OSB ( Can OSB/Weblogic ( support multiple PKIs (Public Key Infrastructure)


      Hi All,


Would you be able to help me in understanding if OSB/Weblogic ( can support multiple private keys in the domain to enable 2-way SSL W/S calls ?


      Solution walk-through :
      A 3rd Party Web Service is only accessible via 2-way SSL http channel. To achieve this, OSB is required to use the private key which is issued by 3rd party. This private key and 3rd party root certificate (CA) need to be installed into OSB’s keystore which is based on Java Keystore format.

      The private key (issued by 3rd Party) will be used by OSB for identity signature. This private key is bound to IP address of the OSB machine calling the 3rd Party web service. Also, 3rd Party root certificate (CA) will be used by OSB to verify the identity of 3rd Party web service.


      Given the private key is used as the identity of the system and should be guarded closely by the target system, we believe this approach needs to be reviewed and assessed accordingly.


      Limitations and drawbacks with the current solution :  

      1. The private key of OSB system is issued and controlled by an external application vendor.

      2. OSB is enforced to use this private key and its signature algorithm for other external parties’ interactions. The current client certificate issued by 3rd Party is X509v3 certificate which uses RSA, with a 2048-bit key size, signed with a SHA-512 hash.

      3. The SSL is self-signed, not signed by a publicly trusted cert provider (i.e. VeriSign)

4. Extra dependency on external vendor systems as the key provider. Currently, the keys are bound to the server IP address; any changes to the production environment (i.e. adding new nodes) will require a new key to be generated by the 3rd Party system. In case the 3rd Party is no longer used in the future, the keys can no longer be generated.


Conclusion : OSB does not support multiple PKIs (Public Key Infrastructure), which is a mapping mechanism that OSB uses to provide its certificate for SSL connections to the server. Multiple private keys require multiple PKIs, which OSB does not handle.


So, do you agree that OSB/Weblogic ( could not support multiple private keys issued by more than one 3rd party vendor ?



      Kunal Singh

          Ankit kalanoria

          Hi Kunal,


Although it is recommended to have 1 key pair for 1 identity store, as it represents the unique identity of your domain, you can:

          • import multiple key-pairs in your identity store
          • Configure PKI credential mapper to use reference of identity store consisting of multiple keys
          • When in your OSB project, you create Service Key provider(SKP) then it loads all the private keys present in identity store referred by PKI mapper. It will browse both the keys.
• Depending on your requirement, you can choose a different key pair for different SKPs for the "Client Authentication key" section (for SSL) and "Signature key" for DigiSign.


Please let me know if I understood your query correctly and the above helps.
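The mechanism both posts circle around (one identity keystore holding several vendor-issued private keys, with the client-authentication key chosen per target service) is easy to see outside the OSB console. The Java below is an added illustration, not OSB or WebLogic code and not what the Service Key Provider or PKI credential mapper does internally: it loads a JKS identity store that contains more than one private-key entry, lists the key entries so an operator can confirm every vendor key was picked up (the "it loads all the private keys" point in the reply), and wraps the JDK key manager so the alias presented during the 2-way SSL handshake is bound to the peer host. The keystore path, passwords, alias names and host names are hypothetical placeholders; an unmapped host gets no client certificate at all rather than a wrong vendor's identity.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

public class PerVendorClientKey {

    /** Key manager that pins the client alias to the peer host instead of letting the JDK pick the first match. */
    static final class HostBoundKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final Map<String, String> hostToAlias; // hypothetical mapping: target host -> keystore alias

        HostBoundKeyManager(X509KeyManager delegate, Map<String, String> hostToAlias) {
            this.delegate = delegate;
            this.hostToAlias = hostToAlias;
        }

        private String aliasFor(String host) {
            String alias = host == null ? null : hostToAlias.get(host.toLowerCase());
            // Return null when there is no mapping or the alias has no private key: the handshake then
            // proceeds without a client certificate and the server rejects it, which is the safe failure.
            return (alias != null && delegate.getPrivateKey(alias) != null) ? alias : null;
        }

        @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            String host = (socket != null && socket.getInetAddress() != null) ? socket.getInetAddress().getHostName() : null;
            return aliasFor(host);
        }
        @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
            return aliasFor(engine == null ? null : engine.getPeerHost());
        }
        // Server-side methods are delegated unchanged; this wrapper only affects outbound client identity.
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    /** Lists the private-key entries (not trusted-cert entries) with their subject and issuer for an operator check. */
    static List<String> describeKeyEntries(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            out.add(alias + " subject=" + cert.getSubjectX500Principal() + " issuer=" + cert.getIssuerX500Principal());
        }
        return out;
    }

    static SSLContext buildContext(String identityPath, char[] storePass, char[] keyPass,
                                   String trustPath, char[] trustPass, Map<String, String> hostToAlias) throws Exception {
        KeyStore identity = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(identityPath)) { identity.load(in, storePass); }
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { trust.load(in, trustPass); }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust); // trust store holds each vendor's root CA so their servers can be verified

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new HostBoundKeyManager(base, hostToAlias) }, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // All values below are hypothetical placeholders for this illustration.
        Map<String, String> hostToAlias = Map.of(
                "ws.vendor-a.example", "vendor-a-client-key",
                "ws.vendor-b.example", "vendor-b-client-key");
        KeyStore identity = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("identity.jks")) { identity.load(in, "changeit".toCharArray()); }
        describeKeyEntries(identity).forEach(System.out::println);
        SSLContext ctx = buildContext("identity.jks", "changeit".toCharArray(), "changeit".toCharArray(),
                "trust.jks", "changeit".toCharArray(), hostToAlias);
        System.out.println("SSLContext ready with " + hostToAlias.size() + " host-bound client identities: " + ctx.getProtocol());
    }
}
```

The listing step is the check worth keeping from this thread: after importing a second vendor's key pair with keytool, run it and confirm both aliases show up as key entries with the expected issuer before touching the PKI credential mapper or SKP configuration. The host-to-alias map is the programmatic counterpart of choosing a different key pair per SKP in the OSB console; keeping it explicit means a new vendor key cannot silently be offered to an existing vendor's endpoint.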