Print Page

Friday, January 9, 2009

Security Configuration in Oracle AS Integration B2B

Practice Lesson
Security Configuration in Oracle AS Integration B2B


Security Configuration In Integration B2B


Introduction:

There are three ways of providing security in Oracle AS Integration B2B.
      1. Encryption
      2. Digital Signature (Sign).
      3. SSL



Security Setup:

Step1 : Create a self signed certificate for the host using the Oracle Certificate Authority, the tutorial for the same is as below.
http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/devapp06.htm

Alternatively it is possible to obtain a certificate from the CA(certificate Authority like Verisign or Thwarte) . Certificate extension should not matter, as long as you use x.509 compliant certificate.

Step2: Import the host certificate into the Oracle Wallet along with the Root certificate.

Step 3: Make sure you have specify the wallet location properly (folder name) in the file /ip/configuration/tip.properties.

E.g. oracle.tip.adapter.b2b.WalletLocation = c:/tmp/soa/b2b

Step 4: Using Oracle Integration B2b, The following are the steps to configure for secured way of transferring messages between trading partners.

      -> Select Partners
            -> Select Trading Partner
                  ->Select Acme
                        -> Click on “Update”


Enter the following information

General Page: Enter the wallet Password information
New Wallet Password
Confirm New Password

->Click Apply

step 5: Setting up the Host Delivery Channel:

For providing the Security Information for Host Trading Partner (Acme)
Create Communication Capability
      -> Select Trading Partners
            -> Select Acme
                  -> Select Capabilities
                        -> Select
                              -> Select Create Communication Capability

Delivery Channel Page

Prompts to define the following delivery channel details for the secure exchange of messages between trading partners:
     · Delivery channel name
     · Acknowledgment mode
     · Global usage code
     · If nonrepudiation of receipt and nonrepudiation of origin are Required
     · If encryption, transport security, and compression are enabled
     · Time to acknowledgment value
     · Retry count value

Note: The selections you make on this page for nonrepudiation of receipt, nonrepudiation of origin, encryption, and transport security determine the fields that display and the transport protocols that are selectable on subsequent pages of this wizard.

Document Exchange Page

Prompts to define the following document exchange characteristics for exchanging messages between trading partners

     · Document exchange name
     · Exchange protocol revision and parameter values.
     · Document exchange protocol parameters
     · Digital signature, signing credential, and certificate file if you Selected        “Yes” for nonrepudiation of receipt and nonrepudiation of origin on the        Delivery Channel page.
     · Digital envelope, encryption credential, and certificate file if you selected        “Yes” to enable encryption on the Delivery Channel
       page.


In the Document Exchange window, enter the following information,


Encryption:
There is a need to select Digital Envelope algorithm depending on whether encryption is enabled.

New encryption credential can be created using create new or use the existing Encryption credentials. For new credentials use Browse button to locate Host certificate as it is used to decrypt the message. Make sure this certificate should be available in the e-wallet.

Non-Repudiation: If Non-Repudiation is enabled then select the Digital Signature and Signing credentials. Use Browse button to locate Host certificate for Digitally Signing the outbound Message. Make sure this certificate should be available in the e-wallet.

B2B engine uses the certificate from the repository for both signing and encryption and also a lookup to the wallet for Private key, hence there is a need to import the host certificate into the wallet as well.

Note: There is another way to specify the Certificates,

     -> Select Partners
          -> Select Trading Partner
               -> Select Acme
                    -> Click on “Create” under Certificate


Enter the following information
     Name: <Any valid Name>
     Certificate File: <Using browse to locate the certificate >
          ->Click Apply

Use this certificate while creating the Delivery Channel by selecting “Use Existing”.

Step 6: Setting up the Trading Partner Delivery Channel:

Providing the Security Information for Remote Trading Partner (GlobalChips)
Create Communication Capabilities
     ->Select Trading Partners
          ->Select GlobalChips
               ->Select Capabilities
                    ->Select <Business protocol>
                         ->Select Create Communication Capability

Delivery Channel Page

Prompts to define the following delivery channel details for the secure exchange of messages between trading partners:

     · Delivery channel name
     · Acknowledgment mode
     · Global usage code
     · If nonrepudiation of receipt and nonrepudiation of origin are Required
     · If encryption, transport security, and compression are enabled
     · Time to acknowledgment value
     · Retry count value

Note: The selections you make on this page for nonrepudiation of receipt, nonrepudiation of origin, encryption, and transport security determine the fields that display and the transport protocols that are selectable on subsequent pages of this wizard.

Document Exchange Page

Prompts to define the following document exchange characteristics for exchanging messages between trading partners

     · Document exchange name
     · Exchange protocol revision and parameter values
     · Document exchange protocol parameters
     · Digital signature, signing credential, and certificate file if you Selected        “Yes” for nonrepudiation of receipt and nonrepudiation of origin on the        Delivery Channel page
     · Digital envelope, encryption credential, and certificate file if You selected        “Yes” to enable encryption on the Delivery Channel
       Page

In the Document Exchange window, enter the following information,



Encryption:
There is a need to select Digital Envelope algorithm depending on whether encryption is enabled.

New encryption credential can be created using create new or use the existing Encryption credentials. For new credentials use Browse button to locate Trading Partner certificate as it is used to encrypt the outbound message.

Non-Repudiation: If Non-Repudiation is enabled then select the Digital Signature and Signing credentials. Use Browse button to locate Trading Partner certificate for Digital signature verification for the inbound message.


SSL - Security

Configure SSL:

1. Edit Oracle_Home\opmn\conf\opmn.xml. Search for ssl-disabled and change it to ssl-enabled.
2. Startup Oracle Wallet Manager. Open the default wallet* in Oracle_Home\Apache\Apache\conf\ssl.wlt\default. Password is welcome.
3. Right click on “Trusted Certificates” Node and import the Remote Trading Partners Certificate.
4. Save the wallet in location Oracle_Home\ip as b2bwallet.txt
5. Edit Oracle_Home\ip\config\tip.properties
6. Search for wallet location and change it to Oracle_Home\\ip\\b2bwallet.txt.
7. Stop and start opmn – opmnctl stopall / opmnctl startall

* Note: Usage of default wallet is recommended only for Test. Request for a Server Certificate from a CA for actual usage.

Test SSL Configuration:

1. Access Oracle Enterprise Manager.
2. Find the SSL port
3. Access the B2B Transport Servlet through the following the URL: https://hostname:sslport/b2b/transportServlet

Configure SSL for Trading Partners.
1. Log into the B2B UI Tool.
2. Click on Partners>>Trading Partners>>Select the Trading Partner>>Capabilities>>Select the Business Protocol>>Communication Capabilities>>Select Delivery Channel
3. Update Delivery Channel to enable Transport Security.
4. Update Transports details to select HTTPS 1.1 secure as the Transport Protocol.
5. Update Transport Server details to include the SSL port.

Repeat the same for all remaining Trading Partners.
Create a Configuration and Deploy.

No comments: