Introducing Trading Partner Integration

     Previous  Next    Open TOC in new window  Open Index in new window  View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Example: RosettaNet Security Configuration

This example demonstrates how to configure the security settings for RosettaNet message exchange between trading partners over HTTPS protocol, using mutual authentication. In this example, both trading partners are configured on Oracle WebLogic Integration as shown in the figure below:

Trading Partner Profiles

In the preceding figure:

The following topics are discussed in this section:

Keystores Used in the Example

This section discusses the use of keystores in Oracle WebLogic Integration and describes the demonstration keystores used in this example.

Before You Begin

If you are unfamiliar with Oracle WebLogic Integration concepts, you may want to complete the tutorials and read the resources listed in this section before you attempt to complete this example.

Step 1: Configuring the Local Trading Partner for the Trading Partner 1 Setup

In this section, you configure the default trading partner Test_TradingPartner_1 to be the local trading partner for the initiator business process. You then add certificates to the trading partner and configure the binding for that trading partner. Lastly, you export the trading partner data into an XML file which, you later import as the remote trading partner for the Trading Partner 2 setup.

Step 2: Configuring the Local Trading Partner for the Trading Partner 2 Setup

This section describes how to configure all the trading partner data that you completed on the Trading Partner 1 machine, on the Trading Partner 2 machine. Once you have completed this section, both of your remote trading partners are configured.

Step 3: Importing the Remote Trading Partner Information

Instead of going through all the configuration steps that you did for the local trading partners for the remote trading partners, you just import the previously exported trading partner data into your Oracle WebLogic Integration application. The importing procedure configure the remote trading partner for you automatically. This section describes how to import your trading partner data files.

Step 4: Creating Services and Service Profiles in Oracle WebLogic Integration

Once you have set up all the trading partner configurations, you need to create services and service profiles for the trading partners. The procedures in this section describes how to do just that.

Testing Tips

This section contains useful tips and tools that you can use when you test your RosettaNet applications.

Related Topics

Managing Oracle WebLogic Security

Trading Partner Integration Security

Tutorial: Building RosettaNet Solutions

Building Your First Business Processes

 

Keystores Used in the Example

The procedures in this example uses the demonstration keystore which is included in your Oracle WebLogic Integration installation. This keystore file can only to be used for testing purposes. This Java Key Store files is located in the following location:

BEA_HOME\wlserver_<version>\server\lib\DemoIdentity.jks

where BEA_HOME is the directory in which you installed your product.

You can use any other keystore to complete the example, however, the demonstration keystore already has some of the certificates necessary loaded into it. If you need details about how to create and load certificates into your custom keystore, see Step 1: Generating a Test Certificate and Step 2: Configuring Keystores for Oracle WebLogic Integration in Example: ebXML Security Configuration.

In this sample, the following terminology is used:

Note: Oracle WebLogic Integration requires remote trading partners to have both a client and server certificate configured while local trading partners only need a client certificate.

 

Before You Begin

The instructions in this sample is geared towards users that are already familiar with the basic Oracle WebLogic Server and Oracle WebLogic Integration tasks and procedures. If you are new to these Oracle WebLogic applications, consider completing Tutorial: Building Your First Business Process before using this sample. It is further assumed that you are familiar with RosettaNet concepts and how to configure RosettaNet business processes in Oracle WebLogic Integration. If you are new to RosettaNet business processes, consider completing Tutorial: Building RosettaNet Solutions before proceeding.

This sample configuration involves a participant process and a initiator process created and deployed in Oracle WebLogic Integration, either on two different computers or on two different domains on the same machine. Before you can start the security configuration part of this sample, you must complete the following:

  1. If you are going to run the Trading Partner 1 and the Trading Partner 2 processes on the same computer, create two domains with different port numbers. Be sure to make the domains SSL enabled.

    2. For instructions of how to create a domain, see Creating Oracle WebLogic Domains Using the Configuration Wizard.

    When you create a new Oracle WebLogic Integration domain using the Configuration Wizard, the Configuration Wizard automatically populates the Trading Partner Management (TPM) repository with default trading partners and bindings. You will use these default trading partners in this sample.

    If you are using a point based database, you will have to configure your second domain to point to a different database instance, i.e. use a different port number, since local and remote trading partners are not allowed to use the same database in Oracle WebLogic Integration. You do this by changing the default port number from 9093 to, for example, 9090 in the following files:

    • config.xml (2 instances)
    • URLS.dat
    • If you are using a Windows operating system: startWeblogic.cmd and stopWeblogic.cmd
    • If you are using an Unix operating system: startWeblogic.sh and stopWeblogic.sh.

      • These files are all located in: BEA_HOME\user_projects\domains\domainName
      where BEA_HOME is the directory in which you installed Oracle WebLogic Integration and domainName is the name of your second domain (such as tptutorial2).

  2. Create the initiator process.
  3. Create the participant process.

    4. For instructions on how to create business processes, see Tutorial: Building Your First Business Process. To learn more about RosettaNet processes, see Tutorial: Building RosettaNet Solutions.

    If you are running both processes on one computer in different domains, both domains use the same keystores. It is important that you only have the current process and corresponding domain running when you are configuring trading partner information, or simultaneous updates to the keystore may occur and overwrite each other.

 

Step 1: Configuring the Local Trading Partner for the Trading Partner 1 Setup

In this section, you configure the default trading partner Test_TradingPartner_1 to be the local trading partner for the initiator business process. You then add certificates to the trading partner and configure the binding for that trading partner. Lastly, you export the trading partner data into an XML file which, you later import as the remote trading partner for the participant. This section contains the following procedures:

Configuring the Local Trading Partner

To configure Test_TradingPartner_1 to be your local trading partner, complete the following procedure:

  1. Start Oracle Workshop for WebLogic.
  2. Open the application which contains the initiator process that you created in Before You Begin
  3. If you are running both processes on the same computer in different domains, navigate to Tools > Application Properties....

    4. The Application Properties window opens.

  4. Select the domain that you want to use from the Server Home Directory drop-down menu or by using the Browse... button.
  5. Click OK.
  6. If it is not already running, start your Oracle WebLogic Server.
  7. Open the Oracle WebLogic Integration Administration Console.
  8. Navigate to Trading Partner Management > Profile Management.

    9. The View and Edit Trading Partner Profiles screen appears with the two trading partners Test_TradingPartner_1 and Test_TradingPartner_2 listed, as shown in Figure B-1

    Figure B-1 Trading Partner Profiles


    Trading Partner Profiles

    Since you are going to import the configuration for the remote trading partner later on, you delete Test_TradingPartner_2 from the list at this point.

  9. Select Test_TradingPartner_2 by clicking on the option box next to it.
  10. Click Delete.

You now need to add the appropriate certificates—client, encryption, and digital signature—to your local trading partner.

Adding the Certificates

To add the appropriate certificates to your local trading partner:

  1. Click Test_TradingPartner_1.

    2. The details of your trading partner, including general information, bindings, and certificates are displayed. Note that there are no certificates configured for this trading partner.

  2. Click Add Certificate

    3. The Add Certificate (Step 1 of 2) screen appears.

  3. Select the Generate a certificate for TEST USE only option.
    4. Note: The certificates you create in this sample is only for demo use and should never be used in production mode.
  4. Click Next

    5. The Add Certificate (Step 2 of 2) screen appears. You use this screen to create a client certificate to be stored in the keystore and used by the local trading partner. However, before you can create the client certificate, you have to create a password alias.

  5. Click Add alias..., as shown below.


    6. Trading Partner Profiles

    The Add New Password Alias screen appears.

  6. In the Password Alias Name field, enter init-rn20-clt.
  7. Enter and confirm a password to use for this alias.
  8. Click Submit.

    9. The Add Certificate (Step 2 of 2) screen appears again, with the alias values you just entered.

  9. In the Name field, enter init-clt.
  10. If not already selected, from the Type drop-down list, select CLIENT.
  11. If not already selected, select the Import Certificate in Keystore option.
  12. Click Create certificate.

By selecting CLIENT from the Type drop-down list, you specified the certificate to be a client certificate. Using the instructions in step 2-6, create:

You have completed adding the three certificates. The next step is to edit the binding for the Test_TradingPartner_1 trading partner.

Editing the Trading Partner Binding

To edit the default bindings for your local trading partner:

  1. In the left pane, click Bindings.
  2. From the Name drop-down list, select Test_TradingPartner_1.
  3. Click Go.

    4. The Edit Binding screen appears.

  4. In the list of bindings, click TP1-rn20-binding.

    5. The View Binding Details screen appears

  5. Click Edit Binding.
  6. Make the following edits:

    7. Transport Configuration

    • Transport Protocol: HTTPS
    • End Point: specify the URL to use https instead of http protocol and change the port number to the SSL port number you specified in Before You Begin when you created your domain.This is usually the even number immediately following your local port number. For example, for local port number 7001, the SSL port number is 7002.

      • Message Level Encryption Configuration

    • Encryption Certificate: init-enc
    • Encryption Level: Entire Payload
    • Cipher Algorithm: 3DES

      • Digital Signature Configuration for Non Repudiation

    • Signature Certificate: init-sig
    • Signature Required: select this option
    • Signature Receipt Required: select this option
    • Hash Function: SHA1
  7. Click Submit.

You have completed editing the binding information. Before you proceed further, make sure that the trading partner profile you just configured is enabled.

Enabling the Trading Partner Profile

Complete the following procedure to enable the trading partner profile that you just created and configured:

  1. Navigate to Trading Partner Management > Profile Management.
  2. In the Status column, make sure that a green ball is displayed:


    3. Trading Partner Profiles

  3. If a red ball is showing in the Status column, select the trading partner and click Enable.

Rather than entering all the Test_TradingPartner_1 configuration data again for the participant business process computer/domain, you export the data from the initiator process computer/domain and then import it as the remote trading partner configuration for the participant.

Exporting the Trading Partner Data

To import the trading partner data from the local trading partner:

  1. In the left pane, click Import/Export.
  2. In the Import/Export pane, select Export.
  3. Select the Trading Partner option.
  4. Click Browse next to Trading Partner.
  5. Deselect all but the Test_TradingPartner_1 trading partner.
  6. Click Done.
  7. For the Format option, select WLI Standard.
  8. Click Export.
  9. If a File Download dialog opens, click Save.
  10. In the Save As window navigate to the location which you want to save the exported file to.
  11. Enter TradingPartner1 as a filename and click Save.
    12. Note: Remember the navigation path to the file. You will need this when you import your trading partner information later on.
  12. Open TradingPartner1.xml in a text editor.
  13. Change all instances of LOCAL to REMOTE.
  14. In the trading-partner element, set the is-default attribute to false.
  15. Save and close the file.

You have now completed the configuration of your the initiator local trading partner. The next section explains how to use the keytool utility to export the Test_TradingPartner_1 server certificate which, you will import later when setting up services and service profiles for the participant computer/domain.

Exporting the Server Certificate

  1. At the command line prompt, navigate to BEA_HOME\wlserver_<version>\server\lib where BEA_HOME is the directory in which you installed your Oracle WebLogic Integration installation.
  2. Enter the following: keytool -export -alias demoidentity -file servercert1.crt -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

    3. This exports your server certificate into a file named servercert1.crt.

    Note: If you are running both business processes on the same computer in different domains, both domains are accessing the same keystore. To avoid any problems associated with this configuration, create a copy of the servercert1.crt and name it servercert2.crt which, and use it as the second domains server certificate.

You have now completed the Test_TradingPartner_1 configuration. To learn more about creating, configuring, and managing trading partners in Oracle WebLogic Integration, see Trading Partner Management.

The next step is to configure the local trading partner information for the participant side of the sample.

 

Step 2: Configuring the Local Trading Partner for the Trading Partner 2 Setup

You configure the trading partner profile for the participant side of the sample in much the same way that you created the initiator side. Use the instructions in Step 1: Configuring the Local Trading Partner for the Trading Partner 1 Setup to complete the following:

  1. If you are running two domains on the same computer, stop the Oracle WebLogic Server which is running on your initiator domain.
  2. Open the participant business process that you created in Before You Begin .
  3. If you are running both processes on the same computer, make sure that the participant process is configured to use the domain that is not the one used by the initiator process.
  4. Start your Oracle WebLogic Server.
  5. Deploy your participant process.
  6. Open the Oracle WebLogic Administration Console.
  7. Navigate to Trading Partner Management > Profile Management.
  8. Delete Test_TradingPartner_1.
  9. Select Test_TradingPartner_2 to be the default trading partner:
    1. Click on Test_TradingParnter_2 to view its profile settings.
    2. If Default Trading Partner is not already set to true, click Edit Profile and select the Default Trading Partner option.
  10. In the Test_TradingPartner_2 profile create the following test certificates:
    • A CLIENT certificate named part-clt
    • A digital SIGNATURE certificate named part-sig.
    • An ENCRYPTION certificate named part-enc
      • Note: This step is similar to Adding the Certificates , but you need to use the port numbers of the second computer/domain for your configuration.
  11. Configure the binding for Test_TradingPartner_2.
  12. Make sure that the trading partner is enabled.
  13. Export the trading partner information to a file named TradingPartner2.xml.
  14. In the TradingPartner2.xml file, change all instances of LOCAL to REMOTE and in the trading-partner element, set the is-default attribute to false.
  15. If you are using a two computer configuration, use the JDK keytool utility to export the Test_TradingPartner_2 server certificate.

You have completed configuring Test_TradingPartner_2. The next step is to import the remote trading partner profiles for the two trading partners.

 

Step 3: Importing the Remote Trading Partner Information

Rather than recreating the information that you already created for each local trading partners when you create the remote trading partners, you import the XML files that you exported in Step 1: Configuring the Local Trading Partner for the Trading Partner 1 Setup and Step 2: Configuring the Local Trading Partner for the Trading Partner 2 Setup.

This set of instructions are the same for both Trading Partner 1 and Trading Partner 2. Go through this section twice, once for your Trading Partner 1 configuration and once for your Trading Partner 2 configuration.

To import the trading partner data:

  1. Navigate to Trading Partner Management > Profile Management.
  2. In the left pane, click Import/Export.

    3. The Import Trading Partner Management Data screen is displayed.

  3. Click Browse and navigate to the file which corresponds to your trading partner according to the following table:

    4. Table 4-7 Local and Remote Trading Partners 
    Current Local Trading Partner Import File
    Test_TradingPartner_1
    TradingPartner2.xml
    Test_TradingPartner_2
    TradingPartner1.xml

  4. Select WLI Standard as the Import Format.
  5. Click Import.

After successfully importing the trading partner information, remember to review the new trading partner profile and make sure that the end point URL is correct. If they need to be changed, edit your bindings as described in Editing the Trading Partner Binding.

 

Step 4: Creating Services and Service Profiles in Oracle WebLogic Integration

Once the local and remote trading partner configurations are completed, you have to create services and corresponding service profiles for those trading partners. In Oracle WebLogic Integration, a service represents a business process that is either offered by a local trading partner, or a business process that is being called via a control on a remote trading partner. Service profiles specify the protocol binding and URL endpoints for the local and remote trading partners that offer and call the service.

Note: Make sure that the process that you want to create the service and service profile for is deployed before you start this procedure.

This section is the same for both trading partner configuration. Complete the following procedure twice, once for your Trading Partner 1 configuration and once for your Trading Partner 2 configuration:

  1. Deploy the process that has the trading partner you want to configure and open your administration console.
    2. Note: If you are running both trading partner configurations on the same machine in different domains, it is important that you only have the server that you are currently configuring running. Otherwise, you could end up with simultaneous updates to the keystores that could overwrite each, since both domains access the same keystore.
  2. In the Oracle WebLogic Integration Administration Console, navigate to Trading Partner Management > Service Management.
  3. In the left pane, click Create New.

    4. The Add Service screen appears.

  4. Click Browse and navigate to one of the following:
    • If you are configuring Test_TradingPartner_1, the service control which corresponds to your initiator process,
    • If you are configuring Test_TradingPartner_2, your deployed participant process,
  5. From the Type drop-down menu select one of the following:
    • Service Control, if you are configuring Test_TradingPartner_1.
    • Process, if you are configuring Test_TradingPartner_2.
  6. From the Business Protocol drop-down menu, select RosettaNet.
  7. Click Add Service.

    8. The View and Edit Service Details screen appears.

  8. Click Add Service Profile.

    9. The Add Service Profile screen appears.

  9. From the Name drop-down menus, select your LOCAL and REMOTE trading partners according toTable 4-8.

    10. Table 4-8 Local and Remote Trading Partners 
    Process Currently Deployed
    Local Trading Partner
    Remote Trading Partner
    Initiator Process
    Test_TradingPartner_1
    Test_TradingPartner_2
    Participant Process
    Test_TradingPartner_2
    Test_TradingPartner_1

  10. From the Binding drop-down menus, select your LOCAL and REMOTE bindings according to Table 4-9.

    11. Table 4-9 Local and Remote Bindings 
    Process Currently Deployed
    Local Binding
    Remote Binding
    Initiator Process
    TP1-rn20-binding
    TP2-rn20-binding
    Participant Process
    TP2-rn20-binding
    TP1-rn20-binding

  11. Click Submit.
  12. On the next screen, click Yes.

    13. The Add Authentication (Step 1 of 2) screen appears.

  13. From the Choose type of Authentication Mode options, select Mutual for both the REMOTE and LOCAL trading partner.
    14. Note: Although it is not enforced, typically the same type of authentication is selected for both the local and remote trading partner.
  14. Click Next.

    15. The Add Authentication (Step 2 of 2) screen appears. On this screen, you import the server certificate for your remote trading partner.

  15. Next to the Server Certificate drop-down list, click Add Certificate....
  16. Select Import certificate from file.
  17. Click Next.
  18. Click Add alias....

    19. The Add New Password Alias screen appears.

  19. In the Password Alias Name field, enter any name.
  20. Enter and confirm a password to use for this alias.
  21. Click Submit.
  22. Next to the Import Certificate Location field, click Browse.
  23. Navigate to one of the following:
    • servercert1.crt, if you are configuring Test_TradingPartner_2
    • servercert2.crt, if you are configuring Test_TradingPartner_1.
  24. Click Create Certificate.

    25. Authentication is added and the View and Edit Service Details page is displayed.

    Note: If there is an error, the Add Authentication page is redisplayed. A message indicating the problem is displayed above the input requiring correction.
  25. Make sure that all of your trading partners and your service profiles are enabled.

You have successfully created a service and its service profile. To learn more about services and service profiles, see Trading Partner Management.

This concludes this sample. To test your sample you simply run the two processes that you created in Before You Begin. Before you test your sample, you may want to review Testing Tips.

 

Testing Tips

Before you test your sample, you can use the keytool utility to make sure that your keystore entries are properly configured. If you want to test that your encryption works properly, you can use the Trace Raw Messages option to save the raw messages that are sent to a specific location in your file system.

Note: When you first set up connections to RosettaNet trading partners, it is a good idea to run your configuration in Test mode to take advantage of the additional debugging features provided by this mode. To run your Web Logic Integration RosettaNet configurations in Test mode, you specify two annotations in the setProperties method:
Note: -Set global-usage-code to Test.
Note: -Set debug-mode to true.
Note: For more information about the setProperites method, see RosettaNet Control Interface.

This section contains the following testing tips:

Listing the Keystore Content

You can use the JDK keytool utility to make sure that your key store entries are properly configured. The keystore used in this sample, is the demo keystore, DemoIdentity.jks, which is installed automatically when you install your product.

  1. At the command line prompt, navigate to BEA_HOME\wlserver_<version>\server\lib\
    where BEA_HOME is the directory in which you installed Oracle WebLogic Server
  2. Enter the following keytool command: keytool -list -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

The resulting list should look similar to the following:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 9 entries:

secdomain1-client, Sat Oct 18 15:12:15 PDT 2003, keyEntry,
Certificate fingerprint (MD5): 53:13:78:D4:D0:E1:0D:EA:F4:6F:A1:19:6F:BE:4B:AF
secdomain2-sig, Sat Oct 18 16:44:00 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 97:24:2D:B5:CC:F3:FF:E5:06:E0:BD:CC:B6:E2:EF:E6
secdomain1servcert, Sat Oct 18 17:07:30 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0F:AB:D0:92:0E:28:20:2C:70:4B:54:3E:84:AC:7F:E7
secdomain1-sig, Sat Oct 18 15:10:11 PDT 2003, keyEntry,
Certificate fingerprint (MD5): AD:9F:BA:80:44:F2:7D:54:65:2C:7B:86:8B:2F:AA:D7
secdomain2-enc, Sat Oct 18 16:44:00 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 3E:6C:A9:E8:5E:03:51:80:AD:6A:76:41:44:76:37:7B
secdomain2servcert, Sat Oct 18 16:46:15 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0F:AB:D0:92:0E:28:20:2C:70:4B:54:3E:84:AC:7F:E7
secdomain1-enc, Sat Oct 18 15:10:47 PDT 2003, keyEntry,
Certificate fingerprint (MD5): 51:AB:CD:71:A2:E9:26:C8:CC:B2:A8:4C:49:DB:F1:CA
secdomain2-client, Sat Oct 18 16:43:59 PDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): F9:FA:43:6E:DE:00:FB:FB:D5:68:EF:F6:2A:77:FD:01
demoidentity, Sat Oct 18 13:25:12 PDT 2003, keyEntry,
Certificate fingerprint (MD5): 0F:AB:D0:92:0E:28:20:2C:70:4B:54:3E:84:AC:7F:E7

Enabling the Trace Raw Messages Option

The Trace Raw Messages option enables you to save raw messages in a specified location. You can then open these messages to review your security settings, such as encryption and signatures.

  1. In the Oracle WebLogic Integration Administration Console, navigate to Trading Partner Management > Configuration.

    2. The General Configuration screen appears.

  2. Specify the Message Tracking Level and Mode by selecting from the drop-down menu.
  3. In the Directory field, enter the path to the folder which you want the raw messages to be written to.
  4. From the Trace Raw Messages options, select Yes.
  5. Click Submit.

After you have run your processes, check the specified directory for any raw messages.


  Back to Top       Previous  Next