(11g) Keystore & Password config for BPEL composites

Alan3
Alan3 Member Posts: 318 Bronze Badge
edited Sep 14, 2011 2:53AM in SOA Suite Discussions
Hi all, we are trying to configure a keystore for ONE (and ONLY ONE!) of our composite deployments.
In tracing the wonderful 'INFO' logs I've found that I can put our keystore in the following -
SOA Infrastructure >
SOA Administration >
Common Properties >
More SOA Infra Advanced Configuration Properties... >
KeystoreLocation "The path to the SOA Platform keystore."

So I add my keystore file into that field. It now appears in the logs for every composite... but there are password errors on every one... and I can't find where to enter the keystore password.

So, 3 questions:

1. Am I even putting the keystore in the correct place?

2. If so, WHERE do I specify the password?

3. Do I have to create the keystore with no password to make this work?

Answers

  • 687626
    687626 Member Posts: 796 Gold Badge
    Check this link which shows how to create a keystore with password in Fusion Middleware Control.
    http://download.oracle.com/docs/cd/E12839_01/core.1111/e10105/wallets.htm#CIHIEIDE
  • Alan3
    Alan3 Member Posts: 318 Bronze Badge
    Doesn't help.
    That is basically telling me how to create, import, export, etc. keystores which I already know and have in place.
    The menu structure given in the doc doesn't match what I have.
    I have no place in that menu to store a keystore. Here's what I have:
    soa-infra -> Security - gives me Application Policies & Application Roles. No keystore options.

    I have a BPEL composite deployment under soa-infra that calls a secure webservice.

    I can call the service manually (from a browser) on this server, so I know I'm not getting blocked by anything.

    When I try to make the call from the BPEL service, I get this error:
    oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://www....
    ...
    ...
    Caused by: javax.xml.ws.WebServiceException: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    I guessed this was something to do with the keystore.
    If it's not then what is causing it?
  • 687626
    687626 Member Posts: 796 Gold Badge
    This error could be due to the remote web service's CA certificate being missing from the trust keystore in your SOA Suite environment.

    Make sure you specify a trust location using a JVM argument: -Djavax.net.ssl.trustStore=your_truststore_location as discussed here: http://download.oracle.com/docs/cd/E14571_01/integration.1111/e10226/soacompapp_secure.htm#CHDFJEFB and that the root and intermediate CA certificates of the remote service are imported into the trust keystore.
  • Alan3
    Alan3 Member Posts: 318 Bronze Badge
    That looks more like the issue I'm facing.
    I'll give it a shot and update accordingly.
    What really gripes me - why isn't there a setup for that within the UI? As big and clumsy as the UI currently is, they still have stuff like this that has to be done within scripts...
  • Alan3
    Alan3 Member Posts: 318 Bronze Badge
    Well...
    What about the password?
    Do I need to create the keystore without a password for this to work?
  • Alan3
    Alan3 Member Posts: 318 Bronze Badge
    Ok, I added that line into JAVA_OPTIONS and can confirm it's trying to open the correct keystore... now just to find how to give it the password...
    INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: /home/oracle/SOAkeyStore/soa.jks
    INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained null or empty keystore password
    INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password
    INFO: SSLSocketFactoryManagerImpl.getSSLSocketFactory Could not obtain keystore location or password
  • Alan3
    Alan3 Member Posts: 318 Bronze Badge
    I also added -Djavax.net.ssk.trustStorePassword=<jks password> to the env file - still getting the same errors.
    I see the parameters appearing in the log file under 'Starting WLS with line:...'
    But this is obviously still NOT where it is looking for information for the BPEL composite keystore.
    I am convinced that the BPEL composite keystore is setup in UI under the path I originally posted...
    SOA Infrastructure >
    SOA Administration >
    Common Properties >
    More SOA Infra Advanced Configuration Properties... >
    KeystoreLocation "The path to the SOA Platform keystore."

    BUT WHERE+ DO I ADD THE PASSWORD???
  • I currently have an SR open with Oracle for this exact issue. Their suggestion is to add the JSSE params to the "EXTRA_JAVA_PROPERTIES" variable within the setDomainEnv script, such as the following:

    -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.keyStore=full_path_to_your_identity_store.jks -Djavax.net.ssl.keyStorePassword=***** -Djavax.net.ssl.trustStorePassword=**** -Djavax.net.ssl.trustStore=${JAVA_HOME}/jre/lib/security/cacerts

    However, this still results in messages such as the following at server startup and for each composite deployed within /EM

    INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: full_path_to_your_identity_store.jks
    INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained valid keystore password
    INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password

    Since the private key password and the keystore password are identical, the "null or empty key password" message is alarming.
  • Alan3
    Alan3 Member Posts: 318 Bronze Badge
    I've already added those.
    On my SR they suggested the following:
    1. Try to add the following properties to the JAVA_OPTIONS in setDomainEnv.sh and try again.
    -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.webservice.client.ssl.strictcertchecking=false -Dweblogic.security.SSL.enforceConstraints=off -Dssl.debug=true -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStore=<key store url> -Djavax.net.ssl.keyStorePassword=<keystore password> -Djavax.net.ssl.trustStore=<truststore url> -Djavax.net.ssl.trustStorePassword=<truststore password> -Dweblogic.security.SSL.verbose=true

    (Half of this I had already done.)
    I've added the keystore file path and password into every conceivable location I can find. I still get the same errors and NOTHING works.
    My next step is to simply try the keystore with no password - which is S.T.U.P.I.D. Even if it works that's not a solution.

    I am glad, however, that I'm not the only person who has an issue with this!
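Two things in this thread are easy to get wrong and hard to see: a -D property that JSSE silently ignores because its name is misspelled (an earlier post sets javax.net.ssk.trustStorePassword rather than javax.net.ssl), and the SSLSocketFactoryManagerImpl INFO lines that tell you which of location, keystore password and key password the SOA platform actually picked up. The following is an added example, not code from this thread or from Oracle, that lints a JAVA_OPTIONS string for unknown javax.net.* names, missing store/password pairs and the verification-weakening WebLogic flags quoted above, and triages the INFO lines posted earlier in the thread. The sample option string and log lines are constructed from the posts; paths and passwords are placeholders, and the wording "null or empty" is the only log phrasing assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the property set suggested on the SR, with the misspelled
# trustStorePassword property from an earlier post. Paths/passwords are placeholders.
SAMPLE_JAVA_OPTIONS = (
    "-Dweblogic.security.SSL.ignoreHostnameVerification=true "
    "-Dweblogic.webservice.client.ssl.strictcertchecking=false "
    "-Dweblogic.security.SSL.enforceConstraints=off -Dssl.debug=true "
    "-Djavax.net.ssl.keyStoreType=jks "
    "-Djavax.net.ssl.keyStore=/path/to/soa.jks "
    "-Djavax.net.ssl.keyStorePassword=placeholder "
    "-Djavax.net.ssl.trustStore=/path/to/trust.jks "
    "-Djavax.net.ssk.trustStorePassword=placeholder "
    "-Dweblogic.security.SSL.verbose=true"
)

# Constructed from the INFO lines quoted in the thread.
SAMPLE_LOG_NO_PASSWORD = [
    "INFO: SSLSocketFactoryManagerImpl.getKeystoreLocation SOA Keystore location: /home/oracle/SOAkeyStore/soa.jks",
    "INFO: SSLSocketFactoryManagerImpl.getKeystorePassword Obtained null or empty keystore password",
    "INFO: SSLSocketFactoryManagerImpl.getKeyPassword Obtained null or empty key password",
    "INFO: SSLSocketFactoryManagerImpl.getSSLSocketFactory Could not obtain keystore location or password",
]

# The standard JSSE system properties; anything else under javax.net.* is not read by JSSE.
KNOWN_JSSE = {
    "javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword", "javax.net.ssl.keyStoreType",
    "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword", "javax.net.ssl.trustStoreType",
}

# Values that switch off hostname or certificate checks; fine for a debugging session,
# not something to leave in setDomainEnv for a server that talks to a real endpoint.
WEAKENING = {
    "weblogic.security.SSL.ignoreHostnameVerification": "true",
    "weblogic.webservice.client.ssl.strictcertchecking": "false",
    "weblogic.security.SSL.enforceConstraints": "off",
}


def parse_d_options(opts: str) -> Dict[str, str]:
    """Split a JAVA_OPTIONS-style string into {property: value} for every -Dname=value."""
    return {m.group(1): m.group(2) for m in re.finditer(r"-D([^\s=]+)=(\S*)", opts)}


def lint_jsse_options(opts: str) -> List[str]:
    """Return human-readable findings about the keystore/truststore properties."""
    props = parse_d_options(opts)
    findings: List[str] = []
    for name in props:
        if name.startswith("javax.net.") and name not in KNOWN_JSSE:
            findings.append(f"unrecognised JSSE property '{name}' (typo? it will be ignored)")
    for store in ("keyStore", "trustStore"):
        path = props.get(f"javax.net.ssl.{store}")
        pwd = props.get(f"javax.net.ssl.{store}Password")
        if path and not pwd:
            findings.append(f"javax.net.ssl.{store} is set but javax.net.ssl.{store}Password is not")
        if pwd and not path:
            findings.append(f"javax.net.ssl.{store}Password is set but javax.net.ssl.{store} is not")
    for name, weak_value in WEAKENING.items():
        if props.get(name, "").lower() == weak_value:
            findings.append(f"{name}={weak_value} weakens certificate/hostname verification")
    return findings


LOG_PATTERN = re.compile(r"SSLSocketFactoryManagerImpl\.(\w+) (.*)")


def triage_soa_keystore_log(lines: List[str]) -> Dict[str, Optional[object]]:
    """Report which pieces the SOA platform obtained: keystore path, keystore pw, key pw."""
    state: Dict[str, Optional[object]] = {
        "location": None, "keystore_password": False, "key_password": False,
    }
    for line in lines:
        m = LOG_PATTERN.search(line)
        if not m:
            continue
        method, msg = m.groups()
        if method == "getKeystoreLocation" and "location:" in msg:
            state["location"] = msg.split("location:", 1)[1].strip()
        elif method == "getKeystorePassword":
            state["keystore_password"] = "null or empty" not in msg  # assumed phrasing
        elif method == "getKeyPassword":
            state["key_password"] = "null or empty" not in msg  # assumed phrasing
    return state


if __name__ == "__main__":
    for f in lint_jsse_options(SAMPLE_JAVA_OPTIONS):
        print("LINT:", f)
    print("LOG:", triage_soa_keystore_log(SAMPLE_LOG_NO_PASSWORD))
```

Run against the sample, the linter flags the javax.net.ssk typo, reports the truststore as having no password property (the misspelled one does not count), and lists the three verification-weakening flags; the log triage shows the keystore path was found but neither password was, which is the state the thread describes before the credential-store entry was tried.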
  • I also have set the Security Credentials in the /em console (WebLogic Domain -> domain -> Security -> Credentials).

    I added a credential map named "SOA" and within that added a Key named "KeystorePassword" . The Username is "KeystorePassword" and the value is the actual password.

    The identity keystore is also configured in soa-infra ( soa-infra -> SOA Administration - Common Properties -> More Soa Infra Advanced -> Keystore Location )

    and then restarted everything.

    But if SOA / BPEL uses JSSE, then it should already know that the key password and the keystore password must match, so it should never have to ask for a key password.

    It should have been designed to use the WL SSL configuration instead.