Documented below are the steps/tips I have employed to get JDeveloper 11g1, embedded WebLogic Server, and WSM to play nicely (on Windows).
Tip 1 - Ensure the ‘User Home Directory’ is free of whitespace.
The user home directory contains the user's preferences for Oracle JDeveloper (in the system subdirectory). On my XP machine, the user home directory for JDeveloper is created under the %USERPROFILE% directory, for example “C:\Documents and Settings\Administrator\Application Data\JDeveloper”.
I have found that the whitespace in a directory path like the one above can be bad news and may lead to an error such as:
java.net.URISyntaxException: Illegal character in path at index 18: file:/C:/Documents and Settings/....
To determine the existing value from within Oracle JDeveloper, go to the Help menu, select About, go to the Properties tab, and view the value of ide.user.dir.
There are a number of different ways to override the JDeveloper user home directory; I chose to leverage the JDEV_USER_HOME environment variable, and set it to “C:\JDeveloper”
You can explicitly set the home directory by adding the following line to the <Middleware Home>\jdeveloper\jdev\bin\jdev.boot file:
ide.user.dir = <Path to preferred user directory>
The user home directory can also be specified from the command line using this command:
jdev.exe -J-Dide.user.dir=<Path>
The home directory can also be set based on the value of an environment variable.
MW_HOME/jdeveloper/jdev/bin/jdev.boot contains an entry such as:
ide.user.dir.var = JDEV_USER_HOME, JDEV_USER_DIR
These are the default variable names that Oracle JDeveloper looks for at startup to determine the home directory.
You can define or add any environment variable that Oracle JDeveloper should use.
To set the value of an environment variable from Windows:
1. From Control Panel, select System, select the Advanced tab, and then click Environment Variables.
2. In the User Variables section, click New.
3. Add JDEV_USER_HOME, or the name you chose for ide.user.dir.var, as a user variable.
4. Set the value of this variable to your home directory (for example, N:\users\jdoe), and click OK.
Tip 2 – Embedded / Integrated WebLogic Server (Re)Creation
The first time a JEE project is run/debugged from JDeveloper, the integrated WebLogic Server starts and provisions a domain named “DefaultDomain”.
You can find it under the JDeveloper user home directory in the systemXXXXXX folder; for example:
C:\JDeveloper\system11.1.1.3.37.56.60\DefaultDomain
If you ever mess things up, or want to start fresh (reverting any changes you may have made, including users / groups / credential store settings / deployments etc.), just remove the DefaultDomain directory:
1. Shut down your IntegratedWeblogicServer (if running) and exit JDeveloper
2. Delete the systemXXXXXX\DefaultDomain directory
The next time you run a JEE application, JDeveloper will recreate a fresh DefaultDomain for you.
Alternatively, rather than waiting for a JEE application to be run, you can have JDeveloper create the default domain straight away:
1. From the View menu, choose ApplicationServerNavigator
2. Right click on Application Servers / IntegratedWeblogicServer, select "Create Default Domain..."
The Integrated WebLogic server domain in JDeveloper is by default configured with:
adrs_template
jsf_template
jrf_template
adf_logging_fine
oracle.ucm.ridc_template
wsmpm-config-template
wsmpm-template
oracle.wc_adrs_template_11.1.1
Tip 3 – Credential Store and Keystore configuration in DefaultDomain of integrated WebLogic Server
Note, DOMAIN_HOME below refers to %JDEV_USER_HOME%\system11.1.1.3.37.56.60\DefaultDomain
The file %DOMAIN_HOME%\config\fmwconfig\jps-config.xml contains the various service provider types and actual instance/implementations of these configured for the domain.
<serviceProviders>
<serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
<description>SecretStore-based CSF Provider</description>
</serviceProvider>
…
<serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
<description>PKI Based Keystore Provider</description>
<property name="provider.property.name" value="owsm"/>
</serviceProvider>
…
</serviceProviders>
<serviceInstances>
<!-- JPS Credential Store Service Instance -->
<serviceInstance name="credstore" provider="credstoressp" location="./">
<description>File Based Credential Store Service Instance</description>
</serviceInstance>
…
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
<description>Default JPS Keystore Service</description>
<property name="keystore.type" value="JKS"/>
<property name="keystore.csf.map" value="oracle.wsm.security"/>
<property name="keystore.pass.csf.key" value="keystore-csf-key"/>
<property name="keystore.sig.csf.key" value="sign-csf-key"/>
<property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
…
</serviceInstances>
<jpsContexts default="default">
<!-- This is the default JPS context. All the mendatory services and Login Modules must be configured in this default context -->
<jpsContext name="default">
<serviceInstanceRef ref="credstore"/>
<serviceInstanceRef ref="keystore"/>
<serviceInstanceRef ref="policystore.xml"/>
<serviceInstanceRef ref="audit"/>
<serviceInstanceRef ref="idstore.ldap"/>
</jpsContext>
…
</jpsContexts>
The credential store instance referenced above is a wallet-based credential store (also referred to as a file-based credential store); it refers to a file named cwallet.sso in the same directory as the jps-config.xml file (%DOMAIN_HOME%\config\fmwconfig).
The keystore instance referenced above is a “JKS” file-based keystore named default-keystore.jks, expected in the same directory as the jps-config.xml file (%DOMAIN_HOME%\config\fmwconfig).
When DefaultDomain in the integrated WebLogic server is provisioned, cwallet.sso is created, whereas default-keystore.jks is not; you have to create it yourself (see Tip 4 below).
You can leverage the orapki command to get a basic listing of the cwallet.sso contents:
C:\JDeveloper\system11.1.1.3.37.56.60\DefaultDomain\config\fmwconfig>
c:\Oracle\Middleware\oracle_common\bin\orapki wallet display -wallet cwallet.sso
Oracle PKI Tool : Version 11.1.1.2.0
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 2000 Entrust.net Limited,OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.),O=Entrust.net
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
Tip 4 – Oracle WSM – SAML Policies (wss11_saml_token_with_message_protection_service_policy) / leveraging DefaultDomain of JDeveloper integrated WebLogic Server for testing
http://download.oracle.com/docs/cd/E14571_01/web.1111/b32511/setup_config.htm#BABJJBFF
Ultimately, both the Web Service and the Web Service client need their own private/public key pair.
Additionally, both client and service need to be able to verify each other's public certificate by traversing the certification path until a valid root CA certificate is reached.
Note:
- the client sends its public key to the service as part of the request.
- the client must obtain the server's public certificate; it can either be published in the WSDL with the latest 11g OWSM release ( http://download.oracle.com/docs/cd/E14571_01/web.1111/b32511/setup_config.htm#BABJCGBC ), or manually added to the client's keystore and referenced through the recipient key alias (ClientConstants.WSS_RECIPIENT_KEY_ALIAS).
- with the SAML policy, we must use the RSA key mechanism, the SHA-1 algorithm, and AES-128 bit encryption to satisfy the policy requirements for the key.
Three approaches for generating the private/public key pair:
- Self-Signed Certificate (1)
- Signed using Oracle Demo Certificate Authority (2)
- Signed using a traditional Certificate Authority (3) (i.e. one that is present in the JVM's cacerts Java keystore file)
1) A self-signed certificate is a certificate in which the "issuer" entity and the "subject" entity are the same.
In other words, a self-signed certificate is a certificate where the issuer signs its own public key with its own private key.
2) Oracle provides a demo Certificate Authority (CertGenCA; self-signed, as all root CAs are):
$WL_HOME/server/lib/CertGenCA.der (public certificate)
$WL_HOME/server/lib/CertGenCAKey.der (private key)
keytool -printcert -file C:\Oracle\Middleware\wlserver_10.3\server\lib\CertGenCA.der
Owner: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Serial number: 234b5559d1fa0f3ff5c82bdfed032a87
Valid from: Fri Oct 25 01:54:45 EST 2002 until: Wed Oct 26 01:54:45 EST 2022
Certificate fingerprints:
MD5: A2:18:4C:E0:1C:AB:82:A7:65:86:86:03:D0:B3:D8:FE
SHA1: F8:5D:49:A4:12:54:78:C7:BA:42:A7:14:3E:06:F5:1E:A0:D4:C6:59
Signature algorithm name: MD5withRSA
Version: 3
...
3) JDK 1.6 ships out of the box with support for most of the standard/traditional Certificate Authorities (similar to what you would find in a browser: VeriSign etc.).
The public certificates of these CAs are held in the cacerts file.
Additionally, you can import your own CA into the cacerts (keystore) file.
To view the list of CAs:
%JAVA_HOME%\bin\keytool -list -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass "changeit" -v
Taking the following scenario:
1) Web Service deployed to an appropriate WebLogic server on some central Linux server
2) Testing a Web Service client app running from JDeveloper integrated WebLogic server on local Windows machine
3) Using the Oracle Demo Certificate Authority
the following steps would be required:
From the Server Domain (where the Web Service is running):
1) source $DOMAIN_HOME/bin/setDomainEnv.sh
2) cd $DOMAIN_HOME/config/fmwconfig
3) Create service key-certificate pair signed by the demo CA cert "CertGenCA"
java utils.CertGen -certfile ServerPublicCertificate -keyfile ServerPrivateKey -keyfilepass welcome1 -cn "`hostname -f`"
4) Create service keystore with service key-certificate pair
java utils.ImportPrivateKey -keystore default-keystore.jks -storepass welcome1 -certfile ServerPublicCertificate.der -keyfile ServerPrivateKey.der -keyfilepass welcome1 -alias serverkey -keypass welcome1
5) Now add the root CA to the service keystore
keytool -importcert -file $WL_HOME/server/lib/CertGenCA.der -keystore default-keystore.jks -storepass welcome1
6) Add options to credential store (CWALLET.SSO) so as to access keys/certificates from keystore
$MW_HOME/Oracle_ECM1/common/bin/wlst.sh (or $MW_HOME/oracle_common/common/bin/wlst.sh)
connect('weblogic','welcome1','t3://localhost:7001')
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="n/a", password="welcome1")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="serverkey", password="welcome1")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="serverkey", password="welcome1")
Optional:
listCred(map="oracle.wsm.security", key="keystore-csf-key")
listCred(map="oracle.wsm.security", key="sign-csf-key")
listCred(map="oracle.wsm.security", key="enc-csf-key")
7) Restart
-------------------------------------------------------------------------------------------------------------------------------------
From the Client Domain - JDeveloper integrated WebLogic Server (where the client is running):
1) SET DOMAIN_HOME=%JDEV_USER_HOME%\system11.1.1.3.37.56.60\DefaultDomain
2) %DOMAIN_HOME%\bin\setDomainEnv.cmd
3) cd %DOMAIN_HOME%\config\fmwconfig
4) Create client key-certificate pair signed by the demo CA cert "CertGenCA"
java utils.CertGen -certfile ClientPublicCertificate -keyfile ClientPrivateKey -keyfilepass welcome1
Note:
-cn is an optional argument that determines the common name to which the certificate is issued.
If this argument is omitted, the certificate is issued in the name of the hostname of the machine on which the certificate is generated.
5) Create client keystore with client key-certificate pair
java utils.ImportPrivateKey -keystore default-keystore.jks -storepass welcome1 -certfile ClientPublicCertificate.der -keyfile ClientPrivateKey.der -keyfilepass welcome1 -alias clientkey -keypass welcome1
6) Now add the root CA to the client keystore
keytool -importcert -file %WL_HOME%\server\lib\CertGenCA.der -keystore default-keystore.jks -storepass welcome1
7) Add the service's public certificate to the client keystore.
(You must copy the server public certificate across to client)
keytool -importcert -file ServerPublicCertificate.der -alias serverkey -keystore default-keystore.jks -storepass welcome1
(Note:
The latest version of OWSM can expose the service's public certificate directly in the service WSDL through its Service Identity Certificate Extension
http://download.oracle.com/docs/cd/E14571_01/web.1111/b32511/setup_config.htm#BABJCGBC
Hence, this step may not be required.
In older releases, the service's public certificate had to be added to the client keystore;
if the recipient alias property on the client was not explicitly set, this certificate needed to be added under the alias "orakey".
It appears that a client based on the JRF WS stack supports retrieving the service certificate from the WSDL, whereas a client based on the WLS WS stack does not.
)
8) Add options to credential store (CWALLET.SSO) so as to access keys/certificates from keystore
%MW_HOME%\oracle_common\common\bin\wlst
connect('weblogic','weblogic1','t3://localhost:7101')
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="n/a", password="welcome1", desc="keystore access password")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="clientkey", password="welcome1", desc="signing key alias and password")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="clientkey", password="welcome1", desc="encryption key alias and password")
Optional:
listCred(map="oracle.wsm.security", key="keystore-csf-key")
listCred(map="oracle.wsm.security", key="sign-csf-key")
listCred(map="oracle.wsm.security", key="enc-csf-key")
Verify that cwallet.sso was updated (note the addition of the oracle.wsm.security Secret Store entries):
C:\JDeveloper\system11.1.1.3.37.56.60\DefaultDomain\config\fmwconfig>
c:\Oracle\Middleware\oracle_common\bin\orapki wallet display -wallet cwallet.sso
Oracle PKI Tool : Version 11.1.1.2.0
Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Oracle Secret Store entries:
oracle.wsm.security@#3#@enc-csf-key
oracle.wsm.security@#3#@keystore-csf-key
oracle.wsm.security@#3#@sign-csf-key
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=Entrust.net Secure Server Certification Authority,OU=(c) 2000 Entrust.net Limited,OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.),O=Entrust.net
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
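As an added check (example code written for this post, not part of Oracle's tooling), the script below cross-references the csf keys that the keystore service instance in jps-config.xml names against the Secret Store entries reported by orapki wallet display, so a createCred step that was skipped shows up as a missing key. Both the XML excerpt and the orapki output are constructed; the sample wallet deliberately lacks sign-csf-key, and the returned keystore location is the file (default-keystore.jks) whose existence you still have to confirm by hand.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of %DOMAIN_HOME%\config\fmwconfig\jps-config.xml (namespace omitted)
JPS_CONFIG = """<jpsConfig><serviceInstances>
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
<property name="keystore.csf.map" value="oracle.wsm.security"/>
<property name="keystore.pass.csf.key" value="keystore-csf-key"/>
<property name="keystore.sig.csf.key" value="sign-csf-key"/>
<property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
</serviceInstances></jpsConfig>"""

# Constructed 'orapki wallet display -wallet cwallet.sso' output in which the
# createCred call for sign-csf-key was skipped
ORAPKI_OUTPUT = """User Certificates:
Oracle Secret Store entries:
oracle.wsm.security@#3#@enc-csf-key
oracle.wsm.security@#3#@keystore-csf-key
Trusted Certificates:
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\\, Inc.,C=US
"""

# A secret store line looks like <map>@#<n>#@<key>
ENTRY_RE = re.compile(r"^(?P<map>[^@\s]+)@#\d+#@(?P<key>\S+)$")

def keystore_csf_requirements(jps_xml):
    """Return (keystore location, csf map, set of csf keys) that the keystore instance expects."""
    inst = ET.fromstring(jps_xml).find(".//serviceInstance[@name='keystore']")
    props = {p.get("name"): p.get("value") for p in inst.findall("property")}
    keys = {props[n] for n in ("keystore.pass.csf.key", "keystore.sig.csf.key", "keystore.enc.csf.key")}
    return inst.get("location"), props["keystore.csf.map"], keys

def secret_store_entries(orapki_text):
    """Collect (map, key) pairs from the 'Oracle Secret Store entries:' section."""
    entries, in_section = set(), False
    for line in orapki_text.splitlines():
        if line.startswith("Trusted Certificates:"):
            break  # end of the secret store section
        if in_section and (m := ENTRY_RE.match(line.strip())):
            entries.add((m.group("map"), m.group("key")))
        in_section = in_section or line.startswith("Oracle Secret Store entries:")
    return entries

def missing_csf_keys(jps_xml, orapki_text):
    """CSF keys that jps-config.xml references but cwallet.sso does not yet hold."""
    _, csf_map, keys = keystore_csf_requirements(jps_xml)
    present = {k for m, k in secret_store_entries(orapki_text) if m == csf_map}
    return keys - present  # empty set means the wallet is fully provisioned
```

Run it against the real files by replacing the two constructed strings with the contents of jps-config.xml and the captured orapki output.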