Wednesday 29 August 2012

Implement message transport security in B2B11g

One of my current customers is in the transition of migrating from sending/receiving EDI messages to XML over AS2. The choice of B2B-product is Oracle SoaSuite-Integration B2B11g.

Nice, because in the past I was intensively involved in implementing ebMS with B2B10g. I think the first implementation on Oracle Integration B2B 10g with ebMS in the Netherlands. Unfortunately I was not able to get message encryption and signing working back then. Mainly because of lack of time and lack of knowledge on different certificate formats. Now I had the change to re-try quite the same thing in B2B 11g.

AS2 and ebMS are regarding implementation basically the same: both are transport protocols over HTTP(s). I had to implement SSL and Message Encription and Signing.

My colleague had already found a good starting point: the blog of Anuj Dwivedi on Enabling SSL on Oracle B2B 11g. It's a nice step by step "how-to" to implement transport security.

Unfortunately I missed 2 aspects in the story: how to import a private certificate in a ".p12" file and how to convert a certificate in DER format to PEM. My customer has a certificate in pkcs12 (a .p12 file) format and that one needs to be imported. Then the public certicate is not in PEM format, and that needs to be to get it imported in the JKS keystore using the keytool as described in the blog.

Import private certificate in the keystore

This how-to I found here. This is done by first creating an empty key store:
keytool -genkey -alias darwinKey -keystore ~/Keystores/b2bKeyStore.jks -
keypass welcome1 -storepass welcome1
This creates a JKS-keystore with a key with alias darwinKey. It asks several questions like:
What is your first and last name?
[Unknown]: Martien van den Akker
What is the name of your organizational unit?
[Unknown]: Professionals
What is the name of your organization?
[Unknown]: Darwin-IT
What is the name of your City or Locality?
[Unknown]: Amersfoort
What is the name of your State or Province?
[Unknown]: Utrecht
What is the two-letter country code for this unit?
[Unknown]: NL
Is CN=Martien van den Akker, OU=Professionals, O=Darwin-IT, L=Amersfoort,
ST=Utrecht, C=NL correct?
[no]: yes
Since we want an empty keystore in which we import a private key, we need to delete it:
keytool -delete -alias darwinKey -keystore ~/Keystores/b2bKeyStore.jks -
storepass welcome1
Now the keystore is empty we can import the pkcs12 certificate:
keytool -v -importkeystore -srckeystore ~/Certificaten/
darwinCustomerCertificate.p12 -srcstoretype PKCS12 -destkeystore ~/
Keystores/b2bKeyStore.jks -deststoretype JKS -storepass welcome1
Enter source keystore password:
Entry for alias darwincustomer successfully imported.
Import command completed: 1 entries successfully imported, 0 entries
failed or cancelled
[Storing /home/oracle/Keystores/b2bKeyStore.jks]
Now I used as a keystore password "welcome1" in the examples above. Later I found that to enable B2B to read the certificate and actually use it, the password of the keystore had to be the same as the passphrase of the private key. So it is best when using the examples above for your actual implementation to use that password right away. But luckily the password can also be changed:
keytool -storepasswd -keystore ~/Keystores/b2bKeyStore.jks
Enter keystore password:
New keystore password:
Re-enter new keystore password:

Convert DER certificate to PEM

When you get a public certificate, you probably get it in a kind of binary format. You can also export it from your private key in your keystore with the keytool utility:
keytool -exportcert -alias darwinCustomerCert -file ~/Certificaten/
darwinCustomerPublicCert.cer -keystore ~/Keystores/b2bKeyStore.jks -storepass
Certificate stored in file </home/oracle/Certificaten/darwinCustomerPublicCert.cer> 
The exported certificate is stored in DER-format. To create a PEM file out of it, OpenSSL can be used. The command for this, I found here and here.
openssl x509 -inform der -in darwinCustomerPublicCert.cer -outform pem -out
This will deliver a readable certificate that is importable in the keystore.

No comments :