Posts Tagged 'KSS'

SSL using KSS

Published June 13, 2016 OSB Leave a Comment
Tags: , ,

In this post, we will use KSS (Keystore Service) for SSL setup. The screenshots showed in this post are based on SOA 12.2.1 but these steps remain same for 12.1.3 as well.

Creating Application Stripe:

ks1

ks2

stripe

Creating KSS Keystore:

kscreate

kssadmin

Creating Keypair:

kssmng

genkeypair

keypair

Oracle recommends key size to be more than equal to 1024. If we want to get it signed by any CA, we can generate CSR by clicking Generate CSR which is recommended for Production env. But for Development purpose we can use this keystore as it is.

keypair1

Clicking on alias name will bring up the following screen showing the certificate information.

cert

Configuring 1-Way SSL:

Enable SSL port by navigating to Environment –> Severs-> Admin Sever –> General.

sslport

Go to Keystores tab. Click Change to select Custom Identity and Custom  Trust as shown below and click Save to save the changes.

customkss

Modify Custom Identity and Trust stores as shown below. observe the usage of system trust store kss://system/trust. Oracle recommends this approach to simplify the trusted certificates setup.

customkss2

Go to SSL tab and give the Private key alias as shown below. Here give the password as “password” and click Save. See related note at end of this post.

ssl

Go to Advanced settings and set Hostname verification to None and also set Two way Client Cert Behavior to Clients Certs not Required as we are doing setup for 1-way SSL. This setting will enforce WLS server not to request client certificates.

advc

Restart the server and now we should be able to access admin console using HTTPS URL like http://localhost:7002/console.

Similarly, configure OSB managed server using same Keystore or by creating a new one similar to above as shown in the following screenshots.. Restart the server after changes.

osbssl

customkss2

ssl

Enable HTTPS for OSB proxy service as shown below.

proxyhttps

And now we should be able to access the proxy service WSDL using HTTPS URL like https://localhost:7008/entity/CustomerService?wsdl

Refer to this post for 2-way SSL setup and follow below steps to import the certificate into trust store.

trust

trust1

importcert

importcert1

Note that KSS does not support certificate in binary format which is the default encoding used by JKS. We can use –rfc option of keytool command to export the certificate into printable encoding format as shown below.

keytool -export -keystore .\soakeystore.jks -file cert.cer -alias localsoa -rfc

Note:

When no Private Key Passphrase is mentioned in the SSL tab, em console is not accessible and following errors are shown in the log.

em

References:

https://docs.oracle.com/middleware/1212/owsm/OWSMS/configure-owsm-ssl.htm#OWSMS119

https://docs.oracle.com/middleware/1212/idm/JISEC/kssadm.htm#JISEC9596

Advertisement

Pages

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 379 other subscribers

Enter your email address to follow this blog and receive notifications of new posts by email.

%d bloggers like this: