Using WebLogic Integration - Business Connect
|
 |
 |
|
|
 |
 |
The following topics describe available security features for communications between the WebLogic Integration - Business Connect Server application and client applications.
WebLogic Integration - Business Connect uses Simple Object Access Protocol (SOAP) to enable the Administrator and Tracker applications to securely send updates to the Server application. WebLogic Integration - Business Connect uses a built-in server for this purpose called the SOAP-RPC HTTPS server.
SOAP is a message-based protocol for accessing services on the Internet. SOAP uses XML syntax to send text commands across the Internet using HTTP. For more information about SOAP, see http://www.w3.org/TR/SOAP/. RPC stands for remote procedure call, which is a common protocol for the client-server model of distributed systems.
The SOAP-RPC HTTPS server has a certificate with a pubic-private key pair. For brevity, this is referred to as the RPC certificate. By default, this is a self-signed certificate with a life of five years that is generated upon installing WebLogic Integration - Business Connect. You can replace the certificate either with another self-signed certificate or with a certificate obtained from a third-party certificate authority. For details see Certificate Tool (certloader).
Administrator and Tracker use the public key in the RPC certificate to encrypt updates to the WebLogic Integration - Business Connect Server application by way of the SOAP-RPC HTTPS server. This security occurs by default; you do not have to do anything to enable it.
Triple DES is the default encryption strength for the SOAP-RPC HTTPS server. Triple DES has a key length of 168 bits.
Figure 12-1 illustrates the default security for the SOAP-RPC HTTPS server.
Figure 12-1 Default SOAP-RPC HTTPS Server Security
Two additional, optional layers of security for authenticating certificates are available:
Configuration for authenticating certificates requires knowledge of Java tools, particularly keytool, which is a key and certificate management utility. It also requires using the WebLogic Integration - Business Connect certloader and soapconfig tools. For details see Certificate Tool (certloader) and SOAP Configuration Tool (soapconfig).
Figure 12-2 illustrates the optional security for the SOAP-RPC HTTPS server.
Figure 12-2 Optional SOAP-RPC HTTPS Server Security
Use this procedure to configure Administrator and Tracker to authenticate a CA certificate for the SOAP-RPC HTTPS server. This authentication validates that the remote Administrator and Tracker applications are communicating with the authorized WebLogic Integration - Business Connect Server application. For details about such authentication, see Optional SOAP-RPC HTTPS Security.
p12. The private key must be exported with the file. Export the certificate to include the entire certificate chain.certloader -rpc -l filename password
You will use the password again in step 7.
For details about the tool, see Certificate Tool (certloader).
keys.db file found in the WebLogic Integration - Business Connect keys directory; it must be another file. If you use Administrator and Tracker on more than one client, you must create a truststore for each computer.-import option to import the certificate and public key to the client truststore. If you use more than one client, you must import the certificate and public key to the truststore of each computer.DB.properties file in the WebLogic Integration - Business Connect installation directory. Scroll to Section 3: Miscellaneous Settings. Type true after the SOAP.Admin.CheckTrust= property.DB.properties file.If you are using the tool from a command line, use the following format:
soapconfig -ts truststore -tp truststorepassword
If are using the tool's graphical user interface, complete the following fields: Trust store, Trust store password and Confirm trust store password.
Use the same password as the one used to import the certificate to the WebLogic Integration - Business Connect keystore in step 2.
For details about the tool, see SOAP Configuration Tool (soapconfig).
Use this procedure to configure the WebLogic Integration - Business Connect Server application to authenticate a CA certificate for Administrator and Tracker. This authentication validates that the Server application is communicating with the authorized remote Administrator and Tracker applications via the SOAP-RPC HTTPS server. For details about such authentication, see Optional SOAP-RPC HTTPS Security.
-certreq command and sending the CSR to the CA.keys.db file found in the WebLogic Integration - Business Connect keys directory; it must be another file. If you use Administrator and Tracker on more than one client, you must create a keystore for each computer.DB.properties file.If you are using the tool from a command line, use the following format:
soapconfig -ks keystore -kp keystorepassword
If are using the tool's graphical user interface, complete the following fields: Key store, Key store password and Confirm key store password. The password is the one you used to export the certificate to a p12 file from a browser or mail client.
For details about the tool, see SOAP Configuration Tool (soapconfig).
WebLogic Integration - Business Connect supports communicating with an application program interface (API) client by way of HTTP and HTTPS servers that are built into the application.
Communicating by way of the HTTP server with an API client does not require special configuration, beyond specifying the API HTTP port on the Ports tab, which is accessed by selecting Tools
Using the HTTPS server, however, requires additional configuration and is explained in the following topics:
WebLogic Integration - Business Connect supports an API client communicating with the Server application. WebLogic Integration - Business Connect has two built-in servers for this purpose. One is an HTTP server. The other is an HTTPS server. The API HTTPS server enables an API client to use a public key to securely encrypt messages to the Server application.
The API HTTPS server must be used with a certificate and a pubic-private key pair. For brevity, this is referred to as the API certificate. This can be a self-signed certificate or a certificate obtained from a third-party certificate authority. For details see Certificate Tool (certloader).
WebLogic Integration - Business Connect supports three security options for communicating with an API client by way of HTTPS, which is HTTP over Secure Sockets Layer protocol. They are:
Implementing these security options requires knowledge of Java tools, particularly keytool, which is a key and certificate management utility. It also requires using the WebLogic Integration - Business Connect certloader tool. For details see Certificate Tool (certloader).
Figure 12-3 illustrates the optional security for the API HTTPS server.
Figure 12-3 Optional API HTTPS Server Security
Use this procedure to configure the API client to use the public key in the API certificate to encrypt messages to the WebLogic Integration - Business Connect Server application. For details about this security, see API HTTPS Security.
jsse.jar file in the API client's class path. The file is in the WebLogic Integration - Business Connect lib directory.The API client should use AlwaysTrustManager as the trust manager and AlwaysTrueVerifier as the host name verifier. AlwaysTrustManager will trust all certificates returned from the server. AlwaysTrustManager is required because the server's certificate is not included in the client's keystore. AlwaysTrueVerifier will allow mismatch of the host name of the request and the common name in the certificate. AlwaysTrueVerifier might be required because of the nature of the self-signed certificate being used. The self-signed certificate is generated upon installation using the host name of the server. A server can have multiple host names. So the host name the API client is connecting with might not be the host name in the generated certificate.
Use this procedure to configure an API client to authenticate a CA certificate for the API HTTPS server. This authentication validates that the remote API client is communicating with the authorized WebLogic Integration - Business Connect Server application. For details about such authentication, see Optional API Security.
You must first configure the API client to use the API HTTPS server before you can do this procedure. See Configuring an API Client to Use HTTPS.
p12. The private key must be exported with the file. Export the certificate to include the entire certificate chain.Use the certloader tool to import the CA certificate to the WebLogic Integration - Business Connect keystore. The certificate you import will replace the current API certificate. Use the following format:
certloader -api -l filename password
For details about the tool, see Certificate Tool (certloader).
keys.db file found in the WebLogic Integration - Business Connect keys directory; it must be another file.
Use this procedure to configure the WebLogic Integration - Business Connect Server application to authenticate a CA certificate for the API client. This authentication validates that the Server application is communicating with the authorized remote API client. For details about such authentication, see Optional API Security.
You must first configure the API client to use the API HTTPS server before you can do this procedure. See Configuring an API Client to Use HTTPS.
-certreq command and sending the CSR to the CA.keys.db file found in the WebLogic Integration - Business Connect keys directory; it must be another file.
Certloader is a command line utility that can perform tasks for enhancing application security. It can generate self-signed certificates containing public-private encryption key pairs. It also can load a certificate containing a public-private key pair that was generated by a third-party certificate authority.
Certloader is used for managing certificates used by two HTTPS servers that are built into WebLogic Integration - Business Connect:
In addition to generating self-signed certificates, certloader can import P12 certificate files containing public-private key pairs that have been obtained from a certificate authority. CA certificates are recommended as the API and RPC certificates when you want the client to authenticate the server certificate or the server to authenticate the client certificate or both. For details see SOAP-RPC HTTPS Security and API HTTPS Security.
You cannot use certloader to delete a certificate used by the API HTTPS server or SOAP-RPC HTTPS server.
The following topics are provided about certloader:
During installation, WebLogic Integration - Business Connect uses the name of the host computer for the Server application and the company name you enter to generate the initial RPC certificate. This is a self-signed certificate. Default values are used for the length of the public-private key and the certificate expiration date. Other values are blank by default.
Listing 12-1 shows the information for a default RPC certificate. Using certloader explains how to display the certificate information using the certloader command. The certificate also is in the WebLogic Integration - Business Connect trusted roots store. You can view the certificate's information by selecting Tools
Listing 12-1 Default RPC Certificate
Name: WORLDWIDE
E-mail address:
Commany: Worldwide Trading
Department:
City:
Country code:
Serial number: 5294f5ece4299c75710582f441b6f63a
Algorithm: sha1WithRSAEncryption
Key length: 512
Valid from: Tue Aug 21 10:13:53 MST 2001
Valid to: Mon Aug 21 10:13:53 MST 2006
MD5 Fingerprint: CA:A2:34:28:CB:0D:CD:64:4E:CE:FD:4F:5B:B9:D4:57
Issuer: O=Worldwide Trading, CN=WORLDWIDE
Administrator and Tracker use the public key in the RPC certificate to communicate with the Server application; you do not have to configure this.
The following shows the usage of certloader and its parameters. The words following parameters are the names of variables that are used with the associated parameter. This command is executed in a console or command window. The certloader tool is in the WebLogic Integration - Business Connect bin directory.
certloader -api|-rpc -g [-c common name] [-o organization name] [-u organization unit name] [-loc locality name] [-cty country code] [-e e-mail address] [-len 512|1024|2048] [-v number[d|m|y]]
Typing certloader without a parameter generates an error message. The command must be used with parameters to function.
The certloader parameters are described in the following table.
The soapconfig tool, which is in the application's bin directory, configures the SOAP truststore and keystore settings for communications between Administrator and Tracker and the Server application. You use the soapconfig tool when setting up the certificate authentication security options described in Optional SOAP-RPC HTTPS Security or Optional API Security.
Using the soapconfig tool is a step in setting up a truststore or keystore or both for each client computer running Administrator and Tracker. The truststore and keystore actually are set up using the Java keytool. The soapconfig tool is used to point Administrator and Tracker to the truststore or keystore that keytool was used to create. The properties soapconfig manages are in the DB.properties file in the WebLogic Integration - Business Connect installation directory.
Keytool manages a keystore of private keys and their associated X.509 certificate chains authenticating the corresponding public keys. It also manages certificates from trusted entities. For information about keytool see http://java.sun.com.
You can use the soapconfig tool with a graphical user interface or from a command line. The following topics explain how to use it both ways:
After using soapconfig, you must restart the Server application for the changes to become effective.
Listing 12-2 shows the section of the DB.properties file that the soapconfig tool manipulates. Specifically, the tool affects some of the properties that begin with the words SOAP.Admin. We recommend that you use the soapconfig tool to change these settings and do not directly edit the DB.properties file, unless advised to do so. The soapconfig tool encrypts the password settings and direct editing does not.
Listing 12-2 DB.properties File
// SECTION 3: MISCELLANEOUS SETTINGS
Cyclone.client.browser=unknown
RMI.Port=
RMIServer=
Debug=0
// SOAP.* settings used by Administrator and Tracker when communicating with
// the controller. These values are not used by the Controller when
// initializing the SOAP Server. The Controller values are set inside the
// Administrator under Tools-Preferences.
SOAP.Admin.Host=
SOAP.Admin.Port=
SOAP.Admin.CheckTrust=
SOAP.Admin.TrustStore=
SOAP.Admin.TrustStorePassword=
SOAP.Admin.KeyStore=
SOAP.Admin.KeyStorePassword=
The following shows the usage of soapconfig and its parameters as a command line tool. The words following parameters are the names of variables that are used with the associated parameter.
DB.properties file that are used by Administrator and Tracker:Typing soapconfig without a parameter opens the Soap Configuration window. This user interface is an alternative to using soapconfig as command line utility. See Using soapconfig with the User Interface.
Note: Before you use the soapconfig tool, use the Java keytool to create the truststore or keystore or both for Administrator and Tracker.
The soapconfig parameters are described in the following table.
To use the soapconfig tool with a graphical user interface, type soapconfig on a command line with no parameters and press Enter. In Windows, you also can double-click the SOAPConfig.bat file in the WebLogic Integration - Business Connect bin directory to open the window. When you complete the fields and click OK, the window closes and the changes appear in the DB.properties file.
Note: Before you use the soapconfig tool, use the Java keytool to create the truststore or keystore or both for Administrator and Tracker.
Figure 12-4 SOAP Configuration Window
The following describes the fields on the Soap Configuration window.
If you are running the tool for the first time, the fields are blank. If you have used the tool before, the default values are the same as the values you entered when you previously used the tool.
The name of the Administrator and Tracker truststore that was created with keytool. A truststore is a keystore that is used to make decisions about trusting entities. A truststore contains trusted certificates information, but not private information.
The truststore password. For security the password appears as asterisks. In DB.properties the password is encrypted.
The name of the Administrator and Tracker keystore that was created with keytool. A keystore is a database of key information that is used for authentication and data integrity. A keystore contains private information, including private keys.
The keystore password. For security the password appears as asterisks. In DB.properties the password is encrypted.
|
|
|
