Configuring Security

 

This topic includes the following sections:

• Configuring the SSL Protocol and Mutual Authentication

• Configuring Access Control Lists for WebLogic Integration B2B

• Configuring Security for the WebLogic Integration B2B Engine

• Configuring Trading Partner Security

• Configuring Message Encryption

• Configuring Digital Signatures for Nonrepudiation

• Customizing the WLCCertAuthenticator Class

• Configuring a Certificate Verification Provider Interface

• Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server

• Configuring WebLogic Integration with a Webserver and a WebLogic Proxy Plug-In

• Configuring Business Process Management Access to the WebLogic Integration Repository

For general information about configuring WebLogic Integration B2B, see Basic Configuration Tasks in Administering B2B Integration.

 

---

Configuring the SSL Protocol and Mutual Authentication

To configure WebLogic Server to use the SSL protocol and mutual authentication, complete the following steps:

1. Obtain a digital certificate for WebLogic Server as described in "Configuring the SSL Protocol" in Managing Security in the BEA WebLogic Server Administration Guide.

2. Start the WebLogic Server Administration Console as described in "Starting the B2B Console" in WebLogic Integration Design and Administration Tools in Starting, Stopping, and Customizing BEA WebLogic Integration.

3. In the navigation tree (in the left pane) of the WebLogic Server Administration Console, choose Servers—>myserver for the domain you are configuring, as in the following figure.

   Figure 3-1 Choosing a Domain

   
    

   The Configuration page for WebLogic Server is displayed, shown in the following figure.

   Figure 3-2 WebLogic Server Administration Console Configuration Page

   
    

4. Select the SSL tab to display the Secure Sockets Layer (SSL) configuration page, shown in the following figure.

   Figure 3-3 SSL Configuration Page

   
    

5. The following table describes the information that you enter into the SSL configuration page.

   Table 3-1 SSL Configuration Page Fields

   Field	Description
   Enabled check box	If checked, SSL connections are enabled between WebLogic Integration B2B and trading partners.
   SSL Listen Port	Specifies the dedicated port on which WebLogic Integration B2B listens for SSL connections.
   Server Key File Name	Specifies the location of the private key file for WebLogic Server.
   Server Certificate File Name	Specifies the location of the public key file for WebLogic Server. You obtain this file from a trusted security vendor, as described in step 1 in this section.
   Server Certificate Chain File Name	Specifies the full directory location of the digital certificate for WebLogic Server. This location is also known as the root certificate authority.
   Client Certificate Enforced check box	If checked, mutual authentication is enabled between WebLogic Integration B2B and trading partners accessing WebLogic Integration B2B resources.
   Trusted CAFile Name	Specifies the name of the file that contains the digital certificate for the certificate authority trusted by WebLogic Server. Trading partners are required to present digital certificates issued by this certificate authority. You obtain this filename from each trading partner configured in your B2B environment.
   Certificate Authenticator	Specifies the certificate authenticator to be used to determine the validity of the trading partner digital certificate

   
    

 

---

Configuring Access Control Lists for WebLogic Integration B2B

The access control list (ACL) for a resource determines whether a user or group can access a WebLogic Integration resource. To define ACLs, you do the following:

1. Create an ACL for a resource.

2. Specify the permission for the resource.

3. Grant the permission to a specified set of users and groups.

For a B2B resource, one or more permissions can be granted.

The ACL on the WebLogic Integration JDBC connection pool that is preset in the sample configuration shipped with WebLogic Integration has the following permissions set for the user wlcSamplesUser: reserve, shrink, and reset.

For complete information about defining ACLs, see "Defining ACLs" in Managing Security in the BEA WebLogic Server Administration Guide.

To set the ACLs on the WebLogic Integration JDBC connection pool in the samples domain:

1. Configure and start the instance of the WebLogic Server in the samples domain. (Start the RunSamples script and bring up the samples launcher page.) For instructions, see "Configuring and Starting the Samples Domain" in Getting Started in Starting, Stopping, and Customizing BEA WebLogic Integration.

2. Start the WebLogic Server Administration Console, if it is not already running. From the samples launcher page select the WebLogic Server link under Administration Consoles in the left pane. (The default system administration user in the samples domain is system with a password of security.)

3. In the navigation tree, choose Security—>ACLs.

   Figure 3-4 Choosing ACLs in the Navigation Tree

   
    

   The ACLs that are configured in the WebLogic Server are listed in the Access Control Lists configuration page, as shown in the following figure. Note the entry for the ACL for the WebLogic Integration JDBC connection pool.

   Figure 3-5 ACL for the JDBC Connection Pool

   
    

4. Click the name of the ACL for the WebLogic Integration JDBC connection pool (weblogic.jdbc.connectionPool.wliPool). The WebLogic Server Administration Console displays the dialog box in which you can set the required permissions for the WebLogic Integration JDBC connection pool, as shown in the following figure.

   Figure 3-6 Setting Permissions for the WebLogic Integration JDBC Connection Pool

   
    

   
    

5. Click reset. The dialog box in which you can reset the ACLs for the JDBC connection pool is displayed, as shown in the following figure.

   Figure 3-7 ACL Reset Dialog Box

   
    

6. Enter wlcSamplesUser in the Users field, if necessary.

7. Click Grant Permission, if you have made any changes.

For more information about access control lists, see "Defining ACLs" in Managing Security in the BEA WebLogic Server Administration Guide.

 

---

Configuring Security for the WebLogic Integration B2B Engine

The WebLogic Integration repository contains security information about the WebLogic Integration B2B security system and the trading partners that access B2B resources. You can configure repository information either by using the WebLogic Integration B2B Console, or by specifying it in a repository data file that you then import into the repository using the Bulk Loader.

Note: If you use the Bulk Migrator utility to migrate the repository from the 1.0 or 1.0.1 releases of WebLogic Collaborate make sure the user wlcsystem is created and the correct password is included in the Bulk Loader data file. For more information about using the Bulk Migrator utility, see Migrating from WebLogic Collaborate 1.0 or 1.0.1 in Migrating to BEA WebLogic Integration Release 2.1.

For the B2B security system, you need to configure the following as required:

• B2B system password

• Audit log class

• Certificate verification class

• Secure timestamp class

• Certificate authority directory

To configure these entities in the B2B security system, complete the following steps:

1. Start the B2B Console

2. In the main pane of the B2B Console, click the link under WebLogic Integration B2B, as shown in the following figure.

   Figure 3-8 WebLogic Integration B2B Console Main Window

   
    

   The B2B configuration tabs are displayed, as shown in the following figure.

   Figure 3-9 B2B Configuration Tabs

   
    

3. Select the Security tab. The Security configuration page for the WebLogic Integration system is displayed, as shown in the following figure.

   Figure 3-10 WebLogic Integration B2B Security Configuration Page

   
    

4. The following table describes the fields in the Security tab of the Configuration panel that you may need to configure. Note that the new configuration takes effect after the WebLogic Integration system is restarted.

   Table 3-2 Configuring the WebLogic Integration B2B Security System

   Field	Description
   System Password	Password for the WebLogic Integration B2B system user. This is set when you install the WebLogic Integration software, and by default this password is wlcsystem. However, if you want to change it, you can enter a new password in this field.
   Audit Log Class	Java class that implements audit logging, which is used for nonrepudiation. You can use the audit log to reconstruct the sequence of events that have occurred during a conversation, along with the data exchanged. Depending on how you configure the audit log, the audit log may store each business message exchanged among trading partners along with digital signatures, timestamps, and other data. For more information about auditing, see Secure Audit Log Service.
   Certificate Verification Class	Java class that calls out to software that verifies that a digital certificate submitted by a remote trading partner is valid. This class can call out to either the Online Certificate Status Protocol (OCSP) application that WebLogic Integration provides, or certificate verification provider software that you obtain from a trusted security vendor. For more information about the certificate verification class, see Trading Partner Certificate Verification.
   Secure Timestamp Class	Java class that provides secure timestamping of business messages exchanged among trading partners. Timestamping is used for nonrepudiation. For more information about secure timestamping, see Secure Timestamp Service.
   Certificate Authority Directory	Location that contains the Certificate Authorities of all the trading partner certificates configured in the WebLogic Integration repository.

   
    

 

---

Configuring Trading Partner Security

Configuring trading partner security involves setting the following for each trading partner:

• Certificates

• Transport security properties

• Document exchange security

• Delivery channel security

The following subsections describe how to configure trading partner security for each of these components.

Note: If you use the Bulk Loader to import data into the WebLogic Integration repository, the WebLogic Server users that represent each trading partner configured in the repository are not automatically created. You need to create these WebLogic Server users manually. For more information, see Working with the Bulk Loader in Administering B2B Integration.

Configuring Trading Partner Certificates

WebLogic Integration B2B provides a means to configure the following trading partner certificates.

Table 3-3 Trading Partner Certificates Configured in WebLogic Integration B2B

Certificate	Description
Client certificate	Digital certificate of the remote or local trading partner. Configuring the client certificate is required when using the SSL protocol. Certificate Details: Is of type X509 V3. Is Privacy Enhanced Mail (PEM) or Definite Encoding Rules (DER) encoded. (The filename extension specifies the encoding type: .pem or .der.) Is required for all trading partner types while using HTTPS. Private Key Details: Is PEM or DER encoded. (The filename extension specifies the encoding type: .pem or .der.) Is required only for local trading partner type. Password protected private keys are not supported.
Server certificate	Digital certificate of the remote trading partner. Configuring the server certificate is required when using the SSL protocol. Certificate Details: Is of type X509 V3. Is PEM or DER encoded. (The filename extension specifies the encoding type: .pem or .der.) Is required for remote trading partner types while using HTTPS.
Signature certificate	Certificate required of each trading partner if digital signature support, a requirement for nonrepudiation, is configured for the e-market. For a description of digital signature support, see Digital Signature Support. Certificate Details: Is of type X509 V3. Any encoding is allowed. You use the RSA CertJ package to read the certificate. Is required for all trading partner types using digital signature service. Private Key Details: Uses only the PKCS8 format. Is always password protected. (You specify the password as a system property in the startweblogic command.)
Encryption certificate	Certificate required of each trading partner when business message encryption is configured for the e-market. Note that encryption support is available only with the RosettaNet protocols. For a description of message encryption, see Configuring Message Encryption. Certificate Details: Is of type X509 V3. Any encoding is allowed. Use RSA CertJ package to read the certificate. Is required for all trading partner types using encryption service. Private Key Details: Uses only the PKCS8 format. Is always password protected. (You specify the password as a system property in the startweblogic command.)

 

Note the following general rules about configuring trading partner certificates:

• Each trading partner may have one client certificate and one server certificate, and any number of encryption and signature certificates.

• For each certificate, there is a trading partner type: Local or Remote. The contents of each certificate configuration tab depends on the trading partner type. For example, the tab for configuring a remote trading partner does not contain fields for entering information about private keys because information about private keys should be set only for local trading partners.

• For local trading partners, you do not configure a server certificate.

• When configuring a local trading partner, you do not need to provide a WebLogic Server username for that trading partner. The one exception to this rule is if the local trading partner is a trading partner lightweight client.

• Private keys for signature and message encryption certificates require a password. To set a password for a private key, specify the password as a system property on the command line that starts WebLogic Server. The following example shows the command that starts WebLogic Server for the Hello Partner sample application.

%JAVA_HOME%\bin\java -classic -ms64m -ms64m -classpath %START_WL_CLASSPATH%
 -Dbea.home=%BEA_HOME% -Dweblogic.home=%WL_HOME%
 -Dweblogic.system.home=%WLC_SAMPLES_HOME% -Dweblogic.Domain=samples
 -Dweblogic.management.password=security
 -Dcloudscape.system.home=%WLC_SAMPLES_CLOUDSCAPE_HOME% -Dweblogic.Name=myserver
 -Djava.security.policy=%WL_HOME%\lib\weblogic.policy
 -DKey.certificate-name.password=mypassword weblogic.Server

In the preceding example, certificate-name represents the name of the certificate for which a private key password is being specified, and mypassword represents the password.

To configure trading partner certificates, complete the following steps:

1. Display the main trading partner configuration page, which you can do one of the following ways:

   • Click Trading Partners in the navigation tree of the B2B Console.

     Figure 3-11 Trading Partners Entry in the Navigation Tree

     
      

   • Click the Trading Partners link in the right pane.

     Figure 3-12 Accessing the Trading Partner Configuration Page

     
      

   The main Trading Partners configuration page, where you can add, modify, and remove trading partners is shown in the following figure.

   Figure 3-13 Main Trading Partner Configuration Page

   
    

Note: In the instructions that follow, we assume that the trading partner has already been created and configured, with the exception of security parameters. For complete details about configuring trading partners in general, see Basic Configuration Tasks in Administering B2B Integration.

2. Click the name of the trading partner whose security settings you want to configure. The General configuration page for the trading partner is shown in the following figure.

   Figure 3-14 General Configuration Page for Trading Partner

   
    

3. Select the Certificates tab. The page on which you configure trading partner certificates is displayed, as shown in the following figure.

   Figure 3-15 Trading Partner Certificates Configuration Page

   
    

   Note: The preceding figure shows configuring a remote trading partner. If the trading partner were local, an additional field would be displayed showing the private key location for the certificate name.

4. To configure each of the trading partner certificates, complete the steps listed in the following table.

   Table 3-4 Configuring Trading Partner Certificates

   To configure . . .	Complete the following steps . . .
   Client certificate	If you are configuring a local or remote trading partner: In the Certificate Type selection box, select Client Certificate. In the Certificate Name field, enter the client certificate name. In the Certificate Location field, enter the filename and location on your WebLogic Integration machine where the client certificate is stored. In the Private Key Location field, enter the filename and location on your WebLogic Integration machine where the private key of the local trading partner is stored. (This step applies only to local trading partners.) Click Add/Apply.
   Server certificate	If you are configuring a remote trading partner: In the Certificate Type selection box, select Server Certificate. In the Certificate Name field, enter the name of the server certificate for the remote trading partner's WebLogic Integration system. In the Certificate Location field, enter the filename and location on your machine where the trading partner's server certificate is stored. Click Add/Apply.
   Signature certificate	For trading partners using digital signature support: In the Certificate Type selection box, select Signature Certificate. In the Certificate Name field, enter the signature certificate name. In the Certificate Location field, enter the filename and location on your machine where the signature certificate is stored. In the Private Key Location field, enter the filename and location on your machine where the local trading partner private key is stored. (This step applies only to local trading partners.) Click Add/Apply.
   Encryption certificate	For trading partners using RosettaNet-based business message encryption: In the Certificate Type selection box, select Encryption Certificate. In the Certificate Name field, enter the encryption certificate name. In the Certificate Location field, enter the location on your machine where the encryption certificate is stored. In the Private Key Location field, enter the location on your machine where the local trading partner private key is stored. (This step applies only to local trading partners.) Click Add/Apply.

   
    

Notes: When you create a trading partner in WebLogic Integration, a WebLogic Server user is created for that trading partner at run time using the WebLogic Server username that you specify. However, when you delete a trading partner from the WebLogic Integration repository, the corresponding WebLogic Server user is not automatically deleted. When you delete a trading partner, be sure also to manually delete the corresponding WebLogic Server user.

Visit the BEA Developer Center to obtain helpful resources, such as links to sites that provide useful tools for manipulating digital certificates and private keys, which you might find useful in managing WebLogic Integration B2B security. You can reach the BEA Developer Center at the following URL:

http://developer.bea.com/index.jsp

Configuring a Secure Transport

When you configure a transport for a trading partner, you bind the trading partner's transport to a transport security protocol. For example, if a trading partner is configured to use SSL certificates, you must bind that trading partner's transport to a transport protocol that uses SSL. When a secure transport is configured, the client certificate is used for outbound SSL. Because WebLogic Integration allows only one client certificate, there is no need to select the client certificate while configuring a secure transport.

To configure a secure transport for a trading partner, complete the following steps:

1. Select the Transport tab. The Transport configuration page is displayed. The top of this page is shown in the following figure.

   Figure 3-16 Trading Partner Transport Configuration Page

   
    

2. Enter the information described in the following table.

   Table 3-5 Configuring the Trading Partner Transport

   Field	Description
   Transport Name	The name of the trading partner transport. You can enter a name, or choose from the list of available transports displayed in the box labeled Available Transports. Note that each of the available transports has a security protocol bound to it, so if you choose from this list, the transport and security protocols are set automatically. For more information about specifying the transport name, see the online help for the Transport tab by clicking the question mark in the upper right.
   Transport Protocol	The security protocol for the transport. You can choose between HTTP-1.1 and HTTPS-1.1. The HTTPS-1.1 protocol uses SSL. Note that if you choose HTTPS-1.1, the security protocol is displayed in the nonmodifiable field labeled Security Protocol.
   URI Endpoint	The URI for the transport on the trading partner's B2B system. To specify the URI endpoint, you can enter a URI in this field, or choose from one of the available URIs displayed in the box below this field. When you enter the URI endpoint, click Set, to establish the URI, or Remove, to clear an existing entry in the URI Endpoint field. For more information about specifying the URI endpoint, see the online help for the Transport tab by clicking the question mark in the upper right.

   
    

3. Click Add/Apply.

Configuring a Secure Delivery Channel

When you configure a trading partner's delivery channel, you have the option of making the delivery channel secure by binding it to the secure transport configured in Configuring a Secure Transport.

To configure a secure channel, complete the following steps:

1. Select the Delivery Channels tab. The Delivery Channels configuration page is displayed, as shown in the following figure.

   Figure 3-17 Trading Partner Delivery Channels Configuration Page

   
    

2. Enter the information described in the following table.

   Table 3-6 Configuring a Trading Partner Delivery Channel

   Field	Description
   Delivery Channel Name	The delivery channel name. You can enter a name in this field, or choose from the delivery channels listed in the Available Delivery Channels box below. For more information about specifying a delivery channel name, see the online help for the Delivery Channels page by clicking the question mark in the upper right.
   Transport	The name of the transport configured in the trading partner transport tab. This field gives you an opportunity to bind the delivery channel to a transport that you secured when configuring the transport properties, as described in Configuring a Secure Transport.
   Document Exchange	The name of the document exchange to which you want to bind the delivery channel. For more information about binding a document exchange to a delivery channel, see the online help for the Delivery Channels page by clicking the question mark in the upper right.
   Routing Proxy	Check this box if you want the trading partner delivery to act as a routing proxy (hub). For more information about proxy servers, see Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server.

   
    

3. Click Add/Apply.

Configuring a Secure Document Exchange

When you configure the trading partner document exchange, you can associate a document exchange with a business protocol binding that provides digital signature support or message encryption. Digital signature support is available with all the business protocols supported in WebLogic Integration; however, message encryption is available only with the RosettaNet protocol.

To enable digital signature or message encryption support, complete the following steps:

1. Select the Document Exchange tab. The Document Exchange configuration page is displayed, as shown in the following figure.

   Figure 3-18 Trading Partner Document Exchange Configuration Page

   
    

2. Enter the information described in the following table.

   Table 3-7 Configuring a Trading Partner Document Exchange

   In the field labeled . . .	Choose the following information . . .
   Business Protocol Binding	The business protocol and version that supports the digital signature or message encryption capabilities that you want. The protocol you choose becomes bound to the trading partner document exchange identified at the top of the page.
   Business Protocol Definition	The business protocol associated with the business protocol binding chosen in the preceding selection box.

   
    

3. For information about specifying data in the fields labeled Document Exchange Name, End Point Type, Confirmed Delivery, Message History, and Retries, see the online help for the Document Exchange page by clicking the question mark in the upper right.

4. For information about configuring digital signature information, see Configuring Message Encryption.

5. For information about configuring message encryption information, see Configuring Digital Signatures for Nonrepudiation.

 

---

Configuring Message Encryption

As mentioned in Introducing WebLogic Integration B2B Security, the B2B message encryption service encrypts business messages for the business protocols that require it. Currently, message encryption is supported only for the RosettaNet 2.0 protocol.

How WebLogic Integration B2B Message Encryption Works

Data encryption works by using a combination of the sender's certificate, private key, and the recipient's certificate to encode a business message. The message can then be decrypted only by the recipient using the recipient's private key.

Note: The B2B message encryption feature is controlled by licensing (Encryption/Domestic or Encryption/Export), but the decryption of a business message is not. If WebLogic Integration does not have a valid encryption license, the B2B engine disables the encryption service. However, the B2B engine can always decrypt business messages that are received.

The WebLogic Integration Release 2.1 message encryption service supports only the Rivest-Shamir-Adleman (RSA) encryption algorithm.

The following figure shows how data encryption is performed using the public and private keys.

Figure 3-19 WebLogic Integration B2B Message Encryption Service

 

Note: To use message encryption, you must have a valid license for using the encryption service.

Configuring Message Encryption

To configure message encryption for business messages exchanged by trading partners in a RosettaNet 2.0-based conversation definition, complete the following steps:

1. Configure the trading partner as described in Basic Configuration Tasks in Administering B2B Integration.

2. Configure security for the trading partner delivery channel, as described in Configuring a Secure Delivery Channel. Be sure to configure the delivery channel using a transport that uses the appropriate RosettaNet 2.0 protocol binding.

3. Configure the trading partner document exchange, as described in Configuring a Secure Document Exchange. Be sure to configure the document exchange to support the appropriate RosettaNet 2.0 business protocol binding.

   Notice that when you select a RosettaNet business protocol binding on the Doc Exchange configuration page, the Encryption box is displayed in the lower left-hand corner of that configuration page. The following figure shows the Document Exchange configuration page with the Encryption box.

   Figure 3-20 Configuration Box for Message Encryption on Doc Exchange Configuration Page

   
    

4. In the Encryption box, select the information described in the following table.

   Table 3-8 Message Encryption Configuration Settings

   In the field labeled . . .	Select the following . . .
   Encryption Certificate	The name of the encryption certificate configured in Configuring Trading Partner Certificates.
   Encryption Level	The parts of the business message that you want to have encrypted. Choose PAYLOAD if you want to encrypt only the XML business document(s) part of the message. Choose ENTIRE_PAYLOAD if you want to encrypt the business documents and all attachments in the message.
   Cipher Strength	Either 56- or 128-bit encryption. Note that 128-bit encryption is not available in some localities.

   
    

   Note that the field labeled Cipher Algorithm is a nonmodifiable information field containing the name of the algorithm. With Release 2.1 of WebLogic Integration, the only value displayed in this field is RSA.

5. Click Add/Apply.

 

---

Configuring Digital Signatures for Nonrepudiation

Digital signature support (described in detail in Implementing Nonrepudiation) provides a means to prevent anyone or anything from tampering with the contents of a business message, especially when the business message is in transit between two trading partners. Digital signature support is a requirement for nonrepudiation.

If you are implementing nonrepudiation, you need to configure digital signature support in the B2B engine, which you can do by completing the following steps:

1. Configure the trading partner, as described in Basic Configuration Tasks in Administering B2B Integration.

2. Configure the trading partner signature certificate, as described in Configuring Trading Partner Certificates.

3. Configure the trading partner delivery channel security, as described in Configuring a Secure Delivery Channel. Be sure to configure the delivery channel using a transport that uses the appropriate protocol binding.

4. Configure the trading partner document exchange, as described in Configuring a Secure Document Exchange. Be sure to configure the document exchange to support the appropriate business protocol binding.

5. In the Doc Exchange tab, notice the box labeled Digital Signature (Nonrepudiation) in the lower right. In this box, choose the trading partner signature certificate identified in Configuring Trading Partner Certificates.

   When you choose a signature certificate, notice the data displayed in the nonmodifiable fields that are associated with the signature certificate, as shown in the lower right in the following figure.

   Figure 3-21 Configuring Nonrepudiation

   
    

   These nonmodifiable fields are used for the following purposes.

   • Nonrepudiation protocol—identifies the business protocol associated with the signature certificate.

   • Hash Function—identifies the function used for encrypting passwords exchanged among trading partners. The hash function used by both the RosettaNet and XOCP protocols in WebLogic Integration is SHA1.

   • Signature Algorithm—identifies the algorithm used for encrypting the signature certificates exchanged among trading partners. The signature algorithm used by both the RosettaNet and XOCP protocols in WebLogic Integration is RSA.

 

---

Customizing the WLCCertAuthenticator Class

The WLCCertAuthenticator class is an implementation of the WebLogic Server CertAuthenticator class. The default implementation of the WLCCertAuthenticator class maps the digital certificate of the trading partner to the corresponding trading partner user defined in the WebLogic Integration repository. You may want to extend this functionality to use mutual authentication for users other than trading partners. For example, you may want to modify the class to map a Web browser or Java client to a WebLogic Server user.

The WLCCertAuthenticator class is invoked by WebLogic Server after an SSL connection between the trading partner and WebLogic Server has been established. The class can extract data from a digital certificate to determine the trading partner name that corresponds to the digital certificate.

The following code example, in which the WebLogic default realm for retrieving users is used, shows how the WLCCertAuthenticator class is customized:

public User authenticate(String userName, Certificate[] certs, boolean ssl)
{

String user = null;

// If not using SSL, return
if (ssl == false)
{
return null;
}

// Verify that the certificate is either a c-hub certificate or a trading partner
// certificate, then return the corresponding WLS user.

if ((user = Security.isValidWLCCertificate(certs))!= null)
{
return realm.getUser(user);
}
// Certificate is not a valid WLC certificate.
// Check here for non-WLC certificate and return the corresponding user.
}

 

---

Configuring a Certificate Verification Provider Interface

As explained in Trading Partner Certificate Verification, you use a certificate verification provider to validate a trading partner's digital certificate. If you are using a certificate verification provider (CVP), you need to configure it in the B2B Console, using the steps described in this section.

To configure a CVP:

1. Start the B2B Console.

2. In the main page of the B2B Console, click the link under WebLogic Integration B2B, as described in Configuring Security for the WebLogic Integration B2B Engine.

3. In the B2B Configuration panel, select the Security tab. This displays the page shown in the following figure.

   Figure 3-22 WebLogic Integration B2B System Security Configuration Page

   
    

4. In the field labeled Certificate Verification Class, enter the fully qualified name of the Java class that implements the CVP.

5. Click Apply.

Note: You can load a certificate verification provider via the Bulk Loader. For more information, see Working with the Bulk Loader in Administering B2B Integration.

 

---

Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server

If you are using WebLogic Integration in a security-sensitive environment, you may want to use WebLogic Integration behind a proxy server. A proxy server allows trading partners to communicate across intranets or the Internet without compromising security. A proxy server is used to:

• Hide, from external hackers, the local network addresses of the WebLogic Servers that host WebLogic Integration

• Restrict access to the external network

• Monitor external network access to the WebLogic Servers that host WebLogic Integration

When proxy servers are configured on the local network, network traffic (SSL and HTTP) is tunneled through the proxy server to the external network. The following figure illustrates how a proxy server might be used in the WebLogic Integration environment.

Figure 3-23 Proxy Server

 

To configure a proxy server for WebLogic Integration, complete the following steps:

1. Display the configuration tabs in the right pane of the B2B Console window, as shown in the following figure.

   Figure 3-24 Configuration Tabs in the WebLogic Integration B2B Console

   
    

2. Select the Proxy tab. The Proxy configuration page is displayed, as shown in the following figure.

   Figure 3-25 WebLogic Integration Proxy Server Configuration Page

   
    

3. In the field labeled Host, enter the address of the proxy server used for the WebLogic Integration server, if any. For example:

   myproxy.mycompany.com.

4. In the field labeled Port, enter the port number for the proxy server.

5. Click Apply.

6. Add permissions to read and write the ssl.proxyHost and ssl.proxyPort system properties for the WebLogic Server. These system properties are stored in the weblogic.policy file, which is located in the directory where you installed WebLogic Server. Add the following lines to the grant section of the weblogic.policy file:

permission java.util.PropertyPermission "ssl.proxyHost", "read, write";
permission java.util.PropertyPermission "ssl.proxyPort", "read, write";

 

---

Configuring WebLogic Integration with a Webserver and a WebLogic Proxy Plug-In

You can configure WebLogic Integration with a webserver, such as Apache server, that is programmed to service business messages from a remote trading partner. The webserver can provide the following services:

• Receive the business messages from the remote trading partner

• Authenticates the trading partner digital certificate

The webserver uses the WebLogic proxy plug-in, which you can configure to provide the following services:

• Forwards business messages received by the webserver to WebLogic Integration, which is running inside a secure internal network.

• Extract the remote trading partner certificate from the webserver and forward it to WebLogic Server for authentication. WebLogic Integration can then authenticate the trading partner certificate and business message.

The following figure shows the topology of an environment that uses a webserver, the WebLogic proxy plug-in, and WebLogic Integration.

Figure 3-26 Using a Webserver and the WebLogic Proxy Plug-In

 

Configuring the Webserver

To configure the webserver, see Configuring WebLogic Server Web Components in the BEA WebLogic Server Administration Guide.

The following code example provides the segment of httpd.conf (for Apache server) for configuring the proxy plug-in:

# LoadModule foo_module libexec/mod_foo.so
LoadModule weblogic_module    libexec/mod_wl_ssl.<suffix>

<Location /weblogic>
 SetHandler weblogic-handler
 PathTrim /weblogic
 WebLogicHost myhost
 WebLogicPort 80
</Location>

Note that in WebLogic Server 6.0, the proxy plug-in supports only one-way SSL. Because WebLogic Server hosting WebLogic Integration is configured with mutual authentication, it is important that you do not configure the proxy plug-in with SSL.

WebLogic Server User Identity for the Trading Partner

The WebLogic Server user identity is optional when you configure the remote trading partner. If a particular WebLogic Integration B2B deployment has stringent security requirements, we recommend the following:

• Configure the ACLs for the transport servlet to enable permissions for the WebLogic Server users that map to the remote trading partner certificates.

• Disable guest users so that users with unknown or invalid certificates are unable to enter the WebLogic Server system.

 

---

Configuring Business Process Management Access to the WebLogic Integration Repository

If you use WebLogic Integration with the business process management component (BPM) of WebLogic Integration, note the following configuration tasks for sharing access to the WebLogic Integration repository.

• You need to configure BPM to have permissions to use the WebLogic Integration repository. You can do this by adding the WebLogic Server group wlpiUsers to the ACL for the JDBC connection pool used by the WebLogic Integration repository.

• If a user of the WebLogic Integration Studio or Worklist utilities needs access to workflow templates stored in the WebLogic Integration repository, you need to add that user to the appropriate ACLs for the WebLogic Server administration MBeans.

  You can do this by specifying the following ACLs on the WebLogic Server MBeans for the user, where user represents the name of the BPM user:

  acl.access.weblogic.admin.mbean.MBeanHome=<user>
  acl.lookup.weblogic.admin.mbean.MBeanHome=<user>

For information about configuring ACLs for B2B resources, see Configuring Access Control Lists for WebLogic Integration B2B.

 

Copyright © 2002 BEA Systems, Inc. All rights reserved. Required browser: Netscape 4.0 or higher, or Microsoft Internet Explorer 4.0 or higher.