Set the Two Way Client Cert Behavior control to Client Certs Requested and

Setting Up Your Environment for Policies 10-29

Configuring SSL on Oracle HTTP Server

The HTTPS protocol uses an industry-standard protocol called Secure Sockets Layer (SSL) to establish secure connections between clients and servers. You can use the HTTPS/SSL support offered by Oracle HTTP Server as one of the communication protocols between the client and the Web service.

This section describes how to set up a Web service client and a Web service using Oracle WSM policies to send requests over SSL. Oracle HTTP Server is configured as a Web proxy that intermediates between the client and Oracle WebLogic Server. SSL is enabled at Oracle HTTP Server and SSL transport is turned on between the client and Oracle HTTP Server. Communication remains non-SSL between Oracle HTTP Server and WebLogic Server.

This section describes how to configure the policies that require one-way SSL and two-way SSL. For more information, see:

■ "Configuring SSL in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide
■ "Configuring SSL" in Securing Oracle WebLogic Server
■ "Set Up SSL" in the Oracle WebLogic Server Administration Console Help
■ "Configuring Secure Sockets Layer" in Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server

One-Way SSL

For more information on the Oracle WSM policies that require one-way SSL configuration, see "Which Policies Require You to Configure SSL?" on page 10-23.

To use one-way SSL, you need to:

1. Configure the Oracle HTTP Server as follows:

a. In the file ORACLE_INSTANCE/config/OHS/ohs_name/ssl.conf, configure Oracle HTTP Server as a Web proxy and specify the list of URLs you want to access, as shown in Example 10–1.
Example 10–1 Specifying URLs in ssl.conf

    # added properties for configuring OHS as webproxy
    <IfModule weblogic_module>
        WebLogicHost host
        WebLogicPort port
        SecureProxy Off
        WlProxySSL On
        Debug ALL
        WlLogFile /tmp/weblogic.log
    </IfModule>
    # the location attributes list the urls you want to access via OHS
    <Location /myWlsService>
        SetHandler weblogic-handler
        WebLogicHost host
        WeblogicPort port
    </Location>

b. In the same file, set the following properties under virtual host configuration to ensure the client certificate information is sent to WebLogic Server:

    SSLVerifyClient optional

10-30 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

c. By default, SSL is enabled on Oracle HTTP Server. The default https port is 4443. For more information on configuring this port, see "Configuring SSL in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

d. Restart Oracle HTTP Server. For more information, see "Configuring SSL in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

2. Create a wallet as described at "Managing Keystores, Wallets, and Certificates" in Oracle Fusion Middleware Administrator's Guide and replace the default wallet. The default wallet is located in the ORACLE_INSTANCE/config/OHS/ohs_name/keystores/default directory. See Example 10–2 for sample commands for creating a wallet.

Example 10–2 Sample Commands for One-Way SSL

    ./orapki wallet create -wallet wallet_location -pwd welcome1 -auto_login
    ./orapki wallet display -wallet wallet_location -pwd welcome1
    ./orapki cert display -cert wallet_location/ohs.crt
    ./orapki wallet add -wallet wallet_location -keysize 512 \
        -dn "CN=host_name,OU=st,O=owsm,L=N,ST=delhi,C=IN" \
        -self_signed -validity 700 -serial_num 20 \
        -cert wallet_location/ohs.crt -user_cert -pwd welcome1
    ./orapki wallet display -wallet wallet_location -pwd welcome1
    JAVA_HOME/bin/keytool -import -trustcacerts -file ohs.crt -alias sslcert \
        -keystore client_keystore.jks -storepass welcome1

3.
In the Oracle WebLogic Administration Console, perform the following:

a. Navigate to the Servers page in the Environment tab.
b. Click Adminserver and in Configuration, select General.
c. In the Advanced section, check the following: WebLogic Plug-In Enabled, and Client Cert Proxy Enabled.
d. Save the changes.
e. Set the same parameters for the SOA server.

For more information, see "Server: Configuration: General" in the Oracle WebLogic Server Administration Console Help.

To modify the client to use one-way server authentication mode, create a JSE client from the Web service using JDeveloper. Modify the parameters and properties as described in Example 10–3.

Example 10–3 JSE Client Using SSL

    public static void main(String[] args) {
        class1Service = new Class1Service();
        SecurityPolicyFeature[] securityFeatures =
            new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss_saml_token_over_ssl_client_policy") };
        Class1 class1 = class1Service.getClass1Port(securityFeatures);
        ((BindingProvider) class1).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
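
The ssl.conf settings from steps 1a and 1b of the one-way SSL procedure can be checked before Oracle HTTP Server is restarted. The following Python linter is an added example, not part of the Oracle guide: the SAMPLE text (host, port, block nesting) is constructed, and the names parse, audit and proxied_locations are hypothetical.

```python
# Constructed sample (added example): host, port and block nesting are assumptions.
SAMPLE = """\
<VirtualHost *:4443>
  SSLVerifyClient optional
  <IfModule weblogic_module>
    WebLogicHost wls.example.com
    WebLogicPort 7001
    WlProxySSL On
  </IfModule>
  <Location /myWlsService>
    SetHandler weblogic-handler
  </Location>
</VirtualHost>
"""

REQUIRED = [("IfModule weblogic_module", "WlProxySSL", "On"),      # step 1a
            ("VirtualHost", "SSLVerifyClient", "optional")]        # step 1b

def parse(text):
    """Return (enclosing_sections, directive_lowercased, value) per directive."""
    stack, rows = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                 # blank line or comment
        if line.startswith("</"):
            del stack[-1:]                           # close the innermost section
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())   # "Location /myWlsService"
        else:
            name, _, value = line.partition(" ")
            rows.append((tuple(stack), name.lower(), value.strip()))
    return rows

def audit(text):
    """List the step 1a/1b settings that the file does not carry."""
    rows = parse(text)
    return [f"{name} {value} not set inside <{section}>"
            for section, name, value in REQUIRED
            if not any(n == name.lower() and v.lower() == value.lower()
                       and any(s.lower().startswith(section.lower()) for s in path)
                       for path, n, v in rows)]

def proxied_locations(text):
    """URL paths handed to WebLogic Server, i.e. what OHS exposes as a proxy."""
    return [path[-1].split(None, 1)[1] for path, n, v in parse(text)
            if n == "sethandler" and v.lower() == "weblogic-handler"
            and path and path[-1].lower().startswith("location ")]
```

Run audit() on the contents of the real ssl.conf; an empty list means both settings are present, and proxied_locations() gives the URL paths to compare against the list you intended to publish through the proxy.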