1. Let’s start with the HTTPS site that you need to call from OSB. You can retrieve the certificate(s) of the web site with Firefox. Follow the 7 steps (red circles on the screen shots) shown in the two screen shots (I used a bank site as an example).
Remember to repeat the 7 steps for each certificate in the hierarchy shown in the 2nd screen shot. After this, you should have 3 certificate files: one for the site, one for the intermediate CA, and finally one for the root CA.
Note: You can also harvest certificate files from IE or Chrome, but the exported file may be in “.cer” format. Although you can import such a “.cer” file into the key store successfully, I was told that it may not work. So make sure your certificate file is output in PEM format!
2. Import the certificates into the DemoTrust store (or the trust store you designated):
    keytool -import -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -trustcacerts -file certX.crt -alias certX
where “certX.crt” is the certificate file (run the command once per certificate, with a distinct alias for each). Note that the keytool option is spelled “-trustcacerts”.
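Steps 1 and 2 can also be scripted instead of clicking through Firefox. The following is an added example (not from the original post): it fetches the chain the site presents with openssl, splits it into one PEM file per certificate, imports each into the trust store, and goes slightly beyond the text by handling chains of any length. It assumes openssl and keytool are on the PATH; the host name is a placeholder, and the store path and password are the DemoTrust values from step 2.

```shell
#!/bin/sh
# Added example: scripted version of "export the chain, then keytool -import each file".
# Assumes openssl and keytool on PATH. www.example.com is a placeholder host.

# Split a PEM bundle (as printed by `openssl s_client -showcerts`) into
# cert1.pem, cert2.pem, ... inside OUTDIR and print how many were written.
# Lines outside BEGIN/END markers (s:/i: subject lines, handshake chatter) are dropped.
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Fetch the chain presented by HOST:PORT. -servername sends SNI so a
# virtual-hosted site returns the certificate for that name, not a default one.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null
}

# Import every certN.pem in DIR into the trust store under alias certN.
# -noprompt skips the interactive "Trust this certificate?" question; the
# keytool option is -trustcacerts (not -trustcacertificates).
import_chain() {
    dir="$1"; store="$2"; pass="$3"
    for f in "$dir"/cert*.pem; do
        alias=$(basename "$f" .pem)
        keytool -import -noprompt -trustcacerts -keystore "$store" -storepass "$pass" \
                -file "$f" -alias "$alias"
    done
}

# Usage (placeholders):
#   fetch_chain www.example.com > chain.pem
#   split_chain chain.pem certs      # prints 3 for site + intermediate CA + root CA
#   import_chain certs DemoTrust.jks DemoTrustKeyStorePassPhrase
#   keytool -list -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
```

The final keytool -list is the check that the aliases actually landed in the trust store WLS reads; a certificate imported into the wrong .jks is the usual reason the handshake still fails.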
Note: There are two key stores in WLS. The “trust key store” holds external certificates that you “trust”, so WLS can talk to those parties. The “identity key store” keeps the public/private key pair that identifies you, so external parties can identify you. You can find your key store locations under “Environment->Servers”; click on your server, for example osb_server1 in the sample screen shot below:
3. What if the certificate is a wildcard certificate like *.example.com?
WLS doesn’t support wildcard certificates out of the box. For WLS versions before 10.3.6, you need to apply a patch. For 10.3.6, follow this link: http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#CHDIEIEE
Steps summary: log in to the WLS console, go to Environment, Servers, then the OSB server; click on Configuration, then SSL, then Advanced; set a custom host name verifier, then set the custom verifier class to “weblogic.security.utils.SSLWLSWildcardHostnameVerifier”.
4. If the target service also requires a WS-Security username token, then you need to attach the wss-user-token-client-policy to the business service. Check the “security” tab and make sure you have the matching credential, which is “basic.credentials” by default. Alternatively, you can use “overrides” to set a different credential, such as “idm.credentials”; technically you can name it anything, but you need to make sure “idm.credentials” exists in the “em” console (under "weblogic domain", your domain name, right click, then select Security, Credentials) just like “basic.credentials” does.