Monday, June 21, 2010

Setup SSL Certificate for PayFlow Gateway in Weblogic 10.3

PayFlow Pro is a gateway provided by PayPal Inc. for payment transactions, such as credit card transactions. To use the PayFlow gateway in an ADF application, you have to install the PayFlow SDK from PayPal. You can find info here.

After installing the PayFlow processor, you can download the PayFlow Java library and write code to process transactions.

But before that, you have to set up SSL on your server to make it work. The SSL certificate is installed on your development server so that it can recognize PayFlow's transaction processing server; therefore the certificate has to be installed into the trust keystore on the WebLogic server.

For test and development purposes, the SSL certificate can simply be added to the existing default keystore in the WebLogic server. The steps are:

1. Download the SSL certificate that can recognize the PayFlow server. It can be downloaded from either link A or link C. The download link is here.

2. Use the keytool command to import the certificate into the existing trust keystore for development use. The syntax of the command is as follows (assuming the certificate file is placed in the JDK directory \jre\lib\security under the JDeveloper install directory; this location is arbitrary):

*JDeveloper_Install_Directory*\jdk*version*\jre\bin\keytool -import -alias paypal -keystore *JDeveloper_Install_Directory*\wlserver_10.3\server\lib\DemoTrust.jks -trustcacerts -file *JDeveloper_Install_Directory*\jdk160_14_R27.6.5-32\jre\lib\security\72fa7371.cer

DemoTrust.jks is the default trust keystore. "72fa7371.cer" is the downloaded certificate. You will be prompted to enter the keystore password for the import; the password for the DemoTrust keystore is "DemoTrustKeyStorePassPhrase".

3. The DemoTrust keystore is already used by the WebLogic server by default, so nothing needs to be changed in the WebLogic admin console. If you want to see the configuration in the WebLogic console, go to the server; under the Configuration tab there are a Keystores tab and an SSL tab, which is where you set up the identity keystore and trust keystore.

4. Restart the WebLogic server and you should be able to use the PayPal PayFlow process to process any credit card transaction using your WebLogic server.
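
A check that can be run after step 2 to confirm the import, given here as an added example (not code from the original post): it opens the trust keystore, confirms that the alias holds a trusted certificate entry, and prints the fingerprints and expiry date so they can be compared with the values the CA publishes. The class name CheckTrustEntry is hypothetical; the keystore path, password and alias are passed as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name). Usage: java CheckTrustEntry <keystore.jks> <storepass> <alias>
public class CheckTrustEntry {
    // Colon-separated upper-case hex, the same layout keytool uses for fingerprints.
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3)
            throw new IllegalArgumentException("usage: CheckTrustEntry <keystore.jks> <storepass> <alias>");
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray()); // throws IOException if the password is wrong
        } finally {
            in.close(); // try/finally rather than try-with-resources, so it compiles on JDK 6
        }
        // keytool -import creates a trusted certificate entry, not a private key entry.
        if (!ks.isCertificateEntry(args[2])) {
            System.err.println("alias '" + args[2] + "' is not a trusted certificate entry");
            System.exit(1);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        System.out.println("Subject : " + cert.getSubjectX500Principal().getName());
        System.out.println("Expires : " + cert.getNotAfter());
        System.out.println("SHA-1   : " + fingerprint(cert, "SHA-1"));
        System.out.println("SHA-256 : " + fingerprint(cert, "SHA-256"));
        try {
            cert.checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            System.err.println("certificate is outside its validity period: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

For the development setup described above, the arguments are the path to DemoTrust.jks, the DemoTrust keystore password, and the alias paypal.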

For a production instance, a custom keystore has to be created and configured in the WebLogic console. Here are the steps for a production instance:

1. Create the private key for the standalone WebLogic server and send the key to a CA (e.g. Verisign) for a certificate.

2. Create an identity keystore for the WebLogic server using the Java keytool command.

3. Import the key/certificate pair into the identity keystore using the WebLogic command ImportPrivateKey (the keytool command cannot do this step).

4. Import the Verisign certificate that can recognize the PayFlow process server into the WebLogic trust keystore. (The current certificate is noted on PayPal’s development site; its name is “72fa7371.cer”.)

5. Change the settings in the WebLogic console to use the custom identity keystore and trust keystore.

Useful links:
A. ***Important Notice Regarding The Payflow Gateway***
https://www.x.com/docs/DOC-1675

B. ***PayFlow gateway documents***
https://www.x.com/docs/DOC-1444

C. ***Certificate download link from Verisign***
https://www.verisign.com/support/roots.html

D. ***Certificate Install Instructions***
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR212&actp=LIST
http://www.geocerts.com/install/weblogic_8

E. ***Configure keystores in Weblogic Admin Console***
http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e13952/taskhelp/security/ConfigureKeystoresAndSSL.html

F. ***KeyTool Command***
http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
http://www.informit.com/articles/article.aspx?p=407886&seqNum=2
http://publib.boulder.ibm.com/infocenter/wbihelp/v6rxmx/index.jsp?topic=/com.ibm.wbia_adapters.doc/doc/sap_xi/sapximst85.htm

G. ***No identity key/certificate entry was found***
http://objectmix.com/weblogic/564019-ssl-custom-keystores-question.html

H. ***Weblogic ImportPrivateKey Command***
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13749/utils.htm#i1176073

I. ***Setup Weblogic Server Command Environment***
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13749/weblogicserver.htm#i1008498

6 comments:

ev ssl certificate said...

I just finished up reading your blog the first time so I thought I should comment to let you know your stuff is great and you have another follower! Keep the posts coming!

ssl247.com said...

Thanks a lot for the informative post, you've been a great help. It's very detailed and easy to follow, and I've had no problems at all with the steps. Thanks again for the help.

JayJay Zheng said...

Thanks for stopping by... :)

Glad I am helping.

Anonymous said...

Thanks a lot for the post. Good information never is obsolete.

HongMing said...

We are following your steps and face problems when calling Paypal from the development environment. The SSL debug messages show the log below when calling setExpressCheckout for a token:

<24535044 SSL3/TLS MAC>
<24535044 received HANDSHAKE>

<24535044 SSL3/TLS MAC>
<24535044 received CHANGE_CIPHER_SPEC>

<24535044 SSL3/TLS MAC>
<24535044 received HANDSHAKE>

<19465592 read(offset=0, length=8192)>

<24535044 SSL3/TLS MAC>
<24535044 received APPLICATION_DATA: databufferLen 0, contentLength 2046>
<19465592 read databufferLen 2046>
<19465592 read A returns 2046>

Unable to parse response

Appreciate if you can help