4 Securing Web Services Manager with OAuth2

This chapter provides information about securing Web Services Manager with the OAuth2 authorization framework.

The OAuth2 authorization framework enables you to secure clients' access to Oracle Communications Billing and Revenue Management (BRM) web services. When you set up Web Services Manager with OAuth2 authorization, client applications present a token to obtain authorization, and Web Services Manager validates that token before authorizing the user's access to BRM web services. Web Services Manager supports the Authorization Code Grant flow to secure access to web services; in this flow the client application's secret (password) stays on the server side rather than being exposed to the end user. Web Services Manager requires Oracle Identity and Access Management, which manages the identity and access of the clients that call BRM web services.

To set up Web Services Manager with OAuth2 authorization:

  1. Install Oracle Identity and Access Management. For installation instructions, see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  2. Configure Oracle Access Manager. See "Configuring Oracle Access Manager" for instructions.

  3. Configure Web Services Manager. See "Configuring Web Services Manager" for instructions.

  4. Enable OAuth validation for Web Services Manager. See "Enabling OAuth Validation for Web Services Manager" for instructions.

Configuring Oracle Access Manager

Oracle Access Manager is a component of Oracle Identity and Access Management.

To configure Oracle Access Manager:

  1. Create a resource. See "Creating a Resource" for instructions.

  2. Create a validation client. See "Creating an OAuth Validation Client" for instructions.

  3. Create a web client. See "Creating Web Service Clients" for instructions.

Creating a Resource

To create a resource:

  1. Log in to Oracle Access Manager Console.

  2. In your default identity domain, create a resource with any name. See Oracle Access Manager Console Help for instructions on creating resources.

  3. Add all the BRM web services as scopes.

  4. Specify the token settings to override the default settings.

Creating an OAuth Validation Client

An OAuth validation client acts as an internal client and runs within Web Services Manager. The validation client validates clients' access tokens: whenever a web service client accesses a BRM web service, the OAuth validation client validates the access token that the client presents.

To create an OAuth validation client:

  1. In Oracle Access Manager Console, in your default identity domain, create a client with the following specifications:

    • Name: ServiceTokenValidator

    • Client ID: ServiceTokenValidator

  2. Specify the settings to allow token attributes retrieval.

  3. Generate a client secret, which you will enter in the BRM_home/deploy/web_services/Infranet.properties file when you configure Web Services Manager.

Creating Web Service Clients

You can create a single client for all available services or one client for each service.

To create a web service client:

  1. In Oracle Access Manager Console, in your default identity domain, create a web client with the following specifications:

    • Name: BRMOAuthClient

    • Client ID: BRMOAuthClient

  2. Specify the settings to allow token attributes retrieval.

  3. Specify the URL of your client. For example, if you use a servlet test client to call BRMBalWebService, specify the URL of your servlet.

  4. Add all the BRM web services as scopes.

  5. Specify the Grant Type to use Authorization Code.

Configuring Web Services Manager

To configure Web Services Manager:

  1. Copy the BRM_home/deploy/web_services/Infranet.properties file to the directory of the server where the web server is installed.

  2. Open the copied Infranet.properties file in a text editor.

  3. Specify the following parameters:

    infranet.OAuthAccessTokenUrl=URL
    infranet.OAuthClientId=ServiceTokenValidator
    infranet.OAuthClientSecret=clientSecret
    infranet.OAuthGrantType=grantType
    infranet.OAuthTokenAction=validate
    infranet.OAuthTokenAttributes=tokenAttribute
    infranet.ResourceScopePrefix=scopePrefix
    

    where:

    • URL is the IP address and port number of the Oracle Access Manager server.

    • ServiceTokenValidator is the ID of the client that you added as the service token validator.

    • clientSecret is the client secret that you generated when you created the OAuth validation client.

      Note:

      The client secret can be added as plain text. However, you can encrypt this secret using the pin_crypt_app utility and add the encrypted secret to the file.

    • grantType is the type of grant. The default is: oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt.

    • tokenAttribute is the list of token attributes that Web Services Manager retrieves when it validates a token. The default is: oracle_token_attrs_retrieval=iss%20aud%20exp%20prn%20jti%20exp%20iat%20oracle.oauth.scope%20oracle.oauth.client_origin_id%20oracle.oauth.user_origin_id%20oracle.oauth.user_origin_id_type%20oracle.oauth.tk_context%20oracle.oauth.id_d_id%20oracle.oauth.svc_p_n

    • scopePrefix is your resource name. The resource name is a default prefix for all the available scopes of a certain resource. For example, if the resource scope is created as BRMWSM.BRMBalServices_v2, BRMWSM is the scope prefix.

  4. Save and close the file.

  5. Restart the WebLogic server.

Note:

When you restart the WebLogic server, ensure that the directory containing the libportal.so BRM library is included in LD_LIBRARY_PATH.

For JRE on 64-bit environments, rename libportal64.so to libportal.so.
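The parameter list above maps one-to-one onto lines of Infranet.properties, and two of the defaults are percent-encoded, which makes them hard to read in the file. The following Python script is added here as an example; it is not part of BRM or Web Services Manager, and its check logic is ours. It parses the seven keys from a constructed sample, decodes the grant type and the token-attribute list, checks that a scope such as BRMWSM.BRMBalServices_v2 carries the configured prefix, and flags a client secret that has not been encrypted. The host, port and secret in the sample are placeholders, and the "&aes|" prefix it uses to recognise a pin_crypt_app-encrypted value is an assumption to adjust for your release.

```python
"""Check the OAuth2 settings in a Web Services Manager Infranet.properties file.

Added example for this chapter; not part of Oracle BRM or Web Services Manager.
It parses the infranet.OAuth* and infranet.ResourceScopePrefix keys, decodes the
percent-encoded defaults so their meaning is visible, and reports the
configuration mistakes a reviewer would look for.
"""
from urllib.parse import unquote

# Constructed sample of the relevant lines; host, port and secret are placeholders.
SAMPLE_PROPERTIES = """\
# OAuth2 settings (constructed sample)
infranet.OAuthAccessTokenUrl=http://oam.example.test:14100
infranet.OAuthClientId=ServiceTokenValidator
infranet.OAuthClientSecret=PLACEHOLDER_PLAINTEXT_SECRET
infranet.OAuthGrantType=oracle-idm%3A%2Foauth%2Fgrant-type%2Fresource-access-token%2Fjwt
infranet.OAuthTokenAction=validate
infranet.OAuthTokenAttributes=oracle_token_attrs_retrieval=iss%20aud%20exp%20prn%20jti%20exp%20iat%20oracle.oauth.scope
infranet.ResourceScopePrefix=BRMWSM
"""

REQUIRED_KEYS = (
    "infranet.OAuthAccessTokenUrl",
    "infranet.OAuthClientId",
    "infranet.OAuthClientSecret",
    "infranet.OAuthGrantType",
    "infranet.OAuthTokenAction",
    "infranet.OAuthTokenAttributes",
    "infranet.ResourceScopePrefix",
)

# Assumption: a secret produced by pin_crypt_app starts with "&aes|".
# Adjust ENCRYPTED_PREFIX to whatever your BRM release emits.
ENCRYPTED_PREFIX = "&aes|"


def parse_properties(text):
    """Minimal Java-style .properties reader: key=value lines, comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def decode_grant_type(props):
    """Turn the percent-encoded grant type into the readable grant-type URI."""
    return unquote(props.get("infranet.OAuthGrantType", ""))


def decode_token_attributes(props):
    """Return the attribute names the validator asks OAM to return for a token."""
    value = unquote(props.get("infranet.OAuthTokenAttributes", ""))
    _, _, names = value.partition("=")  # drop the 'oracle_token_attrs_retrieval=' prefix
    return names.split()


def scope_matches_prefix(scope, prefix):
    """True when a scope like BRMWSM.BRMBalServices_v2 belongs to resource prefix BRMWSM."""
    return scope.startswith(prefix + ".")


def check_properties(props, expected_scopes=()):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"missing or empty: {key}")
    if props.get("infranet.OAuthTokenAction") != "validate":
        findings.append("infranet.OAuthTokenAction should be 'validate'")
    secret = props.get("infranet.OAuthClientSecret", "")
    if secret and not secret.startswith(ENCRYPTED_PREFIX):
        findings.append("client secret is stored in plain text; encrypt it with pin_crypt_app")
    if props.get("infranet.OAuthAccessTokenUrl", "").startswith("http://"):
        findings.append("OAuthAccessTokenUrl uses http; token validation calls should use https")
    prefix = props.get("infranet.ResourceScopePrefix", "")
    for scope in expected_scopes:
        if not scope_matches_prefix(scope, prefix):
            findings.append(f"scope {scope} does not start with prefix {prefix}.")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("grant type :", decode_grant_type(props))
    print("attributes :", decode_token_attributes(props))
    for finding in check_properties(props, ["BRMWSM.BRMBalServices_v2", "BRMWSM.BRMARServices_v2"]):
        print("finding    :", finding)
```

Run it against your real file by replacing SAMPLE_PROPERTIES with the file's contents; the decoded grant type reads oracle-idm:/oauth/grant-type/resource-access-token/jwt, and the attribute list is the space-separated names (iss, aud, exp, ...) that the validator retrieves for each token.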

Enabling OAuth Validation for Web Services Manager

By default, OAuth validation is disabled.

To enable OAuth validation for BRM web services:

  1. Open the local_dir/BrmWebServices.war file in a text editor, where local_dir is the directory that contains the BrmWebServices.war file.

  2. Uncomment the following text:

    <filter>
        <filter-name>OAuthTokenValidationFilter</filter-name>
        <filter-class>com.portal.jax.OAuthTokenValidationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>OAuthTokenValidationFilter</filter-name>
        <servlet-name>BrmWebServices</servlet-name>
        <url-pattern>/BrmWebServices/*</url-pattern>
        <url-pattern>/BRMPricingServices_v2/</url-pattern>
        <url-pattern>/BRMBalServices_v2/</url-pattern>
        <url-pattern>/BRMARServices_v2</url-pattern>
        <url-pattern>/BRMBillServices_v2</url-pattern>
        <url-pattern>/BRMCustServices_v2</url-pattern>
        <url-pattern>/BRMCustcareServices_v2</url-pattern>
        <url-pattern>/BRMInvServices_v2</url-pattern>
        <url-pattern>/BRMPymtServices_v2</url-pattern>
        <url-pattern>/BRMCollectionServices_v2</url-pattern>
        <url-pattern>/BRMReadServices_v2</url-pattern>
        <url-pattern>/BRMActServices_v2</url-pattern>
        <url-pattern>/BRMSubscriptionServices_v2</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

  3. Save and close the file.

  4. Regenerate the BrmWebServices.war file.
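Whether the filter actually guards a request depends on how its url-patterns match the request path, which follows the Servlet specification's rules: an exact string, a path prefix ending in /*, an extension *.ext, or the default /. The script below is an added example, not Oracle code: it implements those rules, runs a few constructed request paths against the patterns listed in the filter-mapping above, and reports paths that no pattern matches. Because the mapping above also binds the filter by servlet-name, which the script does not model, an unmatched path is something to verify against your deployment's servlet mappings rather than a confirmed gap; note in particular that some patterns above end with a slash and others do not, and an exact pattern matches only the spelling given.

```python
"""Check which request paths the OAuthTokenValidationFilter url-patterns cover.

Added example for this chapter; not Oracle code. Implements the Servlet
specification's url-pattern matching (exact, path prefix '/*', extension
'*.ext', default '/') for the patterns in the filter-mapping and reports
request paths that none of them match. Mapping by <servlet-name> and the
dispatcher types are not modelled here.
"""

# url-patterns as listed in the filter-mapping in this chapter.
FILTER_PATTERNS = [
    "/BrmWebServices/*",
    "/BRMPricingServices_v2/",
    "/BRMBalServices_v2/",
    "/BRMARServices_v2",
    "/BRMBillServices_v2",
    "/BRMCustServices_v2",
    "/BRMCustcareServices_v2",
    "/BRMInvServices_v2",
    "/BRMPymtServices_v2",
    "/BRMCollectionServices_v2",
    "/BRMReadServices_v2",
    "/BRMActServices_v2",
    "/BRMSubscriptionServices_v2",
]

# Constructed sample request paths (path within the web application, context path removed).
SAMPLE_PATHS = [
    "/BrmWebServices/BRMBalWebService",
    "/BRMBalServices_v2/",
    "/BRMBalServices_v2",
    "/BRMARServices_v2",
    "/BRMARServices_v2/",
]


def pattern_matches(pattern, path):
    """Apply the Servlet url-pattern rules for a single pattern against a request path."""
    if pattern in ("/", "/*"):
        return True  # default servlet pattern: everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]  # path mapping: '/foo/*' matches '/foo' and '/foo/anything'
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])  # extension mapping: '*.jsp' matches '/a/b.jsp'
    return path == pattern  # exact mapping: the string must match character for character


def matching_patterns(path, patterns=FILTER_PATTERNS):
    """All patterns that apply to the path (a filter runs if any of its patterns match)."""
    return [p for p in patterns if pattern_matches(p, path)]


def uncovered_paths(paths, patterns=FILTER_PATTERNS):
    """Request paths that no pattern in the filter-mapping matches."""
    return [path for path in paths if not matching_patterns(path, patterns)]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:40} -> {matching_patterns(path) or 'no url-pattern match'}")
    print("verify against servlet mappings:", uncovered_paths(SAMPLE_PATHS))
```

Feed it the real paths your clients call (taken from access logs or the WSDL endpoints) and confirm that every path either matches a url-pattern here or reaches the filter through the BrmWebServices servlet-name mapping.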