For this sample we will expose the following Java class as a web service and
secure the request payload.
package simplecccws;

import javax.jws.WebService;

// Exposed as a JAX-WS web service; OSB fronts it with a secured Proxy Service.
@WebService
public class validateCC {

    public validateCC() {
        super();
    }

    // Sample check only: a card number that starts with "1" is treated as valid.
    public String validateCard(String cardNr, String firstName, String lastName, String validUntilDate) {
        String rtc = "INVALID";
        if (cardNr.startsWith("1")) {
            rtc = "VALID";
        }
        return rtc;
    }
}
Create the Java class and deploy it as a Web Service to WLS.
Test the deployed service.
Note the WSDL URL, e.g. http://localhost:7001/AAA-validateCC-root/validateCCPort?WSDL, and save the WSDL to the local file system.
Create the OSB Business/Proxy services
Import the WSDL into OSB and create a Business Service based on it.
Create a Proxy Service based on the Business Service.
Test the Proxy Service.
Secure the Proxy Service
Add the username token with message protection policy to the Proxy Service.
The result...
Set up OWSM for OSB and create a test user
Register the keystore using Enterprise Manager. This step is required so that the OSB test console or a SOA reference can use the OWSM csf-key to look up the username/password it sends to the ValidateCard Proxy Service, which is secured with the UserNameToken with Message Protection OWSM policy.
Set up the default keystore: copy your sample keystore file, default-keystore.jks, to the domain home's fmwconfig directory, e.g. /oracle/soa/mwhome/user_projects/domains/soa-osb/config/fmwconfig.
If you don't have one, you can create a default-keystore as follows -
Open Enterprise Manager.
In the Security Provider Configuration, find Keystore under Web Services Manager Authentication Providers. Expand Keystore and click Configure.
Create the user in WLS using the OSB console. The OSB Proxy Service uses the WLS Default Authenticator to authenticate the username/password carried in the WS-Security SOAP headers received from the client, and a user created through the OSB console is available to the WLS Default Authenticator.
OSB Console - click on Security Configuration.
Add a csf-key for the user joe created in step 2 above. This step is required so that the OSB test console or a SOA reference can look up the username/password using the csf-key rather than holding the password itself.
In Enterprise Manager, select the soa_osb_domain WebLogic Domain. Expand Security and select Credentials as shown below.
Create a Map with the name oracle.wsm.security if it does not already exist.
Create a new key:
  Key: joe-key
  User Name: joe
  Password: welcome1
Test the Proxy Service
Set the following values in the OSB test console and execute the test.
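The flow the post configures, as an added Python model that is not part of the original post and not Oracle's code: the client resolves a csf-key (joe-key in the oracle.wsm.security map) to a username/password and places a WS-Security UsernameToken in the SOAP header, and the service authenticates that token against its user store, the role the WLS Default Authenticator plays above. Both stores, the PasswordDigest form of the token, the nonce cache and the timestamp window are constructed for this example; message protection (signing and encrypting with the keystore) is not modelled. The service-side check also separates the two failure modes a commenter below reports from the logs, a missing security header and a failed authentication.

```python
"""Constructed model of the UsernameToken flow between an OSB client and Proxy Service."""
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-in for the OWSM credential store: map name -> csf-key -> (user, password).
# "stale-key" models a csf-key whose stored password no longer matches the user store.
CREDENTIAL_STORE = {
    "oracle.wsm.security": {
        "joe-key": ("joe", "welcome1"),
        "stale-key": ("joe", "old-password"),
    }
}
# Constructed stand-in for the WLS Default Authenticator's user store.
USER_STORE = {"joe": "welcome1"}
# Nonces already accepted, so a captured token cannot simply be replayed.
SEEN_NONCES = set()


def resolve_csf_key(csf_key, map_name="oracle.wsm.security"):
    """Client side: the code holds only the csf-key; the password comes from the store."""
    return CREDENTIAL_STORE[map_name][csf_key]


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0 PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(csf_key, card_nr, with_security_header=True, nonce=None, created=None):
    """Build the SOAP envelope for validateCard, carrying a UsernameToken unless told not to."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    if with_security_header:
        username, password = resolve_csf_key(csf_key)
        nonce = nonce if nonce is not None else os.urandom(16)
        created = created or datetime.datetime.now(datetime.timezone.utc).strftime(TIME_FMT)
        header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
        sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
        token = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
        ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
        pw = ET.SubElement(token, f"{{{WSSE_NS}}}Password", Type=PASSWORD_DIGEST)
        pw.text = password_digest(nonce, created, password)  # never the clear-text password
        ET.SubElement(token, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode()
        ET.SubElement(token, f"{{{WSU_NS}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(ET.SubElement(body, "validateCard"), "cardNr").text = card_nr
    return ET.tostring(env)


def verify_request(envelope, now=None, max_skew_seconds=300):
    """Service side: return "OK" or the reason the token is rejected."""
    root = ET.fromstring(envelope)
    token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return "MISSING_SECURITY_HEADER"      # the "security header is missing" case
    username = token.findtext(f"{{{WSSE_NS}}}Username") or ""
    pw = token.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce") or ""
    created = token.findtext(f"{{{WSU_NS}}}Created") or ""
    if pw is None or pw.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
        return "AUTHENTICATION_FAILED"
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
        created_at = datetime.datetime.strptime(created, TIME_FMT).replace(tzinfo=datetime.timezone.utc)
    except ValueError:
        return "AUTHENTICATION_FAILED"
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if abs((now - created_at).total_seconds()) > max_skew_seconds:
        return "AUTHENTICATION_FAILED"        # stale Created timestamp
    # Always compute a digest so an unknown user costs the same time as a wrong password.
    expected = password_digest(nonce, created, USER_STORE.get(username, "\0"))
    if username not in USER_STORE or not hmac.compare_digest((pw.text or "").encode(), expected.encode()):
        return "AUTHENTICATION_FAILED"        # the "web service authentication failed" case
    if nonce in SEEN_NONCES:
        return "REPLAYED_NONCE"
    SEEN_NONCES.add(nonce)
    return "OK"


if __name__ == "__main__":
    request = build_request("joe-key", "1234567890")
    print(verify_request(request))                                            # OK
    print(verify_request(build_request("joe-key", "1", with_security_header=False)))  # MISSING_SECURITY_HEADER
```

The point of the csf-key indirection is visible in the output: the envelope carries joe's name, a nonce and a digest, but the password welcome1 appears nowhere on the wire and nowhere in the calling code. A real OWSM deployment goes further with the message protection half of the policy, which is why the keystore and orakey alias matter in the steps above.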
Hello, thanks for an excellent blog that helped me to understand the usage of the keystore for an OWSM policy in OSB.
I succeeded in testing the proxy service from the test page, but with a different configuration for the property keystore.recipient.alias.
When I tried to test the proxy service with your configuration of the properties I got the following error:
[OSB Security - OWSM:387257]Invalid Recepient Alias "joe-key" specified.
To succeed I removed the override value joe-key (then the default value orakey is used) from the property
keystore.recipient.alias (still using override value joe-key for property csf-key).
Do you have any explanation for this?
Best Regards
Halvor Larsen
Thanks for the overview, however, I'm not able to get this to work. When I invoke my proxy service through the test console, I get an error stating:
[OSB Security - OWSM:387257]Invalid Recepient Alias "SecurityTester-key" specified.
SecurityTester-key is the key I setup for the user I created.
Any ideas?
Hi guys,
I'm currently on vacation but will look at this as soon as I return.
NiallC.
Sorry guys,
the screenshot was incorrect. You mustn't override orakey in this case.
I've corrected the blog entry accordingly!
Hi,
In the post you have mentioned that we need to create a Map with the name oracle.wsm.security.
But when I tried to create a Map it was only asking for the name, not the type. I am unable to create the Map of this type.
Please advise.
chandra.soa@gmail.com
Hi Chandra,
you should have to create the Map. You should simply have to select it from the list.
Is that not the case with you?
Hi, thanks for the excellent blog. I tried it and implemented it successfully. In addition to this I am trying to implement the use cases below for an invalid user and for a missing header.
Use case 1:
I am sending a request from soapUI as below,
Test
TestPassword
Rose
When the user is invalid, I see the error WSM-00008 : Web service authentication failed in the logs.
Use case 2:
Without the header part.
I see the error WSM-00069 : The security header is missing in the logs.
But the problem is in the Proxy Service Error Handler: a common error is given for both cases, i.e. "BEA-386200: General web service security error".
I want to differentiate between these two types and send the corresponding error message to the client.
How can I do this?
Is there a way to get the OWSM error code in the Proxy Service error handler?
Please advise.
Thanks for the detailed steps. I was able to follow it successfully. I am now trying to invoke it through a BPEL process, but getting errors. Can you also elaborate on how to do that?
Regards,
Rakhee
Hi Shailesh,
what errors are you getting?
How are you invoking osb from BPEL?
You will have to pass the security credentials across.
Hello,
I created OSB business and proxy services based on a WSDL (as described by you). I attached the 'wss10_username_token_with_message_protection_service_policy' policy to the proxy service. Then I created a BPEL process, created a partner link for the same WSDL and attached the policy 'wss10_username_token_with_message_protection_client_policy'. I also defined the csf key and added credentials (in the domain) through the em console. Now when I try to invoke the proxy service from this BPEL process, I am getting the error below.
oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): http://lnx04.aarisha.com:8011/ValidateCC/ProxyService/ValidateCCProxy at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:575) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:299) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(AstValue.java:157) at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283) at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53) at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1259) at
Will appreciate if you could point to me what I am doing wrong or what is missing.
Regards,
Rakhee
stupid question, but is the endpoint
http://lnx04.aarisha.com:8011/ValidateCC/ProxyService/ValidateCCProxy
valid?
Great Post... Just something that I was looking for the whole last week to do...
But I encountered an error at the last step of testing it..
OSB Security - OWSM:387253]Failed to initialize Owsm Credential Manager. Please validate the keystore Configuration.
Any help would be greatly appreciated.
-mohan
Hi Mohan,
please refer to http://download.oracle.com/docs/cd/E14571_01/web.1111/b32511/setup_config.htm#WSSEC1401
let me know if the issue persists.
Niall C.
Niall,
It worked for me... thanks for your help...
But I am not sure if creating a user in the OSB Console is required... My test works from the console even after I created the Joe user from Security Configuration.
thanks,
-mohan
Excellent!
Niall,
Is it possible to catch the policy violation message at the error handler on the proxy service? When a policy error occurs the message is always the same: "BEA-386200: General web service security error".
Thanks.
Niall,
Is it possible to catch the details of the policy violation error (message) on the proxy service? When a policy violation occurs the error is always the same: "BEA-386200: General web service security error".
Thanks.
I'm traveling this week, but will try this out asap.
I was trying with a different user using a different policy. I am not using orakey but created my own key and tried overriding it through my code, but I get the following error.
Also I am using LDAP authentication, so I don't know if the Credential store is required in my case.
oracle/wss11_username_token_with_message_protection_service_policy
My code is:

    CalculatorWS calcservice = service.getCalculatorWSPort(securityFeatures);
    Map reqContext = ((BindingProvider) calcservice).getRequestContext();
    // Add the user (not revealing my LDAP original id for security reasons)
    reqContext.put(BindingProvider.USERNAME_PROPERTY, "kumar@test.com");
    reqContext.put(BindingProvider.PASSWORD_PROPERTY, "RHAap5QC");
    // reqContext.put(SecurityConstants.ClientConstants.WSS_CSF_KEY, "testcredstore");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/keys/sdi-keystore.jks");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "sdikey");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "password");
    reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "sdikey");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "sdikey");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "password");
<An error ocurred during web service security inbound request processing [error-code: SecurityHeaderUnmarshallingError, message-id: 1198234943626868863--33a9afa1.13683054ba4.-7fdc, proxy: calculator/proxy/calculator, operation: null]
--- Error message:
oracle.wsm.security.SecurityException: WSM-00069 : The security header is missing. Ensure that there is a valid security policy attached at the client side, and the policy is enabled.
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:832)
    at oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verify(Wss11X509TokenProcessor.java:808)
    at oracle.wsm.security.policy.scenario.executor.Wss11UsernameWithCertsScenarioExecutor.receiveRequest(Wss11UsernameWithCertsScenarioExecutor.java:134)
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:596)
    at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
Truncated. see log file for complete stacktrace
I am wondering what is going wrong. I attached the policy to my OSB proxy service. Also, I am not developing the client code using JDeveloper but doing it in NetBeans with the dependent jar files ws.api_1.1.0.0.jar and wsclient_extended.jar.
Your prompt assistance would be highly appreciated.
Thanks,
Kumar
A general web service security error is coming for a particular web service.
How can I fix this issue?
Hi Niall,
In OSB 12c, I see the WLS policies are deprecated. While upgrading from 11g to 12c, if there are WLS policies implemented in 11g, how do we delete them? Currently it is not permitting us to edit the existing WLS policy (to delete it). We are now in the process of deleting the existing WLS policies and planning to make use of OWSM policies (which is the recommendation in 12c) through scripts if possible (delete the WLS policies referenced in the proxy service, enable the OWSM policy option and add the required policy).
Is a WLST script supported or available to attach the OWSM policy to the OSB proxy service without manually changing it in the Service Bus console? Please suggest on this.
Thanks in advance for your remarks.