When you create a Web Services SSM instance, it is accessible via HTTP. This is appropriate for development and debugging purposes, but production environments should use SSL.
This section contains procedures to enable one-way SSL or two-way SSL communication between a Web Services SSM and its client. It is assumed that the reader has basic knowledge of the SSL protocol, certificate authorities, X.509 certificates and Java keystores (JKS). The procedures are:

- Configuring One-Way SSL
- Configuring Two-Way SSL
- Using OpenSSL To Become A Certificate Authority

In these procedures, the following applies:

- %SSM_INST_HOME% represents the installation folder of the Web Services SSM, for example, c:\bea\ales32-ssm\webservice-ssm\instance\wsssm.
- trust.jks and peer.jks are the trusted certificate authority store and the trusted peer store of the WS-SSM, respectively. Do not delete the trust.jks or peer.jks files, as they are configured for communication between the WS-SSM server and other ALES servers. The best practice when adding new information to these files is to modify them in place and reference the new entries with unique aliases.

Configuring One-Way SSL

With one-way SSL, the SSM sends its identity certificate to the client, so the client must trust the certificate authority (CA) that signed the identity certificate. (The client does not need its own certificate, because it is not authenticated by the Web Services SSM.)
To configure a Web Services SSM to use one-way SSL:
After performing the above, copy the trust.jks file to the client and specify the following system properties when running the client:
-Djavax.net.ssl.trustStore=C:\jks\trust.jks
-Djavax.net.ssl.trustStorePassword="secretword"
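Before copying trust.jks to clients it helps to know what javax.net.ssl.trustStorePassword actually protects: in the JKS format it keys only a SHA-1 integrity digest over the file, and the certificates themselves are stored in the clear. The following Python writer and reader for trusted-certificate-only JKS files is an added example, not part of the ALES documentation or product; the aliases and certificate bytes fed to it are constructed stand-ins, not real X.509 data.

```python
import hashlib
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TRUSTED_CERT_ENTRY = 2            # entry tag; a PrivateKeyEntry would be tag 1
WHITENER = b"Mighty Aphrodite"    # fixed string the JKS format mixes into its digest


def _utf(text: str) -> bytes:
    """Java DataOutput.writeUTF: 2-byte big-endian length, then the UTF-8 bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _digest(password: str, body: bytes) -> bytes:
    """SHA-1 over the password as UTF-16BE code units, the whitener, and the file body."""
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def build_truststore(entries: dict, password: str) -> bytes:
    """Write a JKS file holding only TrustedCertificateEntry items (alias -> DER bytes)."""
    body = struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries.items():
        body += struct.pack(">i", TRUSTED_CERT_ENTRY) + _utf(alias)
        body += struct.pack(">q", int(time.time() * 1000))       # creation timestamp
        body += _utf("X.509") + struct.pack(">i", len(der)) + der
    return body + _digest(password, body)                         # digest is the only protection


def read_truststore(blob: bytes, password: str) -> dict:
    """Parse a JKS truststore, rejecting it if the integrity digest does not verify."""
    body, stored = blob[:-20], blob[-20:]
    if stored != _digest(password, body):
        raise ValueError("keystore was tampered with, or the password is incorrect")
    magic, version, count = struct.unpack_from(">IIi", body, 0)
    if (magic, version) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a version 2 JKS keystore")
    pos, certs = 12, {}
    for _ in range(count):
        if struct.unpack_from(">i", body, pos)[0] != TRUSTED_CERT_ENTRY:
            raise ValueError("this example only handles trusted certificate entries")
        alias_len = struct.unpack_from(">H", body, pos + 4)[0]
        alias = body[pos + 6:pos + 6 + alias_len].decode("utf-8")
        pos += 6 + alias_len + 8                                   # tag, alias, timestamp
        pos += 2 + struct.unpack_from(">H", body, pos)[0]          # certificate type ("X.509")
        cert_len = struct.unpack_from(">i", body, pos)[0]
        certs[alias] = body[pos + 4:pos + 4 + cert_len]
        pos += 4 + cert_len
    return certs
```

Two consequences follow for trust.jks and peer.jks: anyone with read access can list the trusted certificates without the password, and a modified store is only detected when the client or server actually supplies the correct trustStorePassword, since Java skips the digest check when no password is given.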
Configuring Two-Way SSL

To set up two-way SSL communication, the Web Services SSM server and the client must trust each other. Follow the procedures below to configure both the server side and the client side. Additionally, the client has to supply its certificate upon the Web Services SSM server's request. The JKS that stores the certificate is defined as the value of the javax.net.ssl.keyStore system property, and the password of the JKS is defined as the value of the javax.net.ssl.keyStorePassword system property.
To Configure a Client For SSL
The client's truststore is defined as the value of the javax.net.ssl.trustStore property, and the truststore's password is defined as the value of the javax.net.ssl.trustStorePassword property.

The following steps use the keytool utility shipped with the standard Java Development Kit (JDK). See the JDK documentation for more information.
1. Generate a key pair and a self-signed certificate in a new keystore, clientkeystore.jks:

keytool -genkey -keyalg RSA -alias "WS-SSM Client" -keystore clientkeystore.jks -validity 365

2. Generate a certificate signing request (CSR) for the key pair:

keytool -certreq -alias "WS-SSM Client" -file WS-SSM-Client.csr -keystore clientkeystore.jks

3. Submit the WS-SSM-Client.csr file to a certificate authority for signing; the certificate authority returns a signed .crt file. Alternately, you can sign it as your own certificate authority. See Using OpenSSL To Become A Certificate Authority.

4. Update clientkeystore.jks with the certificate authority's root certificate and the signed certificate returned by the certificate authority:

a. Import the certificate authority's root certificate into clientkeystore.jks. keytool needs this trusted entry in order to accept the signed certificate in the next step; we will remove it after importing the signed certificate.

keytool -import -file CA.crt -alias Trusted-CA -keystore clientkeystore.jks

b. Import the signed certificate into clientkeystore.jks:

keytool -import -file WS-SSM-Client.crt -keystore clientkeystore.jks -alias "WS-SSM Client"

c. Delete the certificate authority's root certificate from clientkeystore.jks:

keytool -delete -alias Trusted-CA -keystore clientkeystore.jks

5. Verify the contents of the keystore:

keytool -list -keystore clientkeystore.jks -v

You should see something similar to this output.

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: wsssmclient
Creation date: Mar 11, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=wsssm_client, OU=ORACLE, O=ORACLE, L=BJ, ST=BJ, C=CN
Issuer: CN=TEMP_CA, OU=ORACLE, O=ORACLE, L=BJ, ST=BJ, C=CN
Serial number: 1
Valid from: Thu Mar 11 10:24:01 CST 2010 until: Fri Mar 11 10:24:01 CST 2011
Certificate fingerprints:
     MD5: 2A:E5:BB:DF:93:8E:5C:8A:F7:AA:FB:9B:F4:0D:BE:70
     SHA1: 9F:A3:1E:5F:64:DF:62:E9:CD:CF:EC:A7:D8:0C:3F:77:87:70:59:E9
     Signature algorithm name: MD5withRSA
     Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
Certificate[2]:
Owner: CN=TEMP_CA, OU=ORACLE, O=ORACLE, L=BJ, ST=BJ, C=CN
Issuer: CN=TEMP_CA, OU=ORACLE, O=ORACLE, L=BJ, ST=BJ, C=CN
Serial number: c22a7e48f34351bd
Valid from: Thu Mar 11 10:10:52 CST 2010 until: Fri Mar 11 10:10:52 CST 2011
Certificate fingerprints:
     MD5: F1:0D:D7:86:04:96:00:8F:6C:81:F1:42:0F:B1:08:7A
     SHA1: 2E:8D:CA:2E:62:B4:3B:FA:15:E4:93:88:B5:B9:C6:16:47:E0:46:3C
     Signature algorithm name: MD5withRSA
     Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2
]
To Configure the Web Services SSM Server for SSL
1. Import the certificate authority's root certificate into the WS-SSM's trusted certificate authority store:

keytool -import -file cacert.crt -alias Trusted-CA -keystore %ALES32-SHARED%/keys/trust.jks

The trusted certificate authority store is defined in the %SSM_INST_HOME%\apps\ssmws-asi\SAR-INF\config.xml file. By default, this is %ALES32-SHARED%/keys/trust.jks.

2. Import the client's signed certificate into the WS-SSM's trusted peer store:

keytool -import -file WS-SSM-Client.crt -alias Trusted-WS-Client -keystore %ALES32-SHARED%/keys/peer.jks

The trusted peer store is defined in the %SSM_INST_HOME%\apps\ssmws-asi\SAR-INF\config.xml file. By default, this is the %ALES32-SHARED%/keys/peer.jks file.

3. Regenerate the contents of the %SSM_INST_HOME%\apps directory by running the following command:

%SSM_INST_HOME%\adm\ssmwsInstance.bat -s
Using OpenSSL To Become A Certificate Authority

Following is the procedure to become your own certificate authority using OpenSSL. After completion, you can sign the CSR for the Web Services SSM client and generate a signed .crt file.

1. Create an openssl.conf file with the X.509 extensions that are compatible with the WS-SSM server:

[ v3_ca ]
basicConstraints = critical,CA:true, pathlen:2
keyUsage = critical, keyCertSign

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment

2. Generate the certificate authority's private key in .pem format:

openssl genrsa -out keys\cakey.pem 1024

3. Generate the certificate authority's self-signed root certificate in .pem format:

openssl req -config openssl.conf -new -x509 -days 365 -key keys/cakey.pem -out certs/cacert.pem

4. Sign the WS-SSM-Client.csr request using the certificate authority root certificate created in the previous step:

openssl ca -policy policy_anything -config openssl.conf -cert certs/cacert.pem -in WS-SSM-Client.csr -keyfile keys/cakey.pem -days 365 -out certs/WS-SSM-Client.pem

5. Convert the certificates from .pem format to the .crt (DER) format for use with keytool:

openssl x509 -outform der -in certs\cacert.pem -out certs\cacert.crt
openssl x509 -outform der -in certs\WS-SSM-Client.pem -out certs\WS-SSM-Client.crt