You probably already know the Web Service Manager (WSM) of SOA Suite 10.1.3. The 10.1.3 version was mainly used in combination with SOA Suite because it was the only way to secure the BPEL and ESB services. In FMW 11g Oracle changed WSM so that it is fully integrated in all the Fusion Middleware components. Now you can use WSM in ADF, in the Services and References of SOA Suite and in JAX-WS services or proxy clients.
In FMW 11g you can also define your own WS-Security policies (just use a wizard in the EM website) or use the standard policies, so it can always comply with your security requirements.
In this blog entry I will show you how to set up FMW on WebLogic and define security on a BPEL service, then call this service with an ADF Web Service Data Control and a Java web service proxy client.
Special thanks to Vishal Jain of Oracle who helped to solve the issues and explained how WSM works with keystores.
First we need to generate a keystore with a self-signed certificate. Somehow certificates generated with OpenSSL fail in FMW.
keytool -genkey -keyalg RSA -keystore C:\test_keystore.jks -storepass password -alias client_key -keypass password -dname "CN=Client, OU=WEB AGE, C=US" -keysize 1024 -validity 1460
Now here comes the trick: copy this keystore to the fmwconfig folder (domain_name/config) of the SOA Suite domain.
Go to the Enterprise Manager website, where we can configure the keystore we just created. Select the WebLogic domain and go to the security menu / credentials.
Here we can change maps or passwords which will be stored in the cwallet.sso file. If you see the oracle.wsm.security map then you can delete this map. This map contains the keystore password.
Go to the Security Provider Configuration menu item in the security menu, where we will add the keystore to FMW.
Press the Configure button in the keystore part of the screen.
Here we can add the keystore details. Use ./ as keystore path. This will fill the oracle.wsm.security map in the credentials menu.
Go back to the Credentials, where we will add an extra entry in the wsm map. Create a new key basic.credentials with username weblogic and password weblogic1.
Restart the Weblogic server.
The next part is to add a WSM policy to a BPEL service.
Select the server policy you would like to use and deploy this to the SOA Suite server.
Now we can make a JAX-WS proxy client so we can test the policy. In this client we will use the matching client policy. If this fails, check your libraries.
package nl.whitehorses.wsclient;

import java.util.Map;

import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceRef;

import oracle.webservices.ClientConstants;

import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class BPELProcess1_ptClient
{
  @WebServiceRef
  private static Bpelprocess1_client_ep bpelprocess1_client_ep;

  public static void main(String [] args)
  {
    bpelprocess1_client_ep = new Bpelprocess1_client_ep();

    // Attach the client policy that matches the server policy on the BPEL service
    SecurityPolicyFeature[] securityFeature = new SecurityPolicyFeature[] {
      new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy") };
    BPELProcess1 port = bpelprocess1_client_ep.getBPELProcess1_pt(securityFeature);

    // Keystore and key details are passed through the request context
    Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:\\test_keystore.jks");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client_key");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client_key");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "client_key");

    System.out.println("output = " + port.process("aaaa"));
  }
}
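The client above points its signing, encryption and recipient properties at one alias in one keystore, and a wrong alias or password only shows up when the service is called. The stand-alone check below is an added example (not from the original post and not Oracle code) that uses only the JDK's java.security.KeyStore API to confirm that the keystore opens, the alias exists, its certificate is currently valid and the private key opens with the key password. It assumes the signing and encryption aliases need a private-key entry while the recipient alias needs only a certificate; the 2048-bit threshold is a common minimum, not a requirement stated in the post.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;

// Added example, not from the original post. Assumes sig/enc aliases need a private key.
public class KeystorePreflight {
    // Returns findings for one alias; an empty list means nothing was flagged.
    static List<String> check(KeyStore ks, String alias, char[] keyPass,
                              boolean needsPrivateKey) throws Exception {
        List<String> findings = new ArrayList<>();
        if (!ks.containsAlias(alias)) {
            findings.add("alias not found: " + alias);
            return findings;
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        try {
            cert.checkValidity(); // throws when expired or not yet valid
        } catch (CertificateException e) {
            findings.add(alias + ": certificate not valid now: " + e.getMessage());
        }
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) findings.add(alias + ": RSA key is only " + bits + " bits");
        }
        if (needsPrivateKey && !ks.isKeyEntry(alias)) {
            findings.add(alias + ": certificate-only entry, no private key");
        } else if (needsPrivateKey) {
            try {
                ks.getKey(alias, keyPass); // the password given to keytool as -keypass
            } catch (UnrecoverableKeyException e) {
                findings.add(alias + ": key password does not open the private key");
            }
        }
        return findings;
    }
    public static void main(String[] args) throws Exception {
        // Path, passwords and alias default to the values used in this post.
        String path = args.length > 0 ? args[0] : "C:\\test_keystore.jks";
        char[] pass = "password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); } // IOException: bad store password or file
        System.out.println("sig/enc alias: " + check(ks, "client_key", pass, true));
        System.out.println("recipient alias: " + check(ks, "client_key", pass, false));
    }
}
```

Run against the keystore generated by the keytool command in this post, the check flags the 1024-bit key size and nothing else as long as the alias and passwords match.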
If all went well, we can do the same with an ADF Web Service Data Control.
To add the client policy, select the DataControls.dcx and go to the structure window.
Here we can define web service security.
Select the right client policy. In this case we need to override properties: press the button and fill in the recipient with your key alias. Otherwise you will get an orakey error.
Finally, deploy this web application with an EAR profile to the SOA Suite server and test your web app.

4 comments:
Thanks for excellent posting on WSM and Oracle Fusion Middleware 11g. A very hands-on approach on how to secure web services.
Seems like a complete repackaging of the WSM product.
Is the WSM as standalone product still available?
Suites are fine, but when it comes to security, separating security concern into a dedicated server process would be more flexible.
Hi,
Is the WSM as standalone product still available?
No, the WSM like 10.1.3 is gone. You cannot deploy an agent on servers and the gateway is also gone.
WSM takes place in the services and references of the SOA Suite and of course on the WLS web services.
And you can use the WSM agent in the ADF and JDeveloper Java applications.
thanks Edwin
Would like to know, in your ws-client code,
where does the class Bpelprocess1_client_ep come from?
Is it automatically generated when the BPEL process is created, or do you use the web service proxy wizard provided by JDeveloper to generate the ws-client?
Hi,
JDeveloper will generate this when you want to expose a mediator or a BPEL SCA component. Then a service with this name is generated.
thanks Edwin