1 Create & configure Java keystores (JKS)

1.1 Create server & client jks files

Oracle Docs: Generating Private Keys and Creating the Java Keystore

1) Go to the domain_home/config/fmwconfig directory, where domain_home is the name and location of the domain for which the keystore is to be used.

2) Enter a keytool command such as the following to generate the key pair, and to create the keystore if it does not already exist. Note: all passwords in this example are welcome1.

keytool -genkeypair -keyalg RSA -validity 3600 -alias server-alias -keystore server-keystore.jks

3) Repeat the previous command for the client keystore:

keytool -genkeypair -keyalg RSA -validity 3600 -alias client-alias -keystore client-keystore.jks

4) Export the server and client public certificates:

keytool -export -keystore server-keystore.jks -alias server-alias -file server-public.cer
keytool -export -keystore client-keystore.jks -alias client-alias -file client-public.cer

5) Import each side's public certificate into the other's keystore as trusted: the server will trust the client public certificate, and the client will trust the server public certificate.

keytool -importcert -trustcacerts -keystore server-keystore.jks -alias client-public -file client-public.cer
keytool -importcert -trustcacerts -keystore client-keystore.jks -alias server-public -file server-public.cer

6) Optional: you can now delete the *-public.cer files as we will no longer use them directly from the file system.
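
The steps above as a non-interactive script, added here as an example and not taken from the Oracle documentation. It assumes the keystore password is exported as KS_PASS; the -dname, -keysize and -storetype JKS values and all function names are choices made for this example. verify_trust checks that the certificate each keystore trusts is byte-for-byte the other side's own certificate.

```shell
#!/bin/sh
# Added example: scripted version of steps 2-6 plus a trust check.
# Assumptions: KS_PASS is exported by the caller; -dname, -keysize 2048 and
# -storetype JKS (JDK 9+ defaults to PKCS12) are choices made for this example.
set -eu

gen_pair() {      # $1 = side (server|client): key pair + self-signed certificate
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3600 \
    -alias "$1-alias" -dname "CN=$1.example.test" \
    -keystore "$1-keystore.jks" -storetype JKS \
    -storepass:env KS_PASS -keypass:env KS_PASS
}

export_cert() {   # $1 = side: write <side>-public.cer
  keytool -exportcert -keystore "$1-keystore.jks" -alias "$1-alias" \
    -file "$1-public.cer" -storepass:env KS_PASS
}

trust_peer() {    # $1 = keystore owner, $2 = peer whose certificate is trusted
  keytool -importcert -noprompt -keystore "$1-keystore.jks" \
    -alias "$2-public" -file "$2-public.cer" -storepass:env KS_PASS
}

pem_of() {        # $1 = keystore file, $2 = alias: print only the PEM certificate
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass:env KS_PASS \
    2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

build_keystores() {
  for side in server client; do gen_pair "$side"; export_cert "$side"; done
  trust_peer server client
  trust_peer client server
  rm -f server-public.cer client-public.cer   # step 6: exported files no longer needed
}

verify_trust() {  # returns 0 only if each store trusts exactly the peer's certificate
  for pair in server:client client:server; do
    own=${pair%%:*}; peer=${pair##*:}
    a=$(pem_of "$own-keystore.jks" "$own-alias")     # certificate the owner presents
    b=$(pem_of "$peer-keystore.jks" "$own-public")   # certificate the peer trusts
    [ -n "$a" ] && [ "$a" = "$b" ] || return 1
  done
}
```

Run build_keystores and then verify_trust in an empty working directory; passing the password through the environment keeps it out of the process argument list.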

1.2 Configure OWSM keystore to use JKS

Oracle Docs: Configuring OWSM to Use the JKS Keystore

1) Navigate to Enterprise Manager. From the navigation pane, expand WebLogic Domain and select the domain to be configured.

2) From the WebLogic Domain menu, select Web Services, then WSM Domain Configuration.

3) Select the Message Security tab.

4) In the Keystore section of the page, select JKS as the Keystore Type.

5) Fill in values as described in the table below and click the Apply button.

Sign Alias
Encrypt Alias

7) WebLogic will create the CSF entries in the Security Credentials and disable the password fields. These passwords & aliases can later be changed from WebLogic Domain > Security > Credentials, under the oracle.wsm.security map.

8) Restart the managed server on which WSM-PM application is running. Preferably restart the entire domain.

2 Configure OSB proxy service security

1) Login to the Service Bus console

2) Activate an edit session

3) Navigate to the Proxy Service that needs to be secured

4) Click on the Policies section and select policies From OWSM Policy Store

5) Click the paperclip icon and search for oracle/wss11_message_protection_service_policy

6) Select the row, click the Attach button, then click OK

7) In the Policy Override section, insert the CSF key for the encryption credentials: server-enc-csf

8) Click the Save button in the top right and click Activate to save the edit session changes

9) Take note from the Proxy Service details of the URL to access the WSDL. Usually it is the OSB managed server + Endpoint URI from the Transport section + ?WSDL. Save this URL for testing, for example: http://localhost:8001/SBProject/business/SecureEmpDataProxy?WSDL

3 Test web service security using EM WS Test

1) Open Enterprise Manager & login

2) Navigate to WebLogic Domain > Web Services > Test Web Service

3) Paste the OSB Proxy Service WSDL URL from the previous chapter and click Parse WSDL or WADL

4) In the Security section select OWSM Security Policies

5) Check the policies under Compatible Client Policies

6) Fill in the JKS Keystore Location with absolute path of the client-keystore.jks and click Load Keys

7) Select the Signature Key Alias client-alias and enter its password

8) Select the server’s public certificate server-public

9) Fill in any needed parameters of the soap request in the SOAP body section and click the Test Web Service button

10) Once the request is completed the Response section will be shown and give a Test status of success