Configure OSB Business Service to Call an External HTTPS Service

This writing shows the specific steps on how to configure an OSB business service to make an external HTTPS service call.

1.      Let’s start with the HTTPS site that you need call from OSB. You can retrieve the certificate(s) of the web site with Firefox. Follow the 7 steps (red marked circles on the screen shots) listed in the two screen shots (I used a bank site as an example)

Remember to repeat the 7 steps for each of certificate in the hierarchy in the 2^nd screen shot. After these, you should have 3 certificate files. One for the site, one is intermediate CA, and finally a root CA.

Note:

·        You can harvest certificate files from IE or Chrome, the exported file maybe in “.cer” format. Although you can import those “.cer” file into the key store successfully, I was told that it may not work. So you need to make sure your certificate file output in PEM format!

 

 

2.      Import certificates into DemoTrust  (or you designed trust store) store

keytool -import -keystore C:\Oracle\Middleware\wlserver_10.3\server\lib\DemoTrust.jks  -storepass DemoTrustKeyStorePassPhrase -trustcacertificates -file  certX.crt -alias certX 

where “certX.crt” is the certificate file.

Note: 

·        There are two key stores in WSL.

The “trust key store” is for storing external certificates that you “trust”, so WSL can talk to them.

The “identity key store” keeps both public/private key that identifies you, so external parties can identify you.

You can find your key store locations from “Environment->Servers”, click on your server, for example, osb_server1 in the sample screen below:

3.      What if the certificate is a wildcard certificate like *.example.com?

WLS doesn’t support wildcard certificate out of box. For WLS version before 10.3.6, you need to apply a patch. For 10.3.6, you need to follow this link http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#CHDIEIEE

Steps summary: login to WLS console, go to environment, servers, then OSB server, click on configuration, then SSL, then advanced, set custom host verifier, then set the custom verifier class to “weblogic.security.utils.SSLWLSWildcardHostnameVerifier”.

4. If the target service also require WS-name token, then you need to attach the wss-user-token-client-policy to the business service. Check the “security” tab, and make sure you have the matching create “basic.credentials” by default. Or you can use “overrides” to set a different credential, such as “idm.credentials”, technically you can name it anything, you need to make sure “idm.credentials” exits on “em” (under "weblogic domain", your domain name, right click, then select Security, Credentials) console just like “basic.crentials”.