6 Replies Latest reply: Nov 22, 2012 9:16 AM by 974672

How to use X.509 certificates

974672 Newbie
Hello!
I'm trying to use X.509 certificates, without success. The policy used is: Wssp1.2-Wss1.0-X509-Basic256. I want the client and the service to sign messages with their own private keys and to encrypt the entire message with each other's public key. I think I chose a good security policy. Now, I'd like both end points to use their own X.509 certificates. How can I load them on WebLogic Server (Version: 10.3.5.0) and force it to use them? I'm looking for the easiest way. I'd like to store both certificates in the same location (where is a good place in WLS?) and assign them to the end points respectively. I don't want any external things, only WLS, to simulate the CA and keystore.

Thanks in advance!

Best regards,
pb

Edited by: 971669 on Nov 16, 2012 7:22 AM
  • 1. Re: How to use X.509 certificates
    974672 Newbie
    I've added key to DemoIdentity.jks:
    keytool -genkey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase

    and set my credential provider property:
    IntegrityKeyStore=DemoIdentity.

    But I'm still getting the following error:
    weblogic.wsee.security.configuration.WssConfigurationException: KeyStoreFile does not exist.

    What am I doing wrong?
  • 2. Re: How to use X.509 certificates
    user696 Explorer
    You can configure this in two ways in WebLogic Server (SSL pair):
    1.) Configuring the Identity and Trust inside the WLS server.
    http://docs.oracle.com/cd/E24329_01/web.1211/e24422/identity_trust.htm#i1202182
    http://docs.oracle.com/cd/E24329_01/web.1211/e24488/message.htm#i210119
    2.) Using Key Pairs Other Than the Out-Of-The-Box SSL Pair
    http://docs.oracle.com/cd/E24329_01/web.1211/e24488/message.htm#i223815

    And here is sample Java client code:
    http://docs.oracle.com/cd/E24329_01/web.1211/e24488/message.htm#i253120

    If you have support, you can refer to the complete sample in note 1297210.1:
    https://support.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1297210.1

    Regards,
    Sunil P
  • 3. Re: How to use X.509 certificates
    974672 Newbie
    I deleted information about key store and now WLS is fetching keys which I imported to demo key store. Is it a good approach?
  • 4. Re: How to use X.509 certificates
    user696 Explorer
    The demo keystore is only for testing purposes, for checking the functionality.
    Demo Identity and Demo Trust: the demonstration identity and trust keystores, located in the BEA_HOME\server\lib directory, and the JDK cacerts keystore are configured by default. Use for development only.

    Regards,
    Sunil P
  • 5. Re: How to use X.509 certificates
    974672 Newbie
    I have one problem with the service identity. In the WSDL there is no BinarySecurityToken. I set the recommended configuration of my WSS (ServerBSTCredentialProvider, BinarySecurityTokenHandler) and I can't see any <Identity /> inside <service /> in the WSDL. I'm using "policy:Wssp1.2-Wss1.0-X509-Basic256.xml", so I expect that the service exposes its public key and the client will send a request with the body automatically encrypted with this public key.

    Edited by: 971669 on Nov 21, 2012 5:25 AM

    I can give up on attaching the service public key in the WSDL. But I still want the client to encrypt its message body with the service public key. The following code doesn't help.

    // Server certificate the client encrypts for, and the client's own key pair from the demo keystore
    X509Certificate serCer = (X509Certificate) CertUtils.getCertificate(
            "/home/pawbar/Oracle/Middleware/wlserver_10.3/server/lib/demoidentity.der");
    CredentialProvider cp = new ClientBSTCredentialProvider(
            "/home/pawbar/Oracle/Middleware/wlserver_10.3/server/lib/DemoIdentity.jks",
            "DemoIdentityKeyStorePassPhrase", "demoidentity", "DemoIdentityPassPhrase", "JKS", serCer);


    I get this error:

    java.rmi.RemoteException: SOAPFaultException - FaultCode [{http://schemas.xmlsoap.org/soap/envelope/}Server] FaultString [Failed to process signature.null] FaultActor [null]No Detail; nested exception is:
         weblogic.wsee.jaxrpc.soapfault.WLSOAPFaultException: Failed to process signature.null
         at org.example.DogService_PortType_Stub.getMother(DogService_PortType_Stub.java:87)
         at org.example.MyClient.main(MyClient.java:48)
    Caused by: weblogic.wsee.jaxrpc.soapfault.WLSOAPFaultException: Failed to process signature.null
         at weblogic.wsee.codec.soap11.SoapCodec.decodeFault(SoapCodec.java:357)

    Edited by: 971669 on Nov 21, 2012 6:53 PM
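An added example (not code from this thread or from the Oracle docs) of how the credential provider in reply 5 is typically wired into a JAX-RPC stub, following the pattern of the "Using Key Pairs Other Than the Out-Of-The-Box SSL Pair" page linked in reply 2. The WSSecurityContext property names and the TrustManager callback signature are assumed from those docs; the trust manager here pins the expected server certificate instead of accepting every chain.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.xml.rpc.Stub;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.util.CertUtils;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

public class SecureClientSetup {
    // Paths and passphrases are the demo-keystore values already used in this thread.
    static final String CLIENT_KEYSTORE =
            "/home/pawbar/Oracle/Middleware/wlserver_10.3/server/lib/DemoIdentity.jks";
    static final String SERVER_CERT =
            "/home/pawbar/Oracle/Middleware/wlserver_10.3/server/lib/demoidentity.der";

    /** Installs the X.509 credential provider and a pinning trust manager on the port stub. */
    public static void configure(Stub stub) throws Exception {
        // Certificate the client encrypts for and expects the response signature to come from.
        final X509Certificate serverCert = (X509Certificate) CertUtils.getCertificate(SERVER_CERT);

        // Client signs with its own private key (alias "demoidentity") and encrypts for serverCert.
        CredentialProvider cp = new ClientBSTCredentialProvider(
                CLIENT_KEYSTORE, "DemoIdentityKeyStorePassPhrase",
                "demoidentity", "DemoIdentityPassPhrase", "JKS", serverCert);
        List<CredentialProvider> providers = new ArrayList<CredentialProvider>();
        providers.add(cp);
        stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, providers); // assumed property name

        // Trust only the pinned server certificate; a callback that returns true unconditionally
        // would let any signer pass, which defeats the mutual-authentication policy.
        stub._setProperty(WSSecurityContext.TRUST_MANAGER, new TrustManager() { // assumed property name
            public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                if (chain == null || chain.length == 0) {
                    return false;
                }
                try {
                    chain[0].checkValidity(); // reject expired or not-yet-valid leaf certificates
                } catch (Exception e) {
                    return false;
                }
                return chain[0].equals(serverCert); // compares the DER encodings
            }
        });
    }
}
```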
  • 6. Re: How to use X.509 certificates
    974672 Newbie
    At the moment my request looks like this:
    http://pastebin.com/Q1WMc7X2

    2 questions:
    1. Why isn't my message body encrypted?
    2. Why does client get error "Failed to process signature.null" in response?

    Edited.

    The second issue was resolved by using the demoidentity.der certificate and the DemoIdentity key. I would like to only encrypt the request and response. How can I do that?

    My current policy:
    Wssp1.2-2007-Wss1.0-X509-Basic256.xml

    and its description in the Oracle docs:
    Mutual Authentication with X.509 Certificates. The message is signed and encrypted on both request and response. The algorithm of Basic256 should be used for both sides.

    Edited by: 971669 on Nov 22, 2012 4:31 PM

    I must use Protection Assertion Policies. Everything is OK. Thanks for your help!

    Edited by: 971669 on Nov 22, 2012 6:14 PM
