Introducing Trading Partner Integration


Example: ebXML Security Configuration

This example demonstrates how to configure the security settings for ebXML message exchange between trading partners over the HTTPS protocol through a proxy server. Although any proxy server can be used in this configuration, the example demonstrates how to configure the iPlanet Web Server 6.0 (Sun ONE 6.0) as the proxy server. A demonstration version of this server is available for download at http://wwws.sun.com/software/download/products/3f186391.html.

In Figure A-1, the example involves two trading partners. Both trading partners, Trading Partner 1 and Trading Partner 2, are configured in Oracle WebLogic Integration. The WLI instance that hosts Trading Partner 1 is termed WLI 1 and the WLI instance that hosts Trading Partner 2 is termed WLI 2.

Figure A-1 Trading Partner Configuration


In the preceding figure:

Note: In production scenarios, firewalls are usually configured between Oracle WebLogic Integration 1 and the proxy server and between the proxy server and Oracle WebLogic Integration 2. To keep the IP addresses simple in this sample, the firewalls are left out of the examples.

The following topics are discussed in this section:

Before You Begin

This topic provides links to suggested tutorials that you can complete before starting this sample if you are unfamiliar with Oracle WebLogic Integration and Oracle WebLogic Server concepts.

Step 1: Generating a Test Certificate

To be able to run this example, you need to generate a test certificate to use as client and server certificate for Oracle WebLogic Integration and Oracle WebLogic Server. This section describes how to generate this certificate using the OpenSSL tool.

Step 2: Configuring Keystores for Oracle WebLogic Integration

Before you can import the test certificate you created in the previous section, you need to configure the keystores accordingly. This section will show you how to do just that.

Step 3: Configuring the Local Trading Partner in Oracle WebLogic Integration 1

In this section, you configure the default trading partner Test_TradingPartner_1 to be your local trading partner in Oracle WebLogic Integration. You then edit the trading partner bindings and add the appropriate certificates to the trading partner and keystore.

Step 4: Configuring the SSL Settings in Oracle WebLogic Server

After you have loaded the certificates into the keystore, you need to go back to the Oracle WebLogic Server Console and configure the SSL settings with the appropriate aliases for the certificates in the keystore. This section provides a step-by-step procedure for configuring the correct server SSL settings.

Step 5: Exporting the WebLogic Integration Trading Partner Data

In this section, you export the local trading partner information from Oracle WebLogic Integration 1 into an XML file. Later on, you use this XML file to configure the remote trading partner.

Step 6: Configuring the Local Trading Partner in WebLogic Integration 2

In this step you configure the default trading partner Test_TradingPartner_2 to be your local trading partner with Oracle WebLogic Integration at the other end. You then edit the trading partner bindings and add the appropriate certificates to the trading partner and keystore.

Step 7: Configuring the Remote Trading Partner in WebLogic Integration

In this section, you import the file which you exported from Oracle WebLogic Integration 2 in the preceding section and configure the information imported to be used as the remote trading partner profile.

Step 8: Creating Services and Service Profiles in WebLogic Integration

In this step, you configure the Services and the Service profiles for the local and the remote trading partner profiles in Oracle WebLogic Integration.

Step 9: Configuring the iPlanet Server

In this procedure, you complete the iPlanet proxy server configuration and install the appropriate server and trusted certificates needed for the message exchange between your two trading partners.

Related Topics

Managing Oracle WebLogic Security

Trading Partner Integration Security

Guide to Building Business Processes

 


Before You Begin

The instructions in this sample are geared toward users who are already familiar with Oracle WebLogic Integration tasks and procedures.

 


Step 1: Generating a Test Certificate

Before you can configure and run this example, you need to generate a certificate which you will later on import into your Oracle WebLogic Integration keystore. Once the certificate is imported into the keystore, you can use it as an encryption, a signature, or a client certificate for Oracle WebLogic Integration and also as an Oracle WebLogic Server certificate. In a production environment, you would most likely have several certificates, but since this example is for testing only, you use one certificate for both client and server purposes.

You can generate the test certificate using any tool, however, the procedures in this section describe how to generate the certificates using OpenSSL. This is an open source tool which can be downloaded from www.openssl.org.

Before you create the certificate, you need to create a public/private key pair that you then use to create the test certificate. If you are running OpenSSL in a Windows environment, you must first complete Configuring Windows to Run OpenSSL, below, before you can create the key pair.

This step includes the following procedures:

Configuring Windows to Run OpenSSL

The following steps should be completed to configure your Windows environment to run OpenSSL:

  1. In a DOS command window, type the following to set the OPENSSL_CONF environment variable to point to the OpenSSL configuration file:

    $ set OPENSSL_CONF=c:\openssl-[X.X.X]-src\apps\gencert.conf

    Where [X.X.X] is the version of your OpenSSL installation, for example 0.9.7.

    Note: Because Internet Explorer uses files of the type .cnf for Speed Dial configuration files, the OpenSSL configuration file might appear without the .cnf suffix and may have a shortcut icon.
  2. Randomly select any five large files on your hard drive and then copy them to a folder where you intend to create the keys and certificates.
  3. Rename the files to file1, file2, file3, file4, and file5. These files will be used by the OpenSSL facility to create the public/private key pair.
  4. Verify that your path includes c:\openssl\bin.

You are now ready to create a public/private key pair using OpenSSL.

Creating a Public/Private Key Pair

The following section describes how to create a 1024-bit RSA public/private key pair using OpenSSL:

In a DOS command window, type the following:

$ openssl genrsa -rand file1:file2:file3:file4:file5 -out WLCert.key 1024

where file1:file2:file3:file4:file5 represents the five large files you created in Configuring Windows to Run OpenSSL.

You are now ready to create any type of X.509 certificate using OpenSSL.

Generating the Test Certificate

To generate the self-signed test certificate, complete the following procedure:

  1. In a DOS command window, type the following to create a certificate signing request from your key:

    $ openssl req -new -key WLCert.key -out WLCert.csr

  2. In a DOS command window, type the following to self-sign the request with the same key:

    $ openssl x509 -req -days 30 -in WLCert.csr -signkey WLCert.key -out WLCert.crt

    You should now have two new files, WLCert.key and WLCert.crt, in your directory.
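The three OpenSSL commands from this step, wrapped in a script that also checks the result before it goes into the keystore in Step 3. This is an added example and not part of the Oracle documentation; it assumes the openssl binary is on the PATH, uses a constructed subject name and a constructed minimal gencert.conf, and defaults to 2048-bit RSA rather than the page's 1024 bits (pass key_bits=1024 to reproduce the page exactly).

```python
"""Generate the WLCert.key / WLCert.crt test pair with OpenSSL and verify it.

Added example (not from the Oracle documentation). Assumptions: the `openssl`
binary is on PATH; the subject name, the gencert.conf contents and the 2048-bit
default are constructed here. The page's procedure uses 1024-bit RSA, which is
below current minimums; pass key_bits=1024 only to reproduce the page exactly.
"""
import subprocess
import tempfile
from pathlib import Path

# Minimal stand-in for the page's gencert.conf: `openssl req` wants a
# distinguished_name section even when the subject is supplied with -subj.
MIN_REQ_CONF = "[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n"


def _openssl(*args, cwd):
    """Run one openssl subcommand in cwd and return its stdout (raises on failure)."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def generate_test_cert(workdir, key_bits=2048, days=30,
                       subject="/CN=WLCert test/O=Trading Partner 1"):
    """Run the page's three commands: genrsa -> req -new -> x509 -req -signkey.

    Modern OpenSSL seeds its RNG itself, so the -rand file1:...:file5 list from
    the Windows procedure is not needed. Returns (key_path, cert_path).
    """
    workdir = Path(workdir)
    conf = workdir / "gencert.conf"   # assumed name, mirrors the OPENSSL_CONF step
    conf.write_text(MIN_REQ_CONF)
    _openssl("genrsa", "-out", "WLCert.key", str(key_bits), cwd=workdir)
    _openssl("req", "-new", "-config", str(conf), "-key", "WLCert.key",
             "-subj", subject, "-out", "WLCert.csr", cwd=workdir)
    _openssl("x509", "-req", "-days", str(days), "-in", "WLCert.csr",
             "-signkey", "WLCert.key", "-out", "WLCert.crt", cwd=workdir)
    return workdir / "WLCert.key", workdir / "WLCert.crt"


def check_test_cert(key_path, cert_path):
    """Checks worth doing before the pair is imported into the WLI keystore.

    - the private key really belongs to the certificate (same public key); a
      mismatch is a common cause of opaque import or SSL handshake failures
    - the certificate is self-signed (issuer == subject), as this sample expects
    - it has not already expired (the page's 30-day lifetime is short)
    Also returns the SHA-256 fingerprint so the certificate shown in the console
    can be cross-checked against the file that was actually imported.
    """
    cwd = Path(cert_path).parent
    key_pub = _openssl("pkey", "-in", str(key_path), "-pubout", cwd=cwd)
    cert_pub = _openssl("x509", "-in", str(cert_path), "-noout", "-pubkey", cwd=cwd)
    info = _openssl("x509", "-in", str(cert_path), "-noout", "-subject",
                    "-issuer", "-fingerprint", "-sha256", cwd=cwd)
    fields = {}
    for line in info.splitlines():            # e.g. "subject=CN = ..., O = ..."
        name, _, value = line.partition("=")
        fields[name.strip().lower()] = value.strip()
    # -checkend 0 exits 0 when the certificate is still valid right now
    not_expired = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-noout", "-checkend", "0"],
        cwd=cwd, capture_output=True).returncode == 0
    return {
        "key_matches_cert": key_pub.strip() == cert_pub.strip(),
        "self_signed": fields.get("subject") == fields.get("issuer"),
        "not_expired": not_expired,
        "fingerprint_sha256": fields.get("sha256 fingerprint", ""),
    }


def run_demo(key_bits=2048):
    """Generate a pair, check it, and confirm that a foreign key is rejected."""
    with tempfile.TemporaryDirectory() as tmp_a, tempfile.TemporaryDirectory() as tmp_b:
        key, crt = generate_test_cert(tmp_a, key_bits=key_bits)
        results = check_test_cert(key, crt)
        other_key, _ = generate_test_cert(tmp_b, key_bits=key_bits)
        results["mismatch_detected"] = not check_test_cert(other_key, crt)["key_matches_cert"]
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```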

 


Step 2: Configuring Keystores for Oracle WebLogic Integration

Digital certificates are stored in two types of keystores in Oracle WebLogic Integration:

This example assumes that you have created your own keystores and trusts. However, you can also complete this example by using the demonstration keystore file (DemoIdentity.jks) and the demonstration trust (DemoTrust.jks) that are part of your Oracle WebLogic Server installation, and therefore of your Oracle WebLogic Integration installation. These Java KeyStore files are located in the following location:

BEA_HOME\wlserver_<version>\server\lib\

where BEA_HOME is the directory in which you installed your product.

Since the underlying server used by Oracle WebLogic Integration is the Oracle WebLogic Server application, this section demonstrates how to use the Oracle WebLogic Server Administration Console to configure the keystores.

To configure the keystores:

  1. Start your Oracle WebLogic Server.
  2. Open the Oracle WebLogic Server Console.
  3. Log in using the username and password specified when you created the Oracle WebLogic Integration domain. (The default username and password for the default domains is weblogic/weblogic.)
  4. In the left pane, navigate to Servers > server_name
    Where server_name is the name of your Oracle WebLogic Server.
  5. Select the Keystores tab.
  6. From the Keystores drop-down menu, select Custom Identity And Custom Trust, as shown in Figure A-2.

    Figure A-2 Setting KeyStore Tab

  7. Click Continue.
    The Configure Keystore Properties screen appears.

  8. In the fields described, enter the following information:

    Custom Identity

    • Custom Identity Key Store File Name: The fully qualified path to your identity keystore.
      If you are using the demonstration keystores, enter BEA_HOME\wlserver_<version>\server\lib\DemoIdentity.jks, where BEA_HOME is the directory in which you installed Oracle WebLogic Server.
    • Custom Identity Key Store Type: The type of the keystore. Generally, this attribute is JKS. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
      If you are using the demonstration keystores, enter JKS.
    • Custom Identity Store Pass Phrase: The password defined when creating the keystore. Confirm the password.
      If you are using the demonstration keystores, enter DemoIdentityKeyStorePassPhrase.
      Note: This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, Oracle WebLogic Server only reads from the keystore, so a passphrase is not required; however, Oracle WebLogic Integration writes to keystores and therefore requires a passphrase.

    Custom Trust

    • Custom Trust Store File Name: The fully qualified path to your trust keystore.
      If you are using the demonstration keystores, enter BEA_HOME\wlserver_<version>\server\lib\DemoTrust.jks, where BEA_HOME is the directory in which you installed Oracle WebLogic Server.
    • Custom Trust Key Store Type: The type of the keystore. Generally, this attribute is JKS. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
      If you are using the demonstration keystores, enter JKS.
    • Custom Trust Key Store Pass Phrase: The password defined when creating the keystore. Confirm the password.
      If you are using the demonstration keystores, enter DemoTrustKeyStorePassPhrase.
      Note: This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, Oracle WebLogic Server only reads from the keystore, so a passphrase is not required; however, Oracle WebLogic Integration writes to keystores and therefore requires a passphrase.

  9. Click Save.
  10. Click the SSL tab. You use this screen to configure the SSL settings for your Oracle WebLogic Server.

Note: However, since you need to load the private key you created in Creating a Public/Private Key Pair into the keystore before you can configure the SSL settings, you can minimize this window for now. Instead, restart your Oracle WebLogic Server and continue to the next section, Step 3: Configuring the Local Trading Partner in Oracle WebLogic Integration 1, which includes loading the private key into the keystore.

To learn more about the settings you just entered, see “Configuring Keystores” in Configuring SSL.

 


Step 3: Configuring the Local Trading Partner in Oracle WebLogic Integration 1

Oracle WebLogic Integration contains two default trading partners named Test_TradingPartner_1 (TP 1) and Test_TradingPartner_2 (TP 2). In this section, you configure Test_TradingPartner_1 to be your local trading partner in Oracle WebLogic Integration 1 (WLI 1).

Note: Before you start any of the procedures in this section, you must have configured your keystores as described in Step 2: Configuring Keystores for Oracle WebLogic Integration and restarted your Oracle WebLogic Server after completing the keystore configuration.

This section contains the following procedures:

Configuring the Local Trading Partner

The following procedure describes how to configure the default trading partner Test_TradingPartner_1 to act as the local trading partner in your Oracle WebLogic Integration application:

  1. If it is not already running, start your Oracle WebLogic Server.
  2. Open the Oracle WebLogic Integration Administration Console.
  3. Navigate to Trading Partner Management > Profile Management.
    The View and Edit Trading Partner Profiles screen appears with the two trading partners Test_TradingPartner_1 and Test_TradingPartner_2 listed, as shown in Figure A-3.

    Figure A-3 Editing Trading Partner Profiles

    Since you are going to import the configuration for the remote trading partner from Oracle WebLogic Integration 2, you can delete Test_TradingPartner_2 from the list.

  4. Select Test_TradingPartner_2 by clicking the option box next to it.
  5. Click Delete.

You now need to add the appropriate certificates to your local trading partner so that they will be imported into the keystore.

Adding the Test Certificate to the Keystore

The following procedure describes how to add the certificate, which you created in Generating the Test Certificate, to your local trading partner configuration:

  1. Click Test_TradingPartner_1.
    The details of your trading partner, including general information, bindings, and certificates, are displayed. Note that there are no certificates configured for this trading partner.

  2. Click Add Certificate.
    The Add Certificate (Step 1 of 2) screen appears.

  3. Select the Import certificate from file option.
  4. Click Next.
    The Add Certificate (Step 2 of 2) screen appears. You use this screen to import a client certificate file to be stored in the keystore and used by the local trading partner. However, before you can create the client certificate, you have to create a password alias.

  5. Click Add alias...
    The Add New Password Alias screen appears.

  6. In the Password Alias Name field, enter TP1-client.
  7. Enter TP1Client as the password to use for this alias and confirm it.
  8. Click Submit.
    The Add Certificate (Step 2 of 2) screen appears again, with the alias values you just entered.

  9. In the Name field, enter TP1ClientCert.
  10. From the Type drop-down list, select CLIENT.
  11. Next to Import Certificate Location, click Browse.
  12. Navigate to the WLCert.crt file which you created in Generating the Test Certificate.
  13. Next to Private Key Location, click Browse.
  14. Navigate to the WLCert.key file which you created in Generating the Test Certificate.
  15. Make sure that the Import Certificate in Keystore option is selected.
  16. Click Create certificate.

By selecting CLIENT from the Type drop-down list, you specified the certificate to be a client certificate. You can add a signature certificate by using this same procedure, but instead selecting SIGNATURE from the Type drop-down list.

You can review all your configurations of the Test_TradingPartner_1 trading partner by navigating to Trading Partner Management > Profile Management and clicking on the Test_TradingPartner_1 trading partner.

The next step is to edit the protocol bindings for your trading partner.

Editing the Trading Partner Binding

The default trading partner you just configured to be the local trading partner for Oracle WebLogic Integration contains two default ebXML bindings. The following steps describe how to edit the ebXML 2.0 binding with the correct transport protocol and signature settings:

  1. In the left pane, click Bindings.
  2. From the Name drop-down list, select Test_TradingPartner_1.
  3. Click Go.
    The Edit Binding screen appears.

  4. In the list of bindings, click TP1-ebxml20-binding.
    The View Binding Details screen appears.

  5. Click Edit Binding.
  6. Make the following edits:

    Transport Configuration

    • Transport Protocol: HTTPS
    • End Point: change the URL to use the https protocol instead of http, and change the port number to the SSL port number of your Oracle WebLogic Server domain. This is usually the even number immediately following your local port number. For example, for local port number 7001, the SSL port number is 7002.
  7. Click Submit.

Your new binding settings are saved. To learn more about how to configure ebXML bindings, including how to configure signatures and signature transforms, see “Adding Protocol Bindings to a Trading Partner” in Trading Partner Management.

Since you have completed the configuration of the local trading partner and have imported the test certificate into the keystore, you can now return to the Oracle WebLogic Server console and configure the SSL settings.

 


Step 4: Configuring the SSL Settings in Oracle WebLogic Server

Although you specified the certificate you loaded into the keystore as a client certificate when you configured the Oracle WebLogic Integration, for testing purposes you can also use this certificate as the server certificate for Oracle WebLogic Server. You just have to configure the server with the correct alias in the SSL settings.

You configure the SSL settings on the Oracle WebLogic Server in the WebLogic Console:

  1. If the console window you opened in Step 2: Configuring Keystores for Oracle WebLogic Integration is still open, return to it. If not, complete the following procedure:
    1. If it is not already running, start your Oracle WebLogic Server.
    2. Open the Oracle WebLogic Server Console. From Oracle WebLogic Integration, you do this by selecting Tools > WebLogic Server > WebLogic Console.
    3. Log in using the username and password specified when you created the WebLogic Integration domain. (The default username and password for the default domains is weblogic/weblogic.)
    4. In the left pane, navigate to Servers > server_name
      Where server_name is the name of your WebLogic Server.
    5. Select the Keystores & SSL tab.
    6. Scroll down to the SSL Configuration part of the screen and click Change.
    7. From the Identity and Trust Locations drop-down menu, select Key Stores.
    8. Click Continue.
  2. On the Review SSL Private Key Settings screen, enter the following information:
  3. Click Continue.
    An alert screen appears, which informs you that you need to restart your server. You can ignore this for now; instead, restart your server after you have completed all the SSL configuration steps.

  4. Click Finish.
    The Keystore Configuration screen appears.

  5. Scroll to the end of the screen and click Show to display the Advanced Options. The Advanced Options are where you configure mutual authentication.
  6. From the Two Way Client Cert Behavior drop-down menu, select Client Certs Requested And Enforced. This option enforces mutual authentication: a client that does not present a valid certificate is rejected.
  7. Click Apply.
    To learn more about the settings you just entered, see “Configuring Two-Way SSL” in Configuring SSL.

  8. If you have not already done so, restart the WebLogic Server.
  9. If the keystores are configured correctly, you should see details similar to the following in the WebLogic Server log:

    <Feb 1, 2007 4:11:45 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326505038> <BEA-090082> <Security initializing using security realm myrealm.>

    <Feb 1, 2007 4:11:49 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326509604> <BEA-000365> <Server state changed to STANDBY>

    <Feb 1, 2007 4:11:49 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326509604> <BEA-000365> <Server state changed to STARTING>

    <Feb 1, 2007 4:12:04 PM IST> <Warning> <HTTP> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326524145> <BEA-101369> <weblogic.servlet.internal.WebAppServletContext@1dab0f0 - appName: 'BEA_WLS_DBMS_ADK', name: 'BEA_WLS_DBMS_ADK_Web', context-path: '/BEA_WLS_DBMS_ADK_Web': The encoding jsp-descriptor param has been deprecated. Consider declaring the encoding in the jsp-config element (web.xml) or as a page directive (pageEncoding) instead.>

    <Feb 1, 2007 4:12:18 PM IST> <Notice> <Log Management> <achepuri02> <examplesServer> <[STANDBY] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326538816> <BEA-170027> <The server initialized the domain log broadcaster successfully. Log messages will now be broadcasted to the domain log.>

    <Feb 1, 2007 4:12:19 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326539377> <BEA-000365> <Server state changed to ADMIN>

    <Feb 1, 2007 4:12:19 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326539407> <BEA-000365> <Server state changed to RESUMING>

    <Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541089> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file C:\bea_GA\WEBLOG~1\server\lib\DemoIdentity.jks.>

    <Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541360> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\bea_GA\WEBLOG~1\server\lib\DemoTrust.jks.>

    <Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541370> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\bea_GA\JROCKI~1\jre\lib\security\cacerts.>

    <Feb 1, 2007 4:12:21 PM IST> <Error> <Server> <achepuri02> <examplesServer> <DynamicListenThread[Default[2]]> <<WLS Kernel>> <> <> <1170326541620> <BEA-002606> <Unable to create a server socket for listening on channel "Default[2]". The address 127.0.0.1 might be incorrect or another process is using port 7001: java.net.BindException: Address already in use: JVM_Bind.>
    .
    .
    .

You have now completed the WebLogic Server configuration. To learn more about WebLogic Server SSL configuration, see Configuring SSL. The next step is to export the Test_TradingPartner_1 data so that you can import this data later on when you configure the remote trading partner in WebLogic Integration 2.
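A small checker for the startup log above: it parses WebLogic's bracketed record format, confirms that an identity keystore (BEA-090171) and at least one trust keystore (BEA-090169) were loaded, flags use of the demonstration keystores, and lists any Error records such as the BEA-002606 port conflict. This is an added example, not part of the Oracle documentation; the sample records are the ones quoted on this page, and the field names follow the WebLogic message layout.

```python
"""Check a WebLogic server log for the keystore-loading notices expected after
Step 4, and surface any <Error> records from the same startup.

Added example (not from the Oracle documentation). The sample records below are
copied from the log excerpt on this page; the field names follow the WebLogic
message layout: timestamp, severity, subsystem, machine, server, thread, user,
transaction id, diagnostic context id, raw time, message id, message text.
"""
import re

# Sample records, copied from the page's log excerpt (Windows paths, hence the raw string).
SAMPLE_LOG = r"""
<Feb 1, 2007 4:11:45 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326505038> <BEA-090082> <Security initializing using security realm myrealm.>
<Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541089> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file C:\bea_GA\WEBLOG~1\server\lib\DemoIdentity.jks.>
<Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541360> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\bea_GA\WEBLOG~1\server\lib\DemoTrust.jks.>
<Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541370> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\bea_GA\JROCKI~1\jre\lib\security\cacerts.>
<Feb 1, 2007 4:12:21 PM IST> <Error> <Server> <achepuri02> <examplesServer> <DynamicListenThread[Default[2]]> <<WLS Kernel>> <> <> <1170326541620> <BEA-002606> <Unable to create a server socket for listening on channel "Default[2]". The address 127.0.0.1 might be incorrect or another process is using port 7001: java.net.BindException: Address already in use: JVM_Bind.>
"""

FIELDS = ("timestamp", "severity", "subsystem", "machine", "server", "thread", "user",
          "transaction_id", "diagnostic_context", "raw_time", "msg_id", "message")

IDENTITY_RE = re.compile(r"stored under the alias (\S+) from the jks keystore file (.+)\.$")
TRUST_RE = re.compile(r"Loading trusted certificates from the jks keystore file (.+)\.$")
DEMO_KEYSTORES = ("DemoIdentity.jks", "DemoTrust.jks")


def parse_record(line):
    """Split one single-line WebLogic record into its bracketed fields.

    The user field is written <<WLS Kernel>>, so splitting on "> <" leaves it as
    "<WLS Kernel>" and keeps the field count at twelve. Returns None for lines
    that are not complete records (continuations, the page's "..." lines, noise).
    """
    line = line.strip()
    if not (line.startswith("<") and line.endswith(">")):
        return None
    parts = line[1:-1].split("> <")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def check_ssl_startup(lines):
    """Summarise whether the identity and trust keystores configured in Step 2
    were actually loaded at startup, and collect any Error records."""
    report = {"identity_alias": None, "identity_keystore": None, "trust_keystores": [],
              "errors": [], "keystores_loaded": False, "demo_keystores_in_use": False}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["msg_id"] == "BEA-090171":          # identity cert + private key loaded
            m = IDENTITY_RE.search(rec["message"])
            if m:
                report["identity_alias"], report["identity_keystore"] = m.groups()
        elif rec["msg_id"] == "BEA-090169":        # one trust store loaded (may repeat)
            m = TRUST_RE.search(rec["message"])
            if m:
                report["trust_keystores"].append(m.group(1))
        if rec["severity"] == "Error":
            report["errors"].append({"msg_id": rec["msg_id"], "message": rec["message"]})
    report["keystores_loaded"] = (report["identity_keystore"] is not None
                                  and bool(report["trust_keystores"]))
    # The demo keystores ship with every WebLogic installation, so their private
    # key is public knowledge: acceptable for this sample, never for production.
    paths = [report["identity_keystore"] or ""] + report["trust_keystores"]
    report["demo_keystores_in_use"] = any(p.endswith(DEMO_KEYSTORES) for p in paths)
    return report


if __name__ == "__main__":
    for key, value in check_ssl_startup(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```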

 


Step 5: Exporting the WebLogic Integration Trading Partner Data

Instead of configuring both the company profile and partner profile by going through the configuration screens in WLI 2, you can import data that has been exported from WLI 1 directly into WLI 2 and have the partner profile automatically configured.

Complete the following procedure to export the WebLogic Integration trading partner data:

  1. If it is not already running, start your WebLogic Server.
  2. Open the WebLogic Integration Administration Console.
  3. Navigate to Trading Partner Management > Profile Management
  4. In the left pane, click Import/Export.
  5. In the Import/Export pane, select Export.
  6. Select the Trading Partner option.
  7. Click Browse next to Trading Partner.
  8. Deselect all but the Test_TradingPartner_1 trading partner.
  9. Click Done.
  10. For the Format option, retain the WLI Standard option, which is selected by default.
  11. Click Export.
  12. If a File Download dialogue opens, click Save.
  13. In the Save As window, navigate to the location where you want to save the exported file.
  14. Enter TP1.xml as the filename and click Save.
    Note: Remember the navigation path to the file. You need this when you import your trading partner information.

You have completed the WebLogic Integration local trading partner configuration. To learn more about creating, configuring, and managing trading partners in WebLogic Integration, see Trading Partner Management.

You can create your remote trading partner in WLI 1 using the procedures you just completed for Test_TradingPartner_1. However, in this example you take a shortcut by importing the company profile settings from WLI 2 and using them as the remote trading partner.

The next step shows you how to configure a trading partner named Test_TradingPartner_2 as the company profile partner in the WLI 2 application and how to export the company profile information into a file that you can then import into WLI 1.

 


Step 6: Configuring the Local Trading Partner in WebLogic Integration 2

In this section, you configure the default trading partner Test_TradingPartner_2 to be your local trading partner, with WLI 1 at the other end. You then edit the trading partner bindings, add the appropriate certificates to the trading partner and keystore, and export the TPM data.

To configure Test_TradingPartner_2 in WebLogic Integration 2, follow the same procedures as in Steps 2 through 5.

 


Step 7: Configuring the Remote Trading Partner in WebLogic Integration

In this section, you create a remote trading partner in the WLI 1 application by importing the company profile information which you exported from WLI 2.

In WLI 1, import the TPM file that you exported from WLI 2 in Step 5 (TP2.xml). Open the TP2.xml file and change type = Local to type = Remote before importing it into WLI 1. Repeat the same procedure for the TPM file that you exported from WLI 1.

The following steps describe the importing procedure:

  1. If it is not already running, start your WebLogic Server.
  2. Open the WebLogic Integration Administration Console.
  3. Navigate to Trading Partner Management > Profile Management
  4. In the Import/Export pane, click Import.
  5. In the File Name field, enter the path to the TP2.xml file that you exported from WLI 2.
  6. Select WLI 2 as the Import Format.
  7. Click Import.

After successfully importing the trading partner information, remember to review the new trading partner profile and make sure that the end point URL is correct. You do this by navigating to Profile Management, clicking on Test_TradingPartner_2, and clicking on its binding. When you click on Test_TradingPartner_2, note that three certificates (client, server, signature) were automatically created in the Company Profile in WLI 2 and imported into WLI 1.

Now that you have configured both the local and the remote trading partner for WLI, the next step is to add services and service profiles to those trading partners.

 


Step 8: Creating Services and Service Profiles in WebLogic Integration

Once the Test_TradingPartner_1 and Test_TradingPartner_2 configurations are completed, you have to create services and corresponding service profiles for those trading partners.

For WLI 2, create a process service whose name is the URL of the participant JPD process. Configure the service profiles for the local and remote trading partner profiles in WebLogic Integration.

In Oracle WebLogic Integration:

To be able to configure the services correctly, the business process which initiates the ebXML message exchange must be currently deployed. This section contains the following procedures:

Creating the Trading Partner Service

Complete the following steps to add a service to your trading partner profile in WLI 1.

  1. Deploy your ebXML initiator business process.
    If you are not familiar with how to build and deploy ebXML business processes, consider completing one of the exercises in Tutorials: Building ebXML Solutions.

  2. In the WebLogic Integration Administration Console, navigate to Trading Partner Management > Service Management.
  3. In the left pane, click Create New.
    The Add Service screen appears.

  4. Click Browse and navigate to the appropriate service control.
  5. From the Type drop-down menu, select Service Control.
  6. From the Business Protocol drop-down menu, select EBXML.
  7. Click Add Service.

Your service is created and the View And Edit Service Details screen appears on which you add the service profile.

Creating the Process Service

Complete the following steps to add a service to your trading partner profile in WLI 2.

  1. Deploy your ebXML initiator business process.
    If you are not familiar with how to build and deploy ebXML business processes, consider completing one of the exercises in Tutorials: Building ebXML Solutions.

  2. In the WebLogic Integration Administration Console, navigate to Trading Partner Management > Service Management.
  3. In the left pane, click Create New.
    The Add Service screen appears.

  4. Click Browse and navigate to the appropriate process.
  5. From the Type drop-down menu, select Process.
  6. Type an appropriate JPD URL. For example, /testWeb/processes/Process.jpd
  7. From the Business Protocol drop-down menu, select EBXML.
  8. Click Add Service.

Your process is created and the View And Edit Service Details screen appears on which you add the process service.

Creating the Service Profile

After you have created the trading partner service, you create a service profile, which specifies the protocol binding and URL endpoints for the local and remote trading partners that offer and call the service. The following procedure describes how to add a service profile:

  1. On the View And Edit Service Details screen, click Add Service Profile.
  2. The Add Service Profile screen is displayed.

  3. From the Name drop-down menus, select your LOCAL and REMOTE trading partners.
  4. Specify your LOCAL and REMOTE trading partners according to the following table:
  5. Table A-1 Local and Remote Trading Partner for WLI 1 
     
    LOCAL
    REMOTE
    Name
    Test_TradingPartner_1
    Test_TradingPartner_2
    Binding
    wli-ebxml20-secure-binding
    wli-ebxml20-secure-binding

    Note: Similarly, for WLI 2, the local trading partner will be Test_TradingPartner_2 and remote trading partner will be Test_TradingPartner_1.
    Note: Also, make sure you change the endpoint URLs to use https, not http. If they are set to the wrong protocol, follow the directions in Editing the Trading Partner Binding to select the correct one.
  6. Click Submit.
  7. On the next screen, click Yes to begin configuring authentication.
  8. From the Choose type of Authentication Mode options, select Mutual for both the LOCAL and REMOTE trading partners.
  9. Note: Although it is not enforced, typically the same type of authentication is selected for both the local and remote trading partner.
  10. Click Next.
  11. On the next screen, select:
    1. TP1-clt as the client certificate for the LOCAL trading partner.
    2. xxxx-client as the client certificate for the REMOTE trading partner.
    3. xxxx-server as the server certificate for the REMOTE trading partner.
    4. Where xxxx is a number which was randomly generated when you imported the WLI 2 self-signed certificate file.

  12. To preview the configuration, click Preview config.
  13. Click Add.
  14. Authentication is added and the View and Edit Service Details page is displayed.

    Note: If there is an error, the Add Authentication page is redisplayed. A message indicating the problem is displayed above the input requiring correction.
Note: Repeat the same steps for configuring Service Profile in WLI 2.

You have now created a service and its service profile. To learn more about services and service profiles, see “Adding Services” and “Adding Service Profiles to a Service” in Trading Partner Management. The next step is to configure the iPlanet SSL settings and then proceed to complete the configuration of WLI 2.

Step 9: Configuring the iPlanet Server

This section describes how to configure your iPlanet Web Server as the proxy server for this sample.

If you do not already have iPlanet Web Server installed, you can download it from the following location on Sun’s website: http://www.sun.com/software/download/products/3f186391.html

Refer to the product documentation to install and start the iPlanet admin and managed server.

This section contains the following procedures:

Creating the Trust Database

Before you can configure your iPlanet server certificates, you have to create a trust database in which to store the certificates. To do so, complete the following procedure:

  1. Open the iPlanet administration console.
  2. Navigate to Servers > Manage Servers.
  3. Select a managed server and click Manage.
  4. The Managed Server Configuration screen appears.

  5. Select the Security tab.
  6. Click Create Database.
  7. Enter and confirm a password for the database.
  8. Click OK.

A dialog window confirming the successful initialization appears. The next step is to request a trial digital certificate from Verisign, which you use as the server certificate for iPlanet and later import into the Partner Profile in WebLogic Integration 2.

Requesting a Trial Digital Certificate from Verisign

You can request a trial digital certificate from Verisign to use for testing purposes. The certificate is valid for a limited number of days. To request a certificate, complete the following steps:

  1. Navigate to Managed Server Console > Security > Request a Certificate.
  2. Select the New certificate option.
  3. From the Submit to Certificate Authority via option, select CA Email Address and enter your email address.
  4. From the Cryptographic Module drop-down list, select internal.
  5. In the Key Pair File Password field, enter the password you want to use as the iPlanet server private key password.
  6. Enter your name and contact information details in the remaining fields.
  7. Click OK.
  8. A confirmation message is displayed in the Managed Server Console.

  9. Copy all the text between -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- and paste it into a text file. This is your certificate request which you send to a certificate authority such as Verisign.
  10. Using a web browser, navigate to http://www.verisign.com/products/srv/trial/step1.html.
  11. Follow the directions on the Verisign site.
  12. After you complete the request, Verisign will send you an email with the digital certificate. Copy the content and save it in a file named iPlanetServer.pem. This file is your digital certificate for the iPlanet Server.

You have completed the trial digital certificate request process. The next step is to install the trial digital certificate as the iPlanet server certificate.

Installing the iPlanet Server Certificate

You are now ready to install the server certificate for iPlanet. The following procedure describes the steps to complete:

  1. Navigate to Managed Server Console > Security > Install Certificate.
  2. The Install a Server Certificate screen appears.

  3. Enter the following information:
  4. Click OK.
  5. The Add Server Certificate screen appears with the details of the certificate you are adding.

  6. Click Add Server Certificate.

You have successfully added the server certificate. The next step is to download and convert the trusted CA server certificate.

Requesting a Trusted CA Certificate from Verisign

In addition to the server certificate you just installed, you also need a trusted certificate from a Certificate Authority such as Verisign. To request a trusted certificate from Verisign, complete the following procedure:

  1. Using a web browser, navigate to http://www.verisign.com/server/trial/faq/index.html to retrieve a CA certificate for the iPlanet server from Verisign.
  2. Click Accept.
  3. Save the certificate on your local drive as a file named iPlanetCA.der.

The downloaded CA certificate is in binary (DER) format. Before you can use it with iPlanet, you must convert it to PEM format. The der2pem command line utility included with WebLogic Server can be used to convert the certificate. To learn how to use the utility, see “der2pem” in Using the WebLogic Server Java Utilities in the WebLogic Server Command Reference.

Follow the procedure described to convert the iPlanetCA.der file to iPlanetCA.pem.

Note: A DER format file contains binary data and can hold only a single certificate. A PEM format file supports multiple digital certificates; for example, a certificate chain can be included. The order of the certificates in the file is important: they must be in order of trust. The server digital certificate should be the first digital certificate in the file, the issuer of that certificate should be next, and so on, until you reach the self-signed root certificate authority certificate.
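As an added example (not part of Oracle's documentation and not the der2pem utility itself), the following stdlib-only Python script does the DER-to-PEM wrapping and then checks that a PEM bundle is in the order of trust the note requires: each certificate followed by its issuer, ending in a self-signed root. The sample certificates are constructed by toy_cert (real X.509 field layout, dummy key and signature) so the check can be exercised offline; on real PEM files only der_to_pem, pem_to_ders and chain_in_trust_order are needed.

```python
# Added example, not Oracle's or iPlanet's code: stdlib-only der2pem equivalent plus
# a check that a PEM bundle is in order of trust (server, issuer, ..., self-signed root).
import base64, re

def der(tag, payload):                      # minimal DER encoder, used for the samples only
    n = len(payload)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + payload

def tlv(buf, pos):                          # decode one tag-length-value at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low bits give byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # (tag, value) pairs inside a SEQUENCE/SET
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def names(cert_der):                        # (issuer, subject) as raw DER Name bytes
    tbs = children(children(children(cert_der)[0][1])[0][1])   # tbsCertificate fields
    if tbs[0][0] == 0xA0:                   # skip optional [0] EXPLICIT version (v2/v3)
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1]             # serial, sigAlg, issuer, validity, subject

def der_to_pem(cert_der):                   # what der2pem does for one certificate
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_ders(pem):                       # DER bytes of every certificate, in file order
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_in_trust_order(pem):              # each cert issued by the next; last self-signed
    ders = pem_to_ders(pem)
    for i, d in enumerate(ders):
        issuer, subject = names(d)          # DER is canonical, so byte equality is enough
        if issuer != (names(ders[i + 1])[1] if i + 1 < len(ders) else subject):
            return False, f"certificate {i} is not followed by its issuer"
    return bool(ders), "ok" if ders else "no certificates found"

def toy_cert(subject, issuer):              # constructed sample: X.509 layout, empty key, dummy signature
    name = lambda s: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, s.encode()))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name(issuer) + der(0x30, der(0x17, b"240101000000Z") * 2) + name(subject) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Running chain_in_trust_order over iPlanetCA.pem (or over a bundle you assemble for the server certificate) before installing it into the trust database catches a reversed or truncated chain, which iPlanet would otherwise report only as an opaque SSL handshake failure.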

After you have completed the conversion, the next step is to install the trusted CA certificate.

Installing the Trusted CA Certificate

To install the trusted certificate you just requested, do the following:

  1. Navigate to Managed Server Console > Security > Install Certificate.
  2. Enter the following information:
  3. Click OK.
  4. The Add Server Certificate screen appears with the details of the certificate you are adding.

  5. Click Add Server Certificate.

You have successfully installed the trusted CA certificate.

The next step is to install the WebLogic Integration 2 certificate.

Installing the WebLogic Integration 2 certificate

Use the procedure described in Installing the Trusted CA Certificate to import the TP2.xml file, which you exported earlier to create the WLI 2 CA certificate, into your iPlanet server.

You have now successfully installed the necessary iPlanet certificates. There is just one final step required to get the iPlanet configuration to work with SSL.

Configuring iPlanet for SSL

  1. Open the iPlanet administration console.
  2. Navigate to Servers > Manage Servers.
  3. Select Preference > Edit Listen Sockets.
  4. In the Security column, select On.
  5. Click OK.
  6. Click Attributes.
  7. In the Client Authorization column, click Off to change it to On. This ensures mutual authentication.
  8. As the final configuration step, you need to modify two of the installed iPlanet configuration files:
    • To your obj.conf file, add the following lines of code:

      <Object name="myProxy" ppath="*">
      PathCheck fn="get-client-cert" method="(GET|POST)" dorequest="1"
      Service fn=wl_proxy FileCaching="OFF" Debug="ALL" KeepAliveEnabled=false DebugConfigInfo="ON" WebLogicHost=172.16.17.183 WebLogicPort=7001 WLLogFile="C:/depot/newlog.txt" SecureProxy="OFF" WLProxySSL="ON" RequireSSLHostMatch="False"
      </Object>

    • To your magnus.conf file, add the following lines of code:

      Init fn="load-modules" shlib="D:/iPlanet/Servers/bin/https/bin/proxy36.dll" funcs="wl_proxy,wl_init"
      Init fn="wl_init"

This concludes the iPlanet configuration step. To learn more about the settings you just configured, see Installing and Configuring the Netscape Enterprise Server Plug-In in Using Web Server Plug-Ins With WebLogic Server.
