The sslTool helps with setup of SSL on the client side of Oracle Service Registry. The general usage is:
sslTool [command [options]]
The SSL tool has the following commands:
serverInfo - Prints out security requirements of an SSL server and saves a server certificate to a file.
encrypt - Prints out the encrypted form of a password supplied as plain text. Encrypted passwords are used in the configuration files of Oracle Service Registry.
pstoreEI - Exports and imports a java keystore to or from the Oracle Service Registry Protected Store. Both PKCS12 and JKS keystores are supported. The type of a supplied keystore is automatically detected during import.
Running the sslTool with a command followed by the --help option prints out complete help for that command. See SSL Tool Examples for the most typical usage.
To print out security requirements of an SSL server:
sslTool serverInfo --url https://localhost:8443
To print out security requirements of an SSL server and save server certificates:
sslTool serverInfo --url https://localhost:8443 --certFile /tmp/server.cer
To print out an encrypted password for use in Oracle Service Registry configuration files:
sslTool encrypt --password changeit
To import a key entry from a java keystore to Oracle Service Registry client Protected Store:
sslTool pstoreEI -i --keystore /tmp/java.keystore --storepass changeit --alias mykey --keypass changeit --pstore ../conf/clientconf.xml --pstoreAlias registryclient --pstoreKeypass changeit2
To export a key entry from Oracle Service Registry Protected Store to a java keystore:
sslTool pstoreEI -e --keystore /tmp/java.keystore2 --storepass changeit --alias mykey --keypass changeit --pstore ../conf/clientconf.xml --pstoreAlias registryclient --pstoreKeypass changeit2
Instructions on how to associate an SSL client identity with a registry client are given in Example Client. In this case, a key entry must be imported into the registry's client Protected Store, which is the conf/clientconf.xml file of the registry installation directory, and a few system properties must be added to the script that runs the client application.
There are also cases where a registry acts as a client to another registry. These include:
Communication between nodes in a clustered Oracle Service Registry.
Associating an SSL client identity with an Oracle Service Registry server can be done in the app/uddi/conf/security.xml file of a registry installation directory (or deployed package for a deployed registry) by adding the destinationConfig elements. A fragment of the security.xml with example destinationConfig elements is shown in Example 1.
Example 1. Association of client identities with a registry server
<?xml version="1.0" encoding="UTF-8"?>
<config name="security" savingPeriod="5000">
  ...
  <security>
    ...
  </security>
  <!-- For communication with other nodes in the cluster -->
  <destinationConfig>
    <alias>clusterClient</alias>
    <password_coded>gNFDFWMNdkU=</password_coded>
    <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorManagerStub"/>
    <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorListenerStub"/>
  </destinationConfig>
  <!-- For communication via registry client to services accessible at URLs
       that start with https://pc1.example.com or https://pc2.example.com -->
  <destinationConfig>
    <alias>otherClient</alias>
    <password_coded>Vr+i+UzC2WLJXWg0ih6J+Q==</password_coded>
    <destination url="https://pc1.example.com/*"/>
    <destination url="https://pc2.example.com/*"/>
  </destinationConfig>
</config>
There can be more destinationConfig elements. A destinationConfig element is used to associate a particular SSL client identity with a set of destinations. It contains:
An alias element, which names a key entry in the server's Protected Store. A key entry with the same name as the alias must exist in the server's Protected Store; it holds the security material used to establish SSL with a destination server. The Oracle Service Registry server Protected Store is the conf/pstore.xml file of a registry deployment package. Use this file when importing a key entry from a java keystore, as shown in SSL Tool Examples.
A password_coded element, which contains the encrypted password used to access the private key stored under the supplied alias. See SSL Tool Examples for the command that prints out the encrypted form of a password supplied in plain text.
One or more destination elements, each specifying a rule. A rule carries either a url or a proxyName attribute. The rule matches when the client uses the proxy class named by the proxyName attribute, or connects to the URL given by the url attribute. The value of url can end with the wildcard * to match every URL that starts with the string before the wildcard. The whole destinationConfig element matches if at least one of its rules matches.
The first matching destinationConfig is used, so the order of destinationConfig elements in security.xml matters when their rules overlap.
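The matching rules above (url or proxyName rules, trailing * wildcard, at least one rule per destinationConfig, first matching destinationConfig wins) are easy to get wrong when several destinationConfig elements overlap. The following added example, which is not code from Oracle Service Registry or the sslTool, parses a security.xml fragment and resolves which alias the registry would select for a given destination; it also flags destinationConfig elements that can never be selected because an earlier one already covers all of their rules. The sample XML, the placeholder password_coded values and the pc1Admin alias are constructed for this example; the parser reads only the elements and attributes the text describes.

```python
"""Resolve the SSL client identity chosen by destinationConfig rules.

Added example; implements the matching rules as described in the text
(url / proxyName rules, trailing '*' prefix wildcard, first match wins).
The XML below is constructed for this example; password_coded values
are placeholders, not real encrypted passwords.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the third destinationConfig is intentionally shadowed
# by the second one, because "https://pc1.example.com/*" already covers it.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<config name="security" savingPeriod="5000">
  <security/>
  <destinationConfig>
    <alias>clusterClient</alias>
    <password_coded>PLACEHOLDER_ENCRYPTED_1</password_coded>
    <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorManagerStub"/>
    <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorListenerStub"/>
  </destinationConfig>
  <destinationConfig>
    <alias>otherClient</alias>
    <password_coded>PLACEHOLDER_ENCRYPTED_2</password_coded>
    <destination url="https://pc1.example.com/*"/>
    <destination url="https://pc2.example.com/*"/>
  </destinationConfig>
  <destinationConfig>
    <alias>pc1Admin</alias>
    <password_coded>PLACEHOLDER_ENCRYPTED_3</password_coded>
    <destination url="https://pc1.example.com/admin/*"/>
  </destinationConfig>
</config>
"""


@dataclass
class Rule:
    url: Optional[str] = None
    proxy_name: Optional[str] = None

    def matches(self, url: Optional[str] = None, proxy_name: Optional[str] = None) -> bool:
        if self.proxy_name is not None:
            return proxy_name == self.proxy_name
        if self.url is not None and url is not None:
            if self.url.endswith("*"):           # prefix wildcard
                return url.startswith(self.url[:-1])
            return url == self.url               # exact URL otherwise
        return False

    def covers(self, other: "Rule") -> bool:
        """True if every destination matched by `other` is also matched by self."""
        if self.proxy_name is not None or other.proxy_name is not None:
            return self.proxy_name is not None and self.proxy_name == other.proxy_name
        if self.url is None or other.url is None:
            return False
        if self.url.endswith("*"):
            return other.url.startswith(self.url[:-1])
        return other.url == self.url


@dataclass
class DestinationConfig:
    alias: str
    password_coded: str
    rules: List[Rule] = field(default_factory=list)

    def matches(self, url: Optional[str] = None, proxy_name: Optional[str] = None) -> bool:
        # The whole destinationConfig matches if at least one rule matches.
        return any(r.matches(url, proxy_name) for r in self.rules)


def parse_destination_configs(xml_text: str) -> List[DestinationConfig]:
    root = ET.fromstring(xml_text.encode("utf-8"))
    configs = []
    for dc in root.findall("destinationConfig"):
        alias = dc.findtext("alias")
        password = dc.findtext("password_coded")
        if not alias or not password:
            raise ValueError("destinationConfig needs both alias and password_coded")
        rules = [Rule(url=d.get("url"), proxy_name=d.get("proxyName"))
                 for d in dc.findall("destination")]
        configs.append(DestinationConfig(alias, password, rules))
    return configs


def resolve_identity(configs: List[DestinationConfig], url: Optional[str] = None,
                     proxy_name: Optional[str] = None) -> Optional[str]:
    """Alias of the first matching destinationConfig, or None if nothing matches."""
    for cfg in configs:
        if cfg.matches(url, proxy_name):
            return cfg.alias
    return None


def shadowed_configs(configs: List[DestinationConfig]) -> List[str]:
    """Aliases that can never be selected: every rule is covered by an earlier config."""
    shadowed = []
    for i, later in enumerate(configs):
        earlier_rules = [r for cfg in configs[:i] for r in cfg.rules]
        if later.rules and all(any(e.covers(r) for e in earlier_rules) for r in later.rules):
            shadowed.append(later.alias)
    return shadowed


if __name__ == "__main__":
    cfgs = parse_destination_configs(SAMPLE_SECURITY_XML)
    print(resolve_identity(cfgs, url="https://pc1.example.com/admin/console"))
    print("never selected:", shadowed_configs(cfgs))
```

Running the block stand-alone shows that a request to https://pc1.example.com/admin/console is answered with the otherClient identity, not pc1Admin, and that pc1Admin is reported as unreachable; moving the more specific destinationConfig above the broader one in security.xml is the fix.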