We recently found out, the hard way, that OWSM changed slightly from 11g to 12c. We migrated an OSB project from 11g to 12c, and somewhere in the process the security settings and policies stopped working. To resolve this issue we applied the following steps.
Import custom policies (optional)
In this specific case custom policies were defined in 11g. These policies had to be imported into the 12c environment.
- In the em right click on the hasinfra12 domain and select ‘Web Services -> WSM Policies’
- Select ‘Import’ and choose the policies file from the File Upload window. When the upload has finished, your new policies should appear:
Custom policies
KSS Keystore
In OSB 12c the OPSS keystore (KSS) is introduced. Now there is no need to use the jks file based keystore and truststore. Obtain the 11g jks keystore and keystore password and import the certificates from the keystore to OPSS.
Migrate keystore
To migrate from 11g to 12c and use the KSS store, we need to import the certificates.
- Start wlst
- Enter the following commands:
connect('weblogic',<your weblogic password>,'t3://<your environment admin server and port>')
svc = getOpssService(name='KeyStoreService')
svc.importKeyStore(appStripe='owsm',name='keystore',password='password',aliases='<alias in jks keystore>',keypasswords='<key password>',type='JKS',permission=true,filepath='/tmp/serverks.jks');
- To check that the certificates are actually loaded in the KSS store:
svc.listKeyStoreAliases(appStripe="owsm",name="keystore", password='',type="*")
- Exit from wlst
exit()
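An added example (not from the original post): a plain-Python cross-check, run on a workstation, that compares the aliases in the old JKS file with what was passed in aliases= and with what the KSS listing shows. The keytool output is a constructed sample and the function names are hypothetical; it assumes aliases= is a comma-separated string and that the KSS alias names are copied by hand from the listKeyStoreAliases output.

```python
import re

# Constructed sample of `keytool -list -keystore /tmp/serverks.jks` output
# (alias names, dates and fingerprints are made up for this example).
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

orakey, Mar 3, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33
partner-ca, Mar 3, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 44:55:66:77
oldkey, Jan 9, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 88:99:AA:BB
"""

# An entry line starts with the alias and ends with the entry type.
ENTRY = re.compile(
    r"^(?P<alias>.+?), .*\b"
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$")

def jks_entries(keytool_output):
    """Map alias -> entry type from `keytool -list` text output."""
    entries = {}
    for line in keytool_output.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group("alias").strip()] = m.group("kind")
    return entries

def migration_report(entries, requested, kss_aliases, signing_alias):
    """Compare the JKS inventory with the aliases= value and the KSS listing."""
    # Assumption: aliases= was given as a comma-separated string.
    wanted = [a.strip() for a in requested.split(",") if a.strip()]
    in_kss = set(a.strip() for a in kss_aliases)
    return {
        # requested, but no such alias in the JKS file (typo in aliases=)
        "not_in_jks": sorted(a for a in wanted if a not in entries),
        # requested and present in the JKS, but not listed by KSS afterwards
        "missing_in_kss": sorted(a for a in wanted
                                 if a in entries and a not in in_kss),
        # present in the JKS but never requested for import
        "left_behind": sorted(a for a in entries if a not in wanted),
        # message signing needs a private key, not only a certificate
        "signing_alias_has_private_key":
            entries.get(signing_alias) == "PrivateKeyEntry",
    }
```

An empty "missing_in_kss" list and a true "signing_alias_has_private_key" are what a complete import looks like; anything in "left_behind" is a key that still lives only in the JKS file.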
Check keystore in em
The proof is in eating the pudding.
Now that the certificates have been loaded, we have to select the certificate to use for message signing and message encryption.
- In the em console, go to your domain under the folder ‘Weblogic Domain’ -> Web Services -> WSM Domain Configuration. Select the tab ‘Message Security’.
- Select Keystore Type ‘KSS’ from the dropdown. For Path enter ‘kss://owsm/keystore’ which corresponds to the stripe and keystore as defined during the wlst import of the certificates.
Signing and encryption alias
(I have the impression that this step sets the default message signing and encryption alias. When applying a security policy to an OSB business service a certificate alias can also be selected. This allows the use of different aliases for different business services.)
Apply policy to OSB Business Service
- Open the SBConsole. Go to your project and select the Business Service.
- Select the tab 'security'. If not already set, select Policies from OWSM Policy Store. This allows you to select your custom security policy or a standard policy.
Business Service - Security