
Wednesday, September 16, 2009

WSM in Fusion Middleware 11G

You probably already know the Web Services Manager (WSM) of SOA Suite 10.1.3. That version was mainly used together with SOA Suite, because it was the only way to secure BPEL and ESB services. In FMW 11g Oracle changed WSM so that it is fully integrated in all the Fusion Middleware components: you can now use WSM in ADF, in the services and references of SOA Suite, and in JAX-WS services or proxy clients.
In FMW 11g you can also define your own WS-Security policies (there is a wizard for this in the Enterprise Manager website) or use the standard policies, so it can always comply with your security requirements.

In this blog entry I will show you how to set up WSM on WebLogic, define security on a BPEL service, and call this service with an ADF Web Service Data Control and with a Java web service proxy client.

Special thanks to Vishal Jain of Oracle who helped to solve the issues and explained how WSM works with keystores.

First we need to generate a keystore with a self-signed certificate. Somehow certificates generated with OpenSSL fail in FMW, so generate the key pair with keytool. The command below creates a 1024-bit RSA key, which is enough for this test but too weak for anything else: use -keysize 2048 or larger outside a test, and keep in mind that passwords given on the command line end up in your shell history.
keytool -genkey -keyalg RSA -keystore C:\test_keystore.jks -storepass password -alias client_key -keypass password -dname "CN=Client, OU=WEB AGE, C=US" -keysize 1024 -validity 1460

Now here comes the trick: copy this keystore to the fmwconfig folder (domain_name/config/fmwconfig) of the SOA Suite domain. The keystore path we enter in Enterprise Manager later is relative to this folder.

Go to the Enterprise Manager website, where we can configure the keystore we just created. Select the WebLogic domain and go to the Security menu / Credentials.


Here we can change the maps and passwords that are stored in the cwallet.sso file. If you already see an oracle.wsm.security map, you can delete it; this map contains the keystore password and will be recreated in the next step.


Go to the Security Provider Configuration menu item in the Security menu, where we will add the keystore to FMW.
Press the Configure button in the keystore part of the screen.

Here we can add the keystore details. Use ./ as the keystore path (relative to the fmwconfig folder) and fill in the keystore password and the alias and password of the key. This fills the oracle.wsm.security map in the Credentials menu.

Go back to Credentials, where we will add an extra entry to the oracle.wsm.security map. Create a new key basic.credentials with user name weblogic and password weblogic1. This entry is only needed for policies that use a username token: it is the credential store key the username token client policies read by default. The WebLogic admin account is fine for this test; for a real deployment create a dedicated user with only the rights the service needs.


Restart the Weblogic server.
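A keystore built this way can be checked before it goes into Enterprise Manager. The following class is an added example, not part of the original post: it loads the JKS, confirms that the signing alias is an RSA private key entry, confirms that the recipient alias has a certificate, and confirms that this certificate is issued by something that is itself in the store. That last condition is what OWSM reports as "Path does not chain with any of the trust anchors" when a self-signed server certificate was never imported into the client keystore. The argument order and the defaults (the post's C:\test_keystore.jks, alias client_key and password password) are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/*
 * Added example, not part of the original post. Checks a JKS keystore for the
 * things OWSM message protection needs before you configure it in EM.
 * Defaults in main() match the post's keytool command; the argument order is
 * this example's own convention.
 */
public class KeystoreCheck {

    /** Returns the problems found; an empty list means the store looks usable. */
    public static List<String> check(String path, char[] storePass,
                                     String sigAlias, char[] keyPass,
                                     String recipientAlias) throws Exception {
        List<String> findings = new ArrayList<>();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);   // a wrong store password fails here with an IOException
        }

        // 1. The signing/decryption alias must be a key entry with an RSA private key.
        if (!ks.isKeyEntry(sigAlias)) {
            findings.add("'" + sigAlias + "' is not a private key entry in " + path);
        } else {
            Key key = ks.getKey(sigAlias, keyPass);   // wrong key password -> UnrecoverableKeyException
            if (!(key instanceof PrivateKey) || !"RSA".equals(key.getAlgorithm())) {
                findings.add("'" + sigAlias + "' is not an RSA private key (wss10 policies need RSA)");
            }
            findings.addAll(inspect(sigAlias, (X509Certificate) ks.getCertificate(sigAlias)));
        }

        // 2. The recipient alias only needs a certificate (the server's public key), usually
        //    imported as a trusted-cert entry. The alias name is local to this store.
        Certificate rc = ks.getCertificate(recipientAlias);
        if (!(rc instanceof X509Certificate)) {
            findings.add("no X.509 certificate under recipient alias '" + recipientAlias + "'");
            return findings;
        }
        X509Certificate recipient = (X509Certificate) rc;
        findings.addAll(inspect(recipientAlias, recipient));

        // 3. The recipient certificate must be issued by a certificate that is in the store.
        //    A self-signed certificate that is itself in the store is its own anchor; one that
        //    is NOT in the store is the usual cause of "Path does not chain with any of the trust anchors".
        boolean anchored = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate issuer = (X509Certificate) c;
            if (!recipient.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) continue;
            try {
                recipient.verify(issuer.getPublicKey());   // same name AND the signature checks out
                anchored = true;
                break;
            } catch (GeneralSecurityException e) {
                // same subject name but a different key: keep looking
            }
        }
        if (!anchored) {
            findings.add("issuer '" + recipient.getIssuerX500Principal() + "' of '" + recipientAlias
                    + "' is not in the store; import it with keytool -importcert");
        }
        return findings;
    }

    /** Validity window and RSA key size of one certificate. */
    private static List<String> inspect(String alias, X509Certificate cert) {
        List<String> f = new ArrayList<>();
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            f.add("'" + alias + "' is outside its validity period: " + e.getMessage());
        }
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) {
                f.add("'" + alias + "' has a " + bits + "-bit RSA key; use 2048 or more outside a test");
            }
        }
        return f;
    }

    public static void main(String[] args) throws Exception {
        // args: keystore storePass sigAlias keyPass recipientAlias. The defaults describe the
        // post's test keystore, where one self-signed key is used for everything.
        String path = args.length > 0 ? args[0] : "C:\\test_keystore.jks";
        String storePass = args.length > 1 ? args[1] : "password";
        String sigAlias = args.length > 2 ? args[2] : "client_key";
        String keyPass = args.length > 3 ? args[3] : storePass;
        String recipient = args.length > 4 ? args[4] : sigAlias;
        List<String> findings = check(path, storePass.toCharArray(), sigAlias, keyPass.toCharArray(), recipient);
        if (findings.isEmpty()) {
            System.out.println("keystore ok: " + path);
        } else {
            for (String line : findings) System.out.println("PROBLEM: " + line);
            System.exit(1);
        }
    }
}
```

For the single shared keystore of this post, java KeystoreCheck C:\test_keystore.jks password client_key password client_key reports only the 1024-bit key. With separate client and server keystores, export the server's certificate with keytool -exportcert and import it into the client store under whatever alias you will pass as recipient; that alias is local to the client's store and does not have to match the alias the server uses.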

The next part is to add a WSM policy to a BPEL service.

Select the server policy you want to use and deploy the composite to the SOA Suite server.


Now we can make a JAX-WS proxy client to test the policy. In this client we use the matching client policy: a *_service_policy on the server pairs with the *_client_policy of the same name. If this does not compile, check your libraries.


package nl.whitehorses.wsclient;

import java.util.Map;

import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceRef;

import oracle.webservices.ClientConstants;

import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class BPELProcess1_ptClient
{
    // Injected by the container when the client runs inside WebLogic; a standalone
    // run creates the generated service class explicitly in main().
    @WebServiceRef
    private static Bpelprocess1_client_ep bpelprocess1_client_ep;

    public static void main(String[] args)
    {
        bpelprocess1_client_ep = new Bpelprocess1_client_ep();

        // Client policy that matches oracle/wss10_message_protection_service_policy on the BPEL service.
        SecurityPolicyFeature[] securityFeature = new SecurityPolicyFeature[] {
            new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy") };

        BPELProcess1 port = bpelprocess1_client_ep.getBPELProcess1_pt(securityFeature);

        // Tell the OWSM client agent which keystore and keys to use. The test keystore
        // holds a single self-signed key, so the same alias signs the request, decrypts
        // the response and (as recipient) encrypts for the server.
        Map<String, Object> reqContext = ((BindingProvider) port).getRequestContext();
        reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
        reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:\\test_keystore.jks");
        reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
        reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client_key");
        reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "password");
        reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "client_key");
        reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "password");
        reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "client_key");

        System.out.println("output = " + port.process("aaaa"));
    }
}
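The client above hard-codes the store and key passwords and uses one alias for signing, encryption and the recipient certificate, which only works because the test keystore is shared between client and server. Here is an added example, not code from the original post, of the same proxy set up for real use: keystore settings come from system properties (the owsm.* property names are this example's own), the signing key, encryption key and recipient certificate are separate aliases, and a second method shows the username token variant that corresponds to the basic.credentials entry. It assumes the JDeveloper-generated Bpelprocess1_client_ep and BPELProcess1 classes from the post and the same WebLogic/OWSM libraries; that OWSM honours the standard JAX-WS BindingProvider.USERNAME_PROPERTY and PASSWORD_PROPERTY for the username token client policy is my understanding of OWSM 11g, not something the post states.

```java
package nl.whitehorses.wsclient;

import java.util.Map;

import javax.xml.ws.BindingProvider;

import oracle.webservices.ClientConstants;

import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

/*
 * Added example, not part of the original post. Uses the same generated stubs as the
 * client above (Bpelprocess1_client_ep, BPELProcess1); the owsm.* system property
 * names are this example's own convention.
 */
public class SecureClientFactory {

    private static String required(String name) {
        String value = System.getProperty(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing system property -D" + name);
        }
        return value;
    }

    /** Proxy for oracle/wss10_message_protection_client_policy (sign + encrypt, no user name). */
    public static BPELProcess1 messageProtectionPort() {
        Bpelprocess1_client_ep service = new Bpelprocess1_client_ep();
        BPELProcess1 port = service.getBPELProcess1_pt(
                new SecurityPolicyFeature("oracle/wss10_message_protection_client_policy"));

        String storePass = required("owsm.keystore.password");
        String sigAlias = required("owsm.keystore.sig.alias");                      // our key: signs the request
        String encAlias = System.getProperty("owsm.keystore.enc.alias", sigAlias);  // our key: decrypts the response
        String keyPass = System.getProperty("owsm.keystore.key.password", storePass);
        String recipient = required("owsm.keystore.recipient.alias");               // the server's certificate in OUR store

        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
        ctx.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, required("owsm.keystore.location"));
        ctx.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, storePass);
        ctx.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, sigAlias);
        ctx.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, keyPass);
        ctx.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, encAlias);
        ctx.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, keyPass);
        ctx.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, recipient);
        return port;
    }

    /** Proxy for oracle/wss_username_token_client_policy: the standalone counterpart of basic.credentials. */
    public static BPELProcess1 usernameTokenPort() {
        Bpelprocess1_client_ep service = new Bpelprocess1_client_ep();
        BPELProcess1 port = service.getBPELProcess1_pt(
                new SecurityPolicyFeature("oracle/wss_username_token_client_policy"));
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        // Inside a FMW domain OWSM reads these from the oracle.wsm.security / basic.credentials
        // entry of the credential store; a standalone client passes them with the JAX-WS keys
        // (assumed OWSM behaviour, see the lead-in).
        ctx.put(BindingProvider.USERNAME_PROPERTY, required("owsm.user"));
        ctx.put(BindingProvider.PASSWORD_PROPERTY, required("owsm.password"));
        return port;
    }

    public static void main(String[] args) {
        boolean userToken = "usernametoken".equalsIgnoreCase(System.getProperty("owsm.policy", "messageprotection"));
        BPELProcess1 port = userToken ? usernameTokenPort() : messageProtectionPort();
        System.out.println("output = " + port.process(args.length > 0 ? args[0] : "aaaa"));
    }
}
```

Run it with -Dowsm.keystore.location=C:\test_keystore.jks -Dowsm.keystore.password=... -Dowsm.keystore.sig.alias=client_key -Dowsm.keystore.recipient.alias=... and so on; system properties still show up in process listings, so in production load them from a file with restricted permissions or from the credential store. A plain username token policy sends the password in the SOAP header without protection, so only use it over SSL (OWSM ships oracle/wss_username_token_over_ssl_client_policy for that) or combined with message protection.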



If all went well, we can do the same with an ADF Web Service Data Control.

To add the client policy, select DataControls.dcx and go to the Structure window.

Here we can define the web service security.

Select the right client policy. In this case we also need to override properties: press the button and fill in the recipient alias with your key alias. Otherwise OWSM falls back to its default recipient alias orakey, which does not exist in our keystore, and you get an orakey error.

And at last, deploy this web application with an EAR profile to the SOA Suite server and test your web app.

31 comments:

  1. Thanks for excellent posting on WSM and Oracle Fusion Middleware 11g. A very hands-on approach on how to secure web services.

    Seems like a complete repackaging of the WSM product.
    Is the WSM as standalone product still available?
    Suites are fine, but when it comes to security, separating security concern into a dedicated server process would be more flexible.

  2. Hi,

    Is the WSM as standalone product still available?

    No, the WSM like 10.1.3 is gone. You cannot deploy agents on servers and the gateway is also gone.
    WSM takes place in the services and references of the SOA Suite and of course on the WLS web services.

    And you can use the WSM agent in the ADF and JDeveloper Java applications.

    thanks Edwin

  3. Would like to know, in your ws-client code,
    where does the class Bpelprocess1_client_ep come from?
    Is it automatically generated when the BPEL process is created, or do you use the web service proxy wizard provided by JDeveloper to generate the ws-client?

  4. Hi,

    JDeveloper will generate this when you expose a Mediator or a BPEL SCA component. Then a service with this name is generated.

    thanks Edwin

  5. Excellent Post! My BPEL process makes a call to the webservice which requires encryption. This webservice is running on a different webserver - particularly an OSB (on WLS 10.3). Any ideas how to make it work?

    Thanks

  6. Hi,

    in the fusion help there is a whole chapter about WSM and OSB 10.3, called Interoperability with Oracle Service Bus 10g Security Environments

    http://download.oracle.com/docs/cd/E15523_01/web.1111/e16098/interop_osb.htm#BABJDGJJ

    hope this gives you all the answers

    in the next patchset ( osb11g, coming in a few months ) you can use the rmi binding

  7. Hi,

    Can you explain what is the need for

    Create a new key basic.credentials with as username weblogic and with password weblogic1

    Thanks,
    Jayaprakash

  8. Hi,

    you can use wsm policies that requires an username token.

    thanks

  9. Hi mr. Biemond,
    I'm trying to follow the procedure, but I'm creating the client using OEPE 11.1.1.3.0 (Eclipse 3.5.0) and I'm having some problems with the build path to be used. I've only added the weblogic.jar, but the ClientConstants class is not included, so I have no idea what other jars I have to include. Please help! Thanks

  10. Hi

    You need many libs; start with

    oracle_common\modules\oracle.jrf_11.1.1\jrf.jar

    and this jar imports a lot of other libs, so copy oracle_common\modules from JDeveloper to your OEPE location.

    thanks

  11. Hi mr. Biemond,
    thanks for the answer now I've finally made the code compile. I would also like to ask another question:
    I'm studying OWSM and I've come across an intriguing section in this documentation: http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/owsm_appendix.htm#CHDFEDCA . The section is "Oracle WSM Policies Are Not Advertised in WSDL". I don't understand why this is the case, because the primary objective of using WSM is to externally administer the policies without having to manually change the WSDL. Also, if these policies are not inserted in the WSDL, how are my external clients going to know how to call the web service? Does this mean WSM is intended only for in-house services? I'm using OWSM 11gR1 from SOA Suite (11.1.1.2.0).
    Thank you !

  12. Hi,

    What they mean is that you don't know it is oracle/wss10_message_protection_client_policy; this name is not published.
    This policy contains some assertions, and these are published in the WSDL.

    The WSM policy is just a name and does not mean anything outside the Oracle world.

    thanks

  13. Hi Edwin

    I need your advice. I am trying to create a web service proxy with the example, but I get this error:

    java.io.FileNotFoundException: /webserviceCliente/./config/jps-config.xml(No such file or directory)

    What it means?

    Thank you.

  14. Hi,

    Did you deploy it on a WebLogic installation with an ADF, WebCenter or SOA Suite add-on?

    And you need to enable enterprise manager on the weblogic domain.

    thanks

  15. Hi Edwin

    Thanks for the answer. What I made is a Generic Project in JDeveloper; I created a Java class with a static void main and used the code that I found in the example. I try to run this and I get this error, so I suppose I have to deploy this application in a WebLogic domain. I will try it.

    My problem is that I need to make a client for a web service that has oracle/wss10_message_protection_service_policy, and this client has to be usable by anyone. How can I do this?

    Thanks for help.

  16. Hi,

    For a secure ws client proxy this should work and you can use my example. Of course you need to generate a new ws proxy against a ws which is deployed on a FMW WLS server. This ws must have the server policy.

    thanks

  17. Hi

    Can you say where I can find information about how to deploy and test a ws proxy in a WLS server? I have generated that proxy with the main class.

    Thank you so much.

  18. Hi,

    by the way I think it is just a warning.

    but make a new project where you add a java class with some methods and add the WebService annotation.

    deploy this to a weblogic server.

    make a new project where you generate a ws proxy client based on the wsdl..

    and test this. After being successful you add security to WebLogic FMW, then add the server policy to the WS project and deploy it again, and the client policy to the ws client project.

    thanks

  19. Hello Mr. Biemond,
    I'm following your procedure but I would like to know what is the basic.credentials entry exactly for and if its needed for all policies. Thank you!

  20. Hi Edwin

    Thanks for the answer, I created another webservice and the webservice proxy, I make a test of this and everything is ok. Then when I add the security policy I have an error related with the jps-config.xml

    Anyway, I can use this client in another server, or only in a weblogic server?. If I can use another server, how can I do this?

    Thank you so much.

  21. Hi Lupan,

    basic.credentials is only needed for the wsm policies which requires user name token.

    thanks

  22. Hi Kike,

    Yes, I think you can use this client in another server ( like jboss )

    but you need to use the weblogic jars in your client. and find out which wsm client policy matches with the ws policy on the jboss web service. Probably you need to make your own wsm client policy.

    or you can use netbeans with metro
    http://biemond.blogspot.com/2009/05/weblogic-ws-policies-and-netbeans-metro.html

    thanks

    1. Hi Edwin, I am using a custom login at the IDP end. When I submit the form it doesn't post to the SP, but it works fine if I use basic auth. Please advise.

  23. Edwin, I'm trying to setup encryption on a composite app in SOA Suite using wss10_message_protection_service_policy. I followed your instructions on setting up the keystore. I added the policy to the inbound Service in my composite and deployed it. When I try to invoke the service from the test console, I get an error saying :

    InvalidSecurity : error in processing the WS-Security security header

    security header missing.

    I've tried to add username and password both as properties in the composite.xml as well as through the test page. I'm not sure what else to look at to get this working. Have you come across this problem?

    Thanks

  24. Hi,

    you can test it with the test console. The test is very basic.

    you can generate a java proxy service.

    The message protection service policy is no username (usertoken) protection.

    here you got some more info what to use in which situation.

    http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html

  25. Hi Edwin,
    I've created a BPEL process, and I want to protect my WSDL file.
    If I have to add a userid-password policy using OWSM to it at gateway level, how shall I proceed with that?
    Can you provide me with an example or steps to achieve the above?

    --Rupesh

  26. Hi,


    Take a look at this and choose your policy http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html

    good luck

  27. Hi Edwin,

    I am developing a JAX-WS client to access a web service which has the OWSM policy "wss_username_token_service_policy" attached to it. Hence I am trying to add the code below:

    weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature[] securityFeature = new weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature[] { new weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature( "policy:oracle/wss_username_token_service_policy") };

    But I am unable to find the class SecurityPolicyFeature class in weblogic.wsee.jws.jaxws.owsm package of weblogic.jar. It only has PolicySubjectBindingFeature class in it. Hence I am unable to proceed. Can you let me know where I can find this class?

    1. Hi,

      in jdeveloper you can add the OWSM policies jars to your project. Or you use the managed libraries option ( a menu item in jdev ) to find the jar by classname.

      thanks

  28. Hi Edwin,

    Thanks for the post. It is very useful. We have followed the same steps however we are getting below error. Can you please suggest

    WSM-00276 : Validation failed for the identity published in the WSDL endpoint
    Caused By: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid. Validation failed for the certificate "Subject DN:- CN=service, DC=oracleoutsourcing, DC=com, Serial Number:- 1374555321, Issuer DN:- CN=service, DC=oracleoutsourcing, DC=com" Certificates in cert path used for validation are:- "Subject DN:- CN=service, DC=oracleoutsourcing, DC=com, Issuer DN:- CN=service, DC=oracleoutsourcing, DC=com"

    java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

  29. Hi Edwin,

    Great post. In normal scenarios, same keystore will not be shared by server and client. Can you please explain the steps to configure Web Service datacontrols from ADF to call OWSM secured service with message protection.

    Also, would like to know, if it is necessary to import the certificate with same alias name because the alias name might not be shared by the server.

    Many thanks in advance.
