Securing a proxy service by using certificate authentication and protecting the message

In this recipe, we again protect the message as in the previous recipes, but replace the username/password authentication with client certificate authentication. For this, we need to generate a client certificate and add the client's public certificate to the server Java keystore. This way, OWSM can verify the client signature that is added to the SOAP message and map the certificate to a WebLogic user.

Getting ready

For this recipe, we will use the same simple OSB project as in the previous Securing a proxy service using username and password authentication through OWSM recipe.

Import the getting-ready project into Eclipse OEPE from chapter-11\getting-ready\securing-a-proxy-service-with-cert-auth-and-msg-protect.

How to do it...

The steps to execute in this recipe are the same as in the previous Securing a proxy service using username and password authentication through OWSM recipe, except that a different policy is selected. In the Eclipse OEPE, perform the following steps:

  1. Open the CustomerManagement.proxy in the proxy folder of the securing-a-proxy-service-with-cert-auth-and-msg-protect project.
  2. Navigate to the Policy tab.
  3. Enable From OWSM Policy Store.
  4. Click Service Level Policies, which will enable the Add button.
  5. Click Add and the OWSM Policy Configuration window will open.
  6. Click Browse.
  7. In the Select OWSM Policy window, we need to choose a security or management policy.
  8. Enter *x509* into the Name field and click Search.
  9. Select the /wss11_x509_token_with_message_protection_service_policy from the list of policies.
  10. Click OK.
  11. The X509 Token with message protection policy will be displayed in the Policy tab of the proxy service.
  12. Save the project and deploy it to the OSB server.

    Instead of the oracle/wss11_x509_token_with_message_protection_service_policy we could also use oracle/wss10_x509_token_with_message_protection_service_policy on this proxy service. The consumer must then use the matching wss10 client policy, because the two WS-Security versions are not interoperable.

    Now, we have to generate a client certificate and exchange the public certificates of the client and the server. Open a command line window and perform the following steps:

  13. Navigate to the bin folder of the JDK used by the OSB:
    cd c:\[FMWHome]\jrockit-jdk1.6.0_20-R28.1\bin
    
  14. Generate a new client key pair and self-signed certificate with client as common name (CN) attribute and store it in the client_2.jks keystore:
    keytool -genkey -alias clientKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=client, C=US" -keypass welcome -keystore c:\client_2.jks -storepass welcome

    The SHA1withRSA signature algorithm and the default key size of this JDK are used here only to stay compatible with the 11g environment of the cookbook. For a current deployment, prefer -sigalg SHA256withRSA and -keysize 2048 or larger, and replace the welcome passwords by strong ones.
    
  15. Export the public certificate of the server:
    keytool -exportcert -alias serverKey -storepass welcome -keystore c:\server.jks -file c:\server.cer
    
  16. Import the server certificate into the client keystore:
    keytool -import -file c:\server.cer -alias serverKey -keystore c:\client_2.jks -storepass welcome -keypass welcome
    
  17. Choose yes for the question about whether you trust the certificate. Before answering, compare the fingerprint keytool prints with the fingerprint of the server certificate that was created in the previous recipe; this is the only point at which a wrong or substituted certificate can still be detected.
  18. Export the public certificate of the client:
    keytool -exportcert -alias clientKey -storepass welcome -keystore c:\client_2.jks -file c:\client_2.cer
    
  19. Import the client certificate into the server Java keystore:
    keytool -import -file c:\client_2.cer -alias clientKey -keystore c:\server.jks -storepass welcome -keypass welcome
    
  20. Copy the updated Java keystore server.jks located at c:\ to the config\fmwconfig folder of the OSB domain:
    cd ..\..
    cd user_projects\domains\osb_cookbook_domain\config\fmwconfig
    copy c:\server.jks .
    
  21. Confirm the overwrite warning by entering yes.
  22. Restart the WebLogic servers so that the updated server Java keystore is loaded.

    Next, we have to add the user called client to the myrealm security realm of the WebLogic server. The name of the user must match the common name (CN=client) of the client certificate, because OWSM asserts the identity from the certificate subject and WebLogic then looks up that user in the realm.

    In the Service Bus console, perform the following steps:

  23. Navigate to the Security Configuration using the menu on the left side.
  24. Select the Users menu item and click Add New.
  25. Enter client into the User Name field and welcome1 into the New Password and Confirm Password fields.
  26. Leave DefaultAuthenticator for the Authentication Provider.
  27. Click Save.

The password of the client user is not used by this recipe, because OWSM authenticates the consumer through the signature made with the client's private key rather than through the password. The account nevertheless exists in the realm and could be used against any endpoint that still accepts password authentication, so choose a strong, random password for it.

We can use the next recipe, Using JDeveloper to test a secured service to test the implementation.

How it works...

The X509 Token with message protection policy authenticates the service consumer with a client certificate and protects the SOAP message with the two key pairs exchanged in this recipe.

On the consumer side, the private key of the client is used to sign the SOAP body, and the public key of the server (the certificate imported in step 16) is used to encrypt it. On the provider side, OWSM decrypts the SOAP body with the private key of the server and verifies the signature with the public certificate of the client, which it finds in the server Java keystore under the alias clientKey (step 19). A consumer whose certificate is not in that keystore cannot produce an acceptable signature, so the import in step 19 is the trust decision of this recipe.

Finally, the common name of the client certificate is mapped to a user of the WebLogic security realm, which is why the client user created in steps 23 to 27 has to exist.
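The following Java program is an added example, not part of the original recipe or of OWSM. It replays the flow described above against the two keystores produced in steps 14 to 19 so that a misconfigured keystore exchange is found before the proxy service is tested: it signs a constructed sample body with the client private key from client_2.jks, encrypts it to the server certificate held in the client keystore, then switches to the server keystore to decrypt with the server private key, verify the signature with the imported client certificate, and check that the certificate CN equals the realm user. The paths, aliases and passwords are those used in the recipe; the sample body and the use of SHA256withRSA with RSA-OAEP key transport plus AES-CBC are assumptions of this example, chosen to mirror the shape of a WS-Security 1.1 message rather than the exact algorithm suite OWSM negotiates.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Sanity check of the keystore exchange from steps 14-19 (example code, not OWSM). */
public class KeystoreExchangeCheck {

    // Assumed from the recipe: keystore locations, aliases, passwords and the realm user.
    static final String CLIENT_JKS = "c:\\client_2.jks";
    static final String SERVER_JKS = "c:\\server.jks";
    static final char[] PASS = "welcome".toCharArray();
    static final String EXPECTED_USER = "client";

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, PASS);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Returns the CN attribute of the certificate subject, or null if there is none. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore client = load(CLIENT_JKS);
        KeyStore server = load(SERVER_JKS);

        // Constructed sample payload standing in for the SOAP body.
        byte[] body = "<ns:getCustomer><ns:id>42</ns:id></ns:getCustomer>"
                .getBytes(StandardCharsets.UTF_8);

        // Consumer side: sign the body with the client private key (step 14).
        PrivateKey clientPriv = (PrivateKey) client.getKey("clientKey", PASS);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(clientPriv);
        signer.update(body);
        byte[] signature = signer.sign();

        // Consumer side: encrypt the body to the server certificate imported in step 16.
        // As in WS-Security, a fresh AES key encrypts the body and RSA-OAEP wraps that key.
        X509Certificate serverCertAtClient = (X509Certificate) client.getCertificate("serverKey");
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        wrap.init(Cipher.WRAP_MODE, serverCertAtClient.getPublicKey());
        byte[] wrappedKey = wrap.wrap(dataKey);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey);
        byte[] iv = aes.getIV();
        byte[] encryptedBody = aes.doFinal(body);

        // Provider side (what OWSM does): unwrap with the server private key and decrypt.
        PrivateKey serverPriv = (PrivateKey) server.getKey("serverKey", PASS);
        Cipher unwrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        unwrap.init(Cipher.UNWRAP_MODE, serverPriv);
        SecretKey recoveredKey = (SecretKey) unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding");
        dec.init(Cipher.DECRYPT_MODE, recoveredKey, new IvParameterSpec(iv));
        byte[] plainBody = dec.doFinal(encryptedBody);

        // Provider side: verify the signature with the client certificate imported in step 19,
        // then map its CN to the WebLogic realm user created in step 25.
        X509Certificate clientCertAtServer = (X509Certificate) server.getCertificate("clientKey");
        clientCertAtServer.checkValidity(); // throws if expired or not yet valid
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(clientCertAtServer.getPublicKey());
        verifier.update(plainBody);
        boolean signatureOk = verifier.verify(signature);
        String cn = commonName(clientCertAtServer);

        System.out.println("server.jks holds the same client cert as client_2.jks: "
                + clientCertAtServer.equals(client.getCertificate("clientKey")));
        System.out.println("body decrypted with the server private key: " + Arrays.equals(plainBody, body));
        System.out.println("signature verified with the imported client cert: " + signatureOk);
        System.out.println("CN=" + cn + " matches realm user " + EXPECTED_USER + ": " + EXPECTED_USER.equals(cn));
    }
}
```

Run it with the JDK used by the OSB after step 19 and before copying server.jks into the domain (step 20). Every line should print true; a false on the first line means the wrong certificate was imported in step 19, a decryption failure points at step 16, and a CN mismatch means the -dname of step 14 does not agree with the user created in step 25.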

See also

Check the Using JDeveloper to test a secured service recipe for how to test the service with JDeveloper.
