30 Configuring Web Services Security

This chapter describes how to set up Web Services Security (WS-Security) for WebCenter Portal and related services and components.

WS-Security, using an OPSS Key Store Service (KSS) keystore, provides a mechanism for retrieving and managing the security credentials of a WebCenter Portal application and ancillary applications and components across one or more domains. The KSS keystore provides information about available public and private keys that can be used for authentication and data integrity.

The following topics show how to configure a typical topology with WS-Security (where the WebCenter Portal application and the WSRP producers share the same domain, but the BPEL server is in an external SOA domain), and how to extend that configuration for more complex environments (where, for example, a second discussions server is in a separate domain, a BPEL server is in a separate SOA domain, and one WSRP producer is in an external portlet domain):

Permissions

To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.

See also Understanding Administrative Operations, Roles, and Tools.

30.1 Configuring WS-Security for a Typical Topology

This section describes how to configure WS-Security for a topology where the WebCenter Portal application, WSRP producers, and discussions server share the same domain, but the BPEL (SOA) server is in an external domain.

Typical Topology

  • Domain 1: WebCenter Portal, Discussions, Portlet Producers

  • Domain 2: SOA

The steps to configure WS-Security for a typical two-domain topology are described in the following topics:

30.1.1 Creating the WebCenter Portal Domain Keystore

This section describes how to use the OPSS Keystore Service (KSS) to create the WebCenter Portal keystore and keys. A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the keystore. After creating the keystore, the security credentials of WebCenter Portal, discussions server, BPEL servers, and WSRP producers can be retrieved and managed using the KSS. For more information about the OPSS Keystore Service, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services.

To create the WebCenter Portal domain keystore:

  1. Run the following WLST commands:
    • svc = getOpssService(name='KeyStoreService')

    • svc.createKeyStore(appStripe='owsm', name='keystore', password='')

    • svc.generateKeyPair(appStripe='owsm', name='keystore', password='', dn='CN=RESTOWSMKEY, OU=KEYS FOR REST, O=Oracle, L=CA, ST=CA, C=US', keysize='2048', alias='orakey', keypassword='')

    • svc.exportKeyStoreCertificate(appStripe='system', name='castore', password='', alias='democa', type='TrustedCertificate', filepath='/scratch/certificate/prodtrust.cer')

    • svc.importKeyStoreCertificate(appStripe='owsm', name='keystore', password='', alias='democa', keypassword='', type='TrustedCertificate', filepath='/scratch/certificate/prodtrust.cer')

    • svc.listKeyStoreAliases(appStripe="owsm",name="keystore", password='', type="*")

  2. Create the keystore using the following WLST command:
    svc.createKeyStore(appStripe='appStripe', name='producer', password='password', permission=true/false)

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • permission — false if protected by both permission and password (true if keystore is protected by permission only)

    For example:

    svc.createKeyStore(appStripe='WCPortalStripe', name='producer', password='welcome1', permission=true)
  3. Generate the key pair for this newly created keystore:
    svc.generateKeyPair(appStripe='appstripe', name='name', password='password', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='producer', keypassword='keypassword')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • dn — Distinguished name of the certificate subject (for example, dn='CN=webcenter_certificate')

    • alias — Public Key Alias

    • keypassword — Password for new public key

    For example:

    svc.generateKeyPair(appStripe='WCPortalStripe', name='producer', password='welcome1', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='producer', keypassword='welcome1')
  4. Import the public certificate of the CA into the newly created stripe for OWSM (the "Producer" certificate is not self-signed, but is signed by the internal CA):
    svc.exportKeyStoreCertificate(appStripe='system',name='castore',password='',alias='democa',type='TrustedCertificate',filepath='filepath')
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', keypassword='keypassword', type='TrustedCertificate', filepath='filepath')

    Note:

    The key pair generated in the previous step was signed by the internal CA that ships with KSS, so certificate validation on the service side will fail because the OWSM agent cannot build the certificate path for the signing certificate. You would not hit this issue with self-signed certificates, but because a CA-signed certificate (albeit one signed by an internal CA) is used here, you must import the CA certificate into the OWSM keystore (that is, import the public certificate of the CA into the OWSM stripe).

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new public key

    • filepath — Certificate path

    Note:

    The only parameter that you can change for svc.exportKeyStoreCertificate is the filepath; all other values must be entered as above. Note also that

    For example:

    svc.exportKeyStoreCertificate(appStripe='system',name='castore',password='',alias='democa',type='TrustedCertificate',filepath='/workplace/certificate/trustwebcenter.crt')
    svc.importKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='democa', keypassword='welcome1', type='TrustedCertificate', filepath='/workplace/certificate/trustwebcenter.crt')
  5. Export the producer certificate (which will be used by the consumer):
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', type='TrustedCertificate',filepath='filepath')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new public key

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='producer', type='TrustedCertificate',filepath='/scratch/certificate/webcenter.cer')
  6. Export the trusted certificate along with public certificate:
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='democa', filepath='/scratch/certificate/democaprod.cer',type='TrustedCertificate')

30.1.2 Creating the SOA Domain Keystore

This section describes how to create a SOA domain keystore and keys using an OPSS keystore (KSS). For syntax and reference information about the KSS commands, see OPSS Keystore Service Commands in Oracle Fusion Middleware Infrastructure Security WLST Command Reference.

To create the SOA domain keystore:

  1. Using the following WLST command, get an OPSS service command object:
    svc = getOpssService(name='KeyStoreService')
  2. Create the keystore:
    svc.createKeyStore(appStripe='appStripe', name='producer', password='password', permission=true/false)

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • permission — false if protected by both permission and password (true if keystore is protected by permission only)

    For example:

    svc.createKeyStore(appStripe='SOAStripe', name='bpel', password='welcome1', permission=true)
  3. Generate key pair for the newly created keystore:
    svc.generateKeyPair(appStripe='appstripe', name='name', password='password', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='producer', keypassword='keypassword')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • dn — Distinguished name of the certificate subject (for example, dn='CN=webcenter_certificate')

    • alias — Public Key Alias

    • keypassword — Password for new public key

    For example:

    svc.generateKeyPair(appStripe='SOAStripe', name='bpel', password='welcome1', dn='CN=BPEL, OU=Consumer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='bpel', keypassword='welcome1')
  4. Import the public CA certificate to the bpel stripe:
    svc.exportKeyStoreCertificate(appStripe='system',name='castore',password='',alias='democa',type='TrustedCertificate',filepath='filepath')
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', type='TrustedCertificate', filepath='filepath')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='system',name='castore',password='',alias='democa',type='TrustedCertificate',filepath='/workplace/certificate/trustbpel.crt')
    svc.importKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='democa', keypassword='welcome1', type='TrustedCertificate', filepath='/workplace/certificate/trustbpel.crt')
  5. Import the certificate exported by the producer:
    svc.importKeyStoreCertificate(appStripe='appStripe', name='name', password='password', alias='webcenter_spaces_ws', keypassword='keypassword', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • keypassword — Password for new public key

    • filepath — Certificate path

    Note:

    The alias for the importKeyStoreCertificate command must always be set to webcenter_spaces_ws. Do not attempt to change this alias or creating the keystore will fail.

    For example:

    svc.importKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='webcenter_spaces_ws', keypassword='welcome1', filepath='/workplace/certificate/webcenter.cer',type='TrustedCertificate')
  6. Import the producer ‘democa’ certificate:
    svc.importKeyStoreCertificate(appStripe='appstripe', name='bpel', password='password', alias='alias', keypassword='keypassword', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new public key

    • filepath — Certificate path

    For example:

    svc.importKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='democa1', keypassword='welcome1', filepath='/workplace/certificate/democaprod.cer',type='TrustedCertificate')
  7. Export the public certificate that will be imported by the producer:
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='bpel', filepath='/scratch/certificate/bpel.cer',type='TrustedCertificate')
  8. Export the demo certificate that will be used by the producer:
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='democa', filepath='/scratch/certificate/democabpel.cer',type='TrustedCertificate')
  9. Register the newly created stripe:
    configureWSMKeystore('/WLS/base_domain','KSS', 'kss://appstripe/bpel', signAlias='bpel', cryptAlias='bpel', signAliasPassword='signAliasPassword',cryptAliasPassword='cryptAliasPassword')

    Where:

    • signAlias — The signature key alias

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • signAliasPassword — The password for the signature key alias

    • cryptAlias — The encryption key alias

    • cryptAliasPassword — The password for the encryption key alias

    For example:

    configureWSMKeystore('/WLS/base_domain','KSS', 'kss://SOAStripe/bpel', signAlias='bpel', cryptAlias='bpel', signAliasPassword='signAliasPassword',cryptAliasPassword='cryptAliasPassword')
  10. Grant keystore permission to newly created bpel stripe:
    grantPermission(permClass="oracle.security.jps.service.keystore.KeyStoreAccessPermission", permTarget="stripeName=SOAStripe,keystoreName=bpel,alias=*", permActions="read")
  11. Import the consumer certificate and consumer democa certificate to WebCenter:
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='bpel', keypassword='keypassword', filepath='filepath', type='TrustedCertificate')
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='democa1', keypassword='keypassword', filepath= 'filepath' ,type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new key

    • filepath — Certificate path

    For example:

    svc.importKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='bpel', keypassword='welcome1', filepath='/scratch/certificate/bpel.cer', type='TrustedCertificate')
    svc.importKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='democa1', keypassword='welcome1', filepath='/scratch/certificate/democabpel.cer', type='TrustedCertificate')
  12. Register the producer stripe:
    configureWSMKeystore('/WLS/wc_domain','KSS', 'kss://appstripe/producer', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

    Where:

    • wc_domain — The WebCenter Portal domain

    • signAliasPassword — The password for the public key

    • cryptAlias — The public key alias

    • cryptAliasPassword — The password for the public key

  13. Grant KeystorePermission for the newly created stripe:
    grantPermission(permClass="oracle.security.jps.service.keystore.KeyStoreAccessPermission", permTarget="stripeName=WCPortalStripe,keystoreName=producer,alias=*", permActions="read")
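The procedures in 30.1.1 and 30.1.2 (and the same flow for the discussions server later in this chapter) are easy to get subtly wrong: an import that names a file no export wrote, a configureWSMKeystore URI or grantPermission target that names a stripe or keystore that was never created, or a signAlias that is not a key pair. The following checker is an added example, not Oracle's code or a WLST command: it scans each domain's planned WLST script as plain text and reports such mismatches before the script is run. Function names and the sample scripts are constructed for the example, and an exported certificate is assumed to be imported under the same path it was exported to.

```python
"""Cross-domain consistency check for the KSS / OWSM WLST steps in this chapter.
Added example, not Oracle's code: it reads each domain's WLST script as plain text,
follows the createKeyStore / generateKeyPair / export / import / configureWSMKeystore /
grantPermission calls and reports stripe, keystore, alias or certificate-path values
that do not line up.  The kss:// URI and permTarget formats are the page's own; the
function names and sample scripts are constructed, and an exported certificate is
assumed to be imported under the same path it was exported to."""
import re

CALL_RE = re.compile(r"^(?:svc\.)?(\w+)\s*\((.*?)\)+\s*$")
# One argument: an optional "key=" followed by a quoted string or a bare word.
ARG_RE = re.compile(r"(?:(\w+)\s*=\s*)?(?:'([^']*)'|\"([^\"]*)\"|([\w./:*-]+))")
KSS_URI_RE = re.compile(r"^kss://([^/]+)/(.+)$")


def parse_call(line):
    """Split one WLST line into (function, positional args, keyword args)."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    positional, keywords = [], {}
    for key, single, double, bare in ARG_RE.findall(m.group(2)):
        if key:
            keywords[key] = single or double or bare
        else:
            positional.append(single or double or bare)
    return m.group(1), positional, keywords


def check_plan(domain_scripts):
    """domain_scripts: list of (domain label, WLST text).  Returns a list of findings."""
    keystores = {}  # (domain, stripe, name) -> {alias: 'key' | 'trusted'}
    exported = {}   # certificate file path -> (keystore, alias) that wrote it
    findings = []
    for domain, script in domain_scripts:
        for lineno, line in enumerate(script.splitlines(), 1):
            call = parse_call(line)
            if call is None:
                continue
            fn, pos, kw = call
            ks = (domain, kw.get('appStripe'), kw.get('name'))
            where = "%s line %d: " % (domain, lineno)
            if fn == 'createKeyStore':
                keystores[ks] = {}
            elif fn == 'generateKeyPair':
                if ks not in keystores:
                    findings.append(where + "key pair for unknown keystore %s/%s" % ks[1:])
                else:
                    keystores[ks][kw.get('alias')] = 'key'
            elif fn == 'exportKeyStoreCertificate':
                # The system stripe's castore (the demo CA) exists before any step runs.
                if ks[1] != 'system' and kw.get('alias') not in keystores.get(ks, {}):
                    findings.append(where + "export of alias %r missing from %s/%s" % ((kw.get('alias'),) + ks[1:]))
                exported[kw.get('filepath')] = (ks, kw.get('alias'))
            elif fn == 'importKeyStoreCertificate':
                if ks not in keystores:
                    findings.append(where + "import into unknown keystore %s/%s" % ks[1:])
                elif kw.get('filepath') not in exported:
                    findings.append(where + "import of %s, which no earlier export wrote" % kw.get('filepath'))
                else:
                    keystores[ks][kw.get('alias')] = 'trusted'
            elif fn == 'configureWSMKeystore':
                uri = pos[2] if len(pos) > 2 else ''
                m = KSS_URI_RE.match(uri)
                target = (domain, m.group(1), m.group(2)) if m else None
                if target not in keystores:
                    findings.append(where + "configureWSMKeystore points at unknown keystore %r" % uri)
                else:
                    for role in ('signAlias', 'cryptAlias'):
                        if keystores[target].get(kw.get(role)) != 'key':
                            findings.append(where + "%s=%r is not a key pair in %s" % (role, kw.get(role), uri))
            elif fn == 'grantPermission':
                t = dict(p.split('=', 1) for p in kw.get('permTarget', '').split(',') if '=' in p)
                if (domain, t.get('stripeName'), t.get('keystoreName')) not in keystores:
                    findings.append(where + "grantPermission targets unknown keystore %s/%s" % (t.get('stripeName'), t.get('keystoreName')))
    return findings


# Constructed sample: the chapter's WebCenter (30.1.1) and SOA (30.1.2) example commands;
# the SOA side imports the WebCenter certificate under a path that differs from the one
# it was exported to and grants keystore access to a stripe that was never created.
WEBCENTER_WLST = """
svc = getOpssService(name='KeyStoreService')
svc.createKeyStore(appStripe='WCPortalStripe', name='producer', password='welcome1', permission=true)
svc.generateKeyPair(appStripe='WCPortalStripe', name='producer', password='welcome1', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='producer', keypassword='welcome1')
svc.exportKeyStoreCertificate(appStripe='system',name='castore',password='',alias='democa',type='TrustedCertificate',filepath='/workplace/certificate/trustwebcenter.crt')
svc.importKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='democa', keypassword='welcome1', type='TrustedCertificate', filepath='/workplace/certificate/trustwebcenter.crt')
svc.exportKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='producer', type='TrustedCertificate',filepath='/scratch/certificate/webcenter.cer')
"""
SOA_WLST = """
svc.createKeyStore(appStripe='SOAStripe', name='bpel', password='welcome1', permission=true)
svc.generateKeyPair(appStripe='SOAStripe', name='bpel', password='welcome1', dn='CN=BPEL, OU=Consumer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='bpel', keypassword='welcome1')
svc.importKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='webcenter_spaces_ws', keypassword='welcome1', filepath='/workplace/certificate/webcenter.cer',type='TrustedCertificate')
configureWSMKeystore('/WLS/base_domain','KSS', 'kss://SOAStripe/bpel', signAlias='bpel', cryptAlias='bpel', signAliasPassword='welcome1',cryptAliasPassword='welcome1')
grantPermission(permClass="oracle.security.jps.service.keystore.KeyStoreAccessPermission", permTarget="stripeName=stripe2,keystoreName=bpel,alias=*", permActions="read")
"""

if __name__ == '__main__':
    for finding in check_plan([("webcenter", WEBCENTER_WLST), ("soa", SOA_WLST)]):
        print(finding)
```

Run against the two sample scripts it reports the SOA import of a file that was exported to a different path and the grant on the non-existent stripe, and nothing for the WebCenter script alone.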

30.1.3 Configuring the Discussions Server

If the discussions server for your topology is in the same domain as the WC_Portal server and is not being used in a production environment, then no extra keystore configuration is needed since the keystore configured for the WebCenter Portal domain is used for the discussions server as well. However, for production environments, you should protect the discussions web service endpoints with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following topics:

Note:

Discussions-specific web services messages sent by WebCenter Portal to the discussions server are not encrypted. For message confidentiality, the discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Configuring SSL.

30.1.3.1 Attaching Security Policies for WebCenter Portal and Discussions Web Service Endpoints

In a new or patched WebCenter Portal instance, the assigned security policy configuration is set to "no security policy." You must attach Oracle Web Services Manager (OWSM) security policies for the WebCenter Portal web service endpoint and the discussions authenticated web service endpoint. For a production environment, continue by hardening the security by following the steps in Securing the Discussions End Points.

Note:

In a patched WebCenter Portal instance, you must determine the policy names before you patch, then attach the policies after you patch. For required steps, see Patching Oracle WebCenter in Patching Guide for Oracle Identity and Access Management.

To attach the web service security policy configuration in a new instance:

Note:

For clustered environments, repeat these steps for each of the managed servers where WebCenter Portal and discussions are deployed.

  1. Ensure that the WC_Portal and WC_Collaboration managed servers are running.
  2. Run the following WLST command to attach an OWSM policy on the discussions web service endpoint:
    attachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss10_saml_token_service_policy')
    
  3. Restart the WC_Portal and WC_Collaboration managed servers.

30.1.3.2 Securing the Discussions End Points

The discussions web service endpoints require user identity to be propagated for calls originating from WebCenter Portal. For a production environment, the web service endpoints must be secured with OWSM policies to ensure that messages are not tampered with, and can't be viewed by others while in transit. To do this, both the public access web service endpoint and authenticated user access endpoint should be secured with the appropriate OWSM policies using either Fusion Middleware Control or WLST.

This section contains the following topics:

30.1.3.2.1 Securing the Discussions Server End Points Using Fusion Middleware Control

To secure the discussions end points using Fusion Middleware Control, follow the steps below:

  1. Log in to Fusion Middleware Control and from the Navigation pane, expand WebCenter > Portal > Discussions and click Discussions (WC_Collaboration).

    The discussions home page displays (see Figure 30-1).

  2. Click the owc_discussions target.

    The home page for the owc_discussions application displays (see Figure 30-2).

    Figure 30-2 owc_discussions Home Page

  3. From the Application Deployment menu, select Web Services.

    The Web Services page for the owc_discussions application displays (see Figure 30-3).

    Figure 30-3 Web Services Page for owc_discussions

  4. Open the Web Services tab, and click the OWCDiscussionsServiceAuthenticated web service end point.

    The Web Service Endpoint page for owc_discussions displays (see Figure 30-4).

    Figure 30-4 Web Service Endpoint Page

  5. Click Attach/Detach.

    The Attach Policy page displays (see Figure 30-5).

  6. Use the Attach and Detach buttons to attach oracle/wss11_saml_token_with_message_protection_service_policy and detach oracle/wss10_saml_token_service_policy.
  7. Click OK.
30.1.3.2.2 Securing the Discussions Server End Points Using WLST

To secure the discussions server endpoints using WLST, detach the wss10_saml_token_service_policy and attach the wss11_saml_token_with_message_protection_service_policy using the following WLST commands:

detachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss10_saml_token_service_policy')

attachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss11_saml_token_with_message_protection_service_policy')

30.1.3.3 Configuring the Discussions Server Connection Settings

You must supply the WS-Security client certificate information within the discussions server connection that is configured for your WebCenter Portal application, as described in Registering Discussions Servers. Figure 30-6 shows example connection detail settings for the Edit Discussions and Announcement Connection page.

Figure 30-6 Edit Discussions and Announcement Connection Page


30.2 Configuring WS-Security for Multiple Domains

This section describes how to extend the WS-security configuration for a typical topology for topologies where, for example, the WebCenter Portal application, BPEL (SOA) server, discussions server, and a WSRP producer server are each in their own domain.

Multiple Domain Topology

  • Domain 1: WebCenter Portal

  • Domain 2: SOA (BPEL) server

  • Domain 3: Discussions server

  • Domain 4: WSRP producers

The steps to configure WS-Security for a topology with multiple domains are described in the following topics:

30.2.1 Setting Up the WebCenter Portal Domain Keystore

To create the WebCenter Portal domain keystore, follow the steps for a configuring WS-security for a typical topology as described in Creating the WebCenter Portal Domain Keystore. After creating the keystore, the security credentials of WebCenter Portal, discussions server, BPEL servers, and WSRP producers can be retrieved and managed using the KSS. For more information about the OPSS Keystore Service, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services.

30.2.2 Creating the SOA Domain Keystore

Create the SOA domain keystore and keys using an OPSS keystore (KSS) as described in Creating the SOA Domain Keystore. For syntax and reference information about the KSS commands, see OPSS Keystore Service Commands in Oracle Fusion Middleware Infrastructure Security WLST Command Reference.

30.2.3 Configuring an External Discussions Server

If the discussions server is in a different domain than WebCenter Portal, you will need to create and configure a keystore for the discussions server and export the certificate containing the public key and import it into the WebCenter Portal domain. For production environments you will also need to protect the discussions web service end points with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following subsections:

30.2.3.1 Securing the Discussions Service End Points

The discussions web service end points require user identity to be propagated for calls originating from WebCenter Portal. Follow the steps in Securing the Discussions End Points to secure the endpoints using either Fusion Middleware Control or WLST.

30.2.3.2 Creating the Discussions Server Keystore

This section describes how to create a keystore for the discussions server that contains the key pair used by OWSM, and export the certificate containing the public key so it can be imported into the WebCenter Portal domain.

To create the owc_discussions keystore:

  1. From the discussions server, run the following WLST command:

    svc = getOpssService(name='KeyStoreService')

  2. Create the keystore:
    svc.createKeyStore(appStripe='appStripe', name='producer', password='password', permission=true/false)

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • permission — false if protected by both permission and password (true if keystore is protected by permission only)

    For example:

    svc.createKeyStore(appStripe='dfstripe', name='discussions', password='welcome1', permission=false)
  3. Generate key pair for the newly created keystore:
    svc.generateKeyPair(appStripe='appstripe', name='name', password='password', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='discussions', keypassword='keypassword')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name (in this case "discussions")

    • password — Keystore password

    • dn — Distinguished name of the certificate subject (for example, dn='CN=webcenter_certificate')

    • alias — Public Key Alias (in this case "discussions")

    • keypassword — Password for new public key

    For example:

    svc.generateKeyPair(appStripe='dfstripe', name='discussions', password='welcome1', dn='CN=DISCUSSIONS, OU=Consumer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='discussions', keypassword='welcome1')
  4. Import the public CA certificate to the discussions stripe:
    svc.exportKeyStoreCertificate(appStripe='system',name='castore',password='',alias='democa',type='TrustedCertificate',filepath='filepath')
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', type='TrustedCertificate', filepath='filepath')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='system',name='castore',password='',alias='democa',type='TrustedCertificate',filepath='/workplace/certificate/trustdiscussions.crt')
    svc.importKeyStoreCertificate(appStripe='dfstripe', name='discussions', password='welcome1', alias='democa', keypassword='welcome1', type='TrustedCertificate', filepath='/workplace/certificate/trustdiscussions.crt')
  5. Import the certificate exported by the producer:
    svc.importKeyStoreCertificate(appStripe='appStripe', name='name', password='password', alias='webcenter_df_ws', keypassword='keypassword', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name (in this case "discussions")

    • password — Keystore password

    • keypassword — Password for new public key

    • filepath — Certificate path

    Note:

    The alias for the importKeyStoreCertificate command must always be set to webcenter_df_ws. Do not attempt to change this alias or creating the keystore will fail.

    For example:

    svc.importKeyStoreCertificate(appStripe='dfstripe', name='discussions', password='welcome1', alias='webcenter_df_ws', keypassword='welcome1', filepath='/scratch/certificate/webcenter.cer',type='TrustedCertificate')
  6. Import the producer ‘democa’ certificate:
    svc.importKeyStoreCertificate(appStripe='appstripe', name='discussions', password='password', alias='alias', keypassword='keypassword', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name (in this case "discussions")

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new public key

    • filepath — Certificate path

    For example:

    svc.importKeyStoreCertificate(appStripe='dfstripe', name='discussions', password='welcome1', alias='democa1', keypassword='welcome1', filepath='/workplace/certificate/democaprod.cer',type='TrustedCertificate')
  7. Export the public certificate that will be imported by the producer:
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='dfstripe', name='discussions', password='welcome1', alias='discussions', filepath='/workplace/certificate/discussions.cer',type='TrustedCertificate')
  8. Export the demo certificate that will be imported by the WebCenter Portal domain (the consumer):
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named.

    • name — Keystore name

    • password — Keystore password

    • alias — Alias of the entry whose certificate is exported

    • filepath — Path of the certificate file to write

    For example:

    svc.exportKeyStoreCertificate(appStripe='dfstripe', name='discussions', password='welcome1', alias='democa', filepath='/workplace/certificate/democadiscussions.cer',type='TrustedCertificate')
  9. Register the newly created stripe:
    configureWSMKeystore('/WLS/base_domain','KSS', 'kss://dfstripe/discussions', signAlias='discussions', cryptAlias='discussions', signAliasPassword='signAliasPassword',cryptAliasPassword='cryptAliasPassword')

    Where:

    • kss://dfstripe/discussions — The stripe and keystore created in the previous steps

    • signAlias, cryptAlias — The alias of the key pair used for signing and for encryption (the same alias serves both here)

    • signAliasPassword — Password of the private key for the signature alias

    • cryptAliasPassword — Password of the private key for the encryption alias

  10. Grant read access to the keystore in the newly created discussions stripe. The stripeName and keystoreName in permTarget must be the stripe and keystore registered in the previous step (dfstripe and discussions in these examples):
    grantPermission(permClass="oracle.security.jps.service.keystore.KeyStoreAccessPermission", permTarget="stripeName=dfstripe,keystoreName=discussions,alias=*", permActions="read")
  11. Restart the managed servers and admin servers.
  12. Import the discussions server certificate and its democa certificate, exported in steps 7 and 8, into the WebCenter Portal domain (consumer) keystore:
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='discussions', keypassword='keypassword', filepath='filepath', type='TrustedCertificate')
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='democa1', keypassword='keypassword', filepath='filepath', type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named.

    • name — Keystore name

    • password — Keystore password

    • alias — Alias under which the imported certificate is stored

    • keypassword — Password for the new key entry

    • filepath — Path of the certificate file to import

    For example:

    svc.importKeyStoreCertificate(appStripe='stripe2', name='producer', password='welcome1', alias='discussions', keypassword='welcome1', filepath='/workplace/certificate/discussions.cer', type='TrustedCertificate')
    svc.importKeyStoreCertificate(appStripe='stripe2', name='producer', password='welcome1', alias='democa2', keypassword='welcome1', filepath='/workplace/certificate/democadiscussions.cer', type='TrustedCertificate')

30.2.3.3 Configuring the Discussions Server Connection Settings

You must supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Portal, as described in Registering Discussions Servers. Figure 30-7 shows example connection detail settings for the Edit Discussions and Announcement Connection page.

Figure 30-7 Edit Discussions and Announcement Connection Page

30.2.4 Creating the External Portlet Domain Keystore

To create the external portlet domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.
  2. Using keytool, generate the keystore by importing the WebCenter Portal domain's public certificate:
    keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password

    Example: Importing the Certificate

    keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass MyPassword
    
  3. Using keytool, generate a key pair for the producer:
    keytool -genkeypair -keyalg RSA -dname "producer_dname" -alias producer -keypass key_password -keystore producer.jks -storepass keystore_password -validity days_valid
    

    Where:

    • producer_dname is the distinguished name of the producer (for example, cn=producer,dc=example,dc=com)

    • key_password is the password for the new private key (for example, MyPassword)

    • producer.jks is the keystore created in the previous step

    • keystore_password is the keystore password (for example, MyPassword)

    • days_valid is the number of days for which the certificate is valid (for example, 1064).

      Example: Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=producer,dc=example,dc=com" -alias  producer -keypass MyPassword -keystore producer.jks -storepass MyPassword  -validity 1064

    Note:

    Pass -keyalg RSA as shown above. The algorithm keytool uses when -keyalg is omitted (DSA) is incompatible with Oracle Web Services Security Manager requirements.

  4. Export the certificate containing the public key so that it can be imported into the WebCenter Portal domain's keystore:
    keytool -exportcert -v -alias producer -keystore producer.jks -storepass keystore_password -rfc -file producer_public_key.cer
    

    Where:

    • keystore_password is the keystore password, (for example, MyPassword)

    Example: Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias producer -keystore producer.jks -storepass MyPassword  -rfc -file producer_public_key.cer
    
  5. Import the certificate to the WebCenter Portal domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias producer_public_key):
    keytool -importcert -alias producer_public_key -file producer_public_key.cer  -keystore webcenter.jks -storepass keystore_password
    

    Where:

    • keystore_password is the keystore password (for example, MyPassword)

    Example: Importing the Certificate

    keytool -importcert -alias producer_public_key -file producer_public_key.cer  -keystore webcenter.jks -storepass MyPassword
    

30.3 Securing WebCenter Portal for Applications Consuming WebCenter Portal Client API with WS-Security

This section describes the administrator tasks required to configure WS-Security for WebCenter Portal so that the communication between an application consuming the WebCenter Portal API (the consumer) and WebCenter Portal (the producer) is secure, and that the identity of the user invoking the API is protected.

This section includes the following topics:

30.3.1 Configuring a Typical Topology for Applications Consuming WebCenter Portal Client API

If your client application is part of the same domain as WebCenter Portal, you only need to specify the following for the GroupSpaceWSContext():

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");

Note:

The alias passed to setRecipientKeyAlias must identify the recipient's public key, that is, the WebCenter Portal certificate (webcenter in the keystores created in this chapter), never a key belonging to the client.

If your client application runs in JDeveloper and you have access to the WebCenter Portal server's configured keystore, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig directory and configure the JDeveloper domain to use this keystore. The steps are exactly the same as those in Creating the WebCenter Portal Domain Keystore, and you would then also need to specify the following on your client stub:

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");

30.3.2 Configuring a Multiple Domain Topology for Applications Consuming the WebCenter Portal Client API

If your client application is part of the same domain as WebCenter Portal, you only need to specify the following for the GroupSpaceWSContext():

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");

Note:

The alias passed to setRecipientKeyAlias must identify the recipient's public key, that is, the WebCenter Portal certificate (webcenter in the keystores created in this chapter), never a key belonging to the client.

If your client application runs in JDeveloper, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig directory and configure the JDeveloper domain to use this keystore. The steps are exactly the same as those in Creating the WebCenter Portal Domain Keystore, and you would then also need to specify the following on your client stub:

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");

30.4 JKS Command Summary for a Typical Topology

Use the following command summary to quickly configure the keystore for a typical topology.

Generate the Keystore

Use the following keytool commands to generate the keystores, replacing the example values (distinguished names, aliases, passwords, and validity periods) with those for your local environment:

keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass MyPassword -keystore webcenter.jks -storepass MyPassword -validity 1064
keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass MyPassword -rfc -file webcenter_public.cer
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass MyPassword -keystore bpel.jks -storepass MyPassword -validity 1024
keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass MyPassword -rfc -file orakay.cer
keytool -importcert -alias orakey -file orakay.cer -keystore webcenter.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass MyPassword

When prompted to trust the certificate, say yes.


Copy the webcenter.jks file to your domain_home/config/fmwconfig directory, and the bpel.jks file to your soa_domain_home/config/fmwconfig directory.

Configure the SOA Domain Keystore

Run the following WLST command to register the keystore:

configureWSMKeystore('/WLS/wc_domain','JKS', 'kss://appstripe/producer', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

Where:

  • wc_domain — The name of the domain you are connected to in WLST. Connect to the domain whose keystore you are registering; for this step that is the SOA domain, to which bpel.jks was copied.

  • signAlias — The alias of the key pair used for signing; it must be a private key entry in that keystore

  • signAliasPassword — The password for that private key

  • cryptAlias — The alias of the key pair used for encryption (the commands in this chapter use one alias for both)

  • cryptAliasPassword — The password for that private key

Before running the command, check that the keystore type and location agree and belong to the domain being configured: a 'JKS' keystore is identified by the path of its .jks file under that domain's config/fmwconfig directory, whereas a kss://stripe/keystore URI identifies an OPSS Keystore Service (KSS) keystore, as in the KSS steps earlier in this chapter. The aliases must be those of the key pair generated in that keystore above.

30.5 JKS Command Summary for Extensions to a Typical Topology

Use the following command summary to quickly configure the keystore and DF properties for a multi-domain topology.

Generate the Keystore

Use the following keytool commands to generate the keystores, replacing the example values (distinguished names, aliases, passwords, and validity periods) with those for your local environment:

keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter  -keypass MyPassword -keystore webcenter.jks -storepass MyPassword -validity 1064

keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass MyPassword -rfc -file webcenter_public.cer

keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass MyPassword -keystore bpel.jks -storepass MyPassword -validity 1024

keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass MyPassword -rfc -file orakay.cer

keytool -importcert -alias orakey -file orakay.cer -keystore webcenter.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=producer,dc=example,dc=com" -alias  producer -keypass MyPassword -keystore producer.jks -storepass MyPassword -validity 1024

keytool -exportcert -v -alias producer -keystore producer.jks  -storepass MyPassword -rfc -file producer_public_key.cer

keytool -importcert -alias webcenter_public -file webcenter_public.cer  -keystore external_webcenter_custom.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -genkeypair -keyalg RSA -dname "cn=external_webcenter_custom,dc=example,dc=com" -alias external_webcenter_custom -keypass MyPassword -keystore external_webcenter_custom.jks  -storepass MyPassword -validity 1024

keytool -exportcert -v -alias external_webcenter_custom -keystore external_webcenter_custom.jks -storepass MyPassword -rfc -file external_webcenter_custom_public_key.cer

keytool -importcert -alias producer_public_key -file producer_public_key.cer -keystore webcenter.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

keytool -importcert -alias external_webcenter_custom_public_key -file external_webcenter_custom_public_key.cer -keystore webcenter.jks -storepass MyPassword

When prompted to trust the certificate, say yes.


Copy webcenter.jks to your domain_home/config/fmwconfig directory, bpel.jks to your SOA1_domain_home/config/fmwconfig directory, producer.jks to your External_Portlet_domain_home/config/fmwconfig directory, and external_webcenter_custom.jks to your External_WebCenter_domain_home/config/fmwconfig directory.
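The keytool exchanges above (and the shorter set in JKS Command Summary for a Typical Topology) fail silently when a key pair is regenerated after its certificate was exported, or when an alias handed to configureWSMKeystore turns out to be a trusted certificate rather than a key pair. The following Python script is an example added here, not part of the Oracle documentation or of WebCenter Portal: it parses the output of `keytool -list -keystore <file> -storepass <password>` for each keystore and cross-checks the trust links the commands above establish. It assumes the two-line-per-entry format that `keytool -list` prints (an alias line followed by a Certificate fingerprint line), it assumes that each domain registers the key pair generated in its own keystore (bpel, producer, external_webcenter_custom) as signAlias and cryptAlias, and the sample listings and fingerprints embedded in it are constructed.

```python
"""Cross-check the WS-Security keystores set up by the keytool commands in this chapter.

Parses `keytool -list` output for each JKS keystore and verifies that the alias each
domain passes to configureWSMKeystore is a key pair, and that every trusted certificate
imported from a peer has the same fingerprint as the key pair it is meant to trust, so
a peer re-keyed after its certificate was exported is caught before WS-Security calls
fail. Added example; the listings and fingerprints below are constructed.
"""
import re
from typing import Dict, List, Tuple

# `keytool -list` prints two lines per entry:
#   <alias>, <date>, PrivateKeyEntry,
#   Certificate fingerprint (SHA-256): 11:22:...      (SHA1 on JDK 8)
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .*, (?P<kind>PrivateKeyEntry|trustedCertEntry),?\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \((?:SHA-?\d+|MD5)\): (?P<fp>[0-9A-Fa-f:]+)$")


def parse_keytool_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {alias: (entry kind, fingerprint)} from the output of `keytool -list`."""
    entries, pending = {}, None  # pending = (alias, kind) waiting for its fingerprint
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            pending = (m.group("alias").strip(), m.group("kind"))
            continue
        m = FP_RE.match(line)
        if m and pending:
            entries[pending[0]] = (pending[1], m.group("fp").upper())
            pending = None
    return entries


# Trust links created by the -importcert commands in this chapter:
# (importing keystore, alias used there, keystore owning the key pair, its alias)
TRUST_LINKS = [
    ("bpel.jks", "webcenter_spaces_ws", "webcenter.jks", "webcenter"),
    ("webcenter.jks", "orakey", "bpel.jks", "bpel"),
    ("owc_discussions.jks", "df_webcenter_public", "webcenter.jks", "webcenter"),
    ("producer.jks", "webcenter_public", "webcenter.jks", "webcenter"),
    ("webcenter.jks", "producer_public_key", "producer.jks", "producer"),
    ("external_webcenter_custom.jks", "webcenter_public", "webcenter.jks", "webcenter"),
    ("webcenter.jks", "external_webcenter_custom_public_key",
     "external_webcenter_custom.jks", "external_webcenter_custom"),
]
# Assumed: each domain registers its own key pair as signAlias/cryptAlias.
WSM_ALIASES = {"webcenter.jks": "webcenter", "bpel.jks": "bpel",
               "producer.jks": "producer", "external_webcenter_custom.jks": "external_webcenter_custom"}


def audit(listings: Dict[str, Dict[str, Tuple[str, str]]]) -> List[str]:
    """Return the problems found; an empty list means the supplied keystores agree."""
    problems: List[str] = []
    for ks, alias in WSM_ALIASES.items():
        if ks not in listings:
            continue
        entry = listings[ks].get(alias)
        if entry is None:
            problems.append(f"{ks}: signing/encryption alias '{alias}' not found")
        elif entry[0] != "PrivateKeyEntry":
            problems.append(f"{ks}: '{alias}' is a {entry[0]}, OWSM needs a key pair")
    for ks, trusted, peer_ks, peer_alias in TRUST_LINKS:
        if ks not in listings or peer_ks not in listings:
            continue  # that side of the topology was not supplied
        local, peer = listings[ks].get(trusted), listings[peer_ks].get(peer_alias)
        if local is None:
            problems.append(f"{ks}: trusted certificate '{trusted}' was never imported")
        elif peer is None:
            problems.append(f"{peer_ks}: key pair '{peer_alias}' not found")
        elif local[1] != peer[1]:
            problems.append(f"{ks}/{trusted} does not match {peer_ks}/{peer_alias}: "
                            "re-export the certificate and import it again")
    return problems


# Constructed sample listings (made-up fingerprints): bpel.jks was re-keyed after
# orakay.cer had been exported, so the orakey entry in webcenter.jks is stale.
FP_WEBCENTER = "1F:8B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9"
FP_BPEL_OLD = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
FP_BPEL_NEW = "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89"


def _listing(*entries: Tuple[str, str, str]) -> str:
    """Render entries in the layout `keytool -list` prints (constructed test data)."""
    head = f"Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains {len(entries)} entries\n\n"
    return head + "".join(f"{alias}, Mar 3, 2024, {kind}, \nCertificate fingerprint (SHA-256): {fp}\n"
                          for alias, kind, fp in entries)


WEBCENTER_LIST = _listing(("webcenter", "PrivateKeyEntry", FP_WEBCENTER),
                          ("orakey", "trustedCertEntry", FP_BPEL_OLD))
BPEL_LIST = _listing(("bpel", "PrivateKeyEntry", FP_BPEL_NEW),
                     ("webcenter_spaces_ws", "trustedCertEntry", FP_WEBCENTER))


def audit_sample_topology() -> List[str]:
    """Audit the two constructed keystores; reports the stale orakey entry."""
    return audit({"webcenter.jks": parse_keytool_list(WEBCENTER_LIST),
                  "bpel.jks": parse_keytool_list(BPEL_LIST)})


if __name__ == "__main__":
    print("\n".join(audit_sample_topology()) or "all keystores agree")
```

To use it against a real topology, capture `keytool -list` for each .jks file after copying it to its domain's config/fmwconfig directory and pass the outputs to audit() keyed by file name; a keystore you do not supply is skipped rather than reported, so partial checks of one pair of domains are possible. A fingerprint mismatch means the -exportcert and -importcert steps for that link must be repeated; an alias reported as trustedCertEntry means the wrong alias is about to be handed to configureWSMKeystore.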

Configure the External Discussions Server Domain Keystore

Run the following WLST command to register the keystore:

configureWSMKeystore('/WLS/wc_domain','JKS', 'kss://appstripe/producer', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

Where:

  • wc_domain — The name of the domain you are connected to in WLST. Connect to the domain whose keystore you are registering; for this step that is the external discussions server domain.

  • signAlias — The alias of the key pair used for signing; it must be a private key entry in that keystore

  • signAliasPassword — The password for that private key

  • cryptAlias — The alias of the key pair used for encryption (the commands in this chapter use one alias for both)

  • cryptAliasPassword — The password for that private key

Before running the command, check that the keystore type and location agree and belong to the domain being configured: a 'JKS' keystore is identified by the path of its .jks file under that domain's config/fmwconfig directory, whereas a kss://stripe/keystore URI identifies an OPSS Keystore Service (KSS) keystore, as in the KSS steps earlier in this chapter. The aliases must be those of the key pair held in that keystore.

Configure the SOA Domain Keystore

Run the following WLST command to register the keystore:

configureWSMKeystore('/WLS/wc_domain','JKS', 'kss://appstripe/producer', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

Where:

  • wc_domain — The name of the domain you are connected to in WLST. Connect to the domain whose keystore you are registering; for this step that is the SOA domain, to which bpel.jks was copied.

  • signAlias — The alias of the key pair used for signing; it must be a private key entry in that keystore

  • signAliasPassword — The password for that private key

  • cryptAlias — The alias of the key pair used for encryption (the commands in this chapter use one alias for both)

  • cryptAliasPassword — The password for that private key

Before running the command, check that the keystore type and location agree and belong to the domain being configured: a 'JKS' keystore is identified by the path of its .jks file under that domain's config/fmwconfig directory, whereas a kss://stripe/keystore URI identifies an OPSS Keystore Service (KSS) keystore, as in the KSS steps earlier in this chapter. The aliases must be those of the key pair generated in that keystore above.

Configure the External Portlet Producer Domain Keystore

Run the following WLST command to register the keystore:

configureWSMKeystore('/WLS/wc_domain','JKS', 'kss://appstripe/producer', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

Where:

  • wc_domain — The name of the domain you are connected to in WLST. Connect to the domain whose keystore you are registering; for this step that is the external portlet producer domain, to which producer.jks was copied.

  • signAlias — The alias of the key pair used for signing; it must be a private key entry in that keystore

  • signAliasPassword — The password for that private key

  • cryptAlias — The alias of the key pair used for encryption (the commands in this chapter use one alias for both)

  • cryptAliasPassword — The password for that private key

Before running the command, check that the keystore type and location agree and belong to the domain being configured: a 'JKS' keystore is identified by the path of its .jks file under that domain's config/fmwconfig directory, whereas a kss://stripe/keystore URI identifies an OPSS Keystore Service (KSS) keystore, as in the KSS steps earlier in this chapter. The aliases must be those of the key pair generated in that keystore above.

Configure the Discussions Server Connection

Supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Portal, as described in Registering Discussions Servers. Also see Configuring the Discussions Server Connection Settings for example connection detail settings for the Edit Discussions and Announcement Connection page.