Let's start simple with one of the following policies
oracle/wss_http_token_service_policy
oracle/wss_username_token_service_policy
These policies can be used for HTTP Basic Authentication or for a Username Token in a SOAP message. The only thing you need to do for these policies is to add some users to the myrealm Security Realm in the WebLogic Console.
On the client side you need to do the following.
execute = new Execute();
// Attach the OWSM client policy that matches the server-side username token policy
SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
    new SecurityPolicyFeature("oracle/wss_username_token_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// Credentials of the user that was added to the myrealm security realm
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
The Message protection policies
oracle/wss10_message_protection_service_policy
oracle/wss11_message_protection_service_policy
When you choose one of these policies you need to generate a server certificate for encryption and put it in a Java keystore. For the client side you also need to make a keystore, but this one contains only the public key of the server encryption certificate (this is the case for wss11; for wss10 you also need to generate a client certificate besides the public key of the server, see the x509_token_with_message_protection policies below for how to do this).
To add your server keystore to FMW, go to the Enterprise Manager and select your WebLogic Domain. In the menu go to the Security / Security Provider Configuration page, where you can import your Java keystore. Before you start you need to copy your keystore to your domain folder, into the config/fmwconfig folder.
In this example I used two certificates one for the signature and one for the encryption. For the wss11 Message protection Service policies you only need the encryption certificate.
On the client side you need to load the client keystore and the public key of server encryption certificate.
execute = new Execute();
// Attach the OWSM client policy that matches the server-side wss11 message protection policy
SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
    new SecurityPolicyFeature("oracle/wss11_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// Client keystore: for wss11 it only needs the public server encryption certificate
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
// Alias of the server encryption certificate the request is encrypted for
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);

For the wss10_message_protection_service_policy you need to do the following.
execute = new Execute();
// Attach the OWSM client policy that matches the server-side wss10 message protection policy
SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
    new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// Client keystore: for wss10 it holds the client certificate (client1) plus the public server encryption certificate
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
// Alias of the server encryption certificate the request is encrypted for
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
// The client private key signs the request
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
The above policies can also be combined, as in these policies:
oracle/wss10_username_token_with_message_protection_service_policy
oracle/wss11_username_token_with_message_protection_service_policy
For these policies you need to create a user in the WebLogic Console for the username token and generate a server and client keystore for the message protection part.
On the client side you need to do the following.
execute = new Execute();
// Attach the OWSM client policy that matches the server-side wss11 username token with message protection policy
SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
    new SecurityPolicyFeature("oracle/wss11_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// Username token part: the user created in the WebLogic Console
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");
// Message protection part: for wss11 only the public server encryption certificate is needed
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);

For the wss10_username_token_with_message_protection_service_policy you need to do the following (and you need a client certificate and the public key of the server).
execute = new Execute();
// Attach the OWSM client policy that matches the server-side wss10 username token with message protection policy
SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
    new SecurityPolicyFeature("oracle/wss10_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// Username token part: the user created in the WebLogic Console
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");
// Message protection part: for wss10 the client certificate (client1) signs, the server certificate encrypts
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
In the last part of this blogpost I will explain the following policies
oracle/wss10_x509_token_with_message_protection_service_policy
oracle/wss11_x509_token_with_message_protection_service_policy
These policies will use the client certificate for the signature and the public key of the server encryption certificate for the encryption.
So we start by making some keystores with some certificates. I don't use self-signed certificates, because then for every new client I would need to update the server keystore and reboot the FMW server. Now I only have to import the CA public certificate in the server keystore. This is what my server keystore looks like.
It has a private certificate for the server signature and one for encryption. The CA public key is trusted.
For the client I have this keystore (every customer / application can have its own client keystore).
The CA and server encryption certificates are public certificates and are trusted.
Because the FMW server does not know this client certificate (it only knows the CA), you need to add a new user in the myrealm Security Realm in the WebLogic Console. The password of this user is not important; the only requirement is that the common name of this client certificate is the same as the WebLogic username.
And finally the client code, where we need to provide the client signature certificate details.
execute = new Execute();
// Attach the OWSM client policy that matches the server-side wss11 x509 token with message protection policy
SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
    new SecurityPolicyFeature("oracle/wss11_x509_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
// Client signature certificate; its common name must equal the WebLogic username
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
// Public server encryption certificate
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
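As an added example that is not part of the original post, here is a pre-flight check of the client keystore used with the wss10/wss11 x509_token_with_message_protection client policies, written with plain JDK classes and no OWSM dependency. It confirms that the signature alias is a private key entry that opens with the given password, that the recipient alias is a trusted certificate entry, that both certificates are valid today, and that the client certificate's CN equals the WebLogic username the server side will map it to. The class name, argument layout and problem wording are my own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Pre-flight check of the client keystore handed to an OWSM
// x509_token_with_message_protection client policy. Added example, not code
// from the original post; plain JDK classes only, no OWSM dependency.
public class OwsmClientKeystoreCheck {

    /** CN attribute of the certificate subject, or null when there is none. */
    public static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Adds a problem when the certificate is expired or not yet valid. */
    private static void checkValidity(String what, X509Certificate cert, List<String> problems) {
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            problems.add(what + " certificate is not valid now: " + e.getMessage());
        }
    }

    /**
     * Returns the problems found (empty when the keystore is usable). The aliases and
     * password are the values meant for WSSEC_SIG_KEY_ALIAS, WSSEC_SIG_KEY_PASSWORD and
     * WSSEC_RECIPIENT_KEY_ALIAS; weblogicUser is the myrealm user, null skips that check.
     */
    public static List<String> check(KeyStore ks, String sigAlias, char[] sigKeyPassword,
                                     String recipientAlias, String weblogicUser) throws Exception {
        List<String> problems = new ArrayList<>();
        // The signature alias must be the client's own PrivateKeyEntry, not a trusted cert.
        if (!ks.isKeyEntry(sigAlias)) {
            problems.add("signature alias '" + sigAlias + "' is not a PrivateKeyEntry");
        } else {
            try {
                Key key = ks.getKey(sigAlias, sigKeyPassword);
                if (!(key instanceof PrivateKey)) {
                    problems.add("signature alias '" + sigAlias + "' holds no private key");
                }
            } catch (UnrecoverableKeyException e) {
                problems.add("WSSEC_SIG_KEY_PASSWORD does not open alias '" + sigAlias + "'");
            }
            X509Certificate clientCert = (X509Certificate) ks.getCertificate(sigAlias);
            checkValidity("client", clientCert, problems);
            // OWSM maps the client certificate to the WebLogic user with the same CN.
            String cn = commonName(clientCert);
            if (cn == null) {
                problems.add("client certificate has no CN to map to a WebLogic user");
            } else if (weblogicUser != null && !weblogicUser.equals(cn)) {
                problems.add("client certificate CN '" + cn + "' does not match WebLogic user '" + weblogicUser + "'");
            }
        }

        // The recipient alias must be the server encryption certificate, a trustedCertEntry.
        Certificate recipient = ks.getCertificate(recipientAlias);
        if (recipient == null || !ks.isCertificateEntry(recipientAlias)) {
            problems.add("recipient alias '" + recipientAlias + "' is not a trustedCertEntry");
        } else {
            checkValidity("server encryption", (X509Certificate) recipient, problems);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 5) {
            System.err.println("usage: OwsmClientKeystoreCheck <jks> <storepass> <sigAlias> <sigKeyPass> <recipientAlias> [weblogicUser]");
            System.exit(2);
        }
        // Passwords come from the command line instead of being hard-coded; in a deployed
        // client keep them in CSF, as the OWSM "must not be used in the clear" warning advises.
        KeyStore ks = KeyStore.getInstance("JKS"); // same type as WSSEC_KEYSTORE_TYPE in the post
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> problems = check(ks, args[2], args[3].toCharArray(), args[4],
                                      args.length > 5 ? args[5] : null);
        for (String p : problems) {
            System.out.println("PROBLEM: " + p);
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it against C:/client_keystore.jks with the aliases from the post (client1 and server_encr) and the WebLogic username you created; a non-zero exit means the policy call will fail before it reaches the server.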
For OWSM SAML policies see this blogpost
For OWSM kerberos policies see this blogpost
Hi Edwin,
A completely different question from the topic of your post
I have a simple SOA Composite in which a Human Task is created and assigned to a Group. I have to deploy this composite to 3 different environments (ie) DEV,TEST & PROD. In Active Directory we have the following setup
1. FixedAssets-DEV
2. FixedAssets-TA
3. FixedAssets-PROD
While deploying the composite to DEV , the task should be routed to the group 'FixedAssets-DEV' . Similarly in TEST the task should be routed to 'FixedAssets-TA' and in PROD the task should be routed to 'FixedAssets-PROD'.
I am not able to do this using a config plan as the config plan would only act on 'service' and 'reference' elements and the Human Task is a 'component'.
I have also tried the following
1. Added a GroupName Property to the .componentType file of the Human Task
2. In the Assignment Tab of the Human Task Editor, used XPATH expression
3. Used ora:getPreference('GroupName') to get the group name
But the ora:getPreference() function does not seem to be available in this context.
Does anyone have any ideas on how to solve this issue
PS: Please copy me on the replies as I am not a member of this group
Thanks in advance,
Prasanna
Hi,
Can't you use an inputparameter to the HumanTask and use this param for your group assignment. That should work. This inputparameter / payload can be controlled from BPEL.
hope this helps.
Hi Edwin, this is a great article. I have followed it but I am getting an error as follows:
SEVERE: WSM-00145 Keystore location or path can not be null or empty; it must be configured through JPS configuration or policy configuration override.
SEVERE: WSM-00111 Keystore is not properly configured in JPS config.
I have called the getBSTCredentialProvider with all the keystore information I have setup but it still seems to want me to provide these through jps-config.xml.
Hi,
these jps-config.xml errors can be ignored, it has something to do with OPSS.
thanks
Hi Edwin,
Have you tried SAML token insertion policies on OWSM 11g?
I wanted to know how to validate SAML token against siteminder for user authentication. I appreciate your help
Regards,
Sri
Any Step by step document for implementing
oracle/wss10_x509_token_with_message_protection_service_policy
As this blog looks like more of documentation stuff, which has to be debugged.
Hi,
I did not do much with the SAML OWSM policies, only with the WebLogic ones
For
oracle/wss10_x509_token_with_message_protection_service_policy
oracle/wss11_x509_token_with_message_protection_service_policy
See the last part of this blogpost,
make a client and server keystore, import the CA and exchange the public keys, import that in the keystores and add a user in the security realm with the same name as the common name of the client cert.
thanks
Hi Edwin, a really useful guide.
Could you please post the steps you followed to generate the server and client keystore for x509 token policies?
that would be awesome.
thanks in advance
Hi,
read this blogpost http://biemond.blogspot.com/2009/06/ws-security-in-osb.html
this contains how you can generate your own CA and create some keystores.
thanks
Hi Edwin,
I am developing a service that needs to take an input message and return the encrypted format of that message.
We want to host this as a generic message? Can you please let me know if these policies would help me with that? As these policies are applied on the endpoint, I am not able to return an encrypted message as a response.
Basically, I want to have a request reply service that would take an xml message and return an encrypted message in response. Please help me out with your suggestion as to how I should proceed.
Hello Edwin,
Please let me know if we can use policies to return an Encrypted message in 11g for a given message as we do in 10G. I would like to host a service that would return an encrypted message back for a given text message.
Hi,
I think it is possible, you need to make a custom XSD with a content part (anyxml) where you put in the data/xml just like in 10g
but I think you want the oracle/wss11_message_protection_service_policy on the response message. Don't know if that is easy
you can copy and change this policy so only the response is encrypted.
else you can make a Async jax-ws service and only put the policy on the response, like this
http://biemond.blogspot.com/2011/02/building-asynchronous-web-service-with.html
else maybe
the new xml enterprise gateway can help.
thanks and let me know or blog about it.
Hi
Thank you for your very useful blog.
I'm working on a web service client proxy to which I have attached owsm policy oracle/wss10_x509_token_with_message_protection_client_policy. I have also programmatically defined the keystore, alias and password settings as you have shown in your good examples.
I have tested my creations in JDeveloper. According to the http analyzer I have sent a request and I'm getting a response, but it fails with wsm-00030 key wrap error. The decrypting expects oaep, but gets Rsa-15. How to fix?
Thanks in advance
BR
Marko
Hi,
Which owsm server policy do you use on the server side?
Do your client and server policies match?
thanks
Hi and thank you for quick answer
The server is from a different world.
It is Sun GlassFish Enterprise Server v2.1 and according to service provider, they don't use any formal policy. But the policy we are using does the job till this key wrap mismatch.
I've found the documentation, which says the key wrap algorithm can be changed at our end.
I have tried to find a programmatic way and tried to alter the policy, no luck.
Below the err from weblogic server where my client runs as proxy. The proxy is deployed as web service to our local usage.
javax.xml.rpc.JAXRPCException: WSM-00030 : The encryption method key wrap algorithms do not match : Expected : http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, , Actual : http://www.w3.org/2001/04/xmlenc#rsa-1_5.
BR
Marko
Hi,
in the EM you can copy and then change the client policy, maybe you can change it in one of the assertions.
thanks
Hi
Thanks for the advice.
I've done that.
One thing still:
I did export the custom policy and pointed it in JDeveloper, attached it to my proxy and tried to run my test program. Program did not understand the policy, gave errors.
Does this custom policy need registration/import/spell to be accepted by JDev ?
Thank you for your valuable help.
BR
Marko
Hi,
did you do this? I copied an existing policy from DefaultDomain\oracle\store\gmds\owsm\policies\oracle (be aware you copy the right client or server policy -> ws and client -> proxy client) to the DefaultDomain\oracle\store\gmds\owsm\policies\policy_file folder
and changed the following attributes of the wsp:Policy element (top) to a unique name, so I can see them in jdeveloper
wsu:Id="edwin_service_policy"
orawsp:displayName="edwin_service_policy"
orawsp:description="edwin"
Name="edwin_service_policy"
Hi
I did all of your mods to my custom policy. I attached it to my client proxy, compiled it and deployed to my local integrated WLS. Not working.
I tried to run my proxy in JDev with my test class, no luck.
Error message:
SEVERE: WSMAgentHook: An Exception is thrown: WSM-06102 The policy referenced by URI "oracle/wss10_x509_token_with_message_protection_client_policy_om" could not be retrieved.
Some kind of importing step for custom policy is missing here, I think.
BR
Marko
Hi
I skipped the idea to test in JDev.
I'm now using only my copied and modified custom policy on WLS.
No key wrap error anymore.
Now I'm having problems with my WSSEC_RECIPIENT_KEY_ALIAS.
It says WSM-00056 : The key, om, is not retrieved. Now what ?
(makes me think: is someone really using these security things? Or does the security mean that nobody is able to access the data)
BR
Marko
Hi,
did you configure the keystores in EM? This is necessary in wls
you need to have a map with some key entries
thanks
Hi
Keystores in plural?
The server side is remote and I'm not handling that, lucky me.
I have only one keystore with my private key and their public key like this:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
om, 18.5.2011, trustedCertEntry,
Certificate fingerprint (MD5): 2B:37:6F:1E:A2:23:6B:24:6E:E9:AC:7D:65:F2:23:99
ij, 16.5.2011, PrivateKeyEntry,
Certificate fingerprint (MD5): D1:41:16:E3:14:CF:B1:DB:51:1E:44:7B:CA:9C:AF:CE
In my code I'm using these like this:
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "/oraweb/user_projects/domains/intrum/config/fmwconfig/default-keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "ij");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "om");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "om");
I suppose I will need something more ?
BR
Marko
Hi,
can you remove your keystore entries and leave it to the weblogic server and the EM
you only need to set the OWSM client policy
like this
http://biemond.blogspot.com/2009/09/wsm-in-fusion-middleware-11g.html
thanks
Hi
Thank you for your patience.
Do you mean, that I can configure the proxy part separately and still be able to keep the locally used web service clear?
At least with WLS's console that wasn't possible. The policy could be attached to web service.
I'll examine that, thanks.
BR
Marko
Hi,
you can remove this
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "/oraweb/user_projects/domains/intrum/config/fmwconfig/default-keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "ij");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "om");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "om");
and configure the keys in the EM
For EM use /em instead of /console
thanks
Hi Edwin
i have some problem when using oracle/wss11_x509_token_with_message_protection_service_policy.
can you give me some suggestion please.
here is the information of my case.
Server keystore looks like
------------------------------------------------------------------------------------------
キーストアのタイプ: JKS
キーストアのプロバイダ: SUN
キーストアには 2 エントリが含まれます。
orakey, 2011/06/02, PrivateKeyEntry,
証明書のフィンガープリント (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
soa_infra, 2011/06/02, trustedCertEntry,
証明書のフィンガープリント (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
-----------------------------------------------------------------------------------------
Client keystore looks like
------------------------------------------------------------------------------------------
キーストアのタイプ: JKS
キーストアのプロバイダ: SUN
キーストアには 2 エントリが含まれます。
orakey_public, 2011/06/02, trustedCertEntry,
証明書のフィンガープリント (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
jcooper, 2011/06/06, PrivateKeyEntry,
証明書のフィンガープリント (MD5): 3A:1E:1F:D3:66:A6:F5:1E:86:84:0B:22:8D:AD:D6:BE
-----------------------------------------------------------------------------------------
New user in the myrealm Security Realm
-----------------------------------------------------------------------------------------
dn: uid=jcooper,ou=people,ou=myrealm,dc=soa_domain
-----------------------------------------------------------------------------------------
and i got the following exception in soa_server1-diagnostic.log
-----------------------------------------------------------------------------------------
Caused by: oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate used for the signature is invalid.
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:956)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:839)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:803)
at oracle.wsm.security.policy.scenario.executor.Wss11MutualAuthWithCertsScenarioExecutor.receiveRequest(Wss11MutualAuthWithCertsScenarioExecutor.java:131)
... 43 more
-----------------------------------------------------------------------------------------
Hi,
Did you import the public key of jcooper in the server keystore? I don't know if the CA key is enough.
and the common name of jcooper cert should be a user in the myrealm security realm.
thanks
Hello Edwin, Thanks a lot!
After importing the public key of jcooper into the server keystore it's working fine.
Here I have another request, would you show us how to use saml token under soa 11g,
By the way I am a big fan of your blogs.
Thanks,
Jalen
Hello Edwin,
Using Oracle WebServices Manager, I'm forcing the client to use Oracle libraries like weblogic.jar, jrf.jar. Is this true?
Are these libraries licensed?
Thanks in Advance.
Hi,
Don't force the client, because it is licensed stuff and it's java.
In the fmw documentation there is a great big guide on how you can use OWSM with .net. And this should not be necessary because it is all web services. Even with soapui you can do a lot. Or use the new XML gateway product at the client.
But with security it works or not, nothing in between, so it can take a while of testing at the clients before it works.
Thanks
Hi
Do you have the full commands to create client_keystore.jks and server_keystore.jks.
I am not strong in this area and would like keytool commands to create these.
Hi,
here they are.
Generate a new Java Keystore with a self signed server key.
keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=server, C=US" -keypass welcome -keystore c:\server.jks -storepass welcome
Generate a new client certificate with client as common name (CN) attribute and store it in the client_2.jks keystore.
keytool -genkey -alias clientKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=client, C=US" -keypass welcome -keystore c:\client_2.jks -storepass welcome
Export the public key of the server certificate.
keytool -exportcert -alias serverKey -storepass welcome -keystore c:\server.jks -file c:\server.cer
Import the public key.
keytool -import -file c:\server.cer -alias serverKey -keystore c:\client_2.jks -storepass welcome -keypass welcome
Export the public key of the client certificate.
keytool -exportcert -alias clientKey -storepass welcome -keystore c:\client_2.jks -file c:\client_2.cer
Import the key in the server Java keystore.
keytool -import -file c:\client_2.cer -alias clientKey -keystore c:\server.jks -storepass welcome -keypass welcome
Hello Edwin,
I have a BPEL composite deployment under soa-infra that calls a WSSEOASIS2004Compliant secure webservice.
I can call the service from SOAPUI by providing the username and password
When I try to make the call from the BPEL service, I get this error:
oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://www....
We are using SOA 11.1.1.4.
I was following your blog and OTN forum (https://forums.oracle.com/forums/thread.jspa?threadID=2148565&start=0&tstart=0)
Here they have suggested to use Keystore/certificate/Keys..etc
I have Securewebservice WSDL file/URL with username/password.
From here I would like to know the steps required to invoke the secure ws.
and how to use Keys/keytool/Certificates
Thanks,
AB
Hi,
here you got some info about how to generate some self signed keys and use them in OWSM
http://biemond.blogspot.com/2011/09/calling-owsm-protected-service-with.html
for only using some keys in 1 composite, you can add those keys in the credentials map of owsm and override the default keys of the composite at deployment time.
hope this helps and for the truststore of owsm you don't have to do anything, just add the ca and public keys to the keystore used in owsm.
good luck
Hi Edwin,
I followed your instructions in order to configure the oracle/wss11_x509_token_with_message_protection_client_policy policy but I'm getting this error:
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: FailedAuthentication : The security token cannot be authenticated.
Do you have any idea what's wrong with my configuration?
Hi
Do you have a user in weblogic which has the same name as the common name of your client certificate?
thanks
Hi Edwin, my name is Silvia. I'm trying to put a ws security, but to make the complete sample the following error occurs:
30/04/2012 12:29:24 PM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
GRAVE: java.io.FileNotFoundException: C:\JDeveloper\mywork\SecurityBuena\Security\.\config\jps-config.xml (El sistema no puede encontrar la ruta especificada)
INFO: WSM-09004 No se puede inicializar la auditoría del componente.
INFO: WSMAgent is initialized for category=security, function=agent.function.client, topologyNodePath=null, isJ2EE=false
INFO: Configuration property keystore.enc.csf.key value is null
ADVERTENCIA: keystore passwords must not be used in the clear! Please use CSF to secure passwords
ADVERTENCIA: signature key passwords must not be used in the clear! Please use CSF to secure passwords
ADVERTENCIA: encryption password must not be used in the clear! Please use CSF to secure passwords
INFO: Successfully loaded keystore [ path:{0}, type:{1}, sign-alias:{2}, crypt-alias:{3}, recipientAlias:{4}, recipientCert:{5}] Successfully loaded keystore [ path:C:\Certificado\ospru.jks, type:JKS, sign-alias:osbpru, crypt-alias:osbpru, recipientAlias:osbpru, recipientCert:null]
ADVERTENCIA: keystore passwords must not be used in the clear! Please use CSF to secure passwords
ADVERTENCIA: signature key passwords must not be used in the clear! Please use CSF to secure passwords
ADVERTENCIA: encryption password must not be used in the clear! Please use CSF to secure passwords
Can you help me please?
Hi,
when you see this in a java client then you can ignore it (cause it is not running on a weblogic server).
Inside a webapp , osb or soa suite it won't give you these errors.
thanks
Hi Edwin
your article has been very helpful to me.
But, I need to understand how the certificate expiration date is validated and how to know if the certificate was revoked?
Thanks
Hi,
This is handled by the java jvm. You will get a certificate exception and OWSM gives you an error.
thanks
Hi Edwin
is it possible to test this example with SOAPUI?
I have some troubles with the configuration of SOAPUI (4.5.0) to test the wss11_x509_token_with_message_protection_client_policy
Thanks!
Hi,
It is possible but you need to know what you are doing. What order of timestamp, signing, encryption etc.
Start simple with your own owsm policy with for example only message protection
Get it working with a java client
Add a proxy client in between to intercept the http calls and compare this with soapui.
good luck
Were you successful in getting SoapUI 4.5 to test a web service that enforces the wss11_x509_token_with_message_protection_service_policy? I get close but not successful. My SoapUI outgoing ws-security configuration has a Timestamp, a Signature for Timestamp and Body using the client private key, the Encryption on Body using the server public key, and finally a Signature on the BinarySecurityToken again using the client private key. Unfortunately, the owsm/msglogging/diagnostic.log shows WSMException: GenericFault caused by java.lang.RuntimeException: ERROR: Unsupported Type: [ and then the client certificate ]. This is a simple HelloWorldWebService implemented in OSB. I also have a simple HelloWorldWebClient in OSB that uses the same client certificate SUCCESSFULLY. Any ideas on how to test the service with SoapUI? Thanks.
Hi,
That is very hard, I know many people tried it but somehow it is impossible
maybe this blogpost can help you
http://biemond.blogspot.nl/2011/10/calling-owsm-protected-service-with.html
thanks
Is it possible to create a message protection, username_token over ssl policy?
Hi Edwin,
It is a nice post. How would I get the code attached to this post? I tried searching in the github but could not find it. Please suggest
Hi,
in my OSB developer cookbook there are complete examples,
but basically you add an OWSM server policy to a SOA composite or OSB proxy.
Generate keystores and configure OWSM in the Enterprise Manager.
Generate a web service proxy which uses the wsdl of the service. Add the right OWSM client policy, and then add the above code to the java code and invoke it.
thanks
Hi Edwin,
This is an extremely helpful article. But it would be of great help if you kindly guide me through implementing the same. Let me explain you the scenario. I have a ProviderABCS which calls a webservice that requires HTTP basic authentication. Till now I have used only WSS Username Token. Please guide me in implementing HTTP basic Authentication.
Regards,
Chandrika
Hi,
Did you see this blog post? http://biemond.blogspot.nl/2010/08/http-basic-authentication-with-soa.html
Thanks
I have a scenario where I need to decrypt a 3rd party message on the OSB. I only have their public key. How would I go about this?
Hi,
Then you should use or modify an OWSM message protection client policy and add this to the business service. And of course add this public key to your own keystore, add this to EM, and in the OWSM client policy make a reference to the public key alias.
Thanks
Hi Biemond,
Thank you for this. I am quite new to OWSM. Can you perhaps take me through how you would practically do this? Thanks.
Hi,
Just follow my OWSM tag on my blog, read them all and then try it yourself: generate keys, configure EM and do some testing.
Good luck.
Hi Edwin, your blog has helped me understand the basic OWSM policies. I created a blog in an effort to simplify the OWSM understanding for users; wanted to let you know.
http://oracleadfhowto.blogspot.in/2012/11/configuring-server-and-client-for-using.html
Thanks
Great work.
Hi Edwin, hope you remember me.
I have a typical requirement wherein Salesforce sends a message to Oracle through Oracle SOA 11g.
Currently the SFDC team is applying a CA (VeriSign/GoDaddy) certificate to the outgoing message.
Can you please help me understand what the steps in the SOA layer would be to accept this certificate message from SFDC?
It would be great if you provide detailed steps.
Thanks in advance.
Hi,
First find out what WS-Security policy they are using, like signing, time token, encryption etc.
Select the right client OWSM policy and maybe adjust the policy.
Load the public key of Salesforce in the EM and maybe add a username to WebLogic.
Good luck
Thanks for the quick response.
Salesforce is using certificates signed by publicly trusted CAs.
In that case, I have the below understanding and a few questions, and am looking for your response.
1) The exposed service in the composite is attached with an OWSM policy. Please let me know what the policy name is in the set of standard policies.
2) How do we load the public key of Salesforce in the EM console?
3) Why do we need to create a user in WebLogic?
Thanks Edwin for your support.
Hi,
First you need to find out what policy you need or have, and then do the right actions. Do you need encryption, signing, user token or timestamp token etc.?
Thanks
Hi Edwin,
I am facing a particular scenario.
I need to encrypt some data in a link; this data must be sent via the GET method.
An OSB proxy service will accept this request, decrypt this data and continue with the process.
Encrypted link sample: http://myweb.com?data=OIEWRU232O4H2H42H42H2LJJSJJ
Decrypted GET parameter: data = custName=me&custNumber=23444&custAddress=mystreet23
Could I use policies to encrypt and decrypt parameters passed via the GET method in the HTTP header?
Thanks!
Hi,
Not possible with a policy; WS-Security only supports it on the SOAP body.
You can do a Java callout in OSB and decrypt with your private key.
Can't you use a GUID token, and the receiver does a callback with this one-time token to retrieve the data with WS-Security or HTTPS?
Thanks
Hi Edwin,
Thanks for sharing this article!
I am trying to consume Web Services of our Fusion application using the following web service policy "oracle/wss11_username_token_with_message_protection_client_policy". What are the steps I must follow to create a Client Java Application using Apache CXF with XMLBeans or ADF-WS Proxy?
Using both frameworks I have already generated the code. But now I am stuck around the area of keystores... Do I need to configure a handler (ADF-WS Proxy)? Or interceptors (Apache CXF)?
Thank you
Greetings,
Mark
Hi,
I know for ADF you only need to have the public key of the Fusion app server for encryption purposes. Configure this in the EM.
And provide a username and password. You can add these entries in the ADF WS Data Control / POJO configuration or use ADF Security (authenticate in the application), and when there are 2 domains then you need to add a trust between these domains.
Thanks
Hi Biemond,
I'm trying to call a web service secured with "oracle/wss11_username_token_with_message_protection_client_policy" using the "Dispatch" object.
I can call it using a static client. But the same service throws an error with the Dispatch client.
I'm not sure what needs to be put into "reqContext". The server throws only an internal system error, so debugging is hard. Could you please share some sample code? Thanks.
Hi,
You need to set these values (username, plus the public key of the server):
Thanks
// Imports needed for this snippet: JAX-WS, the WebLogic JAX-WS OWSM policy feature and the OWSM client constants
import java.util.Map;
import javax.xml.ws.BindingProvider;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;

// Service proxy generated from the WSDL (same generated classes as in the first example)
Execute execute = new Execute();
// Attach the OWSM client policy that matches the server-side wss11 username token with message protection policy
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// Username token: credentials of a user in the WebLogic security realm
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");
// Client keystore that holds the public encryption certificate of the server
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
// Alias of the server encryption certificate; the recipient key is what the request gets encrypted with
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
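As an added example (not code from this post or from Oracle), a small Java check that opens the client keystore referenced above and verifies that the alias used for WSSEC_RECIPIENT_KEY_ALIAS holds a valid X.509 certificate and, for wss11, only a certificate rather than a private key; the path, password and alias are the assumed values from the snippet, so adjust them to your setup.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Added example: validates the client keystore entry that the OWSM client policy will encrypt with. */
public class ClientKeystoreCheck {

    // Assumed values, taken from the reqContext entries in the snippet above
    static final String KEYSTORE_LOCATION = "C:/client_keystore.jks";
    static final char[] KEYSTORE_PASSWORD = "welcome".toCharArray();
    static final String RECIPIENT_ALIAS = "server_encr";

    /** Loads the JKS keystore and returns the server encryption certificate stored under the recipient alias. */
    static X509Certificate loadRecipientCertificate(String location, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(location)) {
            ks.load(in, storePass); // a wrong store password fails here with an IOException
        }
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("alias '" + alias + "' not found in " + location);
        }
        // For wss11 the client only needs the server's public certificate under this alias.
        // A private key here means the server's encryption key pair was copied to the client side.
        if (ks.isKeyEntry(alias)) {
            System.err.println("WARNING: alias '" + alias + "' holds a private key; only the certificate is needed");
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("alias '" + alias + "' does not hold an X.509 certificate");
        }
        X509Certificate x509 = (X509Certificate) cert;
        x509.checkValidity(); // throws if the certificate is expired or not yet valid
        return x509;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadRecipientCertificate(KEYSTORE_LOCATION, KEYSTORE_PASSWORD, RECIPIENT_ALIAS);
        System.out.println("Recipient certificate: " + cert.getSubjectX500Principal());
        System.out.println("Valid until:           " + cert.getNotAfter());
        System.out.println("Public key algorithm:  " + cert.getPublicKey().getAlgorithm());
    }
}
```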
Hi Edwin,
We would like to enforce authentication on an HTTP binding service exposed to an external service. However, the certificate stuff is not required. We require only authentication through credentials (username and pwd) and no extra security.
Is it supported in 11g, and if it's supported, which policies should we use?
Thanks,
Suresh
Hi,
You can use these policies:
oracle/wss_http_token_service_policy
oracle/wss_username_token_service_policy
Thanks
Hi Edwin, great post. Following up with this question: if we use these policies, let's say for a SOA composite service to access UCM, we would need to provide the username and password as properties in the composite and thus expose them in the SOAP header. But for security reasons we don't want to expose the password, so how would you approach it?
Hi Edwin,
I have a requirement to call a secured web service passing username and password as password+securitytoken. I tried using wss_username_token_service_policy but am getting INVALID username, password, security token. Please let me know what policy I should be using.
Thanks
Bhagya
Hi,
Strange. This should work when you create and test this user in the WebLogic internal LDAP.
Thanks
Hi Edwin,
In my case, I am using a message_protection_client_policy on the business service. It encrypts and signs the request fine but it fails on the response. It seems it is trying to apply the policy on the response leg as well. I have turned that option off at the policy level via WSM but the behavior is still the same.
Regards,
Tumi Mametsa
Hi,
So the response is not encrypted (what is on the server side, also OWSM?), and if you changed and copied the new OWSM client policy and attached this to the BS then it should work.
Thanks
Hi Edwin,
I have a requirement to use the oracle/wss11_x509_token_with_message_protection_service_policy policy without any message encryption, i.e. a custom policy.
From the EM Console I have created a custom policy from oracle/wss11_x509_token_with_message_protection_service_policy without message encryption, i.e. I have unchecked the option of body encryption in the EM Console, and then attached the policy to the web service (say helloWorld).
In a similar way I have created a client for the same custom policy and attached it to the JDeveloper proxy.
But when I am trying to invoke the web service secured with the custom policy from the JDeveloper proxy service I am getting an error like:
INFO: WSM-09004 Component auditing cannot be initialized.
SEVERE: WSM-07620 Agent cannot enforce policies due to either failure in retrieving polices or error in validations, detail= "WSM-06102 The policy reference URI "wss11_x509_token_without_message_protection_client_policy" is not valid.
".
SEVERE: WSM-07501 Failure in Oracle WSM Agent processRequest, category=security_and_management, function=agent.function.client, application=null, composite=null, modelObj=helloWorldService, policy=null, policyVersion=null, assertionName=null.
oracle.wsm.common.sdk.WSMException: WSM-07620 : Agent cannot enforce policies due to either failure in retrieving polices or error in validations, detail= "WSM-06102 The policy reference URI "wss11_x509_token_without_message_protection_client_policy" is not valid.
".
I have created two keystores, one for the server and the other for the client.
In my client code I am setting these values also:
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "D:\\KEYSTORE\\client.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "clientKey");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "clientKey");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "clientKey");
But I am not sure why the secured server with the custom policy is not getting invoked.
Can you please help me with that? It's basically invoking a custom policy oracle/wss11_x509_token_with_message_protection_service_policy without message encryption from JDev or SoapUI.
Thanks,
Ashish
Hi,
Did you also create a matching client policy? And when testing from JDeveloper you also need to add this to a folder (don't know exactly which one).
Thanks
Hi Edwin,
On the UCM server side I set up a WS with oracle/wss_username_token_over_ssl_service_policy and added a credential pair in my domain. Then I created a new content repo connection in JDeveloper with the JAX-WS socket type and filled in the client policy and credential. However, there is always an error like "The request must be over SSL". Any help for that?
Thx & BR
Hi Edwin,
I am consuming a web service which is enabled with wss11_saml_or_username_token_with_message_protection_service_policy and wss11_saml_token_with_message_protection_client_policy policies using a proxy client and data control in ADF. But I have the following questions in consuming them:
1) Can I use the certificate from the browser of the server URL to configure as the public key in my client keystore?
2) How do I get WSSEC_ENC_KEY_PASSWORD? Is it the encryption password configured on the server?
Thanks,
Shyam
Hi,
Probably you need a public and private key for this client.
For 2 it is probably, or you need to do this in the EM; here you have a credential store where you can add this password entry.
Thanks
Hi Shyam,
How did you manage to consume the web service which is enabled with wss11_saml_or_username_token_with_message_protection_service_policy and wss11_saml_token_with_message_protection_client_policy policies?
Can you please illustrate how to go about it as shown with the other policies above.
Hi Edwin,
Do you have any blogs which give details on creating Policy Sets?
I have created a new policy set and added policies to it. Now when I deploy my composite I expect it to attach policies but it does not. Any pointers on what could be wrong?
Thanks
Hi,
Did you do this in the EM or in JDeveloper?
Thanks
Hi Edwin,
I am trying to use Policy Sets so that the policies attach to the composite on deployment.
Can you share any steps/way to do that?
Thanks
Hi, I tried consuming a REST service (HTTPS GET) with self-signed certificates without hostnames through BPEL.
When I try to call the service it returns this error:
java.net.ProtocolException: missing header WWW-Authenticate
Could you please tell me what I can do to call a service with these features?
Hi,
Can you please provide the configuration for this policy: wss11_saml_token_with_message_protection_client_policy
Reg
Sridhar
Hi Edwin,
I am a newbie. The code samples you provide are for a Java SE standalone client, right? And your IDE is JDev, I suppose.
I would like to implement your samples with Eclipse OEPE. Is it feasible? Could you please summarize the main steps and mainly the JARs I have to put on the classpath?
Thanks
Hi Edwin,
I am using FMW 12.1.3. Mysteriously, I can no longer attach OWSM policies to my Web Service via EM. In the page showing the details of my Endpoint, the tab "WSM Policies" is missing and in its place there is a tab "WebLogic Policies violations". It looks like there is some WebLogic policy attached to my WS, but I checked and there is none. I tried to redeploy, but no change.
Any suggestion?
Regards
Livio
Hello Edwin,
I was trying to resolve an issue with oracle/wss10_x509_token_with_message_protection_service_policy; maybe you came across it too.
If I add the CN as a user the policy goes well, although when I then remove the user the policy is still allowed. Seems like the username is cached. Any ideas?
Hi Edwin,
How do I configure the following JKS in WebLogic Server to deploy and run the client web application in the application server? I am able to run the code with a standalone Java file. But what are all the configuration changes which need to be done to deploy the client code in WebLogic Server?
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
Hi Edwin,
I did use OWSM in 10g long back in the year 2008; since then I haven't used OWSM. During that time it had its own console wherein we could develop a wrapper service on top of the actual service and could specify all sorts of rules.
But in SOA 11g and 12c I can't find a similar console. Has the architecture of OWSM been completely changed in SOA 11g and 12c?