Sunday, May 2, 2010

WSM in FMW 11g Patch Set 2 and OSB 11g

With all the Fusion Middleware releases of late April 2010, it's nice to take a look at the security part of FMW and OSB 11g. As you may already know, FMW 11g Patch Set 2 is a patch on PS1, which was a full release, whereas OSB 11g is a new release. Let's see whether Oracle changed WSM in PS2 and what they did with the WebLogic 9.2 WS-Security policies in OSB 11g.
Let's start with WSM in PS2. I did some checks and came to the conclusion that it works the same as in PS1, so my WSM in FMW blog post is still valid. The only thing that changed is that JDeveloper 11g PS2 gives you more information about the WSM policies.
OSB 11g is a major release, and in this 11g release Oracle did not change the WS-Security policies of WebLogic 9.2, so my OSB blog post about the security policies in OSB 10.3 is still valid for the 11g version. From this you can conclude that Oracle is fully committing to WSM. With OSB 11g Oracle added support for WSM agents. You can now use the WSM server policies on your OSB proxy services and the WSM client policies on your OSB business services. More importantly, it is now easy to call these WSM-secured proxy services from other FMW components (ADF, SOA Suite and Java).
To use WSM in OSB 11g you need an MDS repository, and you need to extend the OSB domain with the WSM components.
Once your OSB server is running, you can add the WSM server policy to a proxy service. Just select the OWSM policy option and add the right WSM server policy.

It works the same for an OSB business service, only now you use the client policies.
Before you can test these WSM policies you need to follow the steps of my FMW WSM blog post. Once you have configured the WSM keystore, you can test the proxy service in the service bus console application (sbconsole). In the security part of this test page you only need to provide the keystore.recipient.alias. Leave the rest empty.

Or you can generate a web service proxy in JDeveloper and use it in your proxy client.
import java.util.Map;
import javax.xml.ws.BindingProvider;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class HelloWorldServiceSoapHttpPortClient {
  private static HelloWorldService_Service helloWorldService_Service;

  public static void main(String[] args) {
    helloWorldService_Service = new HelloWorldService_Service();
    // Attach the OWSM client policy to the generated port.
    SecurityPolicyFeature[] securityFeatures =
        new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy") };
    HelloWorldService helloWorldService = helloWorldService_Service.getHelloWorldServiceSoapHttpPort(securityFeatures);

    // Tell the policy which keystore and which key aliases to use (sample values).
    Map<String, Object> reqContext = ((BindingProvider) helloWorldService).getRequestContext();
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:\\test_keystore.jks");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client_key");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client_key");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "client_key");

    // Add your code to call the desired methods.
  }
}
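
An added example, not part of the original post and not OWSM code: a standalone pre-flight check, using only the standard java.security.KeyStore API, that the JKS file the client above points to holds a private key under the signature alias (opened by the key password) and a currently valid X.509 certificate under the recipient alias. The class name WsmKeystoreCheck and its command-line arguments are hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class WsmKeystoreCheck { // hypothetical helper, not part of OWSM
    /** Returns the problems found; an empty list means both aliases are usable. */
    static List<String> check(KeyStore ks, String keyAlias, char[] keyPass,
                              String recipientAlias) throws Exception {
        List<String> problems = new ArrayList<>();
        // Signature alias: must be a key entry that the key password can open.
        try {
            if (ks.getKey(keyAlias, keyPass) == null)
                problems.add("no private key stored under '" + keyAlias + "'");
        } catch (UnrecoverableKeyException e) {
            problems.add("key password does not open '" + keyAlias + "'");
        }
        // Recipient alias: only its certificate is needed to encrypt the request.
        Certificate cert = ks.getCertificate(recipientAlias);
        if (!(cert instanceof X509Certificate)) {
            problems.add("no X.509 certificate stored under '" + recipientAlias + "'");
        } else {
            try {
                ((X509Certificate) cert).checkValidity();
            } catch (CertificateException e) {
                problems.add("certificate of '" + recipientAlias + "' is outside its validity period");
            }
        }
        return problems;
    }

    // Usage: java WsmKeystoreCheck <keystore.jks> <signatureAlias> <recipientAlias>
    public static void main(String[] args) throws Exception {
        Console con = System.console(); // passwords are prompted for, not passed as arguments
        if (args.length != 3 || con == null)
            throw new IllegalArgumentException("run from a terminal with 3 arguments");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, con.readPassword("Keystore password: "));
        }
        System.out.println("Problems found: " + check(ks, args[1], con.readPassword("Key password: "), args[2]));
    }
}
```

A wrong keystore password makes `ks.load` throw an IOException before any alias is checked.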




  1. Hi Mr. Biemond. I'm trying to use WSM from OSB 11gR1. Thanks for the post. I've come up with 2 questions:

    1- I've created a simple proxy service in OSB 11gR1 with an OWSM Policy to test it, but when I try to make the call I receive a generic message BEA-380001: Internal Server Error. So I would like to know if there is an OSB log file in which I can see details of the error. The only log I found was the Weblogic Domain one; does it include the OSB errors too?

    2- I'm using Weblogic and OSB 11gR1 only. I've not installed Soa Suite and so my EM console does not show the SOA folder. Since I was able to use OSB and WSM in isolation until now, I didn't install Soa Suite. So I would like to know if Soa Suite is required to use OSB and OWSM, and so if what I'm doing is wrong.
    Sorry for the length of the message.

    Thank you!

  2. Hi Lupan,

    Interesting question. Can you send me the WLS domain options you have, and I will make the same OSB domain on my laptop and try the same. Maybe you need a WSM server somewhere in your network.

    Try to start the OSB domain in Workshop, and in the console window you will see the errors.

    2. I will try to find out what WSM client means.


  3. Lupan,

    When you go to the EM website and select the WebLogic domain, you can go to the security sub menu and select Credentials or Security Provider Configuration (here you can import the keystore).

    That should work even without installing SOA.


  4. Hi Mr. Biemond,
    I'm using Weblogic and OSB. All I did was:

    1- Created a simple dummy WS which returns a string and deployed it on Weblogic.

    2- Created a business service in OSB pointing to it with the same WSDL published by WL.

    3- Created a proxy service in OSB based on the previous business service.

    4- Tested with the OSB web client and naturally it worked.

    5- Went to the proxy service config and added the policy: oracle/wss11_x509_token_with_message_protection_service_policy.

    6- Tried to access the service with a properly configured client. And so I received that generic error I mentioned in the last post.

    Unfortunately the Weblogic log simply shows nothing about OSB (I'm running the domain from OEPE).

    This client having the problem is the same one that successfully worked when I attached the same WSM policy directly through Enterprise Manager in the Weblogic Web service, without using OSB. Just as a reminder, I don't have Soa Suite installed.
    Thanks!

  5. Hi,

    And did you configure the keystore in the EM?

    Else send me your projects and I will try it out.

    biemond at gmail dot com


  6. Hi Edwin,
    I am using an MDS repository for my SOA Composites and am planning to use OSB for several components. How do I use MDS for OSB?
    Any help is really appreciated.

  7. Hi Genji.

    OSB can't use MDS like you used to in SOA Suite 11g; it only uses an MDS repos for the OWSM policies.