Let's start simple with one of the following policies:
oracle/wss_http_token_service_policy
oracle/wss_username_token_service_policy
These policies can be used for HTTP Basic Authentication or for a UsernameToken in a SOAP message. The only thing you need to do on the server side for these policies is to add some users to the myrealm security realm in the WebLogic Console. Keep in mind that both policies carry the credential in clear text (an HTTP Basic header, or a plain text password inside the WS-Security UsernameToken), so outside a test setup only use them over SSL, for example with the _over_ssl variants of these policies.
On the client side you need to do the following (Execute and Request_Response_ptt are the service and port type classes JDeveloper generated from the WSDL; for the HTTP token policy use oracle/wss_http_token_client_policy instead).
import java.util.Map;
import javax.xml.ws.BindingProvider;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

Execute execute = new Execute();
// Attach the OWSM client policy that matches the service policy.
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss_username_token_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// The client policy reads these two properties and builds the UsernameToken (or Basic header) from them.
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
The message protection policies:
oracle/wss10_message_protection_service_policy
oracle/wss11_message_protection_service_policy
When you choose one of these policies you need to generate a server certificate for encryption and put it in a Java keystore on the server. For the client side you also need to make a keystore. In the wss11 case it only contains the public certificate of the server encryption key: the client generates a symmetric key for the message, wraps it with that public key, and the server protects the response with the same symmetric key, so the client needs no key pair of its own. In the wss10 case the client signs the request with its own private key and encrypts it for the server, so besides the server public certificate you also need to generate a client certificate; see the x509_token_with_message_protection policies below for how to do this.
To add your server keystore to FMW, go to the Enterprise Manager, select your WebLogic Domain and in the menu go to the Security / Security Provider Configuration page. On this page you can register your Java keystore together with the keystore password and the alias and password of the signature and encryption keys; EM stores those in the domain credential store, so check them before you save. Before you start, copy your keystore to your domain folder and put it in the config/fmwconfig folder.
In this example I used two certificates, one for the signature and one for the encryption. For the wss11 message protection service policies you only need the encryption certificate.
On the client side you need to load the client keystore and point the policy at the public certificate of the server encryption key. The passwords below are hard-coded to keep the example short; in a real client read them from a properties file or credential store that is not checked in with the source.
// ClientConstants holds the OWSM client-side keystore override properties.
import oracle.wsm.security.util.SecurityConstants.ClientConstants;

Execute execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
// Client keystore; for wss11 it only needs the server encryption certificate as a trusted entry.
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
// Recipient alias: the server certificate whose public key wraps the symmetric message key.
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
For the wss10_message_protection_service_policy you need to do the following. The client now signs with its own private key, so the signature alias points at the client key pair, while the recipient alias still points at the server encryption certificate.
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
// client1 is the client's own key pair: it signs the request and decrypts the response.
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
// server_encr is the trusted server certificate the request is encrypted for.
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
The above policies can also be combined, like in these policies:
oracle/wss10_username_token_with_message_protection_service_policy
oracle/wss11_username_token_with_message_protection_service_policy
For these policies you need to create a user in the WebLogic Console for the username token and generate a server and a client keystore for the message protection part. The username token is now carried inside the encrypted message, so the password no longer travels in clear text.
On the client side you need to do the following.
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test" );
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1" );
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
For the wss10_username_token_with_message_protection_service_policy you need to do the following (here you also need a client certificate besides the public key of the server).
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss10_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test" );
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1" );
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
In the last part of this blogpost I will explain the following policies:
oracle/wss10_x509_token_with_message_protection_service_policy
oracle/wss11_x509_token_with_message_protection_service_policy
These policies use the client certificate for the signature (that signature is also what authenticates the client) and the public key of the server encryption certificate for the encryption.
So we start by making some keystores with some certificates. I don't use self-signed certificates, because then for every new client I would need to update the server keystore and reboot the FMW server. Now I only have to import the CA public certificate into the server keystore once. This is how my server keystore looks:
It has a private key entry for the server signature and one for encryption, and the CA public certificate is a trusted entry.
For the client I have this keystore (every customer / application can have its own client keystore):
The CA and server encryption certificates are public certificates and are trusted entries.
Because the FMW server does not know this client certificate (it only knows the CA), you need to add a new user in the myrealm security realm in the WebLogic Console. The password of this user is not important; the only requirement is that the common name (CN) of the client certificate is the same as the WebLogic username. This also makes the CA the trust anchor: anyone who can get a certificate from that CA with a CN that matches a realm user can act as that user, so keep the CA private and only issue client certificates to the parties you want mapped to those users.
Finally the client code, where we need to provide the client signature certificate details.
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_x509_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
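The keystores described above, as an added example that is not part of the original post: a POSIX shell script around keytool that creates a small private CA, a server keystore with a signing and an encryption key pair plus the trusted CA certificate, and a client keystore with the client key pair, the trusted CA and the server encryption certificate. That is the layout the x509_token_with_message_protection policies need, and the wss11 and wss10 message protection policies earlier in the post use subsets of the same client keystore. It also does the checks worth doing before touching EM: that every alias has the entry type the policy expects, and that the CN of the client certificate equals the WebLogic user you create. The aliases server_encr and client1 come from the post; the CA name "Demo CA", the alias server_sig, the subject DNs and the file layout are assumptions, the password "welcome" mirrors the post and is for a lab only, and keytool from JDK 7 or newer (for -gencert) must be on the PATH. Unlike the keytool commands in the comments below it signs with SHA256withRSA and 2048-bit RSA keys.

```shell
#!/bin/sh
# Added example, not code from the original post: build the CA, server and client
# keystores for the OWSM x509_token_with_message_protection policies with keytool.
# Assumptions: keytool (JDK 7+) on the PATH; the CA name "Demo CA", the alias
# "server_sig", the subject DNs and the file layout are illustrative; the
# password "welcome" mirrors the post and must be changed outside a lab.
set -e

PASS=welcome
# Force English output so the checks below can parse it regardless of locale.
KT="keytool -J-Duser.language=en -J-Duser.country=US -storetype JKS"

# keypair <keystore> <alias> <subject DN> [extra keytool options]
keypair() {
  $KT -genkeypair -keystore "$1" -storepass "$PASS" -keypass "$PASS" \
      -alias "$2" -dname "$3" -keyalg RSA -keysize 2048 \
      -sigalg SHA256withRSA -validity 730 ${4:-}
}

# trust <keystore> <alias> <cert file>: add a public certificate as trustedCertEntry
trust() {
  $KT -importcert -keystore "$1" -storepass "$PASS" -alias "$2" -file "$3" -noprompt
}

# issue <workdir> <keystore> <alias>: replace the self-signed certificate of a key
# pair with one issued by the CA (the CA must already be trusted in <keystore>).
issue() {
  $KT -certreq -keystore "$2" -storepass "$PASS" -alias "$3" -file "$1/$3.csr"
  $KT -gencert -keystore "$1/ca.jks" -storepass "$PASS" -alias ca \
      -infile "$1/$3.csr" -outfile "$1/$3.cer" -validity 730 \
      -sigalg SHA256withRSA -ext "ku:c=digitalSignature,keyEncipherment"
  $KT -importcert -keystore "$2" -storepass "$PASS" -alias "$3" -file "$1/$3.cer" -noprompt
}

# make_owsm_keystores <workdir>: creates ca.jks, server.jks and client.jks
make_owsm_keystores() {
  mkdir -p "$1"
  # 1. Private CA; bc:c marks BasicConstraints ca:true as critical.
  keypair "$1/ca.jks" ca "CN=Demo CA, O=Example, C=US" "-ext bc:c"
  $KT -exportcert -keystore "$1/ca.jks" -storepass "$PASS" -alias ca -file "$1/ca.cer"
  # 2. Server keystore: signing and encryption key pairs, CA trusted.
  keypair "$1/server.jks" server_sig  "CN=server, O=Example, C=US"
  keypair "$1/server.jks" server_encr "CN=server, O=Example, C=US"
  trust "$1/server.jks" ca "$1/ca.cer"
  issue "$1" "$1/server.jks" server_sig
  issue "$1" "$1/server.jks" server_encr
  # 3. Client keystore: own key pair (the CN must equal the WebLogic user name
  #    the server maps the certificate to) and the CA trusted.
  keypair "$1/client.jks" client1 "CN=client1, O=Example, C=US"
  trust "$1/client.jks" ca "$1/ca.cer"
  issue "$1" "$1/client.jks" client1
  # 4. The server encryption certificate (public part only) into the client keystore.
  $KT -exportcert -keystore "$1/server.jks" -storepass "$PASS" -alias server_encr -file "$1/server_encr_pub.cer"
  trust "$1/client.jks" server_encr "$1/server_encr_pub.cer"
}

# entry_type <keystore> <alias>: prints PrivateKeyEntry or trustedCertEntry
entry_type() {
  $KT -list -keystore "$1" -storepass "$PASS" -alias "$2" \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# cert_cn <keystore> <alias>: CN of the entry's (end-entity) certificate
cert_cn() {
  $KT -list -v -keystore "$1" -storepass "$PASS" -alias "$2" \
    | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1
}

# issuer_cn <keystore> <alias>: CN of the certificate's issuer
issuer_cn() {
  $KT -list -v -keystore "$1" -storepass "$PASS" -alias "$2" \
    | sed -n 's/^Issuer: CN=\([^,]*\).*/\1/p' | head -n 1
}

# Usage: sh owsm_keystores.sh /tmp/owsm   (without an argument only the functions are defined)
if [ "$#" -gt 0 ]; then
  make_owsm_keystores "$1"
  echo "client1 entry: $(entry_type "$1/client.jks" client1), issued by $(issuer_cn "$1/client.jks" client1)"
  echo "WebLogic user to create in myrealm: $(cert_cn "$1/client.jks" client1)"
fi
```

Copy server.jks to config/fmwconfig and register it in EM with the server_sig and server_encr aliases; client.jks is what the WSSEC_KEYSTORE_LOCATION override in the client code points at. If the server rejects the client's signature chain even though the CA is trusted, the thread below reports that importing the client's public certificate into the server keystore as well resolved it.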
For OWSM SAML policies see this blogpost
For OWSM kerberos policies see this blogpost
Hi Edwin,
A completely different question from the topic of your post.
I have a simple SOA Composite in which a Human Task is created and assigned to a Group. I have to deploy this composite to 3 different environments (i.e.) DEV, TEST & PROD. In Active Directory we have the following setup:
1. FixedAssets-DEV
2. FixedAssets-TA
3. FixedAssets-PROD
While deploying the composite to DEV , the task should be routed to the group 'FixedAssets-DEV' . Similarly in TEST the task should be routed to 'FixedAssets-TA' and in PROD the task should be routed to 'FixedAssets-PROD'.
I am not able to do this using a config plan as the config plan would only act on 'service' and 'reference' elements and the Human Task is a 'component'.
I have also tried the following
1. Added a GroupName Property to the .componentType file of the Human Task
2. In the Assignment Tab of the Human Task Editor, used XPATH expression
3. Used ora:getPreference('GroupName') to get the group name
But the ora:getPreference() function does not seem to be available in this context.
Does anyone have any ideas on how to solve this issue?
PS: Please copy me on the replies as I am not a member of this group
Thanks in advance,
Prasanna
Hi,
Can't you use an input parameter to the Human Task and use this param for your group assignment? That should work. This input parameter / payload can be controlled from BPEL.
Hope this helps.
Hi Edwin, this is a great article. I have followed it but I am getting an error as follows:
SEVERE: WSM-00145 Keystore location or path can not be null or empty; it must be configured through JPS configuration or policy configuration override.
SEVERE: WSM-00111 Keystore is not properly configured in JPS config.
I have called the getBSTCredentialProvider with all the keystore information I have setup but it still seems to want me to provide these through jps-config.xml.
Hi,
These jps-config.xml errors can be ignored; it has something to do with OPSS.
thanks
Hi Edwin,
Have you tried SAML token insertion policies on OWSM 11g?
I wanted to know how to validate SAML token against siteminder for user authentication. I appreciate your help
Regards,
Sri
Any step by step document for implementing
oracle/wss10_x509_token_with_message_protection_service_policy?
As this blog looks more like documentation stuff, which has to be debugged.
Hi,
I did not do much with the SAML OWSM policies, only with the WebLogic ones.
For
oracle/wss10_x509_token_with_message_protection_service_policy
oracle/wss11_x509_token_with_message_protection_service_policy
see the last part of this blogpost:
make a client and server keystore, import the CA and exchange the public keys, import those into the keystores and add a user in the security realm with the same name as the common name of the client cert.
thanks
Hi Edwin, a really useful guide.
Could you please post the steps you followed to generate the server and client keystores for the x509 token policies?
that would be awesome.....
thanks in advance
Hi,
Read this blogpost: http://biemond.blogspot.com/2009/06/ws-security-in-osb.html
This contains how you can generate your own CA and create some keystores.
thanks
Hi Edwin,
I am developing a service that needs to take an input message and return the encrypted format of that message.
We want to host this as a generic message? Can you please let me know if these policies would help me with that? As these policies are applied on the endpoint, I am not able to return an encrypted message as a response.
Basically, I want to have a request reply service that would take an xml message and return an encrypted message in response. Please help me out with your suggestions on how I should proceed.
Hello Edwin,
Please let me know if we can use policies to return an Encrypted message in 11g for a given message as we do in 10G. I would like to host a service that would return an encrypted message back for a given text message.
Hi,
I think it is possible; you need to make a custom XSD with a content part (anyxml) where you put in the data/xml, just like in 10g.
But I think you want the oracle/wss11_message_protection_service_policy on the response message. Don't know if that is easy.
You can copy and change this policy so only the response is encrypted.
Else you can make an async JAX-WS service and only put the policy on the response, like this:
http://biemond.blogspot.com/2011/02/building-asynchronous-web-service-with.html
Else maybe the new XML enterprise gateway can help.
Thanks, and let me know or blog about it.
Hi
Thank you for your very useful blog.
I'm working on a web service client proxy to which I have attached the OWSM policy oracle/wss10_x509_token_with_message_protection_client_policy. I have also programmatically defined the keystore, alias and password settings as you have shown in your good examples.
I have tested my creations in JDeveloper. According to the HTTP analyzer I have sent a request and I'm getting a response, but it fails with a WSM-00030 key wrap error. The decrypting side expects OAEP but gets RSA-1_5. How to fix?
Thanks in advance
BR
Marko
Hi,
What OWSM server policy do you use on the server side?
Does your client and server policy match?
thanks
Hi and thank you for quick answer
The server is from a different world.
It is Sun GlassFish Enterprise Server v2.1 and according to the service provider, they don't use any formal policy. But the policy we are using does the job until this key wrap mismatch.
I've found the documentation, which says the key wrap algorithm can be changed at our end.
I have tried to find a programmatic way and tried to alter the policy, no luck.
Below is the error from the WebLogic server where my client runs as a proxy. The proxy is deployed as a web service for our local usage.
javax.xml.rpc.JAXRPCException: WSM-00030 : The encryption method key wrap algorithms do not match : Expected : http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p, , Actual : http://www.w3.org/2001/04/xmlenc#rsa-1_5.
BR
Marko
Hi,
In the EM you can copy and then change the client policy; maybe you can change it in one of the assertions.
thanks
Hi
Thanks for the advice.
I've done that.
One thing still:
I exported the custom policy and pointed to it in JDeveloper, attached it to my proxy and tried to run my test program. The program did not understand the policy, gave errors.
Does this custom policy need registration/import/a spell to be accepted by JDev?
Thank you for your valuable help.
BR
Marko
Hi,
Did you do this: I copied an existing policy from DefaultDomain\oracle\store\gmds\owsm\policies\oracle (be aware you copy the right client or server policy: server policy -> ws and client policy -> proxy client) to the DefaultDomain\oracle\store\gmds\owsm\policies\policy_file folder
and changed the following attributes of the wsp:Policy element (top) to a unique name, so I can see them in JDeveloper:
wsu:Id="edwin_service_policy"
orawsp:displayName="edwin_service_policy"
orawsp:description="edwin"
Name="edwin_service_policy"
Hi
I did all of your mods to my custom policy. I attached it to my client proxy, compiled it and deployed it to my local integrated WLS. Not working.
I tried to run my proxy in JDev with my test class, no luck.
Error message:
SEVERE: WSMAgentHook: An Exception is thrown: WSM-06102 The policy referenced by URI "oracle/wss10_x509_token_with_message_protection_client_policy_om" could not be retrieved.
Some kind of importing step for the custom policy is missing here, I think.
BR
Marko
Hi
I skipped the idea to test in JDev.
I'm now using only my copied and modified custom policy on WLS.
No key wrap error anymore.
Now I'm having problems with my WSSEC_RECIPIENT_KEY_ALIAS.
It says WSM-00056 : The key, om, is not retrieved. Now what?
(Makes me think: is someone really using these security things? Or does the security mean that nobody is able to access the data?)
BR
Marko
Hi,
Did you configure the keystores in EM? This is necessary in WLS.
You need to have a map with some key entries.
thanks
Hi
Keystores in plural?
The server side is remote and I'm not handling that, lucky me.
I have only one keystore with my private key and their public key like this:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
om, 18.5.2011, trustedCertEntry,
Certificate fingerprint (MD5): 2B:37:6F:1E:A2:23:6B:24:6E:E9:AC:7D:65:F2:23:99
ij, 16.5.2011, PrivateKeyEntry,
Certificate fingerprint (MD5): D1:41:16:E3:14:CF:B1:DB:51:1E:44:7B:CA:9C:AF:CE
In my code I'm using these like this:
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "/oraweb/user_projects/domains/intrum/config/fmwconfig/default-keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "ij");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "om");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "om");
I suppose I will need something more?
BR
Marko
Hi,
Can you remove your keystore entries and leave it to the WebLogic server and the EM?
You only need to set the OWSM client policy,
like this:
http://biemond.blogspot.com/2009/09/wsm-in-fusion-middleware-11g.html
thanks
Hi
Thank you for your patience.
Do you mean, that I can configure the proxy part separately and still be able to keep the locally used web service clear?
At least with WLS's console that wasn't possible. The policy could be attached to web service.
I'll examine that, thanks.
BR
Marko
Hi,
You can remove this:
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "/oraweb/user_projects/domains/intrum/config/fmwconfig/default-keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "ij");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "om");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "xx");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "om");
and configure the keys in the EM.
For EM use /em instead of /console.
thanks
Hi Edwin
I have some problem when using oracle/wss11_x509_token_with_message_protection_service_policy.
Can you give me some suggestions please.
Here is the information of my case.
Server keystore looks like
------------------------------------------------------------------------------------------
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
orakey, 2011/06/02, PrivateKeyEntry,
Certificate fingerprint (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
soa_infra, 2011/06/02, trustedCertEntry,
Certificate fingerprint (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
-----------------------------------------------------------------------------------------
Client keystore looks like
------------------------------------------------------------------------------------------
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
orakey_public, 2011/06/02, trustedCertEntry,
Certificate fingerprint (MD5): BC:DC:EB:02:D9:C2:6E:CA:3C:3A:CA:46:E6:A7:18:9E
jcooper, 2011/06/06, PrivateKeyEntry,
Certificate fingerprint (MD5): 3A:1E:1F:D3:66:A6:F5:1E:86:84:0B:22:8D:AD:D6:BE
-----------------------------------------------------------------------------------------
New user in the myrealm Security Realm
-----------------------------------------------------------------------------------------
dn: uid=jcooper,ou=people,ou=myrealm,dc=soa_domain
-----------------------------------------------------------------------------------------
and I got the following exception in soa_server1-diagnostic.log
-----------------------------------------------------------------------------------------
Caused by: oracle.wsm.security.SecurityException: WSM-00062 : The path to the certificate used for the signature is invalid.
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:956)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:839)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:803)
at oracle.wsm.security.policy.scenario.executor.Wss11MutualAuthWithCertsScenarioExecutor.receiveRequest(Wss11MutualAuthWithCertsScenarioExecutor.java:131)
... 43 more
-----------------------------------------------------------------------------------------
Hi,
Did you import the public key of jcooper in the server keystore? Don't know if the CA key is enough.
And the common name of the jcooper cert should be a user in the myrealm security realm.
thanks
Hello Edwin, Thanks a lot!
After importing the public key of jcooper into the server keystore it's working fine.
Here I have another request: would you show us how to use SAML tokens under SOA 11g?
By the way I am a big fan of your blogs.
Thanks,
Jalen
Hello Edwin,
Using Oracle Web Services Manager, I'm forcing the client to use Oracle libraries like weblogic.jar, jrf.jar. Is this true?
Are these libraries licensed?
Thanks in Advance.
Hi,
Don't force the client, because it is licensed stuff and it's Java.
In the FMW documentation there is a great big guide on how you can use OWSM with .NET. And this should not be necessary because it is all web services. Even with soapUI you can do a lot. Or use the new XML gateway product at the client.
But with security it works or it doesn't, nothing in between, so it can take a while of testing at the clients before it works.
Thanks
Hi
Do you have the full commands to create client_keystore.jks and server_keystore.jks?
I am not strong in this area and would like the keytool commands to create these.
Hi,
Here they are.
Generate a new Java keystore with a self-signed server key.
keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=server, C=US" -keypass welcome -keystore c:\server.jks -storepass welcome
Generate a new client certificate with client as common name (CN) attribute and store it in the client_2.jks keystore.
keytool -genkey -alias clientKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=client, C=US" -keypass welcome -keystore c:\client_2.jks -storepass welcome
Export the public key of the server certificate.
keytool -exportcert -alias serverKey -storepass welcome -keystore c:\server.jks -file c:\server.cer
Import the public key.
keytool -import -file c:\server.cer -alias serverKey -keystore c:\client_2.jks -storepass welcome -keypass welcome
Export the public key of the client certificate.
keytool -exportcert -alias clientKey -storepass welcome -keystore c:\client_2.jks -file c:\client_2.cer
Import the key in the server Java keystore.
keytool -import -file c:\client_2.cer -alias clientKey -keystore c:\server.jks -storepass welcome -keypass welcome
Hello Edwin,
I have a BPEL composite deployment under soa-infra that calls a WSSEOASIS2004Compliant secure webservice.
I can call the service from soapUI by providing the username and password.
When I try to make the call from the BPEL service, I get this error:
oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://www....
We are using SOA 11.1.1.4.
I was following your blog and OTN forum(https://forums.oracle.com/forums/thread.jspa?threadID=2148565&start=0&tstart=0)
Here they have suggested to use Keystore/certificate/Keys etc.
I have the secure web service WSDL file/URL with username/password.
From here I would like to know the steps required to invoke the secure WS
and how to use keys/keytool/certificates.
Hi,
Here you have some info about how to generate some self-signed keys and use them in OWSM:
http://biemond.blogspot.com/2011/09/calling-owsm-protected-service-with.html
For only using some keys in one composite, you can add those keys in the credentials map of OWSM and override the default keys of the composite at deployment time.
Hope this helps, and for the truststore of OWSM you don't have to do anything, just add the CA and public keys to the keystore used in OWSM.
good luck
Hi Edwin,
I followed your instructions in order to configure the oracle/wss11_x509_token_with_message_protection_client_policy policy but I'm getting this error:
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: FailedAuthentication : The security token cannot be authenticated.
Do you have any idea what's wrong with my configuration?