6 Replies. Latest reply: Nov 22, 2012 11:16 AM by 974672

    How to use X.509 certificates

    974672
      Hello!
      I'm trying to use X.509 certificates, without success. Used policy is: Wssp1.2-Wss1.0-X509-Basic256. I want client and service to sign messages by own private key and encrypt entire message with public key of each other. I think I chose good security policy. Now, I'd like both end points to use their own X.509 certificates. How can I load it on WebLogic Server (Version: 10.3.5.0) and force to use them? I'm looking for the easiest way. I'd like to store both certificates in the same location (where is the good place in WLS?) and assign them to end points respectively. I don't want any external things, only WLS, to simulate CA, keystore.

      Thanks in advance!

      Best regards,
      pb

      Edited by: 971669 on Nov 16, 2012 7:22 AM
        • 1. Re: How to use X.509 certificates
          974672
          I've added a key to DemoIdentity.jks:
          keytool -genkey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

          and set my credential provider property:
          IntegrityKeyStore=DemoIdentity.

          But I'm still getting the following error:
          weblogic.wsee.security.configuration.WssConfigurationException: KeyStoreFile does not exist.

          What am I doing wrong?
          • 2. Re: How to use X.509 certificates
            User696-Oracle
            You can configure this in two ways in WebLogic Server (SSL pair):
            1.) Configuring the Identity and Trust inside the WLS server.
            http://docs.oracle.com/cd/E24329_01/web.1211/e24422/identity_trust.htm#i1202182
            http://docs.oracle.com/cd/E24329_01/web.1211/e24488/message.htm#i210119
            2.) Using Key Pairs Other Than the Out-Of-The-Box SSL Pair
            http://docs.oracle.com/cd/E24329_01/web.1211/e24488/message.htm#i223815

            And here is sample java client code
            http://docs.oracle.com/cd/E24329_01/web.1211/e24488/message.htm#i253120

            If you have a support contract you can refer to the complete sample in note 1297210.1
            https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1297210.1

            Regards,
            Sunil P
            • 3. Re: How to use X.509 certificates
              974672
              I deleted the information about the key store and now WLS is fetching the keys that I imported into the demo key store. Is this a good approach?
              • 4. Re: How to use X.509 certificates
                User696-Oracle
                The demo key store is only for testing purposes, for checking the functionality.
                Demo Identity and Demo Trust: The demonstration identity and trust keystores, located in the BEA_HOME\server\lib directory and the JDK cacerts keystore, are configured by default. Use for development only.

                Regards,
                Sunil P
                • 5. Re: How to use X.509 certificates
                  974672
                  I have one problem with the service identity. In the WSDL there is no BinarySecurityToken. I set the recommended configuration of my WSS (ServerBSTCredentialProvider, BinarySecurityTokenHandler) and I can't see any <Identity /> inside <service /> in the WSDL. I'm using "policy:Wssp1.2-Wss1.0-X509-Basic256.xml" so I expect that the service exposes its public key and the client will send a request with the body automatically encrypted with this public key.

                  Edited by: 971669 on Nov 21, 2012 5:25 AM

                  I can do without attaching the service public key in the WSDL. But I still want the client to encrypt its message body with the service public key. The following code doesn't help.

                  // Service (server) certificate the client should encrypt the request body with
                  X509Certificate serCer = (X509Certificate) CertUtils.getCertificate("/home/pawbar/Oracle/Middleware/wlserver_10.3/server/lib/demoidentity.der");
                  // Client identity: keystore path, keystore password, key alias, key password, keystore type, server certificate
                  CredentialProvider cp = new ClientBSTCredentialProvider("/home/pawbar/Oracle/Middleware/wlserver_10.3/server/lib/DemoIdentity.jks",
                          "DemoIdentityKeyStorePassPhrase", "demoidentity", "DemoIdentityPassPhrase", "JKS", serCer);


                  I get this error:

                  java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://schemas.xmlsoap.org/soap/envelope/}Server] FaultString [Failed to process signature.null] FaultActor [null]No Detail; nested exception is:
                       weblogic.wsee.jaxrpc.soapfault.WLSOAPFaultException: Failed to process signature.null
                       at org.example.DogService_PortType_Stub.getMother(DogService_PortType_Stub.java:87)
                       at org.example.MyClient.main(MyClient.java:48)
                  Caused by: weblogic.wsee.jaxrpc.soapfault.WLSOAPFaultException: Failed to process signature.null
                       at weblogic.wsee.codec.soap11.SoapCodec.decodeFault(SoapCodec.java:357)

                  Edited by: 971669 on Nov 21, 2012 6:53 PM
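The JAX-RPC client wiring that the snippet above is part of, as an added example (not the poster's code and not from the Oracle docs): the ClientBSTCredentialProvider is attached to the stub together with a TrustManager that checks the service's signing certificate against the client's own trust store instead of the usual "return true" callback. The class names follow the WebLogic 10.3 WS-Security client API; the exact package of TrustManager and the keystore paths are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.rpc.Stub;

import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.util.CertUtils;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;
import weblogic.xml.crypto.wss.provider.TrustManager; // assumed package for the WS-Security TrustManager

public class SecureClientSetup {

    /** Attach the client's X.509 identity and the service's public certificate to a JAX-RPC stub. */
    public static void configure(Stub stub, String keyStorePath, String keyStorePass,
                                 String keyAlias, String keyPass, String serverCertPath,
                                 final String trustStorePath, final String trustStorePass) throws Exception {
        // Service certificate: used to encrypt the request body for the service.
        X509Certificate serverCert = (X509Certificate) CertUtils.getCertificate(serverCertPath);
        serverCert.checkValidity(); // fail early on an expired or not-yet-valid certificate

        // Client identity: signs the request and decrypts the response with the key under keyAlias.
        List<CredentialProvider> providers = new ArrayList<CredentialProvider>();
        providers.add(new ClientBSTCredentialProvider(keyStorePath, keyStorePass,
                                                      keyAlias, keyPass, "JKS", serverCert));
        stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, providers);

        // Accept the signature on the response only if the signing certificate is an entry
        // of our trust store (e.g. demoidentity.der imported with keytool -importcert).
        stub._setProperty(WSSecurityContext.TRUST_MANAGER, new TrustManager() {
            public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                if (chain == null || chain.length == 0) {
                    return false;
                }
                try {
                    KeyStore trust = KeyStore.getInstance("JKS");
                    FileInputStream in = new FileInputStream(trustStorePath);
                    try {
                        trust.load(in, trustStorePass.toCharArray());
                    } finally {
                        in.close();
                    }
                    chain[0].checkValidity();
                    return trust.getCertificateAlias(chain[0]) != null;
                } catch (Exception e) {
                    return false; // unreadable trust store or invalid certificate: reject
                }
            }
        });
    }
}
```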
                  • 6. Re: How to use X.509 certificates
                    974672
                    At the moment my request looks like this one:
                    http://pastebin.com/Q1WMc7X2

                    2 questions:
                    1. Why isn't my message body encrypted?
                    2. Why does client get error "Failed to process signature.null" in response?

                    Edited.

                    The second issue was resolved by using the demoidentity.der certificate and the DemoIdentity key. I would like to only encrypt the request and response. How can I do that?

                    My current policy:
                    Wssp1.2-2007-Wss1.0-X509-Basic256.xml

                    and its description in Oracle Docs:
                    Mutual Authentication with X.509 Certificates. The message is signed and encrypted on both request and response. The algorithm of Basic256 should be used for both sides.

                    Edited by: 971669 on Nov 22, 2012 4:31 PM

                    I must use Protection Assertion Policies. Everything is OK. Thanks for your help!

                    Edited by: 971669 on Nov 22, 2012 6:14 PM