Configure WebSocket Secure

By default, the Intelligent AI Connector (IAC) uses the plain WebSocket (WS) protocol. To upgrade to WebSocket Secure (WSS), generate a certificate, create a keystore, update the application settings, restart the service, and verify secure connectivity.

Enable WSS

  1. Generate a self-signed certificate.
    openssl req -x509 -newkey rsa:4096 \
       -keyout key.pem -out cert.pem \
       -days 365 -nodes \
       -subj "/C=<Country Code>/ST=<State>/L=<Location>/O=Oracle/OU=OCCAS/CN=<AIC_IP>" \
       -addext "subjectAltName=IP:<AIC_IP>"

    The key.pem file is the private key, and the cert.pem file is the certificate.

  2. Verify the certificate.
    openssl x509 -in cert.pem -text -noout

    If the certificate is well formed, the command prints its details and returns no error. Check that the X509v3 Subject Alternative Name line shows IP Address:<AIC_IP>, because the client verifies the server against that entry.

  3. Convert the certificate and private key to a JKS keystore.
    openssl pkcs12 -export \
       -in cert.pem -inkey key.pem \
       -out keystore.p12 \
       -name aic-wss \
       -passout pass:<passphrase>
    keytool -importkeystore \
       -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass <passphrase> \
       -destkeystore keystore.jks -deststorepass <passphrase> \
       -deststoretype JKS
  4. Update the keystore-path and keystore-password in the ws-secure block of the application configuration.
    server:
      sockets:
        ws-secure:
          port: 9443
          keystore-path: "/home/sdp/aic_certs/keystore.jks"
          keystore-password: "<passphrase>"
  5. Restart the IAC server.
    cd $AIC_HOME/bin
    sh startAIC.sh

    You can verify the WSS endpoint was created by finding this line in the logs.

    Keystore file found: <path>. WSS endpoint will be available.

    If the log instead reports Keystore file not found, check the keystore-path value and the file permissions.

  6. Copy the cert.pem file generated on the IAC server to the Converged Application Server host.
  7. Import the certificate into the client trust store with the following command, adjusted to your environment.
    sudo keytool -import \
       -alias aic-wss-cert \
       -file /home/occas/cert.pem \
       -keystore $ORACLE_HOME/client-truststore.jks \
       -storepass <passphrase> \
       -noprompt
  8. Add the following flags to SAVE_JAVA_OPTIONS in $DOMAIN_HOME/bin/startWeblogic.sh, using the same password that protects client-truststore.jks in step 7.
    -Djavax.net.ssl.trustStore=$ORACLE_HOME/client-truststore.jks -Djavax.net.ssl.trustStorePassword=<passphrase> -Djavax.net.ssl.trustStoreType=JKS

    Note:

    These properties replace the JVM default trust store for every outbound TLS connection from the server, so if TLS is also enabled it must use this same client-truststore.jks.
  9. Verify the certificate import.
    keytool -list -keystore $ORACLE_HOME/client-truststore.jks -storepass <passphrase> | grep aic-wss-cert
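
The following client, added here as an example and not part of the IAC or Converged Application Server software, verifies the secure connectivity the steps above set up: it trusts only cert.pem, requires the server certificate's IP SAN to match the address it connected to, then performs a WebSocket upgrade and validates the Sec-WebSocket-Accept header per RFC 6455. The address 192.0.2.10 stands in for <AIC_IP> and the WebSocket path "/" is an assumption, as IAC's actual path is not given here.

```python
"""Verify an IAC WSS endpoint: TLS handshake pinned to cert.pem, then a WebSocket upgrade."""
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455


def expected_accept(client_key: str) -> str:
    """Compute the Sec-WebSocket-Accept value a compliant server must return for client_key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, port: int, path: str, client_key: str) -> bytes:
    """Build the HTTP/1.1 request that opens a WebSocket over the TLS connection."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {client_key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")


def upgrade_ok(response: bytes, client_key: str) -> bool:
    """True only if the server answered 101 and echoed the correct Sec-WebSocket-Accept."""
    head, _, _ = response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 101"):
        return False
    headers = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return headers.get("sec-websocket-accept") == expected_accept(client_key)


def check_wss(host: str, port: int = 9443, cafile: str = "cert.pem", path: str = "/") -> bool:
    """Connect to host:port trusting only cafile, enforce the IP SAN match, then upgrade."""
    ctx = ssl.create_default_context(cafile=cafile)  # only the self-signed cert is trusted
    ctx.check_hostname = True                         # enforces subjectAltName=IP:<AIC_IP>
    ctx.verify_mode = ssl.CERT_REQUIRED
    key = base64.b64encode(os.urandom(16)).decode("ascii")  # fresh nonce per RFC 6455
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, port, path, key))
            return upgrade_ok(tls.recv(4096), key)


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder for <AIC_IP>; path "/" is assumed.
    print("WSS OK" if check_wss("192.0.2.10") else "WSS FAILED")
```

A handshake failure here (certificate verify failed, or the IP not matching the SAN) points at steps 1 and 4; a 101 without a valid accept header points at the endpoint itself.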

Disable WSS

  1. In the ws-secure socket block, clear the keystore-path field. The keystore-path field must be either:
    • empty
    • deleted
    • commented out
    server:
      sockets:
        ws-secure:
          port: 9443
          keystore-path: "" # Can also delete or comment out this key
          keystore-password: "<passphrase>"