Tuesday, October 26, 2010

Enabling SSL on Oracle B2B 11g

In this post I will discuss how to enable SSL on Oracle B2B 11g and how to configure the keystore (known as “Wallet” in the 10g era) for message security (signing and encryption).


First of all, you need digital certificates to enable security. You may use self-signed certificates for development, but for higher environments (Test, Pre-prod and Prod) it is recommended to use a certificate signed by a trusted certificate-issuing authority (CA) such as Verisign or Thawte.



Step #1 – Generating certificates and Preparing Keystore

As mentioned earlier, you may use either self-signed or third-party-issued certificates, so I will show how to create both.

In the Oracle Fusion Middleware 11g stack, the keytool utility is used for certificate management. Keytool ships with the JDK installation itself.

So let us start with certificate generation –

a) Create a directory to store all the certificates and the keystore. I created the directory D:\b2bkeystores.

b) Open a command prompt and execute $MW_HOME/user_projects/domains//bin/setDomainEnv.cmd to set the environment. (Setting the proper JDK in PATH will also do, but executing the above command is recommended to make sure that you are using the right JDK and that you are generating the certificates on the server machine itself.)

c) Run the below command to create a new keystore and generate a new self-signed key pair (public and private key) in it –

keytool -genkeypair -alias serverCert -keyalg RSA -keysize 1024 -validity 365 -dname "CN=localhost.myCompany.com,OU=Support,O=myCompany,L=Gandhinagar,ST=Gujrat,C=IN" -keypass welcome1 -keystore keystore.jks -storepass welcome1

where localhost.myCompany.com (HostName.Domain) is the name of the certificate holder, “Support” is the organizational unit, “myCompany” is the name of the organization, “Gandhinagar” is the city/locality, “Gujrat” is the State/Province and “IN” is the two-letter country code for this unit.

The above command creates a keystore named “keystore.jks” and adds a self-signed key pair to it. You may use this self-signed certificate directly or get it signed by a third-party CA.

Note that PEM (Privacy Enhanced Mail) is the preferred format for private keys, digital certificates and trusted certificate authorities (CAs), and JKS (Java KeyStore) is the preferred keystore format in WebLogic Server.

Remember that when you use the Keytool utility, the default key pair generation algorithm is Digital Signature Algorithm (DSA) but WebLogic Server does not support DSA so specify another key pair generation and signature algorithm when using WebLogic Server. Here we are using RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) algorithm.

To view the content of the keystore anytime, you may run below command –

keytool -list -keystore keystore.jks -storepass welcome1

If you run above command just after generating the certificates, then below would be shown –


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

servercert, Oct 25, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): CE:38:E1:29:56:72:5F:26:DB:92:27:16:FD:74:5B:DE



If you want to use a self-signed certificate (that is, you do not want to get your certificate signed by a CA), skip steps d, e and f.



d) Now run below command to generate a CSR (Certificate Signing Request) –

keytool -certreq -v -alias serverCert -file serverCert.csr -keypass welcome1 -storepass welcome1 -keystore keystore.jks

You should see below lines on prompt –

Certification request stored in file
Submit this to your CA


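This command generates a CSR named “serverCert.csr”, which you have to pass to the third-party CA to get it signed. The CSR is a Base64-encoded text file whose content is enclosed between “-----BEGIN NEW CERTIFICATE REQUEST-----” and “-----END NEW CERTIFICATE REQUEST-----” lines.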



Make sure to take a backup of the keystore, because once it is lost or damaged you will not be able to recover it. Remember that the CSR, once signed, can be imported back only into the same keystore (or its backup copy).


e) Once you get the signed certificate back from the third-party CA, you have to import it into your keystore along with the certificate of the CA who signed it.

Convert the CA certificates and the signed certificate received from the CA into PEM format and store them in the same directory as the keystore (D:\b2bkeystores). As there may be a chain of CA certificates, store each certificate of the chain in a separate file.

Now run the below command to import the top certificate in the chain (the Root CA certificate, which must be a self-signed certificate of the CA) –

keytool -importcert -v -noprompt -trustcacerts -alias rootCA -file rootCA.pem -keystore keystore.jks -storepass welcome1

where “rootCA” is the alias of this certificate and “rootCA.pem” is the file which contains the Root CA certificate.

You should see the below line if the certificate is added to the keystore successfully –

Certificate was added to keystore

Now repeat this step for every CA certificate in the certificate chain, using a different and meaningful alias each time.

For Verisign-issued certificates, there may be two CA certificates in the chain: the Root CA certificate and the Intermediate CA certificate. So you have to execute the above command once for the Root CA and then once for the Intermediate CA.

f) Once you are done importing the CA certificates, import the signed reply certificate using the below command –

keytool -importcert -v -alias serverCert -file serverCert.pem -keystore keystore.jks -keypass welcome1 -storepass welcome1

where “serverCert” is the alias of the certificate we generated and “serverCert.pem” is the signed certificate sent by the CA (in PEM format).

If it is imported successfully, you will see the below line –

Certificate reply was installed in keystore

Make sure that you use the same alias that you used while generating the certificate and generating the CSR (steps c and d).

Now if you run the list command, it will show all the CA certificates you imported as “trustedCertEntry” and the certificate you generated (and got signed) as a “keyEntry” –

keytool -list -keystore keystore.jks -storepass welcome1


Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

verisignintermediate, Oct 18, 2010, trustedCertEntry,
Certificate fingerprint (MD5): BA:B0:65:B4:3B:9C:E8:40:30:21:7D:C5:C6:CD:3F:EB
serverCert, Oct 18, 2010, keyEntry,
Certificate fingerprint (MD5): 89:C3:19:1D:17:43:76:0A:C3:2E:FB:1F:1F:35:74:D1
verisignroot, Oct 18, 2010, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C


g) Run the below command to export the public certificate of your server from the keystore –

keytool -exportcert -alias serverCert -file serverCert.cer -keystore keystore.jks -storepass welcome1


You should see below line on prompt -

Certificate stored in file

The above command creates a file named “serverCert.cer”, which is the public certificate of your server that you may share with your Trading Partners.

h) Now import the certificate of all your Remote Trading Partners along with their CA certificates, in the keystore we created. First of all store your TP’s certificate and their respective CA’s certificate in separate files in PEM format (as we did in step ‘e’). After that import all the Root CA certificates (if any) with different alias and then import all the intermediate CA certificates (if any) with different alias and after that import the certificates of all your TP’s with different alias, in the keystore we created.

To add first root CA cert in the keystore, you may use below command –

keytool -importcert -v -noprompt -trustcacerts -alias VerisignRootCA -file VerisignRootCA.pem -keystore keystore.jks -storepass welcome1

where “VerisignRootCA.pem” is a file which holds the VerisignRootCA certificate in PEM format

You should see below lines on prompt –

Certificate was added to keystore
[Storing keystore.jks]

Repeat this process and re-run the above mentioned importcert command for all the certificates.
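
The check described in step f (CA certificates listed as trustedCertEntry, the signed certificate under the original alias as a key entry) can be automated over the `keytool -list` output. The following Python is an added example, not part of the original post; the function names, the alias names passed in and the second, failing listing (shown without fingerprint lines) are constructed for illustration.

```python
import re

# One entry line of `keytool -list`, e.g. "verisignroot, Oct 18, 2010, trustedCertEntry,"
ENTRY = re.compile(r"^(?P<alias>[^,]+), \w{3} \d{1,2}, \d{4}, (?P<type>\w+),\s*$")
COUNT = re.compile(r"^Your keystore contains (\d+) entr")
KEY_TYPES = {"privatekeyentry", "keyentry"}  # both spellings appear in the post's listings


def parse_keytool_list(text):
    """Return (declared entry count, {lower-cased alias: entry type})."""
    declared, entries = None, {}
    for line in map(str.strip, text.splitlines()):
        if m := COUNT.match(line):
            declared = int(m.group(1))
        elif m := ENTRY.match(line):
            entries[m.group("alias").lower()] = m.group("type")
    return declared, entries


def audit_keystore(text, identity_alias, trusted_aliases):
    """List problems in a keystore that serves as both identity and trust store."""
    declared, entries = parse_keytool_list(text)
    ident = identity_alias.lower()  # aliases are compared case-insensitively
    expected = {a.lower() for a in trusted_aliases}
    problems = []
    if declared != len(entries):
        problems.append(f"listing declares {declared} entries, parsed {len(entries)}")
    if entries.get(ident, "").lower() not in KEY_TYPES:
        problems.append(f"identity alias '{ident}' is missing or holds no private key")
    for alias in sorted(expected):
        if entries.get(alias) != "trustedCertEntry":
            problems.append(f"expected CA certificate '{alias}' is missing")
    # Extra entries are unrequested trust anchors, or a reply imported under a new alias.
    for alias in sorted(set(entries) - expected - {ident}):
        problems.append(f"unexpected entry '{alias}' ({entries[alias]})")
    return problems


# Entry lines of the listing shown in the post after step f.
GOOD_LISTING = """\
Your keystore contains 3 entries
verisignintermediate, Oct 18, 2010, trustedCertEntry,
Certificate fingerprint (MD5): BA:B0:65:B4:3B:9C:E8:40:30:21:7D:C5:C6:CD:3F:EB
serverCert, Oct 18, 2010, keyEntry,
Certificate fingerprint (MD5): 89:C3:19:1D:17:43:76:0A:C3:2E:FB:1F:1F:35:74:D1
verisignroot, Oct 18, 2010, trustedCertEntry,
Certificate fingerprint (MD5): CB:17:E4:31:67:3E:E2:09:FE:45:57:93:F3:0A:FA:1C
"""

# Constructed listing: intermediate CA never imported, reply imported as "signedcert".
BAD_LISTING = """\
Your keystore contains 3 entries
verisignroot, Oct 18, 2010, trustedCertEntry,
servercert, Oct 18, 2010, PrivateKeyEntry,
signedcert, Oct 19, 2010, trustedCertEntry,
"""

if __name__ == "__main__":
    print(audit_keystore(BAD_LISTING, "serverCert", ["verisignroot", "verisignintermediate"]))
```

An empty result means the listing matches what steps e and f should have produced; the date pattern assumes the English-locale format shown in the post.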


Step #2 – Configuring Keystore on SOA Server


Now we have to configure the keystore we created on the SOA server. Open the Oracle WebLogic Admin console (by default http://localhost:7001/console) and log in.

Go to Environment --> Servers and click on the SOA server name (by default soa_server1). Select the checkbox against “SSL Listen Port Enabled” and provide the value for “SSL Listen Port” (by default 8002). Now click on “Save” to save the changes.






Now go to the “keystore” sub-tab of the “Configuration” tab, click on the “Change” button against the “Keystores” setting and select “Custom Identity and Custom Trust” from the “Keystores” dropdown –



Click on “Save” and it will ask you to provide the keystore location (absolute path and filename), type and password for both Trust and Identity. Provide the details of the keystore we created in both sections (Identity & Trust) –


Click on “Save” to save the configuration. Now go to the SSL sub-tab, provide the private key alias and password, and save the configuration –


You are now done with the configuration on the SOA server. To check whether the keystore and SSL configuration are behaving properly, open the Oracle B2B console over HTTPS in any browser (by default https://localhost:8002/b2b, where 8002 is the SSL listen port of the SOA server). If it opens properly, the configuration is working, and you may also view the certificate it presents in Microsoft Internet Explorer (IE7/IE8).



You may see a certificate warning in IE if your certificate has not been signed by a trusted third-party CA and you have not yet installed it on Windows. You may safely ignore this warning.




Another test case is to access the Oracle B2B default HTTP delivery channel over HTTPS (https://localhost:8002/b2b/httpreceiver) in any web browser. If it is accessible over HTTPS, you should see the below text in the browser –

B2B Server

B2B Server is ready to accept HTTP messages from the Trading Partner






Step #3 – Configuring Keystore on Oracle B2B Console


Now we have to configure the keystore for the Host Trading Partner on the Oracle B2B console (by default http://localhost:8001/b2b or http://localhost:8001/b2bconsole).

First of all, open the B2B console and log in. Now navigate to the “Profile” tab of the Host Trading Partner. Scroll down and you will see the “Key Store” configuration section. Provide the location of the keystore (absolute path with name) and its password –





Click on “Save” button to save the configuration –



You are done with the configuration and guess what, you may now use message security and transport security with Oracle B2B 11g!!!

38 comments:

  1. Very detailed post - Keep up the good work you're doing for the community

  2. Hi - I am unable to access my webapplication hosted on weblogic 11g, using Internet Explorer. FireFox works just fine.

    Any insights appreciated?

  3. Hi Anuj,

    I always had 1 confusion while sharing our certificates with trading partners. I got my certificate signed, imported RootCA and all other intermediate certificates. Now should I export my server certificate (alias) and share with trading partners? Or should I export my RootCA (alias) and share with partners?

    Please answer me. Thanks.

  4. Hello Siva,

    Ideally you should share both CA certs and the leaf server cert, but if the CA is a well known third party CA like Verisign or Thawte then your partner may already have their certs, so in that case you may share only your server cert's copy.

  5. While saving the Channel setup in b2b, the channel saves but with Error: Fail to access key store.Cannot recover key. The Security information allows me to access the keystore and choose both the Digital signature and Encryption certificates? Why do I get this error?

  6. It seems your private key password and keystore password are not same and that's why you got this error. Make sure that both private key and keystore have same password.

  7. Great Post...

    We are doing ebMS 2.0 B2B and trying to use Digital Signature.

    I created an outbound channel and managed to specify alias serverCert in the Digital Signature security.

    We are currently getting an error receiving the TP message and complaining about validation error.

    My assumption is that it was using the serverCert to validate the signature, not the rtpCert.

    I created an inbound channel in which I want to specify rtpCert in the Digital Signature security. Is this the way to explicitly specify to use the TP public key as the key to validate the message?

  8. Hi Robert,

    Are you getting a signature validation error? From configuration perspective, you should create one ebMS 2.0 channel under remote TP configuration (channels tab) and select appropriate certificates there. Add this channel in the inbound agreement you create. B2B will take care of using appropriate cert at runtime. If you still face issue, please raise a thread on OTN B2B forum and we may discuss it there in detail.

  9. thanks for post !

  10. Very brief post ! Read it thoroughly and found it interesting one. I just read it and try to implement it on oracle on my system and I did everything without single error. It is only because of you..Thanks dear..you are genius.

  11. Your post is very useful. I would like to ask one question where I don't get any answer.

    How can I convert a .cer file to a .pem file using the keytool utility?

    I guess answer to this question can solve my entire certificate issue.

  12. @How can I convert .cer file to .pem file using keytool utility.

    Easiest way is to import the cer into IE by installing the certificate and then export it back from IE in Base64 Encoded format (again .cer file will be created). Just rename the exported Base64 encoded file to ".pem". All the certificates which are Base64 encoded can be opened in notepad and you can see their text content (ASCII) which starts from "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". You may also use Firefox to export in PEM format. If you are looking for a tool then use OpenSSL.

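
The conversion asked about in this exchange, which step e of the post also needs (each certificate of the chain in its own PEM file), is a re-encoding: a PEM certificate is the Base64 of the DER bytes between BEGIN/END CERTIFICATE lines. The following Python is an added example, not part of the original thread; the function names are illustrative and the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM certificate block; tolerant of CRLF line endings and of free text
# between blocks, both of which occur in chain bundles sent by CAs.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def wrap_pem(der):
    """Encode DER bytes as one PEM block with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def split_certs_to_pem(data):
    """Return every certificate in `data` as its own normalized PEM string.

    Accepts a binary DER file (one certificate) or a PEM file holding one or
    more certificates; raises ValueError for anything else.
    """
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        # b64decode ignores the line breaks inside each block by default.
        return [wrap_pem(base64.b64decode(block)) for block in blocks]
    # DER certificates start with an ASN.1 SEQUENCE tag (0x30) followed by a
    # long-form length byte (high bit set).
    if len(data) > 2 and data[0] == 0x30 and data[1] & 0x80:
        return [wrap_pem(data)]
    raise ValueError("input is neither PEM nor DER certificate data")


# Constructed samples: placeholder bytes with a DER-style header, standing in
# for the CA's files. They are not parseable X.509 certificates.
SAMPLE_ROOT_DER = b"\x30\x82\x00\x60" + bytes(range(96))
SAMPLE_INTERMEDIATE_DER = b"\x30\x82\x00\x30" + bytes(range(100, 148))
SAMPLE_BUNDLE = (
    b"intermediate\r\n"
    + wrap_pem(SAMPLE_INTERMEDIATE_DER).replace("\n", "\r\n").encode("ascii")
    + b"root\r\n"
    + wrap_pem(SAMPLE_ROOT_DER).encode("ascii")
)

if __name__ == "__main__":
    for number, pem in enumerate(split_certs_to_pem(SAMPLE_BUNDLE), start=1):
        print(f"certificate {number}:\n{pem}", end="")
```

Each returned string can be written to its own .pem file and passed to the `keytool -importcert` commands from step e.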
  13. hi

    How can I generate certificates in a Cluster environment? Do I need to create 2 Certificates, one on server1 and one on server2? If so, how do we configure the b2b? Please help me ASAP.

    Regards
    Kumar

    Replies
    1. Kumar,

      Usually, one certificate is used for all the servers which belong to the same cluster/domain, depending upon the implementation; however, technically it is possible to configure a different certificate for each server. For using a common certificate, you may generate the certificate with a wild card in CN, e.g. CN=*.mycompany.com

      Once you are ready with the certificate, configure it in the same manner as described here.

  14. Your articles don’t beat around the bushes, exactly to the point.

  15. Great blog you people have maintained there, I totally appreciate the work.

  16. Anuj, your articles are so well-written and easy to follow. They are quite possibly the best that I've ever seen. You use your expertise to make a complicated subject simple and you have the skill to be able to communicate well to others. I'm very impressed and equally grateful. Keep up the good work!
    -Matt

  17. You guys make it really easy for all the folks out there.

  18. Hi Anuj,

    I am very new to B2B. I was asked to create custom XML via AS2 exchange protocol in B2B 11g for a trading partner. Can you please explain to me what needs to be set up for accepting AS2 messages in B2B?

    Thanks,
    Bob.

  19. Hi Anuj,

    Good post to learn b2b in easy way.............

    Thanks a lot
    Satheesh goud

  20. Hi Anuj,

    I am getting the below error after I added the keystore location and password. Can you please suggest on this?

    B2B-51202: No certificate in the directory for this user

  21. Hi Anuj,

    Could you please suggest: is it possible to receive messages from TP to B2B host over Generic HTTP channel over HTTP? Messages are reaching B2B, but it is not identifying the Agreements and Document.

    Pushing messages from TP to Host (http://localhost:8001/b2b/transportServlet) for custom XML.

    Oracle B2B version is: 11.1.1.6
    Regards,
    Rajesh

  22. Hi Anuj,

    What username and password should we give for the authentication?

  23. Hi Anuj,

    My Trading partner is trying to send the messages and it is being timed out. They are asking me to give the username and password for the URL. When I created the keystore I didn't add any username or password. How can I give the username and password to them? How to enable the authentication?

  24. Hi Anuj,
    Is there a way to implement 2 way SSL with Oracle B2B?

  25. Hi Anuj,

    The keystore password which we update in B2B console is getting cleared whenever we bounce the SOA. Is there any solution to make it permanent, or do you think we are missing something in our configuration?

    Appreciate your inputs

  26. Very helpful article ! I was always curious about all these complex algorithms that are being used in these ssl encryptions.

  27. Hi Anuj,

    I am using Oracle 12c (SOA Cloud Service) for Oracle B2B.
    As per their documentation I created the following stripe and keystore - kss://B2B/WD - in KSS.
    I also imported Trading Partner Certificates in this keystore.
    The Trading Partner is sending messages encrypted with my public key certificate.
    But on receiving the message, our B2B is not able to decrypt it, as it is not able to find the private key in the keystore - kss://B2B/WD.
    So I exported the private key with the following command:
    keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12
    It generated the new-store.p12 file. But I am not able to import the same in the KSS store.
    Am I doing the correct thing here?
    Still I am not able to import this new-store.p12 file in the kss://B2B/WD keystore, since EM console is asking for an alias name in the drop down and in the drop down no alias name is present.
    Thanks & Regards,
    Yogesh Khedekar
    Mobile : +91 9920557414
