Tuesday 28 June 2016

X509 message protection, migrate from OSB 11g to 12c


Lately we found out, the hard way, that OWSM changed slightly from 11g to 12c. We migrated an OSB project from 11g to 12c and somewhere in the move the security settings and policies stopped working. To resolve this issue we applied the following steps.

Import custom policies (optional)

In this specific case custom policies were defined in 11g. These policies had to be imported into the 12c environment.
    (screenshot: WSM Policies)
  1. In Enterprise Manager (EM) right-click the domain (hasinfra12 in our case) and select ‘Web Services -> WSM Policies’.
  2. Select ‘Import’ and choose the policies file in the File Upload window. When the upload has finished your new policies should appear:
    (screenshot: Custom policies)

KSS Keystore

With OSB 12c the OPSS keystore service (KSS) is introduced, so a file-based JKS keystore and truststore are no longer needed. Obtain the 11g JKS keystore and its keystore password and import the certificates from that keystore into OPSS.
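Before running the import you need the exact alias names in the 11g JKS (they go into the aliases argument) and you want to know that the keystore password you were handed is right, otherwise you only find out when the import fails. `keytool -list -v -keystore serverks.jks` shows both. The pure-Python reader below, added here as an example and not part of the original post, does the same offline and makes visible what the JKS integrity check actually is: a SHA-1 digest over the UTF-16BE password, the fixed string "Mighty Aphrodite" and the store contents. The sample store it builds is constructed test data (placeholder blobs, not real keys or certificates), and the alias names osbsign and osbca are assumptions.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2
JKS_SALT = b"Mighty Aphrodite"  # fixed string Java mixes into the JKS integrity digest


def _read_utf(buf, pos):
    """Java writeUTF field: 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def list_jks_entries(data, password=None):
    """Return [(alias, entry_type, chain_length), ...] for a JKS v2 store.

    If password is given, the integrity digest at the end of the file is verified:
    SHA-1(password as UTF-16BE + b"Mighty Aphrodite" + everything before the digest).
    A mismatch means the password is wrong or the file was tampered with / truncated."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    pos = 12
    entries = []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation timestamp (ms since epoch), not needed here
        if tag == TAG_PRIVATE_KEY:
            (klen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + klen  # encrypted PKCS#8 blob, protected by the key password
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                ctype, pos = _read_utf(data, pos)  # certificate type, normally "X.509"
                (clen,) = struct.unpack_from(">I", data, pos)
                pos += 4 + clen
            entries.append((alias, "PrivateKeyEntry", chain_len))
        elif tag == TAG_TRUSTED_CERT:
            ctype, pos = _read_utf(data, pos)
            (clen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + clen
            entries.append((alias, "trustedCertEntry", 1))
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    if password is not None:
        digest = hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + data[:pos]).digest()
        if digest != data[pos:pos + 20]:
            raise ValueError("integrity check failed: wrong keystore password or corrupted file")
    return entries


def wlst_alias_args(entries):
    """Comma-separated value for the 'aliases' argument of svc.importKeyStore, plus the
    aliases that are private keys and therefore need a key password supplied as well."""
    aliases = ",".join(alias for alias, _, _ in entries)
    key_aliases = [alias for alias, etype, _ in entries if etype == "PrivateKeyEntry"]
    return aliases, key_aliases


def build_sample_jks(password, key_blob=b"\x30\x03\x02\x01\x00", cert=b"\x30\x03\x02\x01\x01"):
    """Constructed test data: a minimal JKS v2 store with one private-key entry ('osbsign',
    assumed alias) and one trusted certificate ('osbca'). The blobs are placeholders, not
    real keys or certificates; only the container format and digest are real."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 2)
    body += struct.pack(">I", TAG_PRIVATE_KEY) + _utf("osbsign") + struct.pack(">Q", 0)
    body += struct.pack(">I", len(key_blob)) + key_blob
    body += struct.pack(">I", 1) + _utf("X.509") + struct.pack(">I", len(cert)) + cert
    body += struct.pack(">I", TAG_TRUSTED_CERT) + _utf("osbca") + struct.pack(">Q", 0)
    body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    digest = hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()
    return body + digest


if __name__ == "__main__":
    # With a real file: list_jks_entries(open("/tmp/serverks.jks", "rb").read(), "<jks password>")
    store = build_sample_jks("changeit")
    found = list_jks_entries(store, "changeit")
    for alias, etype, chain in found:
        print("%-10s %-17s chain length %d" % (alias, etype, chain))
    print("aliases= %r, key passwords needed for %r" % wlst_alias_args(found))
```

The digest only proves that the keystore password matches and the file is intact; the private-key entries are additionally encrypted with their own key passwords, which is why importKeyStore takes keypasswords separately from the keystore password. If the check fails with the password you were given, do not start guessing in WLST: get the correct password first, or the import will fail on the private-key entries anyway.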

Migrate keystore

To migrate the 11g certificates into the KSS store we import them from the JKS file with the OPSS KeyStoreService in WLST.

  1. Start WLST.
  2. Connect to the admin server and import the JKS into the default OWSM keystore (stripe 'owsm', keystore 'keystore'):
    connect('weblogic', '<your weblogic password>', 't3://<admin server host>:<port>')

    # the OPSS keystore service is the API behind the KSS stores
    svc = getOpssService(name='KeyStoreService')

    # aliases and keypasswords are comma-separated lists, one entry per alias to import
    # permission=true: owsm/keystore is permission protected, not password protected
    svc.importKeyStore(appStripe='owsm', name='keystore', password='<keystore password>', aliases='<alias in jks keystore>', keypasswords='<key password>', type='JKS', permission=true, filepath='/tmp/serverks.jks')
  3. Check that the certificates are actually loaded in the KSS store (the empty password is correct for a permission-protected keystore; type='*' lists all entry types):
    svc.listKeyStoreAliases(appStripe='owsm', name='keystore', password='', type='*')
  4. Exit from WLST:
    exit()

Check keystore in em

The proof of the pudding is in the eating.
  1. In EM go to your domain and under the folder ‘Weblogic Domain’ select Security -> Keystore.
    (screenshot: Stripe and keystore)
  2. You will now see the newly created keystore 'keystore' under the stripe 'owsm'. Select it and click Manage:
    (screenshot: Certificate details)

Select message security signing and encryption alias


Now that the certificates have been loaded we have to select the certificate to use for message signing and message encryption.
  1. In the EM console go to your domain and under the folder ‘Weblogic Domain’ select Web Services -> WSM Domain Configuration. Select the tab ‘Message Security’.
  2. Select Keystore Type ‘KSS’ from the dropdown. For Path enter ‘kss://owsm/keystore’, which corresponds to the stripe and keystore used during the WLST import of the certificates.
    (screenshot: Signing and encryption alias)
(I have the impression that this step sets the default message signing and encryption alias. When applying a security policy to an OSB business service a certificate alias can also be selected. This allows the use of different aliases for different business services.)

Apply policy to OSB Business Service

  1. Open the SBConsole. Go to your project and select the Business Service.
  2. Select the tab 'Security'. If not already set, select Policies from OWSM Policy Store. This allows you to select your custom security policy or a standard policy.
    (screenshot: Business Service - Security)