Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter 11g Release 1 (11.1.1.5.0) Part Number E12405-14
This chapter describes how to set up WS-Security for WebCenter applications (including WebCenter Spaces and WebCenter Portal applications) and related services and components based on your topology. This section covers the following configurations:
A simple topology, with the WebCenter application and all components sharing the same domain
A typical topology, with the WebCenter application and components divided across two domains
A complex topology, with the WebCenter application and components divided across multiple domains
Within these three topologies, configuration is described for the WebCenter application (WebCenter Spaces, for example), Oracle WebCenter Discussions, the Worklist service, and WSRP producers. These configurations and the steps for securing OWLCS and applications consuming WebCenter Spaces APIs are covered in the following sections:
Section 32.1, "Configuring WS-Security for a Simple Topology"
Section 32.2, "Configuring WS-Security for a Typical Topology"
Section 32.3, "Configuring WS-Security for a Complex Topology"
Section 32.4, "Securing Oracle WebLogic Communication Services (OWLCS) with WS-Security"
Audience
The content of this chapter is intended for Fusion Middleware administrators (users granted the Admin role through the Oracle WebLogic Server Administration Console). Users with the Monitor or Operator roles can view security information but cannot make changes. See also Section 1.8, "Understanding Administrative Operations, Roles, and Tools."
This section describes how to configure WS-Security for a topology where the WebCenter application, the BPEL server, and WSRP producers share the same domain (Figure 32-1).
Figure 32-1 WS-Security for a Simple Configuration
The steps to configure WS-Security for a simple single-domain WebCenter topology are described in the following sections:
Section 32.1.1, "Roadmap to Configuring WS-Security for a Simple Topology"
Section 32.1.3, "Configuring the Discussions Server for a Simple Topology"
The flow chart (Figure 32-1) and table (Table 32-1) in this section provide an overview of the prerequisites and tasks required to configure WS-Security for a simple single-domain WebCenter topology.
Figure 32-2 Configuring WS-Security for a Simple Topology
Table 32-1 shows the tasks and sub-tasks to configure WS-Security for a simple WebCenter topology.
The security credentials of the WebCenter application, discussions server, BPEL server, and WSRP producers can be retrieved and managed using a Java Keystore (JKS). A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the wallet or keystore. See the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information about JKS.
This section contains the following subsections:
This section describes how to create a keystore and keys using a Java Keystore (JKS). JKS is the proprietary keystore format defined by Sun Microsystems. To create and manage the keys and certificates in the JKS, use the keytool utility that is distributed with the Java JDK 6.
To create the WebCenter domain keystore:
1. Go to JDK_HOME/jdk/bin and open a command prompt.
2. Using keytool, generate a key pair:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias orakey -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer. This can be any string as long as it is in the correct format (for example, cn=spaces,dc=example,dc=com).
key_password is the password for the new public key (for example, welcome1).
keystore is the keystore name (for example, default-keystore.jks).
keystore_password is the keystore password (for example, welcome1).
days_valid is the number of days for which the key password is valid (for example, 1064).
Note: You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle Web Services Security Manager requirements.
3. Export the certificate containing the public key:
keytool -exportcert -v -alias orakey -keystore keystore -storepass keystore_password -rfc -file orakey.cer
Where:
keystore is the keystore name (for example, default-keystore.jks).
keystore_password is the keystore password (for example, welcome1).
4. Import the certificate with the alias webcenter_spaces_ws (choose Yes when prompted whether to overwrite the existing certificate with the alias orakey):
keytool -importcert -alias webcenter_spaces_ws -file orakey.cer -keystore default-keystore.jks -storepass keystore_password
Where:
keystore_password is the keystore password.
Continue by configuring the keystore using either WLST as described in Section 32.1.2.2, "Configuring the Keystore with WLST," or using Fusion Middleware Control as described in Section 32.1.2.3, "Configuring the Keystore Using Fusion Middleware Control."
Table 32-2 shows the keystore contents you should wind up with after creating and configuring the keystore.
Table 32-2 WebCenter Domain Keystore Contents for a Simple Topology
Key Alias | Description |
---|---|
orakey | Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions. |
webcenter_spaces_ws | Certificate containing the public key for the |
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either Fusion Middleware control, as described in Section 32.1.2.3, "Configuring the Keystore Using Fusion Middleware Control," or using WLST as described below.
To configure the credential store:
1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
2. Locate the <serviceInstance node for the keystore.provider Provider:
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
<description>Default JPS Keystore Service</description>
3. Make sure that the default-keystore.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and that the location is specified as ./default-keystore.jks:
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
<description>Default JPS Keystore Service</description>
4. Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password=keystore_password, desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password=private_key_password, desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password=private_key_password, desc="Signing key")
Where:
keystore_password is the keystore password specified in step 2 of Section 32.1.2.1, "Creating the WebCenter Domain Keystore" (for example, welcome1).
private_key_password is the private key password specified in step 2 of Section 32.1.2.1, "Creating the WebCenter Domain Keystore" (for example, welcome1).
Example 32-4 Updating the Credential Store
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
5. Restart all servers.
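As an added check that is not part of this guide or of Oracle's tooling, the following Python verifies the wiring described above before the servers are restarted: it reads the keystore.provider location from jps-config.xml, resolves it relative to config/fmwconfig, parses the JKS file directly (Sun's JKS layout, magic 0xFEEDFEED) and compares its entries with what Table 32-2 requires. The expected-alias map can be swapped for the typical or complex topologies; the jps-config.xml namespace URI and the sample keystore bytes are constructed for the demonstration.

```python
import os
import struct
import tempfile
import xml.etree.ElementTree as ET

JKS_MAGIC = 0xFEEDFEED     # first four bytes of every Sun JKS file
PRIVATE_KEY_TAG = 1        # JKS entry tag for a PrivateKeyEntry
TRUSTED_CERT_TAG = 2       # JKS entry tag for a trustedCertEntry

def keystore_location(jps_config_path):
    """Return the location attribute of the keystore.provider serviceInstance."""
    for el in ET.parse(jps_config_path).getroot().iter():
        # tags carry the jps-config namespace, so compare the local name only
        if el.tag.split('}')[-1] == 'serviceInstance' and el.get('provider') == 'keystore.provider':
            return el.get('location')
    raise ValueError('no serviceInstance with provider="keystore.provider"')

def _utf(s):
    """Encode a string as Java DataOutput.writeUTF does: 2-byte length, then bytes."""
    b = s.encode('utf-8')
    return struct.pack('>H', len(b)) + b

def _read_utf(buf, pos):
    (n,) = struct.unpack_from('>H', buf, pos)
    return buf[pos + 2:pos + 2 + n].decode('utf-8'), pos + 2 + n

def _skip_blob(buf, pos):
    """Skip a 4-byte-length-prefixed blob (protected key bytes or a DER certificate)."""
    (n,) = struct.unpack_from('>I', buf, pos)
    return pos + 4 + n

def jks_entries(data):
    """Walk a version-2 JKS entry table and map each alias to its entry type."""
    magic, version, count = struct.unpack_from('>III', data, 0)
    if magic != JKS_MAGIC or version != 2:   # rejects JCEKS (0xCECECECE) and PKCS12 files
        raise ValueError('not a version-2 JKS keystore (magic 0x%08X, version %d)' % (magic, version))
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from('>I', data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                  # creation date, ms since epoch
        if tag == PRIVATE_KEY_TAG:
            pos = _skip_blob(data, pos)           # password-protected private key
            nchain, pos = struct.unpack_from('>I', data, pos)[0], pos + 4
            for _ in range(nchain):               # chain: cert type ("X.509"), then DER bytes
                _, pos = _read_utf(data, pos)
                pos = _skip_blob(data, pos)
            entries[alias] = 'PrivateKeyEntry'
        elif tag == TRUSTED_CERT_TAG:
            _, pos = _read_utf(data, pos)
            pos = _skip_blob(data, pos)
            entries[alias] = 'trustedCertEntry'
        else:
            raise ValueError('unknown JKS entry tag %d' % tag)
    return entries                                # trailing 20-byte SHA-1 digest is not verified

def check_domain_keystore(fmwconfig_dir, expected):
    """Resolve the configured keystore relative to fmwconfig and compare its entries with expected."""
    loc = keystore_location(os.path.join(fmwconfig_dir, 'jps-config.xml'))
    problems = [] if loc.startswith('./') else ['location %r should be relative, e.g. ./default-keystore.jks' % loc]
    path = os.path.normpath(os.path.join(fmwconfig_dir, loc))
    if not os.path.isfile(path):
        return problems + ['keystore file %s not found; copy it into config/fmwconfig' % path]
    with open(path, 'rb') as f:
        entries = jks_entries(f.read())
    for alias, kind in expected.items():
        if entries.get(alias) != kind:
            problems.append('alias %s: expected %s, found %s' % (alias, kind, entries.get(alias)))
    return problems

def build_sample_jks(private_aliases, trusted_aliases):
    """Construct a minimal version-2 JKS; the blobs are placeholders, not real keys or certificates."""
    blob = b'\x30\x03\x02\x01\x00'
    out = [struct.pack('>III', JKS_MAGIC, 2, len(private_aliases) + len(trusted_aliases))]
    for a in private_aliases:
        out.append(struct.pack('>I', PRIVATE_KEY_TAG) + _utf(a) + struct.pack('>Q', 0)
                   + struct.pack('>I', len(blob)) + blob
                   + struct.pack('>I', 1) + _utf('X.509') + struct.pack('>I', len(blob)) + blob)
    for a in trusted_aliases:
        out.append(struct.pack('>I', TRUSTED_CERT_TAG) + _utf(a) + struct.pack('>Q', 0)
                   + _utf('X.509') + struct.pack('>I', len(blob)) + blob)
    return b''.join(out) + b'\x00' * 20           # stands in for the SHA-1 integrity digest

# What Table 32-2 says default-keystore.jks must contain for the simple topology.
SIMPLE_TOPOLOGY = {'orakey': 'PrivateKeyEntry', 'webcenter_spaces_ws': 'trustedCertEntry'}

# Constructed jps-config.xml in the shape shown above (namespace URI assumed; matching ignores it).
JPS_CONFIG = (b'<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">\n'
              b'  <serviceInstance name="keystore" provider="keystore.provider" location="%s">\n'
              b'    <description>Default JPS Keystore Service</description>\n'
              b'  </serviceInstance>\n'
              b'</jpsConfig>\n')

def demo(location='./default-keystore.jks', private=('orakey',), trusted=('webcenter_spaces_ws',)):
    """Write a constructed fmwconfig directory to a temp dir and return the list of problems."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, 'jps-config.xml'), 'wb') as f:
        f.write(JPS_CONFIG % location.encode('utf-8'))
    with open(os.path.join(d, 'default-keystore.jks'), 'wb') as f:
        f.write(build_sample_jks(private, trusted))
    return check_domain_keystore(d, SIMPLE_TOPOLOGY)
```

Against a real domain, point check_domain_keystore at <DOMAIN_HOME>/config/fmwconfig instead of the constructed directory; an empty list means the location and the two aliases match Table 32-2.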
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either WLST, as described in Section 32.1.2.2, "Configuring the Keystore with WLST," or using Fusion Middleware control as described below.
To configure the keystore provider:
1. Ensure that the default-keystore.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./default-keystore.jks.
2. Open Fusion Middleware Control and log in to the WebCenter domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
3. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (wc_domain by default).
4. From the WebLogic Domain menu, select Security -> Security Provider Configuration.
The Security Provider Configuration page displays (see Figure 32-3).
Figure 32-3 Security Provider Configuration Page
5. Expand the Keystore section on the Security Provider Configuration page.
6. Click Configure.
The Keystore Configuration page displays (see Figure 32-4).
7. Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./default-keystore.jks
Password: Enter and confirm the password for the keystore.
Key Alias: orakey
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: orakey
Crypt Password: Enter and confirm the password for the encryption key.
8. Click OK to save your settings.
9. Restart the Administration server for the domain.
In a simple topology, the discussions server is in the same domain as WebCenter Spaces and consequently no extra keystore configuration is needed since the keystore configured for the WebCenter domain is used for the Discussions service as well. However, for production environments you should protect the Discussion service Web Service end points with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following subsections:
Section 32.1.3.1, "Securing the Discussions Service End Points"
Section 32.1.3.2, "Configuring the Discussions Server Connection Settings"
Note: Discussions-specific Web Services messages sent by WebCenter applications to the Oracle WebCenter Discussions server are not encrypted. For message confidentiality, the discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Chapter 31, "Configuring SSL."
The WebCenter Discussions service's Web Service end points require user identity to be propagated for calls originating from WebCenter Spaces. Out-of-the-box, the Discussions service Web Service end points are configured with a policy that uses an unsecured SAML token to let you get up and running in a test environment without having to fully implement security. For a production environment, however, the Web Service end points need to be secured with OWSM policies to ensure that messages are not tampered with and cannot be viewed by others while in transit. To do this, both the public access Web Service end point and the authenticated user access end point should be secured with the appropriate OWSM policies using either Fusion Middleware Control or WLST.
This section contains the following subsections:
Section 32.1.3.1.1, "Securing the Discussions Server End Points Using Fusion Middleware Control"
Section 32.1.3.1.2, "Securing the Discussions Server End Points Using WLST"
To secure the Discussions service end points using Fusion Middleware Control, follow the steps below:
1. Log in to Fusion Middleware Control and from the Navigation pane, expand the WebCenter node and then the Discussions node, and click Discussions(WC_Collaboration).
The Discussions home page displays (see Figure 32-5).
2. Click the owc_discussions target.
The home page for the owc_discussions application displays (see Figure 32-6).
3. From the Application Deployment menu, select Web Services.
The Web Services page for the owc_discussions application displays (see Figure 32-7).
Figure 32-7 Web Services Page for owc_discussions
4. Open the Web Services tab, and click the OWCDiscussionsServiceAuthenticated Web Service end point.
The Web Service Endpoint page for owc_discussions displays (see Figure 32-8).
5. Click Attach/Detach.
The Attach Policy page displays (see Figure 32-9).
6. Use the Attach and Detach buttons to attach oracle/wss11_saml_token_with_message_protection_service_policy and detach oracle/wss10_saml_token_service_policy.
7. Click OK.
8. Return to the Web Services page and click the OWCDiscussionsServicePublic end point.
9. Attach oracle/wss11_message_protection_service_policy so that the public user Web Service end point is also secured.
10. Click OK.
To secure the Discussions server end points using WLST, detach the wss10_saml_token_service_policy and attach the wss11_saml_token_with_message_protection_service_policy using the following WLST commands:
detachWebServicePolicy('owc_discussions', 'owc_discussions', 'web', 'OWCDiscussionsServiceAuthenticated', 'OWCDiscussionsServiceAuthenticated', 'oracle/wss10_saml_token_service_policy')
attachWebServicePolicy('owc_discussions', 'owc_discussions', 'web', 'OWCDiscussionsServiceAuthenticated', 'OWCDiscussionsServiceAuthenticated', 'oracle/wss11_saml_token_with_message_protection_service_policy')
You must supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Spaces or your WebCenter Portal application, as described in Section 14.3, "Registering Discussions Servers." Figure 32-10 shows example connection detail settings for the Edit Discussions and Announcement Connection page.
Figure 32-10 Edit Discussions and Announcement Connection Page
Use the following command summary to quickly configure the keystore for a simple topology.
Generate the Keystore
Use the following keytool commands to generate the keystore, replacing the example values (such as welcome1 and cn=spaces,dc=example,dc=com) with those for your local environment:
keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 1064
keytool -exportcert -v -alias orakey -keystore default-keystore.jks -storepass welcome1 -rfc -file orakey.cer
keytool -importcert -alias webcenter_spaces_ws -file orakey.cer -keystore default-keystore.jks -storepass welcome1
When prompted that the certificate already exists, say yes.
keytool -importcert -alias df_orakey_public -file orakey.cer -keystore owc_discussions.jks -storepass welcome1
Copy the default-keystore.jks file to your domain_home/config/fmwconfig directory.
Configure the Keystore
Using WLST, connect to the WebCenter Spaces domain as an administrator and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This section describes how to configure WS-Security for a topology where the WebCenter application and the WSRP producers share the same domain, but the BPEL server is in an external domain - the SOA domain (see Figure 32-11).
Figure 32-11 WS-Security for a Typical Configuration
The steps to configure WS-Security for a typical two-domain WebCenter topology are described in the following sections:
Section 32.2.1, "Roadmap to Configuring WS-Security for a Typical Topology"
Section 32.2.3, "Configuring the Discussions Server for a Typical Topology"
The flow chart (Figure 32-12) and table (Table 32-3) in this section provide an overview of the prerequisites and tasks required to configure WS-Security for a typical WebCenter topology.
Figure 32-12 Configuring WS-Security for a Typical Topology
Table 32-3 shows the tasks and sub-tasks to configure WS-Security for a typical WebCenter topology.
The security credentials of a WebCenter application, discussions server, BPEL server (in a separate domain), and WSRP producers can be retrieved and managed using a Java Keystore (JKS). A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the wallet or keystore. See the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information about JKS.
This section contains the following subsections:
This section describes how to create a keystore and keys using a Java Keystore (JKS). JKS is the proprietary keystore format defined by Sun Microsystems. To create and manage the keys and certificates in the JKS, use the keytool utility that is distributed with the Java JDK 6.
To create the WebCenter domain keystore:
1. Go to JDK_HOME/jdk/bin and open a command prompt.
2. Using keytool, generate a key pair:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias webcenter -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=spaces,dc=example,dc=com).
key_password is the password for the new public key (for example, welcome1).
keystore is the keystore name (for example, webcenter.jks).
keystore_password is the keystore password (for example, welcome1).
days_valid is the number of days for which the key password is valid (for example, 1064).
Note: You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle Web Services Security Manager requirements.
3. Export the certificate containing the public key:
keytool -exportcert -v -alias webcenter -keystore keystore -storepass keystore_password -rfc -file webcenter_public.cer
Where:
keystore is the keystore name (for example, webcenter.jks).
keystore_password is the keystore password (for example, welcome1).
Continue by configuring the keystore using either WLST, as described in Section 32.2.2.2, "Configuring the Keystore Using WLST," or Fusion Middleware Control, as described in Section 32.2.2.3, "Configuring the Keystore Using Fusion Middleware Control."
Table 32-4 shows the keystore contents you should wind up with after creating and configuring the keystore.
Table 32-4 WebCenter Domain Keystore Contents for a Typical Topology
Key Alias | Description |
---|---|
webcenter | Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions. |
orakey | Certificate containing the public key for the |
After creating the WebCenter domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this either using Fusion Middleware Control, as described in Section 32.2.2.3, "Configuring the Keystore Using Fusion Middleware Control," or using WLST as described below.
To configure the keystore service:
1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
2. Locate the <serviceInstance node for the keystore.provider Provider.
3. Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.
4. Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password=keystore_password, desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password=private_key_password, desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password=private_key_password, desc="Signing key")
Where:
keystore_password is the keystore password specified in step 2 of Section 32.2.2.1, "Creating the WebCenter Domain Keystore" (for example, welcome1).
private_key_password is the private key password specified in step 2 of Section 32.2.2.1, "Creating the WebCenter Domain Keystore" (for example, welcome1).
Example 32-7 Updating the Credential Store
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
5. Restart all servers.
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this either using WLST, as described in Section 32.2.2.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described below.
To configure the keystore provider:
1. Open Fusion Middleware Control and log in to the WebCenter domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
2. In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).
3. From the WebLogic Domain menu, select Security -> Security Provider Configuration.
The Security Provider Configuration page displays (see Figure 32-13).
Figure 32-13 Security Provider Configuration Page
4. Expand the Keystore section on the Security Provider Configuration page.
5. Click Configure.
The Keystore Configuration page displays (see Figure 32-14).
6. Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./webcenter.jks
Password: Enter and confirm the password for the keystore.
Key Alias: webcenter
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: webcenter
Crypt Password: Enter and confirm the password for the encryption key.
7. Click OK to save your settings.
8. Restart the Administration server for the domain.
Configuring the discussions server for a typical topology is exactly the same as for a simple topology. For more information, see Section 32.1.3, "Configuring the Discussions Server for a Simple Topology."
This section describes how to set up the SOA domain keystore and contains the following subsections:
This section describes how to create a SOA domain keystore and keys using a Java Keystore (JKS).
To create the SOA domain keystore:
1. Go to JDK_HOME/jdk/bin and open a command prompt.
2. Create a keystore by importing the public certificate (webcenter_public.cer) from the WebCenter domain:
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1).
3. Using keytool, create a key pair to be used in the SOA domain for signing and encrypting messages:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias bpel -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=bpel,dc=example,dc=com).
key_password is the password for the new public key (for example, welcome1).
keystore is the keystore name (for example, bpel.jks).
keystore_password is the keystore password (for example, welcome1).
days_valid is the number of days for which the key password is valid (for example, 1064).
Note: You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) that keytool uses to generate the key is incompatible with Oracle Web Services Security Manager requirements.
4. Export the certificate so it can be imported in the WebCenter domain using the orakey alias:
keytool -exportcert -v -alias bpel -keystore keystore -storepass keystore_password -rfc -file orakey.cer
Where:
keystore is the keystore name (for example, webcenter.jks).
keystore_password is the keystore password (for example, welcome1).
5. Import the certificate with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias orakey):
keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password.
After creating the SOA domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this either with Fusion Middleware Control, as described in Section 32.2.4.3, "Configuring the Keystore Using Fusion Middleware Control," or using WLST as described below.
To configure the keystore service:
1. Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
2. Locate the <serviceInstance node for the keystore.provider Provider.
3. Ensure that the bpel.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./bpel.jks.
4. Use the following WLST commands to configure the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
5. Restart all servers.
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this either with WLST, as described in Section 32.2.4.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described below.
To configure the keystore provider:
1. Open Fusion Middleware Control and log in to the SOA domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
2. In the Navigation pane, expand the WebLogic Domain node and click the SOA domain.
3. From the WebLogic Domain menu, select Security -> Security Provider Configuration.
4. Expand the Keystore section on the Security Provider Configuration page.
5. Click Configure.
The Keystore Configuration page displays (see Figure 32-15).
6. Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./bpel.jks
Password: Enter and confirm the password for the keystore.
Key Alias: bpel
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: bpel
Crypt Password: Enter and confirm the password for the encryption key.
7. Click OK to save your settings.
8. Restart the Administration server for the domain.
Use the following command summary to quickly configure the keystore for a typical topology.
Generate the Keystore
Use the following keytool commands to generate the keystores, replacing the example values (such as welcome1, cn=spaces,dc=example,dc=com, and cn=bpel,dc=example,dc=com) with those for your local environment:
keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064
keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass welcome1 -rfc -file webcenter_public.cer
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1
When prompted that the certificate already exists, say yes.
keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass welcome1 -keystore bpel.jks -storepass welcome1 -validity 1024
keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass welcome1 -rfc -file orakey.cer
keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass welcome1
When prompted to trust the certificate, say yes.
Copy the webcenter.jks file to your domain_home/config/fmwconfig directory, and the bpel.jks file to your soa_domain_home/config/fmwconfig directory.
Configure the WebCenter Domain Keystore
Follow the steps below to configure the service instance reference for the WebCenter domain:
1. Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.
2. Copy webcenter.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
3. Open jps-config.xml in an editor.
4. Locate the <serviceInstance node for the keystore.provider Provider.
5. Specify the location as ./webcenter.jks.
6. Using WLST, connect to the WebCenter Spaces domain as an admin user and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
Configure the SOA Domain Keystore
Follow the steps below to configure the service instance reference for the SOA domain:
1. Navigate to the <SOA_DOMAIN_HOME>/config/fmwconfig directory.
2. Copy bpel.jks to the <SOA_DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
3. Open jps-config.xml in an editor.
4. Locate the <serviceInstance node for the keystore.provider Provider.
5. Specify the location as ./bpel.jks.
6. Using WLST, connect to the SOA domain as an admin user and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
This section describes how to configure WS-Security for a complex topology where the WebCenter application, the discussions server (Jive), and a WSRP producer are in the same domain, two BPEL servers are in separate SOA domains, and one WSRP producer is in an external portlet domain (see Figure 32-16).
Figure 32-16 WS-Security for a Complex Configuration
The steps to configure WS-Security for a complex WebCenter topology with multiple domains are described in the following sections:
Section 32.3.1, "Roadmap to Configuring WS-Security for a Complex Topology"
Section 32.3.3, "Configuring the Discussions Server for a Complex Topology"
Section 32.3.6, "Setting Up the External Portlet Domain Keystore"
Section 32.3.7, "Setting Up the External WebCenter Domain Keystore"
The flow chart (Figure 32-17) and table (Table 32-5) in this section provide an overview of the prerequisites and tasks required to configure WS-Security for a complex multiple-domain WebCenter topology.
Figure 32-17 Configuring WS-Security for a Complex Topology
Table 32-5 shows the tasks and sub-tasks to configure WS-Security for a complex WebCenter topology.
The security credentials of WebCenter Spaces, discussions server, BPEL servers (in separate domains), and WSRP producers (also in separate domains) can be retrieved and managed using a Java Keystore (JKS). A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the wallet or keystore. See the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information about JKS.
This section contains the following subsections:
This section describes how to create the keystores and keys using a Java Keystore (JKS). JKS is the proprietary keystore format defined by Sun Microsystems. To create and manage the keys and certificates in the JKS, use the keytool utility that is distributed with the Java JDK 6.
To create the WebCenter domain keystores:
Go to JDK_HOME/jdk/bin and open a command prompt.
Using keytool, generate a key pair for the webcenter keystore:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias webcenter -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=spaces,dc=example,dc=com)
key_password is the password for the new public key (for example, welcome1)
keystore is the keystore name (for example, webcenter.jks)
keystore_password is the keystore password (for example, welcome1)
days_valid is the number of days for which the key password is valid (for example, 1064)
Note:
You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.
Export the certificate containing the public key:
keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass keystore_password -rfc -file webcenter_public.cer
Where:
keystore_password is the keystore password (for example, welcome1)
Import the orakey certificate:
keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Continue by configuring the keystore using either WLST, as described in Section 32.3.2.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control, as described in Section 32.3.2.3, "Configuring the Keystore Using Fusion Middleware Control."
Table 32-6 shows the keystore contents you should wind up with after creating and configuring the keystore.
Table 32-6 WebCenter Domain Keystore Contents for a Complex Topology
Key Alias | Description |
---|---|
webcenter | Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions. |
orakey | Certificate containing the public key for the |
soa_server3_public_key | Certificate containing the public key for the soa_server3 private key used in the SOA 2 domain. The certificate is used to encrypt outbound messages from the Worklist service to BPEL Server2 in the SOA 2 domain. |
producer_public_key | Certificate containing the public key for the producer private key used in the external portlet domain that hosts the WSRP Producer 1 application. This certificate is used to encrypt outbound messages from WebCenter Spaces to WSRP Producer 1 registered in the WebCenter Spaces application. |
external_webcenter_custom_public_key | Certificate containing the public key for the external_webcenter_custom private key used in the external WebCenter domain that hosts the WebCenter Portal application that makes WebService calls to the WebCenter Spaces WebService. This certificate is used to encrypt outbound messages from WebCenter Spaces to WebCenter Portal applications in the external WebCenter domain. |
owc_discussions_public | Certificate containing the public key for the external owc_discussions private key used in the external Discussions domain that hosts the Discussions application. This certificate is used when WebCenter Spaces and WebCenter Portal applications make WebService calls to the Discussions WebService. |
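Before wiring webcenter.jks into OWSM it is worth confirming that the file really contains the entries listed in Table 32-6, with the right entry types and under the right store password. The following Python script is an added example, not part of the Oracle documentation or product: it parses the JKS file format directly (magic number, entry tags, and the SHA-1 integrity digest that keytool derives from the store password) and compares the inventory with the table. The keystore it reads is constructed inside the script from placeholder DER bytes so that it runs offline; on a real domain you would pass the bytes of <DOMAIN_HOME>/config/fmwconfig/webcenter.jks and the keystore password instead. keytool -list -v gives the same information interactively; the script is for when you want the check to run unattended, for example before the "Restart all servers" step.

```python
"""Inventory check for a Java KeyStore (JKS): parse the entries, verify the store-password
integrity digest that keytool writes, and compare against an expected alias list (Table 32-6)."""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY, TRUSTED_CERT = 1, 2      # JKS entry tags
JKS_SALT = b"Mighty Aphrodite"        # salt keytool mixes into the integrity digest

def _utf(text):                       # DataOutputStream.writeUTF: 2-byte length + bytes
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def _blob(raw):                       # 4-byte length + bytes (keys, DER certificates)
    return struct.pack(">I", len(raw)) + raw

def _digest(password, body):          # SHA-1 over password (UTF-16BE) + salt + store body
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def build_jks(entries, password):
    """Serialise (alias, tag, [cert_bytes...], key_bytes) tuples into a JKS image.
    Used here only to build an offline sample; real stores come from keytool."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, certs, key in entries:
        body += struct.pack(">I", tag) + _utf(alias.lower()) + struct.pack(">Q", 0)
        if tag == PRIVATE_KEY:
            body += _blob(key) + struct.pack(">I", len(certs))
            body += b"".join(_utf("X.509") + _blob(c) for c in certs)
        else:
            body += _utf("X.509") + _blob(certs[0])
    return body + _digest(password, body)

def read_jks(data, password):
    """Return {alias: (entry_kind, chain_length)}; ValueError if the digest does not verify."""
    body, digest = data[:-20], data[-20:]
    if _digest(password, body) != digest:
        raise ValueError("integrity check failed: wrong store password or tampered file")
    pos = 0

    def take(fmt):                    # fixed-size big-endian field(s)
        nonlocal pos
        values = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return values

    def take_bytes(fmt):              # length-prefixed field
        nonlocal pos
        (length,) = take(fmt)
        pos += length
        return body[pos - length:pos]

    magic, version, count = take(">III")
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS version 2 keystore")
    inventory = {}
    for _ in range(count):
        (tag,) = take(">I")
        alias = take_bytes(">H").decode("utf-8")
        take(">Q")                    # creation timestamp, not needed here
        if tag == PRIVATE_KEY:
            take_bytes(">I")          # encrypted PKCS#8 key, left opaque
            (chain_len,) = take(">I")
            for _ in range(chain_len):
                take_bytes(">H"), take_bytes(">I")   # certificate type, DER bytes
            inventory[alias] = ("PrivateKeyEntry", chain_len)
        elif tag == TRUSTED_CERT:
            take_bytes(">H"), take_bytes(">I")
            inventory[alias] = ("trustedCertEntry", 1)
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return inventory

def store_password_ok(data, password):
    try:
        read_jks(data, password)
        return True
    except ValueError:
        return False

def check_inventory(data, password, expected):
    """Compare a keystore with an expected {alias: entry_kind} map; [] means it matches."""
    found = read_jks(data, password)
    findings = [f"missing entry: {a}" for a in expected if a not in found]
    findings += [f"{a}: expected {k}, found {found[a][0]}"
                 for a, k in expected.items() if a in found and found[a][0] != k]
    findings += [f"unexpected entry: {a}" for a in found if a not in expected]
    return findings

# Expected contents of webcenter.jks, as listed in Table 32-6.
TABLE_32_6 = {"webcenter": "PrivateKeyEntry", **{a: "trustedCertEntry" for a in (
    "orakey", "soa_server3_public_key", "producer_public_key",
    "external_webcenter_custom_public_key", "owc_discussions_public")}}

# Constructed sample keystore: the DER bytes are placeholders, not real keys or certificates.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_STORE = build_jks(
    [("webcenter", PRIVATE_KEY, [FAKE_DER], FAKE_DER)]
    + [(a, TRUSTED_CERT, [FAKE_DER], None) for a in TABLE_32_6 if a != "webcenter"],
    "welcome1")
```

check_inventory(open(path, "rb").read(), password, TABLE_32_6) returns an empty list when the keystore matches the table. A ValueError from read_jks means either the wrong store password was supplied or the file was modified after keytool wrote it; treat the second case as a reason to rebuild the keystore rather than to restart the servers. The same TABLE-style map can be written for Table 32-7 and Table 32-8 to check the SOA domain keystores.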
After creating the WebCenter domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.
To configure the keystore service:
Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.
Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
Restart all servers.
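The two halves of this step, the keystore location in jps-config.xml and the enc-csf-key / sign-csf-key entries in the oracle.wsm.security credential map, have to agree with each other and with the key alias in the keystore; a mismatch only shows up at runtime, when OWSM fails to sign or decrypt a message. The following Python script is an added example (not Oracle code) that checks both halves for one domain before the servers are restarted. The jps-config.xml fragment and the WLST lines it reads are constructed from the steps above; the root element and the file listing passed as fmwconfig_files are assumptions (on a real domain the listing would come from os.listdir of config/fmwconfig, and the root element carries Oracle's jps-config namespace, which the parser ignores).

```python
"""Consistency check for one domain's OWSM keystore wiring: the keystore.provider
serviceInstance in jps-config.xml must point at the copied keystore file, and the
oracle.wsm.security credential map must name the keystore's key alias for signing and encryption."""
import os
import re
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = "./default-keystore.jks"
CSF_MAP = "oracle.wsm.security"
CSF_KEYS = ("keystore-csf-key", "enc-csf-key", "sign-csf-key")
UPDATE_CRED = re.compile(r'updateCred\(\s*map="([^"]*)"\s*,\s*key="([^"]*)"\s*,'
                         r'\s*user="([^"]*)"\s*,\s*password="([^"]*)"')

def keystore_location(jps_config_xml):
    """Return the location of the keystore.provider serviceInstance, ignoring any XML namespace."""
    for element in ET.fromstring(jps_config_xml).iter():
        if element.tag.split("}")[-1] == "serviceInstance" and element.get("provider") == "keystore.provider":
            return element.get("location")
    return None

def parse_update_cred(wlst_script):
    """Extract {(map, key): (user, password)} from the updateCred(...) calls in a WLST script."""
    return {(m, k): (u, p) for m, k, u, p in UPDATE_CRED.findall(wlst_script)}

def check_keystore_wiring(jps_config_xml, fmwconfig_files, key_alias, wlst_script):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    location = keystore_location(jps_config_xml)
    if location is None:
        findings.append("jps-config.xml has no keystore.provider serviceInstance")
    elif location == DEFAULT_KEYSTORE:
        findings.append("keystore location still points at the default keystore")
    elif os.path.basename(location) not in fmwconfig_files:
        findings.append(f"{location} was not copied into config/fmwconfig")
    creds = parse_update_cred(wlst_script)
    for key in CSF_KEYS:
        entry = creds.get((CSF_MAP, key))
        if entry is None:
            findings.append(f"{key} is missing from credential map {CSF_MAP}")
            continue
        user, password = entry
        if not password:
            findings.append(f"{key} has an empty password")
        # enc-csf-key and sign-csf-key carry the key alias as the user; keystore-csf-key does not.
        if key != "keystore-csf-key" and user != key_alias:
            findings.append(f"{key} names alias {user!r}, but the keystore key alias is {key_alias!r}")
    return findings

# Constructed sample inputs modelled on the WebCenter domain steps; the <jpsConfig> root is assumed.
JPS_CONFIG_OK = """<jpsConfig><serviceInstances>
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./webcenter.jks">
<description>Default JPS Keystore Service</description>
</serviceInstance></serviceInstances></jpsConfig>"""
JPS_CONFIG_DEFAULT = JPS_CONFIG_OK.replace("./webcenter.jks", DEFAULT_KEYSTORE)
WLST_OK = """
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
"""
# Same script with the signing alias pointing at a key that is not in webcenter.jks.
WLST_MISMATCH = WLST_OK.replace('key="sign-csf-key", user="webcenter"', 'key="sign-csf-key", user="bpel"')
```

Run check_keystore_wiring once per domain with that domain's key alias (webcenter, owc_discussions, bpel, soa_server3, producer, external_webcenter_custom); the password check only verifies that a value is present, it does not read the credential store back.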
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.
To configure the keystore provider:
Open Fusion Middleware Control and log in to the WebCenter domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (wc_domain by default).
From the WebLogic Domain menu, select Security -> Security Provider Configuration.
The Security Provider Configuration page displays (see Figure 32-18).
Figure 32-18 Security Provider Configuration Page
Expand the Keystore section on the Security Provider Configuration page.
Click Configure.
The Keystore Configuration page displays (see Figure 32-19).
Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./webcenter.jks
Password: Enter and confirm the password for the keystore.
Key Alias: webcenter
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: webcenter
Crypt Password: Enter and confirm the password for the encryption key.
Click OK to save your settings.
Restart the Administration server for the domain.
In a complex topology, the discussions server is in a different domain than WebCenter Spaces and consequently you will need to create and configure a keystore for the discussions server and export the certificate containing the public key and import it into the WebCenter domain. For production environments you will also need to protect the Discussion service Web Service end points with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following subsections:
Section 32.3.3.1, "Securing the Discussions Service End Points"
Section 32.3.3.2, "Creating the Discussions Server Keystore"
Section 32.3.3.4, "Configuring the Discussions Server Connection Settings"
Note:
Discussions-specific Web Services messages sent by WebCenter applications to the Oracle WebCenter Discussions server are not encrypted. For message confidentiality, the discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Chapter 31, "Configuring SSL."
The WebCenter Discussions service Web Service end points require user identity to be propagated for calls originating from WebCenter Spaces. Follow the steps in Section 32.1.3.1, "Securing the Discussions Service End Points" to secure the endpoints using either Fusion Middleware Control or WLST.
This section describes how to create a keystore for the discussions server that contains the key pair used by OWSM, and export the certificate containing the public key so it can be imported into the WebCenter domain.
To create the owc_discussions keystore:
Go to JDK_HOME/jdk/bin and open a command prompt.
Using keytool, generate a key pair for the owc_discussions keystore:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias owc_discussions -keypass key_password -keystore keystore -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=owc_discussions,dc=example,dc=com)
key_password is the password for the new public key (for example, welcome1)
keystore is the keystore name (for example, owc_discussions.jks)
keystore_password is the keystore password (for example, welcome1)
days_valid is the number of days for which the key password is valid (for example, 1064)
Note:
You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.
Export the certificate containing the public key:
keytool -exportcert -v -alias owc_discussions -keystore owc_discussions.jks -storepass keystore_password -rfc -file owc_discussions_public.cer
Where:
keystore_password is the keystore password (for example, welcome1)
Import the webcenter_public certificate:
keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Import the owc_discussions_public certificate:
keytool -importcert -alias owc_discussions_public -file owc_discussions_public.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Continue by updating the credential store using WLST as described in Section 32.3.3.3, "Updating the Credential Store."
After creating the WebCenter domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly.
To configure the keystore service:
Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
<description>Default JPS Keystore Service</description>
Make sure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks:
<serviceInstance name="keystore" provider="keystore.provider" location="./webcenter.jks">
<description>Default JPS Keystore Service</description>
Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="owc_discussions", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="owc_discussions", password="welcome1", desc="Signing key")
Restart all servers.
You must supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Spaces or your WebCenter Portal application, as described in Section 14.3, "Registering Discussions Servers." Figure 32-20 shows example connection detail settings for the Edit Discussions and Announcement Connection page.
Figure 32-20 Edit Discussions and Announcement Connection Page
This section describes how to set up the SOA domain keystore and contains the following subsections:
This section describes how to create a SOA domain keystore and keys using a Java Keystore (JKS).
To create the SOA domain keystore:
Go to JDK_HOME/jdk/bin and open a command prompt.
Create a keystore by importing the public certificate (webcenter_public.cer) from the WebCenter domain:
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Using keytool, create a key pair to be used in the SOA domain for signing and encrypting messages:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias bpel -keypass key_password -keystore bpel.jks -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=bpel,dc=example,dc=com)
key_password is the password for the new public key (for example, welcome1)
keystore_password is the keystore password (for example, welcome1)
days_valid is the number of days for which the key password is valid (for example, 1064)
Note:
You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.
Export the certificate so it can be imported in the WebCenter domain using the orakey alias:
keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass keystore_password -rfc -file orakey.cer
Where:
keystore_password is the keystore password (for example, welcome1)
Import the certificate to the WebCenter domain again with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias orakey):
keytool -importcert -alias orakey -file orakey.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Import the certificate into the SOA domain:
keytool -importcert -alias soa_server3_public_key -file soa_server3_public_key.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Continue by configuring the keystore using either WLST, as described in Section 32.3.4.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described in Section 32.3.4.3, "Configuring the Keystore Using Fusion Middleware Control."
Table 32-7 shows the keystore contents you should wind up with after creating and configuring the SOA 1 domain keystore.
Table 32-7 SOA 1 Domain Keystore Contents for a Complex Topology
Key Alias | Description |
---|---|
bpel | Private key used to sign outbound messages from the SOA 1 domain servers. This key is used by the Worklist application deployed on the SOA 1 domain's SOA server. |
webcenter_spaces_ws | Certificate containing the public key for the |
After creating the SOA domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either Fusion Middleware Control, as described in Section 32.3.4.3, "Configuring the Keystore Using Fusion Middleware Control," or using WLST as described below.
To configure the keystore service:
Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Ensure that the bpel.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./bpel.jks.
Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
Restart all servers.
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either WLST, as described in Section 32.3.4.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described below.
To configure the keystore provider:
Open Fusion Middleware Control and log in to the WebCenter domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
In the Navigation pane, expand the WebLogic Domain node and click the SOA domain.
From the SOA Domain menu, select Security -> Security Provider Configuration.
Expand the Keystore section on the Security Provider Configuration page.
Click Configure.
The Keystore Configuration page displays (see Figure 32-21).
Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./bpel.jks
Password: Enter and confirm the password for the keystore.
Key Alias: bpel
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: bpel
Crypt Password: Enter and confirm the password for the encryption key.
Click OK to save your settings.
Restart the Administration server for the domain.
This section describes how to set up a second SOA domain keystore and contains the following subsections:
Section 32.3.5.3, "Configuring the Keystore Using Fusion Middleware Control"
Section 32.3.5.4, "Configuring the WebCenter Spaces Worklist Connection for the Second SOA Server"
This section describes how to create a SOA domain keystore and keys using a Java Keystore (JKS).
To create the SOA domain keystore:
Go to JDK_HOME/jdk/bin and open a command prompt.
Using keytool, create a key pair to be used in the SOA domain for signing and encrypting messages:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias soa_server3 -keypass key_password -keystore soa_server3.jks -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=soa_server3,dc=example,dc=com)
key_password is the password for the new public key (for example, welcome1)
keystore_password is the keystore password (for example, welcome1)
days_valid is the number of days for which the key password is valid (for example, 1064)
Note:
You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.
Export the certificate so it can be imported in the WebCenter domain using the orakey alias:
keytool -exportcert -v -alias soa_server3 -keystore soa_server3.jks -storepass keystore_password -rfc -file soa_server3_public_key.cer
Where:
keystore_password is the keystore password (for example, welcome1)
Import the certificate to the WebCenter domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias soa_server3_public_key):
keytool -importcert -alias soa_server3_public_key -file soa_server3_public_key.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Import the soa_server3_public_key certificate:
keytool -importcert -alias soa_server3_public_key -file soa_server3_public_key.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Import the producer_public_key certificate:
keytool -importcert -alias producer_public_key -file producer_public_key.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Import the external_webcenter_custom_public_key certificate:
keytool -importcert -alias external_webcenter_custom_public_key -file external_webcenter_custom_public_key.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Continue by configuring the keystore using either WLST, as described in Section 32.3.5.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described in Section 32.3.5.3, "Configuring the Keystore Using Fusion Middleware Control."
Table 32-8 shows the keystore contents you should wind up with after creating and configuring the SOA 2 domain keystore.
Table 32-8 SOA 2 Domain Keystore Contents for a Complex Topology
Key Alias | Description |
---|---|
webcenter | Key pair used to sign and encrypt outbound messages from WebCenter Spaces. This key is used by both OWSM (Portlets and Worklist) and Discussions. |
orakey | Certificate containing the public key for the |
soa_server3_public_key | Certificate containing the public key for the soa_server3 private key used in the SOA 2 domain. The certificate is used to encrypt outbound messages from the Worklist service to BPEL Server2 in the SOA 2 domain. |
producer_public_key | Certificate containing the public key for the producer private key used in the external portlet domain that hosts the WSRP Producer 1 application. This certificate is used to encrypt outbound messages from WebCenter Spaces to WSRP Producer 1 registered in the WebCenter Spaces application. |
external_webcenter_custom_public_key | Certificate containing the public key for the external_webcenter_custom private key used in the external WebCenter domain that hosts the WebCenter Portal application that makes WebService calls to the WebCenter Spaces WebService. This certificate is used to encrypt outbound messages from WebCenter Spaces to WebCenter Portal applications in the external WebCenter domain. |
After creating the second SOA domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either Fusion Middleware Control, as described in Section 32.3.5.3, "Configuring the Keystore Using Fusion Middleware Control," or using WLST as described below.
To configure the keystore service:
Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Ensure that the soa_server3.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./soa_server3.jks.
Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="soa_server3", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="soa_server3", password="welcome1", desc="Signing key")
Restart all servers.
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either WLST, as described in Section 32.3.5.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described below.
To configure the keystore provider:
Open Fusion Middleware Control and log in to the WebCenter domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
In the Navigation pane, expand the WebLogic Domain node and click the SOA domain.
From the SOA Domain menu, select Security -> Security Provider Configuration.
Expand the Keystore section on the Security Provider Configuration page.
Click Configure.
The Keystore Configuration page displays (see Figure 32-22).
Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./soa_server3.jks
Password: Enter and confirm the password for the keystore.
Key Alias: soa_server3
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: soa_server3
Crypt Password: Enter and confirm the password for the encryption key.
Click OK to save your settings.
Restart the Administration server for the domain.
Ordinarily, the WebCenter Spaces Worklist connection uses the oracle/wss10_saml_token_with_message_protection_client_policy policy to secure outbound SOAP messages to the SOA server. However, in a complex deployment where the WebCenter domain uses two or more Worklist connections simultaneously, you need to create an additional OWSM policy and configure it so that the recipient key alias matches the alias of the certificate of the intended SOA server on the WebCenter Spaces side.
Follow the steps below to use multiple Worklist connections simultaneously:
Export the certificate from the external SOA domain and import it into the WebCenter domain under a new alias (soa_server3_key in the following example).
Use Fusion Middleware Control to create a new OWSM policy, and override the recipient key alias to use the same alias as above.
In Fusion Middleware Control, from the WebLogic domain menu select Web Services -> Policies.
The Web Services Policies page displays (see Figure 32-23).
Select a client policy to use as a base for creating the new policy and click Create Like.
The Create Policy page displays (see Figure 32-24).
Enter a name for the new policy (for example, oracle_wss10_saml_token_with_message_protection_client_policy_soa_server3) and click Save.
The new policy should now be listed on the Web Services Policies page.
From the Web Services Policy page, select the new policy and click Edit.
On the Edit Policy page, open the Configuration tab and click Edit.
Override the recipient key alias with the value soa_server3_key and click Save.
Create the BPEL connection to set the security policy to the policy created above using the following WLST command:
setBPELConnection(appName='webcenter', name='WebCenter-Worklist-SOAServer3',url='<your_url>', policy='oracle/wss10_saml_token_with_message_protection_client_policy_soa_server3')
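The reason for the extra policy is that the recipient key alias decides which certificate WebCenter Spaces encrypts the Worklist request with: if both connections used the default policy, both requests would be encrypted for the one alias that policy names, and the second SOA server could not decrypt them. The following Python script is an added example (not Oracle code) that models the keystores of the WebCenter, SOA 1 and SOA 2 domains as built in this section and checks each Worklist connection against them. It checks two things per connection: that the caller's keystore holds the callee's certificate under the alias the client policy names, and that the callee's keystore holds the caller's certificate so it can verify the signature (the SOA 1 steps import it as webcenter_spaces_ws; the alias webcenter_public in the SOA 2 model is an assumption). Domain names such as soa1 and soa2 are labels chosen for the model, and the keystore contents are constructed from the tables above, not read from real files.

```python
"""Cross-domain trust check for WS-Security message protection. A keystore inventory is
{alias: (kind, owning_domain)}; a connection is (caller, callee, recipient_key_alias)."""

KEY, CERT = "key", "cert"   # entry kinds: the domain's own key pair, or a peer's certificate

def check_trust(keystores, connections):
    """keystores: {domain: {alias: (KEY|CERT, owning_domain)}}
    connections: [(caller_domain, callee_domain, recipient_key_alias)]
    Returns a list of findings; [] means every connection is wired consistently."""
    findings = []
    for domain, store in keystores.items():
        own_keys = [alias for alias, (kind, owner) in store.items() if kind == KEY and owner == domain]
        if len(own_keys) != 1:
            findings.append(f"{domain}: expected exactly one own key pair, found {own_keys}")
    for caller, callee, recipient_alias in connections:
        entry = keystores[caller].get(recipient_alias)
        if entry is None:
            findings.append(f"{caller}->{callee}: recipient alias {recipient_alias!r} is not in the {caller} keystore")
        elif entry != (CERT, callee):
            findings.append(f"{caller}->{callee}: alias {recipient_alias!r} is {entry}, not the {callee} certificate")
        # The callee must hold the caller's certificate to verify the signature on the request.
        if (CERT, caller) not in keystores[callee].values():
            findings.append(f"{caller}->{callee}: {callee} holds no {caller} certificate, so it cannot verify the signature")
    return findings

# Constructed model of the WebCenter, SOA 1 and SOA 2 keystores built in this section
# (only the entries that matter for the two Worklist connections are included).
KEYSTORES = {
    "webcenter": {"webcenter": (KEY, "webcenter"), "orakey": (CERT, "soa1"),
                  "soa_server3_public_key": (CERT, "soa2")},
    "soa1": {"bpel": (KEY, "soa1"), "webcenter_spaces_ws": (CERT, "webcenter")},
    "soa2": {"soa_server3": (KEY, "soa2"), "webcenter_public": (CERT, "webcenter")},  # alias assumed
}
# Connection 1 uses the default policy (recipient alias orakey); connection 2 uses the copied
# policy whose recipient key alias was overridden to the alias the certificate was imported under.
CONNECTIONS_OK = [("webcenter", "soa1", "orakey"), ("webcenter", "soa2", "soa_server3_public_key")]
# Both connections on the default policy: the second request is encrypted for SOA 1's key.
CONNECTIONS_DEFAULT_ONLY = [("webcenter", "soa1", "orakey"), ("webcenter", "soa2", "orakey")]
# Policy overridden to soa_server3_key, but the certificate was imported as soa_server3_public_key.
CONNECTIONS_ALIAS_TYPO = [("webcenter", "soa1", "orakey"), ("webcenter", "soa2", "soa_server3_key")]
```

Whatever alias you choose when importing the second SOA server's certificate (soa_server3_key in the text, soa_server3_public_key in the keytool steps), the value entered as the recipient key alias override in the new policy must be the same string; check_trust reports the mismatch before the Worklist connection is used.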
This section describes how to set up the keystore for the external portlet domain used by one of the WSRP producers for this complex topology.
This section contains the following subsections:
Section 32.3.6.1, "Creating the External Portlet Domain Keystore"
Section 32.3.6.3, "Configuring the Keystore Using Fusion Middleware Control"
To create the external portlet domain keystore:
Go to JDK_HOME/jdk/bin and open a command prompt.
Using keytool, generate the keystore by importing the WebCenter domain's public certificate:
keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass keystore_password
Where:
keystore_password is the keystore password
Using keytool, generate a key pair:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias producer -keypass key_password -keystore producer.jks -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=producer,dc=example,dc=com)
key_password is the password for the new public key (for example, welcome1)
keystore is the keystore name (for example, webcenter.jks)
keystore_password is the keystore password (for example, welcome1)
days_valid is the number of days for which the key password is valid (for example, 1064)
Note:
You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.
Export the certificate containing the public key so that it can be imported into the WebCenter Spaces domain's keystore:
keytool -exportcert -v -alias producer -keystore producer.jks -storepass keystore_password -rfc -file producer_public_key.cer
Where:
keystore_password is the keystore password (for example, welcome1)
Import the certificate to the WebCenter domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias producer_public_key):
keytool -importcert -alias producer_public_key -file producer_public_key.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Continue by configuring the keystore using either WLST as described in Section 32.3.6.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described in Section 32.3.6.3, "Configuring the Keystore Using Fusion Middleware Control."
After creating the external portlet domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either Fusion Middleware Control, as described in Section 32.3.6.3, "Configuring the Keystore Using Fusion Middleware Control," or using WLST as described below.
To configure the keystore service:
Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Ensure that the producer.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./producer.jks.
Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="producer", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="producer", password="welcome1", desc="Signing key")
Restart all servers.
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either WLST, as described in Section 32.3.6.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described below.
To configure the keystore provider:
Open Fusion Middleware Control and log in to the WebCenter domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).
From the WebLogic Domain menu, select Security -> Security Provider Configuration.
Expand the Keystore section on the Security Provider Configuration page.
Click Configure.
The Keystore Configuration page displays (see Figure 32-25).
Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./producer.jks
Password: Enter and confirm the password for the keystore.
Key Alias: producer
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: producer
Crypt Password: Enter and confirm the password for the encryption key.
Click OK to save your settings.
Restart the Administration server for the domain.
This section describes how to set up an external WebCenter domain used by a WebCenter Portal application making WebCenter Spaces WebService calls.
This section contains the following subsections:
Section 32.3.7.1, "Creating the External WebCenter Domain Keystore"
Section 32.3.7.3, "Configuring the Keystore Using Fusion Middleware Control"
To create the external WebCenter domain keystore:
Go to JDK_HOME/jdk/bin and open a command prompt.
Using keytool, generate the keystore by importing the WebCenter domain's public certificate:
keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore external_webcenter_custom.jks -storepass keystore_password
Where:
keystore_password is the keystore password
Using keytool, generate a key pair:
keytool -genkeypair -keyalg RSA -dname "consumer_dname" -alias external_webcenter_custom -keypass key_password -keystore external_webcenter_custom.jks -storepass keystore_password -validity days_valid
Where:
consumer_dname is the name of the consumer (for example, cn=external_webcenter_custom,dc=example,dc=com)
key_password is the password for the new public key (for example, welcome1)
keystore_password is the keystore password (for example, welcome1)
days_valid is the number of days for which the key password is valid (for example, 1064)
Note:
You must use the -keyalg parameter and specify RSA as its value, as shown above, because the default algorithm (DSA) used by keytool for generating the key is incompatible with Oracle WebServices Security Manager requirements.
Export the certificate containing the public key so that it can be imported into the WebCenter Spaces domain's keystore:
keytool -exportcert -v -alias external_webcenter_custom -keystore external_webcenter_custom.jks -storepass keystore_password -rfc -file external_webcenter_custom_public_key.cer
Where:
keystore_password is the keystore password (for example, welcome1)
Import the certificate to the WebCenter domain with a different alias (choose Yes when prompted whether to overwrite the existing certificate with the alias external_webcenter_custom_public_key):
keytool -importcert -alias external_webcenter_custom_public_key -file external_webcenter_custom_public_key.cer -keystore webcenter.jks -storepass keystore_password
Where:
keystore_password is the keystore password (for example, welcome1)
Continue by configuring the keystore using either WLST as described in Section 32.3.7.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described in Section 32.3.7.3, "Configuring the Keystore Using Fusion Middleware Control."
After creating the external WebCenter domain keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either Fusion Middleware Control, as described in Section 32.3.7.3, "Configuring the Keystore Using Fusion Middleware Control," or using WLST as described below.
To configure the keystore service:
Go to the <DOMAIN_HOME>/config/fmwconfig directory, and open the file jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Ensure that the webcenter.jks keystore file is copied to the <DOMAIN_HOME>/config/fmwconfig directory, and then specify the location as ./webcenter.jks.
Use the following WLST commands to update the credential store:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="external_webcenter_custom", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="external_webcenter_custom", password="welcome1", desc="Signing key")
Restart all servers.
After creating the keystore, configure the keystore service and update the credential store so that OWSM can read the keystore and keys correctly. You can do this using either WLST, as described in Section 32.3.7.2, "Configuring the Keystore Using WLST," or using Fusion Middleware Control as described below.
To configure the keystore provider:
Open Fusion Middleware Control and log in to the WebCenter domain.
For information on logging in to Fusion Middleware Control, see Chapter 6, "Starting Enterprise Manager Fusion Middleware Control."
In the Navigation pane, expand the WebLogic Domain node and click the WebCenter domain (webcenter by default).
From the WebLogic Domain menu, select Security -> Security Provider Configuration.
Expand the Keystore section on the Security Provider Configuration page.
Click Configure.
The Keystore Configuration page displays (see Figure 32-26).
Use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
Keystore Path: ./external_webcenter_custom.jks
Password: Enter and confirm the password for the keystore.
Key Alias: external_webcenter_custom
Signature Password: Enter and confirm the password for the signature key.
Crypt Alias: external_webcenter_custom
Crypt Password: Enter and confirm the password for the encryption key.
Click OK to save your settings.
Restart the Administration server for the domain.
Use the following command summary to quickly configure the keystore and DF properties for a complex topology.
Generate the Keystore
Use the following keytool commands to generate the keystore, replacing the example values with those for your local environment:
keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064
keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass welcome1 -rfc -file webcenter_public.cer
keytool -importcert -alias df_webcenter_public -file webcenter_public.cer -keystore owc_discussions.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass welcome1 -keystore bpel.jks
keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass welcome1 -rfc -file orakay.cer
keytool -importcert -alias orakey -file orakay.cer -keystore webcenter.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -genkeypair -keyalg RSA -dname "cn=soa_server3,dc=example,dc=com" -alias soa_server3 -keypass welcome1 -keystore soa_server3.jks -storepass welcome1 -validity 1024
keytool -exportcert -v -alias soa_server3 -keystore soa_server3.jks -storepass welcome1 -rfc -file soa_server3_public_key.cer
keytool -importcert -alias soa_server3_public_key -file soa_server3_public_key.cer -keystore webcenter.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore producer.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -genkeypair -keyalg RSA -dname "cn=producer,dc=example,dc=com" -alias producer -keypass welcome1 -keystore producer.jks -storepass welcome1 -validity 1024
keytool -exportcert -v -alias producer -keystore producer.jks -storepass welcome1 -rfc -file producer_public_key.cer
keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore external_webcenter_custom.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -genkeypair -keyalg RSA -dname "cn=external_webcenter_custom,dc=example,dc=com" -alias external_webcenter_custom -keypass welcome1 -keystore external_webcenter_custom.jks -storepass welcome1 -validity 1024
keytool -exportcert -v -alias external_webcenter_custom -keystore external_webcenter_custom.jks -storepass welcome1 -rfc -file external_webcenter_custom_public_key.cer
keytool -importcert -alias producer_public_key -file producer_public_key.cer -keystore webcenter.jks -storepass welcome1
When prompted to trust the certificate, say yes.
keytool -importcert -alias external_webcenter_custom_public_key -file external_webcenter_custom_public_key.cer -keystore webcenter.jks -storepass welcome1
When prompted to trust the certificate, say yes.
Copy webcenter.jks to your domain_home/config/fmwconfig directory, bpel.jks to your SOA1_domain_home/config/fmwconfig directory, soa_server3.jks to your SOA_2_domain_home/config/fmwconfig directory, producer.jks to your External_Portlet_domain_home/config/fmwconfig directory, and external_webcenter_custom.jks to your External_WebCenter_domain_home/config/fmwconfig directory.
Configure the WebCenter Domain Keystore
Follow the steps below to configure the service instance reference for the WebCenter domain:
Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.
Copy webcenter.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
Open jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Specify the location as ./webcenter.jks.
Using WLST, connect to the WebCenter domain as an administrator and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="webcenter", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="webcenter", password="welcome1", desc="Signing key")
Configure the External Discussions Server Domain Keystore
Follow the steps below to configure the service instance reference for the discussions server:
Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.
Copy webcenter.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
Open jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Specify the location as ./owc_discussions.jks.
Using WLST, connect to the WebCenter domain as an administrator and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="owc_discussions", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="owc_discussions", password="welcome1", desc="Signing key")
Configure the SOA1 Domain Keystore
Follow the steps below to configure the service instance reference for the SOA1 domain:
Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.
Copy bpel.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
Open jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Specify the location as ./bpel.jks.
Using WLST, connect to the SOA1 domain as an admin user and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="bpel", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="bpel", password="welcome1", desc="Signing key")
Configure the SOA2 Domain Keystore
Follow the steps below to configure the service instance reference for the SOA2 domain:
Navigate to the <DOMAIN_HOME>/config/fmwconfig directory.
Copy soa_server3.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
Open jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Specify the location as ./soa_server3.jks.
Using WLST, connect to the SOA2 domain as an admin user and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="soa_server3", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="soa_server3", password="welcome1", desc="Signing key")
Configure the External Portlet Producer Domain Keystore
Follow the steps below to configure the service instance reference for the External Portlet Producer and External WebCenter domain keystores:
Navigate to the <DOMAIN_HOME>/config/fmwconfig directory of the External Portlet Producer domain.
Copy producer.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
Open jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Specify the location as ./producer.jks.
Using WLST, connect to the External Portlet Producer domain as an administrator and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="producer", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="producer", password="welcome1", desc="Signing key")
Navigate to the <DOMAIN_HOME>/config/fmwconfig directory of the External WebCenter domain.
Copy producer.jks to the <DOMAIN_HOME>/config/fmwconfig directory if you haven't already done so.
Open jps-config.xml in an editor.
Locate the <serviceInstance node for the keystore.provider Provider.
Specify the location as ./external_webcenter_custom.jks.
Using WLST, connect to the External Portlet Producer domain as an administrator and run the following commands:
updateCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
updateCred(map="oracle.wsm.security", key="enc-csf-key", user="external_webcenter_custom", password="welcome1", desc="Encryption key")
updateCred(map="oracle.wsm.security", key="sign-csf-key", user="external_webcenter_custom", password="welcome1", desc="Signing key")
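Every per-domain keystore procedure above, and the WLST variant for the external WebCenter domain, repeats one pattern: point the keystore.provider serviceInstance in jps-config.xml at a JKS file inside config/fmwconfig, then store three credentials whose CSF map and key names must match what that serviceInstance declares (keystore.csf.map, keystore.pass.csf.key, keystore.sig.csf.key, keystore.enc.csf.key). The Python script below is an added example, not Oracle tooling or WLST code: it rewrites the keystore location in a constructed, trimmed jps-config.xml (the layout with a location attribute and the keystore.*.csf.key properties is assumed from the 11g default file) and derives the matching updateCred() calls from the file itself, so the credential store cannot end up naming a map or key that the keystore service does not use. The function names (keystore_settings, set_keystore_location, check_keystore_settings, update_cred_commands) are the example's own.

```python
"""Edit the keystore service in jps-config.xml and derive matching WLST
updateCred() calls.  Added example, not Oracle or WLST code; the sample
document is constructed and trimmed to the keystore service only."""
import xml.etree.ElementTree as ET

JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
NS = {"j": JPS_NS}

# Constructed sample (assumed 11g layout): the keystore file is named in the
# `location` attribute, the CSF map and key names in <property> children.
SAMPLE_JPS_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="{JPS_NS}">
  <serviceInstances>
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <description>Default JPS Keystore Service</description>
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _keystore_instance(root):
    """Return the <serviceInstance> whose provider is keystore.provider."""
    for inst in root.iter(f"{{{JPS_NS}}}serviceInstance"):
        if inst.get("provider") == "keystore.provider":
            return inst
    raise ValueError("jps-config.xml has no keystore.provider serviceInstance")


def keystore_settings(xml_text):
    """Read the keystore location plus the CSF map and key names it declares."""
    inst = _keystore_instance(ET.fromstring(xml_text))
    props = {p.get("name"): p.get("value") for p in inst.iterfind("j:property", NS)}
    return {
        "location": inst.get("location"),
        "type": props.get("keystore.type"),
        "map": props["keystore.csf.map"],
        "pass_key": props["keystore.pass.csf.key"],
        "sign_key": props["keystore.sig.csf.key"],
        "enc_key": props["keystore.enc.csf.key"],
    }


def set_keystore_location(xml_text, location):
    """Return the document with the keystore location rewritten, e.g. './bpel.jks'."""
    ET.register_namespace("", JPS_NS)        # keep the default namespace unprefixed
    root = ET.fromstring(xml_text)
    _keystore_instance(root).set("location", location)
    return ET.tostring(root, encoding="unicode")


def check_keystore_settings(settings, expected_map="oracle.wsm.security"):
    """Report the misconfigurations the chapter's steps guard against."""
    problems = []
    if not (settings["location"] or "").startswith("./"):
        problems.append("location must be a ./ path: copy the .jks into config/fmwconfig")
    if settings["type"] != "JKS":
        problems.append(f"keystore.type is {settings['type']!r}; the keytool commands in this chapter create JKS stores")
    if settings["map"] != expected_map:
        problems.append(f"CSF map {settings['map']!r} differs from the map updateCred writes to")
    return problems


def update_cred_commands(settings, key_alias, store_pass, key_pass):
    """Build the three updateCred() calls for one domain from jps-config.xml itself:
    keystore password under the pass key, private-key alias/password under the
    encryption and signing keys."""
    m = settings["map"]
    return [
        f'updateCred(map="{m}", key="{settings["pass_key"]}", user="owsm", password="{store_pass}", desc="Keystore key")',
        f'updateCred(map="{m}", key="{settings["enc_key"]}", user="{key_alias}", password="{key_pass}", desc="Encryption key")',
        f'updateCred(map="{m}", key="{settings["sign_key"]}", user="{key_alias}", password="{key_pass}", desc="Signing key")',
    ]


if __name__ == "__main__":
    updated = set_keystore_location(SAMPLE_JPS_CONFIG, "./webcenter.jks")
    cfg = keystore_settings(updated)
    print(cfg["location"], check_keystore_settings(cfg) or "OK")
    print("\n".join(update_cred_commands(cfg, "webcenter", "welcome1", "welcome1")))
```

Run it once per domain with the domain's keystore file and key alias (bpel.jks with bpel, soa_server3.jks with soa_server3, and so on); the alias passed as key_alias must be the alias of a private key entry in that keystore, because OWSM resolves sign-csf-key and enc-csf-key against it when it signs and decrypts messages.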
Configure the Discussions Server Connection
Supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Spaces or your WebCenter Portal application, as described in Section 14.3, "Registering Discussions Servers." Also see Section 32.3.3.4, "Configuring the Discussions Server Connection Settings" for example connection detail settings for the Edit Discussions and Announcement Connection page.
Follow the steps below to configure WS-Security for Oracle WebLogic Communication Services (OWLCS):
1. Provide the policyURI when creating the Instant Messaging and Presence (IMP) connection.
When you create the connection to the WS-Security enabled OWLCS server, you must provide the policyURI. The value of policyURI should be set to oracle/wss11_saml_token_with_message_protection_client_policy. If no policyURI is supplied, the application uses a non-secure connection. See also Section 16.1, "What You Should Know About Instant Messaging and Presence Connections."
2. Supply an alias name for the private key to the IMP connection.
Provide an additional property in the WebCenter IMP connection named recipient.alias. Set the value of this property to the alias under which to import the OWLCS certificate. Ensure that this value is unique and is not already used by some other service. If no alias name is supplied, the application uses the default value webcenter_owlcs. See also Section 16.3, "Registering Instant Messaging and Presence Servers."
3. Determine the private key in the OWLCS keystore (located on the OWLCS instance at DOMAIN_HOME/config/fmwconfig).
Use the following command to list the keystore contents:
keytool -list -v -keystore Serversidekeystore.jks -storepass password
Find the entry with the Entry type set to keyEntry. The alias name of this entry is the private key (orakey by default).
4. Export the private key from the OWLCS server keystore.
Use the following command to export orakey to a certificate file (for example, orakey.cer):
keytool -exportcert -v -alias orakey -keystore Serversidekeystore.jks -storepass welcome -rfc -file orakey.cer
5. Determine the private key in the WebCenter keystore (on the WebCenter instance at DOMAIN_HOME/config/fmwconfig).
If no keystore is found, proceed to step 6. Otherwise, use the following command to list the keystore contents:
keytool -list -v -keystore default-keystore.jks -storepass welcome
Find the entry with Entry type set to keyEntry or PrivateKeyEntry. The alias name of this entry is the private key.
If no such entry is found, proceed to step 6. Otherwise, continue at step 7.
6. Generate a private key on WebCenter.
Go to DOMAIN_HOME/config/fmwconfig in your WebCenter installation and run the following command to add a key pair to the keystore. The command creates a keystore named default-keystore.jks if it does not exist, and adds a new private key entry with alias orasig and the password set to welcome1. You can optionally change the alias, password, and distinguished name (-dname) when you run the command.
keytool -genkeypair -keyalg RSA -dname "cn=consumer,dc=example,dc=com" -alias orasig -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 360
7. Configure OWLCS on your WebCenter instance to use the private key.
Run the WLST updateCred command, substituting the values for user and password in the first two commands with your private key alias and password.
updateCred(map='oracle.wsm.security', key='enc-csf-key', user='orasig', password='welcome1', desc='EncryptionKey')
updateCred(map='oracle.wsm.security', key='sign-csf-key', user='orasig', password='welcome1', desc='SigningKey')
updateCred(map='oracle.wsm.security', key='keystore-csf-key', user='owsm', password='welcome1', desc='KeystoreKey')
8. Export the private key pair to a certificate.
Export the private key found in step 5 or created in step 6 to a certificate file using the following command:
keytool -exportcert -v -alias orasig -keystore default-keystore.jks -storepass welcome1 -rfc -file orasig.cer
9. Import the certificate generated on the OWLCS Server to the WebCenter keystore.
Copy the certificate generated in step 4 to a temporary location on the WebCenter instance. Import the certificate in the WebCenter instance using the alias name from step 2.
Use the following command to import the certificate in the WebCenter keystore:
keytool -importcert -alias webcenter_owlcs -file orakey.cer -keystore default-keystore.jks -storepass welcome1
10. Import the WebCenter certificate on the OWLCS instance.
Copy the certificate created in step 8 to a temporary location on the OWLCS instance. Go to DOMAIN_HOME/config/fmwconfig and import the certificate in the keystore under a meaningful alias (for example, webcenter_key) using the following command:
keytool -importcert -alias webcenter_key -file orasig.cer -keystore Serversidekeystore.jks -storepass welcome
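The OWLCS procedure above, like the keystore procedures earlier in this chapter, identifies each side's private key by running keytool -list and reading the Entry type, and it succeeds only when the certificate exchange leaves each keystore holding its own private key entry plus the peer's certificate as a trusted entry. The Python below is an added example, not Oracle or JDK code: it reads a JKS container directly (the OpenJDK JavaKeyStore layout: magic, entry tags, aliases, certificate chains, and a trailing SHA-1 integrity digest keyed by the store password), classifies entries the way keytool -list reports them, verifies the store password, and checks that one side holds the expected key alias and peer certificate alias. Private keys stay encrypted and are never decoded. The sample store is constructed in memory with dummy DER payloads, and the function names (build_jks, integrity_ok, list_jks, check_mutual_trust) are the example's own.

```python
"""Read a JKS keystore the way `keytool -list -v` reports its entries.
Added example, not Oracle or JDK code.  Parses the JKS container format
(OpenJDK JavaKeyStore): entry tags, aliases, certificate chains and the
trailing SHA-1 integrity digest.  Encrypted private keys are left opaque.
The sample store is constructed with dummy DER payloads."""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2
DIGEST_SALT = b"Mighty Aphrodite"   # fixed string JKS mixes into its integrity digest


def _utf(s):                          # Java DataOutput.writeUTF: 2-byte length + bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_blob(buf, pos):             # 4-byte length + opaque bytes (key or certificate)
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _digest(body, storepass):
    """SHA-1(password as UTF-16BE || "Mighty Aphrodite" || whole stream)."""
    h = hashlib.sha1()
    h.update(storepass.encode("utf-16-be"))
    h.update(DIGEST_SALT)
    h.update(body)
    return h.digest()


def build_jks(entries, storepass, timestamp_ms=1300000000000):
    """Assemble a version-2 JKS from (alias, kind, payload) tuples: kind 'key' with
    payload (encrypted_key_bytes, [cert_bytes, ...]) or 'cert' with cert_bytes.
    Used here only to construct the sample store; aliases are stored lowercase."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, kind, payload in entries:
        if kind == "key":
            enc_key, chain = payload
            body += struct.pack(">I", PRIVATE_KEY_TAG) + _utf(alias.lower()) + struct.pack(">Q", timestamp_ms)
            body += struct.pack(">I", len(enc_key)) + enc_key + struct.pack(">I", len(chain))
            for cert in chain:
                body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias.lower()) + struct.pack(">Q", timestamp_ms)
            body += _utf("X.509") + struct.pack(">I", len(payload)) + payload
    return body + _digest(body, storepass)


def integrity_ok(data, storepass):
    """True when the trailing digest matches storepass; otherwise keytool reports
    'Keystore was tampered with, or password was incorrect'."""
    return len(data) > 20 and _digest(data[:-20], storepass) == data[-20:]


def list_jks(data, storepass):
    """Return [(alias, entry_type, chain_length)], mirroring the 'Entry type:'
    lines of keytool -list -v (keyEntry/PrivateKeyEntry vs. trustedCertEntry)."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    if not integrity_ok(data, storepass):
        raise ValueError("keystore was tampered with, or password was incorrect")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                  # creation timestamp, not needed here
        if tag == PRIVATE_KEY_TAG:
            _, pos = _read_blob(data, pos)        # encrypted PKCS#8 key, left opaque
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                if version == 2:
                    _, pos = _read_utf(data, pos)  # certificate type, normally "X.509"
                _, pos = _read_blob(data, pos)
            entries.append((alias, "PrivateKeyEntry", chain_len))
        elif tag == TRUSTED_CERT_TAG:
            if version == 2:
                _, pos = _read_utf(data, pos)
            _, pos = _read_blob(data, pos)
            entries.append((alias, "trustedCertEntry", 1))
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries


def check_mutual_trust(entries, own_key_alias, peer_cert_alias):
    """Problems for one side of the exchange: the alias named in sign-csf-key and
    enc-csf-key must be a private key, and the peer's certificate must be present."""
    kinds = {alias: kind for alias, kind, _ in entries}
    problems = []
    if kinds.get(own_key_alias.lower()) != "PrivateKeyEntry":
        problems.append(f"no PrivateKeyEntry under alias {own_key_alias!r}")
    if kinds.get(peer_cert_alias.lower()) != "trustedCertEntry":
        problems.append(f"no trustedCertEntry under alias {peer_cert_alias!r}")
    return problems


# Constructed sample: the WebCenter-side default-keystore.jks once its own key
# pair exists under orasig and the OWLCS certificate is imported as webcenter_owlcs.
DUMMY_KEY, DUMMY_CERT = b"\x30\x10" + bytes(16), b"\x30\x20" + bytes(32)
SAMPLE_WEBCENTER_STORE = build_jks(
    [("orasig", "key", (DUMMY_KEY, [DUMMY_CERT])),
     ("webcenter_owlcs", "cert", DUMMY_CERT)], "welcome1")

if __name__ == "__main__":
    found = list_jks(SAMPLE_WEBCENTER_STORE, "welcome1")
    for alias, kind, n in found:
        print(f"{alias}: {kind} (chain length {n})")
    print(check_mutual_trust(found, "orasig", "webcenter_owlcs") or "mutual trust OK")
```

Against a real store, read the file bytes (open(path, "rb").read()) and pass the store password; the OWLCS side is checked with its own private-key alias (orakey by default) and the alias chosen for the WebCenter certificate (webcenter_key in the example above), the WebCenter side with orasig and the recipient.alias value (webcenter_owlcs by default).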
This section describes the administrator tasks required to configure WS-Security for WebCenter Spaces so that the communication between an application exposing WebCenter Spaces APIs (the consumer) and WebCenter Spaces (the producer) is secure, and that the identity of the user invoking the APIs is protected.
For information about the developer tasks for developing applications that consume WebCenter Spaces client APIs, see "How to Set Up Your WebCenter Portal application to Use the WebCenter Spaces APIs" in the Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.
This section includes the following subsections:
Section 32.5.1, "Configuring a Simple Topology for Applications Consuming Spaces Client APIs"
Section 32.5.2, "Configuring a Typical Topology for Applications Consuming Spaces Client APIs"
Section 32.5.3, "Configuring a Complex Topology for Applications Consuming Spaces Client APIs"
If your client application is part of the same domain as WebCenter Spaces, you only need to specify the following for the GroupSpaceWSContext():
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("orakey");
If your client application is JDeveloper and you have access to the WebCenter Spaces server's configured keystore, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig/dir and configure the JDeveloper domain to use this keystore. The steps here would be exactly the same as those in Section 32.1.2.2, "Configuring the Keystore with WLST", and you would then also need to specify the following on your client stub:
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("orakey");
If your client application is part of the same domain as WebCenter Spaces, you only need to specify the following for the GroupSpaceWSContext():
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");
If your client application is JDeveloper and you have access to the WebCenter Spaces server's configured keystore, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig/dir and configure the JDeveloper domain to use this keystore. The steps here would be exactly the same as those in Section 32.2.2.2, "Configuring the Keystore Using WLST", and you would then also need to specify the following on your client stub:
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");
If your client application is part of the same domain as WebCenter Spaces, you only need to specify the following for the GroupSpaceWSContext():
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");
If your client application is JDeveloper, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig/dir and configure the JDeveloper domain to use this keystore. The steps here would be exactly the same as those in Section 32.3.2.2, "Configuring the Keystore Using WLST", and you would then also need to specify the following on your client stub:
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("webcenter");