> Introducing Trading Partner Integration > Example: ebXML Security Configuration

Introducing Trading Partner Integration

     Previous  Next    Open TOC in new window  Open Index in new window  View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Example: ebXML Security Configuration

This example demonstrates how to configure the security settings for ebXML message exchange between trading partners over HTTPS protocol through a proxy server. Although any proxy server can be used in this configuration, the example demonstrates how to configure the iPlanet Web Server 6.0 (Sun ONE 6.0) as the proxy server. A demonstration version of this server is available for download at http://wwws.sun.com/software/download/products/3f186391.html.

This example involves two trading partners. Trading Partner 1 is configured in WebLogic Integration and Trading Partner 2 is configured in WebLogic Integration - Business Connect as shown in the following figure:

In the preceding figure:

Note: In production scenarios, firewalls are usually configured between WebLogic Integration and the proxy server and between the proxy server and WebLogic Integration - Business Connect. To keep the IP addresses simple in this sample, the firewalls are left out of the examples.

The following topics is discussed in this section:

Before You Begin

This topic provides links to suggested tutorial which you can complete before starting on this sample if you are unfamiliar with WebLogic Integration and WebLogic Server concepts.

Step 1: Generating a Test Certificate

To be able to run this example, you need to generate a test certificate to use as client and server certificate for WebLogic Integration and WebLogic Server. This section describes how to generate this certificate using the OpenSSL tool.

Step 2: Configuring Keystores for WebLogic Integration

Before you can import the test certificate you created in the previous section, you need to configure the keystores accordingly. This section will show you how to do just that.

Step 3: Configuring the Local Trading Partner in WebLogic Integration

In this section, you configure the default trading partner Test_TradingPartner_1 to be your local trading partner in WebLogic Integration. You then edit the trading partner bindings and add the appropriate certificates to the trading partner and keystore. Lastly, you export the trading partner information into a file which you later on use to configure the Partner Profile in WebLogic Integration - Business Connect.

Step 4: Configuring the SSL Settings in WebLogic Server

After you have loaded the certificates into the keystore, you need to go back to the WebLogic Server Console and configure the SSL settings with the appropriate aliases for the certificates in the keystore. This section provides a step by step procedure for how to configure the correct server SSL settings.

Step 5: Exporting the WebLogic Integration Trading Partner Data

In this section, you export the local trading partner information from WebLogic Integration into an xml file. Later on, you use this xml file to configure the remote trading partner in WebLogic Integration - Business Connect.

Step 6: Configuring the Company Profile in WebLogic Integration - Business Connect

In this step, you create a Company Profile in WebLogic Integration - Business Connect and configure that profile with local trading partner information. You then export the Company Profile into a file which you later on use to configure the remote trading partner in WebLogic Integration.

Step 7: Configuring the Remote Trading Partner in WebLogic Integration

In this section, you import the file which you exported from WebLogic Integration - Business Connect in the preceding section and configure the information imported to be used as the remote trading partner profile.

Step 8: Creating Services and Service Profiles in WebLogic Integration

In this step, you configure the Services and the Service profiles for the local and the remote trading partner profiles in WebLogic Integration.

Step 9: Configuring the iPlanet Server

In this procedure, you complete the iPlanet proxy server configuration install the appropriate server and trusted certificates needed for the message exchange between your two trading partners.

Step 10: Configuring the Partner Profile in WebLogic Integration - Business Connect

In this last step, you complete the configuration of the WebLogic Integration - Business Connect by importing the trading partner profile which you previously exported from WebLogic Integration. You then import the appropriate client, server, and trusted certificates needed for the message exchange between your two trading partners.

Related Topics

Managing WebLogic Security

Using WebLogic Integration - Business Connect

Trading Partner Integration Security

Guide to Building Business Processes

Using WebLogic Integration - Business Connect

 

Before You Begin

The instructions in this sample is geared towards users that are already familiar with WebLogic Integration tasks and procedures.

 

Step 1: Generating a Test Certificate

Before you can configure and run this example, you need to generate a certificate which you will later on import into your WebLogic Integration keystore. Once the certificate is imported into the keystore, you can use it as an encryption, a signature, or a client certificate for WebLogic Integration and also as a WebLogic Server certificate. In a production environment, you would most likely have several certificates, but since this example is for testing only, you use one certificate for both client and server purposes.

You can generate the test certificate using any tool, however, the procedures in this section describe how to generate the certificates using OpenSSL. This is an open source tool which can be downloaded from www.openssl.org.

Before you create the certificate, you need to create the a Public/Private key pair that you then use to create the test certificate. If you are running OpenSSL in a Windows environment, you must first complete the Configuring Windows to Run OpenSSL below, before you can create the key pair.

This step includes the following procedures:

Configuring Windows to Run OpenSSL

The following steps should be completed to configure your Windows environment to run OpenSSL:

  1. In a DOS command window, type the following to set the OPENSSL_CONF environment variable to point to the OpenSSL configuration file:

    2. $ set OPENSSL_CONF=c:\openssl-[X.X.X]-src\apps\gencert.conf

    Where [X.X.X] is the version of your OpenSSL installation, for example 0.9.7.

    Note: Due to the fact that Internet Explorer uses files of the type .cnf for Speed Dial configuration files, the OpenSSL configuration file might appear without the .cnf suffix and may have a shortcut icon.
  2. Randomly select any five large files on your hard drive and then copy them to a folder where you intend to create the keys and certificates.
  3. Rename the files to file1, file2, file3, file4, and file5. These files will be used by the OpenSSL facility to create the public/private key pair.
  4. Verify that your path includes c:\openssl\bin.

You are now ready to create a public/private key pair using OpenSSL.

Creating a Public/Private Key Pair

The following section describes how to create 1024-bit RSA public/private key pair using OpenSSL:

In a DOS command window, type the following:

$ openssl genrsa rand file1:file2:file3:file4:file5 out WLCert.key 1024

where file1:file2:file3:file4:file5 represents the five large files you created in Configuring Windows to Run OpenSSL.

You are now ready to create any type of X.509 certificate using OpenSSL.

Generating the Test Certificate

To generate the self-signed test certificate, complete the following procedure:

  1. In a DOS command window, type the following:

    2. $ openssl req new key WLCert.key out WLCert.csr

  2. In a DOS command window, type the following:

    3. $ openssl x509 req days 30 -in WLCert.csr signkey WLCert.key -outWLCert.crt

    You should now have two new files, WLCert.key and WLCert.crt, in your directory.

 

Step 2: Configuring Keystores for WebLogic Integration

Digital certificates are stored in two types of keystores in WebLogic Integration:

This example assumes that you have created your own keystores and trusts. However, you can also complete this example by using the demonstration keystore file (DemoIdentity.jks) and the demonstration trust (DemoTrust.jks) that are part of your WebLogic Server installation and therefore WebLogic Integration installation. These Java Key Store files are located in the following location:

BEA_HOME\weblogic92\server\lib\

where BEA_HOME is the directory in which you installed your product.

Since the underlying server used by WebLogic Integration is the WebLogic Server application, this section demonstrates how to use the WebLogic Server Administration Console to configure the keystores.

To configure the keystores:

  1. Start your WebLogic Server:
  2. Open the WebLogic Server Console.

    3. From WebLogic Integration, you do this by selecting ToolsArrow symbolWebLogic ServerArrow symbolWebLogic Console.

  3. Login using the username and password specified when you created the WebLogic Integration domain. (The default username and password for the default domains is weblogic/weblogic.)
  4. In the left pane, navigate to ServersArrow symbolserver_name
    Where server_name is the name of your WebLogic Server.
  5. Select the Keystores tab.
  6. From the Keystores drop-down menu, select Custom Identity And Custom Trust, as shown in the following figure:



  7. Click Continue.

    8. The Configure Keystore Properties screen appears.

  8. In the fields described, enter the following information:

    9. Custom Identity

    • Custom Identity Key Store File Name: The fully qualified path to your identity keystore.
      If you are using the demonstration keystores, enter BEA_HOME\weblogic92\server\lib\DemoIdentity.jks

      • Where BEA_HOME is the directory in which you installed WebLogic Server.

    • Custom Identity Key Store Type: The type of the keystore. Generally, this attribute is JKS. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
      If you are using the demonstration keystores, enter JKS.
    • Custom Identity Store Pass Phrase: The password defined when creating the keystore. Confirm the password.
      If you are using the demonstration keystores, enter DemoIdentityKeyStorePassPhrase.

      • Note: This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, WebLogic Server only reads from the keystore so a passphrase is not required, however, WebLogic Integration writes to keystores and therefore requires a passphrase.

      Custom Trust

    • Custom Trust Store File Name: The fully qualified path to your trust keystore.
      If you are using the demonstration keystores, enter BEA_HOME\weblogic92\server\lib\DemoTrust.jks.

      • Where BEA_HOME is the directory in which you installed WebLogic Server.

    • Custom Trust Key Store Type: The type of the keystore. Generally, this attribute is JKS. If this attribute is not specified, the default keystore type defined in the security policy file for the JDK is used.
      If you are using the demonstration keystores, enter JKS.
    • Custom Trust Key Store Pass Phrase: The password defined when creating the keystore. Confirm the password.
      If you are using the demonstration keystores, enter DemoTrustKeyStorePassPhrase.

      • Note: This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. Some keystores do not require the passphrase to read from the keystore. Whether or not you define this property depends on the requirements of the keystore. For example, WebLogic Server only reads from the keystore so a passphrase is not required, however, WebLogic Integration writes to keystores and therefore requires a passphrase.

  9. Click Save.
  10. Click SSL tab. You use this screen to configure the SSL configuration for your WebLogic Server.



Note: However, since you need to load the private key you created in Creating a Public/Private Key Pair into the keystore before you can configure the SSL settings, you can minimize this window for now. Instead restart your WebLogic Server and continue to the next section, Step 3: Configuring the Local Trading Partner in WebLogic Integration, which includes loading the private key into the keystore.

To learn more about the setting you just entered, see "Configuring Keystores" in Configuring SSL.

 

Step 3: Configuring the Local Trading Partner in WebLogic Integration

WebLogic Integration contains two default trading partners named Test_TradingPartner_1 and Test_TradingPartner_2. In this section, you configure Test_TradingPartner_1 to be your local trading partner in WebLogic Integration. You then export the trading partner data into a WebLogic Integration - Business Connect format file. This file, you use later to configure the remote trading partner in WebLogic Integration - Business Connect.

Note: Before you start any of the procedures in this section, you must have configured your keystores as described in Step 2: Configuring Keystores for WebLogic Integration and restarted your WebLogic Server after completing the keystore configuration.

This section contains the following procedures:

Configuring the Local Trading Partner

The following procedure describes how to configure the default trading partner Test_TradingPartner_1 to act as the local trading partner in your WebLogic Integration application:

  1. If it is not already running, start your WebLogic Server.
  2. Open the WebLogic Integration Administration Console.
  3. Navigate to Trading Partner ManagementArrow symbolProfile Management

    4. The View and Edit Trading Partner Profiles screen appears with the two trading partners Test_TradingPartner_1 and Test_TradingPartner_2 listed, as shown in the following figure:

    Since you are going to import the configuration for the remote trading partner from WebLogic Integration - Business Connect later on, you can delete Test_TradingPartner_2 from the list.

  4. Select Test_TradingPartner_2 by clicking on the option box next to it.
  5. Click Delete.

You now need to add the appropriate certificates to your local trading partner so that they will be imported into the keystore.

Adding the Test Certificate to the Keystore

The following procedure describes how to add the certificate, which you created in Generating the Test Certificate, to your local trading partner configuration:

  1. Click Test_TradingPartner_1.

    2. The details of your trading partner, including general information, bindings, and certificates are displayed. Note that there are no certificates configured for this trading partner.

  2. Click Add Certificate

    3. The Add Certificate (Step 1 of 2) screen appears.

  3. Select the Import certificate from file option.
  4. Click Next >

    5. The Add Certificate (Step 2 of 2) screen appears. You use this screen to import a client certificate file to be stored in the key store and used by the local trading partner. However, before you can create the client certificate, you have to create a pass word alias.

  5. Click Add alias..., as shown in the following figure.



    6. The Add New Password Alias screen appears.

  6. In the Password Alias Name field, enter TP1-client.
  7. Enter TP1Client as password to use for this alias and confirm it.
  8. Click Submit.

    9. The Add Certificate (Step 2 of 2) screen appears again, with the alias values you just entered.

  9. In the Name field, enter TP1ClientCert.
  10. From the Type drop-down list, select CLIENT.
  11. Next to the Import Certificate Location, click Browse.
  12. Navigate to the WLCert.crt file which you created in Generating the Test Certificate.
  13. Next to the Private Key Location, click Browse.
  14. Navigate to the WLCert.key file which you created in Generating the Test Certificate.
  15. Make sure that the Import Certificate in Keystore option is selected.
  16. Click Create certificate.

By selecting CLIENT from the Type drop-down list, you specified the certificate to be a client certificate. You can add a signature certificate by using this same procedure, but instead selecting SIGNATURE from the Type drop-down list.

You can review all your configurations of the Test_TradingPartner_1 trading partner by navigating to Trading Partner ManagementArrow symbolProfile Management and clicking on the Test_TradingPartner_1 trading partner.

The next step is to edit the protocol bindings for your trading partner.

Editing the Trading Partner Binding

The default trading partner you just configured to be the local trading partner for WebLogic Integration, contains two ebXML default bindings. The following steps describes how to edit the ebXML 2.0 binding with the correct transport protocol and signature settings:

  1. In the left pane, click Bindings.
  2. From the Name drop-down list, select Test_TradingPartner_1.
  3. Click Go.

    4. The Edit Binding screen appears.

  4. In the list of bindings, click TP1-ebxml20-binding.

    5. The View Binding Details screen appears

  5. Click Edit Binding.
  6. Make the following edits:

    7. Transport Configuration

    • Transport Protocol: HTTPS
    • End Point: specify the URL to use https instead of http protocol and change the port number to the SSL port number to the port number of your WebLogic Server domain.This is usually the even number immediately following your local port number. For example, for local port number 7001, the SSL port number is 7002.
  7. Click Submit.

Your new binding settings are saved. To learn more about how to configure ebXML bindings including how to configure signatures and signature transforms, see "Adding Protocol Bindings to a Trading Partner" in Trading Partner Management.

Since you have completed the configuration of the local trading partner and have imported the test certificate into the keystore, you can now return to the WebLogic Server console and configure the SSL settings.

 

Step 4: Configuring the SSL Settings in WebLogic Server

Although you specified the certificate you loaded into the keystore as a client certificate when you configured the WebLogic Integration, for testing purposes you can also use this certificate as the server certificate for WebLogic Server. You just have to configure the server with the correct alias in the SSL settings.

You configure the SSL settings on the WebLogic Server in the WebLogic Console:

  1. If the console window you opened in Step 2: Configuring Keystores for WebLogic Integration is still opened, return to it. If not, complete the following procedure:
    1. If not already started, start your WebLogic Server:
    2. Open the WebLogic Server Console.

      3. From WebLogic Integration, you do this by selecting ToolsArrow symbolWebLogic ServerArrow symbolWebLogic Console.

    3. Login using the username and password specified when you created the WebLogic Integration domain. (The default username and password for the default domains is weblogic/weblogic.)
    4. In the left pane, navigate to ServersArrow symbolserver name
      Where server name is the name of your WebLogic Server.
    5. Select the Keystores & SSL tab.
    6. Scroll down to the SSL Configuration part of the screen and click Change.
    7. From the Identity and Trust Locations drop-down menu, select Key Stores.
    8. Click Continue.
  2. On the Review SSL Private Key Settings screen, enter the following information:
  3. Click Continue.

    4. An alert screen appears, which informs you that you need to restart your server. You can ignore this for now, instead restart your server after you have completed all the SSL configuration steps.

  4. Click Finish.

    5. The Keystore Configuration screen appears.

  5. Scroll to the end of the screen and click Show to display the Advanced Options. The Advanced options is where you configure mutual authentication.
  6. From the Two Way Client Cert Behavior, select Client Certs Requested And Enforced. This option assures mutual authentication behavior.
  7. Click Apply.

    8. To learn more about the settings you just entered, see "Configuring Two-Way SSL" in Configuring SSL.

  8. If you have not already done so, restart the WebLogic Server.
  9. If the keystores are configured correctly, you should see details similar to the following in the WebLogic Sever Log:

    10. <Feb 1, 2007 4:11:45 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326505038> <BEA-090082> <Security initializing using security realm myrealm.>

    <Feb 1, 2007 4:11:49 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326509604> <BEA-000365> <Server state changed to STANDBY>

    <Feb 1, 2007 4:11:49 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326509604> <BEA-000365> <Server state changed to STARTING>

    <Feb 1, 2007 4:12:04 PM IST> <Warning> <HTTP> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326524145> <BEA-101369> <weblogic.servlet.internal.WebAppServletContext@1dab0f0 - appName: 'BEA_WLS_DBMS_ADK', name: 'BEA_WLS_DBMS_ADK_Web', context-path: '/BEA_WLS_DBMS_ADK_Web': The encoding jsp-descriptor param has been deprecated. Consider declaring the encoding in the jsp-config element (web.xml) or as a page directive (pageEncoding) instead.>

    <Feb 1, 2007 4:12:18 PM IST> <Notice> <Log Management> <achepuri02> <examplesServer> <[STANDBY] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326538816> <BEA-170027> <The server initialized the domain log broadcaster successfully. Log messages will now be broadcasted to the domain log.>

    <Feb 1, 2007 4:12:19 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326539377> <BEA-000365> <Server state changed to ADMIN>

    <Feb 1, 2007 4:12:19 PM IST> <Notice> <WebLogicServer> <achepuri02> <examplesServer> <Main Thread> <<WLS Kernel>> <> <> <1170326539407> <BEA-000365> <Server state changed to RESUMING>

    <Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541089> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file C:\bea_GA\WEBLOG~1\server\lib\DemoIdentity.jks.>

    <Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541360> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\bea_GA\WEBLOG~1\server\lib\DemoTrust.jks.>

    <Feb 1, 2007 4:12:21 PM IST> <Notice> <Security> <achepuri02> <examplesServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1170326541370> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\bea_GA\JROCKI~1\jre\lib\security\cacerts.>

    <Feb 1, 2007 4:12:21 PM IST> <Error> <Server> <achepuri02> <examplesServer> <DynamicListenThread[Default[2]]> <<WLS Kernel>> <> <> <1170326541620> <BEA-002606> <Unable to create a server socket for listening on channel "Default[2]". The address 127.0.0.1 might be incorrect or another process is using port 7001: java.net.BindException: Address already in use: JVM_Bind.>
    .
    .
    .

You have now completed the WebLogic Server configuration. To learn more about WebLogic Server SSL configuration, see Configuring SSL. The next step is to export the Test_TradingPartner_1 data so that you can import this data later on when you configure the remote trading partner in WebLogic Integration-Business Connect.

 

Step 5: Exporting the WebLogic Integration Trading Partner Data

Instead of configuring both the company profile and partner profile by going through the configuration screens in WebLogic Integration-Business Connect, you can import data that has been exported from WebLogic Integration directly into WebLogic Integration-Business Connect and have the partner profile automatically configured To export the WebLogic Integration trading partner data into a WebLogic Integration-Business Connect compatible format, complete the following procedure:

  1. If it is not already running, start your WebLogic Server.
  2. Open the WebLogic Integration Administration Console.
  3. Navigate to Trading Partner ManagementArrow symbolProfile Management
  4. In the left pane, click Import/Export.
  5. In the Import/Export pane, select Export.
  6. Select the Trading Partner option.
  7. Click Browse next to Trading Partner.
  8. Deselect all but the Test_TradingPartner_1 trading partner.
  9. Click Done.
  10. For the Format option, select Business Connect.
  11. Click Export.
  12. If a File Download dialogue opens, click Save.
  13. In the Save As window navigate to a location in which you want to save the exported file to.
  14. Enter TP1.xml as the filename and click Save.
    15. Note: Remember the navigation path to the file. You will need this when you import your trading partner information into the WebLogic Integration - Business Connect application.

You have completed the WebLogic Integration local trading partner configuration. To learn more about creating, configuring, and managing trading partners in WebLogic Integration, see Trading Partner Management.

You can create your remote trading partner in WebLogic Integration using the procedures you just completed for Test_TradingPartner_1. However, in this example you take a short cut by importing the company profile settings from WebLogic Integration - Business Connect and use that as the remote trading partner.

The next step shows you how to configure a trading partner named Test_TradingPartner_2 as the company profile partner in the WebLogic Integration - Business Connect application and how to export the company profile information into a file that you can then import into WebLogic Integration.

 

Step 6: Configuring the Company Profile in WebLogic Integration - Business Connect

In WebLogic Integration - Business Connect, creating trading partners involves setting up a company profile and then configure certificates for that profile. You can then export the profile to be used later when you configure the remote trading partner in WebLogic Integration. This section contains the following procedures:

Creating and Configuring a Company Profile in WebLogic Integration - Business Connect

In this section, you create and configure a company profile of in the WebLogic Integration - Business Connect:

  1. Start the Weblogic Integration - Business Connect Administration tool by selecting StartArrow symbolProgramsArrow symbolBEA WebLogic Integration - Business Connect 8.1Arrow symbolAdministrator.
  2. Log in.
  3. On the Administrator bar, click Company Profiles.

    4. The Company Profiles information viewer opens.

  4. Click New

    5. The New Company Profile dialog window opens.

  5. Enter the following:
    • Name: Test_TradingPartner_2
    • ID: 000000002
  6. Click OK.

    7. The Company Profile window opens with the Identity tab selected.

  7. Configure the company profile with the details shown in the following figure:



  8. Select the Inbound Protocols tab.
  9. Click Add.

    10. The Add Protocol window opens.

  10. From the Select the protocol to add drop-down menu, select ebXML.
  11. From the Select the transport to use drop-down menu, select HTTPS.
  12. Click OK.

    13. The HTTPS Transport Options window opens with the following values displayed:

    • Port— is the port number where the WebLogic Integration - Business Connect HTTPS server is listening for inbound HTTPS documents. You must have a separate HTTPS port for each company profile that uses bundled HTTPS. The default port is 1443.
    • Authenticate— enables two-way SSL. That is, this option require your partners' HTTPS clients to authenticate the SSL connection with you using their certificates.
    • URL—is the system-defined alias for the bundled HTTPS server in WebLogic Integration - Business Connect. You cannot change the value in the field. The alias is used for security for your system. If WebLogic Integration - Business Connect is installed behind a firewall, see "Editing URLs to compensate for firewalls" in Company Profiles in Using WebLogic Integration - Business Connect.
      • Note: WebLogic Integration - Business Connect obtains the computer name in the URL from the host name field on the General tab in ToolsArrow symbolPreferences. The host name is the computer that is running the Server application.
  13. Click OK.

    14. The New Company Certificate dialog window opens.

  14. Click Yes.

    15. The New Certificate window opens.

  15. Select Generate self-signed certificates to generate a certificate that can be used both as the WebLogic Integration - Business Connect server and client certificate. Since it is self-signed, CA is embedded in the certificate.
  16. Click Next.

    17. The New Certificate Key, Select Key Type window opens.

  17. Accept the defaults and click Next.

    18. The New Certificate, Summary Window opens.

  18. Click Finish.

You have completed the company profile configuration. The next step is to export the company profile information so that you can use this to create the remote trading partner in WebLogic Integration and the server certificate in the iPlanet proxy server.

Exporting the Company Profile Information

The following steps describes the exporting procedure:

  1. On the Administrator bar, click Company Profiles.

    2. The Company Profiles information viewer opens.

  2. Right-click on the Test_TradingPartner_2 profile and select Export from the menu.

    3. The Export Company Profile window opens.

  3. Select XML partner profile.
  4. Enter TP2.xml as the export file name and remember the path to the export file location. You will need this when you import the information into WebLogic Integration and iPlanet.
  5. Click OK.

You have successfully exported the company profile from WebLogic Integration - Business Connect. To learn more about WebLogic Integration - Business Connect company profiles and certificates, see Using WebLogic Integration - Business Connect.

Before you can configure the remote trading partner information in a Partner Profile for WebLogic Integration - Business Connect, you need to install and configure the iPlanet Proxy Server. This is because some of the certificates you need for the Partner Profile are created during the iPlanet configuration. So for now, you leave WebLogic Integration - Business Connect and complete the WebLogic Integration remote trading partner configuration and then proceed to the iPlanet configuration.

 

Step 7: Configuring the Remote Trading Partner in WebLogic Integration

In this section, you create a remote trading partner in the WebLogic Integration application by importing the company profile information which you exported from WebLogic Integration - Business Connect in Exporting the Company Profile Information .

The following steps describes the importing procedure:

  1. If it is not already running, start your WebLogic Server.
  2. Open the WebLogic Integration Administration Console.
  3. Navigate to Trading Partner ManagementArrow symbolProfile Management
  4. In the Import/Export pane, click Import.
  5. In the File Name field, enter the path to TP2.xml location to the file you exported from WebLogic Integration - Business Connect in Exporting the Company Profile Information.
  6. Select Business Connect as the Import Format.
  7. Click Import.

After successfully importing the trading partner information, remember to review the new trading partner profile and make sure that the end point URL is correct. You do this by navigating to Profile Management, clicking on Test_TradingPartner_2, and clicking on its binding. When you click on Test_TradingPartner_2, note that three certificates (client, server, signature) were automatically created in the Company Profile in WebLogic Integration - Business Connect and imported into WebLogic Integration.

Now that you have configured both the local and the remote trading partner for WebLogic Integration, the next step is to add services and service profiles to those trading partners.

 

Step 8: Creating Services and Service Profiles in WebLogic Integration

Once the Test_TradingPartner_1 and Test_TradingPartner_2 configurations are completed, you have to create services and corresponding service profiles for those trading partners.

In WebLogic Integration:

To be able to configure the services correctly, the business process which initiates the ebXML message exchange must be currently deployed. This section contains the following procedures:

Creating the Trading Partner Service

Complete the following steps to add a service to your trading partner profiles.

  1. Deploy your ebXML initiator business process.

    2. If you are not familiar with how to build and deploy ebXML business processes, consider completing one of the exercises in Tutorials: Building ebXML Solutions.

  2. In the WebLogic Integration Administration Console, navigate to Trading Partner ManagementArrow symbolService Management.
  3. In the left pane, click Create New.

    4. The Add Service screen appears.

  4. Click Browse and navigate to the appropriate service control.
  5. From the Type drop-down menu, select Service Control.
  6. From the Business Protocol drop-down menu, select EBXML.
  7. Click Add Service.

Your service is created and the View And Edit Service Details screen appears on which you add the service profile.

Creating the Service Profile

After you have created the trading partner service, you create a service profile which specify the protocol binding and URL endpoints for the local and remote trading partners that offer and call the service. The following procedure describes how to add a service profile:

  1. On the View And Edit Service Details screen, click Add Service Profile.

    2. The Add Service Profile screen is displayed.

  2. From the Name drop-down menus, select your LOCAL and REMOTE trading partners.
  3. Specify your LOCAL and REMOTE trading partners according to the following table:

    4. Table 4-5 Local and Remote Trading Partners 
     
    LOCAL
    REMOTE
    Name
    Test_TradingPartner_1
    Test_TradingPartner_2
    Binding
    wli-ebxml20-secure-binding
    wli-ebxml20-secure-binding

    Note: Make sure you change the endpoint URLs to use https, not http. If they are set to the wrong protocol, follow the directions in Editing the Trading Partner Binding to select the correct one.
  4. Click Submit.
  5. On the next screen, click Yes to begin configuring authentication.
  6. From the Choose type of Authentication Mode options, select Mutual for both the LOCAL and REMOTE trading partners.
    7. Note: Although it is not enforced, typically the same type of authentication is selected for both the local and remote trading partner.
  7. Click Next.
  8. On the next screen, select:
    1. TP1-clt as the client certificate for the LOCAL trading partner.
    2. xxxx-client as the client certificate for the REMOTE trading partner.
    3. xxxx-server as the server certificate for the REMOTE trading partner.

      4. Where xxxx is a number which was randomly generated when you imported the WebLogic Integration-Business Connect self-signed certificate file.

  9. To preview to the configuration, click Preview config.
  10. Click Add.

    11. Authentication is added and the View and Edit Service Details page is displayed.

    Note: If there is an error, the Add Authentication page is redisplayed. A message indicating the problem is displayed above the input requiring correction.

You have now created a service and its service profile. To learn more about services and service profiles, see "Adding Services" and "Adding Service Profiles to a Service" in Trading Partner Management. The next step is to configure the iPlanet SSL settings and then proceed to complete the configuration of WebLogic Integration - Business Connect.

 

Step 9: Configuring the iPlanet Server

This section describes how to configure your iPlanet Web Server as the proxy server for this sample.

If you do not already have iPlanet Web Server installed, you can download it from Sun's website the following location: http://wwws.sun.com/software/download/products/3f186391.html

Refer to the product documentation to install and start the iplanet admin and managed server.

This section contains the following procedures:

Creating the Trust Database

Before you can configure your iPlanet server certificates, you have to create a trust database in which to store the certificates. To do so, complete the following procedure:

  1. Open the iPlanet administration console.
  2. Navigate to ServersArrow symbolMange Servers.
  3. Select a managed server and click Manage.

    4. The Managed Server Configuration screen appears.

  4. Select the Security tab.
  5. Click Create Database.
  6. Enter and confirm a password for the database.
  7. Click OK.

A dialog window confirming the successful initialization appears. The next step is to request a trial digital certificate from Verisign which you use as the server certificate for iPlanet and also imported later on into the Partner Profile in WebLogic Integration - Business Connect.

Requesting a Trial Digital Certificate from Verisign

You can request a trial digital certificate from Verisign to use for testing purposes. The certificate is valid for a limited number of days. To request a certificate, complete the following steps:

  1. Navigate to Managed Server ConsoleArrow symbolSecurityArrow symbolRequest a Certificate.
  2. Select the New certificate option.
  3. From the Submit to Certificate Authority via option, select CA Email Address and enter your email address.
  4. From the Cryptographic Module drop-down list, select internal.
  5. In the Key Pair File Password field, enter the password you want to use as the iPlanet server private key password.
  6. Enter your name and contact information details in the remaining fields.
  7. Click OK.

    8. A confirmation message is displayed in the Managed Server Console.

  8. Copy all the text between -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- and paste it into a text file. This is your certificate request which you send to a certificate authority such as Verisign.
  9. Using a web browser, navigate to http://www.verisign.com/products/srv/trial/step1.html.
  10. Follow the directions on the Verisign site.

    11. After you complete the request, Verisign will send you an email with the digital certificate. Copy the content and save it in a file named iPlanetServer.pem. This file is your digital certificate for the iPlanet Server.

You have completed the trial digital certificate request process. The next step is to install the digital trial certificate as the iPlanet server certificate.

Installing the iPlanet Server Certificate

You are now ready to install the server certificate for iPlanet. The following procedure describes the steps to complete:

  1. Navigate to Managed Server ConsoleArrow symbolSecurityArrow symbolInstall Certificate

    2. The Install a Server Certificate screen appears.

  2. Enter the following information:
  3. Click OK.

    4. The Add Server Certificate screen appears with the details of the certificate you are adding.

  4. Click Add Server Certificate.

You have successfully added the server certificate. The next step is to download and convert the trusted CA server certificate.

Requesting a Trusted CA Certificate from Verisign

In addition to the server certificate you just installed, you also need a trusted certificate from an Certificate Authority such as Verisign. To request a trusted certificate from Verisign, complete the following procedure:

  1. Using a web browser, navigate to http://www.verisign.com/server/trial/faq/index.html to retrieve a CA certificate for the iPlanet server from Verisign.
  2. Click Accept.
  3. Save the certificate on your local drive as a file named iPlanetCA.der.

The server certificate is in binary format. Before you can use it with iPlanet, you must convert it to PEM format. The der2pem command line utility included with WebLogic Server can be used to convert the certificate. To learn how to use the utility, see "der2pem" in Using the WebLogic Server Java Utilities in the WebLogic Server Command Reference at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs92/admin_ref/utils.html

Follow the procedure described to convert the iPlanetCA.der file to iPlanetCA.pem.

Note: A DER format file contains binary data and can only be used for a single certificate. A PEM format file supports multiple digital certificates. For example, a certificate chain can be included. The order of the files is important, they should be in the order of trust. The server digital certificate should be the first digital certificate in the file, the issuer of the digital certificate should be next, and so on, until you get to the self-signed root certificate authority certificate.

After you have completed the conversion, the next step is to install the trusted CA certificate.

Installing the Trusted CA Certificate

To install the trusted certificate you just requested, do the following:

  1. Navigate to Managed Server ConsoleArrow symbolSecurityArrow symbolInstall Certificate
  2. Enter the following information:
  3. Click OK.

    4. The Add Server Certificate screen appears with the details of the certificate you are adding.

  4. Click Add Server Certificate.

You have successfully installed the trusted CA certificate.

The next step is to install the WebLogic Integration - Business Connect certificate.

Installing the WebLogic Integration - Business Connect certificate

Use the procedures described in Installing the Trusted CA Certificate to import the TP2.xml file which you exported in Exporting the Company Profile Information to create WebLogic Integration - Business Connect CA certificate for your iPlanet server.

You have now successfully installed the necessary iPlanet certificates. There is just one final step required to get the iPlanet configuration to work with SSL.

Configuring iPlanet for SSL

  1. Open the iPlanet administration console.
  2. Navigate to ServersArrow symbolMange Servers.
  3. Select PreferenceArrow symbolEdit Listen Sockets.
  4. In the Security column, select On.
  5. Click OK.
  6. Click Attributes.
  7. In the Client Authorization column, click Off to change it to On. This assures mutual authentication.
  8. As the final configuration step, you need to modify two of the installed iPlanet configuration files:
    • To your obj.conf file add the following lines of code:

      • <Object name="myProxy" ppath="*">
      PathCheck fn="get-client-cert" method="(GET|POST)" dorequest="1"
      Service fn=wl_proxy FileCaching="OFF" Debug="ALL" KeepAliveEnabled=false DebugConfigInfo="ON" WebLogicHost=172.16.17.183\
      WebLogicPort=7001 WLLogFile="C:/depot/newlog.txt" SecureProxy="OFF" WLProxySSL="ON" RequireSSLHostMatch="False"
      </Object>

    • To your magnus.conf file, add the following lines of code:

      • Init fn="load-modules" shlib="D:/iPlanet/Servers/bin/https/bin/proxy36.dll" funcs="wl_proxy,wl_init"
      Init fn="wl_init"

This concludes the iPlanet configuration step. To learn more about the settings you just configured, see Installing and Configuring the Netscape Enterprise Server Plug-In in Using Web Server Plug-Ins With WebLogic Server at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html

The next step is to configure a remote trading partner in WebLogic Integration - Business Connect by importing the trading partner information that you exported from WebLogic Integration in Step 5: Exporting the WebLogic Integration Trading Partner Data into a Partner Profile and then configure the appropriate client, server, and trusted certificates for that Partner Profile.

 

Step 10: Configuring the Partner Profile in WebLogic Integration - Business Connect

Instead of creating a new partner profile for Test_TradingPartner_1, you import the file you previously exported from the WebLogic Integration application into your WebLogic Integration Business Connect application. When you import the trading partner information, the company profile and the corresponding client certificate is automatically created for you.

Since you are using iPlanet as a proxy server, iPlanet takes care of the mutual authentication when WebLogic Integration - Business Connect sends a message. Therefore, you have to configure an iPlanet server certificate and also load the corresponding CA certificates.

This section contains the following procedures:

Importing the WebLogic Integration Partner Profile

This procedure describes how to import the WebLogic Integration trading partner data directly into a partner profile:

  1. Start the Weblogic Integration - Business Connect Administration tool by selecting StartArrow symbolProgramsArrow symbolBEA WebLogic Integration - Business Connect 8.1Arrow symbolAdministrator.
  2. Log in.
  3. On the Administrator bar, click Partner Profiles.

    4. The Partner Profiles information viewer opens.

  4. In the Partner Profiles information viewer, select FileArrow symbolImport.

    5. The Import Partner Profile window opens.

  5. Navigate to and select the TP1.xml file you exported from the WebLogic Integration application in Step 5: Exporting the WebLogic Integration Trading Partner Data.
  6. Click Open.

    7. A message displays when the partner profile imports successfully.

  7. Click OK.
  8. If not already selected, click the Outbound Protocol Tab.
  9. Click Add.
  10. From the Select the protocol to add drop-down menu, select ebXML.
  11. From the Select the transport to add drop-down menu, select HTTPS.
  12. Click OK.
  13. Enter the iPlanet proxy server's IP address and port for the partner profile endpoint URL. For example: https://iplanet_ip:iplanet_ssl_port/ebxml2.0/Test_TradingPartner_1
    where iplanet_ip is the IP address of your iPlanet server and iplanet_ssl_port is the port number.
  14. Click OK.

You have now completed creating the remote trading partner company profile. The next step is to import a server certificate for iPlanet and load the corresponding CA certificates.

Importing the iPlanet Server Certificate

Complete the following procedure to import an iPlanet server certificate for your WebLogic Integration-Business Connect application:

  1. In the WebLogic Integration - Business Connect, navigate to CertificatesArrow symbolPartner ProfilesArrow symbolTest_TradingPartner_1.
  2. Right click on the profile and select Import... from the menu, as show in the following figure:
  3. Navigate to the iPlanetServer.pem file which you created in Requesting a Trial Digital Certificate from Verisign and click Import.

You have now installed the iPlanet server certificate. The next step is to load the CA certificates for iPlanet and for WebLogic Integration - Business Connect.

Importing the Certificate Authority Certificates

This procedure describes how to import the CA certificates into WebLogic Integration-Business Connect:

  1. In the WebLogic Integration - Business Connect, navigate to CertificatesArrow symbolPartner ProfilesArrow symbolTest_TradingPartner_1.
  2. Right click on the profile and select Trusted Roots... from the menu, as shown in the following figure:



    3. The Trusted Roots window opens.

  3. Select the BEA Signature and Trusted Key and the Verisign Test Root Signature and Trusted Key certificates and click Import.

You have completed WebLogic Integration - Business Connect remote trading partner configuration. To learn more about configuring certificates in WebLogic Integration - Business Connect, see Keys and Certificates in Using WebLogic Integration - Business Connect.

This concludes this security example. Before you run the example, it is a good idea to restart all your servers.


  Back to Top       Previous  Next