Using WebLogic Integration - Business Connect
Application Security
The following topics describe available security features for communications between the WebLogic Integration - Business Connect Server application and client applications.
Concepts
Procedures
Tools
SOAP-RPC HTTPS Security
WebLogic Integration - Business Connect uses Simple Object Access Protocol (SOAP) to enable the Administrator and Tracker applications to securely send updates to the Server application. WebLogic Integration - Business Connect uses a built-in server for this purpose called the SOAP-RPC HTTPS server.
SOAP is a message-based protocol for accessing services on the Internet. SOAP uses XML syntax to send text commands across the Internet using HTTP. For more information about SOAP, see http://www.w3.org/TR/SOAP/. RPC stands for remote procedure call, which is a common protocol for the client-server model of distributed systems.
The SOAP-RPC HTTPS server has a certificate with a public-private key pair. For brevity, this is referred to as the RPC certificate. By default, this is a self-signed certificate with a life of five years that is generated upon installing WebLogic Integration - Business Connect. You can replace the certificate either with another self-signed certificate or with a certificate obtained from a third-party certificate authority. For details see Certificate Tool (certloader).
Default SOAP-RPC HTTPS Security
Administrator and Tracker use the public key in the RPC certificate to encrypt updates to the WebLogic Integration - Business Connect Server application by way of the SOAP-RPC HTTPS server. This security occurs by default; you do not have to do anything to enable it.
Triple DES is the default encryption strength for the SOAP-RPC HTTPS server. Triple DES has a key length of 168 bits.
Figure 11-1 illustrates the default security for the SOAP-RPC HTTPS server.
Figure 11-1 Default SOAP-RPC HTTPS Server Security
Optional SOAP-RPC HTTPS Security
Two additional, optional layers of security for authenticating certificates are available:
Configuration for authenticating certificates requires knowledge of Java tools, particularly keytool, which is a key and certificate management utility. It also requires using the WebLogic Integration - Business Connect certloader and soapconfig tools. For details see Certificate Tool (certloader) and SOAP Configuration Tool (soapconfig).
Figure 11-2 illustrates the optional security for the SOAP-RPC HTTPS server.
Figure 11-2 Optional SOAP-RPC HTTPS Server Security
Configuring Administrator and Tracker to Authenticate the SOAP-RPC Server
Use this procedure to configure Administrator and Tracker to authenticate a CA certificate for the SOAP-RPC HTTPS server. This authentication validates that the remote Administrator and Tracker applications are communicating with the authorized WebLogic Integration - Business Connect Server application. For details about such authentication, see Optional SOAP-RPC HTTPS Security.
Steps
If you are using the tool from a command line, use the following format:
soapconfig -ts truststore -tp truststorepassword
If you are using the tool's graphical user interface, complete the following fields: Trust store, Trust store password and Confirm trust store password.
Use the same password as the one used to import the certificate to the WebLogic Integration - Business Connect keystore in step 2.
For details about the tool, see SOAP Configuration Tool (soapconfig).
Configuring the SOAP-RPC Server to Authenticate Administrator or Tracker
Use this procedure to configure the WebLogic Integration - Business Connect Server application to authenticate a CA certificate for Administrator and Tracker. This authentication validates that the Server application is communicating with the authorized remote Administrator and Tracker applications via the SOAP-RPC HTTPS server. For details about such authentication, see Optional SOAP-RPC HTTPS Security.
Steps
If you are using the tool from a command line, use the following format:
soapconfig -ks keystore -kp keystorepassword
If you are using the tool's graphical user interface, complete the following fields: Key store, Key store password and Confirm key store password. The password is the one you used to export the certificate to a p12 file from a browser or mail client.
For details about the tool, see SOAP Configuration Tool (soapconfig).
API HTTPS Security
WebLogic Integration - Business Connect supports communicating with an application program interface (API) client by way of HTTP and HTTPS servers that are built into the application.
Communicating by way of the HTTP server with an API client does not require special configuration, beyond specifying the API HTTP port on the Ports tab, which is accessed by selecting Tools
Using the HTTPS server, however, requires additional configuration and is explained in the following topics:
API Security Summary
WebLogic Integration - Business Connect supports an API client communicating with the Server application. WebLogic Integration - Business Connect has two built-in servers for this purpose. One is an HTTP server. The other is an HTTPS server. The API HTTPS server enables an API client to use a public key to securely encrypt messages to the Server application.
The API HTTPS server must be used with a certificate and a public-private key pair. For brevity, this is referred to as the API certificate. This can be a self-signed certificate or a certificate obtained from a third-party certificate authority. For details see Certificate Tool (certloader).
Optional API Security
WebLogic Integration - Business Connect supports three security options for communicating with an API client by way of HTTPS, which is HTTP over Secure Sockets Layer protocol. They are:
Implementing these security options requires knowledge of Java tools, particularly keytool, which is a key and certificate management utility. It also requires using the WebLogic Integration - Business Connect certloader tool. For details see Certificate Tool (certloader).
Figure 11-3 illustrates the optional security for the API HTTPS server.
Figure 11-3 Optional API HTTPS Server Security
Configuring an API Client to Use HTTPS
Use this procedure to configure the API client to use the public key in the API certificate to encrypt messages to the WebLogic Integration - Business Connect Server application. For details about this security, see API HTTPS Security.
Steps
Configuring an API Client to Authenticate the API Server
Use this procedure to configure an API client to authenticate a CA certificate for the API HTTPS server. This authentication validates that the remote API client is communicating with the authorized WebLogic Integration - Business Connect Server application. For details about such authentication, see Optional API Security.
You must first configure the API client to use the API HTTPS server before you can do this procedure. See Configuring an API Client to Use HTTPS.
Steps
Use the certloader tool to import the CA certificate to the WebLogic Integration - Business Connect keystore. The certificate you import will replace the current API certificate. Use the following format:
certloader -api -l filename password
For details about the tool, see Certificate Tool (certloader).
Configuring the API Server to Authenticate an API Client
Use this procedure to configure the WebLogic Integration - Business Connect Server application to authenticate a CA certificate for the API client. This authentication validates that the Server application is communicating with the authorized remote API client. For details about such authentication, see Optional API Security.
You must first configure the API client to use the API HTTPS server before you can do this procedure. See Configuring an API Client to Use HTTPS.
Steps
Certificate Tool (certloader)
Certloader is a command line utility that can perform tasks for enhancing application security. It can generate self-signed certificates containing public-private encryption key pairs. It also can load a certificate containing a public-private key pair that was generated by a third-party certificate authority.
Certloader is used for managing certificates used by two HTTPS servers that are built into WebLogic Integration - Business Connect:
In addition to generating self-signed certificates, certloader can import P12 certificate files containing public-private key pairs that have been obtained from a certificate authority. CA certificates are recommended as the API and RPC certificates when you want the client to authenticate the server certificate or the server to authenticate the client certificate or both. For details see SOAP-RPC HTTPS Security and API HTTPS Security.
You cannot use certloader to delete a certificate used by the API HTTPS server or SOAP-RPC HTTPS server.
The following topics are provided about certloader:
The Default RPC Certificate
During installation, WebLogic Integration - Business Connect uses the name of the host computer for the Server application and the company name you enter to generate the initial RPC certificate. This is a self-signed certificate. Default values are used for the length of the public-private key and the certificate expiration date. Other values are blank by default.
Listing 11-1 shows the information for a default RPC certificate. Using certloader explains how to display the certificate information using the certloader command. The certificate also is in the WebLogic Integration - Business Connect trusted roots store. You can view the certificate's information by selecting Tools
Listing 11-1 Default RPC Certificate
Name: WORLDWIDE
E-mail address:
Company: Worldwide Trading
Department:
City:
ISO country code:
Serial number: 5294f5ece4299c75710582f441b6f63a
Algorithm: sha1WithRSAEncryption
Key length: 512
Valid from: Tue Aug 21 10:13:53 MST 2001
Valid to: Mon Aug 21 10:13:53 MST 2006
MD5 Fingerprint: CA:A2:34:28:CB:0D:CD:64:4E:CE:FD:4F:5B:B9:D4:57
Issuer: O=Worldwide Trading, CN=WORLDWIDE
Administrator and Tracker use the public key in the RPC certificate to communicate with the Server application; you do not have to configure this.
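As an added example that is not part of the BEA documentation, the following Python check parses a certificate report in the Listing 11-1 layout and flags the settings a reviewer would question before leaving a default RPC certificate in service. The 2048-bit threshold and the treatment of md5/sha1 signatures as weak are assumptions, and the self-signed test relies on the issuer form shown in the listing.

```python
from datetime import datetime

# Constructed sample: the default RPC certificate report from Listing 11-1.
SAMPLE_DUMP = """\
Name: WORLDWIDE
E-mail address:
Company: Worldwide Trading
Department:
City:
ISO country code:
Serial number: 5294f5ece4299c75710582f441b6f63a
Algorithm: sha1WithRSAEncryption
Key length: 512
Valid from: Tue Aug 21 10:13:53 MST 2001
Valid to: Mon Aug 21 10:13:53 MST 2006
MD5 Fingerprint: CA:A2:34:28:CB:0D:CD:64:4E:CE:FD:4F:5B:B9:D4:57
Issuer: O=Worldwide Trading, CN=WORLDWIDE
"""

def parse_dump(text):
    """Map each 'Field: value' line to a dict entry; blank values stay ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_cert_date(value):
    """Parse 'Tue Aug 21 10:13:53 MST 2001'; the zone token is dropped
    because strptime only accepts the local machine's zone names."""
    parts = value.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def audit_certificate(text, now=None, min_key_bits=2048):
    """Return reviewer findings for one report (thresholds are assumptions)."""
    cert = parse_dump(text)
    now = now or datetime.now()
    findings = []
    if int(cert.get("Key length") or 0) < min_key_bits:
        findings.append("weak key length: %s bits" % cert.get("Key length"))
    if cert.get("Algorithm", "").lower().startswith(("md5", "sha1")):
        findings.append("weak signature algorithm: %s" % cert["Algorithm"])
    if parse_cert_date(cert["Valid to"]) < now:
        findings.append("certificate expired on %s" % cert["Valid to"])
    # Heuristic: the listing prints the issuer as O=<Company>, CN=<Name>,
    # so an issuer equal to the subject means the certificate is self-signed.
    if cert.get("Issuer") == "O=%s, CN=%s" % (cert.get("Company"), cert.get("Name")):
        findings.append("self-signed: issuer equals subject")
    return findings
```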
Using certloader
The following shows the usage of certloader and its parameters. The words following parameters are the names of variables that are used with the associated parameter. This command is executed in a console or command window.
certloader -?|-help
certloader -api|-rpc -g [-c common name] [-o organization name] [-u organization unit name] [-loc locality name] [-cty country code] [-e e-mail address] [-len 512|1024|2048] [-v number[d|m|y]]
certloader -api|-rpc -l filename password
certloader -api|-rpc -dump
Typing certloader without a parameter generates an error message. The command must be used with parameters to function.
Description of certloader Parameters
The certloader parameters are described in the following table.
SOAP Configuration Tool (soapconfig)
The soapconfig tool, which is in the application's bin directory, configures the SOAP truststore and keystore settings for communications between Administrator and Tracker and the Server application. You use the soapconfig tool when setting up the certificate authentication security options described in Optional SOAP-RPC HTTPS Security or Optional API Security.
Using the soapconfig tool is a step in setting up a truststore or keystore or both for each client computer running Administrator and Tracker. The truststore and keystore themselves are created with the Java keytool; soapconfig only points Administrator and Tracker to the truststore or keystore that keytool created. The properties soapconfig manages are in the DB.properties file in the WebLogic Integration - Business Connect installation directory.
Keytool manages a keystore of private keys and their associated X.509 certificate chains authenticating the corresponding public keys. It also manages certificates from trusted entities. For information about keytool see http://java.sun.com/.
You can use the soapconfig tool with a graphical user interface or from a command line. The following topics explain how to use it both ways:
After using soapconfig, you must restart the Server application for the changes to become effective.
Listing 11-2 shows the section of the DB.properties file that the soapconfig tool manipulates. Specifically, the tool affects some of the properties that begin with the words SOAP.Admin. We recommend that you use the soapconfig tool to change these settings and do not directly edit the DB.properties file, unless advised to do so. The soapconfig tool encrypts the password settings and direct editing does not.
Listing 11-2 DB.properties File
// SECTION 3: MISCELLANEOUS SETTINGS
Cyclone.client.browser=unknown
RMI.Port=
RMIServer=
Debug=0
// SOAP.* settings used by Administrator and Tracker when communicating with
// the controller. These values are not used by the Controller when
// initializing the SOAP Server. The Controller values are set inside the
// Administrator under Tools-Preferences.
SOAP.Admin.Host=
SOAP.Admin.Port=
SOAP.Admin.CheckTrust=
SOAP.Admin.TrustStore=
SOAP.Admin.TrustStorePassword=
SOAP.Admin.KeyStore=
SOAP.Admin.KeyStorePassword=
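The following Python check is added here and is not part of the documentation or of the soapconfig tool. It parses the Listing 11-2 section, reports a truststore or keystore entry left without a password or a CheckTrust setting without a truststore, and recognizes the header that keytool writes to a JKS store; the sample host and path and the meaning of CheckTrust=true are assumptions.

```python
# Constructed sample in the layout of Listing 11-2; the host, the path and
# the CheckTrust value are assumptions, not values from the documentation.
SAMPLE_PROPERTIES = """\
// SECTION 3: MISCELLANEOUS SETTINGS
Debug=0
// SOAP.* settings used by Administrator and Tracker when communicating with
// the controller.
SOAP.Admin.Host=wlibc-server.example
SOAP.Admin.CheckTrust=true
SOAP.Admin.TrustStore=
SOAP.Admin.TrustStorePassword=
SOAP.Admin.KeyStore=C:/wlibc/admin.jks
SOAP.Admin.KeyStorePassword=
"""

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # leading bytes of a JKS store written by keytool

def parse_properties(text):
    """Parse key=value lines; '//' comment lines and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_jks_header(first_bytes):
    """True when the leading bytes of a store file carry the JKS magic number."""
    return bytes(first_bytes[:4]) == JKS_MAGIC

def audit_soap_settings(props):
    """Findings for the pairs soapconfig manages; CheckTrust is assumed to
    read 'true' when Administrator and Tracker must authenticate the server."""
    findings = []
    check_trust = props.get("SOAP.Admin.CheckTrust", "").lower() == "true"
    if check_trust and not props.get("SOAP.Admin.TrustStore"):
        findings.append("CheckTrust is on but SOAP.Admin.TrustStore is empty")
    for store in ("TrustStore", "KeyStore"):
        path = props.get("SOAP.Admin." + store)
        if path and not props.get("SOAP.Admin.%sPassword" % store):
            findings.append("%s is set but its password is empty" % store)
    return findings
```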
Using soapconfig as a Command Line Tool
The following shows the usage of soapconfig and its parameters as a command line tool. The words following parameters are the names of variables that are used with the associated parameter.
soapconfig -?|-h|-help
soapconfig [-ts truststore] [-tp truststorepassword] [-ks keystore] [-kp keystorepassword]
Typing soapconfig without a parameter opens the Soap Configuration window. This user interface is an alternative to using soapconfig as command line utility. See Using soapconfig with the User Interface.
Note: Before you use the soapconfig tool, use the Java keytool to create the truststore or keystore or both for Administrator and Tracker.
Description of Command Line Parameters
The soapconfig parameters are described in the following table.
Using soapconfig with the User Interface
To use the soapconfig tool with a graphical user interface, type soapconfig on a command line with no parameters and press Enter. In Windows, you also can double-click the SOAPConfig.bat file in the WebLogic Integration - Business Connect bin directory to open the window. When you complete the fields and click OK, the window closes and the changes appear in the DB.properties file.
Note: Before you use the soapconfig tool, use the Java keytool to create the truststore or keystore or both for Administrator and Tracker.
Figure 11-4 SOAP Configuration Window
Description of Soap Configuration Window
The following describes the fields on the Soap Configuration window. If you are running the tool for the first time, the fields are blank. If you have used the tool before, the default values are the same as the values you entered the last time you used the tool.