Deploying WebLogic Integration Solutions

Using WebLogic Integration Security

The following sections describe how to set up and manage security for WebLogic Integration solution deployments:

Before you proceed with the remainder of this topic, be sure to read Introducing WebLogic Platform 8.1 Security in Introducing Security.

Overview of WebLogic Integration Security

The foundation of every secure deployment of a WebLogic Integration solution is the set of security features provided by WebLogic Server. After you configure security for the underlying WebLogic Server layer of your environment, you need to configure and manage security for those WebLogic Server entities that are specific to WebLogic Integration:

Users of the WebLogic Integration solution and WebLogic Integration Administration Console, the groups to which they belong, and the roles they are assigned.
Trading partners for which security management is particularly important, because trading partners are required to produce digital certificates for sending and receiving business messages in a secure environment.

As the security administrator for your environment, you need to focus your efforts on a set of predefined principals and resources that are created along with a WebLogic Integration domain.

This introduction presents the following topics to give you a high-level view of WebLogic Integration security:

Note: For a secure deployment, avoid running WebLogic Integration in the same WebLogic Server instance as any applications for which security is not provided. Internal WebLogic Integration API calls are not protected from such collocated applications.

Security and WebLogic Integration Domains

When you create a WebLogic Integration domain using the Domain Configuration Wizard, the domain is configured to include:

Default WebLogic Integration roles and groups. Default security policies define the roles authorized to access specific WebLogic Integration resources. For more information, see "Default Groups, Roles, and Security Policies" in User Management in Managing WebLogic Integration Solutions.
PasswordStore, which is described in WebLogic Integration PasswordStore for Encrypted Passwords.
Default identity and trust keystores, which are described in Keystore for Private Keys and Certificates.
B2BDefaultWebAppApplication, on which you can configure policies to authorize access to Trading Partner Integration.

For information about using the Configuration Wizard, see Creating WebLogic Configurations Using the Configuration Wizard.

WebLogic Integration PasswordStore for Encrypted Passwords

All passwords are kept in encrypted form in the PasswordStore. WebLogic Integration does not require clear-text passwords. The PasswordStore the uses Sun JCE provider for password-based encryption. Access to passwords is controlled through an MBean API and passwords are accessed using password-aliases.

You use the WebLogic Integration Administration Console to manage passwords in the PasswordStore. For more information, see the following topics in Trading Partner Management in Managing WebLogic Integration Solutions:

Adding Passwords to the PasswordStore
Listing and Locating Password Aliases
Changing the Password for a Password Alias
Deleting Passwords from the PasswordStore

Keystore for Private Keys and Certificates

WebLogic Integration requires that you use keystores to store all private keys and certificates. A keystore is a protected database that holds keys and certificates. If you have keys and certificates and use message encryption, digital signatures, or SSL, you must use a keystore for storing those keys and certificates and make the keystore available to applications that might need it for authentication or signing purposes.

Types of Keystores

When you set up a WebLogic Integration domain for trading partner integration collaborations, the following keystores are configured.

Table 6-1 Types of Certificates Used in WebLogic Integration

Type of KeyStore	Description
Identity keystore	Stores private keys for local trading partners and certificates for both the local trading partner and remote trading partners. Certificates are of the following types: client server signature encryption WebLogic Integration retrieves private keys and certificates from this keystore to use for SSL, message encryption, and digital signatures. For more information about certificates, see About Digital Certificates.
Trust keystore	WebLogic Server uses the trust keystore to locate trusted CAs for SSL. WebLogic Integration uses it to locate the trusted CAs while verifying signature and encryption.

Type of KeyStore

Description

Identity keystore

Stores private keys for local trading partners and certificates for both the local trading partner and remote trading partners. Certificates are of the following types:

client

server

signature

encryption

WebLogic Integration retrieves private keys and certificates from this keystore to use for SSL, message encryption, and digital signatures. For more information about certificates, see About Digital Certificates.

Trust keystore

WebLogic Server uses the trust keystore to locate trusted CAs for SSL. WebLogic Integration uses it to locate the trusted CAs while verifying signature and encryption.

Default Keystores for the Test Environment

When you create a new domain using the WebLogic Platform Configuration Wizard and the WebLogic Integration template, the new domain contains Demo Keystores of type JKS. The Demo KeyStores performs the following actions:

Utilizes the JDK bundled Java KeyStore (JKS) provider, which implements the keystore as a file.
Protects each private key with an individual password.
Protects the entire keystore with a password.

Keystores in a Production Environment

You can use the Demo keystores in a development or testing environment, but you must either create or use existing identity and trust keystores suitable for production environment. To create a keystore and make it available for trading partner integration:

If the identity and trust keystores do not already exist in your domain, create them according to the instructions in "Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities" in Configuring SSL in Managing WebLogic Security.

Configure the keystores using the WebLogic Server Administration Console according to the instructions in "Configuring KeyStores" in Configuring SSL in Managing WebLogic Security.

Add trading partner certificates to the identity keystore. For more information, see Step 3: Configure Application Integration Security.

Add trusted certificate authority certificates to the trust keystore.

For information about refreshing the keystore using the WebLogic Integration Administration Console, see "Refreshing the Keystore" in Trading Partner Management in Managing WebLogic Integration Solutions.

In a clustered domain, you need to create and configure a separate keystore for each WebLogic Server.

WebLogic Server Security Principals and Resources Used in WebLogic Integration

WebLogic Integration supports role-based authorization. Although the specific users (principals) that require access to the components that make up your WebLogic Integration application may change depending on the deployment environment, the roles that require access are typically more stable. Authorization involves granting an entity permissions and rights to perform certain actions on a resource.

In role-based authorization, security policies define the roles that are authorized to access the resource. In addition to the built-in roles that are associated with certain administrative and monitoring privileges, security policies that control access to the following resources can be configured from the WebLogic Integration Administration Console:

Process operations

Policies define the role required to invoke the process operations. For more information on the policies you can set, see "Process Security Policies" under "About Process Configuration" in Processes Configuration in Managing WebLogic Integration Solutions.

Message Broker channels

Policies define the roles required to subscribe and publish to a given channel. For more information, see "About Message Broker Channels" in Message Broker in Managing WebLogic Integration Solutions.

Application Views

Policies define the roles required to execute services and subscribe for events on an application view. For more information, see "Managing Security" in Application Integration in Managing WebLogic Integration Solutions.

Trading Partner Integration Transport

Policies define the roles required to accept messages from remote trading partners at URIs in B2BDefaultWebAppApplication.

Once the roles required for access are set, the administrator can map users or groups to the roles as required.

Unlike membership in a group, which is directly assigned, membership in a security role is dynamically calculated based on the set of conditions that define the role statement. Each condition specifies user names, group names, or time of day. When a principal (user) is "in" a role based on the evaluation of the role statement, the access permissions of the role are conferred on the principal.

Considerations for Configuring Security

Before you configure the security for your WebLogic Integration domain, consider the following:

The following sections present a high-level discussion of these considerations and describe how they affect your WebLogic Integration security configuration.

About Digital Certificates

Digital certificates are electronic documents used to identify principals and objects as unique entities over networks such as the internet. A digital certificate securely binds the identity of a user or object, as verified by a trusted third party known as a certificate authority, to a particular public key. The combination of the public key and the private key provides a unique identity for the owner of the digital certificate.

When you set up a WebLogic Integration environment as the foundation of your inter-enterprise commerce, using Trading Partner Integration capabilities, you need to obtain and configure a specific set of digital certificates and keys. This set includes the following:

Server certificate—Required for SSL for the WebLogic Server instance on the local machine.
Root Certificate Authority—Trusted third-party organization or company that is willing to vouch for the identities of those to whom it issues digital certificates and public keys. Verisign and Baltimore are examples of CAs.
Trading partner certificates—Required for each local and remote trading partner that is involved in Trading Partner Integration collaborations. These certificates include the client certificate; they may also include encryption and signature certificates, as well. They are used for authentication, authorization, signature support, and message encryption.

Digital Certificate Formats

Make sure that the formats and packaging standards of your digital certificates are compatible with WebLogic Server. Digital certificates have various encoding schemes, including the following:

Privacy Enhanced Mail (PEM)
Definite Encoding Rules (DER)
Public Key Cryptography Standards 7 and 12 (PKCS7 and PKCS12)

The public key infrastructure (PKI) in WebLogic Server recognizes digital certificates that comply with either versions 1 and 3 of X.509, X.509v1 and X.509v3. We recommend obtaining digital certificates from a certificate authority, such as Verisign or Entrust.

Note: If a trading partner in a conversation uses Microsoft IIS as a proxy server, all the certificates used in the conversation must be trusted by a well-known Certificate Authority, such as Verisign or Entrust. The use of self-signed certificates will cause a request passed through the IIS proxy server to fail. This is a restriction in IIS, not WebLogic Integration.

For more details, see "Transport-Level Security" in Trading Partner Integration Security in Introducing Trading Partner Integration.

Using the Secure Sockets Layer (SSL) Protocol

The SSL protocol provides secure connections by supporting two functions:

It enables each of two applications linked through a network connection to authenticate the other's identity
It encrypts the data exchanged between the applications for each trading partner using SSL.

An SSL connection begins with a handshake during which the applications exchange digital certificates, agree on the encryption algorithms to be used, and generate encryption keys that are then used for the remainder of the session.

If you are using SSL for trading partner authentication and authorization, which we strongly recommend for Trading Partner Integration collaborations, you need to configure the following:

SSL for each machine in your WebLogic Integration domain.
Set of digital certificates and private keys for each trading partner
Server certificate for each machine in the WebLogic Integration domain
Certificates of trusted Certificate Authorities (CA)

Not required by SSL, but strongly recommended, is the creation and use of identity and trust keystores for storing all the certificates and keys used in your WebLogic Integration domain. For more information about SSL, certificates, and keystores, see Configuring SSL in Managing WebLogic Security.

Using an Outbound Proxy Server or Proxy Plug-In

This section discusses the implications of using either an outbound proxy server or the WebLogic proxy plug-in.

Using an Outbound Proxy Server

A proxy server allows trading partners to communicate across intranets or the Internet without compromising security. If you are using WebLogic Integration in a security-sensitive environment, you may want to use WebLogic Integration behind a proxy server. Specifically, a proxy server is used to:

Hide, from external hackers, the local network addresses of the WebLogic Server instances that host WebLogic Integration
Restrict access to the external network
Monitor external network access to the local instances of WebLogic Server that host WebLogic Integration

When proxy servers are configured on the local network, network traffic (sent with the SSL and HTTP protocols) is tunneled through the proxy server to the external network.

If an outbound proxy server is used in your environment, be careful when specifying the transport URI endpoints for the local trading partner. If you are using an HTTPS proxy, then you need to specify the ssl.ProxyHost and ssl.ProxyPort Java system properties. For details, see "Configuring Trading Partner Integration to Use an Outbound HTTP Proxy Server" in Trading Partner Integration Security in Introducing Trading Partner Integration.

Using a Web Server with the WebLogic Proxy Plug-In

As an alternative to using an outbound proxy server, you may want to configure WebLogic Integration with a Web server, such as an Apache server, that is programmed to handle business messages from a remote trading partner. The Web server can provide the following services:

Receive business messages from a remote trading partner
Authenticate digital certificates from the trading partner

The Web server then uses the WebLogic proxy plug-in, which you can configure to provide the following services:

Forwarding of business messages received by the Web server to WebLogic Integration, which is running inside a secure internal network.
Extraction of the remote trading partner certificate from the Web server and delivery of it to WebLogic Server for authentication. WebLogic Integration can then authenticate the trading partner certificate and business message.

To configure the WebLogic proxy plug-in, perform the following actions:

Make sure you configure the proxy server with the WebLogic proxy plug-in to direct requests to WebLogic Server.
Decide which protocol you want to use for the network connection between the proxy server and the WebLogic Integration domain. The default protocol is HTTP. Configure the proxy plug-in to use one-way SSL only if you prefer to use SSL.
When configuring the transport for remote trading partners, specify the remote URI endpoint with the HTTPS protocol, even though the HTTP protocol is used in the network connection between the WebLogic proxy plug-in and the WebLogic Integration domain.
When relaying a business message from one trading partner to another, some proxy servers include only the leaf certificate, instead of the entire CA certificate chain. In such instances, trading partner authentication may fail. To prevent such failures, we recommend you specify the leaf certificate as the trusted CA certificate. (For more information about leaf certificates, see "Certificate Authorities" in Trading Partner Integration Security in Introducing Trading Partner Integration.)
If the local trading partner site uses a Web server configured with a WebLogic proxy plug-in, specify the trading partner transport URI endpoints in the usual manner.
If the remote trading partner is also using WebLogic Integration, but is using a proxy server other than the WebLogic proxy server, then it is likely that the remote site is configured with the WebLogic proxy plug-in. When you are configuring a remote trading partner under these circumstances, you must specify the host and port of the trading partner's proxy server as the transport URI endpoints. The WebLogic proxy plug-in performs the necessary URL transformations to business messages received for that remote trading partner.

Using a Firewall

If your WebLogic Integration environment is configured with a firewall, make sure your firewall is configured properly so that business messages can flow freely to and from local trading partners via the HTTP or HTTPS protocols.

Setting Up a Secure Deployment

The following sections provide instructions for the tasks you must complete to set up a secure deployment:

Step 1: Create the Domain

Create the WebLogic Integration domain using the Domain Configuration Wizard, as described in Configuring a Single-Server Deployment or Configuring a Clustered Deployment.

Note: We recommend that you configure your domain with SSL enabled.

The WebLogic Server Administration Console enables you to make additional customizations to your WebLogic Integration domain and default security realm. For information about customizing security features using the WebLogic Server Administration Console, see "Customizing the Default Security Configuration" in Managing WebLogic Security.

For a description of how to add firewall information to your domain configuration file, see Adding Proxy Server or Firewall Information to your Domain Configuration.

Step 2: Configure WebLogic Server Security

When configuring WebLogic Server security, be sure to do the following:

Obtain the server certificates for the local and remote trading partners. For SSL, server certificates are required for each instance of WebLogic Server involved in a trading partner request.

Consider the following questions and take the appropriate actions for your environment:

Does the common name of the certificate match the host name of the machine on which the corresponding instance of WebLogic Server is running?

If the two names are not the same, then the local WebLogic Server instance must be configured with hostname verification disabled. This requirement applies to the server certificate for any trading partner in any Trading Partner Integration. You can disable hostname verification in the WebLogic Server Administration Console by checking the Hostname Verification Ignored attribute on the SSL tab for the Server node.

Note: We do not recommend configurations that require you to disable hostname verification. Hostname verification prevents some types of security attacks.

Are the formats of the server certificate and private key for a remote trading partner supported by WebLogic Server?

About Digital Certificates lists the supported certificate formats. For server certificates, PEM encoded X.509 V1 or V3 is the most commonly accepted format by SSL servers.
For private keys, PKCS8, which is the password-encrypted private key, is the most common format. Be sure to set the private key password so that WebLogic Server can read the private key.

What is the CA certificate chain for the WebLogic Server server certificate?

A certificate chain is an array of digital certificates for trusted CAs, each of which is the issuer of the previous digital certificate.
You may specify one file containing all the intermediate and root CA certificates. (Note that if the file contains more than one CA certificate, WebLogic Server requires a PEM encoded file.) If you use the trust keystore to store trusted CA certificates, be sure to import the whole chain in to the trust keystore.

Configure the WebLogic identity and trust keystores. For information on creating and configuring keystores, see Configuring SSL in Managing WebLogic Security.

Note: Note the following considerations for using keystores:

One caveat to using a keystore is that once you import a key and certificate with an alias into a keystore, overwriting that certificate file with a new certificate does not import the new certificate into the keystore.
Make sure that your keystore is up-to-date with your current set of certificates and keys, and make sure that the WebLogic Integration repository reflects the relevant content of your keystore.

Step 3: Configure Application Integration Security

WebLogic Integration provides the following security mechanisms for those parts of an integration solution that are created and maintained with application integration functionality:

To connect to an Enterprise Information System (EIS), an application might need to provide certain credentials, such as a login name and password.

For more information, see "Scenario 1: Connecting Using Specific Credentials" in Using Application Views by Writing Custom Code in Using the Application Integration Design Console.

When deploying an application view, you can configure security settings to grant or revoke read and write access to the application view by a WebLogic Server user or group.

For more information, see "Steps for Defining an Application View" in Defining an Application View in Using the Application Integration Design Console.

Step 4: Configure Web Application and Web Service Security-Related Deployment Descriptors

Using WebLogic Workshop, a developer can edit Web application settings and Web service security-related deployment descriptors in the following three XML files before building and packaging the EAR file that contains your WebLogic Integration application:

web.xml
weblogic.xml
wlw-config.xml

A system administrator at deployment time may have more information regarding the production environment and security requirements. Under these circumstances, you can reconfigure the Web application settings and Web service security-related deployment descriptors in your EAR file as necessary by performing the following procedure.

Note: A developer typically adds any Service Broker control, Process control or callback selector annotations that are necessary for security to jcx or jpd files before packaging the EAR for deployment. However, these annotations can also be added or changed during this procedure.

Explode the EAR file that contains your WebLogic Integration application, and verify the configuration of the following items:

In web.xml and weblogic.xml, security-related deployment descriptors for Web applications that contain JPDs should be set to appropriate user credentials, method of authentication, and location of resources.

For information about these deployment descriptors, see the following:

"Web Application Security-Related Deployment Descriptors" in Securing Web Applications in Programming WebLogic Security
"Defining a Protected Web Resource" in Security in the WebLogic Workshop Help.

In wlw-config.xml, the web service exposure protocol should be set to HTTPS.

For information about configuring security options in wlw-config.xml, see "wlw-config.xml Configuration Files" in the WebLogic Workshop Help.

Repackage the EAR, and deploy it to the production WebLogic Integration domain using the WebLogic Server Administration Console.

Warning: Redeploying an application from WebLogic Workshop causes a loss of security authorizations. Deploy the EAR file using the WebLogic Server Administration Console to preserve your security authorizations.

For information about packaging and deploying EAR files, see "How Do I: Deploy WebLogic Workshop Web Services to a Production Server" in the WebLogic Workshop Help.

Step 5: Configure Security Policies and Manage Users

Once the WebLogic Integration application has been deployed on your production hardware, you can use the WebLogic Integration Administration Console to configure security policies and manage users.

For the procedure to start the WebLogic Server Administration Console see "Starting the Administration Console" in Introducing the WebLogic Integration Administration Console in Managing WebLogic Integration Solutions.

The following sections provide instructions for the tasks you must complete to configure security policies and manage users:

Configuring Security Policies for Business Processes

On the home page of the WebLogic Integration Administration Console, click Process Configuration.

The Process Property Summary page lists every business process in the WebLogic Integration application.

Click the display name of a process to access the Process Type Details page.

From the Process Type Details page, you can configure the following security settings for the business process:

Dynamic Client Callback Properties
Execution Policy
Process Authorization Policy
Method Authorization Policy
Control Callback Authorization Policy

For descriptions of these settings and the procedures to configure them, see "Viewing and Changing Process Details" in Processes Configuration in Managing WebLogic Integration Solutions.

Click View Process Summary to return to the Process Property Summary page, and repeat step 2 for each business process.

After configuring each business process, click View Dynamic Controls.

The View Dynamic Controls Summary page lists every dynamic control in the WebLogic Integration application.

Select the Edit link to the right of a selector value to display the Edit Service Broker Control Selector or Edit Process Control Selector page, depending on the type of the control.

On these pages, you can configure the client certificate or username/password settings used in outbound calls by the selected service broker or process control. For descriptions of these settings and the procedures to configure them, see "Adding or Changing Dynamic Control Selectors" in Processes Configuration in Managing WebLogic Integration Solutions.

Click View Dynamic Controls to return to the View Dynamic Controls Summary page, and repeat step 5 for each dynamic control.

After configuring the security settings for each business process and dynamic control, click

in the module navigation bar to return to the home page.

Configuring Security Policies for Message Broker Channels

On the home page of the WebLogic Integration Administration Console, click Message Broker.

The Channel Summary List page displays every channel in the Message Broker.

Click a channel name to access the View Channel Details page, and then click Edit Security Details.

On the Edit Channel Subscribe and Publish Policies page, you can configure the following security settings for the channel:

Publish Roles
Subscribe Roles
Dispatch As (the user under which messages are sent to subscribers)

For descriptions of these settings and the procedures to configure them, see "Viewing and Changing Process Details" in Processes Configuration in Managing WebLogic Integration Solutions.

Click View All to return to the Channel Summary List page, and repeat step 2 for each channel.

After configuring the security settings for each channel, click

in the module navigation bar to return to the home page.

Configuring Security Policies for Application Views

On the home page of the WebLogic Integration Administration Console, click Application Integration, and then choose the Application Views tab to list the AppViewID for each application view in the WebLogic Integration application.

Click an AppViewID to access the Application View Details page.

From the Application View Details page, you can configure the following security settings:

Roles authorized to execute services and subscribe for events for the application view.

For the procedure to configure these security policies, see "Updating Security Policies" in Application Integration in Managing WebLogic Integration Solutions.

Container-managed sign-on.

Enabling container-managed sign-on for an Application View allows Application Views to utilize any principal map that has been configured for the service connection. If container-managed sign-on is enabled for an Application View and the service connection it uses has been configured with a principal map, then at runtime the services invoked on the Application View will execute within the EIS instance with the identity of the EIS principal that maps to the WebLogic Server principal in effect when the service was invoked. If container-managed sign-on is disabled or no principal map exists on the service connection, then the authentication properties in the service connection itself (if any) are used to connect to the EIS instance
For the procedure to configure this setting, see "Enabling or Disabling Container-Managed Sign-On" in Application Integration in Managing WebLogic Integration Solutions.

Click View All to return to the Application View Summary page, and repeat step 2 for each application view.

After configuring the security settings for each application view, click

in the module navigation bar to return to the home page.

Configuring Security Policies for Adapter Instances

On the home page of the WebLogic Integration Administration Console, click Application Integration, and then choose the Adapter Instances tab.

The Adapter Instance Summary page lists the ID for each adapter instance in the WebLogic Integration application.

Click an ID to access the Adapter Instance Details page, and then click Select Service Connection to display the Adapter Instance Service Connection page.

The Adapter Instance Service Connection page lists the name of each service connection for the adapter instance.

Click the name of a service connection to access the Adapter Instance Service Connection Details page.

From the Adapter Instance Service Connection Details page, you can configure the following security settings:

Roles authorized to obtain service connections from the connection factory

For the procedure to configure these security policies, see "Updating Security Policies" in Application Integration in Managing WebLogic Integration Solutions.

WebLogic Server to EIS principal mappings

For the procedure to configure this map, see "Viewing and Changing WebLogic Server to EIS Principal Mappings" in Application Integration in Managing WebLogic Integration Solutions.

Repeat step 3 for each service connection.

After configuring the security settings for each service connection, click View All to return to the Adapter Instance Summary page, and repeat steps 2, 3, and 4 for each adapter instance.

After configuring the security settings for each channel, click

in the module navigation bar to return to the home page.

Managing Production Users

On the home page of the WebLogic Integration Administration Console, click User Management.

The View and Edit Users page displays a list of all users within WebLogic Integration. From this page you can create new users, delete users, or access details—including group membership—for a selected user.
For information about managing users, see the following topics in User Management in Managing WebLogic Integration Solutions:

Adding a User
Viewing and Changing User Properties

Choose the Groups tab.

The View and Edit Groups page displays a list of all groups within WebLogic Integration. From this page you can create new groups, delete groups, or access details—including group membership—for a selected group.
For information about managing groups, see the following topics in User Management in Managing WebLogic Integration Solutions:

Adding a Group
Viewing and Changing Group Properties

Choose the Roles tab.

The View and Edit Roles page displays a list of all roles within WebLogic Integration. From this page you can create new roles, delete roles, or access details—including role conditions—for a selected role.
For information about managing roles, see the following topics in User Management in Managing WebLogic Integration Solutions:

Adding a Role
Viewing and Setting Role Conditions

Step 6: Configure Worklist Security

WebLogic Integration domains includes the following default WebLogic Integration groups and roles that have access to worklist functionality:

IntegrationUser—All users performing worklist tasks must be assigned to the IntegrationUser role. Users automatically inherit the IntegrationUser role through their default membership in the IntegrationUsers group.
TaskCreationRole—Users and groups creating worklist tasks must be manually assigned to the TaskCreationRole.

The process of configuring worklist security is basically one of assigning users to groups, groups to roles, and ensuring that those roles have appropriate permission levels by defining policies. (For information on how to make these assignments, see Managing Production Users.) Once you have configured worklist security, you can manage owners for tasks in a worklist.

The WebLogic Integration Administration Console provides tools that allow you to manage users, groups, roles, and policies, along with worklist task ownership. For more information about configuring worklist security, see User Management and Worklist Administration in Managing WebLogic Integration Solutions.

Step 7: Configure Trading Partner Integration Security

WebLogic Integration solutions that involve the exchange of messages between trading partners across firewalls have special security requirements, including trading partner authentication and authorization, as well as nonrepudiation.

To configure Trading Partner Integration security, you must perform the following tasks:

Obtain the certificates and keys required for conducting Trading Partner Integration collaborations. Required certificates include those for the trusted CAs, as well as the trading partner certificates and keys mentioned earlier, and the server certificate and key for each instance of WebLogic Server used in your environment.
Configure keystores to store certificates and private keys used in a WebLogic Integration environment.
Configure local trading partners.
Configure remote trading partners.
Configure security for the business protocols used including transport level security and message level security.
Implement the security requirements for the business protocols used.

For detailed information and procedures regarding configuration of Trading Partner Integration, see Trading Partner Integration Security in Introducing Trading Partner Integration.