You need to create a service key provider and attach it to the business service.
Thanks for your reply.
I know how to create a service key provider in the BS. But the thing is, I couldn't see anything for the Encryption key in my sbconsole. I created the PKI credential mapper in the console using the trust store and I restarted the admin and managed servers. But I am not seeing anything in sbconsole when I click on browse for the Encryption key. Please point me in the right direction.
Can anyone advise me on this: do we need to use a trust store or an identity store for PKI Provider Specific? I know it's the trust store, but when I am using the trust store I am not seeing anything for the encryption key in sbconsole.
Can you please let us know the steps you followed.
You need to configure a Credential Mapping Provider (you will also need to create a trust store, usually a JKS created using keytool), a Credential Mapping in the WebLogic console, and then restart the OSB environment before you can create a service key provider using the above in sbconsole.
Thanks for your reply. Steps I followed are:
1. Importing certs of the third party into the trust store (.jks using keytool)
3. Creating the PKI credential mapper (Provider Specific) with details of the trust store
5. I tried to create the Service Key Provider from sbconsole. But when I browsed for the encryption key I don't see anything.
But when I tried to create the service key provider with the identity store (.jks), I was able to see some keys for encryption. Since my identity store doesn't have my third-party certs, I was not able to invoke the BS. Please let me know if I am missing anything.
After step 4, you also need to create a Credential Mapping (different from the Credential Mapping Provider). The Credential Mapping Provider is configured as the source where credential mappings are stored. A Credential Mapping refers to a Credential Mapping Provider to retrieve a mapped credential. After you create the Credential Mapping, you should be able to see it listed under SSL Client Authentication Key while creating the Service Key Provider from sbconsole.
Configuring PKI credential mapping is not required for 1 way SSL.
This is how SSL typically works:
- Third-party certificates (public key) go into your trust store.
- When a connection request is initiated by WebLogic, it retrieves the certificate from the third party, which is validated against the one present in the trust store. This confirms the identity of the third party to WebLogic. After this, some WebLogic environment-specific validation happens, like hostname verification/constraint validation etc., depending on your WebLogic setup, and this is where 1-way SSL ends.
If it is 2-way SSL (depends on the security contract between the 2 parties), then below is how the story goes further ahead:
The ServiceKeyProvider in OSB and the PKI mapper in WebLogic are used together when WebLogic wants to present its identity to the third party. You can think of it as, this time, the third party storing the public key of the WebLogic server in their trust store. This means WebLogic generated a key pair (public-private key pair) and shared the public key with the third party. The key pair is stored in the identity store and you need to specify your private key details in Server configuration -> SSL tab of the admin console. After doing this primary setup, you need to select Authentication as "Client certificate" in the business service configuration (SKP configured in the calling proxy service). Again, all this is only required if it is 2-way SSL; otherwise storing the public key in the trust store should be sufficient.
Can you please provide below information:
- Which version of WebLogic are you using?
- Which SSL library (Certicom or JSSE)?
- Verify the connection first in 2 ways: enter the endpoint followed by ?wsdl in a web browser and hit enter (see if the site is presenting a certificate).
- As you said that you tried the endpoint of the external https service in SoapUI without configuring any truststore, this is something which doesn't make sense. Ideally it should have failed with an SSL handshake failure. Please verify the URL being used in SoapUI is https (not http) and it is the same as that being used in OSB (nothing like typos). This step is just to be sure that we are not making an elementary-level mistake.
- Once you are sure about the connection settings, then please enable SSL debugging logs. You need to set parameters in setDomainEnv.sh depending on which SSL library you are using. Once you are done, please restart the server and post the SSL stacktrace here (you will find it in the managed server logs).
Hope this helps.
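As an added illustration (not code from this thread, OSB or WebLogic), a small Java program that makes the trust-store/identity-store split above concrete: it lists which entries each JKS holds and builds a JSSE SSLContext for 1-way or 2-way SSL. The file names trust.jks / identity.jks and the password "changeit" are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/* Illustrative helper, not OSB or WebLogic code. Trust store = third-party certificates
 * (TrustManager), all one-way SSL needs; identity store = our key pair (KeyManager), two-way only. */
public class SslStoreCheck {
    /* Loads a JKS and reports, per alias, whether it is a trusted-cert entry or a key entry. A trust
     * store filled with keytool -importcert has only trusted-cert entries, hence no private key to offer. */
    static KeyStore loadAndDescribe(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "private key + certificate chain" : "trusted certificate";
            System.out.println(path + " : " + alias + " -> " + kind);
        }
        return ks;
    }
    /* identityStore == null gives a one-way context: the peer is validated against the trust store but
     * no client certificate is offered. An identity store adds the KeyManager that two-way SSL needs. */
    static SSLContext buildContext(KeyStore trustStore, KeyStore identityStore, char[] keyPassword)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        KeyManager[] keyManagers = null;
        if (identityStore != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identityStore, keyPassword);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password and store paths, adjust to your domain
        KeyStore trust = loadAndDescribe("trust.jks", pw);
        KeyStore identity = (args.length > 0 && args[0].equals("two-way")) ? loadAndDescribe("identity.jks", pw) : null;
        buildContext(trust, identity, pw);
        System.out.println("SSLContext built for " + (identity == null ? "one-way" : "two-way") + " SSL");
    }
}
```

Run it without arguments for the 1-way case and with `two-way` to also load the identity store; the per-alias listing shows why a keytool-built trust store offers no private key to select.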