8 Replies. Latest reply: Aug 16, 2013 1:05 AM by Baan, Jos

    Calling HTTPS service from OSB and how to install certificate

    1002644

      Hi ,

       

      I need to call an HTTPS web service in OSB through a business service. I have already gone through the link below in the forum.
      Please find my requirement below. Any help would be appreciated.

      Calling HTTPS service from OSB

       

      Requirement:-

      --------------------------------------------------------

      Hi,

       

      I am also facing the same issue.

       

      My requirement is also the same (we have a requirement where I need to invoke an HTTPS service from OSB; the end system has given me 3 certificates).

       

      I am getting the same error as mentioned above (The invocation resulted in an error: [Security:090477]Certificate chain received from - (servername here ) was not trusted causing SSL handshake failure..)

       

      1. Can you please guide me on how to create one certificate from the given 3 certificates, with the steps and keytool commands?

       

      2.Second point after changing to the given point (Admin console --> <OSB Server> --> keystore tab. Set Keystores to Custom Identity and Java Standard Trust.)


      Changed Keystores as :- Custom Identity and Java Standard Trust

      Under Identity
      -------------------------
      Custom Identity KeyStore:

      Custom Identity KeyStore Type:

      Custom Identity KeyStore PassPhrase:

      Confirm Custom Identity KeyStore PassPhrase:
      ---------------------------------------

      Under Trust

      -------------------------------------

      Java Standard Trust KeyStore: C:\ORACLE~1\MIDDLE~1\JDK160~1\jre\lib\security\cacerts

      Java Standard Trust KeyStore Type:jks

      Java Standard Trust KeyStore PassPhrase:

      Confirm Java Standard Trust KeyStore PassPhrase:
      ---------------------------------------

      Java Standard Trust KeyStore: C:\ORACLE~1\MIDDLE~1\JDK160~1\jre\lib\security\cacerts
      Java Standard Trust KeyStore Type: jks

      are already filled with the above values.

      Can you please let me know what values need to be entered in IDENTITY and TRUST for the rest of the values?

      Regards,
      Sri.

        • 1. Re: Calling HTTPS service from OSB and how to install certificate
          Baan, Jos

          Hi, this is probably an issue with Service Key Provider. Can you find out (by contacting the provider of the SSL certificates) whether you are supposed to use one-way or two-way SSL? Two-way SSL requires that you trust the SSL certificate of the provider AND that the provider trusts the (client) SSL certificate that you provide. Please let me know which of the options is used.

          • 2. Re: Calling HTTPS service from OSB and how to install certificate
            1002644


            Hi Baan,

             

            Thanks for the reply. Here it is one-way SSL. Can you please let me know how to import the chain certificates and the required steps as mentioned above?

             

            Regards,

            Sri

            • 3. Re: Calling HTTPS service from OSB and how to install certificate
              Baan, Jos

              Hi,

               

              you received three SSL certificates. I guess this will be a server, intermediate and a root certificate. Correct?

               

              It can be a matter of sequence.

              Try installing root first, then intermediate and then server certificate.

               

              Also try to restart server (or at least SSL restart).

               

              Another problem can be that the (server) certificate does not match the URL you invoke. This is known as 'hostname' verification.

              For settings look in Weblogic Console.

              Navigate to Environment/Servers/<server>/SSL.

              Then Advanced settings and then check setting: Hostname Verification.

               

              Hope this helps.

              • 4. Re: Calling HTTPS service from OSB and how to install certificate
                1002644

                Hi ,

                 

                As you mentioned, I got three certificates.

                1. root Certificate

                2. Intermediate Certificate

                3. Server Certificate.

                 

                Can you please let me know how to install these certificates on the server (I don't know how to install the certificates)? If you provide the steps (the commands), it would be a great help for me.

                 

                once the certificates are imported or installed necessary steps or settings need to be taken care in Weblogic console.

                 

                Regards,

                Sri.

                • 5. Re: Calling HTTPS service from OSB and how to install certificate
                  Baan, Jos

                  Hi,

                   

                  a good tool (standard from your JDK/JRE) is keytool.

                   

                  Search in your JRE/JDK for keytool.

                  In either Linux or Windows, open a command window.

                  Set the directory with the keytool executable in your path (syntax differs whether you use Windows or Linux).

                   

                  Locate the desired keystores. Good practice is to use two stores: one for TRUSTED certificates and ONE for the KEYs. Suppose you use cacerts. Right?

                   

                  keytool -import -keystore cacerts -alias <root> -file <filename of root>

                  keytool -import -keystore cacerts -alias <intermediate> -file <filename of intermediate>

                  keytool -import -keystore cacerts -alias <server> -file <filename of server>

                   

                  When asked to trust enter yes.

                  Choose good aliases for the three of them. They have only local meaning (for you). Aliases don't have <> around them :)

                   

                  To show the contents of cacerts: keytool -list -keystore cacerts

                   

                  That's all.

                  • 6. Re: Calling HTTPS service from OSB and how to install certificate
                    1002644

                    Thanks Baan,

                     

                    Now I am able to invoke the HTTPS service.

                    Can you please explain to me the setting below that we need to choose?

                    Hostname Verification: none?

                    And what is the use:

                     

                    --------------------------------------------------------------------------------------------------

                    Another problem can be that the (server) certificate does not match the URL you invoke. This is known as 'hostname' verification.

                    For settings look in Weblogic Console.

                    Navigate to Environment/Servers/<server>/SSL.

                    Then Advanced settings and then check setting: Hostname Verification.

                     

                    Regards,

                    Sri.

                    • 7. Re: Calling HTTPS service from OSB and how to install certificate
                      Baan, Jos

                      Hi Sri,

                       

                      Great that it is working! That's what you told me, isn't it?

                       

                      About the setting of Hostname Verification, the following.

                       

                      When you, as a consumer, invoke an external website, it could be that someone has hacked the website address and redirects your request to a dummy site that possibly resembles the original one. In that case, the real server name of that fake server will probably not be the same as the one you expect.

                      Because you have earlier exchanged the right certificates with the provider you can be sure that the request will come from that specific server.

                       

                      So, enabling hostname verification gives an extra check to prevent the so-called man-in-the-middle attack.

                       

                      Ok, so far so good.

                      Now the reality.

                      If providers are not strict in using certificates that belong one-to-one to their servers, you can have a problem in enabling hostname verification.

                       

                      If necessary you can write your own hostname verification Java class to be able to support specific SSL certificates that you still trust.

                       

                      Regards,

                       

                      Jos
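
Added example (not part of the original thread, and not Oracle's code): one way to write the custom hostname verification class mentioned in reply 7, as an alternative to setting Hostname Verification to None. It accepts a certificate only when the requested host matches a DNS subject alternative name, or when the certificate's SHA-256 fingerprint equals a pin recorded for that host. Assumptions: the class name, the pin map and the hostnames are constructed for illustration; the common name is not consulted; the code is written against the JDK's `javax.net.ssl.HostnameVerifier` so it compiles without WebLogic, whose `weblogic.security.SSL.HostnameVerifier` interface declares the same `verify(String, SSLSession)` method.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

// Added example: strict SAN match first; a per-host certificate pin is the only exception.
public class PinnedHostnameVerifier implements HostnameVerifier {
    // host (lowercase) -> SHA-256 fingerprint of the server certificate, lowercase hex
    private final Map<String, String> pins;

    public PinnedHostnameVerifier(Map<String, String> pins) { this.pins = pins; }

    public boolean verify(String host, SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {      // entry = [type, value]; type 2 is dNSName
                    if (Integer.valueOf(2).equals(san.get(0))
                            && dnsMatch(host, (String) san.get(1))) return true;
                }
            }
            // Name mismatch: accept only the exact certificate pinned for this host.
            String pin = pins.get(host.toLowerCase(Locale.ROOT));
            return pin != null && pin.equals(sha256Hex(leaf.getEncoded()));
        } catch (Exception e) {
            return false;                       // fail closed on any error
        }
    }

    // A wildcard covers exactly one left-most label: *.example.com matches a.example.com only.
    static boolean dnsMatch(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    static String sha256Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) {    // constructed names, no network needed
        System.out.println(dnsMatch("api.partner.example", "*.partner.example"));
        System.out.println(dnsMatch("a.b.partner.example", "*.partner.example"));
        System.out.println(dnsMatch("partner.example", "*.partner.example"));
    }
}
```

The pin for a host should be the fingerprint the provider confirms out of band, compared against what `keytool -list -v` shows for the imported server certificate.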

                      • 8. Re: Calling HTTPS service from OSB and how to install certificate
                        Baan, Jos

                        Was this helpful for you? In that case would you be kind to reward using the options in the forum? Thanks!