In this post, we will see how to configure Service Bus to use One way SSL.
Here, we are not discussing about the SSL concepts and people who want to go through quick introduction of SSL can go through this.
In Summary, following are the steps to be followed:
- Generate Custom Identity and Trust stores.
- Enable SSL port.
- Setting up the keystores.
- Configure private keys for SSL
Please note that, JSSE (Java Secure Socket Extension) is the only supported SSL implementation. The Certicom-based SSL implementation is removed and is no longer supported in WebLogic Server.
Create a folder keystores %FMW_HOME% to store all of your keystores used and issue the following command to generate a keystore for Admin server use as shown below.
keytool -genkeypair -keyalg RSA -alias localadmin -keystore adminkeystore.jks -storepass adjks123 -validity 360 -keysize 2048
This creates keystore adminkeystore.jks having both public and the private keys with alias localadmin. You can observe the contents of keystore using the following command.
keytool -list -v -keystore adminkeystore.jks
Similarly, create other keystores to use for OSB and SOA managed servers and also a keystore to use for the client as shown below.
Enable SSL port by navigating to Environment –> Severs-> Admin Sever –> General.
By Default, WLS uses the Demo Identity and Trust keystores and you can find them in %DOMAIN_HOME/security and %WLS_HOME%/server/lib. Oracle strictly recommends to use the Custom keystores at least for the Production environments. Hence we will use the custom keystores in this post.
Go to Keystores tab and click Change.
Select Custom Identity and Custom Trust as shown below and click Save.
Modify Custom Identity and Trust stores as shown below and here you also need to give keystore password. Click Save.
Go to SSL tab and give the Private key alias as shown below.
Go to Advanced settings and set Hostname verification to None and also set Two way Client Cert Behavior to Clients Certs not Required as we are doing setup for 1-way SSL. This setting will enforce WLS server not to request client certificates.
Modify EXTRA_JAVA_PROPERTIES in setDomainEnv.cmd to use following parameters and restart the admin server. This is required as to instruct WLS server to load trusted certificates.
-Dweblogic.security.SSL.trustedCAkeystore=C:\Oracle\Middleware\FMW1213New \keystores\adminkeystore.jks -Djavax.net.ssl.trustStorePassword=adjks123
Now you should be able to access WLS admin console using following URL and this confirm the SSL is configured on your admin server.
You can refer to WLS documentation here for more information on this.
The following error is observed when we use a keystore as Trust store with zero trust certificates.
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: No certs to
copy.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: No trusted
CAs available to populate trust anchors.>
<[Thread[DynamicJSSEListenThread[DefaultSecure3]],9,WebLogicServer]weblogic.security.SSL.jsseadapter: TRUSTSTORE_MANAGER: Error initi
alizing trust manager factory: the trustAnchors parameter must be non-empty.
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at weblogic.security.SSL.jsseadapter.JaTrustManager.<init>(JaTrustManager.java:57)
at weblogic.security.SSL.jsseadapter.JaSSLContextImpl.initializeContext(JaSSLContextImpl.java:654)
To debug SSL, modify EXTRA_JAVA_PROPERTIES in setDomainEnv.cmd to include the following parameters.
-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
To enable javax.net debugging include the following parameter.
-Djavax.net.debug=all
To eliminate this error, you can install any trust certificate into localadmin.jks or use cacerts keystore (available in %WLS_HOME%/server/lib) as Trust store. Here i have exported Public Certificate from clientkeystore.jks and got that imported into localadmin.jks.
Use the following command to export:
keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer
Use the following command to import:
keytool -importcert -alias localclient -keystore adminkeystore.jks -file localclient.cer
Now verify the contents of your keystore as below.
keytool -list -v -keystore adminkeystore.jks
Similarly, configure OSB managed server using keystore osbkeystore.jks and use 7005 as the SSL port. Restart the OSB server after your changes.
To enable your proxy services to be accessed only by SSL, you have to enable HTTPS option as below.
Now if you try to access your Proxy Service WSDL from browser, it will be automatically uses SSL as shown below.
Most of the people uses SOAP UI to test their webservices. If you try to access this WSDL, you will be able to access from SOAP UI even without adding the required certificates to trust store. This is because SOAP UI trusts all by default as per this forum post.
To confirm the enablement of SSL on the Proxy Service, let us try to create a Webservice Proxy in JDeveloper that prompts to accept/trust the certificate.
Observation:
When you enable SSL debugging, you might observe the following exception in server log though your 1-way SSL works as expected. As per Oracle Support note 1606295.1, this is not a harmful exception.
<1425221899641> <BEA-000000> <Exception processing certificates: peer not authenticated javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)
at weblogic.servlet.provider.WlsSecurityProvider.getSSLAttributes(WlsSecurityProvider.java:222)
at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(VirtualConnection.java:165)
at weblogic.servlet.internal.VirtualConnection.init(VirtualConnection.java:75)
at weblogic.servlet.internal.ServletRequestImpl.initFromRequestParser(ServletRequestImpl.java:312)
at weblogic.servlet.internal.HttpConnectionHandler.dispatch(HttpConnectionHandler.java:577)
at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:131)
at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:216)
at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:186)
at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:216)
at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:970)
at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:907)
at weblogic.socket.NIOSocketMuxer.process(NIOSocketMuxer.java:495)
at weblogic.socket.NIOSocketMuxer.processSockets(NIOSocketMuxer.java:461)
at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:30)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:147)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:119)
Siva's Blog 
Hi There,
Your post is really helpful. I have tried above steps. When i tried to access the proxy service via browser, i am getting an error as “Webpage is not available”. Please could you help me resolve this error?
Thanks,
Rajesh
Can u check the url once again..also make sure that you enabled ssl for your proxy service..
Hello,
We followed yous steps but it seems we couldn’t tell in your keystore steps whan path you provided for the . we provided the path to the admin keystore we created earlier in the post but that didn’t work.
Custom Identity Keystore: D:\webapps\scommon\jdk\jdk1.8\bin\keystore\adminkeystore.jks
Custom Trust Keystore:
D:\webapps\scommon\jdk\jdk1.8\bin\keystore\adminkeystore.jks
We can’t load the console with port 7002. Any reason why?