Using SSL certificates for web service communication

Web service communication

In a SOA integration, web service communication may need to cross network boundaries between integration partners. To secure this communication, a digital (SSL) certificate can be used.

Generate SSL certificate

1. First we generate a private key/public key pair using openssl.
The output says "Generating RSA private key", but it is actually generating a pair of private key and public key.
The key pair is saved in an encoded format called PEM. The private key must not be shared, and it is generally recommended to store RSA private keys in encrypted form.

$ openssl.exe genrsa -out server_rsa.pem 2048
Generating RSA private key, 2048 bit long modulus

2. Create a certificate signing request (CSR) if you intend to have the SSL certificate signed by a proper certificate vendor/CA such as Verisign, Thawte or Go Daddy.

Keystore
Note that from within an Oracle ESB environment it is the JRE that validates the connection, so the certificate will be validated by the JRE, and a valid chain of certificates needs to be available in the JRE keystore, $ORACLE_HOME/jdk/jre/lib/security/cacerts.

If the SSL certificate is signed by a proper certificate vendor/CA there is no need for further configuration, as the root certificates of these vendors are already available in the root keystore (cacerts).
Very often, especially during development, it is more convenient to work with self-signed certificates.
1. One can then import the newly created certificate into the default certificate store within the ORACLE_HOME of the application server:
$ORACLE_HOME/jdk/jre/lib/security/cacerts
Note that a restart is required after updating the keystore with the self-signed certificate.
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts lists the certificates in the keystore (default password: changeit).
$home\gwr>keytool -list -keystore c:\Java\jdk1.6.0_21\jre\lib\security\cacerts
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 75 entries

digicertassuredidrootca, 07-Jan-2008, trustedCertEntry,
Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
trustcenterclass2caii, 07-Jan-2008, trustedCertEntry,
Certificate fingerprint (MD5): CE:78:33:5C:59:78:01:6E:18:EA:B9:36:A0:B9:2E:23

$keytool -list -alias digicertassuredidrootca -keystore c:\Java\jdk1.6.0_21\jre\lib\security\cacerts
Enter keystore password:
digicertassuredidrootca, 07-Jan-2008, trustedCertEntry,
Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72

$keytool -import -alias oslsoahad1 -file cert_oslsoahad1.pem -keystore c:\product\10.1.3.1\OracleAS_1\jdk\jre\lib\security\cacerts
Enter keystore password:
Do you still want to add it? [no]: yes
Certificate was added to keystore

The same steps run from the JRE security directory itself: list the keystore, inspect the root CA certificate file before trusting it, then import it under an alias.

C:\product\10.1.3.1\OracleAS_1\jdk\jre\lib\security>
keytool -list -keystore cacerts
keytool -printcert -file rootcacert.pem
keytool -import -file rootcacert.pem -alias Cisco_CesiumRoot -keystore cacerts

2. Alternatively, point the JVM at a custom keystore location with the argument -Djavax.net.ssl.trustStore=/path/to/customtruststore.
In the JRE's lib/security directory there is a "cacerts" file representing the system-wide keystore of CA certificates.

For the verification to pass, the keystore must contain the actual certificate as well as the root and any intermediate certificates of its chain.

Certificate missing in keystore

When the JRE cannot build a chain from the server certificate to a trusted root in the keystore, the call fails with:

Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

exception during SOAP invoke: Server was unable to process request. —> Object reference not set to an instance of an object.; nested exception is: javax.xml.rpc.soap.SOAPFaultException: Server was unable to process request. —> Object reference not set to an instance of an object.
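The trust-store check behind the PKIX error above, as an added example that is not part of the original post: a throwaway root CA issues a server certificate, and openssl verify (standing in for the JRE's path validation) fails while the issuing root is absent from the trust store and succeeds once it is added. It assumes openssl on PATH; all names and paths are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway root CA
# and a server certificate issued by it, then reproduces the trust-store
# check the JRE performs: chain validation fails while the issuing root
# is absent from the trust store and passes once it has been added.
# Assumes openssl on PATH; all names and paths here are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Key pairs (openssl says "private key", but the file holds the RSA pair).
openssl genrsa -out "$WORK/ca_rsa.pem" 2048 2>/dev/null
openssl genrsa -out "$WORK/server_rsa.pem" 2048 2>/dev/null
openssl genrsa -out "$WORK/other_rsa.pem" 2048 2>/dev/null

# Self-signed root CA, plus an unrelated root standing in for the CA
# entries already in cacerts (none of which issued our server cert).
openssl req -x509 -new -batch -key "$WORK/ca_rsa.pem" -days 365 \
    -subj "/CN=Example Dev Root CA" -out "$WORK/rootcacert.pem" 2>/dev/null
openssl req -x509 -new -batch -key "$WORK/other_rsa.pem" -days 365 \
    -subj "/CN=Unrelated Root CA" -out "$WORK/other_root.pem" 2>/dev/null

# CSR for the server (the step the post mentions for a commercial CA),
# signed here by our own root instead.
openssl req -new -batch -key "$WORK/server_rsa.pem" \
    -subj "/CN=oslsoahad1.example.test" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/rootcacert.pem" \
    -CAkey "$WORK/ca_rsa.pem" -CAcreateserial -days 365 \
    -out "$WORK/cert_oslsoahad1.pem" 2>/dev/null

SERVER_CERT="$WORK/cert_oslsoahad1.pem"
TRUSTSTORE_WITHOUT_ROOT="$WORK/other_root.pem"
TRUSTSTORE_WITH_ROOT="$WORK/truststore.pem"
cat "$WORK/other_root.pem" "$WORK/rootcacert.pem" > "$TRUSTSTORE_WITH_ROOT"

# Mirrors the JRE's PKIX path check: exit 0 when the certificate chains
# to a root in the given trust store file, non-zero otherwise.
verify_against_truststore() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if verify_against_truststore "$TRUSTSTORE_WITHOUT_ROOT" "$SERVER_CERT"; then
    echo "unexpected: verified without the issuing root"
else
    echo "root missing from trust store: unable to find certification path"
fi
if verify_against_truststore "$TRUSTSTORE_WITH_ROOT" "$SERVER_CERT"; then
    echo "root present: certification path built"
fi
# JRE equivalent from the post: keytool -import -alias <alias> -file rootcacert.pem -keystore cacerts
```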

Patching

One thing to consider is to put the keystore outside the default location, as the default keystore might be replaced during patching.