Wednesday, 29 August 2012

Implement message transport security in B2B11g

One of my current customers is in the middle of migrating from sending/receiving EDI messages to XML over AS2. The B2B product chosen is Oracle SOA Suite Integration B2B 11g.

Nice, because in the past I was intensively involved in implementing ebMS with B2B 10g; I think it was the first implementation of ebMS on Oracle Integration B2B 10g in the Netherlands. Unfortunately I was not able to get message encryption and signing working back then, mainly because of lack of time and lack of knowledge of the different certificate formats. Now I had the chance to re-try much the same thing in B2B 11g.

Regarding implementation, AS2 and ebMS are basically the same: both are transport protocols over HTTP(S). I had to implement SSL as well as message encryption and signing.

My colleague had already found a good starting point: the blog of Anuj Dwivedi on Enabling SSL on Oracle B2B 11g. It's a nice step-by-step how-to for implementing transport security.

Unfortunately I missed two aspects in that story: how to import a private certificate from a ".p12" file, and how to convert a certificate in DER format to PEM. My customer has a certificate in PKCS12 format (a .p12 file), and that one needs to be imported. Then the public certificate is not in PEM format, and it needs to be in order to import it into the JKS keystore with keytool as described in the blog.

Import private certificate in the keystore

I found this how-to here. It starts with creating an empty keystore:
keytool -genkey -alias darwinKey -keystore ~/Keystores/b2bKeyStore.jks -keypass welcome1 -storepass welcome1
This creates a JKS-keystore with a key with alias darwinKey. It asks several questions like:
What is your first and last name?
[Unknown]: Martien van den Akker
What is the name of your organizational unit?
[Unknown]: Professionals
What is the name of your organization?
[Unknown]: Darwin-IT
What is the name of your City or Locality?
[Unknown]: Amersfoort
What is the name of your State or Province?
[Unknown]: Utrecht
What is the two-letter country code for this unit?
[Unknown]: NL
Is CN=Martien van den Akker, OU=Professionals, O=Darwin-IT, L=Amersfoort,
ST=Utrecht, C=NL correct?
[no]: yes
Since we want an empty keystore into which we import a private key, we need to delete that key again:
keytool -delete -alias darwinKey -keystore ~/Keystores/b2bKeyStore.jks -storepass welcome1
Now that the keystore is empty, we can import the PKCS12 certificate:
keytool -v -importkeystore -srckeystore ~/Certificaten/darwinCustomerCertificate.p12 -srcstoretype PKCS12 -destkeystore ~/Keystores/b2bKeyStore.jks -deststoretype JKS -storepass welcome1
Output:
Enter source keystore password:
Entry for alias darwincustomer successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing /home/oracle/Keystores/b2bKeyStore.jks]
In the examples above I used "welcome1" as the keystore password. Later I found that, for B2B to be able to read the certificate and actually use it, the password of the keystore has to be the same as the passphrase of the private key. So when you use the examples above for your actual implementation, it is best to use that passphrase as the keystore password right away. Luckily the keystore password can also be changed afterwards:
keytool -storepasswd -keystore ~/Keystores/b2bKeyStore.jks
Output:
Enter keystore password:
New keystore password:
Re-enter new keystore password:

Convert DER certificate to PEM

When you receive a public certificate, you probably get it in some kind of binary format. You can also export it from the private key entry in your keystore with the keytool utility:
keytool -exportcert -alias darwinCustomerCert -file ~/Certificaten/darwinCustomerPublicCert.cer -keystore ~/Keystores/b2bKeyStore.jks -storepass welcome1
Output:
Certificate stored in file </home/oracle/Certificaten/darwinCustomerPublicCert.cer> 
The exported certificate is stored in DER format. To create a PEM file out of it, OpenSSL can be used. The command for this I found here and here.
openssl x509 -inform der -in darwinCustomerPublicCert.cer -outform pem -out darwinCustomerPublicCert.pem
This delivers a readable certificate that can be imported into the keystore.
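As an added example (not from the original post), the same DER-to-PEM step done with Python's standard library, plus the check a practitioner wants before importing: that the file really is one complete DER object and not a truncated or padded download. The sample bytes are a constructed minimal DER SEQUENCE, not a real X.509 certificate; the encoding step does not depend on the content.

```python
import ssl

# Constructed sample "certificate": a minimal DER SEQUENCE wrapping one INTEGER.
# Not a real X.509 certificate; it only exercises the length check and the PEM
# wrapping, which is all the openssl command above does for the encoding step.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def der_outer_length(data: bytes) -> int:
    """Return the total byte length of the DER object at the start of data.

    Parses the tag and the short/long-form length octets of the outermost
    SEQUENCE (tag 0x30), which is what every X.509 certificate starts with.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header = 2 + n
        length = int.from_bytes(data[2:header], "big")
    return header + length


def to_pem(data: bytes) -> str:
    """Convert a DER certificate to PEM, or normalise a file that is already PEM.

    Same effect as `openssl x509 -inform der -outform pem` for the encoding;
    a DER file whose declared length does not match its size is rejected,
    where openssl would report an ASN.1 error.
    """
    text = data.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        # Already PEM: round-trip through DER so the output is canonical.
        return ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(text))
    total = der_outer_length(data)
    if total != len(data):
        raise ValueError(f"DER length {total} does not match file size {len(data)}")
    return ssl.DER_cert_to_PEM_cert(data)
```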

Monday, 20 August 2012

Change Subversion Password in Jdeveloper 11g

At one of my customers I also use JDeveloper 11g as a Subversion client. It is actually my first experience with the SVN implementation of JDeveloper, because I'm not able to install a tool like TortoiseSVN on this computer.

I'm pretty positive about the SVN client in JDeveloper. But unfortunately I haven't found any means to change the password in the UI. At this customer my Windows password has to be changed monthly, and the SVN password depends on it.

JDeveloper stores the Subversion connection info in the file

$APPLICATION_DATA\Roaming\JDeveloper\system11.1.1.6.38.61.92\o.jdeveloper.subversion\repositories.xml
(where "system11.1.1.6.38.61.92" depends on the JDeveloper build).
The file looks like this:
<?xml version = '1.0' encoding = 'UTF-8'?>
<svn-repositories xmlns="http://xmlns.oracle.com/jdeveloper/1013/svn/repositories">
   <svn-repository>
      <url>https://svn.customer.nl/svn/odc/odc-cmr/APPLICATION/source/trunk</url>
      <alias>Application Trunk</alias>
      <user-name>makker</user-name>
      <password>PlainOrEncryptedPassword</password>
   </svn-repository>
</svn-repositories>
Remarkable is the version number in the namespace (1013), since this file really comes from my JDeveloper 11g install.

When you first create the connection and enter your username/password via the UI, the password is stored here encrypted. But you can also enter an unencrypted password. So I entered my new password in plain text, and it works.

I haven't found out how I can encrypt the password, which would, of course, be better. If anyone has a tip, I'm interested.

You can also rename or delete the file; JDeveloper will then ask for the new server connection.

Friday, 17 August 2012

Database 11g: change hostname

Sometimes I want to duplicate or reuse a virtual machine for another purpose. This week I had to start on a setup for B2B communication for a client. So I pick a VM, duplicate it and change its hostname and corresponding network settings (/etc/hosts) to reflect the particular situation, so that I can communicate with the instance via its own host alias.

It is not strictly necessary, but it is neat to have the hostname of the server changed to match the new situation. But if you have an Oracle 11g database installed, you'll find that you can't log in to it anymore.
Somehow the database checks the hostname against the IP address of the server it is installed on.
I found the solution here in the documentation, see paragraph 3.3.2.2 Network.

You'll have to make sure that the name of your host (see cat /etc/sysconfig/network) is in the /etc/hosts file together with the IP address of the machine.
My first network adapter is host-only with a fixed address of 10.0.0.1, and that is how I installed the database. If I change my hostname to 'darwin-vce-soa', for instance, then /etc/hosts should contain a line like:

10.0.0.1          darwin-vce-soa.darwin-it.local    darwin-vce-soa

Also make sure that you change listener.ora and tnsnames.ora in $ORACLE_HOME/network/admin.

Oh, and if you are on a demo/development server, you may want to turn password expiry off. See my blog entry here.

Wednesday, 15 August 2012

Change hostname of WebLogic Server

If you change the hostname of the server that runs your WebLogic Server, then connecting to a page on the WebLogic Server (/console, /em, etc.) may cause page load errors.
When WebLogic Server is installed, it registers the current hostname as the server's name in the domain config. It does a URL rewrite to that hostname when you connect to a web application.

To change the WebLogic hostname, go to the config folder of the domain home and edit config.xml.
Under //server/web-server/frontend-host you find the host that is used for the URL rewrite. Edit it according to your hostname settings:
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
  <name>fmw_domain</name>
  <domain-version>10.3.5.0</domain-version>
...
  <server>
    <name>AdminServer</name>
 ...  
    <listen-port>7001</listen-port>
    <listen-port-enabled>true</listen-port-enabled>
    <web-server>
      <!--<frontend-host>old-host</frontend-host>-->
      <frontend-host>fmwhost-vm</frontend-host>
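The frontend-host edit described above, scripted with Python's ElementTree as an added example (not from the original post). The domain namespace and the server/web-server/frontend-host structure are taken from the config.xml shown above; the sample document with its second managed server is constructed. Note that ElementTree drops comments and unused namespace declarations, so apply this to a stopped domain with a backup of config.xml.

```python
import xml.etree.ElementTree as ET

# WebLogic domain namespace, as declared in the config.xml above.
WLS_NS = "http://xmlns.oracle.com/weblogic/domain"
NS = {"d": WLS_NS}

# Constructed sample config.xml, trimmed to the elements that matter here.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>fmw_domain</name>
  <domain-version>10.3.5.0</domain-version>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <web-server>
      <frontend-host>old-host</frontend-host>
    </web-server>
  </server>
  <server>
    <name>soa_server1</name>
    <listen-port>8001</listen-port>
    <web-server>
      <frontend-host>fmwhost-vm</frontend-host>
    </web-server>
  </server>
</domain>
"""


def frontend_hosts(config_xml: str) -> dict:
    """Map server name -> frontend-host for every server that declares one."""
    root = ET.fromstring(config_xml)
    result = {}
    for server in root.findall("d:server", NS):
        host = server.findtext("d:web-server/d:frontend-host", namespaces=NS)
        if host is not None:
            result[server.findtext("d:name", namespaces=NS)] = host
    return result


def rewrite_frontend_host(config_xml: str, new_host: str) -> tuple:
    """Set every frontend-host to new_host; return (updated xml, servers changed)."""
    ET.register_namespace("", WLS_NS)  # keep the default namespace, no ns0: prefix
    root = ET.fromstring(config_xml)
    changed = []
    for server in root.findall("d:server", NS):
        fh = server.find("d:web-server/d:frontend-host", NS)
        if fh is not None and fh.text != new_host:
            changed.append(server.findtext("d:name", namespaces=NS))
            fh.text = new_host
    return ET.tostring(root, encoding="unicode"), changed
```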

Host-only network in VMware Player on Windows 7 not working

Today I was to set up a B2B configuration, so I wanted to have two SOA Suite 11g VMs working together on my laptop. My colleague had created a VM for this particular client in VMware Player, so I wanted to use that one instead of one of my VirtualBox VMs.

One of the features I rely on in this setup is the host-only network. Since it is a B2B setup, I need the two VMs to communicate with each other, so they have to be able to ping each other over the same network. Inside the VM the particular network adapter does get an IP address, but it was not pingable from the host.

I was about to uninstall VMware Player and re-install it to get it back to its defaults. But that probably would not have made a difference here. Luckily I found this terrific post that helped me out. Thanks Tino. It also gives some tips on how to make VMnet changes on the command line that cannot be done via the UI in VMware Player.

It turns out that in Windows 7 the VMnet1 adapter on the host was set to manual settings with an auto-configured IP address (e.g. 169.254.x.x).

This can be solved by going to the "Network and Sharing Center" (the English name for the German "Netzwerk- und Freigabecenter"). Click on the "VMware Network Adapter VMnet1". And then:
  • Click on the button Properties
  • Disable "Internet Protocol Version 6 (TCP/IPv6)". 
  • Select "Internet Protocol Version 4 (TCP/IPv4)" and click on the button "Properties"
  • Set the radio button on "Obtain an IP address automatically"
That solved my problem.