Set Up Oracle SOA Suite to Use CA-Verified SSL Certificates (without load balancer)

You can replace the identity and trust of Oracle SOA Suite with custom identity and custom trust and register the Oracle SOA Suite server with digital certificates procured from public certificate authorities like digicert or any other third party authority.

As a prerequisite, register Oracle SOA Suite domain with the public DNS for CA verification. For the documentation purposes, the public IP of the Oracle SOA Suite domain is registered with mydomain.com and takes the CA signed certificates from mydomain. 

The Enterprise Manager (EM) console needs to be accessible using the public domain name.

Topics:

• Register a Domain Name for Oracle SOA Suite

• Create Custom Identity and Custom Trust Keystores and Generate a CSR

• Share the CSR with CA to Get CA-Signed Certificates

• Import CA Certificates

• Synchronize the Local Keystore with the Security Store

• Update WebLogic Keystores with Custom Identity and Trust

• Update the Node Manager and boot.properties File

• Verify the Environment

• Set Two-Way SSL Authentication

Register a Domain Name for Oracle SOA Suite

To register a domain name for Oracle SOA Suite:

1. Register a domain for Oracle SOA Suite server with a public DNS server. You can register your domain with any public DNS Server of your choice, mapping it to the public IP of Oracle SOA Suite. For example register soacs.oraclecloud.co.in domain in mydomain.com, mapping to the public IP of Oracle SOA Suite server.
2. Test access to the Enterprise Manager (EM) Console and the WebLogic Server Console through the domain name registered.

Create Custom Identity and Custom Trust Keystores and Generate a CSR

To create custom identity and custom trust keystores and generate a Certificate Signing Request (CSR):

1. Log in to the Enterprise Manager (EM) Console and access the Keystores page by opening WebLogic domain > Security > Keystore.   
2. Under the system stripe, click Create Keystore.
3. Provide the following details for custom identity:
   1. Keystore Name: custIdentity
   2. Protection: select the Password option
   3. Keystore Password: enter the password
   4. Confirm Password: reenter the password
4. Click Create Keystore to create another new keystore.
5. Provide the following details for custom trust:
   1. Keystore Name: custTrust
   2. Protection: select the Password option
   3. Keystore Password: enter the password
   4. Confirm Password: reenter the password
   
   Description of the illustration custome_trust_identity.png
6. Click Manage on the custIdentity keystore name, click Generate Keypair to create a new key pair, and provide the following details:
   1. Alias Name: custIdentity
   2. Common Name: common name; for example, soacs.mydomain.com (domain name registered with public DNS)
   3. Organizational Unit: name of the organizational unit
   4. Organization: organization name
   5. Enter City, State, and Country names
   6. Key Type: RSA
   7. Key Size: 2048
7. Click OK to generate the key pair.
8. Select the newly created key pair and click Generate CSR.
9. Export the created CSR, share it with Certificate Authority, such as digicert CA, and get root, intermediate, and signed certificates.

   The certificate is generated for the domain name you specified in the Common Name field.

10. Download the certificates shared in the zip file from CA.
    It is not mandatory to create identity and trust keystore under the system stripe that comes with Oracle SOA Cloud Service provisioning by default. You can create a new custom stripe and create identity and trust keystores under it.

Share the CSR with CA to Get CA-Signed Certificates

To share the CSR with CA to get CA-signed certificates:

1. Select the new key pair you created under the custIdentity and click Generate CSR.
2. Export the created CSR and share it with the Certificate Authority and get root, intermediate, and signed certificates. The certificate is generated for the domain name you specified in the Common Name field.
   
   Description of the illustration cert_details.png
3. Download the certificates shared in the zip file from the CA.
   The zip file contains either of the following:

   • the three certificates individually - root, intermediate, and signed certificates
   • two root and intermediate certificates in one chain and the signed certificate separately
4. Double-click the certificate chain for the root and intermediate certificates. You can see the full chain when you click on certification path.
5. Extract the root and intermediate certificates individually by going to the certification path, select the certificate to be extracted (root or intermediate), and click View Certificate. 
6. In the View Certificates popup, select the Details tab and click Copy to File. 
7. In the Certificate Export wizard, click Next, select Base 64 encoded X.509 (CER), then click Next. Export the certificate. 
8. Name the exported certificate as root and intermediate certificates respectively.

Import CA Certificates

Certificate Authority (CA) certificates must be imported in the following order: first the signed server certificate, then the intermediate certificate, and then the root certificate.

To import CA certificates:

1. Use WLST commands to import the certificate chain into the identity keystore (custIdentity):
   1. Combine the three certificates into a single text file called chain.pem in the following order: signed server certificate, followed by intermediate certificate, followed by root certificate:

      -----BEGIN CERTIFICATE-----
      <signed server certificate>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <intermediate certificate>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <root certificate>
      -----END CERTIFICATE-----

   2. As the opc user, use an FTP client such as WinSCP to copy chain.pem to the /tmp directory of the Administration Server VM.
   3. Enter the following command to change the file ownership to the oracle:oracle user/group:

      sudo chown oracle:oracle /tmp/chain.pem

   4. Use the ssh command to connect to the Administration Server VM:

      ssh -i private_key opc@AdminServerVM_IP_address

   5. Change to the oracle user:

      sudo su - oracle

   6. Start WLST and access the Oracle Platform Security Services (OPSS) key store service:

      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
      connect('username','password','t3s://SOACS_hostname:7002')
      svc = getOpssService(name='KeyStoreService')

      Note:

      If connecting to port 7002 does not work, try port 9071 or 9074 with the SOACS_hostname, or alternatively the internal hostname (as reported by the uname -n command at the Linux prompt).
   7. Use the WLST importKeyStoreCertificate command to import chain.pem:

      svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
      

      For example:

      svc.importKeyStoreCertificate(appStripe='system', name='custIdentity', password=welcome1, alias='custIdentity', keypassword='welcome1, type='CertificateChain', filepath='/tmp/chain.pem')

   8. Exit WLST:

      exit()

2. Use Oracle Enterprise Manager to import the certificate chain into the trust keystore (custTrust):
   1. Log in to the Enterprise Manager Console and access the Keystores page by opening WebLogic domain > Security > Keystore.
   2. Select the trust keystore (custTrust) and click Manage.
   3. Click Import Certificate and import the certificates in this order:
      1. the signed server certificate as a trusted certificate (alias mySignedCert)
      2. the intermediate certificate from CA as a trusted certificate (alias myInterCA)
      3. the root certificate from CA as a trusted certificate (alias myRootCA)
3. Set up cacerts:
   1. Use the ssh command to connect to the Administration Server VM:

      ssh -i private_key opc@AdminServerVM_IP_address

   2. Open /u01/jdk/jre/lib/security.
   3. Import the root and intermediate certificates into cacerts using the following commands:

      keytool -import -keystore cacerts -storepass keystorepassword -file rootCA.crt
      keytool -import -keystore cacerts -storepass keystorepassword -file interCA.crt

   4. Take a backup of the cacerts file for future use (for example, in case of JDK upgrade).
      Whenever there is an upgrade in the JDK, the backup copy needs to be copied back after upgrade as cacerts. Since all the upgrades are handled automatically, this is a critical step and all the upgrades need to be tracked.

Synchronize the Local Keystore with the Security Store

Synchronize keystores to synchronize information between the domain home and the Oracle Platform Security Services (OPSS) store in the database.

To synchronize keystores:

1. Use the ssh command to connect to the Administration Server VM:

   ssh -i private_key opc@AdminServerVM_IP_address

2. Change to the oracle user:

   sudo su - oracle

3. Start WLST and access the Oracle Platform Security Services (OPSS) key store service:

   /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
   connect('username','password','t3s://hostname:7002')
   svc = getOpssService(name='KeyStoreService')

   Note:

   If connecting to port 7002 does not work, try port 9071 or 9074 with the hostname, or alternatively the internal hostname (as reported by the uname -n command at the Linux prompt).
4. Enter the following commands to synchronize the custom identity and custom trust keystores:

   Note:

   This step is necessary only if you are using the system stripe. You do not need to synchronize the keystores if you are using a custom stripe:

   svc. listKeyStoreAliases (appStripe="system”, name="custIdentity”, password=”*****”, type="*") 
   syncKeyStores(appStripe='system',keystoreFormat='KSS') 
   svc. listKeyStoreAliases (appStripe="system”, name="myKSSTrust”, password='****’, type="*") 
   syncKeyStores(appStripe='system',keystoreFormat='KSS')

Update WebLogic Keystores with Custom Identity and Trust

To update the WebLogic keystores with custom identity and custom trust:

1. Log in to the WebLogic Server Administration Console.
2. Navigate to Servers > Admin Server > Configurations > Keystores tab.
3. Change the Keystores to Custom Identity and Custom Trust and Save.
4. Provide the values for Custom Identity:
   • Custom Identity Keystore: kss://system/custidentity
   • Custom Identity KeyStore Type: KSS
   • Custom Identity PassPhrase: enter the password given while creating the custIdentity keystore
   • Confirm Custom Identity PassPhrase: reenter the password
5. Provide the values for Custom Trust:
   • Custom Trust Keystore: kss://system/custTrust
   • Custom Trust KeyStore Type: KSS
   • Custom Trust PassPhrase: enter the password given while creating the custIdentity keystore
   • Confirm Custom Trust PassPhrase: reenter the password
6. Click Save and then activate changes.
   
   Description of the illustration keystores.png
7. On the SSL tab, provide the following details:
   • Private Key Alias: custIdentity (this is the alias given while creating keypair in the custIdentity keystore)
   • Private Key PassPhrase: enter the password given while creating the key pair under the custIdentity keystore.
   • Confirm Private Key PassPhrase: reenter the password.
8. In the Advanced section, change Hostname Verification to None. Click Save and activate changes.
   The Managed Server steps do not require a restart. Therefore, after activating the changes, you can check if the SSL URLs that open on Managed Server ports show the updated certificates. 
9. Repeat steps 1 to 7 for the Administration Server. Administration Server changes require a restart. 
10. Stop the Administration Server, Managed Server, and Node Manager.
    Before restart, make sure that the Node Manager changes are done.

Update the Node Manager and boot.properties File

To update the Node Manager and boot.properties file:

1. Access the Node Manager:

   cd /u01/data/domains/DomainName/nodemanager

2. Edit nodemanager.properties and add the following properties:

   # added for custom identity and custom trust 
   KeyStores=CustomIdentityAndCustomTrust 
   CustomIdentityAlias=custIdentity 
   CustomIdentityKeyStoreFileName=kss://system/custIdentity 
   CustomIdentityKeyStorePassPhrase=********* 
   CustomIdentityKeyStoreType=KSS 
   CustomIdentityPrivateKeyPassPhrase=********* 
   CustomTrustKeyStoreFileName=kss://system/custTrust

3. Edit startNodeManager.sh under /u01/data/domains/YourDomain/bin/ to add the following properties during startup in JAVA_OPTIONS:

   JAVA_OPTIONS="${JAVA_OPTIONS} 
   -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.egd=file:/dev/./urandom"

The JAVA_OPTIONS for a 12.2.1.2 environment is as follows:

JAVA_OPTIONS="${JAVA_OPTIONS} 
-Doracle.security.jps.config=/u01/data/domains/TPLSOADE_domain/config/fmwconfig/jps-config-jse.xml 
-Dcommon.components.home=/u01/app/oracle/middleware/oracle_common -Dopss.version=12.2.1.2 
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false -Djava.security.egd=file:/dev/./urandom"

4. Use the ssh command to connect to the VM as the opc user:

   ssh -i private_key opc@VM_IP_address

5. Change to the oracle user:

   sudo su - oracle

6. Access the boot.properties file:

   cd /u01/data/domains/YourDomain/servers/YourManagedServer/security

7. Take a backup of boot.properties.
8. Open boot.properties and comment the line #TrustKeyStore=DemoTrust (if present) and save.
9. Update the managedServer boot properties by accessing the nodemanager:

   cd /u01/data/domains/YourDomain/servers/YourManagedServer/data/nodemanager

10. Take a backup of boot.properties.
11. Edit the boot.properties file, comment the line #TrustKeyStore=DemoTrust
12. Add the following lines at the end of boot.properties in the Managed Server:

    CustomTrustKeyStoreFileName=kss://system/custTrust 
    TrustKeyStore=CustomTrust 
    CustomTrustKeyStorePassPhrase=**** 
    CustomTrustKeyStoreType=KSS

13. Save boot.properties.
14. To make changes in SetDomainEnv.sh, remove the following property: Djavax.net.ssl.trustStore=%WL_HOME%\server\lib\DemoTrust.jks
15. To update the Frontend Host Port, update the host and port in the WebLogic Server Console to reflect the domain name and ports:
    1. In the WebLogic Server Console, navigate to Environments > Clusters > Cluster Name > HTTP tab.
    2. Update the Frontend Host as the domain name.
    3. Update the Frontend HTTP Port, default is port 80.
    4. Update the Frontend HTTPS Port, default is port 443.
       
       Description of the illustration host_port.png
16. Start the Node Manager, Administration Server, and Managed Server, in this order.

Verify the Environment

When you restart the environment, the Aministration Server and Managed Server user interface shows the certificates as trusted:

Description of the illustration verify_envt.png

To verify the environment:

1. Deploy a HelloWorld composite and verify that the client endpoint URL can be opened on https host and port.

   The valid certificate chain is present on the client endpoint URL:

   
   Description of the illustration verify_certificate.png

2. To invoke the client end point from any other composite, import all the certificates (signed server, intermediate, and root) present in the WSDL into the truststore of the server from where the parent composite is deployed.

Set Two-Way SSL Authentication

Two-way SSL authentication creates a truststore and a keystore on both the client and the server. It is not mandatory to set the two-way authentication.

To set the two-way authentication:

1. Log in to the WebLogic Server Administration Console.
2. On the Managed Server, select the SSL tab and click Advanced.
3. Select Lock and Edit.
4. For Two Way Client Cert Behavior, select Client Certs Requested and Enforced from the drop-down list.
5. Click Save and activate the changes.
   This change in the property does not require a WebLogic Server restart.