Monday, August 18, 2014

Tutorial - Service And Client using ws11_username_token_with_message_protection Policy

OWSM comes with pretty extensive list of pre-defined security policy to serve the security needs in SOA and integration domain. These policies can be attached to a service or client as required and the actual implementation remains unaffected.

There are some documents, pages available about how to secure a SCA, bpel and how to write a secured client using "ws11_username_token_with_message_protection" policy but most of them are in bits and pieces. Hence I decided to write a tutorial with step by step information so that one can find all the steps and details at one place. Please go through it and shout out (by commenting :) ) if you see any step missing.

But before we start first understand what ws11_username_token_with_message_protection policy offers. This policy follows WS-Security 1.1 specification to apply authentication and message protection for a given. For authentication credentials (username, token) are passed in plain text and the message is protected by encryption and digitally signing the message.

Securing a service with ws11_username_token_with_message_protection_service_policy

Pre-requisite: A SCA with a bpel. An authentication provider must be configured on the weblogic and it should be first in the list of providers with "SUFFICIENT" control flag.
  • Open the composite and right click on the exposed service. Then select "Configure WS Policies".
  • Select the request binding from drop down (top) in the window that appears.
  • Under "Security" section click add button and select "ws11_username_token_with_message_protection_service_policy".

Next step is to setup Oracle WSM keystore with private keys and configure server to support the message encryption and digital signature of the message.

  • Goto <domain_home>/config/fmwconfig
  • Create a JKS keystore with keytool or any other UI based tool like "KeyStore Explorer". This keytool command below will generate a self signed private key for encryption and digital signature and create a keystore if it doesn't exist or else add it it existing keystore.

keytool -genkeypair -keyalg RSA -alias myalias -keypass welcome2 -keystore default-keystore.jks -storepass welcome1 -validity 3600

  • Next open the EM console, expand Weblogic Domain and right click on domain.
  • Navigate to Security > Security Provider Configuration 
  • Expand Keystore and click Configure button.

  • In next page enter the Keystore path, password, Signature Key Alias, Encryption key Alias and password. From above command the signature, encryption alias and password will be myalias and welcome2 respectively.
  • Restart the server.

Verification - The service wsdl should be changed now to include the security policy.


Configure a client with ws11_username_token_with_message_protection_client_policy

  • Open the composite and right click on the exposed service. Then select "Configure WS Policies".
  • Select the request binding from drop down (top) in the window that appears.
  • Under "Security" section click add button and select "ws11_username_token_with_message_protection_client_policy".
  •  In client's keystore import the server certificate if a self signed certificate is used. If CA issued the server certificate then import the root certificate from CA to client truststore. Below command export the certificate from the server keystore.
 
keytool -exportcert -alias myalias -file root.cer -keystore default-keystore.jks
 -storepass welcome1

  • And this one import the server certificate (public key) into client keystore with the alias provided.
 
keytool -importcert -alias svrcrtalias -trustcacerts -file root.cer -keystore 
client-default-keystore.jks -storepass welcome1
 
With above steps the client's keystore is configured to use the server's public key for encryption and signing the message. The username token policy that we attached in first step needs a username and credential to pass. But from where does this username, credentials will come ? This info will come from the password store in OWSM CSF (Credentials Store Provider). Follow the below steps.

  • Open the EM console, expand Weblogic Domain and right click on domain.Navigate to Security > Credentials.


  • Under map oracle.wsm.security, create a new key with the name you like for e.g. com.sample.test
  • Provide the username, password and press ok.

Now the policy should be pointed to use this credential. Follow below steps to achieve this.

  • Goto JDeveloper and open the composite having the reference of the secured service.
  • Right click and select "Configure WS Policies".
  • Select the pre-attached client policy under security section and click the edit icon. The window will show up like below.


  • Edit the csf-key and enter the key name of OWSM CSF which in our case is - "com.sample.test". 
  • Edit the keystore.recipient.alias and update it with the alias that was provided while importing the server certificate in client keystore. In our case it is - svrcrtalias. It is an indication to the client weblogic to use certificate corresponding to given alias for encryption and signature of messages.

 This completes the client configure to invoke the service secured with username token authentication, message encryption and digital signature.

 

3 comments:

  1. Hai Thanks sir, This blog is very very helpful. Congratulations for your great work. Digital signature Certificate

    ReplyDelete
  2. This is great blog. I am pretty much impressed with your good work. You put really very helpful information. Up keep it.Digital signature in Delhi

    ReplyDelete
  3. I’m a little late reading this blog. It was very useful to me. Eagerly waiting for your future postings. Digital Signature Certificate

    ReplyDelete

Demystifying OIC, OCI and Oracle SOA CS

What is OIC (Oracle integration cloud), OCI (Oracle cloud infrastructure), and SOA cloud service and how they are different? - This has bee...