Monday, July 19, 2010

OSB 11g and WSM

Scenario - I need to secure a proxy service (username/pwd), and sign/encrypt the payload.

For this sample we will expose the following Java class as a web service and
secure the request payload.

package simplecccws;

import javax.jws.WebService;

@WebService
public class validateCC {
public validateCC() {
super();
}
public String validateCard(String cardNr, String firstName, String lastName, String validUntilDate){
String rtc = "INVALID";
if (cardNr.startsWith("1")){
rtc = "VALID";
}
return rtc;
}
}

Create the Java class and deploy as a Web Service to WLS.

Test








Note the wsdl –

e.g. http://localhost:7001/AAA-validateCC-root/validateCCPort?WSDL

and save to the local file system

Create the OSB Business/Proxy services

Import WSDL to OSB and create a Business Service based on it.




Create a Proxy Service based on the Business Service.




Test Proxy






Secure the Proxy Service

Add username token with message protection policy



The result...



Set up OWSM for OSB and create a test user

Register Keystore using Enterprise Manager. This step is required so OSB test console or SOA reference can use the OWSM csf-key to look up the
username/password to send the ValidateCard Proxy Service secured with the
UserNameToken with Message OWSM policy.

Setup default keystore - Copy your sample keystore file, default-keystore.jks to the domain home’s fmwconfig directory, e.g.
/oracle/soa/mwhome/user_projects/domains/soa-osb/config/fmwconfig.

You can create a default-keystore as follows, if you don't have one -




Open em







In the Security Provider Configuration, find Keystore under Web Services
Manager Authentication Providers. Expand Keystore and Click Configure




Create user in WLS using OSB console. OSB Proxy Service will use WLS Default Authenticator to authenticate the username/password in the WS-Security SOAP Headers received from the client. The user created using OSB console is available to the WLS Default Authenticator.

OSB Console - Click on Security Configuration






Add csf-key for user joe created in step 2. This step is required so the OSB test console/SOA reference can lookup the username/password using the csf-key.

In Enterprise Manager, select soa_osb_domain Weblogic Domain. Expand
Security and select Credentials as shown below.



Create Map with name oracle.wsm.security if it does not already exist.

Create a new key –

joe-key
o User Name: joe
o Password: welcome1





Test the Proxy Service

Set the following values in the OSB test console –


and Execute the test

View the result -

21 comments:

Halvor said...

Hello, thanks for an excellent blog that I help me to understand the usage of keystore for OWSM policy in the OSB.

I succeed to test the proxy service from the test page but with at different configuration for the property keystore.recipient.alias.

When I tried to test the proxy service with your configuration of the properties I got the following error:

[OSB Security - OWSM:387257]Invalid Recepient Alias "joe-key" specified.

To succeed I removed the override value joe-key (then the default value orakey is used) from the property
keystore.recipient.alias (still using override value joe-key for property csf-key).

Do you have any explanation for this?


Best Regards

Halvor Larsen

Rob said...

Thanks for the overview, however, I'm not able to get this to work. When I invoke my proxy service through the test console, I get an error stating:

[OSB Security - OWSM:387257]Invalid Recepient Alias "SecurityTester-key" specified.

SecurityTester-key is the key I setup for the user I created.

Any ideas?

Niall Commiskey said...

hi guys,

I'm currently on vacation but will look at this as soon as I return.

NiallC.

Niall Commiskey said...

Sorry guys,

the screenshot was incorrect. You mustn't override orakey in this case.

I've corrected the blog entry accordingly!

chandra@SOA said...

Hi,
In the post you have mentioned that we need to create Map with name oracle.wsm.security.

But when i tried to create a MAP it was just asking the name but not the type.I am unable to create the MAP of this type.

Please suggest me.
chandra.soa@gmail.com

Niall Commiskey said...

Hi Chandra,

you should have to create the Map. You should simply havve to select it from the list.

Is that not the case with you?

Raj said...

Hi, Thanks for the excellent blog. I tried it and implemented succesfully. In addition to this i am trying to implement below usecases for invalid user and without header.

Usecase 1:

I am sending a request from soapUI as below,





Test
TestPassword





Rose




when user is invalid - Seeing error: WSM-00008 : Web service authentication failed in logs



Usecase 2:

Without Header part.

Seeing error: WSM-00069 : The security header is missing in logs.

But the problem is in Proxy Service Error Handler: A common error is giving for both the cases i.e "BEA-386200: General web service security error".

I want to differentiate between these two types and send corresponding error message to client.

How i can do this ?

Is there a way to get OWSM Error code in Proxy service error handler ?

Please advise.

shailesh said...

Thanks for the detailed steps. I was able to follow it successfully. I am now trying to invoke it through a BPEL process, but getting errors. Can you also elaborate on how to do that?

Regards,
Rakhee

Niall Commiskey said...

Hi Shailesh,

what errors are you getting?
How are you invoking osb from BPEL?

You will have to pass the security credentials across.

Rakhee said...

Hello,

I created OSB business and proxy services based on a WSDL (as described by you). Attached the 'wss10_username_token_with_message_protection_service_policy ' policy to the proxyservice. Then I created a BPEL process. Created a partner link for the same WSDL and attached the policy 'wss10_username_token_with_message_protection_client_policy'. Also defined the csf key and added credentials (in the domain) through the em console. Now when I try to invoke the proxy service from this BPEL process, I am getting below error.


oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): http://lnx04.aarisha.com:8011/ValidateCC/ProxyService/ValidateCCProxy at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:575) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:299) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(AstValue.java:157) at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283) at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53) at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1259) at


Will appreciate if you could point to me what I am doing wrong or what is missing.

Regards,
Rakhee

Niall Commiskey said...

stupid question, but is the endpoint
http://lnx04.aarisha.com:8011/ValidateCC/ProxyService/ValidateCCProxy

valid?

Mohan said...

Great Post... Just something that I was looking for the whole last week to do...

But encountered an error at the last step of testing it..

OSB Security - OWSM:387253]Failed to initialize Owsm Credential Manager. Please validate the keystore Configuration.

Any help would be greatly appreciated.

-mohan

Niall Commiskey said...

Hi Mohan,

please refer to http://download.oracle.com/docs/cd/E14571_01/web.1111/b32511/setup_config.htm#WSSEC1401

let me know if the issue persists.

Niall C.

McNairStation said...

Niall,
It worked for me...thanks for you help...
But I am not sure if creating a user in the OSB Console is required... My test works from the console even after I created the Joe user from Security Configuration.

thanks,
-mohan

Niall Commiskey said...

Excellent!

bgbauer said...

Niall,

It's possible to catch the policy violation message at the error handler on proxy service? When a policy error occurs the message is always the same: "BEA-386200: General web service security error".

Thanks.

bgbauer said...

Niall,

It's possible to catch details of the policiy violation error (message) on the proxy service? When a policy violation occurs the error is always the same: "BEA-386200: General web service security error".

Thanks.

Niall Commiskey said...

I'm traveling this week, but will try this out asap.

Kumar said...

I was trying with a different user using a different policy and I am not using orakey but I too created my own key and tried overriding it through my code but get the following error-

Also I am using ldap authentication so I don't know if Credential store is required in my case.



oracle/wss11_username_token_with_message_protection_service_
policy

My code is :

CalculatorWS calcservice = service.getCalculatorWSPort(securityFeatures);

Map reqContext = ((BindingProvider)
calcservice).getRequestContext();
// Add the user
reqContext.put(BindingProvider.USERNAME_PROPERTY,
"kumar@test.com" );(not revealing my ldap original id for security reasons)
reqContext.put(BindingProvider.PASSWORD_PROPERTY,
"RHAap5QC" );

//reqContext.put(SecurityConstants.//ClientConstants.WSS_CSF_KEY, //"testcredstore");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE,
"JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION,
"C:/keys/sdi-keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD,
"password");

reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS,
"sdikey");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD,
"password");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS,
"sdikey");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS,
"sdikey");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD,
"password");







<An error ocur
red during web service security inbound request processing [error-code: Security
HeaderUnmarshallingError, message-id: 1198234943626868863--33a9afa1.13683054ba4.
-7fdc, proxy: calculator/proxy/calculator, operation: null]
--- Error message:

oracle.wsm.security.SecurityException: WSM-00069 : The security header is missin
g. Ensure that there is a valid security policy attached at the client side, and
the policy is enabled.
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor
.verify(Wss11X509TokenProcessor.java:832)
at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor
.verify(Wss11X509TokenProcessor.java:808)
at oracle.wsm.security.policy.scenario.executor.Wss11UsernameWithCertsSc
enarioExecutor.receiveRequest(Wss11UsernameWithCertsScenarioExecutor.java:134)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor
.execute(SecurityScenarioExecutor.java:596)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(Assert
ionExecutor.java:41)
Truncated. see log file for complete stacktrace

I am wondering what is going wrong. I attached the policy to my OSB proxy service. Also I am not developing client code using Jdeveloper but doing it on netbeans with the dependent jar files

ws.api_1.1.0.0.jar and wsclient_extended.jar.

Your prompt assistance would be highly appreciated.

Thanks,
Kumar

Anonymous said...

general web service security error is coming for a particular web service.
How can I fix this issue.

subash said...

Hi Niall,
In OSB 12c, I see the WLS policies are depricated, while upgrading from 11g to 12c, if there are wls policies implemented in 11g how to delete them, currently it is not permitting to edit the existing wls policy (to delete it), now we are in the process of deleting the existing wls policies planning to make use of OWSM policy (whic is the recommendation in 12c) through scripts if possible ( delete the wls policies referenced in the proxy service and enable the OWSM policy option and add the required policy)

Is WLST script is supported or available to attach the OWSM policy in the OSB proxy service with out manually changing it in the servicebus console. Please suggest on this.

Thanks in advance for our remarks.