How to authenticate to a WebService using a CSF Key

In order to do this you need to first set up a Java Keystore. Here are the steps to do this.

Step 1 : Creating the Java Keystore

Go to the domain_home/config/fmwconfig directory, where domain_home is the name and location of the domain for which the keystore is to be used.

Enter a keytool command such as the following to generate the key pair, and to create the keystore if it does not already exist:

keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

You may need to add the jdk/bin directory to your PATH variable definition to invoke the keytool command.

In this command:

  • genkeypair creates a new public/private key pair that is stored in an entry specified by the alias parameter
  • keyalg specifies the algorithm to be used to generate the key pair, in this example RSA
    Note: The default key pair generation algorithm is Digital Signature Algorithm (DSA). DSA keys can only be used for signing, whereas RSA keys can be used for both signing and encryption. Therefore, if you are using the same key for encryption and signing (which is a typical scenario), make sure you explicitly specify -keyalg RSA, otherwise keytool will default to DSA.
  • alias specifies the alias name orakey to use when referring to the keypair
  • keypass specifies that the password welcome1 be used to protect the private key of the generated key pair
  • keystore creates a keystore named default-keystore.jks. If the keystore already exists, the key pair will be added to the keystore.
  • storepass specifies welcome1 as the password used to protect the integrity of the keystore.
  • validity indicates that the keypair is valid for 3600 days.

The keytool utility prompts for the name, organizational unit and organization, locality (city, state, country) to be used to create the key:

What is your first and last name?
  [Unknown]:  weblogic
What is the name of your organizational unit?
  [Unknown]:  Fusion Applied Engineering
What is the name of your organization?
  [Unknown]:  Fusion Applied
What is the name of your City or Locality?
  [Unknown]:  US
What is the name of your State or Province?
  [Unknown]:  US
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=weblogic, OU=Fusion Applied Engineering, O=Fusion Applied, L=US, ST=US, C=US correct?
  [no]:  y
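As an added example (not from the original post), the script below creates the same orakey pair without prompts, reading the passwords from the environment variables KS_PASS and KEY_PASS (assumed names) instead of the command line, and then checks a keytool -list -v listing to confirm the alias is an RSA private key entry, which is the concern behind the -keyalg note above. The listings it parses are constructed samples, and the check assumes a JDK whose listing prints the "Subject Public Key Algorithm" line.

```shell
#!/bin/sh
# Added example: create the Step 1 key pair without prompts or passwords in
# argv, then confirm the entry really is RSA. KS_PASS/KEY_PASS are assumed names.

make_keystore() {   # $1 = keystore path, e.g. default-keystore.jks
    keytool -genkeypair -keyalg RSA -alias orakey -validity 3600 \
        -dname "CN=weblogic, OU=Fusion Applied Engineering, O=Fusion Applied, L=US, ST=US, C=US" \
        -keystore "$1" -storepass:env KS_PASS -keypass:env KEY_PASS
}

# Reads `keytool -list -v` output on stdin. Succeeds only if alias $1 is a
# private key entry whose public key algorithm is RSA.
alias_is_rsa_private_key() {
    awk -v want="$1" '
        /^Alias name: / { alias = substr($0, 13); entry = "" }
        /^Entry type: / { if (alias == want) entry = substr($0, 13) }
        /^Subject Public Key Algorithm: / {
            if (alias == want && entry == "PrivateKeyEntry" && $0 ~ /RSA/) ok = 1
        }
        END { exit(ok ? 0 : 1) }
    '
}

# Constructed, abbreviated listings (not captured from a real keystore).
sample_listing() {  # $1 = algorithm to show for orakey (RSA or DSA)
    cat <<EOF
Alias name: othercert
Entry type: trustedCertEntry
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: orakey
Entry type: PrivateKeyEntry
Owner: CN=weblogic, OU=Fusion Applied Engineering, O=Fusion Applied, L=US, ST=US, C=US
Signature algorithm name: SHA256with$1
Subject Public Key Algorithm: 2048-bit $1 key
EOF
}

# Against a real keystore (reads the store password from KS_PASS):
#   keytool -list -v -keystore default-keystore.jks -storepass:env KS_PASS \
#       | alias_is_rsa_private_key orakey && echo "orakey is RSA"
sample_listing RSA | alias_is_rsa_private_key orakey && echo "RSA sample: ok"
sample_listing DSA | alias_is_rsa_private_key orakey || echo "DSA sample: rejected"
```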

Now log into Fusion Middleware Control (EM Console) and click on your domain -> Security -> Security Provider Configuration.


Go to the ‘Keystore’ section and click configure.


Enter the same values that you gave keytool when you created the keystore, then save.


Step 2 : Adding a Credential to the Credential Store Framework

I’m describing this here using Fusion Middleware Control (EM Console). You can also do this using WLST. Navigate to your domain -> Security -> Credentials.


Click on ‘Create Key’ in the map that should exist there.


Create a key called ‘basic.credentials’, select type as password, and set a username and password that would be used to authenticate to the WebService you intend to call.



Step 3 : Java code that uses the key defined in the Credential Store Framework for authentication to the Webservice

Refer to this post to see how to generate the Java Web Service Proxy.

Here’s the code you can use in your Webservice Java proxy to authenticate using the Credential Store Framework key we just set up.

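        // Needs imports: java.util.Map, javax.xml.ws.BindingProvider, oracle.wsm.security.util.SecurityConstants
        userNamePasswordStartService = new UserNamePasswordStartService();
        SecurityPoliciesFeature securityFeatures =
            new SecurityPoliciesFeature(
                   new String[] { "oracle/wss_username_token_client_policy" });
        // Generic JAX-WS getPort(); the generated get...Port(features) method does the same.
        UserNamePasswordStartPortType userNamePasswordStartPortType =
            userNamePasswordStartService.getPort(UserNamePasswordStartPortType.class, securityFeatures);
        // Point the client policy at the CSF key created in Step 2.
        Map<String, Object> reqContext = ((BindingProvider) userNamePasswordStartPortType).getRequestContext();
        reqContext.put(SecurityConstants.ClientConstants.WSS_CSF_KEY, "basic.credentials");
        // Add your code to call the desired methods.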


Oracle Fusion Middleware Security and Administrator’s Guide for Webservices