Adding Security to Oracle Service Bus with Oracle Web Services Manager

Oracle Web Services Manager(OWSM) allows the definition and storage of declarative policies to be applied to web services, enabling enforcement and monitoring of security, management and audit policies. Web Services security has multiple facets (Authentication, Authorization, Confidentiality, Integrity), each with its own standards, which can be defined as service policies, or just plain policies.


In this post we will use a simple WS-Security Username/Token policy to enforce only the users known by our system will be able to execute the service endpoint. In order to do that, we will use the default user from the Weblogic domain.

1. Create the OSB domain with OWSM. 

Please find the below screen shot for reference:
OSB Configuration for OWSM

















You will need DEV_MDS and DEV_SOAINFRA schema created on Oracle 11g database. You can run RCU to create the same.

Have created sample proxy in OSB to get the customer details based on Customer ID.

Request you to download and import the sbconfig.jar in OSB.

The proxy name CustomerService take Customer ID in request and return its details.

Request:

<cus:Request   xmlns:cus="http://www.example.org/Customer">
<cus:customerID>1</cus:customerID>
</cus:Request>

Response:

<tns:Response   xsi:schemaLocation="http://www.example.org/Customer Customer.xsd " xmlns:tns="http://www.example.org/Customer" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<tns:firstName>John</tns:firstName>
<tns:lastName>Smith</tns:lastName>
<tns:gender>M</tns:gender>

</tns:Response>

Now Lets, add the policy to our proxy service:
  1. Click on CustomerService proxy under CustomerInfo project. 
  2. Click on Policy tab.
  3. Select "From OWSM policy Store" option.









     4.  Click on Add
     5. Select oracle/wss_username_token_service_policy, click submit.


    













    6. Click on update button.










    7. Activate your session in Change Center.

Try testing the OWSM by passing user/pass in soap header.
Eg.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cus="http://www.example.org/Customer">
   <soapenv:Header>
    <wsse:Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
secext-1.0.xsd"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-
1.0.xsd">
         <wsse:UsernameToken>
            <Username>weblogic</Username>
            <Password>welcome1</Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>

   <soapenv:Body>
      <cus:Request>
         <cus:customerID>1</cus:customerID>
      </cus:Request>
   </soapenv:Body>
</soapenv:Envelope>


If you get the expected response. Your are done with the exercise.

But if you get below error, you need to follow below steps:

[OSB Security - OWSM:387253]Failed to initialize Owsm Credential Manager. Please validate the Keystore Configuration.

We need to create a keystore and configure the same on weblogic.

1. You can create the keystore with the private key using the portecle ,a GUI tool.
     Use this command to start portecle:   java -jar portecle.jar
     Also refer to previous post on Keystore "Generating keystore using JAVA keytool ". 

Follow below steps to configure keystore on Weblogic:


    • Open the Enterprise Manager console (http://localhost:7001/em)
    • Under the navigator pane, expand Weblogic Domain, right-click on your domain name, select Security and then Security Provider Configuration 
    • Add the keystore details


    After the server startup procedure ends, we have to create the credential to be used by the Service Bus Test Console to validate our configuration:
    1. Open Enterprise Manager console (http://localhost:7001/em)
    2. Under the navigator pane, expand Weblogic Domain, right-click your domain name, select Security, then Credentials
    3. Click the Create Key and enter the following:
      1. Keybasic.credentials
      2. User Nameweblogic (change it to reflect your environment - must be a valid user)
      3. Passwordwelcome1 (change it to reflect your environment)
      4. Confirm Password: same as above (see Figure 23)
      5. Click OK
    Now that we have configured our keystore and credentials, login to sbconsole and test the CustomerService again with Service Bus Test Console. The payload is the same as before:

    <?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header />
  <env:Body>
   <cus:Request   xmlns:cus="http://www.example.org/Customer">
    
     <cus:customerID>1</cus:customerID>
    

    
  </cus:Request>
    

    

    

    
  </env:Body>
    
</env:Envelope>

    Since we created the Key on weblogic. We don't need to pass user/pass in SOAP header.













      Will post some more security scenario with respect to OSB.
      Thanks.

      Popular posts from this blog

      JAVA embedding in Oracle SOA 12c

      Image
      In this post we will explore how to EMBED Java or call Java API from Oracle SOA BPEL process. In order to demonstrated this, I have created a simple JAVA project with 3 classes. 1.        Account.java -> This class represent Account DTO       2.       Party.java -> This class represent a party (customer) DTO       3.       GetNumber.java -> This class contains the method that takes Party DTO as input and apply some business logic and return party’s AccountDTO in response. public Account getNumber(Party party) The above classes are created to simulate the calling of actual business logic API’s. Account.java Party.java GetNumber.java public class Account {     public Account() {         super();     }     String account;     public void setAccount(String account) {         this.account = account;     }     public String getAccount() {         return account;     } } public class Party {     public Part
      Read more

      Passing/Receiving HTTP header in SOA BPEL

      Image
      In this example we will explore how to pass or receive the parameters from HTTP header. We will explore below two scenarios, To receive the HTTP header from SOAP request. To pass the HTTP header while calling soap service. SOA version used: 12.1.3c To receive the HTTP header from SOAP request: First we need to add the property “oracle.webservices.http.headers” under binding.ws in Service element in composite.xml. This property contains the comma separated parameters that we are expecting in request. Example,  ENV,VERSION. <binding.ws port="http://xmlns.oracle.com/SOA_Learning/HTTPHeader/HTTPHeaderTest#wsdl.endpoint(httpheadertest_client_ep/HTTPHeaderTest_pt)">          <property name="oracle.webservices.http.headers">ENV,VERSION</property> </binding.ws> Now in BPEL source under receive activity, we need add <fromProperties> element which will copy the parameters from HTTP header to BPEL variable.
      Read more

      Integrating Weblogic with IBM MQ over JMS

      Image
      We can integrate weblogic with IBM MQ over JMS by creating Foreign JMS server with Links in weblogic server. We need to create .binding file which will acts as file based JNDI provider to create JMS binding to MQ resources. Will first explain how to create .binding file and then will configure weblogic to use the same. Steps to create .binding file: Firstly we need to add below jar’s in CLASSPATH jms.jar com.ibm.mq.jar com.ibm.mqjms.jar jta.jar connector.jar jndi.jar providerutil.jar fscontext.jar Create JMSProperties.config file with below properties INITIAL_CONTEXT_FACTORY=com.sun.jndi.fscontext.RefFSContextFactory PROVIDER_URL=file:/tmp/mqm/jndi SECURITY_AUTHENTICATION=none Run below command ./JMSAdmin -v JMSProperties . config InitCtx> def qcf(ForeignCF) TRANSPORT(CLIENT) HOST(localhost) PORT(1414) CHANNEL(MQCHANNEL) QMGR(MQMRG) def q(MQ1) qmgr(MQMRG) queue(MQ1) def q(MQR1) qmgr(MQMRG) queue(MQR1) display ctx
      Read more