SSL Tool

The sslTool helps with setup of SSL on the client side of Oracle Service Registry. The general usage is:

sslTool [command [options]]

The SSL tool has the following commands:

Running sslTool with a command followed by the --help option prints the complete help for that command. See SSL Tool Examples for the most typical usage.

SSL Tool Examples

To print out security requirements of an SSL server:

sslTool serverInfo --url https://localhost:8443

To print out security requirements of an SSL server and save server certificates:

sslTool serverInfo --url https://localhost:8443 --certFile /tmp/server.cer

To print out an encrypted password for use in Oracle Service Registry configuration files:

sslTool encrypt --password changeit

To import a key entry from a java keystore to Oracle Service Registry client Protected Store:

sslTool pstoreEI -i --keystore /tmp/java.keystore
    --storepass changeit --alias mykey --keypass changeit
    --pstore ../conf/clientconf.xml
    --pstoreAlias registryclient --pstoreKeypass changeit2

To export a key entry from Oracle Service Registry Protected Store to a java keystore:

sslTool pstoreEI -e --keystore /tmp/java.keystore2
    --storepass changeit --alias mykey --keypass changeit
    --pstore ../conf/clientconf.xml
    --pstoreAlias registryclient --pstoreKeypass changeit2

Associating an SSL client identity with a registry client

Instructions on how to associate an SSL client identity with a registry client are given in Example Client. In that case, a key entry must be imported into the registry client's Protected Store, which is the conf/clientconf.xml file in the registry installation directory, and a few system properties must be added to the script that runs the client application.

There are also cases where a registry acts as a client to another registry. These include:

  • Communication between nodes in a clustered Oracle Service Registry.

Associating an SSL client identity with an Oracle Service Registry server is done in the app/uddi/conf/security.xml file of the registry installation directory (or of the deployed package, for a deployed registry) by adding destinationConfig elements. A fragment of security.xml with example destinationConfig elements is shown in Example 1.

Example 1. Association of client identities with a registry server

<?xml version="1.0" encoding="UTF-8"?>
<config name="security" savingPeriod="5000">
    ...
    <security>
       ...
    </security>
    <!-- For communication with other nodes in the cluster -->
    <destinationConfig>
      <alias>clusterClient</alias>
      <password_coded>gNFDFWMNdkU=</password_coded>
      <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorManagerStub"/>
      <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorListenerStub"/>
    </destinationConfig>
    <!-- For communication via registry client to services accessible 
      at URLs that start with https://pc1.example.com or https://pc2.example.com -->
    <destinationConfig>
      <alias>otherClient</alias>
      <password_coded>Vr+i+UzC2WLJXWg0ih6J+Q==</password_coded>
      <destination url="https://pc1.example.com/*"/>
      <destination url="https://pc2.example.com/*"/>
    </destinationConfig>

</config>

There can be more than one destinationConfig element. A destinationConfig element associates a particular SSL client identity with a set of destinations. It contains:

  • alias, the name of a key entry in the server Protected Store. A key entry with the same name as the alias must exist in the server's Protected Store; this key entry holds the security material used to establish SSL with a destination server. The Oracle Service Registry server Protected Store is the conf/pstore.xml file of a registry deployment package. Pass this file as the --pstore argument when importing a key entry from a java keystore, as shown in SSL Tool Examples.

  • password_coded element, which contains the encrypted password used to access the private key stored under the supplied alias. See SSL Tool Examples for the command that prints the encrypted form of a password supplied in plain text.

  • One or more destination elements, each of which specifies a rule. A rule carries either a url or a proxyName attribute. The rule matches when the client uses the proxy class named by the proxyName attribute, or connects to the URL given by the url attribute. The value of url can end with a wildcard * to match all URLs that start with the string preceding the wildcard. The whole destinationConfig element matches if at least one of its rules matches.

The first matching destinationConfig element is used, so the order of destinationConfig elements in security.xml matters.
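The matching rules described above (url exact or prefix-wildcard match, proxyName exact match, any rule matches the element, first matching element wins) are easy to get wrong when several destinationConfig elements are present, because a broad wildcard placed early in the file silently takes precedence over narrower rules that follow it. The script below is an added example and not part of Oracle Service Registry or its sslTool: it parses a constructed security.xml fragment modelled on Example 1, resolves which alias would be used for a given URL or proxy class, and flags url rules that can never match because an earlier wildcard already covers them. The function names, the MISORDERED_XML sample and its placeholder password_coded value are this example's own assumptions; a destination element carrying both url and proxyName is treated as two independent rules, which is also an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on Example 1 above (illustrative values, not a real deployment).
SECURITY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<config name="security" savingPeriod="5000">
    <security/>
    <destinationConfig>
      <alias>clusterClient</alias>
      <password_coded>gNFDFWMNdkU=</password_coded>
      <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorManagerStub"/>
      <destination proxyName="com.systinet.uddi.configurator.cluster.ConfiguratorListenerStub"/>
    </destinationConfig>
    <destinationConfig>
      <alias>otherClient</alias>
      <password_coded>Vr+i+UzC2WLJXWg0ih6J+Q==</password_coded>
      <destination url="https://pc1.example.com/*"/>
      <destination url="https://pc2.example.com/*"/>
    </destinationConfig>
</config>
"""

# Constructed misordered sample: a catch-all wildcard placed before a narrower rule.
# The password_coded value is a placeholder, not output of "sslTool encrypt".
MISORDERED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<config name="security" savingPeriod="5000">
    <destinationConfig>
      <alias>broadClient</alias>
      <password_coded>PLACEHOLDER-ENCRYPTED-PASSWORD</password_coded>
      <destination url="https://*"/>
    </destinationConfig>
    <destinationConfig>
      <alias>otherClient</alias>
      <password_coded>PLACEHOLDER-ENCRYPTED-PASSWORD</password_coded>
      <destination url="https://pc1.example.com/*"/>
    </destinationConfig>
</config>
"""


def load_destination_configs(xml_bytes):
    """Return [(alias, rules)] in document order; a rule is ('url', v) or ('proxyName', v)."""
    root = ET.fromstring(xml_bytes)
    configs = []
    for dc in root.findall("destinationConfig"):
        rules = []
        for dest in dc.findall("destination"):
            if "url" in dest.attrib:
                rules.append(("url", dest.attrib["url"]))
            if "proxyName" in dest.attrib:
                rules.append(("proxyName", dest.attrib["proxyName"]))
        configs.append((dc.findtext("alias"), rules))
    return configs


def rule_matches(rule, url=None, proxy_name=None):
    """A proxyName rule matches the proxy class exactly; a url rule matches exactly,
    or by prefix when the configured value ends with the wildcard '*'."""
    kind, value = rule
    if kind == "proxyName":
        return proxy_name is not None and proxy_name == value
    if url is None:
        return False
    if value.endswith("*"):
        return url.startswith(value[:-1])
    return url == value


def resolve_alias(xml_bytes, url=None, proxy_name=None):
    """Alias of the first destinationConfig with at least one matching rule, else None."""
    for alias, rules in load_destination_configs(xml_bytes):
        if any(rule_matches(r, url, proxy_name) for r in rules):
            return alias
    return None


def shadowed_rules(xml_bytes):
    """Return (alias, url_rule, earlier_alias) for every url rule that can never be
    selected because an earlier destinationConfig has a wildcard covering its prefix.
    Such a rule is dead configuration: the wrong client identity is used for it."""
    findings = []
    earlier = []  # (alias, prefix) of wildcard rules seen in earlier elements
    for alias, rules in load_destination_configs(xml_bytes):
        for kind, value in rules:
            if kind != "url":
                continue
            pattern = value[:-1] if value.endswith("*") else value
            for e_alias, e_prefix in earlier:
                if pattern.startswith(e_prefix):
                    findings.append((alias, value, e_alias))
                    break
        for kind, value in rules:
            if kind == "url" and value.endswith("*"):
                earlier.append((alias, value[:-1]))
    return findings


if __name__ == "__main__":
    print(resolve_alias(SECURITY_XML, url="https://pc1.example.com/uddi/inquiry"))
    print(resolve_alias(SECURITY_XML, proxy_name="com.systinet.uddi.configurator.cluster.ConfiguratorManagerStub"))
    print(shadowed_rules(MISORDERED_XML))
```

Run against a real security.xml, shadowed_rules gives a quick review check before restarting the registry: any non-empty result means a narrower rule is unreachable and the connections it was meant to cover will authenticate with the earlier, broader identity instead.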