Chapter 11. Handling Message-level Security Requirements
In this chapter, we will cover:
Preparing OSB server to work with OWSM
Configuring OSB server for OWSM
Securing a proxy service by Username Token authentication
Securing a proxy service by protecting the message
Securing a proxy service by using Username Token authentication and protecting the message
Securing a proxy service by using certificate authentication and protecting the message
Securing a proxy service with authorization through Message Access Control
Using JDeveloper to test a secured service
Calling a secured service from OSB
Security has always played and still plays an important role in today's information-driven business processes. Consumers of information must know who sent the information and that it has not been changed or read by others. Only then can they trust the message and carry out the transaction.
When thinking about security it is important to distinguish between transport-level and message-level security.
Transport-level security represents a technique where the underlying operating system or application server handles the security features. Recipes for transport-level security are covered in the next chapter.
Message-level security represents a technique where all information related to security is encapsulated in the message itself. This is what WS-Security specifies for web services. Securing messages using message-level security instead of transport-level security has several advantages that include:
Preparing OSB server to work with OWSM
Before OWSM can be used, we need to create a Metadata Service (MDS) database repository. The OWSM policies will be stored in the MDS, and these policies can be used at design time by Eclipse OEPE or the Service Bus console, and at runtime by the OSB server. The second step is to extend our OSB domain with the OWSM and the Enterprise Manager options.
This recipe will show how to create an OWSM-enabled OSB domain.
For this recipe, you will need the following in place: a WebLogic domain with the OSB 11g R1 option enabled.
An Oracle Database in version 10g R2, 11g R1, or 11g R2. The database should be on the latest patch set.
A database schema user with the sysdba privilege that can be used by the Repository Creation Utility (RCU).
Download the Repository Creation Utility from http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html, where we should accept the license agreement...
Configuring OSB server for OWSM
After installing the OWSM component to our WebLogic domain, we will be configuring the OSB server for OWSM. For this, we need to generate a custom Java keystore which contains the server certificates and configure it in Enterprise Manager (EM).
First, let's create a Java keystore which will be used by OWSM. On the command line, perform the following steps:
Navigate to the bin folder of the JDK used by the OSB:
Generate a new Java keystore with a self-signed server key:
Copy the Java keystore server.jks located at c:\ to the config\fmwconfig folder of the OSB domain:
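The book does not print the commands for these three steps; the following PowerShell script is an added example (not the book's own) that carries them out with the JDK's keytool. It assumes JAVA_HOME points at the JDK used by OSB, and the domain path, key alias, subject name and passwords are placeholders to replace.

```powershell
# Added example: build the OWSM server keystore described in the recipe.
# Assumptions (placeholders): JAVA_HOME is the OSB JDK, $DomainHome is the OSB domain,
# alias/DN/passwords are examples and must be replaced before real use.
$JavaBin    = Join-Path $env:JAVA_HOME 'bin'
$DomainHome = 'C:\Oracle\Middleware\user_projects\domains\osb_domain'   # assumed path
$KeystorePw = 'changeit-store'   # placeholder
$KeyPw      = 'changeit-key'     # placeholder
$Alias      = 'osbserver'        # assumed alias, later entered in EM as the sign/encrypt key

Set-Location $JavaBin

# 1. Self-signed server key pair. RSA 2048 and an explicit validity override keytool's
#    defaults (older JDKs default to 1024-bit keys; validity defaults to 90 days).
& .\keytool.exe -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -validity 365 `
    -dname 'CN=osbserver, OU=OSB, O=Cookbook, C=US' `
    -keystore 'C:\server.jks' -storetype JKS -storepass $KeystorePw -keypass $KeyPw
if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed' }

# 2. Export the public certificate only. Clients that encrypt to or verify the server
#    need this .cer file, never the keystore that holds the private key.
& .\keytool.exe -exportcert -alias $Alias -keystore 'C:\server.jks' -storepass $KeystorePw `
    -rfc -file 'C:\osbserver.cer'
if ($LASTEXITCODE -ne 0) { throw 'keytool -exportcert failed' }

# 3. Copy the keystore into config\fmwconfig of the domain and confirm the entry exists.
$Target = Join-Path $DomainHome 'config\fmwconfig\server.jks'
Copy-Item 'C:\server.jks' $Target
& .\keytool.exe -list -v -keystore $Target -storepass $KeystorePw -alias $Alias
```

The last keytool -list should show a single PrivateKeyEntry for the alias; that alias and both passwords are what Enterprise Manager asks for when the keystore is registered in the next step.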
Next, we have to import the Java keystore into Enterprise Manager. Open Enterprise Manager in...
Securing a proxy service by Username Token authentication
In this recipe, we will secure a proxy service with an OWSM server policy using Eclipse OEPE.
For this recipe, we will use a simple OSB project with one proxy. Import the getting-ready project into Eclipse OEPE from \chapter-11\getting-ready\securing-a-proxy-service-with-username-token.
The OSB Server must be up and running and configured using the first two recipes of this chapter. This server needs to be defined in the Eclipse OEPE for this recipe to work.
In Eclipse OEPE, perform the following steps to add an OWSM policy to a proxy service:
Open the CustomerManagement.proxy in the proxy folder of the securing-a-proxy-service-with-username-token project.
Navigate to the Policy tab.
Enable From OWSM Policy Store.
Click Service Level Policies, which will enable the Add button.
Click Add and the OWSM Policy Configuration window will open.
Click Browse.
In the Select OWSM Policy window we need to choose a security...
Securing a proxy service by protecting the message
Apart from requiring the user to authenticate themselves to the proxy service, we can also enforce that a message be encrypted and signed using the message protection policies. In this recipe, we will enable the message protection to guarantee message integrity through digital signature and message confidentiality through XML encryption.
For this to work, we need to have the public key of the server certificate.
For this we will use the same simple OSB project as in the previous Securing a proxy service using Username Token authentication recipe.
Import the getting-ready project into Eclipse from \chapter-11\getting-ready\securing-a-proxy-service-with-message-protection.
The steps to execute in this recipe are the same as in the previous Securing a proxy service using Username Token Authentication recipe, only another policy needs to be selected. In the Eclipse OEPE, perform the following steps:
Open the CustomerManagement...
Securing a proxy service by using Username Token authentication and protecting the message
In this recipe, we will combine message protection with user authentication. For this we can reuse the client Java keystore and the osbbook user from the preceding recipes.
For this we will use the same simple OSB project as in the previous Securing a proxy service using username and password authentication through OWSM recipe.
Import the getting-ready project into Eclipse OEPE from \chapter-11\getting-ready\securing-a-proxy-service-with-auth-and-message-protection.
The steps to execute in this recipe are the same as in the previous Securing a proxy service using username and password authentication through OWSM recipe, only another policy needs to be selected. In the Eclipse OEPE, perform the following steps:
Open the CustomerManagement.proxy in the proxy folder of the securing-a-proxy-service-with-auth-and-message-protection project.
Navigate to the Policy tab.
Enable From...
Securing a proxy service by using certificate authentication and protecting the message
In this recipe, we will also use message protection similar to the previous recipes, but replace the username/password authentication with client certificate authentication. For this, we need to generate a client certificate and add the public key of the client certificate to the server Java keystore. This way, OWSM can verify the client signature which is added to the SOAP message.
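The certificate exchange this recipe relies on, as an added PowerShell example that is not part of the book: the client gets its own key pair, only the public certificates cross between the two keystores, and the server keystore ends up trusting the client certificate. It assumes the server.jks (alias osbserver) from the earlier recipe already sits in config\fmwconfig; paths, aliases and passwords are placeholders.

```powershell
# Added example: create the client keystore and install the client's public certificate
# in the OWSM server keystore so OWSM can verify the client's SOAP signature.
# Assumptions (placeholders): JAVA_HOME, the domain path, aliases and passwords.
$Keytool   = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$ServerJks = 'C:\Oracle\Middleware\user_projects\domains\osb_domain\config\fmwconfig\server.jks'  # assumed
$ClientJks = 'C:\client.jks'
$ServerPw  = 'changeit-store'    # placeholder, must match the server keystore
$ClientPw  = 'changeit-client'   # placeholder

# 1. Client key pair. The private key stays in client.jks and is never copied to the server.
& $Keytool -genkeypair -alias osbclient -keyalg RSA -keysize 2048 -validity 365 `
    -dname 'CN=osbclient, OU=OSB, O=Cookbook, C=US' `
    -keystore $ClientJks -storetype JKS -storepass $ClientPw -keypass $ClientPw
if ($LASTEXITCODE -ne 0) { throw 'client key generation failed' }

# 2. Export only the client's public certificate (PEM, via -rfc).
& $Keytool -exportcert -alias osbclient -keystore $ClientJks -storepass $ClientPw `
    -rfc -file 'C:\osbclient.cer'

# 3. Inspect the fingerprint before trusting it; -noprompt below skips the interactive check.
& $Keytool -printcert -file 'C:\osbclient.cer'

# 4. Import the client certificate as a trusted entry in the server keystore.
#    This is the entry OWSM uses to verify signatures made with the client's private key.
& $Keytool -importcert -alias osbclient -file 'C:\osbclient.cer' `
    -keystore $ServerJks -storepass $ServerPw -noprompt
if ($LASTEXITCODE -ne 0) { throw 'import of client certificate into server keystore failed' }

# 5. The client also needs the server's public certificate to encrypt to and verify the server.
& $Keytool -exportcert -alias osbserver -keystore $ServerJks -storepass $ServerPw `
    -rfc -file 'C:\osbserver.cer'
& $Keytool -importcert -alias osbserver -file 'C:\osbserver.cer' `
    -keystore $ClientJks -storepass $ClientPw -noprompt

# 6. Check: server keystore lists osbserver as PrivateKeyEntry and osbclient as trustedCertEntry.
& $Keytool -list -keystore $ServerJks -storepass $ServerPw
```

If the server keystore is replaced rather than updated, the OWSM keystore configuration in Enterprise Manager must be refreshed, otherwise the server keeps using the previously loaded entries.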
For this recipe, we will use the same simple OSB project as in the previous Securing a proxy service using username and password authentication through OWSM recipe.
Import the getting-ready project into Eclipse OEPE from \chapter-11\getting-ready\securing-a-proxy-service-with-cert-auth-and-msg-protect.
The steps to execute in this recipe are the same as in the previous Securing a proxy service using username and password authentication through OWSM recipe, only another policy needs to be selected...
Securing a proxy service with authorization through Message Access Control
In the Securing a proxy service by Username Token authentication recipe we have made sure that only authenticated users have access to services through the use of OWSM. With this recipe, we will extend this security configuration with authorization to make sure that only selected users, roles, or groups have access to the proxy service.
For this we will need the OSB project from the previous Securing a proxy service by Username Token authentication recipe.
The finished solution can be imported into Eclipse OEPE from \chapter-11\solution\securing-a-proxy-service-with-username-token.
In the Service Bus console, perform the following steps to configure Message Access Control:
In the menu to the left, click Project Explorer.
Navigate to the CustomerManagement proxy service.
Navigate to the Security tab.
Click Create in the Change Center on the upper-left corner to create a new change session.
Make...
Using JDeveloper to test a secured service
In this recipe, we will create a JDeveloper client for testing the secured OSB service created in the previous recipe. We will use the client certificate store created in the previous recipe.
For this we will need the OSB project from the previous Securing a proxy service using certificate authentication and protecting the message recipe.
The finished solution can be imported into Eclipse OEPE from \chapter-11\solution\securing-a-proxy-service-with-cert-auth-and-msg-protect.
In JDeveloper, we will create a new application workspace with a generic project. The generic project will be used to generate a web service proxy based on the WSDL of the customer proxy service.
In JDeveloper, perform the following steps:
Click File | New....
Choose Generic Application in the General category.
Enter OWSM into the Application Name field.
Click Browse, to the right of the Directory field, and select the workspace folder.
Enter osb.cookbook.owsm into...
Calling a secured service from OSB
In this recipe, we will call a secured web service by adding an OWSM client policy to a business service. For this we create a new business service that uses the WSDL of our previous recipe. This WSDL contains the OWSM server policy.
For this we will use a simple OSB project with one proxy. Import the getting-ready project into Eclipse OEPE from \chapter-11\getting-ready\calling-a-secured-service-form-OSB. Make sure that the solution from the Securing a proxy service using username and password authentication through OWSM recipe is deployed to the OSB server.
Open the WSDL of the secured proxy service and check whether the WSDL contains some WS-Security policies. In Eclipse OEPE, perform the following steps:
Expand the wsdl folder of the calling-a-secured-service-from-osb project.
Double-click on the CustomerManagement.wsdl. This is the WSDL consumed from the service provider.
Check that the WSDL has a wsp:Policy element.
Also check...