How to create an x509 token protection message between UCM and SOA
- Create a certificate at DOMAINHOME/config/fmwconfig
In my particular environment this is /home/oracle/Oracle/Middleware/user_projects/domains/ucm_domain/config/fmwconfig
- Use the keytool command to create a new certificate
keytool -genkeypair -keyalg RSA -dname "cn=[user]" -alias signkey -keypass welcome1 -keystore aaronkeystore.jks -storepass welcome1 -validity 1066
In my particular environment the command is
[oracle@aaron fmwconfig]$ keytool -genkeypair -keyalg RSA -dname "cn=weblogic" -alias signkey -keypass welcome1 -keystore aaronkeystore.jks -storepass welcome1 -validity 1064
- Add the policy to UCM. Navigate to Farm_domain >> Application Deployments >> Oracle UCM WebServices >> right click >> Web Services
Click on GenericSoapPort
Attach oracle/wss11_x509_token_with_message_protection_service_policy
Click on override policy configuration
Add a name for your encryption key (keystore.enc.csf.key); we will define this key name in the next step.
- Add the certificate to the WebLogic server. WebLogic Domain >> [your domain name] >> right click >> Security >> Security Provider Configuration >> click on Configure Keystore
Add your newly created keystore in the keystore path
- Add credentials to WebLogic. Navigate to WebLogic Domain >> [your domain name] >> right click >> Security >> Credentials
I created a new key named aaronkey
The username is the alias name, in this scenario “signkey”, that was created in step 1
- Enforce security on BPEL
I created a process that connects to GenericSOAP pointing to http://localhost:16200/idcws/GenericSoapPort?WSDL
Click on Configure WS Policies
Add oracle/wss11_x509_token_with_message_protection_client_policy
Click on edit
Set keystore.recipient.alias to the key previously created, and map keystore.sig.csf.key and keystore.enc.csf.key to the credentials created in the previous step.
It is not mandatory that the signature and encryption keys are the same; in fact, using different keys is better.
- Finally, test your code
You will see that the connection between UCM and SOA takes place and your messages are secured using the keystores.
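As an added example (not part of the original post), the keystore step above scripted with separate signing and encryption key pairs, as the remark about using different keys suggests, plus a check that the aliases OWSM will look up through keystore.recipient.alias, keystore.sig.csf.key and keystore.enc.csf.key really exist. The enckey alias, the 2048-bit key size and the sample passwords are assumptions for illustration; signkey, the validity and the CN follow the post.

```shell
#!/bin/sh
# Added example: build the OWSM keystore with two RSA key pairs and verify it.
# Assumptions (not from the post): alias "enckey" for encryption, -keysize 2048.

# create_owsm_keystore <keystore.jks> <storepass> <keypass> <cn>
# Generates signkey (signature) and enckey (encryption) as separate key pairs
# in a JKS store, mirroring the post's keytool -genkeypair invocation.
create_owsm_keystore() {
    ks="$1"; storepass="$2"; keypass="$3"; cn="$4"
    for alias in signkey enckey; do
        keytool -genkeypair -keyalg RSA -keysize 2048 -storetype JKS \
            -dname "cn=$cn" -alias "$alias" \
            -keypass "$keypass" -keystore "$ks" -storepass "$storepass" \
            -validity 1064 >/dev/null 2>&1 || return 1
    done
}

# keystore_has_alias <keystore.jks> <storepass> <alias>
# Returns 0 if the alias is present, 1 otherwise; run this before wiring the
# alias into the OWSM policy overrides and the credential store entries.
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# cert_fingerprint <keystore.jks> <storepass> <alias>
# Prints the SHA-256 fingerprint of the alias's certificate so the value can
# be compared against what the peer side trusts.
cert_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA-\{0,1\}256: //p'
}
```

Run create_owsm_keystore from DOMAINHOME/config/fmwconfig, then point the Configure Keystore page at the resulting file and create one credential per alias.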