Configuring Security

Field	Description
Enabled check box	If checked, SSL connections are enabled between WebLogic Integration B2B and trading partners.
SSL Listen Port	Specifies the dedicated port on which WebLogic Integration B2B listens for SSL connections.
Server Key File Name	Specifies the location of the private key file for WebLogic Server.
Server Certificate File Name	Specifies the location of the public key file for WebLogic Server. You obtain this file from a trusted security vendor, as described in step 1 in this section.
Server Certificate Chain File Name	Specifies the full directory location of the digital certificate for WebLogic Server. This location is also known as the root certificate authority.
Client Certificate Enforced check box	If checked, mutual authentication is enabled between WebLogic Integration B2B and trading partners accessing WebLogic Integration B2B resources.
Trusted CAFile Name	Specifies the name of the file that contains the digital certificate for the certificate authority trusted by WebLogic Server. Trading partners are required to present digital certificates issued by this certificate authority. You obtain this filename from each trading partner configured in your B2B environment.
Certificate Authenticator	Specifies the certificate authenticator to be used to determine the validity of the trading partner digital certificate

Field

Description

Enabled check box

If checked, SSL connections are enabled between WebLogic Integration B2B and trading partners.

SSL Listen Port

Specifies the dedicated port on which WebLogic Integration B2B listens for SSL connections.

Server Key File Name

Specifies the location of the private key file for WebLogic Server.

Server Certificate File Name

Specifies the location of the public key file for WebLogic Server. You obtain this file from a trusted security vendor, as described in step 1 in this section.

Server Certificate Chain File Name

Specifies the full directory location of the digital certificate for WebLogic Server. This location is also known as the root certificate authority.

Client Certificate Enforced check box

If checked, mutual authentication is enabled between WebLogic Integration B2B and trading partners accessing WebLogic Integration B2B resources.

Trusted CAFile Name

Specifies the name of the file that contains the digital certificate for the certificate authority trusted by WebLogic Server. Trading partners are required to present digital certificates issued by this certificate authority. You obtain this filename from each trading partner configured in your B2B environment.

Certificate Authenticator

Specifies the certificate authenticator to be used to determine the validity of the trading partner digital certificate

Field	Description
System Password	Password for the WebLogic Integration B2B system user. This is set when you install the WebLogic Integration software, and by default this password is wlcsystem. However, if you want to change it, you can enter a new password in this field.
Audit Log Class	Java class that implements audit logging, which is used for nonrepudiation. You can use the audit log to reconstruct the sequence of events that have occurred during a conversation, along with the data exchanged. Depending on how you configure the audit log, the audit log may store each business message exchanged among trading partners along with digital signatures, timestamps, and other data. For more information about auditing, see Secure Audit Log Service.
Certificate Verification Class	Java class that calls out to software that verifies that a digital certificate submitted by a remote trading partner is valid. This class can call out to either the Online Certificate Status Protocol (OCSP) application that WebLogic Integration provides, or certificate verification provider software that you obtain from a trusted security vendor. For more information about the certificate verification class, see Trading Partner Certificate Verification.
Secure Timestamp Class	Java class that provides secure timestamping of business messages exchanged among trading partners. Timestamping is used for nonrepudiation. For more information about secure timestamping, see Secure Timestamp Service.
Certificate Authority Directory	Location that contains the Certificate Authorities of all the trading partner certificates configured in the WebLogic Integration repository.

Field

Description

System Password

Password for the WebLogic Integration B2B system user. This is set when you install the WebLogic Integration software, and by default this password is wlcsystem. However, if you want to change it, you can enter a new password in this field.

Audit Log Class

Java class that implements audit logging, which is used for nonrepudiation. You can use the audit log to reconstruct the sequence of events that have occurred during a conversation, along with the data exchanged. Depending on how you configure the audit log, the audit log may store each business message exchanged among trading partners along with digital signatures, timestamps, and other data. For more information about auditing, see Secure Audit Log Service.

Certificate Verification Class

Java class that calls out to software that verifies that a digital certificate submitted by a remote trading partner is valid. This class can call out to either the Online Certificate Status Protocol (OCSP) application that WebLogic Integration provides, or certificate verification provider software that you obtain from a trusted security vendor. For more information about the certificate verification class, see Trading Partner Certificate Verification.

Secure Timestamp Class

Java class that provides secure timestamping of business messages exchanged among trading partners. Timestamping is used for nonrepudiation. For more information about secure timestamping, see Secure Timestamp Service.

Certificate Authority Directory

Location that contains the Certificate Authorities of all the trading partner certificates configured in the WebLogic Integration repository.

Table 3-3 Trading Partner Certificates Configured in WebLogic Integration B2B

Certificate	Description
Client certificate	Digital certificate of the remote or local trading partner. Configuring the client certificate is required when using the SSL protocol. Certificate Details: Is of type X509 V3. Is Privacy Enhanced Mail (PEM) or Definite Encoding Rules (DER) encoded. (The filename extension specifies the encoding type: .pem or .der.) Is required for all trading partner types while using HTTPS. Private Key Details: Is PEM or DER encoded. (The filename extension specifies the encoding type: .pem or .der.) Is required only for local trading partner type. Password protected private keys are not supported.
Server certificate	Digital certificate of the remote trading partner. Configuring the server certificate is required when using the SSL protocol. Certificate Details: Is of type X509 V3. Is PEM or DER encoded. (The filename extension specifies the encoding type: .pem or .der.) Is required for remote trading partner types while using HTTPS.
Signature certificate	Certificate required of each trading partner if digital signature support, a requirement for nonrepudiation, is configured for the e-market. For a description of digital signature support, see Digital Signature Support. Certificate Details: Is of type X509 V3. Any encoding is allowed. You use the RSA CertJ package to read the certificate. Is required for all trading partner types using digital signature service. Private Key Details: Uses only the PKCS8 format. Is always password protected. (You specify the password as a system property in the startweblogic command.)
Encryption certificate	Certificate required of each trading partner when business message encryption is configured for the e-market. Note that encryption support is available only with the RosettaNet protocols. For a description of message encryption, see Configuring Message Encryption. Certificate Details: Is of type X509 V3. Any encoding is allowed. Use RSA CertJ package to read the certificate. Is required for all trading partner types using encryption service. Private Key Details: Uses only the PKCS8 format. Is always password protected. (You specify the password as a system property in the startweblogic command.)

%JAVA_HOME%\bin\java -classic -ms64m -ms64m -classpath %START_WL_CLASSPATH%
-Dbea.home=%BEA_HOME% -Dweblogic.home=%WL_HOME%
-Dweblogic.system.home=%WLC_SAMPLES_HOME% -Dweblogic.Domain=samples
-Dweblogic.management.password=security
-Dcloudscape.system.home=%WLC_SAMPLES_CLOUDSCAPE_HOME% -Dweblogic.Name=myserver
-Djava.security.policy=%WL_HOME%\lib\weblogic.policy
-DKey.certificate-name.password=mypassword weblogic.Server

To configure . . .	Complete the following steps . . .
Client certificate	If you are configuring a local or remote trading partner: In the Certificate Type selection box, select Client Certificate. In the Certificate Name field, enter the client certificate name. In the Certificate Location field, enter the filename and location on your WebLogic Integration machine where the client certificate is stored. In the Private Key Location field, enter the filename and location on your WebLogic Integration machine where the private key of the local trading partner is stored. (This step applies only to local trading partners.) Click Add/Apply.
Server certificate	If you are configuring a remote trading partner: In the Certificate Type selection box, select Server Certificate. In the Certificate Name field, enter the name of the server certificate for the remote trading partner's WebLogic Integration system. In the Certificate Location field, enter the filename and location on your machine where the trading partner's server certificate is stored. Click Add/Apply.
Signature certificate	For trading partners using digital signature support: In the Certificate Type selection box, select Signature Certificate. In the Certificate Name field, enter the signature certificate name. In the Certificate Location field, enter the filename and location on your machine where the signature certificate is stored. In the Private Key Location field, enter the filename and location on your machine where the local trading partner private key is stored. (This step applies only to local trading partners.) Click Add/Apply.
Encryption certificate	For trading partners using RosettaNet-based business message encryption: In the Certificate Type selection box, select Encryption Certificate. In the Certificate Name field, enter the encryption certificate name. In the Certificate Location field, enter the location on your machine where the encryption certificate is stored. In the Private Key Location field, enter the location on your machine where the local trading partner private key is stored. (This step applies only to local trading partners.) Click Add/Apply.

To configure . . .

Complete the following steps . . .

Client certificate

If you are configuring a local or remote trading partner:

In the Certificate Type selection box, select Client Certificate.
In the Certificate Name field, enter the client certificate name.
In the Certificate Location field, enter the filename and location on your WebLogic Integration machine where the client certificate is stored.
In the Private Key Location field, enter the filename and location on your WebLogic Integration machine where the private key of the local trading partner is stored. (This step applies only to local trading partners.)
Click Add/Apply.

Server certificate

If you are configuring a remote trading partner:

In the Certificate Type selection box, select Server Certificate.
In the Certificate Name field, enter the name of the server certificate for the remote trading partner's WebLogic Integration system.
In the Certificate Location field, enter the filename and location on your machine where the trading partner's server certificate is stored.
Click Add/Apply.

Signature certificate

For trading partners using digital signature support:

In the Certificate Type selection box, select Signature Certificate.
In the Certificate Name field, enter the signature certificate name.
In the Certificate Location field, enter the filename and location on your machine where the signature certificate is stored.
In the Private Key Location field, enter the filename and location on your machine where the local trading partner private key is stored. (This step applies only to local trading partners.)
Click Add/Apply.

Encryption certificate

For trading partners using RosettaNet-based business message encryption:

In the Certificate Type selection box, select Encryption Certificate.
In the Certificate Name field, enter the encryption certificate name.
In the Certificate Location field, enter the location on your machine where the encryption certificate is stored.
In the Private Key Location field, enter the location on your machine where the local trading partner private key is stored. (This step applies only to local trading partners.)
Click Add/Apply.

Field	Description
Transport Name	The name of the trading partner transport. You can enter a name, or choose from the list of available transports displayed in the box labeled Available Transports. Note that each of the available transports has a security protocol bound to it, so if you choose from this list, the transport and security protocols are set automatically. For more information about specifying the transport name, see the online help for the Transport tab by clicking the question mark in the upper right.
Transport Protocol	The security protocol for the transport. You can choose between HTTP-1.1 and HTTPS-1.1. The HTTPS-1.1 protocol uses SSL. Note that if you choose HTTPS-1.1, the security protocol is displayed in the nonmodifiable field labeled Security Protocol.
URI Endpoint	The URI for the transport on the trading partner's B2B system. To specify the URI endpoint, you can enter a URI in this field, or choose from one of the available URIs displayed in the box below this field. When you enter the URI endpoint, click Set, to establish the URI, or Remove, to clear an existing entry in the URI Endpoint field. For more information about specifying the URI endpoint, see the online help for the Transport tab by clicking the question mark in the upper right.

Field

Description

Transport Name

The name of the trading partner transport. You can enter a name, or choose from the list of available transports displayed in the box labeled Available Transports. Note that each of the available transports has a security protocol bound to it, so if you choose from this list, the transport and security protocols are set automatically. For more information about specifying the transport name, see the online help for the Transport tab by clicking the question mark in the upper right.

Transport Protocol

The security protocol for the transport. You can choose between HTTP-1.1 and HTTPS-1.1. The HTTPS-1.1 protocol uses SSL. Note that if you choose HTTPS-1.1, the security protocol is displayed in the nonmodifiable field labeled Security Protocol.

URI Endpoint

The URI for the transport on the trading partner's B2B system. To specify the URI endpoint, you can enter a URI in this field, or choose from one of the available URIs displayed in the box below this field. When you enter the URI endpoint, click Set, to establish the URI, or Remove, to clear an existing entry in the URI Endpoint field. For more information about specifying the URI endpoint, see the online help for the Transport tab by clicking the question mark in the upper right.

Field	Description
Delivery Channel Name	The delivery channel name. You can enter a name in this field, or choose from the delivery channels listed in the Available Delivery Channels box below. For more information about specifying a delivery channel name, see the online help for the Delivery Channels page by clicking the question mark in the upper right.
Transport	The name of the transport configured in the trading partner transport tab. This field gives you an opportunity to bind the delivery channel to a transport that you secured when configuring the transport properties, as described in Configuring a Secure Transport.
Document Exchange	The name of the document exchange to which you want to bind the delivery channel. For more information about binding a document exchange to a delivery channel, see the online help for the Delivery Channels page by clicking the question mark in the upper right.
Routing Proxy	Check this box if you want the trading partner delivery to act as a routing proxy (hub). For more information about proxy servers, see Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server.

Field

Description

Delivery Channel Name

The delivery channel name. You can enter a name in this field, or choose from the delivery channels listed in the Available Delivery Channels box below. For more information about specifying a delivery channel name, see the online help for the Delivery Channels page by clicking the question mark in the upper right.

Transport

The name of the transport configured in the trading partner transport tab. This field gives you an opportunity to bind the delivery channel to a transport that you secured when configuring the transport properties, as described in Configuring a Secure Transport.

Document Exchange

The name of the document exchange to which you want to bind the delivery channel. For more information about binding a document exchange to a delivery channel, see the online help for the Delivery Channels page by clicking the question mark in the upper right.

Routing Proxy

Check this box if you want the trading partner delivery to act as a routing proxy (hub). For more information about proxy servers, see Configuring WebLogic Integration B2B to Use an Outbound HTTP Proxy Server.

In the field labeled . . .	Choose the following information . . .
Business Protocol Binding	The business protocol and version that supports the digital signature or message encryption capabilities that you want. The protocol you choose becomes bound to the trading partner document exchange identified at the top of the page.
Business Protocol Definition	The business protocol associated with the business protocol binding chosen in the preceding selection box.

In the field labeled . . .

Choose the following information . . .

Business Protocol Binding

The business protocol and version that supports the digital signature or message encryption capabilities that you want. The protocol you choose becomes bound to the trading partner document exchange identified at the top of the page.

Business Protocol Definition

The business protocol associated with the business protocol binding chosen in the preceding selection box.

As mentioned in Introducing WebLogic Integration B2B Security, the B2B message encryption service encrypts business messages for the business protocols that require it. Currently, message encryption is supported only for the RosettaNet 2.0 protocol.

In the field labeled . . .	Select the following . . .
Encryption Certificate	The name of the encryption certificate configured in Configuring Trading Partner Certificates.
Encryption Level	The parts of the business message that you want to have encrypted. Choose PAYLOAD if you want to encrypt only the XML business document(s) part of the message. Choose ENTIRE_PAYLOAD if you want to encrypt the business documents and all attachments in the message.
Cipher Strength	Either 56- or 128-bit encryption. Note that 128-bit encryption is not available in some localities.

In the field labeled . . .

Select the following . . .

Encryption Certificate

The name of the encryption certificate configured in Configuring Trading Partner Certificates.

Encryption Level

The parts of the business message that you want to have encrypted. Choose PAYLOAD if you want to encrypt only the XML business document(s) part of the message. Choose ENTIRE_PAYLOAD if you want to encrypt the business documents and all attachments in the message.

Cipher Strength

Either 56- or 128-bit encryption. Note that 128-bit encryption is not available in some localities.

Digital signature support (described in detail in Implementing Nonrepudiation) provides a means to prevent anyone or anything from tampering with the contents of a business message, especially when the business message is in transit between two trading partners. Digital signature support is a requirement for nonrepudiation.

public User authenticate(String userName, Certificate[] certs, boolean ssl)
{

String user = null;

// If not using SSL, return
if (ssl == false)
{
return null;
}

// Verify that the certificate is either a c-hub certificate or a trading partner
// certificate, then return the corresponding WLS user.

if ((user = Security.isValidWLCCertificate(certs))!= null)
{
return realm.getUser(user);
}
// Certificate is not a valid WLC certificate.
// Check here for non-WLC certificate and return the corresponding user.
}

As explained in Trading Partner Certificate Verification, you use a certificate verification provider to validate a trading partner's digital certificate. If you are using a certificate verification provider (CVP), you need to configure it in the B2B Console, using the steps described in this section.

# LoadModule foo_module libexec/mod_foo.so
LoadModule weblogic_module libexec/mod_wl_ssl.<suffix>

<Location /weblogic>
SetHandler weblogic-handler
PathTrim /weblogic
WebLogicHost myhost
WebLogicPort 80
</Location>


	BEA Home \| Events \| Solutions \| Partners \| Products \| Services \| Download \| Developer Center \| WebSUPPORT
	http://www.oracle.com/technology/documentation/index.html \| Site Map \| Search \| PDF Files \| Contact \| Glossary

WLI Doc Home \| B2B Topics \| B2B Security \| Previous Topic \| Next Topic \| Contents \| Index \| View as PDF