Nice, because in the past I was intensively involved in implementing ebMS with B2B 10g; I think it was the first implementation of Oracle Integration B2B 10g with ebMS in the Netherlands. Unfortunately I was not able to get message encryption and signing working back then, mainly because of lack of time and lack of knowledge of the different certificate formats. Now I had the chance to retry much the same thing in B2B 11g.
AS2 and ebMS are, as far as implementation goes, basically the same: both are transport protocols over HTTP(S). I had to implement SSL as well as message encryption and signing.
My colleague had already found a good starting point: the blog of Anuj Dwivedi on Enabling SSL on Oracle B2B 11g. It's a nice step-by-step how-to for implementing transport security.
Unfortunately I missed two aspects in the story: how to import a private certificate from a ".p12" file and how to convert a certificate in DER format to PEM. My customer has a certificate in PKCS12 format (a .p12 file) and that one needs to be imported. Then the public certificate is not in PEM format, and it needs to be in order to import it into the JKS keystore with keytool as described in the blog.
Import private certificate in the keystore
I found this how-to here. It is done by first creating an empty keystore:

keytool -genkey -alias darwinKey -keystore ~/Keystores/b2bKeyStore.jks -keypass welcome1 -storepass welcome1

This creates a JKS keystore with a key with alias darwinKey. It asks several questions like:

What is your first and last name?
  [Unknown]:  Martien van den Akker
What is the name of your organizational unit?
  [Unknown]:  Professionals
What is the name of your organization?
  [Unknown]:  Darwin-IT
What is the name of your City or Locality?
  [Unknown]:  Amersfoort
What is the name of your State or Province?
  [Unknown]:  Utrecht
What is the two-letter country code for this unit?
  [Unknown]:  NL
Is CN=Martien van den Akker, OU=Professionals, O=Darwin-IT, L=Amersfoort, ST=Utrecht, C=NL correct?
  [no]:  yes

Since we want an empty keystore in which we import a private key, we need to delete the generated key again:

keytool -delete -alias darwinKey -keystore ~/Keystores/b2bKeyStore.jks -storepass welcome1

Now that the keystore is empty we can import the PKCS12 certificate:

keytool -v -importkeystore -srckeystore ~/Certificaten/darwinCustomerCertificate.p12 -srcstoretype PKCS12 -destkeystore ~/Keystores/b2bKeyStore.jks -deststoretype JKS -storepass welcome1

Output:

Enter source keystore password:
Entry for alias darwincustomer successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing /home/oracle/Keystores/b2bKeyStore.jks]

I used "welcome1" as the keystore password in the examples above. Later I found that, to enable B2B to read the certificate and actually use it, the password of the keystore has to be the same as the passphrase of the private key. So when using the examples above for your actual implementation it is best to use that password right away. Luckily the keystore password can also be changed afterwards:

keytool -storepasswd -keystore ~/Keystores/b2bKeyStore.jks

Output:

Enter keystore password:
New keystore password:
Re-enter new keystore password:
Convert DER certificate to PEM
When you get a public certificate, you probably get it in some binary format. You can also export it from your private key in your keystore with the keytool utility:

keytool -exportcert -alias darwinCustomerCert -file ~/Certificaten/darwinCustomerPublicCert.cer -keystore ~/Keystores/b2bKeyStore.jks -storepass welcome1

Output:

Certificate stored in file </home/oracle/Certificaten/darwinCustomerPublicCert.cer>

The exported certificate is stored in DER format. To create a PEM file out of it, OpenSSL can be used. I found the command for this here and here.

openssl x509 -inform der -in darwinCustomerPublicCert.cer -outform pem -out darwinCustomerPublicCert.pem

This delivers a readable certificate that can be imported into the keystore.
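What the openssl conversion above actually does, as an added example that is not from the original post: a PEM certificate is just the DER bytes base64-encoded between BEGIN/END armour lines, so the conversion, and a check of which format a file is in before you try to import it, can be reproduced in a few lines of Python. The SAMPLE_DER bytes are a constructed ASN.1 SEQUENCE for demonstration, not a real certificate.

```python
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for the raw bytes of a certificate file.

    DER-encoded X.509 starts with the ASN.1 SEQUENCE tag 0x30; PEM is the same
    DER, base64-encoded between BEGIN/END armour lines. Knowing which one you
    have tells you whether the openssl conversion step is needed at all.
    """
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):
        return "PEM"
    if head[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes) -> str:
    """Same transformation as 'openssl x509 -inform der -outform pem':
    base64 the DER bytes, wrap at 64 columns, add the CERTIFICATE armour."""
    if detect_format(der) != "DER":
        raise ValueError("input is not DER (no leading SEQUENCE tag 0x30)")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Reverse direction, so a converted file can be checked to round-trip."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    match = re.search(pattern, pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


# Constructed sample: a DER SEQUENCE wrapping a 100-byte OCTET STRING. It is
# valid ASN.1 but not a certificate; a real .cer file starts with 0x30 too.
SAMPLE_DER = b"\x30\x66\x04\x64" + bytes(range(100))

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    assert pem_to_der(pem) == SAMPLE_DER
```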