Design Patterns

Securing an OSB Service with OWSM


In this post I will show how to secure a web service used by OSB (Oracle Service Bus) by authenticating it against an OWSM (Oracle Web Services Manager) policy.

We will add a User Name Token service OWSM policy to secure the Proxy Service in OSB.

Below are the steps for using a simple web service in OSB and applying the following OWSM policy to it:

oracle/wss_username_token_service_policy

 

 

OSB Business/Proxy services

The OSB project is created first, then the web service is imported into OSB, and finally the OSB Business and Proxy Services are created.

Create Project

  • Select Project Explorer.
  • Project Explorer: press Projects link.
  • Change Center section: press [Create] or [Edit].
  • Projects screen: enter a new project name, e.g. “OWSM-Demo”, and press [Add Project].

  • Change Center section: press [Activate] and submit details.

Import Web Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • Resources section: Create Resource field select: Bulk->Resources from URL.
  • Load Resources wizard | Load Resources From URL screen: enter the following.
  • Review Loaded Resources screen: accept defaults and press [Import].
  • Change Center section: press [Activate] and submit details.

Create Business Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • From the Create Resources drop-down, select Business Service.
  • Create a Business Service (OWSM-Demo/) wizard: General Configuration screen:
    • Service Name field: enter “validateCardService”
    • Description field: enter anything, e.g. “Business Service to validate CC”
    • Service Type section: select ‘WSDL Web Service’ and press [Browse].
    • Select a WSDL window: select the WSDL validateCC and press [Submit].
    • Select a WSDL definition: select the entry in Port, e.g. validateCCPort, and press [Submit].
    • The WSDL Web Service field is populated with the selected entries.
    • Press [Last] then [Save] in the Summary screen, and then activate changes.

Test Business Service

  • Project Explorer: select “OWSM-Demo”
  • Resources section: for the new Business service just created press the ‘Launch Test Console’ icon.

  • Business Service Testing – validateCardService window: Request Document section: Modify the XML so it returns a valid value and press [Execute].
  • The response will depend on the web service you are using. Since we are not testing OWSM policies at this stage there is no need to add any security in the header.

Create Proxy Service

  • Change Center section: press [Create].
  • Project Explorer: select “OWSM-Demo”
  • From the Create Resources drop-down, select Proxy Service.
  • Create a Proxy Service (OWSM-Demo/) wizard: General Configuration screen:
    • Service Name field: enter “validateCardProxy”
    • Description field: enter anything, e.g. “Proxy Service to validate CC”
    • Service Type section: select ‘Business Service’ and press [Browse].
    • Select Business Service window: select a business service, e.g. “validateCardService”, and press [Submit].
    • The Business Service field is populated with the selected business service.
    • The WSDL Web Service field is populated with the corresponding entries.
  • Press [Last] then [Save] in the Summary screen, and then activate changes.

Test Proxy

  • Test the Proxy Service the same way the Business Service was tested, by pressing the ‘Launch Test Console’ icon for the Proxy Service.

Secure the Proxy Service

We will provide authentication for the Proxy Service by adding an OWSM policy, i.e. oracle/wss_username_token_service_policy.

Add OWSM Policy

  • Change Center section: press [Create].
  • In the “OWSM-Demo” project select the Proxy Service.
  • View a Proxy Service screen: select the Policies tab.
  • Service Policy Configuration section: select OWSM Policy Bindings and expand the proxy name, e.g. validateCardProxy.
  • Press [Add].
  • Select OWSM Policy screen: select oracle/wss_username_token_service_policy and press [Submit].
  • The OWSM policy is registered with the Proxy Service.
  • Press [Update].
  • Select the Security tab.
  • Web Services Security Configuration section: Process WS-Security Header field: press [Yes].
  • Press [Update] and activate changes.

Create a Keystore File

  • Change to the following folder:
    $WLS_HOME/user_projects/domains/<domain>/config/fmwconfig
  • Run the following command to create the default keystore:
    keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

    What is your first and last name?
    [Unknown]: weblogic
    What is the name of your organizational unit?
    [Unknown]: Support
    What is the name of your organization?
    [Unknown]: Oracle
    What is the name of your City or Locality?
    [Unknown]: US
    What is the name of your State or Province?
    [Unknown]: US
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=weblogic, OU=Support, O=Oracle, L=US, ST=US, C=US correct?
    [no]: yes

 

Configure Keystore Configuration in EM

  • Log into EM and expand the node WebLogic Domain.
  • Right-click the domain name and select Security | Security Provider Configuration.
  • Security Provider Configuration screen: Expand Keystore.
  • Press [Configure].
  • Keystore Configuration screen: Add the following keystore information.
    • Keystore Path: no change is needed, since the default-keystore.jks file is in the fmwconfig directory.
    • Password: welcome1
    • Key Alias: orakey
    • Signature Password: welcome1
    • Crypt Alias: orakey
    • Crypt Password: welcome1
  • Save changes.

 

Configure Security Credentials in EM

  • Still in EM, right-click domain name and select Security | Credentials.
  • Credentials screen: expand/select oracle.wsm.security
  • Press [Create Key].
  • Create Key dialog: add the following.
    • Map: oracle.wsm.security (default)
    • Key: joe-key
    • Type: Password
    • User Name: joe (this will be the same username that will be used in the OSB console).
    • Password: welcome1 (this will be the same password that will be used in the OSB console).
    • Press [OK].

Add a User in OSB

  • In OSB Console select Security Configuration | Users.
  • Summary of Users screen: press [Add New].
  • Create New User screen:
    • User Name field: enter “joe”
    • New Password/Confirm Password fields: “welcome1”.
    • Press [Save]. The user “joe” will appear in list of users.

 

Test OWSM Policy in OSB
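
An added example, not part of the original post: with the policy attached, a request to validateCardProxy has to carry a WS-Security UsernameToken header for the user created above. The sketch below builds that envelope for joe/welcome1 and one without the header for the negative test. The payload element and namespace are placeholders, and the PasswordDigest form is a generalization taken from the OASIS UsernameToken Profile; whether your policy configuration accepts it is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = WSS + "wssecurity-secext-1.0.xsd"
WSU = WSS + "wssecurity-utility-1.0.xsd"
UTP = WSS + "username-token-profile-1.0#"
# Constructed payload: element name and namespace are placeholders, take the
# real ones from the validateCC WSDL.
BODY = '<v:validateCard xmlns:v="urn:example:validatecc"><v:number>0000</v:number></v:validateCard>'

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_request(body_xml, user=None, password=None, nonce=None, created=None):
    """SOAP 1.1 envelope; a wsse:Security header is added when user is given.
    Passing nonce and created switches PasswordText to PasswordDigest."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    if user is not None:
        sec = ET.SubElement(header, f"{{{WSSE}}}Security")
        tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
        ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
        pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
        if nonce is not None and created is not None:
            pw.set("Type", UTP + "PasswordDigest")
            pw.text = password_digest(nonce, created, password)
            b64_nonce = base64.b64encode(nonce).decode()
            ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = b64_nonce
            ET.SubElement(tok, f"{{{WSU}}}Created").text = created
        else:
            pw.set("Type", UTP + "PasswordText")
            pw.text = password  # readable on the wire unless transport is TLS
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def token_summary(envelope: str):
    """Return (username, password type), or None when no token is present."""
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    pw_type = tok.find(f"{{{WSSE}}}Password").get("Type").rsplit("#", 1)[1]
    return tok.findtext(f"{{{WSSE}}}Username"), pw_type

if __name__ == "__main__":
    print(build_request(BODY, "joe", "welcome1"))  # positive test
    print(build_request(BODY))                     # negative test: no header
```

Send the first envelope from the Test Console or any SOAP client; the second one, which has no Security header, is the request an enforced username token policy is expected to reject.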

 

Reference: Oracle Knowledge Base (Doc ID 1265548.1)

Implementing sequencing solutions with OSB when using JMS messaging


I came across this post when I was looking for options on how to implement sequencing solutions with OSB when using messaging (JMS):

https://forums.oracle.com/thread/2138854, which talks about using Message Unit-of-Order with JMS.

 

Using Message Unit-of-Order

Message Unit-of-Order is a WebLogic Server value-added feature that enables a stand-alone message producer, or a group of producers acting as one, to group messages into a single unit with respect to the processing order. This single unit is called a Unit-of-Order and requires that all messages from that unit be processed sequentially in the order they were created.

Oracle documentation: http://docs.oracle.com/cd/E12840_01/wls/docs103/jms/uoo.html

It doesn’t give us an as-is solution, but it is definitely worth exploring along these lines…

YouTube video presentation: http://youtu.be/B9J7q5NbXag

Other references: http://weblogic-wonders.com/weblogic/2011/03/11/unit-of-order-with-distributed-destinations/

Watch this space for updates on how I get on with this.

 

 

Moving and managing messages in JMS Queues


When dealing with several JMS Queues, it is apparent that one would need to move messages across these queues and manage them, e.g. moving messages from error queues to source queues, from destination to source for replay, etc.

So the question is: how can you move a message from one JMS Queue to another? There are a few options for that.

Option 1 – Using the out-of-the-box OSB Console

Go to the WebLogic console -> JMS Modules -> JMSResources -> YourQueue -> Monitor -> show messages and select move.

Option 2 – Using Hermes JMS for managing JMS resources

Use the open source tool HermesJMS.

A video of the initial configuration steps to configure Hermes with WebLogic Server is available at

http://hermesjms.com/demos/ConfigureHermesWithWLS.html

Once you have configured it, you can click discover on the session to load all the available Queues and Topics for that connection, or you can manually add the destinations you want to use.

Browse the queues/topics for messages

Option 3 – Custom Java client for moving messages on JMS queues using the JMS API

Mark Nelson has written something along these lines: http://redstack.wordpress.com/2010/02/17/an-updated-simple-weblogic-jms-client/ but I would possibly look to take it a step further – details to follow.