Monday, April 9, 2012

Enabling OSB to support X.509 token identity

In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. Further detail is available here

With OSB configured to accept X.509 certificates, it can verify that the hosts it communicates with are the ones it expects.

Adding X.509 Support to the WebLogic Default Identity Asserter

Since OSB uses the underlying framework that is supplied by WLS, by setting the default identity asserter within WLS to accept X.509 certificates, we can allow users and/or processes to present X.509 certificates to identify themselves. To do this, we need to access the WebLogic Server console and open the Security Realm -> Providers -> Authentication tab.



Within the Default Identity Asserter, under the Common tab, move the X.509 token type from the Available list to the Chosen list.



Then, under the Provider Specific tab, check the Use Default Name Mapper option. This checks that the certificates mapped to the user have not expired.



Adding WebLogic PKI Credential Mapping Provider

A Credential Mapping provider allows WebLogic Server to log into a remote system on behalf of a subject that has already been authenticated. You must have at least one Credential Mapping provider in a security realm, and you can configure multiple Credential Mapping providers in a security realm. The PKI Credential Mapper is only one of the types of credential mapper that are available. For this example we will need a keystore; to create one you may need to use the keytool command.

The basic steps for creating a JKS keystore with keytool are described in the JDK documentation; for reference, the following four commands create an identity store and a trust store together with a self-signed certificate:

keytool -genkey -alias test -keyalg RSA -keysize 1024 -dname "cn=L-0219016978.XXX.com,ou=Consulting,o=XXX" -keypass password -keystore identity.jks -storepass password
keytool -selfcert -v -alias test -keypass password -keystore identity.jks -storepass password -storetype JKS
keytool -export -v -alias test -file rootCA.der -keystore identity.jks -storepass password
keytool -import -v -trustcacerts -alias test -file rootCA.der -keystore trust.jks -storepass password

To configure a Credential Mapping Provider, we need to add a new provider in the security realm, under Providers -> Credential Mapping, by clicking “New”.





Once the PKI Credential Mapper is created, configure it as below.



The keystore type will be JKS, and the keystore filename and password will be the ones given to keytool when the keystore was created.

Configuring OSB Inbound WebServices



Within the web services security list, the default_x509_handler is the one that we need to change (to use the newly created keystore).



Now we need to set the Token Handler property UseX509ForIdentity to true.



Configuring WebLogic for SSL

The next step is to configure WebLogic Server for SSL, using the same keystore.





The next step is to create a user whose name is the one contained in the certificate from the keystore. After these dynamic changes, the server needs to be restarted.
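To make the last two steps concrete, the following added example (not code from the original post or from WebLogic) shows what the default name mapper does with the subject DN that was passed to keytool above: it parses the DN, picks the cn attribute, and refuses a certificate outside its validity window. The value it returns is the user name that has to exist in WebLogic; the validity dates are constructed, since the post does not state them.

```python
from datetime import datetime, timezone

# Subject DN exactly as passed to keytool -dname on this page.
SUBJECT_DN = "cn=L-0219016978.XXX.com,ou=Consulting,o=XXX"
# Constructed validity window (keytool -genkey defaults to 90 days).
NOT_BEFORE = datetime(2012, 4, 9, tzinfo=timezone.utc)
NOT_AFTER = datetime(2012, 7, 8, tzinfo=timezone.utc)


def parse_dn(dn):
    """Parse an RFC 2253 style DN such as 'cn=a,ou=b,o=c' into (attr, value)
    pairs, honouring backslash escapes and double-quoted values."""
    pairs, attr, buf, quoted, i = [], None, [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "=" and attr is None and not quoted:
            attr, buf = "".join(buf).strip().lower(), []
        elif ch in ",;" and not quoted:         # end of this RDN
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if quoted or attr is None:
        raise ValueError("malformed DN: %r" % dn)
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def map_certificate_to_username(subject_dn, not_before, not_after, now, attribute="cn"):
    """Reject a certificate outside its validity window; otherwise return the
    value of the mapped DN attribute (cn by default), which must equal the
    WebLogic user name for the identity assertion to succeed."""
    if not (not_before <= now <= not_after):
        return None
    return next((v for a, v in parse_dn(subject_dn) if a == attribute), None)


def username_at(now_iso):
    """Map the page's sample subject at the given ISO-8601 instant."""
    return map_certificate_to_username(SUBJECT_DN, NOT_BEFORE, NOT_AFTER,
                                       datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print(username_at("2012-04-10T00:00:00+00:00"))  # L-0219016978.XXX.com
    print(username_at("2013-01-01T00:00:00+00:00"))  # None: certificate expired
```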

Once we complete the above steps, our OSB system is ready to support X.509 token identity.

For further reference, see the Oracle WebLogic documentation:

http://docs.oracle.com/cd/E13222_01/wls/docs103/ConsoleHelp/taskhelp/webservices/webservicesecurity/CreateDefaultWSSConfig.html
http://docs.oracle.com/cd/E13222_01/wls/docs103/ConsoleHelp/taskhelp/webservices/webservicesecurity/UseX509ForIdentity.html

1 comment:

  1. detail or another post about the self-signed certificates (keystores) creation and configuring the app server to use it would be very helpful

