Start WLST using the WLST.sh/cmd command located in the oracle_

10-22 Oracle Fusion Middleware Security and Administrators Guide for Web Services

Figure 10–8 illustrates the relationship between the keystore configuration in the OPSS, the oracle.wsm.security map in the credential store, and the Oracle WSM Java keystore.

Figure 10–8 Oracle WSM Keystore Configuration for Message Protection

As shown in the figure:

■ The keystore.csf.map property points to the Oracle WSM map in the credential store that contains the CSF aliases. In this case keystore.csf.map is defined as the recommended name oracle.wsm.security, but it can be any value.
■ The keystore.pass.csf.key property points to the CSF alias keystore-csf-key that is mapped to the username and password of the keystore. Only the password is used; the username is redundant in the case of the keystore.
■ The keystore.sig.csf.key property points to the CSF alias sign-csf-key that is mapped to the username and password of the private key that is used for signing.
■ The keystore.enc.csf.key property points to the CSF alias enc-csf-key that is mapped to the username and password of the private key that is used for decryption.

Configuring Keystores for SSL

If you want to use any of the policies listed in "Which Policies Require You to Configure SSL?" on page 10-23 or "Which Policies Require You to Configure Two-Way SSL?" on page 10-23, you must configure keystores for SSL.

SSL provides secure connections by allowing two applications connecting over a network to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient. A client certificate (two-way SSL) can be used to authenticate the user.

This section describes how to set up a Web service client and the WebLogic Server Web service container to send requests over SSL.
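As an added example (not Oracle's code), the following Python check walks the chain shown in Figure 10–8: it resolves keystore.csf.map to a credential-store map, resolves the three CSF keys to entries in that map, and confirms that the signing and decryption aliases are private-key entries in a keytool listing of the Oracle WSM keystore; it also flags DSA keys, which the keystore procedure later in this section notes WebLogic Server does not support. The credential-store contents, the keytool output and the assumption that a CSF entry's user name is the key alias in the JKS are constructed inputs, not values from this guide.

```python
import re
# Keystore properties as configured in OPSS (property names and recommended values from the page).
KEYSTORE_PROPS = {"keystore.csf.map": "oracle.wsm.security", "keystore.pass.csf.key": "keystore-csf-key",
                  "keystore.sig.csf.key": "sign-csf-key", "keystore.enc.csf.key": "enc-csf-key"}

# Constructed credential store: map name -> CSF alias -> (user name, password). Assumption:
# for the sign/enc entries the user name is the alias of the private key in the JKS keystore.
CRED_STORE = {"oracle.wsm.security": {"keystore-csf-key": ("owsm", "keystore-password"),
                                      "sign-csf-key": ("orakey", "key-password"),
                                      "enc-csf-key": ("legacykey", "key-password")}}
# Constructed excerpt of `keytool -list -v` output for the Oracle WSM keystore.
KEYTOOL_LISTING = """\
Alias name: orakey
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA
Alias name: legacykey
Entry type: PrivateKeyEntry
Signature algorithm name: SHA1withDSA
Alias name: demoCA
Entry type: trustedCertEntry
Signature algorithm name: SHA256withRSA
"""

def parse_keytool_listing(text):
    """Return {alias: (entry type, signature algorithm)} from keytool -list -v output."""
    entries = {}
    for block in re.split(r"(?=^Alias name:)", text, flags=re.M):
        fields = dict(re.findall(r"^([^:\n]+): (.+)$", block, flags=re.M))
        if "Alias name" in fields:
            entries[fields["Alias name"]] = (fields.get("Entry type", ""), fields.get("Signature algorithm name", ""))
    return entries

def check_keystore_config(props, cred_store, listing):
    """Return one finding per reference that does not resolve; an empty list means the chain is consistent."""
    csf_map = cred_store.get(props["keystore.csf.map"])
    if csf_map is None:
        return ["keystore.csf.map %r is not a map in the credential store" % props["keystore.csf.map"]]
    entries, findings = parse_keytool_listing(listing), []
    for prop in ("keystore.pass.csf.key", "keystore.sig.csf.key", "keystore.enc.csf.key"):
        cred = csf_map.get(props[prop])
        if cred is None:
            findings.append("%s -> CSF alias %r is missing from the map" % (prop, props[prop]))
        elif prop != "keystore.pass.csf.key":  # keystore entry: only its password is used, so no alias check
            entry = entries.get(cred[0])
            if entry is None or entry[0] != "PrivateKeyEntry":
                findings.append("%s -> key alias %r is not a private key in the keystore" % (prop, cred[0]))
            elif entry[1].upper().endswith("WITHDSA"):
                findings.append("%s -> key alias %r is a DSA key, which WebLogic Server does not support" % (prop, cred[0]))
    return findings
```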
Setting Up Your Environment for Policies 10-23

To use SSL in a Web service application, you need to:

■ Configure the WebLogic Server keystore and SSL settings.
■ Configure the Web service client keystore and SSL settings.

These steps are described in the sections that follow.

Which Policies Require You to Configure SSL?

The predefined policies that require you to configure SSL are as follows:

■ oracle/wss_http_token_over_ssl_service_policy
■ oracle/wss_http_token_over_ssl_client_policy
■ oracle/wss_saml_token_bearer_over_ssl_server_policy
■ oracle/wss_saml_token_bearer_over_ssl_client_policy
■ oracle/wss_saml_token_over_ssl_service_policy
■ oracle/wss_saml_token_over_ssl_client_policy
■ oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template
■ oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template
■ oracle/wss_username_token_over_ssl_service_policy
■ oracle/wss_username_token_over_ssl_client_policy

In addition, you can create a new policy that requires SSL by using the following templates:

■ oracle/wss_http_token_over_ssl_service_template
■ oracle/wss_http_token_over_ssl_client_template
■ oracle/wss_saml_token_bearer_over_ssl_service_template
■ oracle/wss_saml_token_bearer_over_ssl_client_template
■ oracle/wss_saml_token_over_ssl_service_template
■ oracle/wss_saml_token_over_ssl_client_template
■ oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template
■ oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template
■ oracle/wss_username_token_over_ssl_service_template
■ oracle/wss_username_token_over_ssl_client_template

See Appendix C, "Predefined Assertion Templates" and Appendix B, "Predefined Policies" for more information on these assertions and policies.

Which Policies Require You to Configure Two-Way SSL?
The predefined policies that require you to configure two-way SSL are as follows:

■ oracle/wss_saml_token_over_ssl_client_policy
■ oracle/wss_saml_token_over_ssl_service_policy
■ oracle/wss_username_token_over_ssl_client_policy, when mutual authentication is selected.
■ oracle/wss_username_token_over_ssl_service_policy, when mutual authentication is selected.
■ oracle/wss_http_token_over_ssl_client_policy, when mutual authentication is selected.
■ oracle/wss_http_token_over_ssl_service_policy, when mutual authentication is selected.

In addition, you can create a new policy that requires two-way SSL by using the following templates:

■ oracle/wss_saml_token_over_ssl_client_template
■ oracle/wss_saml_token_over_ssl_service_template

How to Configure a Keystore on WebLogic Server

Private keys, digital certificates, and trusted certificate authority certificates establish and verify identity and trust in the WebLogic Server environment. This section briefly summarizes the steps that are required to configure the keystore in WebLogic Server. See the following two sources for complete information:

■ Oracle WebLogic Server Administration Console Help, particularly the topic Servers: Configuration: Keystores.
■ Securing Oracle WebLogic Server, particularly Configuring Identity and Trust.

WebLogic Server is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Server trusts the certificate authorities in the cacerts file in the JDK. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment.

To configure identity and trust for a server:

1. Obtain digital certificates, private keys, and trusted CA certificates from Sun Microsystems' keytool utility, or a reputable vendor such as Entrust or Verisign, and include them in the keystore. To get the certificate, you must create a Certificate Request and submit it to the CA. The CA will authenticate the certificate requestor and create a digital certificate based on the request. The PEM (Privacy Enhanced Mail) format is the preferred format for private keys, digital certificates, and trusted certificate authorities (CAs).

If you use the keytool utility, the default key pair generation algorithm is Digital Signature Algorithm (DSA). WebLogic Server does not support DSA. Specify another key pair generation and signature algorithm, such as RSA, when using WebLogic Server. For more information about Sun's keytool utility, see the keytool - Key and Certificate Management Tool description at http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.

You can also use the digital certificates, private keys, and trusted CA certificates provided by the WebLogic Server kit. The demonstration digital certificates, private keys, and trusted CA certificates should be used only in a development environment.

2. Create one keystore for identity and one for trust. The preferred keystore format is JKS (Java KeyStore).

3. Load the private keys and trusted CAs into the keystores.

4. In the left pane of the Console, expand Environment and select Servers.

5. Click the name of the server for which you want to configure the identity and trust keystores.

6. Select Configuration, and then Keystores.

7. In the Keystores field, select the method for storing and managing private key/digital certificate pairs and trusted CA certificates. These options are available:

■ Custom Identity and Custom Trust: Identity and trust keystores you create.
■ Demo Identity and Demo Trust: The demonstration identity and trust keystores, located in the ..\server\lib directory and the JDK cacerts keystore, are configured by default. Use for development only.
■ Custom Identity and Java Standard Trust: A keystore you create and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security directory.
■ Custom Identity and Command Line Trust: An identity keystore you create and command-line arguments that specify the location of the trust keystore.

8. In the Identity section, define attributes for the identity keystore.

■ Custom Identity Keystore: The fully qualified path to the identity keystore.
■ Custom Identity Keystore Type: The type of the keystore. Generally, this attribute is Java KeyStore (JKS); if left blank, it defaults to JKS.
■ Custom Identity Keystore Passphrase: The password you will enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether or not you define this property depends on the requirements of the keystore.

9. In the Trust section, define properties for the trust keystore. If you chose Java Standard Trust as your keystore, specify the password defined when creating the keystore. Confirm the password. If you chose Custom Trust, define the following attributes:

■ Custom Trust Keystore: The fully qualified path to the trust keystore.
■ Custom Trust Keystore Type: The type of the keystore. Generally, this attribute is JKS; if left blank, it defaults to JKS.
■ Custom Trust Keystore Passphrase: The password you will enter when reading or writing to the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether or not you define this property depends on the requirements of the keystore.

Note: The passphrase for the Demo Identity keystore is DemoIdentityKeyStorePassPhrase.

10. The changes are automatically activated.

Configuring SSL on WebLogic Server (One-Way)

With one-way SSL, the server is required to present a certificate to the client but the client is not required to present a certificate to the server.

After you configure identity and trust keystores for a WebLogic Server instance as described in "Configuring Keystores for SSL" on page 10-22, you configure its SSL attributes. These attributes describe the location of the identity key and certificate in the keystore specified on the Configuration: Keystores page. Use the Configuration: SSL page to specify this information.

This section summarizes the steps required to configure SSL on WebLogic Server. For complete information, see Securing Oracle WebLogic Server.

To configure SSL:

1. In the left pane of the WebLogic Server Administration Console, expand Environment and select Servers.

2. Click the name of the server for which you want to configure SSL.

3. Select Configuration, and then the SSL page, and choose the location of identity (certificate and private key) and trust (trusted CAs) for WebLogic Server.

4. Set SSL attributes for the private key alias and password.

5. At the bottom of the page, click Advanced.

6. Set Hostname Verification to None.

7. Indicate the number of times WebLogic Server can use an exportable key between a domestic server and an exportable client before generating a new key. The more secure you want WebLogic Server to be, the fewer times the key should be used before generating a new key.

8. Set the Two Way Client Cert Behavior control to Client Certs Not Requested.

9. Specify the inbound and outbound SSL certificate validation methods. These options are available:

■ Builtin SSL Validation Only: Uses the built-in trusted CA-based validation. This is the default.
■ Built-in SSL Validation and Cert Path Validators: Uses the built-in trusted CA-based validation and uses configured CertPathValidator providers to perform extra validation.

Configuring SSL on WebLogic Server (Two-Way)

With two-way SSL, the server presents a certificate to the client and the client presents a certificate to the server. WebLogic Server can be configured to require clients to submit valid and trusted certificates before completing the SSL handshake.

After you configure identity and trust keystores for a WebLogic Server instance as described in "Configuring Keystores for SSL" on page 10-22, you can configure its two-way SSL attributes if the policy or template you are using requires it, as described in "Which Policies Require You to Configure Two-Way SSL?" on page 10-23.

This section summarizes the steps required to configure SSL on WebLogic Server. For complete information, see Securing Oracle WebLogic Server.

To configure two-way SSL:

1. In the left pane of the WebLogic Server Administration Console, expand Environment and select Servers.