Getting Started with Message-Level Encryption on WebLogic Server 9.2
Pages: 1, 2, 3

Setup

As shown in Figure 1, SOAPSonar and WebLogic Server are installed on different machines. This configuration is recommended but not necessary – both products may be installed on a single resourceful machine.

Figure 1. The setup for getting started with WebLogic Server message-level encryption

In the following steps, we will set up a simple Web service getCreditScore(int ssn) that we load from samples provided with the base WebLogic Server install. The Java class called CreditScoreSerivce.java in package services contains a single operation (WebMethod) as follows:

package services;
import javax.jws.*;
@WebService
public class CreditScoreService {
 static final long serialVersionUID = 1L;
 /**
 * Returns the credit score for a given SSN. 
 * Returns -1 if an invalid SSN is entered.
 */
 @WebMethod
 public int getCreditScore(int ssn) {
    if (ssn > 0 && ssn < 300000000)
        return 500;
    if (ssn >= 300000000 && ssn < 600000000)
        return 600;
    else if (ssn >= 600000000 && ssn <= 999999999)
        return 700;
    else
 return -1;
 }
}

After loading CreditScoreService.java in the WebLogic Server Workshop, we will publish a WSDL for this class. At design time, this WSDL then can be readily consumed by Java or .NET clients to enable SOAP messaging between the clients and the WebLogic Server. We will then enable a message-level security policy that encrypts the SOAP response from the operation getCreditScore(int ssn). To achieve this, we will also load a Java Key Store with the trusted X.509 certificates and inject X.509 certificates in the SOAP request headers.

Step 1: Enabling a sample Web service through Workshop

1. Install WebLogic Server. Workshop will also be installed. Start the server with default settings.
2. File > Import > Existing Projects into Workspace > Select archive file > Browse to the ZIP file BEA_HOME/workshop92/workshop4WP/samples/workspaces/AdvancedWSTutorial/AdvancedWSTutorial.zip and Click Open > Click Finish.
3. Double-click on CreditScoreWS>src>services.>CreditScoreService.java. The Java file contains a Web service with a single operation getCreditScore(int ssn). The operation code should appear as shown in Figure 2.

4. 
   Figure 2. Loading the sample Web service in Workshop for WebLogic Platform

5. In the Package Explorer, right-click on the CreditScoreService.java and select Run As>Run on Server. Select the default runtime server BEA WebLogic v9.2 Server.
6. A window with a test client will open, as shown in Figure 3. You are now ready to send a SOAP request by entering ssn input values for operation getCreditScore.

7. 
   Figure 3. The built-in Web services test client provided with Workshop for WebLogic

8. As an optional item, you can invoke the getCreditScore operation from a browser through the following URL: http://wlshost:7001/CreditScoreWS/CreditScoreService where wlshost is the hostname (or IP address) of your WebLogic Server.

Voila! At the end of Step 1, you are now able to easily publish a Web service and invoke it from within the built-in test client in Workshop or by using a Web browser.

Step 2: Install and configure SOAPSonar

Workshop for WebLogic Platform, shown in Figure 3 above, includes a convenient embedded SOAP client for sending SOAP requests and reviewing SOAP responses from WebLogic Server. However, it does not provide the ability to load an X.509 certificate in the SOAP header. To enable X.509 certificate stuffing in SOAP request headers, we use a simple .NET client SOAPSonar Enterprise Edition from Crosscheck Networks. A trial of SOAPSonar Enterprise Edition can be downloaded from Crosscheck Networks.

After downloading and installing SOAPSonar, launch the product and load the Web Services Endpoint http://wlshost:7001/CreditScoreWS/CreditScoreService?WSDL, where wlshost is the hostname (or IP address) of your WebLogic Server. SOAPSonar parses the WebLogic WSDL and presents the operations in the left navigation panel. The user can populate the operation Request field, press the submit arrow, and review the SOAP response in the Response Panel.

Figure 4. Loading WebLogic Server WSDL in SOAPSonar™ Diagnostic Tool (click the image for a full-size screen shot)

In subsequent steps, SOAPSonar will be used to inject X.509 certificates in SOAP request headers for WebLogic Server to encrypt SOAP responses using the injected X.509 certificates.

Step 3: Download and install Java Key Store

Download keys.zip. It contains:

• A Java Key Store (JKS) DemoTrust.jks. This Java Key Store serves as the "trusted repository" for X.509 certificates such that when an external SOAP client presents these X.509 certificates to the WebLogic Server, they are accepted and trusted by the WebLogic Server for cryptographic operations. If the X.509 client is not present in the DemoTrust.jks, an exception occurs indicating that the X.509 presented by the client is not trusted.
• Two X.509v3 public certificates: cert1024.cer and cert2048.cer. The X.509 certificates are used to encrypt SOAP messages and will be loaded in SOAPSonar in Step 4.
• Two key pairs: keypair1024.pfx and keypair2048.pfx. These key pairs include the private keys and are not required for setting up SOAP encryption. They are added to the keys.zip file for reference.

Note: JKS DemoTrust.jks password is: DemoTrustKeyStorePassPhrase. All key pairs provided in keys.zip have the same password: password. You will not need to use the key pair password since this password is required for accessing the private key in this article. We focus on encryption that requires a public key embedded in the X.509 certificate.

To load DemoTrust.jks:

• Backup the original DemoTrust.jks located in BEA_HOME/weblogic92/server/lib/ and replace it with the DemoTrust.jks that is provided in the keys.zip.
• Restart WebLogic Sever from the Workshop for WebLogic Platform.

Caution: If any changes are made to the JKS, WebLogic Sever should be restarted.

Step 4: Configuring SOAP encryption in WebLogic Server

WebLogic Server provides granular message-level encryption. Any part of the SOAP body can be encrypted. As shown in Figure 1, a SOAP Request with an X.509 certificate embedded in the SOAP header is sent to the WebLogic Server. The SOAP Response Body is returned encrypted.

To enable SOAP response encryption as shown in Figure 1, the Administrator simply enables a WS-Policy-based configuration that tells WebLogic Server to encrypt the SOAP response for the selected Web service. This configuration is accomplished with the following simple steps:

1. Start Admin Console: Log into the WebLogic Administration Console http://localhost:7001/console. The default id and passwords are both set to: weblogic.
2. Navigate to WS-Policy: On the Home Page, Lock & Edit. Then under Domain Structure in the Left Navigation panel, navigate to Deployments > CreditScoreEAR > CreditScoreServiceService > Configuration > WS-Policy.
3. Configure WS-Policy: Expand CreditScoreServiceSoapPort and click on getCreditScore. Click Next to move to the Outbound SOAP Message, then select the Encrypt.xml policy and move it to the chosen policy panel on the right as shown in Figure 5. Click Finish. Select and Save the Deployment Plan Meta-INF and Activate.

4. 
   Figure 5. Configure encryption policy for an outbound message

5. Update: From the Home Page, Lock & Edit. Then under Domain Structure in the Left Navigation panel, navigate to Deployments. Select CreditScoreEAR and click Update. Activate the changes.

At the end of Step 4, your WebLogic Server is ready to encrypt SOAP responses for the getCreditScore operation. Try sending a SOAP request using Workshop as shown in Figure 3. WebLogic Server will complain. It now expects the SOAP request to contain a trusted X.509 certificate that it requires to encrypt the SOAP response.

In addition to the Encrypt.xml policy, WebLogic Server also includes pre-packaged policies such as Auth.xml for specifying client authentication policies, Sign.xml for setting SOAP message signature policies, and DefaultReliability.xml for configuring reliable message properties such retransmission intervals.

Step 5: Configuring SOAPSonar

This step enables SOAPSonar to send SOAP requests with X509 tokens in the SOAP header. The tasks are described below:

1. Load X.509 into SOAPSonar: Move keys.zip file to the client machine running SOAPSonar. Extract X509 certificates to a folder. Click on Tools > PKI Management. Right-click on MY and select Load Certificate. Load certificates cert1024.cer and cert2048.cer.
2. Inject X.509 in SOAP header: In the SOAPSonar Request Panel, select the Tasks Tab. Select the WS-Tokens drop-down and Add WSS X509 Tokens. Click on the WSS X509 Token Task. A panel shown in Figure 6 appears that lets users select an X.509 certificate. Select the cert1024 certificate loaded in the previous step.

Figure 6. Configure X.509 injected in the SOAP request header from SOAPSonar (click the image for a full-size screen shot)