Getting Started with Message-Level Encryption on WebLogic Server 9.2

Abstract

Message-level security is the cornerstone of enterprise-class SOA. Using SOAP encryption and SOAP signatures, confidentiality and integrity remain "always on" by being independent of transport protocols. With security now living within the SOAP messages, it does not matter if the transport pipe – HTTP, FTP, JMS – between Web service consumers, producers, or intermediaries is SSL enabled.

This tutorial will show how to set up SOAP message-level encryption. You will learn how to enable message-level confidentiality starting with enabling selected key stores, turning on message-level encryption, and sending X.509 certificates in a SOAP header. You will see how to diagnose the security policies for functional completeness, performance, and interoperability by sending SOAP messages from a .NET based client. Along the way you will discover that BEA WebLogic Server 9.2 (WLS) provides a mature platform with significant message-level security capabilities for advanced SOA deployments.

Introduction

Web services – a common foundation for modern Service Oriented Architecture (SOA) – has blurred the boundaries between network devices, applications, ESBs, application servers, databases, and other IT assets within an enterprise. Almost every IT asset now advertises its interface as a Web Services Definition Language (WSDL) interface ready for SOAP/XML messaging. Web service interfaces provide unprecedented flexibility in integrating IT assets across internal and external corporate domains. However, it is this flexibility that in turn mandates greater security control across such domains. To ensure that the messages are secured while jumping domains, both protocol and message-based security techniques are widely deployed.

WebLogic Server 9.2 provides a variety of protocol-level and message-level mechanisms for securing SOAP/XML message exchanges across IT assets. WebLogic Server extends the classic SSL transport-level security by providing message-level security provisions with the following additional advantages:

• Granular Security – message-level encryption on any selected part of the SOAP message.
• Always on Security – SSL security features last as long as the SSL session is established. With message-level security, SOAP messages at rest can be encrypted even after the SSL connections are terminated. Security now lives within the message and is independent of the transport.

WebLogic Server provides message-level security through its comprehensive support of the WS-Security 1.0 specification approved by OASIS as a formal standard in March 2004. This specification covers SOAP message-level encryption, decryption, and a number of token profiles for exchanging identity tokens such as user name tokens, X.509 certificates, SAML assertions, and Kerberos tickets embedded within a SOAP header.

To start using message-level encryption in WebLogic Server, it is essential to understand fundamentals of public and private key usage. A practical description of essential PKI concepts is provided in " What is PKI?" by Entrust. Here is a summary of some concepts:

• Public & Private Keys – Public and private keys are complementary: public keys are used for encryption, and private keys are used for message decryption. The public key goes through a provisioning process and is provided to the "public" as an X.509 certificate. An X.509 certificate carries with it detailed information about the certificate owner (for example, name and e-mail address) and additional information about the certificate authority (CA) used to vouch for the validity and integrity of the public key contained in the X.509 certificate. The private key never leaves the enterprise and is the "crown jewel" of the security infrastructure.
• Trusting an X.509 certificate – Whenever an X.509 certificate is presented, the receiver has to establish that the X.509 is trusted. This trust is established by certificate chain traversal, a mechanism where the X.509 receiver verifies that the issuing authority (certificate authority) indeed issued the X.509 certificate presented. An additional check required by the receiver is to check whether the X.509 certificate has been revoked. This check is accomplished by looking up the X.509's serial number in a list of revoked certificates stored in a Certificate Revocation List (CRL). You may chose not to use an issuing certificate authority (CA) and use self-signed certificates. Such certificates have to be registered with the receiver as trusted certificates that do not require certificate chain validation.
• JKS – Java Key Store is a portable repository of X.509 certificates and private keys; it is used by Java-based applications for cryptographic operations.

Let's take a look at how to use these cryptographic components to enable message-level encryption in WebLogic Server.

Required Software

To illustrate message-level encryption, a sample Web service with a single operation getCreditScore(int ssn) is created using the Workshop for WebLogic Platform. This operation is subsequently used to set up message-level encryption.

The following components are required to illustrate message-level encryption:

• BEA WebLogic Portal 9.2: This installer includes WebLogic Server and Workshop for WebLogic Platform (IDE) and will be used to load, publish, and run a simple Web service and set up message-level encryption.
• Crosscheck Networks SOAPSonar Enterprise Edition : A .NET-based SOAP client used for WS-Security 1.0 interoperability testing with the Java-based WebLogic Server.
• keys.zip: Zipped file that contain a Java Key Stores (JKS) DemoTrust.jks and a couple of X.509 certificates. The DemoTrust.jks is used to register trusted X.509 certificates that a client will send to the WebLogic Server for encrypting the SOAP response.