Federated Portals Guide


Configuring WSRP Security Between WLP and WebCenter Framework

This chapter describes one technique for establishing a secure communications channel for WSRP transactions between WebLogic Portal and WebCenter Framework. It includes the following sections:

 


Introduction

For web-based transactions to be secure, the following four components must be addressed:

The following configuration steps will enable integrity, authentication, and message freshness constraints in WSRP transactions between WebCenter Framework and WLP applications, as follows:

Note: Message confidentiality is not addressed in these steps. If confidentiality is a concern for your WSRP environment, please consider enabling SSL between your producer and consumer.

The security settings described in this chapter are but one possible configuration of Web Service security for WSRP. Many other Web Service security configuration settings can be further adjusted in both the WebLogic Portal and WebCenter Framework environments, as long as the settings are enabled and recognized in both environments. For further detailed information, see the WebLogic Server document “WebLogic Web Services: Security.”

 


SAML Security Between a WebCenter Framework Consumer and a WebLogic Portal Producer

This section explains how to configure SAML security for both a WebCenter Framework consumer and a WLP producer, and includes these topics:

Configuring the Consumer

This section discusses how to generate a key pair and export the public key certificate on the consumer. The tasks include:

Generate a Key Pair

This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.

  1. On the WebCenter Framework consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
  2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
  3. Run the keytool command to generate a new key pair. For example, the following command generates a key pair, wraps the public key in a certificate, and stores the certificate and the private key in a keystore named mykeystore.jks, identified by the alias wckey:

    keytool -genkeypair -alias wckey -keypass wckeypass -keyalg rsa -keysize 1024 -keystore mykeystore.jks -storepass mykeystorepass -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"

  4. Make a note of your new keystore's passphrase, the key pair's alias, and the key pair's passphrase. This data, as well as the keystore file itself (mykeystore.jks), will be used when configuring the WebCenter Framework consumer.

Export the Public Key Certificate

The producer needs the public key certificate (the public half of the "key pair" generated in the previous step) installed in its trust key store. Follow these steps to export the public key certificate to a file, which will then be imported into a trusted key store on the producer.

  1. On the consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
  2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
  3. Run the keytool command to export the previously created certificate to a file. For example, the following command creates a certificate file named wckey.der from the key pair identified by alias wckey:

    keytool -exportcert -alias wckey -keypass wckeypass -keystore mykeystore.jks -storepass mykeystorepass -file wckey.der

Configuring the Producer

This section explains how to configure the producer. To do this, you import the public key certificate into the SAML asserter, and configure the asserting party properties. The tasks include:

Import the Public Key Certificate Into The Producer Domain's Trust Key Store

  1. Copy the certificate file created in the previous step to the WebLogic Portal producer's domain directory (for example, <MW_HOME>/user_projects/domains/base_domain).
  2. On the producer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
  3. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
  4. Change directory to the root directory for your producer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
  5. Run the keytool command to import the previously created certificate file to the domain's trust keystore. For example, the following command imports the certificate identified by alias wckey from the certificate file named wckey.der to the DemoTrust.jks keystore:

    keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file wckey.der -alias wckey -keypass wckeypass

  6. If prompted to "Trust this certificate? [no]: ", type yes and press Enter to add the certificate to the keystore.
  7. If your server is currently running, restart it.
Note: WebLogic Portal is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Portal trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment. For more information, see the WebLogic Server document Understanding WebLogic Security.
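
The import step makes the producer trust whatever file was copied over, so it is worth confirming that the trust store entry is the certificate that was exported on the consumer. The following check is an added example, not part of the original guide: it compares the SHA-256 fingerprint of wckey.der with the one that keytool -list -v reports for alias wckey. It assumes a keytool version that prints a SHA256 fingerprint line; the function names, the democa alias, the certificate bytes and the listing are constructed for illustration.

```python
import hashlib
import re


def der_fingerprint(der_bytes):
    """SHA-256 over the DER file, formatted the way keytool prints it (AA:BB:...)."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keystore_fingerprints(listing):
    """Parse `keytool -list -v` text into {alias: SHA-256 fingerprint}."""
    found, alias = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        m = re.match(r"Alias name:\s*(.+)$", line)
        if m:
            alias = m.group(1).strip().lower()  # compare aliases case-insensitively
            continue
        # 32 bytes -> 64 hex digits plus 31 colons = 95 characters
        m = re.match(r"SHA-?256:\s*([0-9A-Fa-f:]{95})$", line)
        if m and alias is not None:
            # Keep the first certificate listed under an alias (the entry's own).
            found.setdefault(alias, m.group(1).upper())
    return found


def verify_import(der_bytes, listing, alias="wckey"):
    """Return 'match', 'mismatch' or 'missing' for the alias in the trust store."""
    stored = keystore_fingerprints(listing).get(alias.lower())
    if stored is None:
        return "missing"
    return "match" if stored == der_fingerprint(der_bytes) else "mismatch"


# Constructed stand-ins: arbitrary bytes in place of wckey.der, and a listing
# shaped like the output of `keytool -list -v -keystore DemoTrust.jks`.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-certificate-body"
OTHER_DER = b"constructed-different-certificate"


def sample_listing(wckey_der):
    """Build a constructed two-entry listing whose wckey entry holds wckey_der."""
    return "\n".join([
        "Keystore type: JKS",
        "",
        "Your keystore contains 2 entries",
        "",
        "Alias name: democa",
        "Entry type: trustedCertEntry",
        "Certificate fingerprints:",
        "\t SHA1: " + ":".join(["00"] * 20),
        "\t SHA256: " + der_fingerprint(b"constructed-demo-ca"),
        "",
        "Alias name: wckey",
        "Entry type: trustedCertEntry",
        "Certificate fingerprints:",
        "\t SHA1: " + ":".join(["11"] * 20),
        "\t SHA256: " + der_fingerprint(wckey_der),
    ])


if __name__ == "__main__":
    # Trust store holds the exported certificate.
    print(verify_import(SAMPLE_DER, sample_listing(SAMPLE_DER)))
    # Trust store holds some other certificate under the same alias.
    print(verify_import(SAMPLE_DER, sample_listing(OTHER_DER)))
```

In practice, pass the bytes of wckey.der as exported on the consumer and the text printed by keytool -list -v -keystore DemoTrust.jks -alias wckey on the producer.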

Modify the WSDL Templates in the Producer Web-App

  1. Copy the files wsrp-wsdl-template.wsdl and wsrp-wsdl-template-v2.wsdl to your workspace and open them for editing. The procedure for copying files to your workspace is described in “Copying J2EE Library Files Into a Project” in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
  2. In both files, replace the existing <wsp:Policy> element with the XML in Listing 17-1:

    Listing 17-1 Replacement wsp:Policy Element

    <wsp:Policy wsu:Id="ProducerDefaultPolicy"/>
    <wsp:Policy wsu:Id="WebCenterPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV11Token10/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
    </wsp:Policy>

  3. Save your changes to these two files.

Modify the Web Services Policy Configuration in the Producer Web-App

  1. Copy the file WEB-INF/weblogic-webservices-policy.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in Copying J2EE Library Files Into a Project in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
  2. Replace the entire contents of the file with the XML in Listing 17-2:

    Listing 17-2 Replacement weblogic-webservices-policy.xml

    <?xml version='1.0' encoding='UTF-8'?>
    <webservice-policy-ref xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

      <!-- Use WebLogic Server Admin Console to add new policies -->
      <ref-name>WebCenter Policies for the WSRP Producer</ref-name>

      <port-policy>
        <port-name>WSRP_v2_Markup_Service</port-name>
        <ws-policy>
          <uri>#WebCenterPolicy</uri>
          <direction>inbound</direction>
        </ws-policy>
      </port-policy>
      <port-policy>
        <port-name>WSRPBaseService</port-name>
        <ws-policy>
          <uri>#WebCenterPolicy</uri>
          <direction>inbound</direction>
        </ws-policy>
      </port-policy>
      <port-policy>
        <port-name>WLP_WSRP_Ext_Service</port-name>
        <ws-policy>
          <uri>#WebCenterPolicy</uri>
          <direction>inbound</direction>
        </ws-policy>
      </port-policy>
    </webservice-policy-ref>

  3. Save your changes, and republish your web project.
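
Listing 17-2 only has the intended effect if every <uri> resolves to a wsp:Policy with a matching wsu:Id in the edited WSDL templates; a port that is omitted, or that points at the empty ProducerDefaultPolicy, is not covered by the signing and SAML requirements. The following check is an added example, not part of the original guide: it cross-references the two files and reports ports that are missing or bound to a policy without sp:AsymmetricBinding and a signed sp:SamlToken. The function names and the abridged sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as they appear in the listings on this page.
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WLS = "http://www.bea.com/ns/weblogic/90"
# Ports that Listing 17-2 binds to #WebCenterPolicy.
REQUIRED_PORTS = ("WSRP_v2_Markup_Service", "WSRPBaseService", "WLP_WSRP_Ext_Service")

# Constructed, abridged stand-in for an edited WSDL template (Listing 17-1).
SAMPLE_WSDL = """<definitions xmlns:wsu="%s" xmlns:wsp="%s" xmlns:sp="%s">
  <wsp:Policy wsu:Id="ProducerDefaultPolicy"/>
  <wsp:Policy wsu:Id="WebCenterPolicy">
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:SamlToken><wsp:Policy><sp:WssSamlV11Token10/></wsp:Policy></sp:SamlToken>
    </wsp:Policy></sp:SignedSupportingTokens>
  </wsp:Policy>
</definitions>""" % (WSU, WSP, SP)


def q(ns, tag):
    """ElementTree-qualified name: {namespace}tag."""
    return "{%s}%s" % (ns, tag)


def refs_xml(bindings):
    """Build a constructed weblogic-webservices-policy.xml from {port: uri}."""
    ports = "".join(
        "<port-policy><port-name>%s</port-name><ws-policy><uri>%s</uri>"
        "<direction>inbound</direction></ws-policy></port-policy>" % (port, uri)
        for port, uri in bindings.items())
    return '<webservice-policy-ref xmlns="%s">%s</webservice-policy-ref>' % (WLS, ports)


def policies_by_id(wsdl_xml):
    """Map wsu:Id -> wsp:Policy element for every identified policy in the WSDL."""
    root = ET.fromstring(wsdl_xml)
    return {p.get(q(WSU, "Id")): p
            for p in root.iter(q(WSP, "Policy")) if p.get(q(WSU, "Id"))}


def check_ports(wsdl_xml, policy_ref_xml):
    """Return {port-name: [problems]}; an empty list means the port is covered."""
    policies = policies_by_id(wsdl_xml)
    findings = {name: ["port has no <port-policy> entry"] for name in REQUIRED_PORTS}
    signed_saml = ".//%s//%s" % (q(SP, "SignedSupportingTokens"), q(SP, "SamlToken"))
    for port in ET.fromstring(policy_ref_xml).iter(q(WLS, "port-policy")):
        name = (port.findtext(q(WLS, "port-name")) or "").strip()
        refs = port.findall(q(WLS, "ws-policy"))
        problems = [] if refs else ["no ws-policy reference"]
        for ref in refs:
            uri = (ref.findtext(q(WLS, "uri")) or "").strip()
            policy = policies.get(uri[1:]) if uri.startswith("#") else None
            if policy is None:
                problems.append("%s does not match any wsu:Id in the WSDL" % uri)
                continue
            if policy.find(".//" + q(SP, "AsymmetricBinding")) is None:
                problems.append("%s has no sp:AsymmetricBinding" % uri)
            if policy.find(signed_saml) is None:
                problems.append("%s has no signed sp:SamlToken" % uri)
        findings[name] = problems
    return findings


if __name__ == "__main__":
    # One port left on the empty default policy, one port omitted.
    drifted = refs_xml({"WSRP_v2_Markup_Service": "#WebCenterPolicy",
                        "WSRPBaseService": "#ProducerDefaultPolicy"})
    for port, problems in check_ports(SAMPLE_WSDL, drifted).items():
        print(port, "OK" if not problems else problems)
```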

Add a New Asserting Party to the SAML Identity Asserter

This section describes the final step in the producer configuration.

Tip: For more information on asserting party and other topics in this section, see SAML Framework Concepts in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server.
  1. Open the WebLogic Server Administration Console on the producer server and log in.
  2. Select Security Realms.
  3. Select a security realm, such as myrealm.
  4. Select the Providers tab.
  5. Select the Authentication tab.
  6. Select SAMLIdentityAsserter. An identity asserter allows WebLogic Server to establish trust by validating a user.
  7. Select the Management tab.
  8. Select the Asserting Parties tab.
  9. In the Asserting Parties table, click New.
  10. In the Profile pulldown menu, select WSS/Sender Vouches.
  11. In the Description field, enter a name to identify the asserting party, and select OK. For example: WebCenter SAML token.
  12. Enable the new asserting party. To do this, click the Partner ID link for the new asserting party (for example, ap_0002).
  13. Set the asserting party values as follows:

    | Parameter  | Value                                             |
    |------------|---------------------------------------------------|
    | Enabled    | true (Select the checkbox)                        |
    | Target URL | default                                           |
    | Issuer URI | Set on the consumer (for example, www.oracle.com) |

  14. Click Save. If there were no problems, the message "Settings updated successfully" appears.

The WebLogic Portal producer is now configured for SAML interoperability with a basic WebCenter Framework SAML configuration. The next step is to associate the WebCenter Framework consumer with the key pair created earlier (see Generate a Key Pair).

Register the WebLogic Portal Producer with the WebCenter Consumer

Note: For more detailed information on the following steps, see "Securing a WSRP Producer with WS-Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.
  1. Copy the keystore created earlier (see Generate a Key Pair) to your consumer server's file system, and note the path.
  2. From Oracle JDeveloper, follow these standard steps for registering a producer using the Register WSRP Portlet Producer wizard, with the following exceptions:
    1. On the Configure Security Attributes page, set the following values:

      | Parameter     | Value |
      |---------------|-------|
      | Token Profile | SAML Token with Message Integrity |
      | Configuration | Custom |
      | Default User  | A default username to send when unauthenticated (for example, fmwadmin) |
      | Issuer Name   | This needs to match the Issuer URI on the producer (for example, www.oracle.com). See Add a New Asserting Party to the SAML Identity Asserter |

    2. On the Specify Key Store page, set the following values:

      | Parameter               | Value |
      |-------------------------|-------|
      | Store Path              | Path on the consumer server to the JKS file. See Register the WebLogic Portal Producer with the WebCenter Consumer |
      | Store Password          | The keystore password. See Export the Public Key Certificate |
      | Store Type              | JKS |
      | Signature Key Alias     | The key alias |
      | Signature Key Password  | The key passphrase. See Export the Public Key Certificate |
      | Encryption Key Alias    | Leave the field blank. See Export the Public Key Certificate |
      | Encryption Key Password | Leave the field blank. See Export the Public Key Certificate |

Test the Configuration

The easiest way to test the configuration involves three steps:

  1. Create a simple JSP portlet on the producer with the following content:

    <%@ page language="java" contentType="text/html;charset=UTF-8" %>

    <p>Principal: <%=request.getUserPrincipal() %></p>

    <p>Remote User: <%=request.getRemoteUser() %></p>

    This code will show the username sent by the consumer when rendered, if the SAML configuration is working properly.

  2. Specify a default authenticated user when you establish your consumer's connection to the producer. (See Register the WebLogic Portal Producer with the WebCenter Consumer.) By doing this, the WebCenter Framework consumer will automatically send that username to the WebLogic Portal producer, without requiring the creation of a login mechanism on the consumer-side.
  3. Render the remote portlet on the consumer, and verify that the default username that was specified is rendered in the portlet's body.

 


SAML Security Between a WebLogic Portal Consumer and a WebCenter Framework Producer

This section discusses the producer-side and consumer-side configuration required to set up SAML security between a WLP consumer and a WebCenter Framework producer. This section includes these topics:

Register the WebCenter Framework Producer with the WebLogic Portal Consumer

Follow the steps in Locating and Consuming a Portlet to register your WebCenter Framework producer with the WebLogic Portal consumer. Make a note of the Producer Handle that you specify (for example, my_wc_producer), as this will be used later.

Add an Authentication Mechanism To Your Portal

For information on how to add a programmatic authentication mechanism to your portal, see Implementing Authentication Programatically in Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal.

Configure the WebLogic Portal Consumer

This section explains how to generate a key pair and export the public key certificate on the consumer. The tasks include:

Generate a Key Pair

This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.

  1. On the WebLogic Portal consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
  2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
  3. Change directory to the root directory for your consumer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
  4. Run the keytool command to generate a new key pair and add it to the DemoIdentity.jks keystore. For example, the following command generates a key pair, wraps the public key in a certificate, and stores the certificate and the private key in the DemoIdentity.jks keystore, identified by the alias wckey:

    keytool -genkeypair -alias wckey -keypass wckeypass -keyalg rsa -keysize 1024 -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"

  5. Make a note of your key pair's alias, and the key pair's passphrase. This data will be used when configuring both the WebLogic Portal consumer and the WebCenter Framework producer.
Note: WebLogic Portal is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Portal trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, do not use these keystores in a production environment. For more information, see Oracle Fusion Middleware Understanding WebLogic Security for Oracle WebLogic Server.

Export the Public Key Certificate

The producer needs the public key certificate (the public half of the "key pair" generated in the previous step) installed in its trust key store. Follow these steps to export the public key certificate to a file, which will then be imported into a trusted key store on the producer.

  1. On the WebLogic Portal consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
  2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
  3. Change directory to the root directory for your consumer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
  4. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
  5. Run the keytool command to export the previously created certificate to a file. For example, the following command creates a certificate file named wckey.der from the key pair identified by alias wckey:

    keytool -exportcert -alias wckey -keypass wckeypass -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -file wckey.der

Import the Public Key Certificate Into The Consumer Domain's Trust Key Store

To import the certificate, follow this procedure. The procedure uses the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.

  1. On the WebLogic Portal consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
  2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
  3. Change directory to the root directory for your consumer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
  4. Run the keytool command to import the previously created certificate file to the domain's trust keystore. For example, the following command imports the certificate identified by alias wckey from the certificate file named wckey.der to the DemoTrust.jks keystore:

    keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file wckey.der -alias wckey -keypass wckeypass

  5. If prompted to "Trust this certificate? [no]: ", type yes and press Enter to add the certificate to the keystore.
  6. If your server is currently running, restart it.

Add a New Policy to the Consumer Web-App

Add the following policy definition to your WebLogic Portal consumer to configure it to match the default policy configuration on a WebCenter Framework producer.

  1. In your web project, create a directory WEB-INF/classes/policies.
  2. In that directory, create a file named wcPolicy.xml, with the following contents:

    <wsp:Policy
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wssp="http://www.bea.com/wls90/security/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
      <wssp:Identity>
        <wssp:SupportedTokens>
          <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
            <wssp:Claims>
              <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:SupportedTokens>
      </wssp:Identity>
      <wssp:Integrity>
        <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
          <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
        </wssp:Target>
        <wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
          <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(Assertion)</wssp:MessageParts>
        </wssp:Target>
      </wssp:Integrity>
    </wsp:Policy>

  3. Save your changes to this file.

Update the Producer's Security Policy on the Consumer

  1. Copy the file WEB-INF/wsrp-consumer-security-config.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in Copying J2EE Library Files Into a Project in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
  2. Add a new <producer-security> element with the following contents:

    <producer-security>
      <!-- The producer's handle -->
      <producer-handle>my_wc_producer</producer-handle>

      <!-- The policy to use when the policy is not included in the WSDL. -->
      <policy-name>wcPolicy</policy-name>

      <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
      <!-- be removed. -->
      <strict-compatibility>false</strict-compatibility>

      <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
      <!-- (9.0 producer). -->
      <compatibility-forced>false</compatibility-forced>

      <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
      <!-- If both compatibility-forced is true and compatibility-enabled false -->
      <!-- no compat is sent -->
      <compatibility-enabled>false</compatibility-enabled>

      <!-- Should WLP specific handlers be deployed. -->
      <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
      <!-- Default: true -->
      <wlp-handlers-deployed>true</wlp-handlers-deployed>

      <!-- Should anonymous users be allowed? -->
      <!-- If disabled only logged in users may use this producer. -->
      <!-- Default: true -->
      <anonymous-users-allowed>true</anonymous-users-allowed>
    </producer-security>

  3. Populate the value of the <producer-handle> element with the handle you created in Register the WebLogic Portal Producer with the WebCenter Consumer, and populate the value of the <policy-name> element with the filename of the policy created in Add a New Policy to the Consumer Web-App, without its .xml extension (for example, wcPolicy).
  4. Save the changes, and republish the application.

Modify the Consumer's SAMLCredentialMapper

Follow the instructions in Modify the Consumer’s Security Realm to configure your WebLogic Portal consumer's SAMLCredentialMapper to use the new key pair defined earlier. Supply the following values as appropriate:

| Parameter                       | Value |
|---------------------------------|-------|
| Issuer URI                      | This needs to match the Issuer URI on the producer (for example, www.oracle.com). |
| Signing Key Alias               | The key alias. See Generate a Key Pair. |
| Signing Key Pass Phrase         | The key passphrase. See Generate a Key Pair. |
| Confirm Signing Key Pass Phrase | The key passphrase. See Generate a Key Pair. |

Configure the Consumer's PKI Credential Mapping Provider

  1. Follow the instructions in Configuring PKI Credential Mappings in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help to configure your WebLogic Portal consumer's PKICredentialMapper to use the new key pair defined earlier. Supply the following values as appropriate:

    | Parameter                    | Value |
    |------------------------------|-------|
    | Keystore Provider            | Keep the default value. |
    | Keystore Type                | JKS |
    | Keystore File Name           | DemoIdentity.jks (See Generate a Key Pair.) |
    | Keystore Pass Phrase         | DemoIdentityKeyStorePassPhrase (See Generate a Key Pair.) |
    | Confirm Keystore Pass Phrase | DemoIdentityKeyStorePassPhrase (See Generate a Key Pair.) |
    | Use Resource Hierarchy       | Keep the default value. |
    | Use Initiator Group Names    | Keep the default value. |

  2. Restart your server.

Create a New PKI Credential Mapping to the Consumer

  1. Follow the instructions in Configuring PKI Credential Mappings in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help to create a new security credential map on the consumer for the producer. Supply the following values as appropriate:

    | Parameter         | Value |
    |-------------------|-------|
    | Protocol          | Leave this field blank. |
    | Remote Host       | Leave this field blank. |
    | Remote Port       | Leave this field blank. |
    | Path              | Leave this field blank. |
    | Method            | Leave this field blank. |
    | Credential Type   | Key Pair |
    | Principal Name    | Enter the value of the <consumer-name> element in WEB-INF/wsrp-consumer-security-config.xml. |
    | Principal Type    | User |
    | Credential Action | Leave this field blank. |
    | Keystore Alias    | The key alias. See Generate a Key Pair |
    | Password          | The key passphrase. See Generate a Key Pair |
    | Confirm Password  | The key passphrase. See Generate a Key Pair |

Configuring the WebCenter Framework Producer

See the "Securing a WSRP Producer with WS-Security" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter for detailed information on securing your WebCenter Framework producer with SAML. At a minimum, the following steps are required:

  1. Import the public certificate created in Export the Public Key Certificate into a keystore on your producer.
  2. Add the new keystore to OWSM's keystore service.
  3. Assign the oracle/wss10_saml_token_with_message_integrity_service_policy policy to your web application’s WebServices WSRP markup ports.

 


(Optional) Additional Configuration for a WebLogic Portal Consumer

If you have set up your WebLogic Portal producer's security to interoperate with a WebCenter Framework consumer (as explained in Configuring the WebCenter Framework Producer), and you wish to consume portlets from that producer in a WebLogic Portal consumer, then the following steps are required:

  1. Register the WebLogic Portal producer with the WebLogic Portal Consumer
  2. Update the Producer's Security Policy on the Consumer
  3. Create a New PKI Credential Mapping to the Consumer

Register the WebLogic Portal producer with the WebLogic Portal Consumer

Follow the steps in Locating and Consuming a Portlet to register your WebCenter Framework producer with the WebLogic Portal consumer. Make a note of the Producer Handle that you specify (for example, my_wc_producer), as this will be used later.

Update the Producer's Security Policy on the Consumer

  1. Copy the file WEB-INF/wsrp-consumer-security-config.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in Copying J2EE Library Files Into a Project in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
  2. Add a new <producer-security> element with the following contents:

    <producer-security>
      <!-- The producer's handle -->
      <producer-handle>my_wlp_producer</producer-handle>

      <!-- The policy to use when the policy is not included in the WSDL. -->
      <policy-name>wsrp81compatPolicy</policy-name>

      <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
      <!-- be removed. -->
      <strict-compatibility>false</strict-compatibility>

      <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
      <!-- (9.0 producer). -->
      <compatibility-forced>false</compatibility-forced>

      <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
      <!-- If both compatibility-forced is true and compatibility-enabled false -->
      <!-- no compat is sent -->
      <compatibility-enabled>true</compatibility-enabled>

      <!-- Should WLP specific handlers be deployed. -->
      <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
      <!-- Default: true -->
      <wlp-handlers-deployed>false</wlp-handlers-deployed>

      <!-- Should anonymous users be allowed? -->
      <!-- If disabled only logged in users may use this producer. -->
      <!-- Default: true -->
      <anonymous-users-allowed>true</anonymous-users-allowed>
    </producer-security>

  3. Populate the value of the <producer-handle> element with the handle that was created earlier in Register the WebLogic Portal Producer with the WebCenter Consumer.
  4. Save the changes, and republish the application.

Create a New PKI Credential Mapping to the Consumer

This section explains how to create a new PKI credential mapping to the consumer, if one is not already present.

  1. Follow the instructions in Configuring PKI Credential Mappings in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help to create a new security credential map on the consumer for the producer. Supply the following values as appropriate:

    | Parameter         | Value |
    |-------------------|-------|
    | Protocol          | Leave this field blank. |
    | Remote Host       | Leave this field blank. |
    | Remote Port       | Leave this field blank. |
    | Path              | Leave this field blank. |
    | Method            | Leave this field blank. |
    | Credential Type   | Key Pair |
    | Principal Name    | Enter the value of the <consumer-name> element in WEB-INF/wsrp-consumer-security-config.xml. |
    | Principal Type    | User |
    | Credential Action | Leave this field blank. |
    | Keystore Alias    | The key alias. See Generate a Key Pair. |
    | Password          | The key passphrase. See Generate a Key Pair. |
    | Confirm Password  | The key passphrase. See Generate a Key Pair. |

