6 Replies Latest reply: Jan 12, 2011 4:46 AM by 675595

    OSB 10gR3 - Configuring two way ssl Encryption - ERROR

    VictorJabur
      In Oracle Service Bus 10gR3, I configured a proxy that uses two-way SSL encryption.

      I followed the steps on the "Adding Service Key Providers" chapter - page 15-2 of consolehelp.book documentation.

      When I try to execute the proxy, entering the Service Key Provider and password (username is blank), the following error message is shown:

      Failed to setup server side credential provider: Server cert not trusted.

      What's wrong in my configuration?

      Is this a common error?

      Thanks
      Victor Jabur
        • 1. Re: OSB 10gR3 - Configuring two way ssl Encryption - ERROR
          675595
          http://download.oracle.com/docs/cd/E11035_01/wls100/secmanage/identity_trust.html

          Did you configure Trust Store?

          Manoj
          • 2. Re: OSB 10gR3 - Configuring two way ssl Encryption - ERROR
            VictorJabur
            Yes, I configured the Identity and Trust Store.

            To use the Service Key Provider in Oracle Service Bus, I have created the "Credential Mappings Provider":

            What's the difference between the default Identity/Truststore JKS and the JKS used in the "Credential Mappings Provider"?


            Maybe the problem is:

            On the following page: Home >Summary of Servers >AdminServer >Summary of Security Realms >myrealm >Credential Mappings >Providers >Credential Mappings >Providers

            Keystore Provider: (I don't know what to put here)
            Keystore Type: JKS
            Keystore File Name: /app/keystore.jks
            Keystore Pass Phrase: password
            Confirm Keystore Pass Phrase: password
            Use Resource Hierarchy: Checked
            Use Initiator Group Names: Checked

            Inside the keystore.jks, I have:

            Keystore type: JKS
            Keystore provider: SUN

            Your keystore contains 3 entries

            Alias name: alsbserver
            Creation date: May 25, 2010
            Entry type: PrivateKeyEntry
            Certificate chain length: 1
            Certificate[1]:
            Owner: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
            Issuer: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
            Serial number: 4bfc29c5
            Valid from: Tue May 25 16:49:25 BRT 2010 until: Fri May 22 16:49:25 BRT 2020
            Certificate fingerprints:
                 MD5: 72:93:6D:94:21:9A:60:23:89:89:60:CE:58:6C:A0:4A
                 SHA1: BF:57:53:61:D8:04:45:11:C6:BE:35:01:4E:4A:80:10:74:CF:3D:1D
                 Signature algorithm name: SHA1withRSA
                 Version: 3


            *******************************************
            *******************************************


            Alias name: alsbservertrust
            Creation date: May 25, 2010
            Entry type: trustedCertEntry

            Owner: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
            Issuer: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
            Serial number: 4bfc29c5
            Valid from: Tue May 25 16:49:25 BRT 2010 until: Fri May 22 16:49:25 BRT 2020
            Certificate fingerprints:
                 MD5: 72:93:6D:94:21:9A:60:23:89:89:60:CE:58:6C:A0:4A
                 SHA1: BF:57:53:61:D8:04:45:11:C6:BE:35:01:4E:4A:80:10:74:CF:3D:1D
                 Signature algorithm name: SHA1withRSA
                 Version: 3


            *******************************************
            *******************************************


            Alias name: jeff
            Creation date: May 25, 2010
            Entry type: trustedCertEntry

            Owner: CN=jeff, OU=IT, O=BEA, L="San Jose ST=California", C=US
            Issuer: CN=jeff, OU=IT, O=BEA, L="San Jose ST=California", C=US
            Serial number: 4bfc29c6
            Valid from: Tue May 25 16:49:26 BRT 2010 until: Fri May 22 16:49:26 BRT 2020
            Certificate fingerprints:
                 MD5: 36:06:A3:8E:B2:88:87:40:9F:33:C8:F0:93:1C:D6:66
                 SHA1: FB:40:7A:C2:47:E0:AE:F8:A9:F6:83:8C:90:FF:89:FD:2A:13:09:87
                 Signature algorithm name: SHA1withRSA
                 Version: 3


            *******************************************
            *******************************************

            Is this correct?

            Is anything wrong?

            Thanks,

            Victor Jabur
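As an added example (not part of the thread and not Oracle's code): the post above asks whether the keystore structure is correct, so this Python check parses `keytool -list -v` output and returns every PrivateKeyEntry whose chain ends in a certificate with no matching trustedCertEntry, by SHA1 fingerprint or by issuer name, in the same listing. The function names and the `orphan` entry are constructed for illustration, and the check covers one listing only, so the trust store the server is configured with has to be listed and checked the same way.

```python
import re

# Constructed sample, trimmed to the fields the check reads. The first two
# entries reuse values from the listing above; "orphan" is invented.
SAMPLE = """\
Alias name: alsbserver
Entry type: PrivateKeyEntry
Owner: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
Issuer: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
     SHA1: BF:57:53:61:D8:04:45:11:C6:BE:35:01:4E:4A:80:10:74:CF:3D:1D
*******************************************
Alias name: alsbservertrust
Entry type: trustedCertEntry
Owner: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
Issuer: CN=server, OU=IT, O=BEA, L="San Jose ST=California", C=US
     SHA1: BF:57:53:61:D8:04:45:11:C6:BE:35:01:4E:4A:80:10:74:CF:3D:1D
*******************************************
Alias name: orphan
Entry type: PrivateKeyEntry
Owner: CN=orphan, O=Example
Issuer: CN=Example CA, O=Example
     SHA1: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
"""

def parse_entries(listing):
    """Split the listing on 'Alias name:' and collect type plus per-cert fields."""
    entries = []
    for block in re.split(r"(?m)^\s*Alias name:\s*", listing)[1:]:
        alias, *rest = block.splitlines()
        entry = {"alias": alias.strip(), "type": None, "certs": []}
        for line in rest:
            key, _, value = line.strip().partition(": ")
            if key == "Entry type":
                entry["type"] = value
            elif key == "Owner":  # each certificate in a chain starts with Owner
                entry["certs"].append({"owner": value})
            elif key in ("Issuer", "SHA1") and entry["certs"]:
                entry["certs"][-1][key.lower()] = value
        entries.append(entry)
    return entries

def untrusted_identities(listing):
    """Aliases of PrivateKeyEntry items whose last chain cert has no trust anchor."""
    entries = parse_entries(listing)
    trusted = [c for e in entries if e["type"] == "trustedCertEntry" for c in e["certs"]]
    anchors = {v for c in trusted for v in (c.get("sha1"), c["owner"]) if v}
    return [e["alias"] for e in entries if e["type"] == "PrivateKeyEntry" and e["certs"]
            and not {e["certs"][-1].get("sha1"), e["certs"][-1].get("issuer")} & anchors]
```

The issuer comparison is a plain string match on the distinguished name as keytool prints it; it does not verify signatures or validity dates.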
            • 3. Re: OSB 10gR3 - Configuring two way ssl Encryption - ERROR
              VictorJabur
              The problem is partially resolved.

              The error above was resolved.

              Now, I have a question:

              In the Credential Mapper Provider, where I specify the JKS file:

              What structure should this JKS have?

              I want the proxy in the service bus to be encrypted, like this:

              INFORMATION -> CRYPT INFORMATION -> CLIENT INVOKE PROXY -> SERVER DECRYPT INFORMATION -> SERVER PROCESS THE REQUEST -> SERVER CRYPT THE INFORMATION -> SERVER SENDS REQUEST -> CLIENT DECRYPT RESPONSE -> CLIENT READ INFORMATION -> FINISH

              I want to create the key pair (private + public keys) using openssl:

              But what structure should the JKS in the Credential Mapper Provider have?

              Thanks,
              Victor
              • 4. Re: OSB 10gR3 - Configuring two way ssl Encryption - ERROR
                VictorJabur
                I resolved the problem. It was the certificate format.
                • 5. Re: OSB 10gR3 - Configuring two way ssl Encryption - ERROR
                  817323
                  Hi,

                  I am trying to secure the proxy service in OSB.

                  1) I too generated the custom identity and trust keys in a similar way to what you have done.
                  2) I configured the same in the Admin server.
                  3) I have created a proxy service using the following configuration:
                  a) In the Policy tab I have selected WSDL-based policy.
                  b) In the Security tab I have attached the Service Key Provider created from the server.
                  I deployed the same and tried to execute it from SB console -> Proxy Service Testing browser. It gave the following error.
                  <env:Fault>
                  <faultcode>env:Server</faultcode>
                  <faultstring>
                  Failed to setup server side credential provider: Server cert not trusted.
                  </faultstring>
                  </env:Fault>


                  Can you please help me out?

                  Thanks
                  Ramakrishna
                  • 6. Re: OSB 10gR3 - Configuring two way ssl Encryption - ERROR
                    675595
                    Configure your trust store.

                    http://download.oracle.com/docs/cd/E11035_01/wls100/secmanage/identity_trust.html

                    Thanks
                    Manoj

                    Edited by: Manoj Neelapu on Jan 12, 2011 4:16 PM