This chapter contains the following sections:
Overview of Interoperability with Oracle Service Bus 10g Security Environments
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)
In Oracle Service Bus 10g, you attach policies to configure your security environment for inbound and outbound requests. Oracle Service Bus uses the underlying WebLogic security framework as building blocks for its security services. For information about configuring and attaching policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html
.
Note:
Ensure that you have downloaded and applied the TYBN and U37Z patches released for Oracle Service Bus 10.3 using the patch tool.In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.
For more details about the predefined policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
For more information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Table 6-1 summarizes the most common Oracle Service Bus 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
For more information about:
Configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configuring and attaching Oracle Service Bus 10g policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html
.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.
Table 6-1 Interoperability With Oracle Service Bus 10g Security Environments
Interoperability Scenario | Client—>Web Service | Oracle WSM 11g Policies | Oracle Service Bus 10g Policies |
---|---|---|---|
Oracle Service Bus 10g—>Oracle WSM 11g |
wss10_username_token_with_message_protection_service_policy |
See Table 6-2 |
|
Oracle WSM 11g—>Oracle Service Bus 10g |
wss10_username_token_with_message_protection_client_policy |
See Table 6-3 |
|
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" |
Oracle Service Bus 10g—>Oracle WSM 11g |
oracle/wss10_saml_token_with_message_protection_service_policy |
See Table 6-4 |
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" |
Oracle WSM 11g—>Oracle Service Bus 10g |
oracle/wss10_saml_token_with_message_protection_client_policy |
See Table 6-5 |
Oracle Service Bus 10g—>Oracle WSM 11g |
oracle/wss_saml_or_username_token_over_ssl_service_policy |
See Table 6-6 |
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
Configuration Prerequisites for Interoperability
Perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:
Copy the default-keystore.jks and trust.jks files to your domain directory.
The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment.
Invoke the WebLogic Administration Console, as described in Accessing Oracle WebLogic Administration Console.
Configure the Custom Identity and Custom Trust keystores, as described in "Configuring keystores" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure SSL, as described in "Set up SSL" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Specify the private key alias, as required. For example: oratest
.
Configure a credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):
Keystore Provider: N/A
Keystore Type: jks
Keystore File Name: default_keystore.jks
Keystore Pass Phrase: <password>
Confirm Keystore Pass Phrase: <password>
Restart WebLogic Server.
Invoke the OSB Console. For example:
http://localhost:7001/sbconsole
Create a ServiceKeyProvider.
Specify Encryption Key and Digital Signature Key, as required.
You must use different keys on the Oracle WSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.
Perform the steps described in the following table.
Table 6-2 Username Token with Message Protection (WS-Security 1.0)—Oracle Service Bus 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g |
Perform the steps described in the following sections.
|
Client—Oracle Service Bus 10g |
Perform the following steps:
|
Perform the steps described in the following table.
Table 6-3 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle Service Bus 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle Service Bus 10g |
Perform the following steps:
|
Client—Oracle WSM 11g Client |
Perform the steps described in the following sections.
|
The following sections describe how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
Configuration Prerequisites for Interoperability
Perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:
Copy the default-keystore.jks and trust.jks files to your domain directory.
The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment.
Invoke the WebLogic Administration Console, as described in Accessing Oracle WebLogic Administration Console.
Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Restart WebLogic Server to add the new provider to the Administration Server's Runtime MBean server.
Select the authentication provider created in step 3.
Create and configure a SAML asserting party, as described in "SAML Identity Asserter V2: Create an Asserting Party" and "SAML Identity Asserter V2: Asserting Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure the SAML asserting party as follows (leave other values set to the defaults):
Profile: WSS/Sender-Vouches
Target URL: <OSB Proxy Service Endpoint URI>
Issuer URI: www.oracle.com
Select the Enabled checkbox and click Save.
Create a SamlCredentialMapperV2 credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper, for example, UC2_SamlCredentialMapperV2.
Restart WebLogic Server.
Configure the credential mapper as follows (leave other values set to the defaults):
Issuer URI: www.oracle.com
Note: This value is specified in the policy file.
Name Qualifier: oracle.com
Create and configure a SAML relying party, as described in "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure the SAML relying party as follows (leave other values set to the defaults):
Profile: WSS/Sender-Vouches
Target URL: <Oracle WSM 11g Web Service>
Description: <your_description>
Select the Enabled checkbox and click Save.
Restart WebLogic Server.
Perform the steps described in the following table.
Table 6-4 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle Service Bus 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g |
Perform the steps described in the following sections.
|
Client—Oracle Service Bus 10g |
Perform the following steps:
|
The following defines the custom SAML policy to be used:
Example 6-1 Custom SAML Policy
<?xml version="1.0"?> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssp="http://www.bea.com/wls90/security/policy" xmlns:wsu=" http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part" wsu:Id="custom_saml"> <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy"> <wssp:SupportedTokens> <wssp:SecurityToken TokenType= "http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID"> <wssp:Claims> <wssp:ConfirmationMethod> sender-vouches </wssp:ConfirmationMethod> </wssp:Claims> </wssp:SecurityToken> </wssp:SupportedTokens> </wssp:Identity> </wsp:Policy>
Perform the steps described in the following sections.
Table 6-5 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle Service Bus 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle Service Bus 10g |
Perform the following steps:
|
Client—Oracle WSM 11g |
Perform the steps described in the following sections.
|
The following section describes how to implement the SAML or username token over SSL policy, describing the following interoperability scenario:
Note:
The interoperability scenario described in this section also applies to the SAML Token Over SSL and Username Token Over SSL policies.Configuration Prerequisites for Interoperability
See "Configuration Prerequisites for Interoperability" for configuration information on the username token.
See "Configuration Prerequisites for Interoperability" for configuration information on the SAML token.
SAML Prerequisites for Interoperability
For SAML, perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:
Create a SamlCredentialMapperV2 credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper; for example, UC2_SamlCredentialMapperV2.
Restart WebLogic Server.
Configure the credential mapper as follows (leave other values set to the defaults):
Issuer URI: www.oracle.com
Note: This value is specified in the policy file.
Name Qualifier: oracle.com
Create and configure a SAML relying party, as described in "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure the SAML relying party as follows (leave other values set to the defaults):
Profile: WSS/Sender-Vouches
Target URL: <Oracle WSM 11g Web Service>
Description: <your_description>
Select the Enabled checkbox and click Save.
Restart WebLogic Server.
Perform the steps described in the following table.
Table 6-6 SAML or Username Token Over SSL—Oracle Service Bus 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g |
Perform the steps described in the following sections.
|
Client—Oracle Service Bus 10g |
Both the SAML token client and the username token client are supported Perform the following steps:
|