Tuesday, October 21, 2008

Securing B2B Integration Server Instance

Oracle B2B Integration Server Security

The first step in the process is to create a Certificate Request.

1. Open the Wallet Manager application from Start-> Programs-> Oracle-oracleas-> Integrated Management Tools-> WalletManager.
2. Now click Wallet-> New from the menu bar in the Wallet Manager application.

3. Provide a password for the wallet, say “admin123”.

4. The application will prompt you whether you want to create a certificate request now. Click Yes and provide the details in the box.

5. Once the certificate request is created, you need to submit this request to a Certificate Authority (CA).

6. Now select Certificate:[Requested], which shows the details of the certificate in the adjacent frame, and click Operations-> Export Certificate Request. This opens a file browser; select an appropriate folder and save the request with the file name “certificateRequestB2BSOA.cert”.

7. The above steps can be seen in the viewlet at the following location: http://www.oracle.com/technology/products/oid/oidhtml/sec_idm_training/html_masters/flash/ocasslsetuppart1_viewlet_swf.html

Repeat the above steps for the other B2B Integration Server as well.

The next step is to get this certificate authorized by Oracle Certificate Authority (OCA). OCA needs to be installed on one of the machines. Follow the steps below to process the certificate request.

8. Send the certificate request file to the OCA machine.
9. Now open the Oracle Certificate Authority user page to submit the certificate request, by clicking Server/SubCA Certificates -> Request a Certificate.

10. In the subsequent screen paste the contents of your certificate request, and do not forget to specify that the certificate will be used for Authentication, Encryption and Signing.


11. Note down the reference number shown on the subsequent screen; it is required in the admin console to approve the certificate.


12. Now open the admin console using the admin URL, https://localhost:/oca/admin, and go to “Certificate Management”. Select the certificate of interest and click “View Details”.

13. On the details page the certificate can either be approved or rejected. Click the “Approve” button here.

14. Take note of the sequence number generated on the subsequent screen.


15. Now go back to https://localhost:/oca/user, click Server/SubCA Certificates, specify the sequence number noted above and click Go.


16. Now check the desired row and click View Details to view the certificate.


17. In the following screen, copy the certificate information, including the “Begin Certificate” and “End Certificate” lines, from under the heading “BASE64-Encoded Certificate”.


18. Paste the above information into a text editor and save it under a descriptive file name.
19. Now follow the same steps to get the issuing authority’s certificate. Under “Server/SubCA Certificates”, click the “Save CA Certificate” button.


20. On the following screen, click the “Advanced” button.


21. Again copy the certificate information, including the “Begin Certificate” and “End Certificate” lines, from under the heading “BASE64-Encoded Certificate”.


22. Paste the above information into a file with a descriptive name as well, and transfer these two files to the B2B machine.

Repeat the above steps for the trading partner’s B2B Server, as well.

Now the wallet, which is in the “requested” state, has to be brought into the “ready” state. For this, open the Wallet Manager and follow the steps below.

23. Open the wallet that was used to create the certificate request, by selecting the wallet location and providing the password.
24. Now click “Import Trusted Certificate” and import the CA certificate file created earlier.
25. Similarly, click “Import User Certificate” and import the signed host certificate file. This changes the state of the certificate from “requested” to “ready”.
26. For the host and trading partner to communicate, the trading partner’s certificate must be imported into the wallet as well, by clicking “Import Trusted Certificate”.
27. Now save the wallet; additionally, export the wallet to the same location to a file named “.txt”. Preferably the location should not contain a directory name with spaces.
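Before the CA certificate and the signed host certificate are imported in steps 24 and 25, it is worth confirming that the two PEM files copied from OCA actually belong together and carry the key usages requested in step 10. The check below is an added example, not part of the original post or of Oracle's tooling; it assumes a POSIX shell with the openssl CLI on PATH, and the certificates it generates are constructed stand-ins for the OCA output:

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the two PEM files
# copied from OCA (steps 17-22) before importing them into the wallet.
# Assumes the openssl CLI is on PATH; all file names here are constructed.

# make_sample_certs DIR: build a constructed CA and a host certificate signed
# by it, standing in for the OCA output of steps 17 and 21.
make_sample_certs() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca_ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample OCA" \
    -keyout "$d/ca.key" -out "$d/ca.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
    -extfile "$d/ca_ext.cnf" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
  # step 10 asked OCA for an Authentication, Encryption and Signing certificate
  printf 'keyUsage=digitalSignature,keyEncipherment\n' > "$d/host_ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=b2b.example.test" \
    -keyout "$d/host.key" -out "$d/host.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/host_ext.cnf" -out "$d/host.pem" >/dev/null 2>&1
}

# check_b2b_certs ISSUED_PEM CA_PEM
# returns 0 if the pair is consistent, otherwise: 1 not a PEM certificate,
# 2 CA certificate is not self-signed, 3 issued certificate does not chain
# to the CA, 4 key usage does not cover signing and encryption.
check_b2b_certs() {
  issued="$1"; ca="$2"
  # both files must contain the Begin/End Certificate lines copied in steps 17 and 21
  for f in "$issued" "$ca"; do
    grep -q 'BEGIN CERTIFICATE' "$f" && grep -q 'END CERTIFICATE' "$f" || return 1
  done
  # the CA certificate (imported as trusted in step 24) must validate against itself
  openssl verify -CAfile "$ca" "$ca" >/dev/null 2>&1 || return 2
  # the host certificate (imported as user certificate in step 25) must chain to it
  openssl verify -CAfile "$ca" "$issued" >/dev/null 2>&1 || return 3
  # the Key Usage extension must allow signing and key encipherment
  ku=$(openssl x509 -in "$issued" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*) return 0 ;;
    *) return 4 ;;
  esac
}
```

Run `check_b2b_certs issued.txt ca.txt` against the two files saved in steps 18 and 22; a non-zero status tells you which of the two files to fetch again before touching the wallet.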

In this section we configure the Oracle B2B Integration Server to enable SSL security. It is highly preferred that you have a running setup for at least one collaboration instance, tested to run correctly in non-secured HTTP mode.

28. The first step is to check the HTTPS port number of OPMN; use the command “opmnctl status -l” to find the port number. This port number will be used in step 33 to specify the HTTPS port. This is a very important step, as not everyone gets the default 443 as the HTTPS port.

28. Begin with the creation of a secured Delivery Channel for the host trading partner. Select “Trading Partners” under the “Partners” tab and click the host name.


29. Now open “Rosettanet over RNIF” under the Capabilities tab.


30. In the following screen, open “Create Communication Capability”.


31. Now provide the details for creating the delivery channel. For the purpose of this document the area of interest is only transport security; the document does not cover non-repudiation and encryption.


32. In the following screen the existing Document Exchange settings can be reused, as shown in the figure below.

33. Now provide the details for the transport: specify HTTPS as the preferred transport protocol, the SSL port as listed under HTTP Server SSL Port (checked in Step #28), and the existing b2b/transportServlet as the endpoint.


34. Save the current settings by clicking Apply.

Next we need to create the secured Delivery Channel for the trading partner as well.

35. Select “Trading Partners” under the “Partners” tab and click the name of the trading partner; in this case (with GlobalChips as host) the trading partner is Acme.


36. Open the “Rosettanet over RNIF” protocol under the Capabilities heading.


37. In the following screen, open “Create Communication Capability” and provide the details for creating the delivery channel. As before, the area of interest is only transport security; the document does not cover non-repudiation and encryption.


38. Reuse the existing Document Exchange, since no additional information is needed here to enable security.


39. Provide the appropriate details for the transport settings to enable security.

40. Click Apply and save the changes.

This step is to be performed on the trading partner's system as well.

The server now has to be updated with the location of the certificate. The steps below describe how the certificate is configured.

41. Now open the Enterprise Manager Console, http://b2bsoa.yashdc.com:18100/emd/console/, specifying ias_admin as the user and its usual password “admin123”. Open the B2B server by clicking the “B2B” link on the home page.


42. Now open “Server Properties” under the Administration tab of the B2B server instance.


43. On the subsequent page, provide the path of the .txt file, i.e. the wallet exported in text format in the previous step.

44. The above property is stored in the tip.properties file in the \ip\config directory.
45. To enable SSL, the opmn.xml file must be modified: open \opmn\conf\opmn.xml, search for ssl-disabled and replace it with ssl-enabled.
46. Now restart OPMN using opmnctl stopall / opmnctl startall for the changes to take effect.
47. Once both B2B server instances, host and trading partner, have been configured and restarted, the following URLs should be reachable from either system:
https://b2bsoa.yashdc.com:4444/b2b/transportServlet and https://soab2b:4444/b2b/transportServlet

48. Now the respective certificate location has to be specified for the trading partners, both Host and Remote Partner.

49. Open Partners->Trading Partner (Host) -> Certificates > Create

50. In the following screen provide the specified information. In this case the information provided is the Name “B2BSOACertificate” and the certificate file “C:\Certificates\issuedB2BSOACertificate.txt”. To stress this further: it is not the wallet file, but the certificate file created in steps 17 and 18.

51. Perform the above operation for the Trading Partner (Remote Partner) as well. This ensures that the certificate is known during inbound messages.

52. Now configure the agreement and set the configuration on both the systems and deploy.

53. Now restart OPMN using opmnctl stopall / opmnctl startall for the changes to take effect, and trigger the BPEL process to post an appropriate document.

54. Very important note: whenever any change is made to the trading partner configuration (Delivery Channel, Document Exchange, Transport, etc.), be sure to re-deploy your agreement for the changes to take effect.

Check the thread below for some of the errors that may occur.

1 comment:

mahakk01 said...

I don't have much knowledge about this topic, but security B2B integration servers are very popular these days, so I am excited to learn about them. I find them quite interesting. All the steps are very clearly mentioned. I am trying to implement it. Let's see how it works.