Thursday, April 21, 2011

Implementing Message Security in Oracle B2B 11g

I have already blogged about how to enable SSL on WebLogic and configure keystores in Oracle B2B 11g. In this post I will show how to use message security with Oracle B2B.

First, let me explain what message security covers. With message security you can:

1. Encrypt an outgoing message so that nobody other than the intended recipient can read it
2. Sign an outgoing message so that the receiver can verify that it was actually sent by a trusted party and has not been modified or manipulated in transit

Encryption is always done with the public key (the public certificate) of the party the message is being sent to. Signing is always done with the private key of the party sending the message.

Now that you understand that message security needs a pair of keys (a private key and a public key), you should also understand that two parties communicating with each other MUST NOT use the same key pair; in other words, they CANNOT use the same key pair. Each party must have its own keystore configured on its server.
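To make the key roles concrete, here is an added example (written for this post, not Oracle B2B's own code) in Go's standard library: the sender signs with its own private key and encrypts for the recipient's public certificate, and the recipient unwraps with its own private key and verifies against the sender's certificate. It assumes a simplified envelope (a one-time AES-GCM content key wrapped with RSA-OAEP) rather than the real S/MIME structures AS2 uses, and the names NewKeyPair, SignAndEncrypt, DecryptAndVerify and Envelope are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is the wire form: ciphertext, the one-time AES key wrapped for the recipient, and the sender's signature over the plaintext.
type Envelope struct{ Nonce, Ciphertext, WrappedKey, Signature []byte }
// NewKeyPair stands in for one server's PrivateKeyEntry (keytool -genkeypair in the post); its public half is what the other side imports.
func NewKeyPair() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if crypto/rand fails, which aborts the process on Go 1.24+
	return k
}
// SignAndEncrypt signs with the SENDER's private key and encrypts for the RECIPIENT's public key (the cert imported as trusted).
func SignAndEncrypt(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	d := sha256.Sum256(msg) // the post's certs use SHA1withRSA; SHA-256 is the current choice
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, d[:])
	if err != nil {
		return nil, err
	}
	kn := make([]byte, 32+12) // fresh AES-256 content key followed by a 96-bit GCM nonce
	rand.Read(kn)             // crypto/rand.Read cannot fail (Go 1.24+ aborts instead of returning an error)
	block, _ := aes.NewCipher(kn[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{kn[32:], gcm.Seal(nil, kn[32:], msg, nil), wrapped, sig}, nil
}
// DecryptAndVerify unwraps with the RECIPIENT's own private key, then checks the signature against the SENDER's public key; any failure rejects the message.
func DecryptAndVerify(e *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(e.Nonce) != 12 {
		return nil, rsa.ErrDecryption // not the intended recipient, or a malformed envelope
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	msg, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // fails if the ciphertext was modified in transit
	d := sha256.Sum256(msg)
	if err != nil || rsa.VerifyPKCS1v15(sender, crypto.SHA256, d[:], e.Signature) != nil {
		return nil, rsa.ErrVerification // modified, or not signed by the sender's certificate
	}
	return msg, nil
}
```

The nonce and key length checks matter because a forged envelope must be rejected with an error rather than a panic in the AEAD.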

I will use two B2B domains and hence two B2B servers, b2bserver1 and b2bserver2, configured with two different keystores. Each server has a keystore that holds its own private key and the other server's public certificate. I used the keytool commands below to create the keystores and export/import each other's certificate into the respective keystores:

D:\>keytool -genkeypair -alias serverCert -keyalg RSA -keysize 1024 -validity 365 -keypass welcome1 -keystore keystore.jks -storepass welcome1

What is your first and last name?
[Unknown]: localhost.myCompany.com
What is the name of your organizational unit?
[Unknown]: Support
What is the name of your organization?
[Unknown]: MyCompany
What is the name of your City or Locality?
[Unknown]: Hyderabad
What is the name of your State or Province?
[Unknown]: AndhraPradesh
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=localhost.myCompany.com, OU=Support, O=MyCompany, L=Hyderabad, ST=AndhraPradesh, C=IN correct?
[no]: yes

D:\>keytool -list -keystore keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
servercert, Apr 21, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 02:70:1E:A4:CD:86:3C:F3:6B:88:4F:F0:F6:8F:B2:ED

D:\>keytool -exportcert -alias serverCert -file serverCert.cer -keystore keystore.jks -storepass welcome1
Certificate stored in file


D:\>keytool -genkeypair -alias SOAServerCert -keyalg RSA -keysize 1024 -validity 365 -keypass welcome1 -keystore soakeystore.jks -storepass welcome1
What is your first and last name?
[Unknown]: soaserver.myCompany.com
What is the name of your organizational unit?
[Unknown]: Support
What is the name of your organization?
[Unknown]: MyCompany
What is the name of your City or Locality?
[Unknown]: Hyderabad
What is the name of your State or Province?
[Unknown]: AndhraPradesh
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=soaserver.myCompany.com, OU=Support, O=MyCompany, L=Hyderabad, ST=AndhraPradesh, C=IN correct?
[no]: yes


D:\>keytool -exportcert -alias SOAServerCert -file SOAServerCert.cer -keystore soakeystore.jks -storepass welcome1
Certificate stored in file


D:\>keytool -importcert -trustcacerts -alias SOAServerCert -file SOAServerCert.cer -keystore keystore.jks -storepass welcome1
Owner: CN=soaserver.myCompany.com, OU=Support, O=MyCompany, L=Hyderabad, ST=AndhraPradesh, C=IN
Issuer: CN=soaserver.myCompany.com, OU=Support, O=MyCompany, L=Hyderabad, ST=AndhraPradesh, C=IN
Serial number: 4dafd400
Valid from: Thu Apr 21 12:21:44 IST 2011 until: Fri Apr 20 12:21:44 IST 2012
Certificate fingerprints:
MD5: 70:7E:86:6A:03:E8:54:31:04:9D:3B:97:69:50:2E:ED
SHA1: 9C:69:D6:47:27:11:27:BE:72:9E:3A:0C:8E:F0:F0:80:AB:D0:D5:99
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

D:\>keytool -importcert -trustcacerts -alias serverCert -file serverCert.cer -keystore soakeystore.jks -storepass welcome1
Owner: CN=localhost.myCompany.com, OU=Support, O=MyCompany, L=Hyderabad, ST=AndhraPradesh, C=IN
Issuer: CN=localhost.myCompany.com, OU=Support, O=MyCompany, L=Hyderabad, ST=AndhraPradesh, C=IN
Serial number: 4dafd232
Valid from: Thu Apr 21 12:14:02 IST 2011 until: Fri Apr 20 12:14:02 IST 2012
Certificate fingerprints:
MD5: 02:70:1E:A4:CD:86:3C:F3:6B:88:4F:F0:F6:8F:B2:ED
SHA1: 6E:49:33:62:BF:76:27:8A:74:44:DB:73:27:69:80:D3:ED:3B:E7:6B
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

Now configure the keystore keystore.jks on b2bserver1 and the keystore soakeystore.jks on b2bserver2:



You can now use these keystores for message security on Oracle B2B.


Now configure the MarketInc AS2 channel (Remote TP Channel) with message security on b2bserver1:


In "Exchange Protocol Parameters" of the same channel I also enabled the "Signed and Compressed" setting.


Now configure the OracleServices AS2 channel (Remote TP Channel) with message security on b2bserver2:


In "Exchange Protocol Parameters" of the same channel I also enabled the "Signed and Compressed" setting.


Now configure the agreements on both servers with the respective channels and deploy them.
On b2bserver1:



On b2bserver2:


Now you are ready to test your configuration. Push a message to b2bserver1 from the middleware: b2bserver1 must sign and encrypt the message before sending it to b2bserver2, and b2bserver2 must be able to decrypt the message and verify the signature. Similarly, b2bserver2 must sign and encrypt the message before sending it to b2bserver1, and b2bserver1 must be able to decrypt it and verify the signature. In the Business Message report you can see the status of the messages, and in the Wire Message report you can see the "Message Digest" and "Digest Algorithm" fields, which prove that the message has been signed. When you try to view the "Packed Message", you will get the message below:


Data is encrypted and can not be displayed.

This proves that the message has been encrypted. Advanced users can also check the logs to verify that signing and encryption are happening properly. Go ahead and experiment further with it.

16 comments:

  1. Excellent piece of information. Awesome. Keep rocking.
  2. Hi Anuj

    Not sure if you have tried using a Version 3 certificate?
    It seems it does not work with 11g.

    The keytool is only able to generate Version 1 certificates, and WebLogic 11g has no problem with it.

    Please let me know if you have a workaround.

    Cheers
  3. @not sure if you have tried using Version 3 certificate?

    Yes, I worked with a V3 certificate only and it is working perfectly. May I know what exact issue you are facing?

    Regards,
    Anuj
  4. Nice post!!! It works perfectly for me.
  5. I read the earlier post too and it was excellent. Even the above article that you have posted on implementing message security is of great help to me. It worked perfectly well for me.
    sap project system
  6. This comment has been removed by the author.

    Replies
    1. Message Security is independent of Transport Security (HTTPS) and hence it will work without HTTPS as well.
  7. Rosettanet-v02 protocol: under the Security tab the second Encryption drop-down does not show any value. Are any special changes needed for RosettaNet?

    Steps I followed:
    1) server1
    created .jks (say jks1) and cer (say cer1) and copied server2 cert (say cer2) and generated .jks (say jks2) files

    2) server2
    same as above (copied cer1 and generated jks2)
    3) on B2B console configured .jks file
    4) RosettaNet security tab selected serverCert for Digital Signature

    Nothing is available for Encryption
  8. What would be the consequences of having two private keys in the same b2bkeystore.jks file? In other words, can there be two hosts configured in Oracle B2B? Please share your views on this.
  9. This is really a great tip given here and good information to share. Thanks for this input. Oracle Goldengate
  10. Excellent post Anuj. I have a doubt: if we have more than one trading partner and we have imported all of their digital certificates into the same keystore, then at runtime, while executing a particular AS2 outbound channel of one of the TPs, how will B2B know to use the correct digital certificate associated with that trading partner?

    --
    Syam
  11. Hi! I am a digital marketer. The previous SEO guy working for my client has left a spammy comment on your blog with the username Soledad Knight which links to my client's site.
    Such comments are causing serious damage to my client's site with respect to SEO, which is why I am requesting you hereby to remove it ASAP.
    If you don't remove it by 11:59 pm, Pacific Standard Time, 3rd January 2014, we will have to use Google's Disavow Tool to get the backlink removed and, sorry to say this, but Google may not look too kindly upon you either for not having removed the comment.
    Thanks in advance for your cooperation.
  12. Hi!
    Thanks for sharing your forum. I really appreciate your tips and I will be waiting for your further writing. Thanks once again.

    Certificates Attestation Hyderabad
  13. Hi Anuj,

    I have configured AS2 over HTTPS. Host and TP have shared their certs with each other and imported them into their keystores. I have configured the TP's HTTPS URL on the AS2 listening channel in the B2B console, but I am getting a BAD certificate error while testing the outbound service.
  14. Hi Anuj,
    We are facing a problem in communication. The customer is sending some files but we did not receive all of them. For example, the customer sent 48 files and we received only 30 files; for the remaining 18 files they received a time out error. When I asked what the wait time is, they said they have no idea what the wait time is (they don't even know the default wait time). They just told us they configured 5 retries.
    So do you have any idea what the wait time is and how to increase the default wait time?
    Thanks,
    Rajesh