In this recipe, we will configure the OSB to use SSL. The WebLogic server standard installation already comes with a default certificate and keystore, but in this recipe we will use the custom keystore that we created in Chapter 11, Handling Message-level Security Requirements.
We will need access to Eclipse OEPE, soapUI client, and the server.jks and client.jks files.
First, we will configure the OSB server to use the server.jks keystore we created earlier.
In WebLogic console, perform the following steps:
- Click on Environment in the tree on the left and select Servers | AdminServer(admin) on the detail view.
- Navigate to the Configuration | Keystores tab.
- Click Change and change the value to Custom Identity and Custom Trust for the Keystores field.
- Enter
./config/fmwconfig/server.jksinto the Custom Identity Keystore field. - Enter
JKSinto the Custom Identity Keystore Type field. - Enter
welcomeinto the Custom Identity Keystore Passphrase field. - Enter
welcomeinto the Confirm Custom Identity Keystore Passphrase field. - Enter
./config/fmwconfig/server.jksinto the Custom Trust Keystore field. - Enter
JKSinto the Custom Trust Keystore Type field. - Enter
welcomeinto the Custom Trust Keystore Passphrase field. - Enter
welcomeinto the Confirm Custom Trust Keystore Passphrase field. - Click Save.
Next, we have to configure the SSL identity of the server.
- Click on Environment in the tree on the left and select Servers | AdminServer(admin).
- Navigate to the Configuration | SSL tab.
- Enter
serverKeyinto the Private Key Alias field. - Enter
welcomeinto the Private Key Passphrase field. - Enter
welcomeinto the Confirm Private Key Passphrase field and click Save. - Click on the Advanced link.
- Select None for Hostname Verification.
- Click Save.
Next, we will configure the Admin Server in order to enable HTTPS traffic.
- Click on Environment in the tree on the left and select Servers | AdminServer(admin).
- Navigate to the Configuration | General tab.
- Check the option SSL Listen Port Enabled.
- Leave the SSL Listen Port on the default of 7002.
- Click Save.
Next we need to create a PKICredentialProvider in the WebLogic security realm.
- Click Security Realm in the tree on the left and select myRealm.
- Navigate to the Providers | Credential Mapping tab.
- Click New.
- Enter
PKICredentialMapperinto the Name field. - Select PKICredentialMapper from the Type drop-down listbox.
- Click OK.
- Click on the new PKICredentialMapper.
- Navigate to the Configuration | Provider Specific tab.
- Enter
JKSinto the Keystore Type field. - Enter
./config/fmwconfig/server.jksinto the Keystore File Name field. - Enter
welcomeinto the Keystore Pass Phrase field. - Enter
welcomeinto the Confirm Keystore Pass Phrase field. - Click Save.
- Restart the server.
Due to the fact that OSB uses the WebLogic security framework for SSL transport security, the whole configuration takes place in the WebLogic console. First, we need to configure the server to activate the SSL traffic. For the OSB cookbook, we use a development installation with the OSB installed on the Admin Server. If the OSB Server is installed on its own Managed Server, which will be the case in a production environment, then SSL needs to be enabled on all Managed Servers, where it is required. After that we configure the PKICredentialMapper on WebLogic for using key pair or certificate credential mappings.