Securing an OSB Service with OWSM


In this post I will show how to secure a web service used by OSB (Oracle Service Bus) by authenticating it against an OWSM (Oracle Web Services Manager) policy.

We will add a User Name Token service OWSM policy to secure the Proxy Service in OSB.

Below are the steps for using a simple web service in OSB and applying the following OWSM policy to it:

oracle/wss_username_token_service_policy

OSB Business/Proxy services

The OSB project is created first, then the web service is imported into OSB. After that, the OSB Business and Proxy Services are created.

Create Project

  • Select Project Explorer.
  • Project Explorer: press the Projects link.
  • Change Center section: press [Create] or [Edit].
  • Projects screen: enter a new project name, e.g. “OWSM-Demo”, and press [Add Project].
  • Change Center section: press [Activate] and submit details.

Import Web Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • Resources section: Create Resource field select: Bulk->Resources from URL.
  • Load Resources wizard | Load Resources From URL screen: enter the following.
  • Review Loaded Resources screen: accept defaults and press [Import].
  • Change Center section: press [Activate] and submit details.

Create Business Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • From the Create Resources drop-down, select Business Service.
  • Create a Business Service (OWSM-Demo/) wizard: General Configuration screen:
    • Service Name field: enter “validateCardService”
    • Description field: enter anything i.e. “Business Service to validate CC”
    • Service Type section select ‘WSDL Web Service’ and press [Browse].
    • Select a WSDL window: select wsdl validateCC and press [Submit]
    • Select a WSDL definition: select entry in Port i.e. validateCCPort and press [Submit].
    • WSDL Web Service field populates entries
    • Press [Last] then [Save] in the Summary screen, and then activate changes.

Test Business Service

  • Project Explorer: select “OWSM-Demo”
  • Resources section: for the new Business Service just created, press the ‘Launch Test Console’ icon.
  • Business Service Testing – validateCardService window: Request Document section: modify the XML so it returns a valid value and press [Execute].
  • The response will depend on the web service you are using. Since we are not testing OWSM policies at this stage there is no need to add any security in the header.

Create Proxy Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • From the Create Resources drop-down, select Proxy Service.
  • Create a Proxy Service (OWSM-Demo/) wizard: General Configuration screen:
    • Service Name field: enter “validateCardProxy”
    • Description field: enter anything i.e. “Proxy Service to validate CC”
    • Service Type section select ‘Business Service’ Press [Browse].
    • Select Business Service window: select a business service i.e. “validateCardService” and press [Submit].
    • Business Service field is populated with the selected business service.
    • WSDL Web Service field populates entries.
  • Press [Last] then [Save] in the Summary screen, and then activate changes.

Test Proxy

  • Test the Proxy Service the same way the Business Service was tested, by pressing the ‘Launch Test Console’ icon for the Proxy Service.

Secure the Proxy Service

We will provide authentication for the Proxy Service by adding an OWSM policy, i.e. oracle/wss_username_token_service_policy.

Add OWSM Policy

  • Change Center section: press [Create].
  • In the OWSM-Demo project select the Proxy Service.
  • View a Proxy Service screen: select Policies tab.
  • Service Policy Configuration section: select OWSM Policy Bindings and expand proxy name i.e. validateCardProxy.
  • Press [Add].
  • Select OWSM Policy screen: select oracle/wss_username_token_service_policy and press [Submit].
  • The OWSM policy is registered with the Proxy Service.
  • Press [Update].
  • Select Security tab
  • Web Services Security Configuration section: Process WS-Security Header field: press [Yes].
  • Press [Update] and activate changes.

Create a Keystore File

  • Go to the following folder:
    $WLS_HOME/user_projects/domains/<domain>/config/fmwconfig
  • Run the following command to create the default keystore.
    keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

    What is your first and last name?
    [Unknown]: weblogic
    What is the name of your organizational unit?
    [Unknown]: Support
    What is the name of your organization?
    [Unknown]: Oracle
    What is the name of your City or Locality?
    [Unknown]: US
    What is the name of your State or Province?
    [Unknown]: US
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=weblogic, OU=Support, O=Oracle, L=US, ST=US, C=US correct?
    [no]: yes

 

Configure Keystore Configuration in EM

  • Log into EM and expand node Weblogic Domain.
  • Right-click the domain name and select Security | Security Provider Configuration.
  • Security Provider Configuration screen: Expand Keystore.
  • Press [Configure].
  • Keystore Configuration screen: Add the following keystore information.
    • Keystore Path: no change is needed, since the default-keystore.jks file is in the fmwconfig directory.
    • Password: welcome1
    • Key Alias: orakey
    • Signature Password: welcome1
    • Crypt Alias: orakey
    • Crypt Password: welcome1
  • Save changes.

 

Configure Security Credentials in EM

  • Still in EM, right-click domain name and select Security | Credentials.
  • Credentials screen: expand/select oracle.wsm.security
  • Press [Create Key].
  • Create Key dialog: add the following.
    • Map: oracle.wsm.security (default)
    • Key: joe-key
    • Type: Password
    • User Name: joe (this is the same user name that will be used in the OSB console).
    • Password: welcome1 (this is the same password that will be used in the OSB console).
    • Press [OK].

Add a User in OSB

  • In OSB Console select Security Configuration | Users.
  • Summary of Users screen: press [Add New].
  • Create New User screen:
    • User Name field: enter “joe”
    • New Password/Confirm Password fields: “welcome1”.
    • Press [Save]. The user “joe” will appear in list of users.

 

Test OWSM Policy in OSB

 

Reference: Oracle Knowledge Base (Doc ID 1265548.1)

One comment

  1. Hi Nitin,

    All your blogs are very helpful and nice to understand.
    Did you come across this when doing the upgrade from an older version to the latest version of 12c on OSB services? While migrating from 11g to 12c, in Oracle Service Bus WLS policies are deprecated and it is recommended to use OWSM. Now we want to do the same thing, but don't want to make the changes manually in the sbconsole by creating the session (the changes are to be made all the way up to prod, and almost all project proxies' request operations are using a WLS policy, which is a common one for all; the same thing is now to be moved to OWSM oracle/wss_username_token_service_policy). We want to do that using scripts. Could you please tell me how this can be done?
