Securing an OSB Service with OWSM

In this post I will show how to secure a web service used by OSB ( Oracle Service Bus ) by authenticating it against an OWSM (Oracle Web Services manager) policy.

We will add a User Name Token service OWSM policy to secure the Proxy Service in OSB.

Below are the steps for using a simple web service in OSB and applying the following OWSM policy to it:

oracle/wss_username_token_service_policy

  • First, create a simple Java web service (or BPEL service) and deploy it to the WebLogic server.
  • Log into OSB console.
    http://localhost:7001/sbconsole

OSB Business/Proxy services

The OSB project is created first, then the web service is imported into OSB. After that the OSB Business and Proxy Services are created.

Create Project

  • Select Project Explorer.
  • Project Explorer: press Projects link.
  • Change Center section: press [Create] or [Edit].
  • Projects screen: enter the new project name, e.g. “OWSM-Demo”, and press [Add Project].
  • Change Center section: press [Activate] and submit details.

Import Web Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • Resources section: Create Resource field select: Bulk->Resources from URL.
  • Load Resources wizard | Load Resources From URL screen: enter the following.
    • URL/Path field: Enter the URL of the deployed web service i.e.
      http://localhost:7001/OSB-OWSMTest-SimpleWS-context-root/validateCCPort?WSDL
    • Resource Name field: “validateCC”
    • Resource Type field: accept default ‘WSDL’
    • Press [Next].
  • Review Loaded Resources screen: accept defaults and press [Import].
  • Change Center section: press [Activate] and submit details.

Create Business Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • From the Create Resources drop-down, select Business Service.
  • Create a Business Service (OWSM-Demo/) wizard: General Configuration screen:
    • Service Name field: enter “validateCardService”
    • Description field: enter anything i.e. “Business Service to validate CC”
    • Service Type section select ‘WSDL Web Service’ and press [Browse].
    • Select a WSDL window: select wsdl validateCC and press [Submit]
    • Select a WSDL definition: select entry in Port i.e. validateCCPort and press [Submit].
    • WSDL Web Service field populates entries
    • Press [Last] then [Save] in the Summary screen, and then activate changes.

Test Business Service

  • Project Explorer: select “OWSM-Demo”
  • Resources section: for the new Business service just created press the ‘Launch Test Console’ icon.
  • Business Service Testing – validateCardService window: Request Document section: modify the XML so it returns a valid value and press [Execute].
  • The response will depend on the web service you are using. Since we are not testing OWSM policies at this stage there is no need to add any security in the header.

Create Proxy Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • From the Create Resources drop-down, select Proxy Service.
  • Create a Proxy Service (OWSM-Demo/) wizard: General Configuration screen:
    • Service Name field: enter “validateCardProxy”
    • Description field: enter anything i.e. “Proxy Service to validate CC”
    • Service Type section select ‘Business Service’ Press [Browse].
    • Select Business Service window: select a business service i.e. “validateCardService” and press [Submit].
    • Business Service field is populated with the selected business service.
    • WSDL Web Service field populates entries.
  • Press [Last] then [Save] in the Summary screen, and then activate changes.

Test Proxy

  • Test the Proxy Service the same way the Business Service was tested, by pressing the ‘Launch Test Console’ icon for the Proxy Service.

Secure the Proxy Service

We will provide authentication for the Proxy Service by adding the OWSM policy oracle/wss_username_token_service_policy.

Add OWSM Policy

  • Change Center section: press [Create].
  • In the OWSM-DEMO project select the Proxy Service.
  • View a Proxy Service screen: select Policies tab.
  • Service Policy Configuration section: select OWSM Policy Bindings and expand proxy name i.e. validateCardProxy.
  • Press [Add].
  • Select OWSM Policy screen: select oracle/wss_username_token_service_policy and press [Submit].
  • The OWSM policy is registered with the Proxy Service.
  • Press [Update].
  • Select Security tab
  • Web Services Security Configuration section: Process WS-Security Header field: press [Yes].
  • Press [Update] and activate changes.

Create a Keystore File

  • Change to the following folder:
    $WLS_HOME/user_projects/domains/<domain>/config/fmwconfig
  • Run the following command to create the default keystore.
    keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

    What is your first and last name?
    [Unknown]: weblogic
    What is the name of your organizational unit?
    [Unknown]: Support
    What is the name of your organization?
    [Unknown]: Oracle
    What is the name of your City or Locality?
    [Unknown]: US
    What is the name of your State or Province?
    [Unknown]: US
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=weblogic, OU=Support, O=Oracle, L=US, ST=US, C=US correct?
    [no]: yes

Configure Keystore Configuration in EM

  • Log into EM and expand node Weblogic Domain.
  • Right-click the domain name and select Security | Security Provider Configuration.
  • Security Provider Configuration screen: Expand Keystore.
  • Press [Configure].
  • Keystore Configuration screen: Add the following keystore information.
    • Keystore Path: leave the default, since the default-keystore.jks file was created in the fmwconfig directory.
    • Password: welcome1
    • Key Alias: orakey
    • Signature Password: welcome1
    • Crypt Alias: orakey
    • Crypt Password: welcome1
  • Save changes.

Configure Security Credentials in EM

  • Still in EM, right-click domain name and select Security | Credentials.
  • Credentials screen: expand/select oracle.wsm.security
  • Press [Create Key].
  • Create Key dialog: add the following.
    • Map: oracle.wsm.security (default)
    • Key: joe-key
    • Type: Password
    • User Name: joe (this will be the same username that will be used in the OSB console).
    • Password: welcome1 (this will be the same password that will be used in the OSB console).
    • Press [OK].

Add a User in OSB

  • In OSB Console select Security Configuration | Users.
  • Summary of Users screen: press [Add New].
  • Create New User screen:
    • User Name field: enter “joe”
    • New Password/Confirm Password fields: “welcome1”.
    • Press [Save]. The user “joe” will appear in list of users.

Test OWSM Policy in OSB

  • Select Project Explorer | OWSM-Demo.
  • Resources section: for the Proxy service, press the ‘Launch Test Console’ icon.
  • Proxy Service Testing: Request Document section: Modify the XML so it returns a valid value.
  • Security section: for the policy oracle/wss_username_token_client_policy, Override Value column: enter “joe-key”.
  • Press [Execute].
  • The SOAP message will contain the user name token information in the security header, i.e.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-03reYQL1uSrzWfQ6tcjwkQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>joe</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </soap:Header>
    <!-- SOAP body and closing Envelope omitted in the post -->
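To make concrete what the two policies do on either side of the exchange, the csf-key lookup of the client policy that produced the header above and the header processing that the service policy performs once "Process WS-Security Header" is set to Yes, here is an added Python example. It is not part of the original post or of Oracle's code: the credential store, the OSB user store and the token Id are constructed stand-ins for the oracle.wsm.security CSF map and the user list created in the OSB console.

```python
"""Client-side construction and service-side validation of a WS-Security
UsernameToken, mirroring oracle/wss_username_token_client_policy and
oracle/wss_username_token_service_policy. Added example, not Oracle code."""
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed stand-in for the CSF map oracle.wsm.security: csf-key -> (user, password).
CSF_STORE = {"joe-key": ("joe", "welcome1")}

# Constructed stand-in for the OSB user store (Security Configuration | Users).
OSB_USERS = {"joe": "welcome1"}


def build_request(csf_key, body_xml):
    """Client policy: resolve the csf-key (the Override Value typed into the test
    console) and emit an envelope with a UsernameToken in the Security header.
    PasswordText carries the password in clear, so the transport must be TLS."""
    user, password = CSF_STORE[csf_key]
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        f'<soapenv:Header>'
        f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE_NS}">'
        f'<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU_NS}">'
        f'<wsse:Username>{user}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>'
    )


def authenticate(envelope_xml):
    """Service policy: the proxy consumes the WS-Security header itself
    ("Process WS-Security Header: Yes") and checks the token against the user
    store. Returns (ok, reason_or_user); a missing token is a hard failure
    because the policy requires it on every request."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return False, "no SOAP header"
    security = header.find(f"{{{WSSE_NS}}}Security")
    if security is None:
        return False, "no wsse:Security header"
    token = security.find(f"{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    user_el = token.find(f"{{{WSSE_NS}}}Username")
    pwd_el = token.find(f"{{{WSSE_NS}}}Password")
    if user_el is None or pwd_el is None or not user_el.text:
        return False, "malformed UsernameToken"
    # This policy variant only accepts PasswordText; anything else is rejected.
    if pwd_el.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return False, "unsupported password type"
    expected = OSB_USERS.get(user_el.text)
    # Constant-time compare so a wrong password and an unknown user look alike.
    if expected is None or not hmac.compare_digest(expected, pwd_el.text or ""):
        return False, "authentication failed"
    return True, user_el.text


if __name__ == "__main__":
    request = build_request("joe-key", "<validateCC><cardNumber>0000</cardNumber></validateCC>")
    print(authenticate(request))
    print(authenticate(request.replace("welcome1", "wrong")))
```

The same two functions show why the test console needs the csf-key rather than a literal username: the client policy never sees the password in the test UI, only the key into the oracle.wsm.security map, and the service side authenticates the resulting token against the user created in the OSB console.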

Reference: Oracle Knowledge Base (Doc ID 1265548.1)
