Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)
Part Number E14568-06
This appendix presents instructions on configuring SOAP Web services access.
Web services let you access Oracle Adaptive Access Manager functionality that is made available on a remote computer. The OAAM web service enables you to make a request to OAAM to perform an action.
The advantage of the OAAM web services is that you do not have to recreate application logic that has already been created.
Referencing a remote web service within your application is called consuming web services. You can consume a web service implemented as part of a .NET or Java application.
The requirements for accessing the OAAM web service are the following:
Configuration of the SOAP web access requires the OAAM Extensions Shared Library for Native Integration using SOAP.
The configurable properties must be specified in bharosa_server.properties and this file should be in the Java Classpath of the client application.
An access to a web service is similar to a function call except it references remote functionality over the Internet instead of referencing a library on your computer.
SOAP provides a standard XML structure for sending and receiving web service requests and responses over the Internet. The SOAP messages are sent using HTTP.
Web Services/SOAP clients need to send the username and password for successful communication with OAAM web services.
The password needs to be stored in a KeyStore for security.
Making web services available to others for remote access is called publishing a web service.
Out-of-the-box, OAAM publishes Web services at the URL: /oaam_server/services. This URL is secured by HTTP authentication.
Access to this URL is allowed to the users with the OAAMSOAPServicesGroup role/group. You must add a user (a.k.a SOAP User) with the OAAMSOAPServicesGroup role/group to the OAAM Domain.
Note: This step is not required if SOAP Authentication is disabled on the OAAM server.
The client side setup is documented below.
To set up security for Native Client web services:
In the $ORACLE_HOME/oaam/cli directory, create a file, for example, soap_key.file, and enter the HTTP authentication user password in it. (The password from the user that was added to the OAAMSOAPServicesGroup role/group).
soap_3des_input.properties with the keystore password, the alias password, and password file.
#This is the password for opening the keystore.
keystorepasswd=
#This is the password reading alias (key) in the keystore
keystorealiaspasswd=
#File containing from key. Please note, keys in AES could be binary. Also note algorithms like 3DES require minimum 24 characters in the key
#keyFile=soap_key.file
keyFile=
Generate the keystore.
For Unix/Linux, run
$JAVA_EXE -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=soap_3des_input.properties
For Windows, run
If the KeyStore command was successful, you will see output similar to the following:
updateOrCreateKeyStore done!
Keystore file:system_soap.keystore,algorithm=DESede
KeyStore Password=ZG92ZTEyMzQ=
Alias Password=ZG92ZTEyMw==
Note down the Keystore password and Alias Password printed on the screen. You will need to add these to
Save the system_soap.keystore file in your source code control system. Please take adequate security precautions while handling this file. The file contains critical password information. Make sure that only authorized personnel have read access to this file. If you lose it, Oracle Adaptive Access Manager will not be able to recover the encrypted data.
Copy system_soap.keystore to the classpath of the Native Client deployment folder.
Delete both the
Add the following properties with the encoded passwords (from step 5) and the authentication username to
vcrypt.soap.auth.keystorePassword=<base64 encoded keystore password>
vcrypt.soap.auth.aliasPassword=<base64 encoded password to the alias>
vcrypt.soap.auth.username=<user configured for accessing the soap services>
vcrypt.soap.auth.keystoreFile=system_soap.keystore
Note: This step is not required if SOAP Authentication is disabled on the OAAM server.
See "Disable SOAP Authentication" section for details on disabling authentication from client side.
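A post-setup check for the client side, added here as an example and not part of Oracle's tooling: it confirms the four vcrypt.soap.auth.* properties are set, that the two password values decode as base64, and that bharosa_server.properties and the keystore are readable by their owner only, because base64 is an encoding and anyone who can read both files can open the keystore. The function names, and the assumption that both files sit in the same directory, belong to this example.

```shell
#!/bin/sh
# Added example: audit a Native Client deployment directory (assumed layout:
# bharosa_server.properties and the keystore file in the same directory).
# audit_soap_client <dir> prints one line per finding and returns their count.

prop() {  # prop <file> <key>: print the value of key=value (last one wins)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

owner_only() {  # true when group and others have no permission bits set
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_soap_client() {
    dir=$1; props="$dir/bharosa_server.properties"; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    [ -f "$props" ] || { note "missing $props"; return "$findings"; }

    for key in keystorePassword aliasPassword username keystoreFile; do
        [ -n "$(prop "$props" "vcrypt.soap.auth.$key")" ] ||
            note "vcrypt.soap.auth.$key is not set"
    done

    # The two password properties are base64 encoded, so they must decode cleanly.
    for key in keystorePassword aliasPassword; do
        val=$(prop "$props" "vcrypt.soap.auth.$key")
        [ -z "$val" ] || printf '%s' "$val" | base64 -d >/dev/null 2>&1 ||
            note "vcrypt.soap.auth.$key is not valid base64"
    done

    ks="$dir/$(prop "$props" vcrypt.soap.auth.keystoreFile)"
    [ -f "$ks" ] || note "keystore file not found: $ks"

    # Base64 is reversible: read access to both files is enough to open the keystore.
    for f in "$props" "$ks"; do
        [ ! -f "$f" ] || owner_only "$f" || note "$f is readable by group or others"
    done
    return "$findings"
}
```

Call it as `audit_soap_client /path/to/client/classes`; an exit status of 0 means no findings.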
To disable or enable HTTP authentication for Adaptive Strong Authenticator, set the following property to true (enabled) or false (disabled).
Set the vcrypt.common.util.vcryptsoap.impl.classname property.
This setting specifies for the application which libraries to use when creating SOAP messages to exchange with the OAAM services.
The available option is:
This setting is the location of the web services with which the application will communicate.
Set the vcrypt.soap.call.timeout property in milliseconds.
You can enable or disable authentication using Oracle Web Services Manager (OWSM) policies through Enterprise Manager.
If you disable the SOAP Web Service authentication on the server (which is by default enabled), the client can use the web service without having been authenticated.
Log in to Enterprise Manager of the IDM domain using the URL http://<host-name>:7001/em and WebLogic Admin username/password.
Locate oaam_server_server1 in the left hand side menu by expanding WebLogic Domain and the OAAM domain under it.
Right-click oaam_server_server1 and select the Web Services menu option.
Click the Oracle Infrastructure Web Services tab.
Click the Attach Policies link in the top-right area of the page.
Select all the rows related to the OAAM Web services in the next page and click the Next button.
Select the rows oracle/binding_authorization_permitall_policy, oracle/no_authentication_service_policy, oracle/no_authorization_service_policy and click the Next button.
Click the Attach button on the next page.
Restart OAAM Server if required.