services Managed Server.

28.2.2.5 Configuring the Discussions Server Connection Settings

After setting the system properties, you must supply the WS-Security client certificate information within the discussion server connection settings, as described in Section 12.3, "Registering Discussions Servers." Figure 28-12 shows example settings for the Edit Discussions and Announcement Connection page.

Figure 28-12 Edit Discussions and Announcement Connection Page

28.2.3 Setting Up the SOA Domain

This section describes how to set up the SOA domain keystore and contains the following subsections:

28.2.3.1 Creating the SOA Domain Keystore

This section describes how to create a SOA domain keystore and keys using a Java Keystore (JKS).

To create the SOA domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Create a keystore by importing the public certificate (webcenter_public.cer) from the WebCenter domain:

    keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-10 Importing the Public Certificate

      keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1
      
  3. Using keytool, create a keypair to be used in the SOA domain for signing and encrypting messages:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias bpel -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=bpel,dc=example,dc=com)

    • key_password is the password for the new public key, (for example, welcome1)

    • keystore is the keystore name, (for example, bpel.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-11 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass welcome1 -keystore bpel.jks -storepass welcome1 -validity 1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.

  4. Export the certificate so it can be imported into the WebCenter domain under the orakey alias:

    keytool -exportcert -v -alias bpel -keystore keystore -storepass keystore_password -rfc -file orakey.cer
    

    Where:

    • keystore is the keystore name (for example, bpel.jks)

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-12 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass welcome1 -rfc -file orakey.cer
    
  5. Import the certificate with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias orakey):

    keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password

    Example 28-13 Importing the Certificate

    keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass welcome1
    

28.2.3.2 Configuring the Keystore Using WLST

After creating the SOA domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the keystore service:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> element for the keystore.provider provider.

  3. Ensure that the bpel.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./bpel.jks.

  4. Use the following WLST commands to configure the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.2.3.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.2.3.4, "Unconfiguring a Keystore Provider." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).

  3. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

  4. Expand the Keystore section on the Security Provider Configuration page.

  5. Click Configure.

    The Keystore Configuration page displays (see Figure 28-13).

    Figure 28-13 Keystore Configuration Page

  6. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./webcenter.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: orakey

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: orakey

    • Crypt Password: Enter and confirm the password for the encryption key.

  7. Click OK to save your settings.

  8. Restart the Administration server for the domain.

28.2.3.4 Unconfiguring a Keystore Provider

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, continue with the steps to configure the keystore in Section 28.2.3.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-14).

    Figure 28-14 Keystore Configuration Page

  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.2.4 Configuring the BPEL Server for a Typical Topology

The BPEL server's Worklist connection must be configured to use message protected SAML service policy. The BPEL server's oracle-webservices.xml file must also be edited so that the server-side SAML policy matches that of the client's policy.

To configure the BPEL server:

  1. To configure the Worklist connection on the BPEL server to use the SAML policy with message protection, follow the steps in Section 20.3.2, "Registering Worklist Connections," selecting SAML Token With Message Client Policy in Fusion Middleware Control, or entering oracle/wss10_saml_token_with_message_protection_client_policy as the policy value if using WLST.

  2. Use grep to find the strings TaskQueryServicePortSAML and provider-name in all the BPEL server's oracle-webservices.xml files. For example (find -print0 and xargs -0 are used because the managed server directory name contains spaces):

    cd <domain home>
    find . -name oracle-webservices.xml -print0 | xargs -0 grep TaskQueryServicePortSAML | grep provider-name
    ./servers/BPEL Server 1/tmp/_WL_user/soa-infra/ugh7wb/war/WEB-INF/oracle-webservices.xml: <provider-name>TaskQueryServicePortSAML</provider-name>
    
  3. Back up the file, quoting the paths because the managed server directory name contains spaces. For example:

    cp "./servers/BPEL Server 1/tmp/_WL_user/soa-infra/ugh7wb/war/WEB-INF/oracle-webservices.xml" \
       "./servers/BPEL Server 1/tmp/_WL_user/soa-infra/ugh7wb/war/WEB-INF/oracle-webservices.xml.original"
    
  4. Edit the file, replacing:

    <policy-reference uri="oracle/wss10_saml_token_service_policy" category="security" enabled="true"/>
    

    with:

    <policy-reference uri="oracle/wss10_saml_token_with_message_protection_service_policy" category="security" enabled="true"/>
    
  5. Save the file and restart the Managed Servers. Message-protected SAML access is now configured. If the Worklist service still does not work, examine the managed server diagnostic logs for exception stack traces, which point to the configuration issue.

28.2.5 Command Summary for a Typical Topology

Use the following command summary to quickly configure the keystore and DF properties for a typical topology.

Generate the Keystore

Use the following keytool commands to generate the keystore, replacing the sample values (distinguished names, passwords, and validity period) with those for your local environment:

keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064

keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass welcome1 -rfc -file webcenter_public.cer

keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1

When prompted that the certificate already exists, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass welcome1 -keystore bpel.jks -storepass welcome1 -validity 1024

keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass welcome1 -rfc -file orakey.cer

keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass welcome1

When prompted to trust the certificate, say yes.

Copy the webcenter.jks file to your domain_home/config/fmwconfig directory, and the bpel.jks file to your soa_domain_home/config/fmwconfig directory.

Configure the WebCenter Domain Keystore

Follow the steps below to configure the service instance reference for the WebCenter domain:

  1. Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.

  2. Copy webcenter.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.

  3. Open jps-config.xml in an editor.

  4. Locate the <serviceInstance> element for the keystore.provider provider.

  5. Specify the location as ./webcenter.jks.

  6. Using WLST, connect to the WebCenter Spaces domain as an admin user and run the following commands:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
    

Configure the SOA Domain Keystore

Follow the steps below to configure service instance reference for the SOA domain:

  1. Navigate to the <SOA_DOMAIN_HOME>/config/fmwconfig directory.

  2. Copy bpel.jks to the <SOA_DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.

  3. Open jps-config.xml in an editor.

  4. Locate the <serviceInstance> element for the keystore.provider provider.

  5. Specify the location as ./bpel.jks.

  6. Using WLST, connect to the SOA domain as an admin user and run the following commands:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
    

Configure the DF Keystore Properties File

Create the keystore.properties file for the discussions server (see Section 28.2.2.2, "Creating the Keystore Certificate Properties File") with the following entries:

org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=welcome1
org.apache.ws.security.crypto.merlin.keystore.alias=df_webcenter_public
org.apache.ws.security.crypto.merlin.file=<dir_containing_keystore>/owc_discussions.jks

Note:

Be sure to trim any spaces from the line endings. If you are working in a Windows environment, also be sure to use "\\" as the file path separator.

Additional DF connection properties are shown in Table 28-4.

Table 28-4 Additional DF Connection Properties

  Property Name             Property Value                                  Secured
  keystore.location         <domain_home>/config/fmwconfig/webcenter.jks    No
  keystore.type             jks                                             No
  keystore.password         welcome1                                        Yes
  encryption.key.alias      webcenter                                       No
  encryption.key.password   welcome1                                        Yes
  group.mapping             category                                        No


28.3 Configuring WS-Security for a Complex Topology

This section describes how to configure WS-Security for a complex topology where the WebCenter application, the discussions server (Jive), and a WSRP producer are in the same domain, two BPEL servers are in separate SOA domains, and one WSRP producer is in an external portlet domain (see Figure 28-15).

Figure 28-15 Complex Configuration

The steps to configure WS-Security for a complex multi-domain WebCenter topology are described in the following sections:

28.3.1 Setting Up the WebCenter Domain Keystore

The security credentials of WebCenter Spaces, discussions server, BPEL servers (in separate domains), and WSRP producers (also in separate domains) can be retrieved and managed using a Java Keystore (JKS). A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the wallet or keystore. See the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information about JKS.

This section contains the following subsections:

28.3.1.1 Creating the WebCenter Domain Keystore

This section describes how to create a keystore and keys using a Java Keystore (JKS). JKS is the proprietary keystore format defined by Sun Microsystems. To create and manage the keys and certificates in the JKS, use the keytool utility that is distributed with the Java JDK 6.

To create the WebCenter domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias webcenter -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=spaces,dc=example,dc=com)

    • key_password is the password for the new public key, (for example, welcome1)

    • keystore is the keystore name, (for example, webcenter.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-14 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.

  3. Export the certificate containing the public key:

    keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass keystore_password -rfc -file webcenter_public.cer
    

    Where:

    • keystore_password is the keystore password, (for example, welcome1)

    Example 28-15 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass welcome1 -rfc -file webcenter_public.cer
    
  4. Continue by configuring the keystore using either WLST, as described in Section 28.3.1.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control, as described in Section 28.3.1.3, "Configuring the Keystore Using Fusion Middleware Control."

    Table 28-5 shows the keystore contents you should wind up with after creating and configuring the keystore.

    Table 28-5 WebCenter Domain Keystore Contents for a Complex Topology

    Key Alias: webcenter
      Description: Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions.

    Key Alias: orakey
      Description: Certificate containing the public key for the BPEL private key used in the SOA 1 domain. The certificate is used to encrypt outbound messages from the Worklist service to SOA_Server3 in the SOA 1 domain.

    Key Alias: soa_server3_public_key
      Description: Certificate containing the public key for the soa_server3 private key used in the SOA 2 domain. The certificate is used to encrypt outbound messages from the Worklist service to BPEL Server2 in the SOA 2 domain.

    Key Alias: producer_public_key
      Description: Certificate containing the public key for the producer private key used in the external portlet domain that hosts the WSRP Producer 1 application. This certificate is used to encrypt outbound messages from WebCenter Spaces to WSRP Producer 1 registered in the WebCenter Spaces application.

    Key Alias: external_webcenter_custom_public_key
      Description: Certificate containing the public key for the external_webcenter_custom private key used in the external WebCenter domain that hosts the custom WebCenter application that makes Web service calls to the WebCenter Spaces Web service. This certificate is used to encrypt outbound messages from WebCenter Spaces to custom WebCenter applications in the external WebCenter domain.

28.3.1.2 Configuring the Keystore Using WLST

After creating the WebCenter domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the keystore service:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> element for the keystore.provider provider.

  3. Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.

  4. Use the following WLST commands to update the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.3.1.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.3.1.4, "Unconfiguring a Keystore Provider." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (wc_domain by default).

  3. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-16).

    Figure 28-16 Security Provider Configuration Page

  4. Expand the Keystore section on the Security Provider Configuration page.

  5. Click Configure.

    The Keystore Configuration page displays (see Figure 28-17).

    Figure 28-17 Keystore Configuration Page

  6. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./webcenter.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: webcenter

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: webcenter

    • Crypt Password: Enter and confirm the password for the encryption key.

  7. Click OK to save your settings.

  8. Restart the Administration server for the domain.

28.3.1.4 Unconfiguring a Keystore Provider

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, continue with the steps to configure the keystore in Section 28.3.1.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-18).

    Figure 28-18 Security Provider Configuration Page

  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-19).

    Figure 28-19 Keystore Configuration Page

  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.3.2 Configuring the Discussions Server for a Complex Topology

To use the Oracle WebCenter Discussions with WebCenter Spaces or custom WebCenter applications, you must enable Web Services Security (WS-Security) trusted authentication. WS-Security establishes a trust relationship between your WebCenter application and Oracle WebCenter Discussions so that the application can pass the user identity information to the discussions server without knowing the user's credentials.

Note:

Discussions-specific Web Services messages sent by WebCenter applications to the Oracle WebCenter Discussions server are not encrypted. For message confidentiality, the Discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Chapter 27, "Securing WebCenter Applications and Components with SSL."

This section describes how to add WS-Security-related properties to the discussion server connection that is configured for WebCenter Spaces or your custom WebCenter application. For information on how to add new properties, see Table 12-4, "Additional Discussion Connection Properties" in Section 12.3.1, "Registering Discussions Servers Using Fusion Middleware Control."

To configure WS-Security on the discussions server side, you must create a keystore certificate properties file, specify it for the ClassLoader, and modify the webservices.soap.custom.crypto.fileName system property. These configuration steps are described in the following sub-sections:

28.3.2.1 Importing the WebCenter Domain Certificate

Create a keystore by importing the certificate containing public key of the WebCenter domain.

To import the WebCenter domain certificate:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, import the certificate containing the public key of the WebCenter domain:

    keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-16 Importing the WebCenter Domain Certificate

      keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass welcome1
      

28.3.2.2 Creating the Keystore Certificate Properties File

The server-side keystore certificate configuration must be stored in a properties file (keystore.properties) and specified as a system property on the discussions server. The properties file must then be loaded in the ClassLoader for the WS-Secure Handler to pick it up.

Note:

When you are updating the properties file, be sure to remove any spaces from the property names and values. The properties file should not contain any extraneous spaces.

To create the properties file:

  1. Create a properties file with the following entries:

    org.apache.ws.security.crypto.provider=<Specify your crypto provider (typically org.apache.ws.security.components.crypto.Merlin)>
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=<Specify the keystore password of your server certificate. Note that the password stored in this file is in clear text because of a limitation of the WS-Security provider WSS4J used in Oracle Discussions Server.>
    org.apache.ws.security.crypto.merlin.keystore.alias=df_webcenter_public
    org.apache.ws.security.crypto.merlin.file=<Absolute path of the directory containing the keystore (owc_discussions.jks) created above.>
    
  2. Save the file as keystore.properties.
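Two things commonly go wrong with this file: merlin.keystore.alias names an alias that was never imported into owc_discussions.jks, or a stray space or a mistyped keystore password stops WSS4J from opening the store. The following added example (not Oracle's code; it serves this section and the identical Section 28.2.2.2) parses the JKS file directly, verifies its password-keyed integrity digest, and checks the properties against it, so these mistakes surface before the WLS_Services server is restarted. It assumes merlin.file holds the path of the keystore file itself rather than its directory; the keystore it builds, the DER bytes and the temporary directory are constructed sample data.

```python
# Added example, not from the Oracle documentation: an offline consistency check of
# the discussions server's keystore.properties against the JKS file it names. Assumes
# merlin.file is the .jks file itself and the standard JKS layout (0xFEEDFEED, v2).
import hashlib
import os
import struct
import tempfile

JKS_MAGIC, JKS_VERSION, JKS_SALT = 0xFEEDFEED, 2, b"Mighty Aphrodite"
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2
PREFIX = "org.apache.ws.security.crypto."
REQUIRED = [PREFIX + k for k in ("provider", "merlin.keystore.type",
            "merlin.keystore.password", "merlin.keystore.alias", "merlin.file")]

def _utf(buf, pos):
    """Read a Java writeUTF string: 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _skip_blob(buf, pos):
    """Skip a 4-byte-length-prefixed blob (DER certificate or encrypted key)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return pos + 4 + n

def jks_entries(data, store_password):
    """Map alias -> entry kind after verifying the keyed SHA-1 digest. ValueError means
    a non-JKS file or a wrong store password (what a mistyped merlin.keystore.password gives)."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version-2 keystore")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _utf(data, pos + 4)
        pos += 8  # creation timestamp (Java long, milliseconds)
        if tag == TRUSTED_CERT_TAG:
            _, pos = _utf(data, pos)  # certificate type, "X.509"
            pos = _skip_blob(data, pos)
            entries[alias] = "trustedCertEntry"
        elif tag == PRIVATE_KEY_TAG:
            pos = _skip_blob(data, pos)  # encrypted PKCS#8 private key
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _, pos = _utf(data, pos)
                pos = _skip_blob(data, pos)
            entries[alias] = "PrivateKeyEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
    # Digest input: password chars as UTF-16BE, the fixed salt, every byte before the digest.
    expected = hashlib.sha1(store_password.encode("utf-16-be") + JKS_SALT + data[:pos]).digest()
    if expected != data[pos:pos + 20]:
        raise ValueError("integrity check failed: wrong store password or corrupt file")
    return entries

def build_jks(trusted_certs, store_password):
    """Build a constructed keystore of trusted-cert entries (sample data only)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted_certs))
    for alias, der in trusted_certs.items():
        body += struct.pack(">IH", TRUSTED_CERT_TAG, len(alias)) + alias.encode("utf-8")
        body += struct.pack(">QH", 0, 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + hashlib.sha1(store_password.encode("utf-16-be") + JKS_SALT + body).digest()

def check_properties(text):
    """Return the problems found; an empty list means WSS4J can use the file."""
    props, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # The documentation's note: no stray spaces, or WSS4J looks up the alias or path with them.
        if key != key.strip() or value != value.strip():
            problems.append("line %d: stray whitespace around %r" % (lineno, key.strip()))
        props[key.strip()] = value.strip()
    problems += ["missing property " + k for k in REQUIRED if k not in props]
    if problems:
        return problems
    try:
        with open(props[PREFIX + "merlin.file"], "rb") as fh:
            entries = jks_entries(fh.read(), props[PREFIX + "merlin.keystore.password"])
    except (OSError, ValueError) as exc:
        return ["cannot read keystore: %s" % exc]
    alias = props[PREFIX + "merlin.keystore.alias"]
    if alias not in entries:
        problems.append("alias %r not in keystore (present: %s)" % (alias, ", ".join(sorted(entries))))
    return problems

def demo():
    """Write a constructed owc_discussions.jks to a temp dir and check four variants."""
    path = os.path.join(tempfile.mkdtemp(), "owc_discussions.jks")
    with open(path, "wb") as fh:  # sample DER bytes, not a real certificate
        fh.write(build_jks({"df_webcenter_public": b"\x30\x03\x02\x01\x00"}, "welcome1"))
    tmpl = (PREFIX + "provider=org.apache.ws.security.components.crypto.Merlin\n"
            + PREFIX + "merlin.keystore.type=jks\n" + PREFIX + "merlin.keystore.password={pw}\n"
            + PREFIX + "merlin.keystore.alias={alias}\n" + PREFIX + "merlin.file={path}\n")
    good = dict(pw="welcome1", alias="df_webcenter_public", path=path)
    return {"ok": check_properties(tmpl.format(**good)),
            "wrong_alias": check_properties(tmpl.format(**dict(good, alias="df_orakey_public"))),
            "wrong_password": check_properties(tmpl.format(**dict(good, pw="welcome2"))),
            "trailing_space": check_properties(tmpl.format(**dict(good, pw="welcome1 ")))}
```

Calling demo() returns an empty problem list for the correct file and one descriptive problem for each of the three broken variants; to check a real installation, point check_properties at the contents of your own keystore.properties.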

28.3.2.3 Specifying the Properties File for ClassLoader

There are two ways you can choose to specify your keystore.properties file based on your setup. Using the same file mounted across different servers is recommended when using a Clustered Discussions Server installation in Linux.

To specify the properties file for ClassLoader, do one of the following:

  • Specify the properties file as the CLASSPATH in setDomainEnv.sh.

    For Linux:

    1. Place the keystore.properties file in a directory (for example, /home/user/keystore/).

    2. Open DOMAIN_HOME/bin/setDomainEnv.sh.

    3. Towards the end of the file, add the following lines to specify this directory as the CLASSPATH.

      if [ "${CLASSPATH}" != "" ] ; then
        CLASSPATH="${CLASSPATH}${CLASSPATHSEP}/home/user/keystore/"
        export CLASSPATH
      else
        CLASSPATH="/home/user/keystore/"
        export CLASSPATH
      fi
      

      Note that the CLASSPATH directory name must end with "/".

    For Windows:

    1. Place the keystore.properties file in a directory (for example, c:\keystore\).

    2. Open DOMAIN_HOME\bin\setDomainEnv.cmd.

    3. Towards the end of the file, add the following lines to specify this directory in CLASSPATH.

        if NOT "%CLASSPATH%"=="" (
          set CLASSPATH=%CLASSPATH%;c:\keystore\
        ) else (
          set CLASSPATH=c:\keystore\
        )
      

      Note that the CLASSPATH directory name must end with "\".

  • Or, add the keystore.properties file to a .JAR file and place the .JAR file in your DOMAIN_HOME/lib directory. Be sure to also set the system property webservices.soap.custom.crypto.fileName to keystore.properties as described in Section 28.3.2.4, "Updating the System Properties for WS-Security."
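As an added example (not Oracle's code), the Python checker below validates a keystore.properties file against the rules in Section 28.3.2.2 (the five property names, no stray whitespace, no leftover placeholders, a keystore path that exists) and verifies that a CLASSPATH entry ends with the separator as Section 28.3.2.3 requires; the two property files are constructed samples and the keystore_exists parameter is an assumed hook so the check can run without a real keystore.

```python
import os
import stat

# Property names the discussions server's WS-Security handler reads (Section 28.3.2.2).
REQUIRED_KEYS = (
    "org.apache.ws.security.crypto.provider",
    "org.apache.ws.security.crypto.merlin.keystore.type",
    "org.apache.ws.security.crypto.merlin.keystore.password",
    "org.apache.ws.security.crypto.merlin.keystore.alias",
    "org.apache.ws.security.crypto.merlin.file",
)


def parse_properties(text):
    """Parse key=value lines without silently trimming them, so the stray spaces
    the section's Note warns about are reported instead of hidden."""
    props, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        if "=" not in line:
            problems.append("line %d: no '=' separator" % lineno)
            continue
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            problems.append("line %d: whitespace around name or value of %s" % (lineno, key.strip()))
        props[key.strip()] = value.strip()
    return props, problems


def check_properties(text, keystore_exists=os.path.exists):
    """Return a list of findings; an empty list means the file looks usable.
    keystore_exists is injectable so the check can run on constructed input."""
    props, findings = parse_properties(text)
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append("missing property %s" % key)
    for key, value in props.items():
        if value.startswith("<") and value.endswith(">"):
            findings.append("placeholder still present in %s" % key)
    ks_type = props.get("org.apache.ws.security.crypto.merlin.keystore.type", "jks")
    if ks_type.lower() != "jks":
        findings.append("keystore.type is %s, expected jks" % ks_type)
    ks_file = props.get("org.apache.ws.security.crypto.merlin.file")
    if ks_file and not keystore_exists(ks_file):
        findings.append("keystore path %s does not exist" % ks_file)
    return findings


def check_classpath_entry(entry, sep="/"):
    """The CLASSPATH directory must end with the platform separator (Section 28.3.2.3),
    otherwise the ClassLoader does not look inside it for keystore.properties."""
    return entry.endswith(sep)


def check_file_mode(path):
    """The keystore password sits in clear text in this file, so group and other
    should have no access. True when the mode has no group/other bits set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


# Constructed samples. SAMPLE_BAD keeps a placeholder and adds a space after one
# "=" and before another, the mistakes the section tells you to avoid.
SAMPLE_BAD = """\
org.apache.ws.security.crypto.provider= <Specify your crypto provider>
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=welcome1
org.apache.ws.security.crypto.merlin.keystore.alias =df_webcenter_public
org.apache.ws.security.crypto.merlin.file=/home/user/keystore/owc_discussions.jks
"""

SAMPLE_GOOD = """\
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=welcome1
org.apache.ws.security.crypto.merlin.keystore.alias=df_webcenter_public
org.apache.ws.security.crypto.merlin.file=/home/user/keystore/owc_discussions.jks
"""

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_properties(sample, keystore_exists=lambda p: True) or "OK")
    print(check_classpath_entry("/home/user/keystore"))  # False: missing trailing "/"
```

Run check_file_mode on the real file as well: a mode of 0600 keeps the clear-text password out of reach of other accounts on the discussions server host.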

28.3.2.4 Updating the System Properties for WS-Security

To update your system properties:

  1. Log in to the Oracle WebCenter Discussions Administration Console at the following URL:

    http://host:port/owc_discussions/admin

    Where host and port are the address and the port number of the server where you deployed Oracle WebCenter Discussions (for example, http://localhost:7001/owc_discussions).

  2. Click System Properties under Forum System to display the Jive Properties page.

  3. Modify the system property webservices.soap.custom.crypto.fileName and specify the properties file that you created (that is, keystore.properties).

    Be sure to specify the name of the file, and not the directory or .JAR name.

  4. Click OK.

  5. Restart the WLS_Services Managed Server.

28.3.2.5 Configuring the Discussions Server Connection Settings

After setting the system properties, you must supply the WS-Security client certificate information within the discussion server connection settings, as described in Section 12.3, "Registering Discussions Servers." Figure 28-20 shows example settings for the Edit Discussions and Announcement Connection page.

Figure 28-20 Edit Discussions and Announcement Connection Page


28.3.3 Setting Up the First SOA Domain

This section describes how to set up the SOA domain keystore and contains the following subsections:

28.3.3.1 Creating the SOA Domain Keystore

This section describes how to create a SOA domain keystore and keys using a Java Keystore (JKS).

To create the SOA domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Create a keystore by importing the public certificate (webcenter_public.cer) from the WebCenter domain:

    keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer  -keystore bpel.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-17 Importing the Public Certificate

      keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1
      
  3. Using keytool, create a keypair to be used in the SOA domain for signing and encrypting messages:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias bpel -keypass key_password -keystore bpel.jks -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=bpel,dc=example,dc=com)

    • key_password is the password for the new public key (for example, welcome1)

    • keystore_password is the keystore password (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-18 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel  -keypass welcome1 -keystore bpel.jks -storepass welcome1 -validity 1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle WebServices Security Manager requirements.

  4. Export the certificate so it can be imported in the WebCenter domain using the orakey alias:

    keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass keystore_password -rfc -file orakey.cer
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-19 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass welcome1 -rfc -file orakey.cer
    
  5. Import the certificate to the WebCenter domain again with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias orakey):

    keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-20 Importing the Certificate

    keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass welcome1
    
  6. Continue by configuring the keystore using either WLST as described in Section 28.3.3.2, "Configuring the Keystore Using WLST," or Fusion Middleware Control as described in Section 28.3.3.3, "Configuring the Keystore Using Fusion Middleware Control."

    Table 28-6 shows the keystore contents you should wind up with after creating and configuring the SOA 1 domain keystore.

    Table 28-6 SOA 1 Domain Keystore Contents for a Complex Topology

    Key Alias             Description
    --------------------  --------------------------------------------------------------------------
    bpel                  Private key used to sign outbound messages from the SOA 1 domain servers. This key is used by the Worklist application deployed on the SOA 1 domain's SOA server.
    webcenter_spaces_ws   Certificate containing the public key for the webcenter private key used in the WebCenter domain. The certificate is used to encrypt outbound Workflow messages on BPEL Server1 in the SOA 1 domain to WebService APIs on the Spaces domain.


28.3.3.2 Configuring the Keystore Using WLST

After creating the SOA domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the keystore service:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> node whose provider is keystore.provider.

  3. Ensure that the bpel.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./bpel.jks.

  4. Use the following WLST commands to update the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.3.3.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.3.3.4, "Unconfiguring a Keystore Provider." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the SOA domain.

  3. From the SOA Domain menu, select Security -> Security Provider Configuration.

  4. Expand the Keystore section on the Security Provider Configuration page.

  5. Click Configure.

    The Keystore Configuration page displays (see Figure 28-21).

    Figure 28-21 Keystore Configuration Page


  6. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./bpel.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: bpel

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: bpel

    • Crypt Password: Enter and confirm the password for the encryption key.

  7. Click OK to save your settings.

  8. Restart the Administration server for the domain.

28.3.3.4 Unconfiguring a Keystore Provider

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, continue with the steps to configure the keystore in Section 28.3.3.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the SOA Domain menu, select Security -> Security Provider Configuration.

  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-22).

    Figure 28-22 Keystore Configuration Page


  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.3.4 Setting Up the Second SOA Domain

This section describes how to set up a second SOA domain keystore and contains the following subsections:

28.3.4.1 Creating the SOA Domain Keystore

This section describes how to create a SOA domain keystore and keys using a Java Keystore (JKS).

To create the SOA domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, create a keypair to be used in the SOA domain for signing and encrypting messages:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias soa_server3  -keypass key_password -keystore soa_server3.jks -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=soa_server3,dc=example,dc=com)

    • key_password is the password for the new public key (for example, welcome1)

    • keystore_password is the keystore password (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-21 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=soa_server3,dc=example,dc=com" -alias  soa_server3 -keypass welcome1 -keystore soa_server3.jks -storepass welcome1  -validity 1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle WebServices Security Manager requirements.

  3. Export the certificate so it can be imported in the WebCenter domain using the orakey alias:

    keytool -exportcert -v -alias soa_server3 -keystore soa_server3.jks  -storepass keystore_password -rfc -file soa_server3_public_key.cer
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-22 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias soa_server3 -keystore soa_server3.jks  -storepass welcome1 -rfc -file soa_server3_public_key.cer
    
  4. Import the certificate to the WebCenter domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias soa_server3_public_key):

    keytool -importcert -alias soa_server3_public_key -file soa_server3_public_key.cer -keystore webcenter.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-23 Importing the Certificate

    keytool -importcert -alias soa_server3_public_key -file soa_server3_public_key.cer  -keystore webcenter.jks -storepass welcome1
    
  5. Continue by configuring the keystore using either WLST as described in Section 28.3.4.2, "Configuring the Keystore Using WLST," or Fusion Middleware Control as described in Section 28.3.4.3, "Configuring the Keystore Using Fusion Middleware Control."

    Table 28-7 shows the keystore contents you should wind up with after creating and configuring the SOA 2 domain keystore.

    Table 28-7 SOA 2 Domain Keystore Contents for a Complex Topology

    Key Alias                             Description
    ------------------------------------  --------------------------------------------------------------------------
    webcenter                             Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions.
    orakey                                Certificate containing the public key for the BPEL private key used in the SOA 1 domain. The certificate is used to encrypt outbound messages from the Worklist service to SOA_Server3 in the SOA 1 domain.
    soa_server3_public_key                Certificate containing the public key for the soa_server3 private key used in the SOA 2 domain. The certificate is used to encrypt outbound messages from the Worklist service to BPEL Server2 in the SOA 2 domain.
    producer_public_key                   Certificate containing the public key for the producer private key used in the external portlet domain that hosts the WSRP Producer 1 application. This certificate is used to encrypt outbound messages from WebCenter Spaces to WSRP Producer 1 registered in the WebCenter Spaces application.
    external_webcenter_custom_public_key  Certificate containing the public key for the external_webcenter_custom private key used in the external WebCenter domain that hosts the custom WebCenter application that makes WebService calls to the WebCenter Spaces WebService. This certificate is used to encrypt outbound messages from WebCenter Spaces to custom WebCenter applications in the external WebCenter domain.


28.3.4.2 Configuring the Keystore Using WLST

After creating the second SOA domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the keystore service:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> node whose provider is keystore.provider.

  3. Ensure that the soa_server3.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./soa_server3.jks.

  4. Use the following WLST commands to update the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="soa_server3", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="soa_server3", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.3.4.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.3.4.4, "Unconfiguring a Keystore Provider." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the SOA domain.

  3. From the SOA Domain menu, select Security -> Security Provider Configuration.

  4. Expand the Keystore section on the Security Provider Configuration page.

  5. Click Configure.

    The Keystore Configuration page displays (see Figure 28-23).

    Figure 28-23 Keystore Configuration Page


  6. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./soa_server3.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: soa_server3

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: soa_server3

    • Crypt Password: Enter and confirm the password for the encryption key.

  7. Click OK to save your settings.

  8. Restart the Administration server for the domain.

28.3.4.4 Unconfiguring a Keystore Provider

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, continue with the steps to configure the keystore in Section 28.3.4.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the SOA Domain menu, select Security -> Security Provider Configuration.

  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-24).

    Figure 28-24 Keystore Configuration Page


  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.3.5 Configuring the BPEL Server for a Complex Topology

WebCenter Spaces Worklist connections use oracle/wss10_saml_token_with_message_protection_client_policy as the secure OWSM policy for generating outbound SOAP messages to the SOA server. However, by default, this policy uses orakey to encrypt outbound messages.

When the WebCenter domain (where WebCenter Spaces is installed) is configured to use two or more Worklist connections simultaneously, and those connections use a secure message propagation OWSM policy, an additional OWSM policy must be created. This policy must be configured so that the recipient key alias matches the alias by which the certificate of the intended SOA server is stored on the WebCenter Spaces side.

The following steps are required to use more than one external SOA Domain configuration simultaneously on the WebCenter Spaces server:

  1. Export the certificate from the external SOA domain and import it into the WebCenter domain under a specific alias (soa_server3_key in the following example).

  2. Use Fusion Middleware Control to create a new OWSM policy, and override the recipient key alias to use the same alias as in step 1 above.

  3. Create a connection to a BPEL server and use WLST to set the security policy to the policy created in step 2 above.

The following steps show how to perform steps 2 and 3 above. Note that the keystore should already have been created in Section 28.3.4, "Setting Up the Second SOA Domain."

To configure the BPEL server for multiple Worklist connections:

  1. Create an OWSM security policy and register the new policy in WebCenter Spaces using Fusion Middleware Control.

    1. Open Fusion Middleware Control and log in to the target domain.

      For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

    2. From the WebLogic Domain menu, select Web Services > Policies.

      The Web Services Policies page displays (see Figure 28-25).

      Figure 28-25 Web Services Policies Page


    3. Select a client policy to use as a base for creating a new policy and click Create Like.

      The Create Policy page displays (see Figure 28-26).

      Figure 28-26 Create Policy Page


    4. Name the policy oracle_wss10_saml_token_with_message_protection_client_policy_soa_server3.

    5. On the Configuration tab, select the row for recipient.key.alias and click Edit.

    6. Enter soa_server3_key as the Value and click OK.

    7. On the Create Policy page, click Save. The new policy should now be listed on the Web Services Policies page.

  2. Create a BPEL connection that uses the new security policy with the following WLST command:

    setBPELConnection(appName='webcenter', name='WebCenter-Worklist-SOAServer3', url='<your_url>', policy='oracle/wss10_saml_token_with_message_protection_client_policy_soa_server3')
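
As an added example (not Oracle's code) covering both the keystore tables in Sections 28.3.3 and 28.3.4 and the alias rule in Section 28.3.5, the Python below parses the text that keytool -list -v prints, checks that each keystore holds the expected entry kinds (own RSA key pair versus imported certificate), confirms that orakey in webcenter.jks is the same certificate as the bpel key pair in bpel.jks, and checks that every Worklist connection's recipient.key.alias names a trusted certificate in the WebCenter keystore. The two listings and their fingerprints are constructed, and the connection-to-alias map is an assumed input you would fill in from your own OWSM policies.

```python
import re
import subprocess

FP_RE = re.compile(r"^SHA1:\s*([0-9A-F:]+)$", re.I)  # fingerprint line in keytool -list -v output


def parse_keytool_listing(text):
    """Parse `keytool -list -v` output into {alias: {"type", "sigalg", "sha1"}} (leaf cert only)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"type": None, "sigalg": None, "sha1": None}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Signature algorithm name:") and current["sigalg"] is None:
            current["sigalg"] = line.split(":", 1)[1].strip()
        elif current["sha1"] is None and FP_RE.match(line):
            current["sha1"] = FP_RE.match(line).group(1).upper()
    return entries


def list_keystore(path, storepass):
    """Run keytool on a real keystore file; the demo below parses constructed text instead."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass]
    return parse_keytool_listing(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


def check_expected(entries, expected):
    """expected maps alias -> "key" (own RSA key pair) or "cert" (imported certificate).
    Returns findings; an empty list means the keystore holds what the table calls for."""
    findings = []
    for alias, kind in expected.items():
        entry = entries.get(alias)
        if entry is None:
            findings.append("%s: missing" % alias)
            continue
        want = "PrivateKeyEntry" if kind == "key" else "trustedCertEntry"
        if entry["type"] != want:
            findings.append("%s: entry type %s, expected %s" % (alias, entry["type"], want))
        # keytool signs its self-signed certificate with the key's own algorithm, so
        # SHA1withDSA here means the key pair was generated without -keyalg RSA.
        if kind == "key" and not (entry["sigalg"] or "").upper().endswith("RSA"):
            findings.append("%s: signature algorithm %s is not RSA based" % (alias, entry["sigalg"]))
    return findings


def same_certificate(a, b):
    """True when two entries hold the same certificate (bpel in bpel.jks vs orakey in webcenter.jks)."""
    return a["sha1"] is not None and a["sha1"] == b["sha1"]


def check_policy_aliases(webcenter_entries, connections):
    """connections maps Worklist connection name -> recipient.key.alias of its OWSM policy.
    The alias must be a trusted certificate in webcenter.jks or OWSM encrypts for the wrong key."""
    findings = []
    for name, alias in connections.items():
        entry = webcenter_entries.get(alias)
        if entry is None or entry["type"] != "trustedCertEntry":
            findings.append("%s: recipient.key.alias %s is not a trusted certificate in webcenter.jks" % (name, alias))
    return findings


# Constructed keytool -list -v excerpts; the fingerprints are placeholders, not real values.
BPEL_JKS = """\
Alias name: bpel
Entry type: PrivateKeyEntry
     SHA1: A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1
     Signature algorithm name: SHA1withRSA

Alias name: webcenter_spaces_ws
Entry type: trustedCertEntry
     SHA1: B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2
     Signature algorithm name: SHA1withRSA
"""

WEBCENTER_JKS = """\
Alias name: webcenter
Entry type: PrivateKeyEntry
     SHA1: B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2:B2
     Signature algorithm name: SHA1withRSA

Alias name: orakey
Entry type: trustedCertEntry
     SHA1: A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1
     Signature algorithm name: SHA1withRSA

Alias name: soa_server3_public_key
Entry type: trustedCertEntry
     SHA1: D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4
     Signature algorithm name: SHA1withRSA
"""
```

Against real keystores, call list_keystore for bpel.jks and webcenter.jks and pass the results to the same three checks; a connection whose policy alias is reported means the encryption step of the SAML-with-message-protection policy will not use the intended SOA server's public key.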
    

28.3.6 Setting Up the External Portlet Domain Keystore

This section describes how to set up the keystore for the external portlet domain used by one of the WSRP producers for this complex topology.

This section contains the following subsections:

28.3.6.1 Creating the External Portlet Domain Keystore

To create the external portlet domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, generate the keystore by importing the WebCenter domain's public certificate:

    keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password

    Example 28-24 Importing the Certificate

    keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass welcome1
    
  3. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias producer  -keypass key_password -keystore producer.jks -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=producer,dc=example,dc=com)

    • key_password is the password for the new public key (for example, welcome1)

    • keystore is the keystore name (for example, webcenter.jks)

    • keystore_password is the keystore password (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-25 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=producer,dc=example,dc=com" -alias  producer -keypass welcome1 -keystore producer.jks -storepass welcome1 -validity  1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle WebServices Security Manager requirements.

  4. Export the certificate containing the public key so that it can be imported into the WebCenter Spaces domain's keystore:

    keytool -exportcert -v -alias producer -keystore producer.jks -storepass keystore_password -rfc -file producer_public_key.cer
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-26 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias producer -keystore producer.jks -storepass welcome1  -rfc -file producer_public_key.cer
    
  5. Import the certificate to the WebCenter domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias producer_public_key):

    keytool -importcert -alias producer_public_key -file producer_public_key.cer  -keystore webcenter.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-27 Importing the Certificate

    keytool -importcert -alias producer_public_key -file producer_public_key.cer  -keystore webcenter.jks -storepass welcome1
    
  6. Continue by configuring the keystore using either WLST as described in Section 28.3.6.2, "Configuring the Keystore Using WLST," or Fusion Middleware Control as described in Section 28.3.6.3, "Configuring the Keystore Using Fusion Middleware Control."

28.3.6.2 Configuring the Keystore Using WLST

After creating the external portlet domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the keystore service:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> node whose provider is keystore.provider.

  3. Ensure that the producer.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./producer.jks.

  4. Use the following WLST commands to update the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="producer", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="producer", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.3.6.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.3.6.4, "Unconfiguring a Keystore Provider." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).

  3. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

  4. Expand the Keystore section on the Security Provider Configuration page.

  5. Click Configure.

    The Keystore Configuration page displays (see Figure 28-27).

    Figure 28-27 Keystore Configuration Page


  6. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./producer.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: producer

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: producer

    • Crypt Password: Enter and confirm the password for the encryption key.

  7. Click OK to save your settings.

  8. Restart the Administration server for the domain.

28.3.6.4 Unconfiguring a Keystore Provider

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, continue with the steps to configure the keystore in Section 28.3.6.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-28).

    Figure 28-28 Security Provider Configuration Page


  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-29).

    Figure 28-29 Keystore Configuration Page


  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.3.7 Setting Up the External WebCenter Domain Keystore

This section describes how to set up an external WebCenter domain used by a custom WebCenter application making WebCenter Spaces WebService calls.

This section contains the following subsections:

28.3.7.1 Creating the External WebCenter Domain Keystore

To create the external WebCenter domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, generate the keystore by importing the WebCenter domain's public certificate:

    keytool -importcert -alias webcenter_public -file webcenter_public.cer  -keystore external_webcenter_custom.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password

    Example 28-28 Importing the Certificate

    keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore  external_webcenter_custom.jks -storepass welcome1
    
  3. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias external_webcenter_custom -keypass key_password -keystore external_webcenter_custom.jks -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the name of the consumer (for example, cn=external_webcenter_custom,dc=example,dc=com)

    • key_password is the password for the new public key (for example, welcome1)

    • keystore_password is the keystore password (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example 28-29 Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=external_webcenter_custom,dc=example,dc=com" -alias external_webcenter_custom -keypass welcome1 -keystore external_webcenter_custom.jks -storepass welcome1 -validity 1064
      

    Note:

    You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle WebServices Security Manager requirements.

  4. Export the certificate containing the public key so that it can be imported into the WebCenter Spaces domain's keystore:

    keytool -exportcert -v -alias external_webcenter_custom -keystore external_webcenter_custom.jks -storepass keystore_password -rfc -file external_webcenter_custom_public_key.cer
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-30 Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias external_webcenter_custom -keystore external_webcenter_custom.jks -storepass welcome1 -rfc -file external_webcenter_custom_public_key.cer
    
  5. Import the certificate to the WebCenter domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias external_webcenter_custom_public_key):

    keytool -importcert -alias external_webcenter_custom_public_key -file external_webcenter_custom_public_key.cer -keystore webcenter.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, welcome1)

    Example 28-31 Importing the Certificate

    keytool -importcert -alias external_webcenter_custom_public_key -file external_webcenter_custom_public_key.cer -keystore webcenter.jks -storepass welcome1
    
  6. Continue by configuring the keystore either using WLST, as described in Section 28.3.7.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control, as described in Section 28.3.7.3, "Configuring the Keystore Using Fusion Middleware Control."

28.3.7.2 Configuring the Keystore Using WLST

After creating the external WebCenter domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.

To configure the keystore service:

  1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.

  2. Locate the <serviceInstance> node for the keystore.provider provider.

  3. Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.

  4. Use the following WLST commands to update the credential store:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="external_webcenter_custom", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="external_webcenter_custom", password="welcome1", desc="Signing key")
    
  5. Restart all servers.

28.3.7.3 Configuring the Keystore Using Fusion Middleware Control

If a keystore provider is already configured, you must first unconfigure the existing keystore provider as described in Section 28.3.7.4, "Unconfiguring a Keystore Provider." Otherwise, continue with the steps below.

To configure the keystore provider:

  1. Open Fusion Middleware Control and log in to the WebCenter domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).

  3. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

  4. Expand the Keystore section on the Security Provider Configuration page.

  5. Click Configure.

    The Keystore Configuration page displays (see Figure 28-30).

    Figure 28-30 Keystore Configuration Page


  6. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:

    • Keystore Path: ./external_webcenter_custom.jks

    • Password: Enter and confirm the password for the keystore.

    • Key Alias: external_webcenter_custom

    • Signature Password: Enter and confirm the password for the signature key.

    • Crypt Alias: external_webcenter_custom

    • Crypt Password: Enter and confirm the password for the encryption key.

  7. Click OK to save your settings.

  8. Restart the Administration server for the domain.

28.3.7.4 Unconfiguring a Keystore Provider

If a keystore provider is already configured, you must unconfigure the existing keystore provider before configuring a new provider. If a keystore provider is not already configured, continue with the steps to configure the keystore in Section 28.3.7.3, "Configuring the Keystore Using Fusion Middleware Control."

To unconfigure a keystore provider using Fusion Middleware Control:

  1. Open Fusion Middleware Control and log in to the target domain.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

  3. Expand the Keystore section on the Security Provider Configuration page.

  4. Click Configure.

    The Keystore Configuration page displays (see Figure 28-31).

    Figure 28-31 Keystore Configuration Page


  5. Uncheck Configure Keystore Management.

  6. Click OK.

28.3.7.5 Calling WebCenter Spaces WebServices

In your client project, where you are setting up the GroupSpaceWSContext, set the recipient key alias to be the same as the WebCenter Spaces certificate alias as shown below:

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter_public");

28.3.8 Command Summary for a Complex Topology

Use the following command summary to quickly configure the keystore and DF properties for a complex topology.

Generate the Keystore

Use the following keytool commands to generate the keystores, replacing the example values (distinguished names, aliases, passwords, keystore file names, and validity periods) with those for your local environment:

keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064

keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass welcome1 -rfc -file webcenter_public.cer

keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass welcome1 -keystore bpel.jks -storepass welcome1 -validity 1024

keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass welcome1 -rfc -file orakey.cer

keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=soa_server3,dc=example,dc=com" -alias soa_server3 -keypass welcome1 -keystore soa_server3.jks -storepass welcome1 -validity 1024

keytool -exportcert -v -alias soa_server3 -keystore soa_server3.jks -storepass welcome1 -rfc -file soa_server3_public_key.cer

keytool -importcert -alias soa_server3_public_key -file soa_server3_public_key.cer -keystore webcenter.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=producer,dc=example,dc=com" -alias producer -keypass welcome1 -keystore producer.jks -storepass welcome1 -validity 1024

keytool -exportcert -v -alias producer -keystore producer.jks -storepass welcome1 -rfc -file producer_public_key.cer

keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore external_webcenter_custom.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=external_webcenter_custom,dc=example,dc=com" -alias external_webcenter_custom -keypass welcome1 -keystore external_webcenter_custom.jks -storepass welcome1 -validity 1024

keytool -exportcert -v -alias external_webcenter_custom -keystore external_webcenter_custom.jks -storepass welcome1 -rfc -file external_webcenter_custom_public_key.cer

keytool -importcert -alias producer_public_key -file producer_public_key.cer -keystore webcenter.jks -storepass welcome1

When prompted to trust the certificate, say yes.

keytool -importcert -alias external_webcenter_custom_public_key -file external_webcenter_custom_public_key.cer -keystore webcenter.jks -storepass welcome1

When prompted to trust the certificate, say yes.


Copy webcenter.jks to your domain_home/config/fmwconfig directory, bpel.jks to your SOA1_domain_home/config/fmwconfig directory, soa_server3.jks to your SOA_2_domain_home/config/fmwconfig directory, producer.jks to your External_Portlet_domain_home/config/fmwconfig directory, and external_webcenter_custom.jks to your External_WebCenter_domain_home/config/fmwconfig directory.

Configure the WebCenter Domain Keystore

Follow the steps below to configure the service instance reference for the WebCenter domain:

  1. Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.

  2. Copy webcenter.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.

  3. Open jps-config.xml in an editor.

  4. Locate the <serviceInstance> node for the keystore.provider provider.

  5. Specify the location as ./webcenter.jks.

  6. Using WLST, connect to the WebCenter Spaces domain as an admin user and run the following commands:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
    

Configure the SOA1 Domain Keystore

Follow the steps below to configure the service instance reference for the SOA1 domain:

  1. Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.

  2. Copy bpel.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.

  3. Open jps-config.xml in an editor.

  4. Locate the <serviceInstance> node for the keystore.provider provider.

  5. Specify the location as ./bpel.jks.

  6. Using WLST, connect to the SOA1 domain as an admin user and run the following commands:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
    

Configure the SOA2 Domain Keystore

Follow the steps below to configure the service instance reference for the SOA2 domain:

  1. Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.

  2. Copy soa_server3.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.

  3. Open jps-config.xml in an editor.

  4. Locate the <serviceInstance> node for the keystore.provider provider.

  5. Specify the location as ./soa_server3.jks.

  6. Using WLST, connect to the SOA2 domain as an admin user and run the following commands:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="soa_server3", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="soa_server3", password="welcome1", desc="Signing key")
    

Configure the External Portlet Producer Domain Keystore

Follow the steps below to configure the service instance reference for the External Portlet Producer domain:

  1. Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.

  2. Copy producer.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.

  3. Open jps-config.xml in an editor.

  4. Locate the <serviceInstance> node for the keystore.provider provider.

  5. Specify the location as ./producer.jks.

  6. Using WLST, connect to the External Portlet Producer domain as an admin user and run the following commands:

    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="external_webcenter_custom", password="welcome1", desc="Encryption key")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="external_webcenter_custom", password="welcome1", desc="Signing key")
    

Configure the DF Keystore Properties File

Using WLST, connect to the WebCenter Spaces domain as an admin user and run the following commands:

org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=welcome1
org.apache.ws.security.crypto.merlin.keystore.alias=df_webcenter_public
org.apache.ws.security.crypto.merlin.file=<dir_containing_keystore>/owc_discussions.jks

Note:

Be sure to trim any trailing spaces from the line endings. If you are working in a Windows environment, also be sure to use "\\" as the file path separator.
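The two problems this note warns about are easy to miss by eye, because java.util.Properties silently keeps a trailing space as part of the value and treats a lone backslash as an escape. The following checker is an added example, not part of the Oracle documentation: it decodes the four merlin.* values the way the properties loader does and reports what the discussions server would actually see; SAMPLE_BAD and SAMPLE_GOOD are constructed file contents.

```python
"""Lint the DF keystore properties file before handing it to the discussions server.

Added example, not part of the Oracle documentation. Values are decoded the way
java.util.Properties decodes them, so the checker shows what the server would
actually see: a trailing space stays part of the password and a lone backslash
is an escape that disappears from a Windows path. SAMPLE_BAD and SAMPLE_GOOD are
constructed file contents, not files from a real installation.
"""

PREFIX = "org.apache.ws.security.crypto.merlin."
REQUIRED_KEYS = (PREFIX + "keystore.type", PREFIX + "keystore.password",
                 PREFIX + "keystore.alias", PREFIX + "file")

SAMPLE_BAD = (
    PREFIX + "keystore.type=jks\n"
    + PREFIX + "keystore.password=welcome1 \n"                 # trailing space
    + PREFIX + "keystore.alias=df_webcenter_public\n"
    + PREFIX + "file=C:\\df_home\\owc_discussions.jks\n"       # single backslashes
)
# Same file with the trailing space removed and every backslash doubled.
SAMPLE_GOOD = SAMPLE_BAD.replace("welcome1 \n", "welcome1\n").replace("\\", "\\\\")


def java_unescape(raw):
    r"""Decode a Properties value: \\ -> \, \t \n \r \f -> control characters,
    and any other escaped character yields itself (so C:\dir decodes to C:dir)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal key=value reader (no line continuations): {key: (raw, decoded)}."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        key, _, raw = line.partition("=")
        raw = raw.lstrip()          # Properties trims leading, but not trailing, whitespace
        props[key.strip()] = (raw, java_unescape(raw))
    return props


def lint_df_properties(text, expected_alias=None):
    """Return a list of findings; an empty list means the file is ready to use."""
    props = parse_properties(text)
    findings = [f"missing key {k}" for k in REQUIRED_KEYS if k not in props]
    for key, (raw, value) in props.items():
        if raw != raw.rstrip():
            findings.append(f"{key}: trailing whitespace is kept, value becomes {value!r}")
        if "\\" in raw.replace("\\\\", ""):          # a backslash that is not part of a \\ pair
            findings.append(f"{key}: lone backslash is an escape, value becomes {value!r}; "
                            "write \\\\ as the Windows path separator")
    decoded = {k: v for k, (_, v) in props.items()}
    if decoded.get(PREFIX + "keystore.type", "").strip().lower() != "jks":
        findings.append("keystore.type must be jks")
    if expected_alias and decoded.get(PREFIX + "keystore.alias") != expected_alias:
        findings.append(f"keystore.alias is not the imported alias {expected_alias}")
    return findings


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint_df_properties(sample, "df_webcenter_public") or ["OK"])
```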

Additional DF Connection properties are shown in Table 28-8.

Table 28-8 Additional DF Connection Properties

Property Name             Property Value                                                  Secured
keystore.location         <webcenter_spaces_domain_home>/config/fmwconfig/webcenter.jks   No
keystore.type             jks                                                             No
keystore.password         welcome1                                                        Yes
encryption.key.alias      webcenter                                                       No
encryption.key.password   welcome1                                                        Yes
group.mapping             category                                                        No


28.4 Securing Oracle WebLogic Communication Services (OWLCS) with WS-Security

Follow the steps below to configure WS-Security for Oracle WebLogic Communication Services (OWLCS):

  1. Provide the policyURI when creating the Instant Messaging and Presence (IMP) connection.

    When you create the connection to the WS-Security enabled OWLCS server, you must provide the policyURI. The value of policyURI should be set to oracle/wss11_saml_token_with_message_protection_client_policy. If no policyURI is supplied, the application uses a non-secure connection. See also Section 14.1, "What You Should Know About Instant Messaging and Presence Connections."

  2. Supply an alias name for the private key to the IMP connection.

    Provide an additional property in the WebCenter IMP connection named recipient.alias. Set the value of this property to the alias under which to import the OWLCS certificate. Ensure that this value is unique and is not used already by some other service. If no alias name is supplied, the application uses the default value webcenter_owlcs. See also Section 14.3, "Registering Instant Messaging and Presence Servers."

  3. Determine the private key in the OWLCS keystore (located on the OWLCS instance at DOMAIN_HOME/config/fmwconfig).

    Use the following command to list the keystore contents:

    keytool -list -v -keystore Serversidekeystore.jks -storepass password
    

    Find the entry with the Entry type set to keyEntry. The alias name of this entry is the private key (orakey by default).

  4. Export the private key from the OWLCS server keystore.

    Use the following command to export orakey to a certificate file (for example, orakey.cer).

    keytool -exportcert -v -alias orakey -keystore Serversidekeystore.jks  -storepass welcome -rfc -file orakey.cer
    
  5. Determine the private key in the WebCenter keystore (on the WebCenter instance at DOMAIN_HOME/config/fmwconfig).

    If no keystore is found, proceed to step 6. Otherwise, use the following command to list the keystore contents:

    keytool -list -v -keystore default-keystore.jks -storepass welcome
    

    Find the entry with Entry type set to keyEntry or PrivateKeyEntry. The alias name of this entry is the private key.

    If no such entry is found, proceed to step 6. Otherwise, continue at step 7.

  6. Generate a private key on WebCenter.

    Go to DOMAIN_HOME/config/fmwconfig in your WebCenter installation and run the following command to add a key pair to the keystore. The command creates a keystore named default-keystore.jks if it does not exist, and adds a new private key entry with alias orasig and the password set to welcome1. You can optionally change the alias, password, and distinguished name (-dname) when you run the command.

    keytool -genkeypair -keyalg RSA -dname "cn=consumer,dc=example,dc=com"  -alias orasig -keypass welcome1 -keystore default-keystore.jks  -storepass welcome1 -validity 360
    
  7. Configure OWLCS on your WebCenter instance to use the private key.

    Run the WLST createCred command substituting the values for user and password in the first two commands with your private key alias and password.

    createCred(map='oracle.wsm.security', key='enc-csf-key', user='orasig', password='welcome1', desc='EncryptionKey')
    
    createCred(map='oracle.wsm.security', key='sign-csf-key', user='orasig', password='welcome1', desc='SigningKey')
    
    createCred(map='oracle.wsm.security', key='keystore-csf-key', user='owsm', password='welcome1', desc='KeystoreKey')
    
  8. Export the private key pair to a certificate.

    Export the private key found in step 5 or created in step 6 to a certificate file using the following command:

    keytool -exportcert -v -alias orasig -keystore default-keystore.jks -storepass  welcome1 -rfc -file orasig.cer
    
  9. Import the certificate generated on the OWLCS Server to the WebCenter keystore.

    Copy the certificate generated in step 4 to a temporary location on the WebCenter instance. Import the certificate in the WebCenter instance using the alias name from step 2.

    Use the following command to import the certificate in the WebCenter keystore:

    keytool -importcert -alias webcenter_owlcs -file orakey.cer -keystore  default-keystore.jks -storepass welcome1 
    
  10. Import the WebCenter certificate on the OWLCS instance.

    Copy the certificate created in step 8 to a temporary location on the OWLCS instance. Go to DOMAIN_HOME/config/fmwconfig and import the certificate in the keystore under a meaningful alias (for example, webcenter_key) using the following command:

    keytool -importcert -alias webcenter_key -file orasig.cer -keystore  Serversidekeystore.jks -storepass welcome
    

28.5 Securing WebCenter Spaces for Applications Consuming Spaces Client APIs with WS-Security

This section describes the administrator tasks required to configure WS-Security for WebCenter Spaces so that the communication between an application consuming the WebCenter Spaces APIs (the consumer) and WebCenter Spaces (the producer) is secure, and so that the identity of the user invoking the APIs is protected.

You must create a Java keystore so that WebCenter Spaces can verify the authenticity of the SAML-based security tokens received from your application, then register this keystore and update the credential store. For information about the developer tasks for developing applications that consume WebCenter Spaces client APIs, see "How to Set Up Your Custom WebCenter Application to Use the WebCenter Spaces APIs" in the Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.

This section includes the following subsections:

28.5.1 Generating the Keystores

Follow the steps below to generate Java keystores for the consumer (the custom WebCenter application) and producer (WebCenter Spaces).

To generate keystores for the consumer and producer:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.

  2. Using keytool, generate a key pair:

    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias consumer_alias -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
    

    Where:

    • consumer_dname is the distinguished name of the consumer (for example, cn=consumer,dc=example,dc=com). The value could be anything but typically matches the distinguished name (DN) of the machine on which the keystore would reside.

    • consumer_alias is the alias of the consumer (for example, consumer)

    • key_password is the password for the new public key, (for example, welcome1)

    • keystore is the keystore name, (for example, consumer.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 360).

    Note:

    You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle WebServices Security Manager requirements.

  3. Export the public key for the consumer:

    keytool -exportcert -v -alias consumer_alias -keystore keystore -storepass keystore_password -rfc -file certificate_file
    

    Where:

    • consumer_alias is the alias of the consumer (for example, consumer)

    • keystore is the keystore name, (for example, consumer.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    • certificate_file is the file name for the certificate to export the key to (for example, consumer.cer)

  4. Generate the producer keystore by importing the trusted certificate of the consumer:

    keytool -importcert -alias consumer_alias -file certificate_file -keystore keystore -storepass keystore_password
    

    Where:

    • consumer_alias is the alias of the consumer

    • certificate_file is the certificate file name

    • keystore is the keystore name

    • keystore_password is the keystore password

  5. Generate the key pair for the producer:

    keytool -genkeypair -keyalg RSA -dname "producer_dname" -alias producer_alias  -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
    

    Where:

    • producer_dname is the name of the producer (for example, cn=producer,dc=example,dc=com)

    • producer_alias is the alias of the producer (for example, producer)

    • key_password is the password for the new public key, (for example, welcome1)

    • keystore is the keystore name, (for example, producer.jks)

    • keystore_password is the keystore password, (for example, welcome1)

    • days_valid is the number of days for which the key password is valid (for example, 1024)

    Note:

    You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key will not work.

  6. List the contents of the keystore:

    keytool -list -v -keystore keystore_name -storepass password
    

    Where:

    • keystore_name is the name of the consumer keystore file (for example, portal.jks)

    • password is the keystore password.

    The keystore should now have two key entries.

  7. Export the public key of the producer:

    keytool -exportcert -v -alias producer_alias -keystore keystore -storepass keystore_password -rfc -file certificate_file
    

    Where:

    • producer_alias is the alias of the producer (for example, producer)

    • keystore is the keystore name (for example, producer.jks)

    • keystore_password is the keystore password (for example, welcome1)

    • certificate_file is the certificate file name (for example, producer.cer)

  8. Import the trusted certificate of the producer:

    keytool -importcert -alias producer_alias -file certificate_file -keystore keystore_name -storepass keystore_password
    

    Where:

    • producer_alias is the alias of the producer (for example, producer)

    • certificate_file is the file name or path for the producer's certificate file (for example, ../producer/producer.cer)

    • keystore_name is the keystore name (for example, consumer.jks)

    • keystore_password is the keystore password, (for example, welcome1)
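Step 6 above, like steps 3 and 5 of Section 28.4, relies on reading the output of keytool -list -v by eye to find the keyEntry or PrivateKeyEntry aliases. The following checker is an added example, not part of the Oracle documentation: it parses such a listing and verifies the end state this procedure expects for consumer.jks (the consumer private key plus the producer's trusted certificate, both RSA, neither expired or about to expire). SAMPLE_LISTING is constructed, abridged sample output, and SAMPLE_NOW is a fixed "today" so the run is deterministic.

```python
"""Check a keystore listing against the end state the procedure expects.

Added example, not part of the Oracle documentation. parse_listing() reads the
text printed by `keytool -list -v -keystore consumer.jks -storepass ...` and
check_keystore() verifies what later steps depend on: each required alias is
present with the right entry type, the keys are RSA (OWSM rejects keytool's DSA
default), and no certificate is expired or about to expire.
"""
import re
from datetime import datetime, timedelta

# Constructed, abridged listing of consumer.jks after steps 2 and 8.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: consumer
Creation date: Jan 5, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=consumer, DC=example, DC=com
Issuer: CN=consumer, DC=example, DC=com
Valid from: Wed Jan 05 10:12:34 PST 2011 until: Sat Dec 31 10:12:34 PST 2011
Signature algorithm name: SHA1withRSA

*******************************************

Alias name: producer
Creation date: Jan 5, 2011
Entry type: trustedCertEntry
Owner: CN=producer, DC=example, DC=com
Issuer: CN=producer, DC=example, DC=com
Valid from: Wed Jan 05 10:20:00 PST 2011 until: Thu Oct 24 10:20:00 PDT 2013
Signature algorithm name: SHA1withRSA
"""
SAMPLE_NOW = datetime(2011, 6, 1)                  # fixed "today" for the sample
PRIVATE_TYPES = {"PrivateKeyEntry", "keyEntry"}    # newer and older keytool spellings
VALID_RE = re.compile(r"Valid from: (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})"
                      r" until: (\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def parse_listing(listing):
    """Return {alias: {"type": ..., "algorithm": ..., "not_after": ...}}."""
    entries = {}
    for chunk in re.split(r"^Alias name: ", listing, flags=re.M)[1:]:
        alias = chunk.split("\n", 1)[0].strip()
        etype = re.search(r"^Entry type: (\S+)", chunk, re.M)
        # Recent keytool releases print the key algorithm; older ones only print the
        # signature algorithm, which for the self-signed certificates produced by
        # -genkeypair is determined by the key type (SHA1withRSA vs SHA1withDSA).
        alg = (re.search(r"Subject Public Key Algorithm: .*?\b(RSA|DSA|EC)\b", chunk)
               or re.search(r"Signature algorithm name: (\S+)", chunk))
        valid = VALID_RE.search(chunk)
        # keytool prints "Wed Jan 05 10:12:34 PST 2011"; the zone token is dropped
        # because strptime only understands a handful of zone names.
        not_after = (datetime.strptime(f"{valid.group(3)} {valid.group(4)}",
                                       "%a %b %d %H:%M:%S %Y") if valid else None)
        entries[alias] = {"type": etype.group(1) if etype else None,
                          "algorithm": alg.group(1) if alg else None,
                          "not_after": not_after}
    return entries


def check_keystore(listing, expected, now=None, warn_days=30):
    """expected maps alias -> "private" or "trusted". Returns a list of findings;
    an empty list means the keystore matches the procedure's end state."""
    now = now or datetime.now()
    entries = parse_listing(listing)
    findings = []
    for alias, kind in expected.items():
        entry = entries.get(alias)
        if entry is None:
            findings.append(f"{alias}: missing, the generate or import step was not run")
            continue
        if (kind == "private") != (entry["type"] in PRIVATE_TYPES):
            findings.append(f"{alias}: entry type {entry['type']} but expected a {kind} entry")
        if entry["algorithm"] and "RSA" not in entry["algorithm"].upper():
            findings.append(f"{alias}: algorithm {entry['algorithm']} is not RSA; "
                            "regenerate the key pair with -keyalg RSA")
        if entry["not_after"] is None:
            findings.append(f"{alias}: validity period not found in listing")
        elif entry["not_after"] <= now:
            findings.append(f"{alias}: certificate expired {entry['not_after']:%Y-%m-%d}")
        elif entry["not_after"] - now <= timedelta(days=warn_days):
            findings.append(f"{alias}: certificate expires {entry['not_after']:%Y-%m-%d}; "
                            "re-export and re-import it before then")
    for alias in sorted(set(entries) - set(expected)):
        findings.append(f"{alias}: unexpected entry, confirm this trust is intended")
    return findings


if __name__ == "__main__":
    expected = {"consumer": "private", "producer": "trusted"}
    for line in check_keystore(SAMPLE_LISTING, expected, SAMPLE_NOW) or ["OK"]:
        print(line)
```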

28.5.2 Providing the Keystores and Keystore Information to the Application Developer

Before registering the keystores, ensure that you have provided the following to the developer who is creating the application that will be consuming the WebCenter Spaces APIs:

  • The consumer keystore to be used to secure the connection. This is a .jks file (for example, consumer.jks).

  • The consumer public alias key stored in the keystore (for example, consumer).

  • The password of the consumer public alias key (for example, welcome1).

  • The producer public alias key stored in the consumer keystore (for example, producer). This is the alias used when importing the trusted certificate of the producer, and created in step 8 of Section 28.5.1, "Generating the Keystores."

  • The consumer keystore password (for example, welcome1).

28.5.3 Registering the Keystores

After you have created the keystores, configure the keystore for WS-Security by performing the following steps. If a keystore provider is already configured, unconfigure the existing keystore provider before proceeding as described in Section 28.1.1.4, "Unconfiguring a Keystore Provider Using Fusion Middleware Control."

To register the keystore provider:

  1. Copy the producer.jks file to the file system where your producer application is running (for example, DOMAIN_HOME/config/fmwconfig).

  2. Log in to Fusion Middleware Control.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  3. In the Navigation pane, expand the WebLogic Domain node and click the domain (for example, webcenter).

  4. From the WebLogic Domain menu, select Security -> Security Provider Configuration.

    The Security Provider Configuration page displays (see Figure 28-32).

    Figure 28-32 Security Provider Configuration Page


  5. Expand the Keystore section on the Security Provider Configuration page.

  6. Click Configure.

    The Keystore Configuration page displays (see Figure 28-33).

    Figure 28-33 Keystore Configuration Page


  7. In the Keystore Path field, specify the location of the keystore that contains the certificate and private key that is used for signing some parts (security token and SOAP message body) of the SOAP message, and enter and confirm the keystore Password.

  8. In the Signature Key section, enter sign-csf-key as the Key Alias, and enter and confirm the signature key Password (the value used for <key_password> above) for the new public key, (for example, welcome1).

  9. In the Encryption Key section, enter enc-csf-key in the Crypt Alias field, and enter and confirm the encryption key Password (the value used for <key_password> above) for the new public key, (for example, welcome1).

  10. Click OK to save your settings.

  11. Restart the Administration server for the domain.

28.5.4 Updating the Credential Stores

Follow the steps below to update the credential stores from the command line using WLST, or using Fusion Middleware Control.

This section contains the following subsections:

28.5.4.1 Updating the Credential Store Using WLST

Update the credential store using the WLST createCred command. Use the following example values to add the keystore-csf-key, enc-csf-key, and sign-csf-key encryption keys. Before running the command, be sure to back up the cwallet.sso file.

Example 28-32 keystore-csf-key

createCred(map="oracle.wsm.security",key="keystore-csf-key",user="keystore-csf-key",password="welcome1",desc="Keystore Password")

Example 28-33 enc-csf-key

createCred(map="oracle.wsm.security",key="enc-csf-key",user="producer",password="welcome1",desc="Enc Password")

Example 28-34 sign-csf-key

createCred(map="oracle.wsm.security",key="sign-csf-key",user="producer",password="welcome1",desc="Enc Password")

28.5.4.2 Updating the Credential Store Using Fusion Middleware Control

  1. Log in to Fusion Middleware Control.

    For information on logging in to Fusion Middleware Control, see Section 6, "Starting Enterprise Manager Fusion Middleware Control."

  2. In the Navigation pane, expand the WebLogic Domain node and click the domain (for example, webcenter).

  3. From the WebLogic Domain menu, select Security -> Credentials.

    The Credentials page displays (see Figure 28-34).

    Figure 28-34 Credentials Page


  4. Click Create Map.

  5. On the Create Map pop-up, enter oracle.wsm.security as the map name and click OK.

  6. Click Create Key.

  7. On the Create Key pop-up, select oracle.wsm.security as the map, enter keystore-csf-key as the Key, select Password as the Type, enter keystore-csf-key as the User Name, supply the Password (in this case, the keystore password of producer.jks) from when you created the keystores (for example, welcome1), enter an optional description, and click OK.

  8. Click Create Key.

  9. On the Create Key pop-up, select oracle.wsm.security as the map, enter sign-csf-key as the Key, select Password as the Type, enter the public key alias of the keystore used in the custom WebCenter application as the User Name, enter the password of the public key used in the custom WebCenter application as the Password, enter an optional description, and click OK.

  10. Click Create Key.

  11. On the Create Key pop-up, select oracle.wsm.security as the map, enter enc-csf-key as the Key, select Password as the Type, enter the public key alias of the keystore used in the WebCenter instance (for example, webcenter) as the User Name, enter the password of the public key used in the custom WebCenter application as the Password, enter an optional description, and click OK.

  12. Restart the Administration server and WLS_Custom or managed server on which the custom WebCenter application is hosted.