User's Guide
Application Connection - Web Services
The following sections describe connecting to BEA WebLogic Network Gatekeeper through Web Services:
About Web Services applications
For an application to connect to BEA WebLogic Network Gatekeeper through Web Services, the application must have access to the Extended API or Parlay X WSDL files deployed in BEA WebLogic Network Gatekeeper's web server. Both the Extended API and the Parlay X WSDL consist of one file per service, and the files are deployed in BEA WebLogic Network Gatekeeper's web server when BEA WebLogic Network Gatekeeper is installed.
If the application has been implemented using WSDL files of the same version but obtained from a source other than the BEA WebLogic Network Gatekeeper it will connect to, the application developer has to regenerate the Java (or other programming language) interface from the WSDL files of the BEA WebLogic Network Gatekeeper the application will connect to.
Distributing the WSDL files
The Parlay X WSDL files can be downloaded from:
http://<IP-address>/parlayx/servlet/AxisServlet
The Extended Web Services WSDL files can be downloaded from:
http://<IP-address>/wespa/servlet/AxisServlet
The Parlay X WSDL files for the notification interfaces can be downloaded from:
http://<IP-address>/parlayX/wsdl
The Extended API Web Services WSDL files for the notification interfaces can be downloaded from:
http://<IP-address>/wespa/wsdl
Where <IP-address> is the IP address of the BEA WebLogic Network Gatekeeper host where the Axis servlet engine executes. The files are named <serviceName>Listener.wsdl and parlayx_<serviceName>.wsdl.
Registering service providers and applications
See Service Provider and Application Administration.
Enabling a secure SSL connection to an application
The connection between BEA WebLogic Network Gatekeeper and an application can be encrypted using SSL.
Two variants are supported:
- One-way authenticated connections
- Two-way authenticated connections
Both variants use X.509 certificates, with a private key and a public certificate.
One-way authenticated connections
When an application uses a Web Service provided by BEA WebLogic Network Gatekeeper, the WebLogic Network Gatekeeper must import its own private key and the application needs the WebLogic Network Gatekeeper's public certificate.
When an application provides a Web Service, the application's public certificate must be imported into the WebLogic Network Gatekeeper and the application needs its own private key.
Table 4-1 Certificate exchange for one-way authenticated sessions
The WebLogic Network Gatekeeper acts as a... | WebLogic Network Gatekeeper must import | An Application needs
Server (provides a Web Service) | WebLogic Network Gatekeeper's private key | WebLogic Network Gatekeeper's public certificate
Client (uses a Web Service) | Application's public certificate | Application's private key
Two-way authenticated connections
In addition to the setup necessary for one-way authenticated sessions, the following must also be configured for two-way authenticated sessions.
When an application uses a Web Service provided by BEA WebLogic Network Gatekeeper, the WebLogic Network Gatekeeper must import the application's certificate and the application needs its own private key.
When an application provides a Web Service, the WebLogic Network Gatekeeper's private key must be imported into the WebLogic Network Gatekeeper and the application needs the WebLogic Network Gatekeeper's public certificate.
Table 4-2 Certificate exchange for two-way authenticated sessions
The WebLogic Network Gatekeeper acts as a... | WebLogic Network Gatekeeper must import | An Application needs
Server (provides a Web Service) | WebLogic Network Gatekeeper's private key; Application's public certificate | WebLogic Network Gatekeeper's public certificate; Application's private key
Client (uses a Web Service) | WebLogic Network Gatekeeper's private key; Application's public certificate | Application's private key; WebLogic Network Gatekeeper's public certificate
About the certificate builder
The certificate builder is a tool for generating user certificates and private keys. It can be used stand-alone or through a Network Gatekeeper Management Tool; the same functions are provided in both cases. The stand-alone version of the certificate builder is shown in Figure 4-1.
Some fields in the certificate builder are used differently depending on what the user certificate and private key are generated for. The specific usage of each field is described in Table 4-3.
Table 4-3 Description of the Fields in the Certificate Builder
Field | Description
Filename | Specifies the file names of the generated user certificate and private key pair. Example: if Filename is set to myApplication, your files will be named:
Domain ID | A descriptive name.
Country | The country BEA WebLogic Network Gatekeeper is located in.
Province | The province or state BEA WebLogic Network Gatekeeper is located in.
City | The city BEA WebLogic Network Gatekeeper is located in.
Name | Contact person at your organization.
E-mail | The contact person's e-mail address.
Start date | The first date (YYYY-MM-DD) the certificate will be valid.
End date | The last date (YYYY-MM-DD) the certificate will be valid.
Path | The path to the directory where the user certificate and private key will be stored. Only existing directories can be specified. When importing a private key from a directory there must be only two files in the directory, that is, the private key and its user certificate. It is therefore recommended that you create a new directory for each private key and user certificate pair you create.
Password | Defines a password that will be needed when importing the private key. Keep a note of the password; you will need it later. Note that this is the private key's password. When you import the private key into the keystore, you will also need the keystore's password. The keystore's password is defined the first time you import a private key or user certificate into the keystore.
Using the certificate builder stand alone
Follow the instructions below to generate a user certificate and private key pair.
- Start the certificate builder:
- Go to the /usr/local/slee/bin/ directory.
- Enter the command: ./runCertBuilder.sh
- Enter the user certificate and private key data according to Table 4-3.
- Generate the user certificate and private key. Click the Build button.
The user certificate and private key files are stored in the specified directory.
Using the certificate builder through a Network Gatekeeper Management Tool
Follow the instructions below to generate a user certificate and private key pair.
If you perform the task through a Network Gatekeeper Management Tool, remember that the user certificate and private key will be stored on the server the Network Gatekeeper Management Tool is connected to, that is, where the SLEE runs.
- Start a Network Gatekeeper Management Tool and log in.
- Double-click the cert_builder service.
- Double-click the buildCertificate method.
- Enter the user certificate and private key data according to Table 4-3.
The user certificate and private key files are stored in the specified directory.
Configuring the WebLogic Network Gatekeeper for SSL connections
Follow the instructions below to configure the WebLogic Network Gatekeeper for SSL. The task includes generating certificates and private keys.
Create certificates
Import the private key of the WebLogic Network Gatekeeper
- Double-click the Embedded_Tomcat service.
- Double-click the importServerKey method.
- Enter the password for the key, as defined when it was generated, in the
keyPassword field.
- Enter the path to where the private key is located in the directory field.
Now the WebLogic Network Gatekeeper's private key is imported into the WebLogic Network Gatekeeper's keystore and the WebLogic Network Gatekeeper is configured for SSL. To set up an SSL connection for an individual application, continue with Setting up a one-way authenticated SSL connection or Setting up a two-way authenticated SSL connection, depending on the type of connection to use.
Setting up a one-way authenticated SSL connection
Follow the instructions below to set up a one-way authenticated secure SSL connection between an application and BEA WebLogic Network Gatekeeper. The task includes generating certificates and private keys, exchanging the necessary certificates, and setting up an HTTPS connection.
Configure the SSL connection when the WebLogic Network Gatekeeper acts as a server
This step is only necessary if the WebLogic Network Gatekeeper acts as a server (provider of a Web service). It is done for each application that shall use SSL connections.
Distribute certificates
- Distribute the WebLogic Network Gatekeeper's public certificate to the service provider hosting the application.
Add an HTTPS connector
- Double-click the Embedded_Tomcat service.
- Double-click the addHTTPSConnector method.
- Enter parameters according to the table below.
Field | Type | Explanation
port | int | Port number for the HTTPS connection. The default port for HTTPS is 443.
acceptCount | int | Maximum number of connections to accept.
minThreads | int | Minimum number of threads to assign to Embedded Tomcat. Recommended value is 20.
maxThreads | int | Maximum number of threads to assign to Embedded Tomcat. Recommended value is 50.
sslClientAuth | boolean | Whether the SSL client must be authenticated. Use FALSE for one-way authentication and TRUE for two-way authentication. With FALSE the WebLogic Network Gatekeeper does not authenticate the application at the TLS layer; only the application verifies the WebLogic Network Gatekeeper's certificate.
Configure the SSL connection when the WebLogic Network Gatekeeper acts as a client
This step is only necessary if the WebLogic Network Gatekeeper acts as a client (user of a Web service). It is done for each application that shall use SSL connections.
Retrieve certificates from the application
- Retrieve the application's public certificate.
Note: The Certificate Builder can be used to generate the application's private key and public certificate.
Import the application's certificate
- Start a Network Gatekeeper Management Tool and log in.
- Double-click the Embedded_Tomcat service.
- Double-click the importSingleUserCertificate method.
- Enter the path to where the application's public certificate is located in the directory field.
Note: The directory must contain only the certificate.
- Enter the alias for the application's public certificate in the alias field. The alias must be unique.
Register HTTPS endpoints (Parlay X only)
Setting up a two-way authenticated SSL connection
This is done for each application that shall use two-way authenticated SSL connections.
Enable one-way authentication
Retrieve the application's certificate
- Retrieve the file with the application's public certificate and store it in a directory that the WebLogic Network Gatekeeper has access to.
Import the application's certificate
- Start a Network Gatekeeper Management Tool and log in.
- Double-click the Embedded_Tomcat service.
- Double-click the importSingleUserCertificate method.
- Enter the path to where the application's public certificate is located in the directory field.
Note: The directory must contain only the certificate.
- Enter the alias for the application's public certificate in the alias field. The alias must be unique.
Note: Make sure that the application imports its own private key.
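The following is an added example, not code from the BEA documentation or from the WebLogic Network Gatekeeper product. It uses the openssl command-line tool (assumed to be installed) to produce what the certificate builder produces for the Table 4-3 fields, a password-protected private key and a self-signed public certificate in a directory of its own, and then uses Python's ssl module to play the sessions of Tables 4-1 and 4-2 on the local host: one-way authentication (sslClientAuth FALSE), one-way authentication where the application never received the Gatekeeper's certificate, two-way authentication (sslClientAuth TRUE), and two-way authentication where the application did not import its own private key. The host names, passwords, DN values and the mapping of Table 4-3 fields onto certificate attributes are this example's assumptions.

```python
# Added example (not from the BEA documentation): certificate-builder style key
# pairs via the openssl CLI, then the Table 4-1 / 4-2 handshakes on 127.0.0.1.
# All host names, passwords and DN values below are made up for the example.
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def build_certificate(path, filename, hostname, password, country="SE",
                      province="Stockholm", city="Kista", name="Ops Contact",
                      email="ops@example.com", days=2):
    """Write <filename>.key (encrypted with `password`) and <filename>.crt into
    an existing directory. Mapping the Table 4-3 fields onto DN attributes is
    this example's assumption; `openssl req` takes a validity length in days,
    not explicit start and end dates."""
    key = os.path.join(path, filename + ".key")
    crt = os.path.join(path, filename + ".crt")
    subject = f"/C={country}/ST={province}/L={city}/CN={name}/emailAddress={email}"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", str(days),
         "-subj", subject, "-addext", f"subjectAltName=DNS:{hostname}",
         "-passout", f"pass:{password}", "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return key, crt


def handshake(server, client, server_requires_client_cert):
    """Run one TLS session on 127.0.0.1. `server` and `client` are dicts with
    crt/key/password (the side's own pair, may be absent on the client) and
    trust (the peer's public certificate). True only if the handshake completed
    and application data was echoed back."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server["crt"], server["key"], password=server["password"])
    if server_requires_client_cert:                 # sslClientAuth = TRUE
        srv.verify_mode = ssl.CERT_REQUIRED
        srv.load_verify_locations(server["trust"])  # imported application certificate
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # always verifies the server
    cli.load_verify_locations(client["trust"])      # the Gatekeeper's public certificate
    if client.get("key"):                           # the application's own key pair
        cli.load_cert_chain(client["crt"], client["key"], password=client["password"])

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with srv.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(tls.recv(16))           # echo whatever the client sent
        except (ssl.SSLError, OSError):
            pass                                    # the client side reports the failure

    worker = threading.Thread(target=serve)
    worker.start()
    ok = False
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                cli.wrap_socket(raw, server_hostname="gatekeeper.example") as tls:
            tls.sendall(b"ping")
            ok = tls.recv(16) == b"ping"
    except (ssl.SSLError, OSError):
        ok = False
    worker.join()
    listener.close()
    return ok


def run_scenarios():
    """Gatekeeper as server (provides a Web Service), application as client.
    Returns {scenario: handshake succeeded}. One directory per key pair, as
    the Path field of Table 4-3 recommends."""
    with tempfile.TemporaryDirectory() as gk_dir, tempfile.TemporaryDirectory() as app_dir:
        gk_key, gk_crt = build_certificate(gk_dir, "gatekeeper", "gatekeeper.example", "gk-secret")
        app_key, app_crt = build_certificate(app_dir, "myApplication", "app.example", "app-secret")
        gatekeeper = {"crt": gk_crt, "key": gk_key, "password": "gk-secret", "trust": app_crt}
        app_with_key = {"crt": app_crt, "key": app_key, "password": "app-secret", "trust": gk_crt}
        app_cert_only = {"trust": gk_crt}           # holds only the Gatekeeper's certificate
        app_no_gk_cert = {"trust": app_crt}         # never received the Gatekeeper's certificate
        return {
            "one_way": handshake(gatekeeper, app_cert_only, False),                   # Table 4-1
            "one_way_server_not_trusted": handshake(gatekeeper, app_no_gk_cert, False),
            "two_way": handshake(gatekeeper, app_with_key, True),                     # Table 4-2
            "two_way_client_key_missing": handshake(gatekeeper, app_cert_only, True),
        }


if __name__ == "__main__":
    for scenario, succeeded in run_scenarios().items():
        print(f"{scenario:30s} {'handshake OK' if succeeded else 'handshake FAILED'}")
```

Running the script prints one line per scenario. The two failing scenarios correspond to the two configuration mistakes the procedures above guard against: an application that was not given the Gatekeeper's public certificate cannot verify the server, and with sslClientAuth TRUE an application that has not imported its own private key is rejected by the Gatekeeper even though the one-way setup is complete.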