Click Create Key to create new entries in the oracle.wsm.security credential

Setting Up Your Environment for Policies 10-21

5. Use the createCred command to create entries in the oracle.wsm.security credential map for the ServiceA and ServiceB aliases. For example, create an entry csfServiceA for the ServiceA alias, using a command such as the following:

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="csfServiceA", user="ServiceA", password="welcome1", desc="Key for ServiceA")

6. Repeat step 5 to create an entry for any additional aliases, for example csfServiceB for the ServiceB alias.

7. Use the createCred command to create entries in the oracle.wsm.security credential map for any csf-key user credentials, for example basic.credentials:

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="basic.credentials", user="AppID", password="AppPWord", desc="Key for ServiceA")

8. View the details about a key in the credential store using the listCred command, as shown in the following example:

listCred(map="oracle.wsm.security", key="csfServiceA")

How Oracle WSM Locates Keystore And Key Passwords

Oracle WSM expects keystore and key passwords to be in the Credential Store Framework (CSF). Here is how it works.

■ A JKS keystore file is protected by a keystore password.
■ A keystore file consists of zero or more private keys and zero or more trusted certificates. Each private key has its own password, although it is common to set the key passwords to be the same as the keystore password. Oracle WSM needs to know both the keystore password and the key password.
■ The CSF consists of many maps, each with a distinct name. Oracle WSM only uses the map oracle.wsm.security.
■ Inside each map is a mapping from multiple csf-key entries to corresponding credentials. A csf-key is just a simple name, but there can be many different types of credentials. The most common type of credential is a password credential, which is primarily comprised of a username and a password.
Oracle WSM refers to the following csf-keys inside the oracle.wsm.security map:
– keystore-csf-key - This key should contain the keystore password. The username is ignored.
– enc-csf-key - This key should contain the encryption key alias as the username, and the corresponding key password.
– sign-csf-key - This key should contain the signature key alias as the username, and the corresponding key password.

In addition to these csf-keys, you should add a csf-key entry for every new private key that you want Oracle WSM to use, for example when you want to specify signature and encryption keys in configuration overrides.

10-22 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

Figure 10–8 illustrates the relationship between the keystore configuration in the OPSS, the oracle.wsm.security map in the credential store, and the Oracle WSM Java keystore.

Figure 10–8 Oracle WSM Keystore Configuration for Message Protection

As shown in the figure:

■ The keystore.csf.map property points to the Oracle WSM map in the credential store that contains the CSF aliases. In this case keystore.csf.map is defined as the recommended name oracle.wsm.security, but it can be any value.
■ The keystore.pass.csf.key property points to the CSF alias keystore-csf-key, which is mapped to the username and password of the keystore. Only the password is used; the username is redundant in the case of the keystore.
■ The keystore.sig.csf.key property points to the CSF alias sign-csf-key, which is mapped to the username and password of the private key that is used for signing.
■ The keystore.enc.csf.key property points to the CSF alias enc-csf-key, which is mapped to the username and password of the private key that is used for decryption.

Configuring Keystores for SSL

If you want to use any of the policies listed in "Which Policies Require You to Configure SSL?" on page 10-23 or "Which Policies Require You to Configure Two-Way SSL?" on page 10-23, you must configure keystores for SSL.
SSL provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient. A client certificate (two-way SSL) can be used to authenticate the user. This section describes how to set up a Web service client and the WebLogic Server Web service container to send requests over SSL.
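The lookup described under "How Oracle WSM Locates Keystore And Key Passwords" above, as an added Python illustration that is not Oracle's code: the keystore properties name a CSF map and three csf-keys, each csf-key holds a username and password, and a configuration override can point keystore.sig.csf.key at a per-alias entry such as csfServiceA. The credential store and configuration are constructed sample dicts (the alias sampleKey and the passwords are made up), and the resolver reports a missing csf-key instead of silently returning nothing.

```python
# Added illustration of the csf-key lookup, modelled as plain dicts.
# Not Oracle WSM's implementation; all values below are constructed samples.

# Constructed credential store: map name -> csf-key -> (username, password).
SAMPLE_CSF = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("unused", "ks-secret"),    # username is ignored
        "sign-csf-key": ("sampleKey", "key-secret"),    # username = key alias
        "enc-csf-key": ("sampleKey", "key-secret"),
        "csfServiceA": ("ServiceA", "welcome1"),        # per-alias entry (step 5)
    },
}

# Constructed keystore configuration, using the property names from Figure 10-8.
SAMPLE_CONFIG = {
    "keystore.csf.map": "oracle.wsm.security",
    "keystore.pass.csf.key": "keystore-csf-key",
    "keystore.sig.csf.key": "sign-csf-key",
    "keystore.enc.csf.key": "enc-csf-key",
}

KEY_PROPS = ("keystore.pass.csf.key", "keystore.sig.csf.key", "keystore.enc.csf.key")


def missing_csf_keys(config, csf, overrides=None):
    """List (property, csf-key) pairs that the configured map does not hold.
    overrides may replace keystore.sig.csf.key / keystore.enc.csf.key, as a
    policy configuration override does. An absent map reports every key."""
    props = {**config, **(overrides or {})}
    entries = csf.get(props["keystore.csf.map"], {})
    return [(p, props[p]) for p in KEY_PROPS if props[p] not in entries]


def resolve_keystore_credentials(config, csf, overrides=None):
    """Return {'keystore': password, 'sign': (alias, pw), 'enc': (alias, pw)}.
    Raises KeyError naming the first missing csf-key rather than returning an
    empty credential, so a misconfiguration surfaces in a preflight check."""
    missing = missing_csf_keys(config, csf, overrides)
    if missing:
        raise KeyError("csf-key %r (from %s) not found" % (missing[0][1], missing[0][0]))
    props = {**config, **(overrides or {})}
    entries = csf[props["keystore.csf.map"]]
    _, keystore_pw = entries[props["keystore.pass.csf.key"]]  # username ignored
    return {"keystore": keystore_pw,
            "sign": entries[props["keystore.sig.csf.key"]],
            "enc": entries[props["keystore.enc.csf.key"]]}
```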