In FMW 11g you can also define your own WS-Security policies (just use the wizard in the EM website) or use the standard policies, so it can always comply with your security requirements.
In this blog entry I will show you how to set up FMW on WebLogic, define security on a BPEL service, and call this service with an ADF Web Service Data Control and a Java web service proxy client.
Special thanks to Vishal Jain of Oracle who helped to solve the issues and explained how WSM works with keystores.
First we need to generate a keystore with a self-signed certificate. Somehow certificates generated with OpenSSL fail in FMW.
keytool -genkey -keyalg RSA -keystore C:\test_keystore.jks -storepass password -alias client_key -keypass password -dname "CN=Client, OU=WEB AGE, C=US" -keysize 1024 -validity 1460
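Before copying the keystore into the domain, it is worth checking that it contains what the OWSM client settings later in this post rely on: a private key entry under the expected alias, opened with the store and key passwords, a certificate that is still valid and verifies with its own public key, and a certificate path that chains to a trust anchor in the keystore (the check that otherwise fails with "Path does not chain with any of the trust anchors"). The program below is an added example, not code from the original post or from Oracle; the path, alias and passwords are the ones from the keytool command above and nothing else is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

/** Sanity check of a JKS keystore before it is used for OWSM message protection (added example). */
public class OwsmKeystoreCheck {

    public static void main(String[] args) throws Exception {
        // Defaults are the values from the keytool command in the post; override via arguments if needed.
        String path = args.length > 0 ? args[0] : "C:\\test_keystore.jks";
        String alias = args.length > 1 ? args[1] : "client_key";
        char[] storePass = "password".toCharArray();
        char[] keyPass = "password".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                      // a wrong store password fails here
        }

        // 1. The alias used for the signature/encryption key must be a private key entry.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private key entry for alias '" + alias + "'");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);   // a wrong key password fails here
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        // 2. The certificate must be within its validity period; report key size and fingerprint.
        cert.checkValidity();
        int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
        System.out.println("alias     : " + alias + " (" + key.getAlgorithm() + ", " + bits + " bit)");
        System.out.println("subject   : " + cert.getSubjectX500Principal());
        System.out.println("issuer    : " + cert.getIssuerX500Principal());
        System.out.println("not after : " + cert.getNotAfter());
        System.out.println("sha256    : " + fingerprint(cert));

        // 3. A self-signed certificate must verify with its own public key.
        cert.verify(cert.getPublicKey());

        // 4. The recipient certificate must chain to a trust anchor present in the keystore.
        validateAgainstKeystore(ks, cert);
        System.out.println("certificate for '" + alias + "' chains to a trust anchor in the keystore");
    }

    /** Hex SHA-256 fingerprint of the DER encoding, to compare with the certificate the server uses. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /**
     * PKIX-validates a single certificate against every certificate in the keystore
     * (trusted-certificate entries as well as the certificates of key entries).
     * With the shared keystore from this post the self-signed certificate is its own anchor;
     * a recipient certificate that is missing from the keystore fails here.
     */
    static void validateAgainstKeystore(KeyStore ks, X509Certificate leaf) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            java.security.cert.Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        CertPath cp = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(leaf));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // the self-signed test certificate carries no CRL/OCSP data
        try {
            CertPathValidator.getInstance("PKIX").validate(cp, params);
        } catch (CertPathValidatorException ex) {
            throw new IllegalStateException(
                "certificate does not chain to a trust anchor in the keystore: " + ex.getMessage(), ex);
        }
    }
}
```

Run it with the JDK that WebLogic uses, passing the keystore path and alias as arguments if they differ from the defaults; each failing check throws before the next one runs, so the first exception names the setting that is wrong.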
Now here comes the trick: copy this keystore to the fmwconfig folder (under domain_name/config) of the SOA Suite domain.
Go to the Enterprise Manager website, where we can configure the keystore we just created. Select the WebLogic domain and go to the Security menu / Credentials. Here we can change the maps and passwords that are stored in the cwallet.sso file. If you see the oracle.wsm.security map, you can delete it; this map contains the keystore password.
Go to the Security Provider Configuration item in the Security menu, where we will add the keystore to FMW.
Press the Configure button in the Keystore part of the screen. Here we can add the keystore details. Use ./ as the keystore path. This will fill the oracle.wsm.security map in the Credentials menu.
Go back to Credentials, where we will add an extra entry to the wsm map. Create a new key basic.credentials with username weblogic and password weblogic1.
Restart the Weblogic server.
The next part is to add a WSM policy to a BPEL service.
Select the server policy you want to use and deploy this to the SOA Suite server.
Now we can make a JAX-WS proxy client so we can test the policy. In this client we will use the matching client policy. If this fails, check your libraries.
package nl.whitehorses.wsclient;

import java.util.Map;

import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceRef;

import oracle.webservices.ClientConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class BPELProcess1_ptClient
{
    @WebServiceRef
    private static Bpelprocess1_client_ep bpelprocess1_client_ep;

    public static void main(String[] args)
    {
        bpelprocess1_client_ep = new Bpelprocess1_client_ep();

        // Client policy that matches the server policy attached to the BPEL service
        SecurityPolicyFeature[] securityFeature = new SecurityPolicyFeature[] {
            new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy") };
        BPELProcess1 port = bpelprocess1_client_ep.getBPELProcess1_pt(securityFeature);

        // Keystore and key aliases the client uses to sign, encrypt and verify messages
        Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
        reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
        reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:\\test_keystore.jks");
        reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
        reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client_key");
        reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "password");
        reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client_key");
        reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "password");
        // Recipient alias: the server's certificate, here the same key because the keystore is shared
        reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "client_key");

        System.out.println("output = " + port.process("aaaa"));
    }
}
If all went well, we can do the same with an ADF Web Service Data Control.
To add the client policy, select the DataControls.dcx and go to the Structure window. Here we can define the web service security.
Select the right client policy; in this case we need to override properties, so press the button and fill in the recipient with your key alias, else you will get an orakey error.
Finally, deploy this web application with an EAR profile to the SOA Suite server and test your webapp.
Thanks for excellent posting on WSM and Oracle Fusion Middleware 11g. A very hands-on approach on how to secure web services.
Seems like a complete repackaging of the WSM product.
Is the WSM as standalone product still available?
Suites are fine, but when it comes to security, separating security concern into a dedicated server process would be more flexible.
Hi,
Is the WSM as standalone product still available?
No, the WSM like 10.1.3 is gone. You cannot deploy agents on servers and the gateway is also gone.
WSM takes place in the services and references of the SOA Suite and of course on the WLS web services.
And you can use the WSM agent in the ADF and JDeveloper Java applications.
thanks Edwin
Would like to know, in your ws-client code,
where does the class Bpelprocess1_client_ep come from?
Is it automatically generated when the BPEL process is created, or do you use the web service proxy wizard provided by JDeveloper to generate the ws-client?
Hi,
JDeveloper will generate this when you want to expose a Mediator or a BPEL SCA component. Then a service with this name is generated.
thanks Edwin
Excellent Post! My BPEL process makes a call to the webservice which requires encryption. This webservice is running on a different webserver - particularly an OSB (on WLS 10.3). Any ideas how to make it work?
Thanks
Hi,
In the Fusion help there is a whole chapter about WSM and OSB 10.3, called Interoperability with Oracle Service Bus 10g Security Environments
http://download.oracle.com/docs/cd/E15523_01/web.1111/e16098/interop_osb.htm#BABJDGJJ
Hope this gives you all the answers.
In the next patchset (OSB 11g, coming in a few months) you can use the RMI binding.
Hi,
Can you explain what the need is for
Create a new key basic.credentials with as username weblogic and with password weblogic1
Thanks,
Jayaprakash
Hi,
You can use WSM policies that require a username token.
thanks
Hi mr. Biemond,
I'm trying to follow the procedure, but I'm creating the client using OEPE 11.1.1.3.0 (Eclipse 3.5.0) and I'm having some problems with the build path to be used. I've only added the weblogic.jar, but the ClientConstants class is not included, so I have no idea what other jars I have to include. Please help! Thanks
Hi
You need many libs; start with
oracle_common\modules\oracle.jrf_11.1.1\jrf.jar
This jar imports a lot of other libs, so copy oracle_common\modules from JDeveloper to your OEPE location.
thanks
Hi mr. Biemond,
Thanks for the answer, now I've finally made the code compile. I would also like to ask another question:
I'm studying OWSM and I've come across an intriguing section in this documentation: http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/owsm_appendix.htm#CHDFEDCA . The section is "Oracle WSM Policies Are Not Advertised in WSDL". I don't understand why this is the case, because the primary objective of using WSM is to externally administrate the policies without having to manually change the WSDL. Also, if these policies are not inserted in the WSDL, how are my external clients going to know how to call the web service? Does this mean WSM is intended only for in-house services? I'm using OWSM 11gR1 from SOA Suite (11.1.1.2.0).
Thank you !
Hi,
What they mean is you don't know it is the oracle/wss10_message_protection_client_policy; this name is not published.
This policy contains some assertions and these are published in the WSDL.
The WSM policy is just a name and does not mean anything outside the Oracle world.
thanks
Hi Edwin
I need your advice, I am trying to create a web service proxy with the example but I get this error:
java.io.FileNotFoundException: /webserviceCliente/./config/jps-config.xml (No such file or directory)
What does it mean?
Thank you.
Hi,
Did you deploy it on a WebLogic installation with an ADF, WebCenter or SOA Suite add-on?
And you need to enable Enterprise Manager on the WebLogic domain.
thanks
Hi Edwin
Thanks for the answer. What I made is a Generic Project in JDeveloper; I created a Java class with a static void main and used the code that I found in the example. I tried to run this and I got this error, so I suppose I have to deploy this application in a WebLogic domain; I will try it.
My problem is that I need to make a client for a web service that has oracle/wss10_message_protection_service_policy, and this client has to be usable by anyone. How can I do this?
Thanks for help.
Hi,
For a secure WS client proxy this should work and you can use my example. Of course you need to generate a new WS proxy against a WS which is deployed on an FMW WLS server. This WS must have the server policy.
thanks
Hi
Can you say where I can find information about how to deploy and test a WS proxy in a WLS server? I have generated that proxy with the main class.
Thank you so much.
Hi,
By the way, I think it is just a warning.
But make a new project where you add a Java class with some methods and add the WebService annotation.
Deploy this to a WebLogic server.
Make a new project where you generate a WS proxy client based on the WSDL.
And test this. After being successful, you add security to WebLogic FMW, then add the server policy to the WS project and deploy it again, and the client policy to the WS client project.
thanks
Hello Mr. Biemond,
I'm following your procedure but I would like to know what the basic.credentials entry is exactly for and if it's needed for all policies. Thank you!
Hi Edwin
Thanks for the answer. I created another web service and the web service proxy, I made a test of this and everything is ok. Then when I add the security policy I get an error related to the jps-config.xml.
Anyway, can I use this client in another server, or only in a WebLogic server? If I can use another server, how can I do this?
Thank you so much.
Hi Lupan,
basic.credentials is only needed for the WSM policies which require a username token.
thanks
Hi Kike,
Yes, I think you can use this client in another server (like JBoss),
but you need to use the WebLogic jars in your client, and find out which WSM client policy matches the WS policy on the JBoss web service. Probably you need to make your own WSM client policy.
Or you can use NetBeans with Metro:
http://biemond.blogspot.com/2009/05/weblogic-ws-policies-and-netbeans-metro.html
thanks
Hi Edwin, I am using a custom login at the IDP end; when I submit the form it doesn't post to the SP, but it works fine if I use basic auth. Please advise.
Edwin, I'm trying to set up encryption on a composite app in SOA Suite using wss10_message_protection_service_policy. I followed your instructions on setting up the keystore. I added the policy to the inbound Service in my composite and deployed it. When I try to invoke the service from the test console, I get an error saying:
InvalidSecurity : error in processing the WS-Security security header
security header missing.
I've tried to add username and password both as properties in the composite.xml as well as through the test page. I'm not sure what else to look at to get this working. Have you come across this problem?
Thanks
Hi,
You can test it with the test console. The test is very basic.
You can generate a Java proxy service.
Message protection service is no username (usertoken) protection.
Here you have some more info on what to use in which situation.
http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html
Hi Edwin,
I've created a BPEL process, and I want to protect my WSDL file.
If I have to add a userid-password policy using OWSM to it at Gateway level, how shall I proceed with that?
Can you provide me with an example or steps to achieve the above.
--Rupesh
Hi,
Take a look at this and choose your policy http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html
good luck
Hi Edwin,
I am developing a JAX-WS client to access the web service which has the OWSM policy "wss_username_token_service_policy" attached to it. Hence I am trying to add the below code:
weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature[] securityFeature = new weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature[] { new weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature( "policy:oracle/wss_username_token_service_policy") };
But I am unable to find the class SecurityPolicyFeature in the weblogic.wsee.jws.jaxws.owsm package of weblogic.jar. It only has the PolicySubjectBindingFeature class in it. Hence I am unable to proceed. Can you let me know where I can find this class?
Hi,
In JDeveloper you can add the OWSM policies jars to your project. Or you use the managed libraries option (a menu item in JDev) to find the jar by class name.
thanks
Hi Edwin,
Thanks for the post. It is very useful. We have followed the same steps, however we are getting the below error. Can you please suggest?
WSM-00276 : Validation failed for the identity published in the WSDL endpoint
Caused By: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid. Validation failed for the certificate "Subject DN:- CN=service, DC=oracleoutsourcing, DC=com, Serial Number:- 1374555321, Issuer DN:- CN=service, DC=oracleoutsourcing, DC=com" Certificates in cert path used for validation are:- "Subject DN:- CN=service, DC=oracleoutsourcing, DC=com, Issuer DN:- CN=service, DC=oracleoutsourcing, DC=com"
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Hi Edwin,
Great post. In normal scenarios the same keystore will not be shared by server and client. Can you please explain the steps to configure Web Service Data Controls from ADF to call an OWSM-secured service with message protection.
Also, I would like to know if it is necessary to import the certificate with the same alias name, because the alias name might not be shared by the server.
Many thanks in advance.