Skip Headers
Oracle® Fusion Middleware Application Adapter for Siebel User's Guide for Oracle WebLogic Server
11g Release 1 (11.1.1.4.0)

Part Number E17056-04
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

10 Advanced User Tools

This chapter describes advanced user tools. It contains the following topics:

Web Services Policy-Based Security

Application Explorer provides a security model called Web services policy-based security. The following topics describe how the feature works and how to configure it.

Web services provide a layer of abstraction between the back-end business logic and the user or application running the Web service. Easy application integration is enabled. However, the issue of controlling the use and implementation of critical and sensitive business logic that is run as a Web service is raised.

Application Explorer controls the use of Web services that use adapters, using a feature called policy-based security. This feature enables an administrator to apply "policies" to Business Services (Web services) to deny or permit their execution.

A policy is a set of privileges dealing with the execution of a Business Service (iBS) that can be applied to an existing or new iBS. When you set specific rights or privileges inside a policy, you do not have to re-create privileges for every iBS that has security concerns in common with other Business Services. Instead, you reuse a policy on multiple Business Services.

The goal of the feature is to secure requests at both the transport and the SOAP request level transmitted on the wire. Some of the policies do not deal with security issues directly, but do effect the run-time behavior of the Web services to which they have been applied.

The iBS administrator creates an "instance" of a policy type, names it, associates individual users or groups (a collection of users), and then applies that policy to one or more Business Services.

You can assign a policy to an iBS, or to a method within an iBS. If a policy is only applied to a method, then other methods in that iBS is not governed by it. However, if a policy is applied to the iBS, all methods are governed by it. At run-time, the user ID and password that are sent to BSE in the SOAP request message are checked against the list of users for all policies applied to that specific iBS. The policy type that is supported is Resource Execution, which dictates who can or cannot execute the iBS.

When a policy is not applied, the default value for an iBS is to "grant all". For example, anybody can execute the iBS, until the Resource Execution policy is associated to the iBS. At that time, only those granted execution permissions, or users not part of the group that has been denied execution permissions, have access to the iBS.

Configuring Web Services Policy-Based Security

The following procedures describe how to configure Web services policy-based security.

Creating and Associating a User with a Policy

Before you create instances of policies, you must have a minimum of one user or one group to associate to an instance. You can create users and groups using Application Explorer.

  1. Start Application Explorer.

  2. Right-click the configuration to which you want to connect, for example, SampleConfig. For information on creating a new configuration, see Chapter 2, "Configuring Oracle Application Server Adapter for Siebel".

  3. Select Connect.

    As shown in Figure 10-1, nodes appear for Adapters and Business Services (also known as Web services).

    Figure 10-1 Siebel Configuration, SampleConfig

    New Siebel configuration.
    Description of "Figure 10-1 Siebel Configuration, SampleConfig"

    Perform the following steps:

    1. Expand the Business Services node.

    2. Expand the Configuration node.

    3. Expand the Security node.

    4. Expand the Users and Groups node.

  4. As shown in Figure 10-2, right-click Users and then New User.

    Figure 10-2 New User Option

    User's node selected with New User option available.
    Description of "Figure 10-2 New User Option"

    The New User dialog box is displayed, as shown in Figure 10-3.

    Figure 10-3 New User Dialog Box

    New User dialog box.
    Description of "Figure 10-3 New User Dialog Box"

    Perform the following steps:

    1. In the Name field, enter a user ID.

    2. In the Password field, enter the password associated with the user ID.

    3. In the Description field, enter a description of the user (optional).

  5. Click OK.

    The new user is added under the Users node, as shown in Figure 10-4.

    Figure 10-4 New User Added Under the Users Node

    New user
    Description of "Figure 10-4 New User Added Under the Users Node"

Creating a Group to Use With a Policy

To create a group to use with a policy:

  1. Start Application Explorer.

  2. Right-click the configuration to which you want to connect, for example, SampleConfig. For information on creating a new configuration, see Chapter 2, "Configuring Oracle Application Server Adapter for Siebel".

  3. Select Connect.

    As shown in Figure 10-5, nodes appear for Adapters and Business Services (also known as Web services).

    Figure 10-5 Adapters and Business Services Nodes

    New Siebel configuration.
    Description of "Figure 10-5 Adapters and Business Services Nodes"

    Perform the following steps:

    1. Expand the Business Services node.

    2. Expand the Configurations node.

    3. Expand the Security node.

    4. Expand the Users and Groups node.

  4. Right-click Groups and select New Group, as shown in Figure 10-6.

    Figure 10-6 New Group Option

    Groups node with the add new group option selected.
    Description of "Figure 10-6 New Group Option"

    The New Group dialog box is displayed, as shown in Figure 10-7.

    Figure 10-7 New Group Dialog

    New Group dialog box.
    Description of "Figure 10-7 New Group Dialog"

    Perform the following steps:

    1. In the Name field, enter a name for the group.

    2. In the Description field, enter a description for the group (optional).

    3. From the available list of users in the left pane, select one or more users and add them to the Selected list by clicking the double right facing arrow.

  5. When you have selected at least one user, click OK.

    Figure 10-8 New Group Added to Groups Node

    New group
    Description of "Figure 10-8 New Group Added to Groups Node"

    As shown in Figure 10-8, the new group is added under the Group node.

Creating an Execution Policy

An execution policy governs who can execute the Business Services to which the policy is applied.

To create an execution policy:

  1. Start Application Explorer.

  2. Right-click the configuration to which you want to connect, for example, SampleConfig. For information on creating a new configuration, see Chapter 2, "Configuring Oracle Application Server Adapter for Siebel".

  3. Select Connect.

    As shown in Figure 10-9, nodes appear for Adapters and Business Services (also known as Web services).

    Figure 10-9 Adapters and Business Services Nodes

    New Siebel configuration.
    Description of "Figure 10-9 Adapters and Business Services Nodes"

    Perform the following steps:

    1. Expand the Business Services node.

    2. Expand the Configurations node.

    3. Expand the Security node.

    4. Expand the Policies node.

  4. As shown in Figure 10-10, right-click Policies and select New Policy.

    Figure 10-10 New Policy Option

    Policies node.
    Description of "Figure 10-10 New Policy Option"

    The New policy dialog box is displayed, as shown in Figure 10-11.

    Figure 10-11 New Policy Dialog

    New policy dialog box.
    Description of "Figure 10-11 New Policy Dialog"

    Perform the following steps:

    1. In the Name field, enter a name for the policy.

    2. From the Type list, select Execution.

    3. In the Description field, enter a description for the policy (optional).

    4. From the available list of users in the left pane, select one or more users and add them to the Selected list by clicking the double right facing arrow.

      Note:

      This user ID is checked against the value in the user ID element of the SOAP header sent to BSE in a SOAP request.
  5. When you have selected at least one user, click OK.

  6. Click Next.

    The New Policy permissions dialog box is displayed.

  7. When you have selected at least one user, click OK.

  8. Click Next.

    The New Policy permissions dialog box is displayed, as shown in Figure 10-12.

    Figure 10-12 New Policy Permissions Dialog

    New Policy permissions dialog box.
    Description of "Figure 10-12 New Policy Permissions Dialog"

    • To grant permission to a user or group to execute an iBS, select the user or group and move them into the Execution Granted list by selecting the double left facing arrow.

    • To deny permission to a user or group to execute an iBS, select the user or group and move them into the Execution Denied list by selecting the double right facing arrow.

  9. Click OK.

    The following pane summarizes your configuration, as shown in Figure 10-13.

    Figure 10-13 Summary of Policy Configuration

    Summary of your policy configuration.
    Description of "Figure 10-13 Summary of Policy Configuration"

Using the IP and Domain Restrictions Policy Type

You configure the IP and Domain Restriction policy type slightly differently from other policy types. The IP and Domain Restriction policy type controls connection access to BSE and therefore need not be applied to individual Web services. You need not create a policy, however, you must enable the Security Policy option in Application Explorer.

  1. Start Application Explorer.

  2. Right-click the configuration to which you want to connect, for example, SampleConfig. For information on creating a new configuration, see Chapter 2, "Configuring Oracle Application Server Adapter for Siebel".

  3. Select Connect.

    As shown in Figure 10-14, nodes appear for Adapters and Business Services (also known as Web services).

    Figure 10-14 Adapters and Business Services Nodes

    New Siebel configuration.
    Description of "Figure 10-14 Adapters and Business Services Nodes"

    Perform the following steps:

    1. Expand the Business Services node.

    2. Expand the Configurations node.

    3. Expand the Security node.

  4. As shown in Figure 10-15, right-click IP and Domain and select New IP and Domain Restriction.

    Figure 10-15 New IP and Domain Restriction Option

    New IP and Domain Restriction option.
    Description of "Figure 10-15 New IP and Domain Restriction Option"

    The New IP and Domain Restriction dialog box is displayed, as shown in Figure 10-16.

    Figure 10-16 New IP and Domain Restriction Dialog

    New IP and Domain Restriction dialog box.
    Description of "Figure 10-16 New IP and Domain Restriction Dialog"

    Perform the following steps:

    1. In the IP(Mask)/Domain field, enter the IP or domain name using the following guidelines:

      If you select Single (Computer) from the Type list, then you must provide the IP address for that computer. If you only know the DNS name for the computer, then click DNS Lookup to obtain the IP Address based on the DNS name.

      If you select Group (of Computers), then you must provide the IP address and subnet mask for the computer group.

      If you select Domain, then you must provide the domain name.

    2. From the Type list, select the type of restriction.

    3. In the Description field, enter a description (optional).

    4. To grant access, select the Grant Access check box.

  5. Click OK.

    The new domain is added under the IP and Domain node.

    The following pane summarizes your configuration, as shown in Figure 10-17.

    Figure 10-17 Summary of IP and Domain Configuration

    Summary of your IP and domain configuration.
    Description of "Figure 10-17 Summary of IP and Domain Configuration"

Migrating Repositories

During design time, the Oracle repository is used to store metadata created when using Application Explorer to configure adapter connections, browse EIS objects, configure services, and configure listeners to listen for EIS events. The information in the repository is also referenced at run-time. For management purposes, you can migrate BSE and J2CA repositories that are configured for Oracle to new destinations without affecting your existing configuration. For example, you may want to migrate a repository from a test environment to a production environment.

Migrating a BSE Repository

To migrate a BSE repository:

  1. Copy the BSE control service URL, for example:

    http://localhost:8001/ibse/IBSEServlet/admin/iwcontrol.ibs
    
  2. Open a third party XML editor, for example, XMLSPY.

  3. From the menu bar, click SOAP.

    A list of options appears, as shown in Figure 10-18.

    Figure 10-18 Create new SOAP request Option

    Create new SOAP request
    Description of "Figure 10-18 Create new SOAP request Option"

  4. Select Create new SOAP request.

    The WSDL file location dialog box is displayed, as shown in Figure 10-19.

    Figure 10-19 WSDL File Location Dialog

    WSDL file location dialog box
    Description of "Figure 10-19 WSDL File Location Dialog"

    Perform the following steps:

    1. In the Choose a file field, paste the BSE control service URL.

    2. Append ?wsdl to the URL, for example:

      http://localhost:8001/ibse/IBSEServlet/admin/iwcontrol.ibs?wsdl
      
  5. Click OK.

    The soap operation name dialog box displays the available control methods, as shown in Figure 10-20.

    Figure 10-20 Soap Operation Name Dialog

    SOAP operation name dialog box
    Description of "Figure 10-20 Soap Operation Name Dialog"

  6. Select the MIGRATEREPO(MIGRATEREPO parameters) control method and click OK.

    Note:

    The MIGRATEREPO(MIGRATEREPO parameters) control method is available from the BSE administration console. This control method migrates all Web services to the new (empty) repository. You can choose to migrate select Web services only.

    The following window is displayed, showing the structure of the SOAP envelope, as shown in Figure 10-21.

    Figure 10-21 Structure of the SOAP Envelope

    SOAP envelope (structure view)
    Description of "Figure 10-21 Structure of the SOAP Envelope"

  7. Locate the Text view icon in the toolbar, as shown in Figure 10-22.

    Figure 10-22 Text View Icon

    Text view icon
    Description of "Figure 10-22 Text View Icon"

  8. To display the structure of the SOAP envelope as text, click the Text view icon.

    The <SOAP-ENV:Header> tag is not required and can be deleted from the SOAP envelope.

  9. Locate the following section:

    <m:MIGRATEREPO xmlns:m="urn:schemas-iwaysoftware-com:jul2003:ibse:config" version="">
      <m:repositorysetting>
        <m:rname>oracle</m:rname>
        <m:rconn>String</m:rconn>
        <m:rdriver>String</m:rdriver>
        <m:ruser>String</m:ruser>
        <m:rpwd>String</m:rpwd>
      </m:repositorysetting>
      <m:servicename>String</m:servicename>
    </m:MIGRATEREPO>
    

    Perform the following steps:

    1. For the <m:rconn> tag, replace the String placeholder with a repository URL where you want to migrate your existing BSE repository.

      The Oracle repository URL has the following format:

      jdbc:oracle:thin:@[host]:[port]:[sid]
      
    2. For the <m:rdriver> tag, replace the String placeholder with the location of your Oracle driver.

    3. For the <m:ruser> tag, replace the String placeholder with a valid user name to access the Oracle repository.

    4. For the <m:rpwd> tag, replace the String placeholder with a valid password to access the Oracle repository.

  10. Perform one of the following migration options.

    • If you want to migrate a single Web service from the current BSE repository, then enter the Web service name in the <m:servicename> tag, for example:

      <m:servicename>SiebelService1</m:servicename>
      
    • If you want to migrate multiple Web services from the current BSE repository, then duplicate the <m:servicename> tag for each Web service, for example:

      <m:servicename>SiebelService1</m:servicename>
      <m:servicename>SiebelService2</m:servicename>
      
    • If you want to migrate all Web services from the current BSE repository, then remove the <m:servicename> tag.

  11. From the menu bar, click SOAP and select Send request to server, as shown in Figure 10-23.

    Figure 10-23 Send request to server Option

    Send request to server
    Description of "Figure 10-23 Send request to server Option"

    Your BSE repository and any Web services you selected are now migrated to the new Oracle repository URL you specified.

Migrating a J2CA Repository

To migrate a J2CA repository:

  1. Navigate to the location of your J2CA configuration directory where the repository schemas and other information is stored, for example:

    <ADAPTER_HOME>\soa\thirdparty\ApplicationAdapters\config\JCA_CONFIG
    

    Where JCA_CONFIG is the name of your J2CA configuration.

  2. Locate and copy the repository.xml file.

  3. Place this file in a new J2CA configuration directory to migrate the existing repository.

    Your J2CA repository is migrated to the new J2CA configuration directory.