1. Administering Oracle WebCenter Portal
  2. Administering Security
  3. Configuring Web Services Security

28 Configuring Web Services Security

Configure Web Services Security (WS-Security) for WebCenter Portal and related services and components.

Note:

Oracle WebCenter Portal has deprecated the support for Jive features (announcements and discussions). If you have upgraded from a prior release to Release 12c (12.2.1.4.0), Jive features remain available in your upgraded instance but Oracle support is not provided for these features. In the next release, Jive features will not be available even in the upgraded instances

WS-Security, using an OPSS Key Store Service (KSS) keystore, provides a mechanism for retrieving and managing the security credentials of a WebCenter Portal application and ancillary applications and components across one or more domains. The KSS keystore provides information about available public and private keys that can be used for authentication and data integrity.

The following topics show how to configure a typical topology with WS-Security (where the WebCenter Portal application and the WSRP producers share the same domain, but the BPEL server is in an external SOA domain), and how to extend that configuration for more complex environments (where, for example, a second discussions server is in a separate domain, a BPEL server is in a separate SOA domain, and one WSRP producer is in an external portlet domain):

Permissions:

To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.

See also Understanding Administrative Operations, Roles, and Tools.

Topics:

Configuring WS-Security for a Typical Topology

This section describes how to configure WS-Security for a topology where the WebCenter Portal application, WSRP producers, and discussions server share the same domain, but the BPEL (SOA) server is in an external domain.

Typical Topology

  • Domain 1 : WebCenter Portal , Discussions, Portlet Producers

  • Domain 2 : SOA

The steps to configure WS-Security for a typical two-domain topology are described in the following topics:

Creating the WebCenter Portal Domain Keystore

This section describes how to use the OPSS Keystore Service (KSS) to create the WebCenter Portal keystore and keys. A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the keystore. After creating the keystore, the security credentials of WebCenter Portal, discussions server, BPEL servers, and WSRP producers can be retrieved and managed using the KSS. For more information about the OPSS Keystore Service, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services.

To create the WebCenter Portal domain keystore:

  1. Run the following WLST commands:
    svc = getOpssService(name='KeyStoreService')
  2. Create the keystore using the following WLST command:
    svc.createKeyStore(appStripe='appStripe', name='producer', password='password', permission=true/false))

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • permission — false if protected by both permission and password (true if keystore is protected by permission only)

    For example:

    svc.createKeyStore(appStripe='WCPortalStripe', name='producer', password='welcome1', permission=true))
  3. Generate the key pair for this newly created keystore:
    svc.generateKeyPair(appStripe='appstripe', name='name', password='password', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='producer', keypassword='keypassword')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • dn — Domain name (for example, dn='CN=webcenter_certificate')

    • alias — Public Key Alias

    • keypassword — Password for new public key

    For example:

    svc.generateKeyPair(appStripe='WCPortalStripe', name='producer', password='welcome1', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='producer', keypassword='welcome1')
  4. Export the producer certificate (which will be used by the consumer):
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', type='TrustedCertificate',filepath='filepath')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new public key

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='producer', type='TrustedCertificate',filepath='/scratch/certificate/webcenter.cer')

Creating the SOA Domain Keystore

This section describes how to create a SOA domain keystore and keys using an OPSS keystore (KSS). For syntax and reference information about the KSS commands, see OPSS Keystore Service Commands in Oracle Fusion Middleware Infrastructure Security WLST Command Reference.

To create the SOA domain keystore:

  1. Using the following WLST command, get an OPSS service command object:
    svc = getOpssService(name='KeyStoreService')
  2. Create the keystore:
    svc.createKeyStore(appStripe='appStripe', name='name', password='password', permission=true/false))

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • permission — false if protected by both permission and password (true if keystore is protected by permission only)

    For example:

    svc.createKeyStore(appStripe='SOAStripe', name='bpel', password='welcome1', permission=true))
  3. Generate key pair for the newly created keystore: 
    svc.generateKeyPair(appStripe='appstripe', name='name', password='password', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='bpel', keypassword='keypassword')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • dn — Domain name (for example, dn='CN=webcenter_certificate')

    • alias — Public Key Alias

    • keypassword — Password for new public key

    For example:

    svc.generateKeyPair(appStripe='SOAStripe', name='bpel', password='welcome1', dn='CN=BPEL, OU=Consumer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='bpel', keypassword='welcome1')
  4. Import the certificate exported by the producer:
    svc.importKeyStoreCertificate(appStripe='appStripe', name='name', password='password', alias='webcenter_spaces_ws', keypassword='keypassword', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • keypassword — Password for new public key

    • filepath — Certificate path

    Note:

    The alias for the importKeyStoreCertificate command must always be set to webcenter_spaces_ws. Do not attempt to change this alias or the SOA usecases will fail.

    For example:

    svc.importKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='webcenter_spaces_ws', keypassword='welcome1', filepath='/scratch/certificate/webcenter.cer',type='TrustedCertificate')
  5. Export the public certificate that will be imported by the producer:
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='SOAStripe', name='bpel', password='welcome1', alias='bpel', filepath='/scratch/certificate/bpel.cer',type='TrustedCertificate')
  6. Register the newly created stripe in SOA domain:
    configureWSMKeystore('/WLS/base_domain','KSS', 'kss://appstripe/bpel', signAlias='bpel', cryptAlias='bpel', signAliasPassword='signAliasPassword',cryptAliasPassword='cryptAliasPassword')

    Where:

    • WLS/base_domain — The domain name and should follow the format: WLS/<domainName>

    • kss://appstripe/bpel — The KSS keystore name

    • cryptAlias — The public key alias

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • signAliasPassword — The password for the public key

    • cryptAlias — The public key alias

    • cryptAliasPassword — The password for the public key

    For example:

    configureWSMKeystore('/WLS/base_domain','KSS', 'kss://SOAStripe/bpel', signAlias='bpel', cryptAlias='bpel', signAliasPassword='signAliasPassword',cryptAliasPassword='cryptAliasPassword')
  7. Grant keystore permission to newly created bpel stripe in the SOA domain:
    grantPermission(permClass="oracle.security.jps.service.keystore.KeyStoreAccessPermission", permTarget="stripeName=SOAStripe,keystoreName=bpel,alias=*", permActions="read")
  8. Import the consumer certificate to WebCenter:
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='bpel', keypassword='keypassword', filepath='filepath', type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new key

    • filepath — Certificate path

    For example:

    svc.importKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='bpel', keypassword='welcome1', filepath='/scratch/certificate/bpel.cer', type='TrustedCertificate')
  9. Register the producer stripe:
    configureWSMKeystore('/WLS/wc_domain','KSS', 'kss://appstripe/producer', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

    Where:

    • wc_domain — The WebCenter Portal domain

    • signAliasPassword — The password for the public key

    • cryptAlias — The public key alias

    • cryptAliasPassword — The password for the public key

    For example:

    configureWSMKeystore('/WLS/WLS_SOAWC','KSS', 'kss://WCPortalStripe/producer', signAlias='producer', signAliasPassword='welcome1', cryptAlias='producer', cryptAliasPassword='welcome1')
  10. Grant Keystore Permission for the newly created stripe:
    grantPermission(permClass="oracle.security.jps.service.keystore.KeyStoreAccessPermission", permTarget="stripeName=WCPortalStripe,keystoreName=producer,alias=*", permActions="read")

Configuring the Discussions Server

If the discussions server for your topology is in the same domain as the WC_Portal server and is not being used in a production environment, then no extra keystore configuration is needed since the keystore configured for the WebCenter Portal domain is used for the discussions server as well. However, for production environments, you should protect the discussions web service endpoints with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following topics:

Note:

Discussions-specific web services messages sent by WebCenter Portal to the discussions server are not encrypted. For message confidentiality, the discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Configuring SSL.

Attaching Security Policies for WebCenter Portal and Discussions Web Service Endpoints

In a new or patched WebCenter Portal instance, the assigned security policy configuration is set to "no security policy." You must attach Oracle Web Services Manager (OWSM) security policies for the WebCenter Portal web service endpoint and the discussions authenticated web service endpoint. For a production environment, continue by hardening the security by following the steps in Securing the Discussions End Points.

Note:

In a patched WebCenter Portal instance, you must determine the policy names before you patch, then verify that the policies are the same after an upgrade..

To attach the web service security policy configuration in a new instance:

Note:

For clustered environments, repeat these steps for each of the managed servers where WebCenter Portal and discussions are deployed.

  1. Ensure that the WC_Portal and WC_Collaboration managed servers are running.
  2. Run the following WLST command to attach an OWSM policy on the discussions web service endpoint:
    attachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss10_saml_token_service_policy')
  3. Restart the WC_Portal and WC_Collaboration managed servers.
Securing the Discussions End Points

The discussions web service endpoints require user identity to be propagated for calls originating from WebCenter Portal. For a production environment, the web service endpoints must be secured with OWSM policies to ensure that messages are not tampered with, and can't be viewed by others while in transit. To do this, both the public access web service endpoint and authenticated user access endpoint should be secured with the appropriate OWSM policies using either Fusion Middleware Control or WLST.

This section contains the following topics:

Securing the Discussions Server End Points Using Fusion Middleware Control

To secure the discussions end points using Fusion Middleware Control, follow the steps below:

  1. Log in to Fusion Middleware Control and from the Navigation pane, expand WebCenter> Portal> Discussions and click Discussions (WC_Collaboration).

    The discussions home page displays (see Figure 28-1).

    Figure 28-1 Discussions Home Page

    Description of Figure 28-1 follows
    Description of "Figure 28-1 Discussions Home Page"
  2. Click the owc_discussions target.

    The home page for the owc_discussions application displays (see Figure 28-2).

    Figure 28-2 owc_discussions Home Page

    Description of Figure 28-2 follows
    Description of "Figure 28-2 owc_discussions Home Page"
  3. From the Application Deployment menu, select Web Services.

    The Web Services page for the owc_discussions application displays (see Figure 28-3).

    Figure 28-3 Web Services Page for owc_discussions

    Description of Figure 28-3 follows
    Description of "Figure 28-3 Web Services Page for owc_discussions"
  4. Open the Web Services tab, and click the OWCDiscussionsServiceAuthenticated web service end point.

    The Web Service Endpoint page for owc_discussions displays (see Figure 28-4).

    Figure 28-4 Web Service Endpoint Page

    Description of Figure 28-4 follows
    Description of "Figure 28-4 Web Service Endpoint Page"
  5. Click Attach/Detach.

    The Attach Policy page displays (see Figure 28-5).

    Figure 28-5 Attach Policy Page

    Description of Figure 28-5 follows
    Description of "Figure 28-5 Attach Policy Page"
  6. Use the Attach and Detach buttons to attach oracle/wss11_saml_token_with_message_protection_service_policy and detach oracle/wss10_saml_token_service_policy.
  7. Click OK.
Securing the Discussions Server End Points Using WLST

To secure the discussions server endpoints using WLST, detach the wss10_saml_token_service_policy and attach the wss11_saml_token_with_message_protection_service_policy using the following WLST commands: 

detachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss10_saml_token_service_policy')

attachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss11_saml_token_with_message_protection_service_policy')
Configuring the Discussions Server Connection Settings

You must supply the WS-Security client certificate information within the discussions server connection that is configured for your WebCenter Portal application, as described in Registering Discussions Servers. Figure 28-6 shows example connection detail settings for the Edit Discussions and Announcement Connection page.

Figure 28-6 Edit Discussions and Announcement Connection Page

Description of Figure 28-6 follows
Description of "Figure 28-6 Edit Discussions and Announcement Connection Page"

Configuring WS-Security for Multiple Domains

This section describes how to extend the WS-security configuration for a typical topology for topologies where, for example, the WebCenter Portal application, BPEL (SOA) server, discussions server, and a WSRP producer server are each in their own domain.

Multiple Domain Topology

  • Domain 1 : WebCenter Portal

  • Domain 2 : SOA (BPEL) server

  • Domain 3 : Discussions server

  • Domain 4 : WSRP producers

The steps to configure WS-Security for a topology with multiple domains are described in the following topics:

Setting Up the WebCenter Portal Domain Keystore

To create the WebCenter Portal domain keystore, follow the steps for a configuring WS-security for a typical topology as described in Creating the WebCenter Portal Domain Keystore. After creating the keystore, the security credentials of WebCenter Portal, discussions server, BPEL servers, and WSRP producers can be retrieved and managed using the KSS. For more information about the OPSS Keystore Service, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services.

Creating the SOA Domain Keystore

Create the SOA domain keystore and keys using an OPSS keystore (KSS) as described in Creating the SOA Domain Keystore. For syntax and reference information about the KSS commands, see OPSS Keystore Service Commands in Oracle Fusion Middleware Infrastructure Security WLST Command Reference.

Configuring an External Discussions Server

If the discussions server is in a different domain than WebCenter Portal, you will need to create and configure a keystore for the discussions server and export the certificate containing the public key and import it into the WebCenter Portal domain. For production environments you will also need to protect the discussions web service end points with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following subsections:

Securing the Discussions Service End Points

The discussions web service end points require user identity to be propagated for calls originating from WebCenter Portal. Follow the steps in Securing the Discussions End Points to secure the endpoints using either Fusion Middleware Control or WLST.

Creating the Discussions Server Keystore

This section describes how to create a keystore for the discussions server that contains the key pair used by OWSM, and export the certificate containing the public key so it can be imported into the WebCenter Portal domain.

To create the owc_discussions keystore:

  1. From the discussions server, run the following WLST command:

    svc = getOpssService(name='KeyStoreService')

  2. Create the keystore:
    svc.createKeyStore(appStripe='appStripe', name='discussions', password='password', permission=true/false))

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • permission — false if protected by both permission and password (true if keystore is protected by permission only)

    For example:

    svc.createKeyStore(appStripe='dfstripe', name='discussions', password='welcome1', permission=false)
  3. Generate key pair for the newly created keystore: 
    svc.generateKeyPair(appStripe='appstripe', name='name', password='password', dn='CN=Producer, OU=Producer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='discussions', keypassword='keypassword')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name (in this case “discussions”.

    • password — Keystore password

    • dn — Domain name

    • alias — Public Key Alias (in this case “discussions”

    • keypassword — Password for new public key

    For example:

    svc.generateKeyPair(appStripe='dfstripe', name='discussions', password='welcome1', dn='CN=DISCUSSIONS, OU=Consumer, O=MyOrganization, L=MyTown, ST=MyState, C=US', keysize='2048', alias='discussions', keypassword='welcome1')
  4. Import the certificate exported by the producer:
    svc.importKeyStoreCertificate(appStripe='appStripe', name='name', password='password', alias='webcenter_df_ws', keypassword='keypassword', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name (in this case “discussions”

    • password — Keystore password

    • keypassword — Password for new public key

    • filepath — Certificate path

    For example:

    svc.importKeyStoreCertificate(appStripe='dfstripe', name='discussions', password='welcome1', alias='webcenter_df_ws', keypassword='welcome1', filepath='/scratch/certificate/webcenter.cer',type='TrustedCertificate')
  5. Export the public certificate that will be imported by the producer:
    svc.exportKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='alias', filepath='filepath',type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • filepath — Certificate path

    For example:

    svc.exportKeyStoreCertificate(appStripe='dfstripe', name='discussions', password='welcome1', alias='discussions', filepath='/workplace/certificate/discussions.cer',type='TrustedCertificate')
  6. Register the newly created stripe:
    configureWSMKeystore('/WLS/base_domain','KSS', 'kss://dfstripe/discussions', signAlias='discussions', cryptAlias='discussions', signAliasPassword='signAliasPassword',cryptAliasPassword='cryptAliasPassword')

    Where:

    • signAliasPassword — Password for the signature key alias

    • cryptAliasPassword — Password for the encryption key alias

  7. Grant keystore permission to newly created discussions stripe:
    grantPermission(permClass="oracle.security.jps.service.keystore.KeyStoreAccessPermission", permTarget="stripeName=dfstripe,keystoreName=discussions,alias=*", permActions="read")
  8. Restart the managed servers and admin servers.
  9. Import the discussion public certificate to WebCenter:
    svc.importKeyStoreCertificate(appStripe='appstripe', name='name', password='password', alias='discussions', keypassword='keypassword', filepath='filepath', type='TrustedCertificate')

    Where:

    • appstripe — The keystore stripe name. Keys and certificates created in the keystore reside in an application stripe or product, and each stripe in a domain is uniquely named

    • name — Keystore name

    • password — Keystore password

    • alias — Public Key Alias

    • keypassword — Password for new key

    • filepath — Certificate path

    For example:

    svc.importKeyStoreCertificate(appStripe='WCPortalStripe', name='producer', password='welcome1', alias='discussions', keypassword='welcome1', filepath='/workplace/certificate/discussions.cer', type='TrustedCertificate')

Configuring the Discussions Server Connection Settings

You must supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Portal, as described in Registering Discussions Servers. Figure 28-7 shows example connection detail settings for the Edit Discussions and Announcement Connection page.

Figure 28-7 Edit Discussions and Announcement Connection Page

Description of Figure 28-7 follows
Description of "Figure 28-7 Edit Discussions and Announcement Connection Page"

Creating the External Portlet Domain Keystore

To create the external portlet domain keystore:

  1. Go to JDK_HOME/jdk/bin and open a command prompt.
  2. Using keytool, generate the keystore by importing the WebCenter Portal domain's public certificate:
    keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass keystore_password

    Where:

    • keystore_password is the keystore password

    Example: Importing the Certificate

    keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass MyPassword
  3. Using keytool, generate a key pair:
    keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias producer  -keypass key_password -keystore producer.jks -storepass keystore_password  -validity days_valid

    Where:

    • consumer_dname is the name of the consumer (for example, cn=producer,dc=example,dc=com)

    • key_password is the password for the new public key, (for example, MyPassword)

    • keystore is the keystore name, (for example, webcenter.jks)

    • keystore_password is the keystore password, (for example, MyPassword)

    • days_valid is the number of days for which the key password is valid (for example, 1064).

      Example: Generating the Keypair

      keytool -genkeypair -keyalg RSA -dname "cn=producer,dc=example,dc=com" -alias  producer -keypass MyPassword -keystore producer.jks -storepass MyPassword  -validity 1064

    Note:

    You must use the -keyalg parameter and specify RSA as its value as shown above as the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle Web Services Security Manager requirements.

  4. Export the certificate containing the public key so that it can be imported into the WebCenter Portal domain's keystore:
    keytool -exportcert -v -alias producer -keystore producer.jks -storepasskeystore_password -rfc -file producer_public_key.cer

    Where:

    • keystore_password is the keystore password, (for example, MyPassword)

    Example: Exporting the Certificate Containing the Public Key

    keytool -exportcert -v -alias producer -keystore producer.jks -storepass MyPassword  -rfc -file producer_public_key.cer
  5. Import the certificate to the WebCenter Portal domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias producer_public_key):
    keytool -importcert -alias producer_public_key -file producer_public_key.cer  -keystore webcenter.jks -storepass keystore_password

    Where:

    • keystore_password is the keystore password (for example, MyPassword)

    Example: Importing the Certificate

    keytool -importcert -alias producer_public_key -file producer_public_key.cer  -keystore webcenter.jks -storepass MyPassword

Securing WebCenter Portal for Applications Consuming WebCenter Portal Client API with WS-Security

This section describes the administrator tasks required to configure WS-Security for WebCenter Portal so that the communication between an application exposing the WebCenter Portal API (the consumer) and WebCenter Portal (the producer) is secure, and that the identity of the user invoking the API is protected.

This section includes the following topics:

Configuring a Typical Topology for Applications Consuming WebCenter Portal Client API

If your client application is part of the same domain as WebCenter Portal, you only need to specify the following for the GroupSpaceWSContext(): 

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");

Note:

The alias here should always be the public key.

If your client application is JDeveloper and you have access to the WebCenter Portal server's configured keystore, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig/dir and configure the JDeveloper domain to use this keystore. The steps are exactly same as those in Creating the WebCenter Portal Domain Keystore, and you would then also need to specify the following on your client stub: 

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");

Configuring a Multiple Domain Topology for Applications Consuming the WebCenter Portal Client API

If your client application is part of the same domain as WebCenter Portal, you only need to specify the following for the GroupSpaceWSContext(): 

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");

Note:

The alias here should always be the public key.

If your client application is JDeveloper, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig/dir and configure the JDeveloper domain to use this keystore. The steps are exactly same as those in Creating the WebCenter Portal Domain Keystore, and you would then also need to specify the following on your client stub: 

GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");

JKS Command Summary for a Typical Topology

Use the following command summary to quickly configure the keystore for a typical topology. These commands explain how to configure a JKS keystore.

WebCenter Side

Use the following keytool commands to generate the keystore, replacing the values in bold with those for your local environment: 

keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass MyPassword -keystore webcenter.jks -storepass MyPassword -validity 1064
keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass MyPassword -rfc -file webcenter_public.cer

SOA Side

keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass MyPassword -keystore bpel.jks -storepass MyPassword -validity 1024
keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass MyPassword -rfc -file bpel.cer
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1

WebCenter Side

keytool -importcert -alias bpel -file bpel.cer -keystore webcenter.jks -storepass welcome1

Copy the webcenter.jks file to your domain_home/config/fmwconfig directory, and the bpel.jks file to your soa_domain_home/config/fmwconfig directory.

Configure the SOA Domain Keystore

Run the following WLST command to register the keystore:

configureWSMKeystore('/WLS/WC_Domain',JKS, 'webcenter.jks', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

Where:

  • WC_Domain — TheWebCenter Portal domain

  • signAliasPassword — The password for the public key

  • cryptAlias — The public key alias

  • cryptAliasPassword — The password for the public key

For example:
configureWSMKeystore(context='/WLS/WC_Domain', keystoreType='JKS', location='./consumer.jks',keystorePassword='welcome1', signAlias='consumer', signAliasPassword='welcome1', cryptAlias='consumer', cryptAliasPassword='welcome1')

JKS Command Summary for Extensions to a Typical Topology

Use the following command summary to quickly configure the keystore and DF properties for a multi-domain topology.

WebCenter Side

Use the following keytool commands to generate the keystore, replacing the values in bold with those for your local environment: 

keytool -genkeypair -keyalg RSA -dname  "cn=spaces,dc=example,dc=com" -alias webcenter -keypass MyPassword -keystore webcenter.jks -storepass MyPassword -validity 1064

keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass MyPassword -rfc -file webcenter_public.cer

SOA Side. 

keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass MyPassword -keystore bpel.jks

keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass MyPassword -rfc -file bpel.cer

keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1

When prompted to trust the certificate, say yes.

Discussions

keytool -genkeypair -keyalg RSA -dname "cn=disc,dc=example,dc=com" -alias discussions -keypass MyPassword -keystore discussions.jks

keytool -exportcert -v -alias discussions -keystore discussions.jks -storepass MyPassword -rfc -file disc.cer

keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore discussions.jks -storepass MyPassword

When prompted to trust the certificate, say yes.

WebCenter Side

keytool -importcert -alias df_webcenter_public -file disc.cert -keystore discussions.jks -storepass MyPassword

When prompted to trust the certificate, say yes. 

keytool -importcert -alias webcenter_spaces_ws -file bpel.cer -keystore bpel.jks -storepass MyPassword

Note:

Maintain the name of the alias as 'webcenter_spaces_ws'.

Configure the External Discussions Server Domain Keystore

Run the following WLST command to register the keystore on the WebCenter Side: 

configureWSMKeystore(context='/WLS/wc_domain',keystoreType='JKS',location='./producer.jks',keystorePassword='welcome1',signAlias='producer',signAliasPassword='welcome1',cryptAlias='producer',cryptAliasPassword='welcome1')

Where:

  • wc_domain — TheWebCenter Portal domain

  • signAliasPassword — The password for the public key

  • cryptAlias — The public key alias

  • cryptAliasPassword — The password for the public key

Configure the SOA Domain Keystore

Run the following WLST command to register the keystore:

configureWSMKeystore(context='/WLS/wc_domain',keystoreType='JKS',location='./bpel.jks',keystorePassword='welcome1',signAlias='producer',signAliasPassword='welcome1',cryptAlias='producer',cryptAliasPassword='welcome1')

Where:

  • wc_domain — TheWebCenter Portal domain

  • signAliasPassword — The password for the public key

  • cryptAlias — The public key alias

  • cryptAliasPassword — The password for the public key

Registering Discussions keystore

Run the following WLST command to register the keystore:

configureWSMKeystore('/WLS/wc_domain','JKS', discussions.jks, signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')

Where:

  • wc_domain — TheWebCenter Portal domain

  • signAliasPassword — The password for the public key

  • cryptAlias — The public key alias

  • cryptAliasPassword — The password for the public key

Configure the Discussions Server Connection

Supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Portal, as described in Registering Discussions Servers. Also see Configuring the Discussions Server Connection Settings for example connection detail settings for the Edit Discussions and Announcement Connection page.