
Saturday, August 21, 2010

The things you need to do for OWSM 11g policies

In Fusion Middleware 11g it is not so difficult to protect your JAX-WS Web services or your Composite Services: you just need to add an Oracle Web Service Manager service policy to the Web Service. That is all the work for the developer or release manager, and now the work starts for the administrator. This person needs to be familiar with Enterprise Manager, the WebLogic Console, OpenSSL and the keytool utility of the JDK. In this blogpost I will show what you need to do if you choose a particular OWSM policy.


Let's start simple with one of the following policies:
oracle/wss_http_token_service_policy
oracle/wss_username_token_service_policy

These policies can be used for HTTP Basic Authentication or for a Username Token in a SOAP message. The only thing you need to do for these policies is to add some users to the myrealm security realm in the WebLogic Console.
On the client side you need to do the following.
import java.util.Map;
import javax.xml.ws.BindingProvider;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

// Execute, Request_Response_ptt, Request and Response are the JAX-WS proxy classes generated from the WSDL.
Execute execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss_username_token_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);

// The credentials must belong to a user in the myrealm security realm; OWSM sends them as a
// UsernameToken (or as HTTP Basic credentials when the http_token policy is used).
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);


The Message protection policies
oracle/wss10_message_protection_service_policy
oracle/wss11_message_protection_service_policy
When you choose one of these policies you need to generate a server certificate for encryption and put it in a Java keystore. For the client side you also need to make a keystore, but this one only contains the public key of the server encryption certificate. (This is the case for wss11; for wss10 you also need to generate a client certificate besides the public key of the server, see the x509_token_with_message_protection policies below for how to do this.)

To add your server keystore to FMW, go to the Enterprise Manager and select your WebLogic Domain. In the menu go to the Security / Security Provider Configuration page, where you can import your Java keystore. Before you start you need to copy your keystore to your domain folder, into the config/fmwconfig folder.

In this example I used two certificates, one for the signature and one for the encryption. For the wss11 message protection service policies you only need the encryption certificate.
On the client side you need to load the client keystore and the public key of the server encryption certificate.
// ClientConstants is oracle.wsm.security.util.SecurityConstants.ClientConstants
Execute execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

// Client keystore; for wss11 it only has to contain the public server encryption certificate
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

// server_encr is the alias of the server encryption certificate in the client keystore;
// the recipient alias is the key the request gets encrypted with
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
For the wss10_message_protection_service_policy you need to do the following.
Execute execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

// Client keystore; for wss10 it contains the client's own key pair (client1) and the public server encryption certificate
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

// The client private key is the encryption key alias, the server certificate is the recipient
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

// wss10 also signs the request with the client private key
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);

The above policies can also be combined, as in these policies:
oracle/wss10_username_token_with_message_protection_service_policy
oracle/wss11_username_token_with_message_protection_service_policy


For these policies you need to create a user in the WebLogic Console for the username token and generate a server and a client keystore for the message protection part.
On the client side you need to do the following.
Execute execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

// Username token part: a user of the myrealm security realm
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");

// Message protection part: same keystore settings as for wss11_message_protection
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
For the wss10_username_token_with_message_protection_service_policy you need to do the following (here you also need a client certificate besides the public key of the server).
Execute execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss10_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

// Username token part: a user of the myrealm security realm
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");

// Message protection part: same keystore settings as for wss10_message_protection
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

// wss10 also signs the request with the client private key
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
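The client snippets above differ only in which request-context properties they set. As an added example, not code from the original post, here is a small helper that derives those properties from the client policy name so the rules are written down once: username-token and http-token policies get the WebLogic credentials, message-protection policies get the keystore and the encryption/recipient aliases, and the wss10 and x509 variants additionally get the client signature alias. As in the wss10 snippets above, the wss10 variants point WSSEC_ENC_KEY_ALIAS at the client key, the wss11 ones at the server encryption certificate. The class name OwsmClientContext, the Settings holder and the sample values are assumptions; ClientConstants is Oracle's oracle.wsm.security.util.SecurityConstants.ClientConstants used in the snippets.

```java
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;

/** Hypothetical helper (not part of OWSM): builds the request-context
 *  properties that one OWSM client policy needs. */
public final class OwsmClientContext {

    /** Assumed holder for the values the post hard-codes in every snippet. */
    public static final class Settings {
        String username, password;              // user in the myrealm security realm
        String keystorePath, keystorePassword;  // client JKS keystore
        String clientKeyAlias, keyPassword;     // client private key (client1 in the post)
        String serverEncAlias;                  // public server encryption cert (server_encr)
    }

    static boolean needsCredentials(String policy) {
        return policy.contains("username_token") || policy.contains("http_token");
    }

    static boolean needsMessageProtection(String policy) {
        return policy.contains("message_protection");
    }

    /** wss10 and x509 policies sign the request with the client's own key. */
    static boolean needsClientSignature(String policy) {
        return policy.contains("wss10") || policy.contains("x509_token");
    }

    /** Properties for a client policy name such as
     *  "oracle/wss11_x509_token_with_message_protection_client_policy". */
    public static Map<String, Object> build(String policy, Settings s) {
        if (!policy.endsWith("_client_policy")) {
            throw new IllegalArgumentException("expected an OWSM client policy, got " + policy);
        }
        Map<String, Object> ctx = new HashMap<>();
        if (needsCredentials(policy)) {
            ctx.put(BindingProvider.USERNAME_PROPERTY, s.username);
            ctx.put(BindingProvider.PASSWORD_PROPERTY, s.password);
        }
        if (needsMessageProtection(policy)) {
            ctx.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
            ctx.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, s.keystorePath);
            ctx.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, s.keystorePassword);
            // wss10: client key as encryption alias; wss11: the server encryption certificate
            boolean wss10 = policy.contains("wss10");
            ctx.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, wss10 ? s.clientKeyAlias : s.serverEncAlias);
            ctx.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, s.keyPassword);
            ctx.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, s.serverEncAlias);
            if (needsClientSignature(policy)) {
                ctx.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, s.clientKeyAlias);
                ctx.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, s.keyPassword);
            }
        }
        return ctx;
    }

    /** Applies the properties to a JAX-WS port created with the matching SecurityPolicyFeature. */
    public static void apply(Object port, String policy, Settings s) {
        ((BindingProvider) port).getRequestContext().putAll(build(policy, s));
    }

    public static void main(String[] args) {
        Settings s = new Settings();  // constructed sample values taken from the post
        s.username = "test";
        s.password = "weblogic1";
        s.keystorePath = "C:/client_keystore.jks";
        s.keystorePassword = "welcome";
        s.clientKeyAlias = "client1";
        s.keyPassword = "welcome";
        s.serverEncAlias = "server_encr";
        String[] policies = {
            "oracle/wss_username_token_client_policy",
            "oracle/wss11_message_protection_client_policy",
            "oracle/wss10_username_token_with_message_protection_client_policy",
            "oracle/wss11_x509_token_with_message_protection_client_policy" };
        for (String p : policies) {
            System.out.println(p + " -> " + build(p, s).keySet());
        }
    }
}
```

Use it as `OwsmClientContext.apply(request_Response_ptt, "oracle/wss10_message_protection_client_policy", settings)` right after creating the port; the policy name passed here must be the same one given to the SecurityPolicyFeature, otherwise the context and the policy disagree and OWSM will reject the request.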

In the last part of this blogpost I will explain the following policies:
oracle/wss10_x509_token_with_message_protection_service_policy
oracle/wss11_x509_token_with_message_protection_service_policy

These policies use the client certificate for the signature and the public key of the server encryption certificate for the encryption.
So we start by making some keystores with some certificates. I don't use self-signed certificates, because then for every new client I would need to update the server keystore and reboot the FMW server. Now I only have to import the CA public certificate into the server keystore. This is how my server keystore looks:

It has a private certificate for the server signature and one for encryption. The CA public key is trusted.

For the client I have this keystore (every customer / application can have its own client keystore):

The CA and server encryption certificates are public certificates and are trusted.
Because the FMW server does not know this client certificate (it only knows the CA) you need to add a new user in the myrealm security realm in the WebLogic Console. The password of this user is not important; the only requirement is that the common name of the client certificate is the same as the WebLogic username.

And finally the client code, where we need to provide the client signature certificate details.
Execute execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_x509_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

// Client keystore with the client key pair (client1), the CA certificate and the public server encryption certificate
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

// The client certificate signs the request; its common name must be a WebLogic user
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");

// The request is encrypted for the server encryption certificate
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
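Most failures with the x509 policies come from the keystores not matching the requirements stated above rather than from the client code, so it pays to check them before the first call: the client keystore must hold a private key under the signature alias and the public server encryption certificate under the recipient alias, the server keystore must trust the CA that issued the client certificate, and the certificate's common name must equal the WebLogic username. The following pre-flight check is an added example, not code from the original post or from OWSM, written against the plain JDK KeyStore API. The class name, the server keystore path C:/server_keystore.jks, the CA alias "ca" and the assumption that the server keystore stores its encryption key under the same alias (server_encr) and that the WebLogic user is called "client1" are all assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical pre-flight check (not part of OWSM) for the client and server keystores
 *  used by the x509_token_with_message_protection policies. Empty result means consistent. */
public final class OwsmKeystorePreflight {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Common name of the subject DN; this is the value that must match the WebLogic username. */
    static String commonName(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static List<String> check(KeyStore client, String sigAlias, String recipientAlias,
                                     KeyStore server, String serverEncAlias, String caAlias,
                                     String weblogicUser) throws Exception {
        List<String> problems = new ArrayList<>();

        // 1. The signature alias must be a PrivateKeyEntry in the client keystore.
        if (!client.isKeyEntry(sigAlias)) {
            problems.add("client keystore: '" + sigAlias + "' is not a private key entry");
        }

        // 2. The recipient alias must hold exactly the certificate the server encrypts with.
        Certificate recipient = client.getCertificate(recipientAlias);
        Certificate serverEnc = server.getCertificate(serverEncAlias);
        if (recipient == null) {
            problems.add("client keystore: recipient alias '" + recipientAlias + "' is missing");
        } else if (serverEnc == null) {
            problems.add("server keystore: encryption alias '" + serverEncAlias + "' is missing");
        } else if (!Arrays.equals(recipient.getEncoded(), serverEnc.getEncoded())) {
            problems.add("recipient certificate differs from the server encryption certificate");
        }

        // 3. Client certificate: valid today, CN equals the WebLogic user, issued by the trusted CA.
        Certificate c = client.getCertificate(sigAlias);
        if (c instanceof X509Certificate) {
            X509Certificate clientCert = (X509Certificate) c;
            try {
                clientCert.checkValidity();
            } catch (GeneralSecurityException e) {
                problems.add("client certificate is not valid now: " + e.getMessage());
            }
            String cn = commonName(clientCert);
            if (!weblogicUser.equals(cn)) {
                problems.add("certificate CN '" + cn + "' does not match WebLogic user '" + weblogicUser + "'");
            }
            Certificate ca = server.getCertificate(caAlias);
            if (ca == null) {
                problems.add("server keystore: CA alias '" + caAlias + "' is missing");
            } else {
                try {
                    clientCert.verify(ca.getPublicKey());
                } catch (GeneralSecurityException e) {
                    problems.add("client certificate was not issued by the CA in the server keystore");
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: paths, CA alias and user name are assumptions.
        KeyStore client = load("C:/client_keystore.jks", "welcome".toCharArray());
        KeyStore server = load("C:/server_keystore.jks", "welcome".toCharArray());
        List<String> problems = check(client, "client1", "server_encr",
                                      server, "server_encr", "ca", "client1");
        if (problems.isEmpty()) {
            System.out.println("keystores are consistent for the x509 policies");
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
        }
    }
}
```

Run it on the administrator's machine with both keystores available; the third check is the one behind the FailedAuthentication and "path to the certificate used for the signature is invalid" errors discussed in the comments, since OWSM on the server only knows the CA and the WebLogic user name.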

For OWSM SAML policies see this blogpost

For OWSM kerberos policies see this blogpost

93 comments:

  1. Hi Edwin,
    A completely different question from the topic of your post

    I have a simple SOA Composite in which a Human Task is created and assigned to a Group.I have to deploy this composite to 3 different environments (ie) DEV,TEST & PROD. In Active Directory we have the following setup

    1. FixedAssets-DEV
    2. FixedAssets-TA
    3. FixedAssets-PROD

    While deploying the composite to DEV , the task should be routed to the group 'FixedAssets-DEV' . Similarly in TEST the task should be routed to 'FixedAssets-TA' and in PROD the task should be routed to 'FixedAssets-PROD'.

    I am not able to do this using a config plan as the config plan would only act on 'service' and 'reference' elements and the Human Task is a 'component'.

    I have also tried the following

    1. Added a GroupName Property to the .componentType file of the Human Task
    2. In the Assignment Tab of the Human Task Editor, used XPATH expression
    3. Used ora:getPreference('GroupName') to get the group name

    But the ora:getPreference() function does not seem to be available in this context.

    Does anyone have any ideas on how to solve this issue

    PS: Please copy me on the replies as I am not a member of this group

    Thanks in advance,
    Prasanna

  2. Hi,

    Can't you use an inputparameter to the HumanTask and use this param for your group assignment. That should work. This inputparameter / payload can be controlled from BPEL.

    hope this helps.

  3. Hi Edwin, this is a great article. I have followed it but I am getting an error as follows:

    SEVERE: WSM-00145 Keystore location or path can not be null or empty; it must be configured through JPS configuration or policy configuration override.
    SEVERE: WSM-00111 Keystore is not properly configured in JPS config.

    I have called the getBSTCredentialProvider with all the keystore information I have setup but it still seems to want me to provide these through jps-config.xml.

  4. Hi,

These jps-config.xml errors can be ignored; it has something to do with OPSS.

    thanks

  5. Hi Edwin,

    Have you tried SAML token insertion policies on OWSM 11g?

    I wanted to know how to validate SAML token against siteminder for user authentication. I appreciate your help

Regards,
    Sri

  6. Any Step by step document for implementing

    oracle/wss10_x509_token_with_message_protection_service_policy

    As this blog looks like more of Documentation stuffs , which have to debug

  7. Hi,

    I did not do much with the SAML OWSM policies ,only with the WebLogic ones

    For
    oracle/wss10_x509_token_with_message_protection_service_policy
    oracle/wss11_x509_token_with_message_protection_service_policy

    See the last part of this blogpost,
    make a client and server keystore , import the CA and exchange the public keys, import that in the keystores and add a user in the security realm with the same name as the common name of the client cert.


    thanks

  8. Hi Edwin, a really useful guide.

    Could you please post the steps you followed to generate the server and client keystore for x509 token policies???
    that would be awesome.....

    thanks in advance

  9. Hi,

    read this blogpost http://biemond.blogspot.com/2009/06/ws-security-in-osb.html

    this contains , how you can generate your own CA and create some keystores.

    thanks

  10. Hi Edwin,
    I am developing a service that needs to taken an input message and return the encrypted format of that message.
    We want to host this as a generic message? can you please let me know if these policy would help me that?? As these policies are applied on endpoint, I am not able to return a encrypted message as a response.
    Basically, I want to have a request reply service that would take a xml message and return an encrypted message in response. Please help me out with your suggest as how should I proceed.

  11. Hello Edwin,
    Please let me know if we can use policies to return an Encrypted message in 11g for a given message as we do in 10G. I would like to host a service that would return an encrypted message back for a given text message.

  12. Hi,

    I think it is possible, you need to make a custom XSD with a content part (anyxml) where you put in the data/xml just like in 10g

    but I think you want the oracle/wss11_message_protection_service_policy on the response message. Dont know if that is easy
    you can copy and change this policy so only the response is encrypted.

    else you can make a Async jax-ws service and only put the policy on the response, like this
    http://biemond.blogspot.com/2011/02/building-asynchronous-web-service-with.html

    else maybe
    the new xml enterprise gateway can help.

    thanks and let me know or blog about it.

  13. Hi

    Thank you for your very useful blog.

    I'm working on a web service client proxy to which I have attached owsm policy oracle/wss10_x509_token_with_message_protection_client_policy. I have also programmatically defined the keystore, alias and password settings as you have shown in your good examples.

    I have tested my creations in JDeveloper. According to the HTTP analyzer I have sent a request and I'm getting a response, but it fails with a wsm-00030 key wrap error. The decrypting expects oaep, but gets Rsa-15. How to fix?

    Thanks in advance

    BR
    Marko

  14. Hi,

    What for owsm server policy do you use on the server side.

    does your client and server policy match

    thanks

  15. Hi and thank you for quick answer

    The server is from different world.
    It is Sun GlassFish Enterprise Server v2.1 and according to service provider, they don't use any formal policy. But the policy we are using does the job till this key wrap mismatch.

    I've found the documentation, which says the key wrap algorithm can be changed at our end.

    I have tried to find programmatic way and tried alter the policy, no luck.

    Below the err from weblogic server where my client runs as proxy. The proxy is deployed as web service to our local usage.

    javax.xml.rpc.JAXRPCException: WSM-00030 : The encryption method key wrap algorithms do not match : Expected : http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, , Actual : http://www.w3.org/2001/04/xmlenc#rsa-1_5.

    BR
    Marko

  16. Hi,

    In the EM you can copy and then change the client policy; maybe you can change it in one of the assertions.

    thanks

  17. Hi

    Thanks for advise.
    I've done that.

    One thing still:
    I did export the custom policy and pointed it in JDeveloper, attached it to my proxy and tried to run my test program. Program did not understand the policy, gave errors.

    Does this custom policy need registration/import/spell to be accepted by JDev ?

    Thank you for your valuable help.

    BR
    Marko

  18. Hi,

    did you do this, I copied a existing policy from DefaultDomain\oracle\store\gmds\owsm\policies\oracle ( be aware you copy the right client or server policy -> ws and client -> proxy client ) to the DefaultDomain\oracle\store\gmds\owsm\policies\policy_file folder

    and changed the following attributes of the wsp:Policy element ( top ) to a unique name, so I can see them in jdeveloper

    wsu:Id="edwin_service_policy"
    orawsp:displayName="edwin_service_policy"
    orawsp:description="edwin"
    Name="edwin_service_policy"

  19. Hi

    I did all of your mods to my custom policy. I attached it to my client proxy, compiled it and deployed to my local integrated WLS. Not working.

    I tried to run my proxy in JDev with my test class, no luck.

    Error message:
    SEVERE: WSMAgentHook: An Exception is thrown: WSM-06102 The policy referenced by URI "oracle/wss10_x509_token_with_message_protection_client_policy_om" could not be retrieved.

    Some kind of importing step for custom policy is missing here, I think.

    BR
    Marko

  20. Hi

    I skipped the idea to test in JDev.
    I'm now using only my copied and modified custom policy on WLS.

    No key wrap error anymore.

    Now I'm having problems with my WSSEC_RECIPIENT_KEY_ALIAS.
    It says WSM-00056 : The key, om, is not retrieved. Now what ?

    (makes me think: is someone really using these security things? Or does the security mean that nobody is able to access the data)

    BR
    Marko

  21. Hi,

    did you configure the keystores in EM. this is necessary in wls

    you need to have a map with some key entries

    thanks

  22. Hi

    Keystores in plural ?
    The server side is remote and I'm not handling that, lucky me.

    I have only one keystore with my private key and their public key like this:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    om, 18.5.2011, trustedCertEntry,
    Certificate fingerprint (MD5): 2B:37:6F:1E:A2:23:6B:24:6E:E9:AC:7D:65:F2:23:99
    ij, 16.5.2011, PrivateKeyEntry,
    Certificate fingerprint (MD5): D1:41:16:E3:14:CF:B1:DB:51:1E:44:7B:CA:9C:AF:CE

    In my code I'm using these like this:

    reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "/oraweb/user_projects/domains/intrum/config/fmwconfig/default-keystore.jks");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "xx");

    reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "ij");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "xx");

    reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "om");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "xx");
    reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "om");

    I suppose I will need something more ?

    BR
    Marko

  23. Hi,

    can you remove your keystore entries and leave it to the weblogic server and the EM
    only need to set the OWSM client policy

    like this
    http://biemond.blogspot.com/2009/09/wsm-in-fusion-middleware-11g.html

    thanks

  24. Hi

    Thank you for your patience.

    Do you mean, that I can configure the proxy part separately and still be able to keep the locally used web service clear?

    At least with WLS's console that wasn't possible. The policy could be attached to web service.

    I'll examine that, thanks.

    BR
    Marko

  25. Hi,

    you can remove this
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "/oraweb/user_projects/domains/intrum/config/fmwconfig/default-keystore.jks");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "xx");

    reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "ij");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "xx");

    reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "om");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "xx");
    reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "om");

    and configure the keys in the EM

    For EM use /em instead of /console

    thanks

  26. Hi Edwin

    i have some problem when using oracle/wss11_x509_token_with_message_protection_service_policy.
    can you give me some suggestion please.

    Here is the information of my case.

    Server keystore looks like
    ------------------------------------------------------------------------------------------
    キーストアのタイプ: JKS
    キーストアのプロバイダ: SUN

    キーストアには 2 エントリが含まれます。

    orakey, 2011/06/02, PrivateKeyEntry,
    証明書のフィンガープリント (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
    soa_infra, 2011/06/02, trustedCertEntry,
    証明書のフィンガープリント (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
    -----------------------------------------------------------------------------------------

    Client keystore looks like
    ------------------------------------------------------------------------------------------
    キーストアのタイプ: JKS
    キーストアのプロバイダ: SUN

    キーストアには 2 エントリが含まれます。

    orakey_public, 2011/06/02, trustedCertEntry,
    証明書のフィンガープリント (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
    jcooper, 2011/06/06, PrivateKeyEntry,
    証明書のフィンガープリント (MD5): 3A:1E:1F:D3:66:A6:F5:1E:86:84:0B:22:8D:AD:D6:BE
    -----------------------------------------------------------------------------------------

    New user in the myrealm Security Realm
    -----------------------------------------------------------------------------------------
    dn: uid=jcooper,ou=people,ou=myrealm,dc=soa_domain
    -----------------------------------------------------------------------------------------

    and i got the following exception in soa_server1-diagnostic.log
    -----------------------------------------------------------------------------------------
    Caused by: oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate used for the signature is invalid.
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:956)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:839)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:803)
    at oracle.wsm.security.policy.scenario.executor.Wss11MutualAuthWithCertsScenarioExecutor.receiveRequest(Wss11MutualAuthWithCertsScenarioExecutor.java:131)
    ... 43 more
    -----------------------------------------------------------------------------------------

  27. Hi,

    Did you import the public key of jcooper in the server keystore, don't know if the CA key is enough.

    and the common name of jcooper cert should be a user in the myrealm security realm.

    thanks

  28. Hello Edwin, Thanks a lot!
    After import the public key of jcooper into the server keystore then it's working fine.
    Here i have an other request,Would you show us how to using saml token under soa 11g,

    By then way I am a big fan of your blogs.

    Thanks,
    Jalen

  29. Hello Edwin,

    Using Oracle WebServices Manager, I'm forcing to the client to use Oracle libraries like weblogic.jar, jrf.jar. Is this true?

    These libraries are licensed?

    Thanks in Advance.

  30. Hi,

    Don't force the client , because it is licensed stuff and it's java.

    In the fmw documentation there are great big guide how you can use OWSM with .net . And this should not be necessary because it is all web services. Even with soapui you can do a lot. Or use the new XML gateway product at the client.

    But with security it works or not , nothing in between so it can take a while of testing at the clients before it works.

    Thanks

  31. Hi

    Do you have the full commands to create client_keystore.jks and server_keystore.jks.

    I am not strong in this area and would like keytool commands to create these.

  32. Hi,

    here they are.

    Generate a new Java Keystore with a self signed server key.
    keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=server, C=US" -keypass welcome -keystore c:\server.jks -storepass welcome

    Generate a new client certificate with client as common name (CN) attribute and store it in the client_2.jks keystore.
    keytool -genkey -alias clientKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=client, C=US" -keypass welcome -keystore c:\client_2.jks -storepass welcome

    Export the public key of the server certificate.
    keytool -exportcert -alias serverKey -storepass welcome -keystore c:\server.jks -file c:\server.cer

    Import the public key.
    keytool -import -file c:\server.cer -alias serverKey -keystore c:\client_2.jks -storepass welcome -keypass welcome

    Export the public key of the client certificate.
    keytool -exportcert -alias clientKey -storepass welcome -keystore c:\client_2.jks -file c:\client_2.cer

    Import the key in the server Java keystore.
    keytool -import -file c:\client_2.cer -alias clientKey -keystore c:\server.jks -storepass welcome -keypass welcome

  34. Hello Edwin,

    I have a BPEL composite deployment under soa-infra that calls a WSSEOASIS2004Compliant secure webservice.

    I can call the service from SOAPUI by providing the username and password

    When I try to make the call from the BPEL service, I get this error:
    oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://www....
    We are using SOA 11.1.1.4.

    I was following your blog and OTN forum(https://forums.oracle.com/forums/thread.jspa?threadID=2148565&start=0&tstart=0)

    Here they have suggested to use Keystore/certificate/Keys..etc

    I have Securewebservice WSDL file/URL with username/password.

    From here I would like to know the steps required to invoke the secure ws
    and How to use Keys/keytool/Certificates


    Thanks,
    AB

  35. Hi,

    here you got some info about how to generate some self signed keys and use it in OWSM

    http://biemond.blogspot.com/2011/09/calling-owsm-protected-service-with.html

    for only using some keys in 1 composite , you can add those keys in the credentials map of owsm and override the default keys of the composite at deployment time.

    hope this helps and for the truststore of owsm you dont have to do anything , just add the ca and public keys to the keystore used in owsm.

    good luck

  36. Hi Edwin,

    I followed your instructions in order to configure the oracle/wss11_x509_token_with_message_protection_client_policy policy but I'm getting this error:

    Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: FailedAuthentication : The security token cannot be authenticated.

    Do you have any idea whats wrong with my configuration??

    Replies
    1. Hi

      Do you have an user in weblogic which has the same name as the common name of your client certificate.

      thanks

  37. Hi Edwin, my name is Silvia. I'm trying to put a ws security, but to make the complete sample the following error occurs:

    30/04/2012 12:29:24 PM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
    GRAVE: java.io.FileNotFoundException: C:\JDeveloper\mywork\SecurityBuena\Security\.\config\jps-config.xml (El sistema no puede encontrar la ruta especificada)
    INFO: WSM-09004 No se puede inicializar la auditoría del componente.
    INFO: WSMAgent is initialized for category=security, function=agent.function.client, topologyNodePath=null, isJ2EE=false
    INFO: Configuration property keystore.enc.csf.key value is null
    ADVERTENCIA: keystore passwords must not be used in the clear! Please use CSF to secure passwords
    ADVERTENCIA: signature key passwords must not be used in the clear! Please use CSF to secure passwords
    ADVERTENCIA: encryption password must not be used in the clear! Please use CSF to secure passwords
    INFO: Successfully loaded keystore [ path:{0}, type:{1}, sign-alias:{2}, crypt-alias:{3}, recipientAlias:{4}, recipientCert:{5}] Successfully loaded keystore [ path:C:\Certificado\ospru.jks, type:JKS, sign-alias:osbpru, crypt-alias:osbpru, recipientAlias:osbpru, recipientCert:null]
    ADVERTENCIA: keystore passwords must not be used in the clear! Please use CSF to secure passwords
    ADVERTENCIA: signature key passwords must not be used in the clear! Please use CSF to secure passwords
    ADVERTENCIA: encryption password must not be used in the clear! Please use CSF to secure passwords


    Can you help me please???

    Replies
    1. Hi,

      when you see this in a java client then you can ignore it ( cause it is not running on a weblogic server ) .

      Inside a webapp , osb or soa suite it won't give you these errors.

      thanks

  38. Hi Edwin
    your article I have been very helpful.

    But, i need to understand how the certificate expiration day are validate and how to know if the certificate was revoked?.

    Thanks

    Replies
    1. Hi,

      This is handled by the java jvm. you will get a certificate exception and OWSM gives you an error.

      thanks

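As an added illustration of the reply above (this is not code from the post): a standalone Java program that loads the client keystore used throughout the post and performs the checks the JVM runs when OWSM validates a certificate. The validity period is checked with checkValidity(), which is what produces a CertificateExpiredException, and the chain is then validated with the PKIX validator with the JDK's own revocation checker attached, so CRL distribution points or the OCSP responder named in the certificate are consulted. The keystore path, its password and the aliases server_encr and ca_root are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

public class ServiceCertCheck {

    /** Validity-period check only: compares notBefore/notAfter with the current time. */
    static boolean withinValidityPeriod(X509Certificate cert) {
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            System.out.println("validity period check failed: " + e.getMessage());
            return false;
        }
    }

    /** Full PKIX validation: chains to a trust anchor, checks dates, and checks revocation via CRL/OCSP. */
    static boolean pkixValidate(X509Certificate cert, Set<TrustAnchor> anchors) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(cert));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(anchors);

        // The JDK's revocation checker reads the CRL distribution point / AIA extensions of the
        // certificate. Without Option.SOFT_FAIL an unreachable CRL or OCSP source is reported as
        // UNDETERMINED_REVOCATION_STATUS and the validation fails instead of silently passing.
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        params.addCertPathChecker(revocation);

        try {
            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // getReason() is e.g. BasicReason.EXPIRED, BasicReason.REVOKED
            // or BasicReason.UNDETERMINED_REVOCATION_STATUS
            System.out.println("PKIX validation failed: " + e.getReason() + " - " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the client keystore from the post, the alias holding the service's
        // public certificate, and a hypothetical trusted-certificate entry for the issuing CA.
        String keystorePath = "C:/client_keystore.jks";
        char[] storePass = "welcome".toCharArray();
        String serviceAlias = "server_encr";
        String caAlias = "ca_root";

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        X509Certificate serviceCert = (X509Certificate) ks.getCertificate(serviceAlias);
        X509Certificate caCert = (X509Certificate) ks.getCertificate(caAlias);

        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(caCert, null));
        System.out.println("within validity period: " + withinValidityPeriod(serviceCert));
        System.out.println("chain and revocation ok: " + pkixValidate(serviceCert, anchors));
    }
}
```

The reason reported by CertPathValidatorException is the useful part when OWSM only surfaces a generic security fault: EXPIRED and REVOKED are distinct from UNDETERMINED_REVOCATION_STATUS, which usually means the CRL or OCSP endpoint could not be reached from the server.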
  39. Hi Edwin
    is it possible to test this example with SOAPUI?
    I have some troubles with the configuration of SOAPUI (4.5.0) to test the wss11_x509_token_with_message_protection_client_policy

    Thanks!

    1. Hi,

      It is possible but you need to know what you are doing. What order of timestamp, signing, encryption etc.

      Start simple with your own owsm policy with for example only message protection
      Get it working with a java client
      Add a proxy client in between to intercept the http calls and compare this with soapui.

      good luck

    2. Were you successful in getting SoapUI 4.5 to test a web service that enforces the wss11_x509_token_with_message_protection_service_policy? I get close but am not successful. My SoapUI outgoing WS-Security configuration has a Timestamp, a Signature for Timestamp and Body using the client private key, the Encryption on Body using the server public key, and finally a Signature on the BinarySecurityToken again using the client private key. Unfortunately, the owsm/msglogging/diagnostic.log shows WSMException: GenericFault caused by java.lang.RuntimeException: ERROR: Unsupported Type: [ and then the client certificate ]. This is a simple HelloWorldWebService implemented in OSB. I also have a simple HelloWorldWebClient in OSB that uses the same client certificate SUCCESSFULLY. Any ideas on how to test the service with SoapUI? Thanks.

    3. Hi,

      That is very hard, I know many people tried it but somehow it is impossible.
      Maybe this blog post can help you:
      http://biemond.blogspot.nl/2011/10/calling-owsm-protected-service-with.html

      thanks

  40. Is it possible to create a message protection, username_token over ssl policy?

  41. Hi Edwin,
    It is a nice post. How would I get the code attached to this post? I tried searching on GitHub but could not find it. Please suggest.

    1. Hi,

      in my OSB developer cookbook there are complete examples,

      but basically you add an OWSM server policy to a SOA composite or OSB proxy.
      Generate keystores and configure OWSM in the Enterprise Manager.
      Generate a web service proxy which uses the WSDL of the service. Add the right OWSM client policy, and then add the above code to the Java code and invoke it.

      thanks

  42. Hi Edwin,
    This is an extremely helpful article. But it would be of great help if you kindly guide me through implementing the same. Let me explain you the scenario. I have a ProviderABCS which calls a webservice that requires HTTP basic authentication. Till now I have used only WSS Username Token. Please guide me in implementing HTTP basic Authentication.
    Regards,
    Chandrika

  44. I have a scenario where I need to decrypt a 3rd party message on the OSB. I only have their public key. How would I go about this?

    1. Hi,

      Then you should use or modify an OWSM message protection client policy and add this to the business service. And of course add this public key to your own keystore, add this to EM and in the OWSM client policy make a reference to the public key alias.

      thanks

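One way to carry out the keystore step from the reply above, as an added example that is not the post's own code: the program imports the third party's public certificate into the client keystore used throughout the post, but only after comparing its SHA-256 fingerprint with the value received from the partner out of band, checking that it is within its validity period, and checking that it permits key encipherment (the usage a recipient certificate for message protection relies on). The certificate file path, the alias partner_enc and the expected fingerprint are placeholders; the OWSM client policy would then reference that alias as the recipient key.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class ImportPartnerCert {

    /** Colon-separated upper-case hex SHA-256 over the DER encoding, the form keytool -list -v prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Compare fingerprints ignoring case and colons, so either notation from the partner works. */
    static boolean fingerprintMatches(String expected, String actual) {
        return expected.replace(":", "").equalsIgnoreCase(actual.replace(":", ""));
    }

    /** KeyUsage bit 2 is keyEncipherment; an absent KeyUsage extension means unrestricted. */
    static boolean allowsKeyEncipherment(X509Certificate cert) {
        boolean[] usage = cert.getKeyUsage();
        return usage == null || usage[2];
    }

    public static void main(String[] args) throws Exception {
        String certFile = "C:/partner_enc.cer";            // placeholder: the certificate the partner sent (DER or PEM)
        String keystorePath = "C:/client_keystore.jks";    // client keystore from the post
        char[] storePass = "welcome".toCharArray();        // placeholder password
        String alias = "partner_enc";                      // hypothetical alias the client policy will reference
        String expectedFingerprint = "REPLACE-WITH-FINGERPRINT-FROM-PARTNER";   // placeholder, obtained out of band

        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        String actual = sha256Fingerprint(cert);
        if (!fingerprintMatches(expectedFingerprint, actual)) {
            throw new IllegalStateException("fingerprint mismatch, refusing to trust " + cert.getSubjectX500Principal()
                    + "\n expected " + expectedFingerprint + "\n actual   " + actual);
        }
        cert.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
        if (!allowsKeyEncipherment(cert)) {
            throw new IllegalStateException("certificate does not permit key encipherment");
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        // A trusted-certificate entry holds the public key only; no private key material is added.
        ks.setCertificateEntry(alias, cert);
        try (FileOutputStream out = new FileOutputStream(keystorePath)) {
            ks.store(out, storePass);
        }
        System.out.println("imported " + cert.getSubjectX500Principal() + " as alias " + alias);
    }
}
```

The fingerprint comparison is the step that matters: a certificate received by e-mail or downloaded from a portal proves nothing about who holds the private key until its fingerprint has been confirmed over a second channel.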
  45. Hi Biemond

    Thank you for this. I am quite new to OWSM. Can you perhaps take me through how you would practically do this? thanks.

    1. Hi,

      just follow my OWSM tag in my blog and read them all and then try it yourself: generate keys, configure EM and do some testing.

      good luck.

  46. Hi Edwin, your blog has helped me understand the basic OWSM policies. I created a blog in effort to simplify the OWSM understanding for users, wanted to let you know.

    http://oracleadfhowto.blogspot.in/2012/11/configuring-server-and-client-for-using.html

  47. Hi Edwin, hope you remember me.
    I have a typical requirement where Salesforce sends a message to Oracle through Oracle SOA 11g.
    Currently the SFDC team is applying a CA (VeriSign/GoDaddy) certificate to the outgoing message.

    Can you please help me to understand, what would be the steps in SOA layer to accept this certificate message from SFDC.
    It would be great if you provide detailed steps.

    Thanks in advance.

  48. Hi,

    First find out what WS-Security policy they are using, like signing, time token, encryption etc.
    Select the right client OWSM policy and maybe adjust the policy.
    Load the public key of Salesforce in the EM and maybe add a username to WebLogic.

    good luck

    1. Thanks for quick response.
      Salesforce is using certificates signed by publicly trusted CAs.

      In that case, I have the below understanding and a few questions, looking for your response.
      1) The exposed service in the composite is attached with an OWSM policy. Please let me know what the policy name is in the set of standard policies.
      2) How do we load the public key of Salesforce in the EM console?
      3) Why do we need to create a user in WebLogic?

      Thanks Edwin for your support.

    2. Hi,

      First you need to find out what policy you need or have, and then do the right actions. Do you need encryption, signing, user token or timestamp token etc.?

      thanks

    3. Hi Edwin,

      I am facing a particular scenario.
      I need to encrypt some data in a link; this data must be sent via the GET method.
      An OSB proxy service will accept this request, decrypt this data and continue with the process.

      encrypted link sample: http://myweb.com?data=OIEWRU232O4H2H42H42H2LJJSJJ
      decrypted get parameter: data = custName=me&custNumber=23444&custAddress=mystreet23

      Could I use policies to encrypt and decrypt parameters passed via the GET method in the HTTP header?

      Thanks!

    4. Hi,

      Not possible with a policy, WS-Security only supports it on the SOAP body.
      You can do a Java callout in OSB and decrypt with your private key.
      Can't you use a GUID token, where the receiver does a callback with this one-time token to retrieve the data with WS-Security or HTTPS?

      thanks

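A sketch of the Java callout route from the reply above, added here as an example and not taken from the post. The producer encrypts the clear query string with the OSB side's public key (RSA-OAEP, encoded as URL-safe Base64 so it survives inside a link), and a static method of the shape an OSB Java Callout expects decrypts it with the private key. The main method keeps the demo self-contained by generating a throwaway key pair; loadPrivateKey shows how the callout would read the key from the keystore, with placeholder path, passwords and alias. The sample query string is the one from the comment.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Base64;
import javax.crypto.Cipher;

public class LinkParamCrypto {

    // RSA-OAEP rather than PKCS#1 v1.5 padding: the ciphertext is randomised and not subject to the
    // classic padding-oracle weakness. With a 2048-bit key and SHA-256 OAEP the plaintext is limited
    // to 190 bytes; longer query strings need a random AES key wrapped with RSA and AES-GCM for the data.
    private static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Producer side: encrypt to the OSB public key; URL-safe Base64 without padding keeps the value link-clean. */
    public static String encryptParam(String clearQuery, PublicKey osbPublicKey) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, osbPublicKey);
        byte[] ct = cipher.doFinal(clearQuery.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(ct);
    }

    /** OSB side, static as a Java Callout requires: decrypt the value of the data parameter. Throws on tampered input. */
    public static String decryptParam(String dataParam, PrivateKey osbPrivateKey) throws Exception {
        byte[] ct = Base64.getUrlDecoder().decode(dataParam);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, osbPrivateKey);
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    /** How the callout obtains the key on the server: from the JKS keystore (all arguments are placeholders). */
    public static PrivateKey loadPrivateKey(String keystorePath, char[] storePass, String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        return (PrivateKey) ks.getKey(alias, keyPass);
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key pair so the round trip runs offline; in OSB call loadPrivateKey(...) instead.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        String clear = "custName=me&custNumber=23444&custAddress=mystreet23";
        String param = encryptParam(clear, kp.getPublic());
        System.out.println("http://myweb.com?data=" + param);

        String recovered = decryptParam(param, kp.getPrivate());
        System.out.println("decrypted: " + recovered);
        if (!clear.equals(recovered)) throw new AssertionError("round trip failed");
    }
}
```

Encryption here gives confidentiality only: anyone holding the public key can produce a link that decrypts cleanly, so the proxy still has to authorise the decrypted parameters before acting on them. That gap is exactly why the reply suggests a one-time GUID token with a callback over WS-Security or HTTPS instead.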
  49. Hi Edwin,

    Thanks for sharing this article!

    I am trying to consume Web Services of our Fusion application using the following web service policy "oracle/wss11_username_token_with_message_protection_client_policy". What are the steps I must follow to create a Client Java Application using Apache CXF with XMLbeans or ADF-WS Proxy?

    Using both frameworks I have already generated the code. But now I am stuck around the area of key stores... Do I need to configure a handler (ADF-WS Proxy)? Or interceptors (Apache CXF)?

    Thank you

    Greetings,
    Mark

    1. Hi,

      I know for ADF you only need to have the public key of the Fusion app server for encryption purposes. Configure this in the EM,
      and provide a username and password. You can add these entries in the ADF WS Datacontrol / POJO configuration or use ADF Security (authenticate in the application), and when there are 2 domains then you need to add a trust between these domains.

      thanks


  50. Hi Biemond,
    I'm trying to call a web service secured with "oracle/wss11_username_token_with_message_protection_client_policy" using the "Dispatch" object.

    I can call using static client. But the same service throws error with Dispatch client.

    I'm not sure what needs to be put into "reqContext". The server throws only internal system error , so debugging is hard. Could you please share some sample code. Thanks.




    1. Hi,

      you need to set these values (username plus the public key of the server)
      thanks

      import java.util.Map;
      import javax.xml.ws.BindingProvider;
      import oracle.wsm.security.util.SecurityConstants.ClientConstants;
      import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

      // Execute is the generated JAX-WS service class from the post
      Execute execute = new Execute();
      // attach the OWSM client policy that matches the service policy
      SecurityPolicyFeature[] securityFeatures =
      new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_username_token_with_message_protection_client_policy") };
      Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
      // Add your code to call the desired methods.
      Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

      // username token credentials
      reqContext.put(BindingProvider.USERNAME_PROPERTY, "test" );
      reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1" );

      // client keystore that holds the public certificate of the server
      reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
      reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
      reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

      // alias of the server certificate used to encrypt the request, also the recipient
      reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
      reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
      reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

      Request req = new Request();
      req.setName("edwin");
      req.setMessage("hi");
      Response resp = request_Response_ptt.requestResponse(req);

  51. Hi Edwin,

    We would like to enforce authentication on an HTTP binding service exposed to an external service. However the certificate stuff is not required. We require only authentication through credentials(username and pwd) and no extra security?

    Is it supported in 11g and if it's supported which policies should we use?

    Thanks,
    Suresh

    1. Hi,

      you can use these policies
      oracle/wss_http_token_service_policy
      oracle/wss_username_token_service_policy

      Thanks

    2. Hi Edwin, Great post. Follow up with this question, if we use these policies, let's say for a SOA composite service to access UCM, we would need to provide the username and password as properties in the composite and thus expose in the SOAP header. But for security reasons, we don't want to expose the password, then how would you approach it ?

  52. Hi Edwin,

    I have a requirement to call a secured web service passing username and password as password+securitytoken. I tried using wss_username_token_service_policy but am getting INVALID username, password, security token. Please let me know what policy I should be using.

    Thanks
    Bhagya

    1. Hi,

      Strange, this should work when you create and test this user in the WebLogic internal LDAP.

      Thanks

  53. Hi Edwin

    In my case, I am using a message_protection_client_policy on the business service. It encrypts and signs the request fine but it fails on the response. It seems it is trying to apply the policy on the response leg as well. I have turned that option off on the policy level via WSM but the behavior is still the same.

    Regards,
    Tumi Mametsa

    1. Hi,

      So the response is not encrypted (what is on the server side, also OWSM?), and if you changed and copied the new OWSM client policy and attached this to the BS then it should work.

      Thanks

  54. Hi Edwin,

    I am having a requirement to use oracle/wss11_x509_token_with_message_protection_service_policy policy without any message encryption i.e. a custom policy.

    From the EM Console I have created a custom policy of oracle/wss11_x509_token_with_message_protection_service_policy without message encryption, i.e. I have unchecked the option of body encryption in the EM Console, and then attached the policy to the web service (say helloWorld).

    In a similar way I have created a client for the same custom policy and attached it to the JDeveloper proxy.

    But when I am trying to invoke the web service secured with the custom policy from the JDeveloper proxy service I am getting an error like:
    INFO: WSM-09004 Component auditing cannot be initialized.
    SEVERE: WSM-07620 Agent cannot enforce policies due to either failure in retrieving polices or error in validations, detail= "WSM-06102 The policy reference URI "wss11_x509_token_without_message_protection_client_policy" is not valid.
    ".
    SEVERE: WSM-07501 Failure in Oracle WSM Agent processRequest, category=security_and_management, function=agent.function.client, application=null, composite=null, modelObj=helloWorldService, policy=null, policyVersion=null, assertionName=null.
    oracle.wsm.common.sdk.WSMException: WSM-07620 : Agent cannot enforce policies due to either failure in retrieving polices or error in validations, detail= "WSM-06102 The policy reference URI "wss11_x509_token_without_message_protection_client_policy" is not valid.
    ".


    I have created the two keystores one for server and other for client.

    In my client code I am setting these values also:
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "D:\\KEYSTORE\\client.jks");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "clientKey");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "clientKey");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
    reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "clientKey");

    But I am not sure why the server secured with the custom policy is not getting invoked.

    Can you please help me with that. It's basically invoking a custom policy oracle/wss11_x509_token_with_message_protection_service_policy without message encryption from JDev or SOAPUI.

    Thanks,
    Ashish

    1. Hi,

      did you also create a matching client policy, and when testing from JDeveloper you also need to add this to a folder (don't know exactly which one).

      Thanks

  55. Hi Edwin,

    On the UCM server side I set up a WS with oracle/wss_username_token_over_ssl_service_policy and added a credential pair in my domain. Then I create a new content repo connection in JDeveloper with the JAX-WS socket type and fill in the client policy and credential. However there is always an error like "The request must be over SSL". Any help for that?

    Thx & BR

  56. Hi Edwin,
    I am consuming a webservice which is enabled with wss11_saml_or_username_token_with_message_protection_service_policy and wss11_saml_token_with_message_protection_client_policy policies using proxy client and data control in ADF. But i have following questions in consuming them
    1) Can i use the certificate from the browser of server url to configure as public key in my client keystore.
    2) How to get WSSEC_ENC_KEY_PASSWORD. Is it encryption password configured in server?

    Thanks,
    Shyam

    1. Hi ,

      probably you need a public and private key for this client.
      For 2 it is probably, or you need to do this in the EM; here you have a credential store where you can add this password entry.


      Thanks

    2. Hi Shyam,

      How did you manage to consume the webservice which is enabled with wss11_saml_or_username_token_with_message_protection_service_policy and wss11_saml_token_with_message_protection_client_policy policies

      ????

    3. Can you please illustrate how to go with it as shown with other policies above.

  57. Hi Edwin,

    Do you have any blogs which details on creating Policy Sets?
    I have created a new policy set and added policies to it. Now when I deploy my composite I expect it to attach policies but it does not. Any pointers what could be wrong?

    Thanks

    1. Hi,

      Did you do this in the EM or in jdeveloper.

      Thanks

  58. Hi Edwin,

    I am trying to use policy Sets so that the policies attach to the composite on deployment.
    Can you share any steps/way to do that?

    Thanks

  60. Hi, I tried consuming a REST service (HTTPS GET) with self-signed certificates without hostnames through BPEL.

    When I try to call the service returns this error:

    java.net.ProtocolException: missing header WWW-Authenticate

    Could you please tell me what I can do to call a service with these features?

  61. Hi ,
    Can you please provide the configuration for this policy: wss11_saml_token_with_message_protection_client_policy

    Reg
    Sridhar

  62. Hi Edwin,
    I am a newbie. The code samples you provide are for a Java SE standalone client, right? And your IDE is JDev, I suppose.
    I would like to implement your samples with Eclipse OEPE. Is it feasible? May you please summarize the main steps and mainly the jars I have to put in the classpath?

    Thanks

  63. Hi Edwin,
    I am using FMW 12.1.3. Mysteriously, I can't attach OWSM policies to my Web Service via EM anymore. In the page showing the details of my Endpoint, the tab "WSM Policies" is missing and in its place there is a tab "WebLogic Policies violations". It looks like there is some WebLogic policy attached to my WS, but I checked and there is none. I tried to redeploy, but no change.
    Any suggestion?
    Regards
    Livio

  64. Hello Edwin,

    I was trying to resolve an issue with oracle/wss10_x509_token_with_message_protection_service_policy, maybe you came across it too.

    If I add the CN as a user the policy goes well although when I then remove the user the policy is still allowed. Seems like the username is cached. Any ideas?

  65. Hi Edwin,

    How to configure the following jks in weblogic server to deploy and run the client web application in application server? I am able to run the code with standalone java file. But what all the configuration changes which needs to be done to deploy the client code in weblogic server.

    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");

  66. Hi Edwin,
    I did use OWSM in 10g long back in year 2008 since then I didn't use OWSM, during that time it was having its own console wherein we can develop wrapper service on top of actual service and can specify all sort of rules.

    But in SOA 11g and 12c I can't find a similar console. Has the architecture of OWSM been completely changed in SOA 11g and 12c?
