Oracle® Fusion Middleware Federated Portals Guide for Oracle WebLogic Portal 10g Release 3 (10.3.5) Part Number E14235-06
This chapter describes one technique for establishing a secure communications channel for WSRP transactions between WebLogic Portal and a WebCenter Portal: Framework application. It includes the following sections:
Section 17.4, "Consumer Security for an Unsigned SAML Token Configuration"
Section 17.5, "(Optional) Additional Configuration for a WebLogic Portal Consumer"
For web-based transactions to be secure, the following four components must be addressed:
Authentication – Verification of the sender's identity.
Integrity – Protection against unauthorized changes.
Message Freshness – Protection against replay attacks in which a message is captured and resent.
Confidentiality – Protection against unauthorized viewing of the message.
The following configuration steps will enable integrity, authentication, and message freshness constraints in WSRP transactions between Framework applications and WLP applications, as follows:
Authentication is handled through the SAML 1.1 protocol, with the sender-vouches assertion. This means that the user will authenticate through some unspecified mechanism on the consumer, and the consumer will propagate and "vouch" for the user's identity to the producer.
Integrity is handled by digitally signing the message's body, BST, and SAML assertion with the SHA1 algorithm. This signature asserts that these components of the message have not been modified in transit from the consumer to the producer.
Message freshness is handled by adding a time constraint condition to the SAML assertion. This specifies that the SAML assertion is only valid for a limited window of time. When the SAML assertion is invalidated, the entire message will be rejected. This time window is configurable on the consumer.
Note:
Message confidentiality is not addressed in these steps. If confidentiality is a concern for your WSRP environment, please consider enabling SSL between your producer and consumer.
These security settings are but one possible configuration of Web Service security for WSRP. Many other Web Service security configuration settings can be further adjusted in both the WebLogic Portal and Framework application environments, as long as the settings are enabled and recognized in both environments. For further detailed information, see Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
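The three constraints above (issuer, sender-vouches confirmation, validity window) translate into a concrete accept/reject decision on the producer for every incoming assertion. The following Python script is an added illustration of that decision, not code from this guide or from WebLogic Server: it parses a SAML 1.1 assertion constructed for the example, checks its Issuer against the Issuer URI configured for the asserting party, requires the sender-vouches confirmation method, and rejects anything outside the Conditions window. The sample assertion, the 30-second clock-skew tolerance and the function names are assumptions made for the example.

```python
"""Producer-side checks on an incoming SAML 1.1 sender-vouches assertion.

Added example, not Oracle code. It models the three constraints the chapter's
configuration imposes on each WSRP request: the assertion's Issuer must match
the Issuer URI configured for the asserting party, the confirmation method
must be sender-vouches, and the producer's clock must fall inside the
assertion's Conditions window (NotBefore / NotOnOrAfter). The assertion below
is constructed for the example; the 30 second clock-skew tolerance is an
assumption, not a WebLogic setting.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace used by SAML 1.1 assertions
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample assertion; Issuer and subject mirror the chapter's examples.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="example-assertion-1"
    Issuer="www.oracle.com" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2011-06-01T12:00:00Z" NotOnOrAfter="2011-06-01T12:02:00Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
      AuthenticationInstant="2011-06-01T12:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>fmwadmin</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2011-06-01T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, now_utc, skew_seconds=30):
    """Return (subject, []) when the assertion is acceptable, else (None, reasons).

    expected_issuer: the Issuer URI configured on the producer's asserting party.
    now_utc: the producer's clock as a UTC xs:dateTime string.
    """
    reasons = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return None, ["not a SAML 1.x Assertion element"]

    # Authentication: only the configured asserting party may vouch for a user.
    issuer = root.get("Issuer")
    if issuer != expected_issuer:
        reasons.append("issuer %r does not match configured Issuer URI %r" % (issuer, expected_issuer))

    # The chapter's profile is sender-vouches; any other confirmation method is rejected.
    methods = [m.text for m in root.iter("{%s}ConfirmationMethod" % SAML_NS)]
    if SENDER_VOUCHES not in methods:
        reasons.append("confirmation method is not sender-vouches: %r" % methods)

    # Freshness: a captured message is only replayable while the window is open.
    cond = root.find("{%s}Conditions" % SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        reasons.append("assertion carries no validity window")
    else:
        now = parse_instant(now_utc)
        skew = timedelta(seconds=skew_seconds)
        if now + skew < parse_instant(cond.get("NotBefore")):
            reasons.append("assertion is not yet valid")
        if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
            reasons.append("assertion has expired; treat as a possible replay")

    name = root.find(".//{%s}NameIdentifier" % SAML_NS)
    if name is None or not name.text:
        reasons.append("assertion names no subject")
    if reasons:
        return None, reasons
    return name.text, []


if __name__ == "__main__":
    # Inside the window: accepted with subject fmwadmin. Eight minutes later: rejected.
    print(validate_assertion(SAMPLE_ASSERTION, "www.oracle.com", "2011-06-01T12:01:00Z"))
    print(validate_assertion(SAMPLE_ASSERTION, "www.oracle.com", "2011-06-01T12:10:00Z"))
```

The window in the sample is two minutes wide, which is the kind of value the consumer-side setting in this chapter controls; the skew tolerance only papers over small clock differences between the two servers, it does not extend the window meaningfully.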
This section explains how to configure SAML security for both a Framework application consumer and a WLP producer. The tasks described in this section are:
This section discusses how to generate a key pair and export the public key certificate on the consumer.
This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.
On the Framework application consumer, open a command window and change directory to the <WEBLOGIC_HOME>/wlserver_10.3/server/bin directory.
Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
Run the keytool command to generate a new key pair. For example, the following command generates a key pair, wraps the public key in a certificate, and stores the certificate and the private key in a keystore named mykeystore.jks, identified by the alias wckey:
keytool -genkeypair -alias wckey -keypass wckeypass -keyalg rsa -keysize 1024 -keystore mykeystore.jks -storepass mykeystorepass -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"
Make a note of your new keystore's passphrase, the key pair's alias, and the key pair's passphrase. This data, as well as the keystore file itself (mykeystore.jks), will be used when configuring the Framework application consumer.
The producer needs the public key certificate (the public half of the "key pair" generated in the previous step) installed in its trust key store. Follow these steps to export the public key certificate to a file, which will then be imported into a trusted key store on the producer.
On the consumer, open a command window and change directory to the <WEBLOGIC_HOME>/wlserver_10.3/server/bin directory.
Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
Run the keytool command to export the previously-created certificate to a file. For example, the following command creates a certificate file named wckey.der from the key pair identified by alias wckey:
keytool -exportcert -alias wckey -keypass wckeypass -keystore mykeystore.jks -storepass mykeystorepass -file wckey.der
This section explains how to configure the producer. To do this, you import the public key certificate into the SAML asserter, and configure the asserting party properties.
Copy the certificate file created in the previous step to the WebLogic Portal producer's domain directory (for example, <MW_HOME>/user_projects/domains/base_domain).
On the producer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
Change directory to the root directory for your producer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
Run the keytool command to import the previously-created certificate file to the domain's trust keystore. For example, the following command imports the certificate identified by alias wckey from the certificate file named wckey.der to the DemoTrust.jks keystore:
keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file wckey.der -alias wckey -keypass wckeypass
If prompted to "Trust this certificate? [no]: ", type yes and press Enter to add the certificate to the keystore.
If your server is currently running, restart it.
Note:
WebLogic Portal is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Portal trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment. For more information, see the WebLogic Server security documentation.
Copy the files wsrp-wsdl-template.wsdl and wsrp-wsdl-template-v2.wsdl to your workspace and open them for editing. The procedure for copying files to your workspace is described in "Copying J2EE Library Files Into a Project" in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
In both files, replace the existing <wsp:Policy> element with the following XML:
Example 17-1 Replacement wsp:Policy Element
<wsp:Policy wsu:Id="ProducerDefaultPolicy"/>
<wsp:Policy wsu:Id="WebCenterPolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssX509V3Token10/>
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy>
              <sp:WssX509V3Token10/>
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic128/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax/>
        </wsp:Policy>
      </sp:Layout>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
  <sp:SignedSupportingTokens>
    <wsp:Policy>
      <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssSamlV11Token10/>
        </wsp:Policy>
      </sp:SamlToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>
  <sp:Wss10>
    <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy>
  </sp:Wss10>
</wsp:Policy>
Save your changes to these two files.
Copy the file WEB-INF/weblogic-webservices-policy.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in "Copying J2EE Library Files Into a Project" in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
Replace the entire contents of the file with the following XML:
Example 17-2 Replacement weblogic-webservices-policy.xml
<?xml version='1.0' encoding='UTF-8'?>
<webservice-policy-ref xmlns="http://www.bea.com/ns/weblogic/90"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- Use WebLogic Server Admin Console to add new policies -->
  <ref-name>WebCenter Policies for the WSRP Producer</ref-name>
  <port-policy>
    <port-name>WSRP_v2_Markup_Service</port-name>
    <ws-policy>
      <uri>#WebCenterPolicy</uri>
      <direction>inbound</direction>
    </ws-policy>
  </port-policy>
  <port-policy>
    <port-name>WSRPBaseService</port-name>
    <ws-policy>
      <uri>#WebCenterPolicy</uri>
      <direction>inbound</direction>
    </ws-policy>
  </port-policy>
  <port-policy>
    <port-name>WLP_WSRP_Ext_Service</port-name>
    <ws-policy>
      <uri>#WebCenterPolicy</uri>
      <direction>inbound</direction>
    </ws-policy>
  </port-policy>
</webservice-policy-ref>
Save your changes, and republish your web project.
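The two files edited above have to agree with each other: every <uri>#id</uri> in weblogic-webservices-policy.xml must resolve to a <wsp:Policy> carrying that wsu:Id in the WSDL templates, and it is the resolved policy, not the reference, that makes the SAML token signed. A port left on the empty ProducerDefaultPolicy accepts requests without any of the protections this chapter sets up. The following Python script is an added example (not Oracle code) that performs that cross-check on inputs constructed from Examples 17-1 and 17-2; the wsdl:definitions wrapper around the policies and the helper names are assumptions.

```python
"""Cross-check the producer's WSRP policy files against each other.

Added example, not Oracle code. It resolves each <uri>#id</uri> in
weblogic-webservices-policy.xml (Example 17-2) to the <wsp:Policy wsu:Id="id">
in the WSDL template (Example 17-1) and confirms the resolved policy demands
what the chapter relies on: an X509 initiator token sent to the recipient,
signing of the entire headers and body, and a SAML token among the signed
supporting tokens. The wsdl:definitions wrapper and the helper names are
assumptions; the XML content is taken from the chapter's two examples.
"""
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WLS = "http://www.bea.com/ns/weblogic/90"
ALWAYS_TO_RECIPIENT = SP + "/IncludeToken/AlwaysToRecipient"
EXPECTED_PORTS = {"WSRP_v2_Markup_Service", "WSRPBaseService", "WLP_WSRP_Ext_Service"}

# Constructed stand-in for wsrp-wsdl-template.wsdl: the two policies of Example 17-1
# inside a minimal wsdl:definitions element that declares the namespaces (assumed).
WSDL_TEMPLATE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s" xmlns:wsu="%(wsu)s">
  <wsp:Policy wsu:Id="ProducerDefaultPolicy"/>
  <wsp:Policy wsu:Id="WebCenterPolicy">
    <sp:AsymmetricBinding><wsp:Policy>
      <sp:InitiatorToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="%(sp)s/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:InitiatorToken>
      <sp:RecipientToken><wsp:Policy>
        <sp:X509Token sp:IncludeToken="%(sp)s/IncludeToken/Never">
          <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
      </wsp:Policy></sp:RecipientToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedSupportingTokens><wsp:Policy>
      <sp:SamlToken sp:IncludeToken="%(sp)s/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssSamlV11Token10/></wsp:Policy></sp:SamlToken>
    </wsp:Policy></sp:SignedSupportingTokens>
    <sp:Wss10><wsp:Policy><sp:MustSupportRefKeyIdentifier/><sp:MustSupportRefIssuerSerial/></wsp:Policy></sp:Wss10>
  </wsp:Policy>
</wsdl:definitions>""" % {"wsp": WSP, "sp": SP, "wsu": WSU}


def policy_ref_xml(port_uris, direction="inbound"):
    """Render a weblogic-webservices-policy.xml binding each port name to a policy URI."""
    ports = "".join(
        "<port-policy><port-name>%s</port-name><ws-policy><uri>%s</uri>"
        "<direction>%s</direction></ws-policy></port-policy>" % (port, uri, direction)
        for port, uri in sorted(port_uris.items()))
    return ('<webservice-policy-ref xmlns="%s"><ref-name>WebCenter Policies for the WSRP Producer'
            '</ref-name>%s</webservice-policy-ref>' % (WLS, ports))


def requires_signed_saml(policy):
    """True when a wsp:Policy element demands the protections the chapter relies on."""
    binding = policy.find(".//{%s}AsymmetricBinding" % SP)
    if binding is None or binding.find(".//{%s}OnlySignEntireHeadersAndBody" % SP) is None:
        return False
    initiator = binding.find(".//{%s}InitiatorToken" % SP)
    x509 = initiator.find(".//{%s}X509Token" % SP) if initiator is not None else None
    if x509 is None or x509.get("{%s}IncludeToken" % SP) != ALWAYS_TO_RECIPIENT:
        return False
    supporting = policy.find(".//{%s}SignedSupportingTokens" % SP)
    return supporting is not None and supporting.find(".//{%s}SamlToken" % SP) is not None


def audit_producer_policy(wsdl_xml, policy_ref_text):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    # Only top-level policies carry a wsu:Id; nested <wsp:Policy> wrappers are skipped.
    policies = {p.get("{%s}Id" % WSU): p
                for p in ET.fromstring(wsdl_xml).iter("{%s}Policy" % WSP) if p.get("{%s}Id" % WSU)}
    seen = set()
    for pp in ET.fromstring(policy_ref_text).iter("{%s}port-policy" % WLS):
        port = pp.findtext("{%s}port-name" % WLS)
        seen.add(port)
        for ref in pp.iter("{%s}ws-policy" % WLS):
            uri = ref.findtext("{%s}uri" % WLS) or ""
            direction = ref.findtext("{%s}direction" % WLS)
            if direction != "inbound":
                findings.append("%s: policy direction is %r, expected inbound" % (port, direction))
            policy = policies.get(uri[1:]) if uri.startswith("#") else None
            if policy is None:
                findings.append("%s: %r does not resolve to a wsu:Id in the WSDL template" % (port, uri))
            elif not requires_signed_saml(policy):
                findings.append("%s: policy %r does not require a signed SAML token" % (port, uri))
    for port in sorted(EXPECTED_PORTS - seen):
        findings.append("%s: no policy bound to this WSRP port" % port)
    return findings


if __name__ == "__main__":
    good = policy_ref_xml({p: "#WebCenterPolicy" for p in EXPECTED_PORTS})
    print(audit_producer_policy(WSDL_TEMPLATE, good))  # []
    weak = policy_ref_xml({"WSRP_v2_Markup_Service": "#ProducerDefaultPolicy"})
    print(audit_producer_policy(WSDL_TEMPLATE, weak))
```

Point the two constants at the real files from the web project (read them from disk instead of the constructed strings) and run this before republishing; the findings list names the port and the reason, so a port that silently fell back to the unsigned default policy shows up immediately.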
This section describes the final step in the producer configuration.
Tip:
For more information on asserting party and other topics in this section, see "SAML Framework Concepts" in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server.
Open the WebLogic Server Administration Console on the producer server and log in.
Select Security Realms.
Select a security realm, such as myrealm.
Select the Providers tab.
Select the Authentication tab.
Select SAMLIdentityAsserter. An identity asserter allows WebLogic Server to establish trust by validating a user.
Select the Management tab.
Select the Asserting Parties tab.
In the Asserting Parties table, click New.
In the Profile pulldown menu, select WSS/Sender Vouches.
In the Description field, enter a name to identify the asserting party, and select OK. For example: WebCenter SAML token.
Enable the new asserting party. To do this, click the Partner ID link for the new asserting party (for example, ap_0002).
Set the asserting party values as follows:
Parameter | Value |
---|---|
Enabled | true (Select the checkbox) |
Target URL | default |
Issuer URI | Set on the consumer (for example, |
Click Save. If there were no problems, the message "Settings updated successfully" appears.
Perform the WSRP interoperability steps described in Section 13.1, "Consuming WLP Portlets in WebCenter Portal Applications and Oracle Portal Applications."
The WebLogic Portal producer is now configured for SAML interoperability with a basic Framework application SAML configuration. The next step is to associate the Framework application consumer with the key pair created earlier (see Section 17.2.1.1, "Generate a Key Pair").
Note:
For more detailed information on the following steps, see "Securing a WSRP Producer with WS-Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.
Copy the keystore created earlier (see Section 17.2.1.1, "Generate a Key Pair") to your consumer server's filesystem, and note the path.
From Oracle JDeveloper, follow these standard steps for registering a producer using the Register WSRP Portlet Producer wizard, with the following exceptions:
On the Configure Security Attributes page, set the following values:
Parameter | Value |
---|---|
Token Profile | WSS 1.0 SAML Token with Message Integrity |
Configuration | Custom |
Default User | A default username to send when unauthenticated (for example, fmwadmin) |
Issuer Name | This needs to match the Issuer URI on the producer (for example, www.oracle.com). See Section 17.2.2.4, "Add a New Asserting Party to the SAML Identity Asserter." |
On the Specify Key Store page, set the following values:
Parameter | Value |
---|---|
Store Path | Path on the consumer server to the JKS file. See Section 17.2.2.5, "Register the WebLogic Portal Producer with the WebCenter Portal: Framework Application Consumer." |
Store Password | The keystore password. See Section 17.2.1.2, "Export the Public Key Certificate." |
Store Type | JKS |
Signature Key Alias | The key alias. See Section 17.2.1.2, "Export the Public Key Certificate." |
Signature Key Password | The key passphrase. See Section 17.2.1.2, "Export the Public Key Certificate." |
Encryption Key Alias | Leave the field blank. |
Encryption Key Password | Leave the field blank. |
The easiest way to test the configuration involves three steps:
Create a simple JSP portlet on the producer with the following content:
<%@ page language="java" contentType="text/html;charset=UTF-8" %>
<p>Principal: <%=request.getUserPrincipal() %></p>
<p>Remote User: <%=request.getRemoteUser() %></p>
This will show the username sent by the consumer when rendered, if the SAML configuration is working properly.
Specify a default authenticated user when you establish your consumer's connection to the producer. (See Section 17.2.2.5, "Register the WebLogic Portal Producer with the WebCenter Portal: Framework Application Consumer.") By doing this, the Framework application consumer will automatically send that username to the WebLogic Portal producer, without requiring the creation of a login mechanism on the consumer side.
Render the remote portlet on the consumer, and verify that the default username that was specified is rendered in the portlet's body.
This section discusses the producer-side and consumer-side configuration required to set up SAML security between a WLP consumer and a Framework application producer.
The configuration steps include:
Section 17.3.2, "Add an Authentication Mechanism To Your Portal"
Section 17.3.4, "Configuring the WebCenter Portal: Framework Application Producer"
Follow the steps in Section 4.3.3, "Locating and Consuming a Portlet" to register your Framework application producer with the WebLogic Portal consumer. Make a note of the Producer Handle that you specify (for example, my_wc_producer), as this will be used later.
For information on how to add a programmatic authentication mechanism to your portal, see "Implementing Authentication Programmatically" in Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal.
This section explains how to generate a key pair and export the public key certificate on the consumer.
This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.
On the WebLogic Portal consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
Change directory to the root directory for your consumer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
Grant write permission to the file DemoIdentity.jks using chmod 777 DemoIdentity.jks.
Run the keytool command to generate a new key pair and add it to the DemoIdentity.jks keystore. For example, the following command generates a key pair, wraps the public key in a certificate, and stores the certificate and the private key in DemoIdentity.jks, identified by the alias wckey:
keytool -genkeypair -alias wckey -keypass wckeypass -keyalg rsa -keysize 1024 -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"
Make a note of your key pair's alias and the key pair's passphrase. This data will be used when configuring both the WebLogic Portal consumer and the Framework application producer.
Note:
WebLogic Portal is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Portal trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes. However, these keystores should not be used in a production environment. For more information, see Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server.
The producer needs the public key certificate (the public half of the "key pair" generated in the previous step) installed in its trust key store. Follow these steps to export the public key certificate to a file, which will then be imported into a trusted key store on the producer.
On the WebLogic Portal consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
Change directory to the root directory for your consumer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
Run the keytool command to export the previously-created certificate to a file. For example, the following command creates a certificate file named wckey.der from the key pair identified by alias wckey:
keytool -exportcert -alias wckey -keypass wckeypass -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -file wckey.der
To import the certificate, follow this procedure. The procedure uses the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.
On the WebLogic Portal consumer, open a command window and change directory to the <WEBLOGIC_HOME>/server/bin directory.
Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
Change directory to the root directory for your consumer's domain (for example, <MW_HOME>/user_projects/domains/base_domain).
Run the keytool command to import the previously-created certificate file to the domain's trust keystore. For example, the following command imports the certificate identified by alias wckey from the certificate file named wckey.der to the DemoTrust.jks keystore:
keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file wckey.der -alias wckey -keypass wckeypass
If prompted to "Trust this certificate? [no]: ", type yes and press Enter to add the certificate to the keystore.
If your server is currently running, restart it.
Add the following policy definition to your WebLogic Portal consumer to configure it to match the default policy configuration on a Framework application producer.
In your web project, create a directory WEB-INF/classes/policies.
In that directory, create a file named wcPolicy.xml, with the following contents:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
  <wssp:Identity>
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
        <wssp:Claims>
          <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
  <wssp:Integrity>
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(Assertion)</wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>
</wsp:Policy>
Save your changes to this file.
Copy the file WEB-INF/wsrp-consumer-security-config.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in "Copying J2EE Library Files Into a Project" in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
In wsrp-consumer-security-config.xml, add the following lines after the <default-policy-name> tag (or after <consumer-name> if there's no <default-policy-name> tag):
<default-policy-port>{urn:oasis:names:tc:wsrp:v2:wsdl}WSRP_v2_Markup_Service</default-policy-port>
<default-policy-port>{urn:oasis:names:tc:wsrp:v1:wsdl}WSRPBaseService</default-policy-port>
Also in wsrp-consumer-security-config.xml, add the following lines after the <policy-name> tag:
<policy-port>{urn:oasis:names:tc:wsrp:v2:wsdl}WSRP_v2_Markup_Service</policy-port>
<policy-port>{urn:oasis:names:tc:wsrp:v1:wsdl}WSRPBaseService</policy-port>
Example 17-3 lists the full wsrp-consumer-security-config.xml file as it looks after the additions are made.
Example 17-3 Complete wsrp-consumer-security-config.xml File
<?xml version="1.0" encoding="UTF-8"?>
<wsrp-consumer-security-config xmlns="http://www.bea.com/ns/portal/90/wsrp-consumer-security-config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.bea.com/ns/portal/90/wsrp-consumer-security-config wsrp-consumer-security-config-9_0.xsd">

  <!-- The consumer's name -->
  <consumer-name>wsrpConsumer</consumer-name>

  <!-- Defaults: These are used when no matching <producer-security> element
       is found for the producer. Default: wsrpConsumer -->

  <!-- The policy to use when the policy is not included in the WSDL.
       This is intended for 8.1 or third party compatibility.
       The policy should be placed in WEB-INF/classes/policies/<name>.xml
       Default: wsrp81compatPolicy -->
  <default-policy-name>wsrp81compatPolicy</default-policy-name>
  <default-policy-port>{urn:oasis:names:tc:wsrp:v2:wsdl}WSRP_v2_Markup_Service</default-policy-port>
  <default-policy-port>{urn:oasis:names:tc:wsrp:v1:wsdl}WSRPBaseService</default-policy-port>

  <!-- When doing 8.1 compatibility, should the <wsse:security> header be removed.
       Default: true -->
  <default-strict-compatibility>true</default-strict-compatibility>

  <!-- Should 8.1 compatibility be done even if a policy is in the WSDL (9.0 producer).
       Default: false -->
  <default-compatibility-forced>false</default-compatibility-forced>

  <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL (8.1 or 3rd party producer).
       Default: true -->
  <default-compatibility-enabled>true</default-compatibility-enabled>

  <!-- Producer specific properties (may be added multiple times)
       Note: Delete lines starting with with comment in 1st column -->
  <!-- <producer-security> -->
  <!-- The producer's handle -->

  <!-- Setup for services producer -->
  <producer-security>
    <!-- The producer's handle -->
    <producer-handle>my_wc_producer</producer-handle>
    <!-- The policy to use when the policy is not included in the WSDL. -->
    <policy-name>wcPolicy</policy-name>
    <policy-port>{urn:oasis:names:tc:wsrp:v2:wsdl}WSRP_v2_Markup_Service</policy-port>
    <policy-port>{urn:oasis:names:tc:wsrp:v1:wsdl}WSRPBaseService</policy-port>
    <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
    <!-- be removed. -->
    <strict-compatibility>false</strict-compatibility>
    <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
    <!-- (9.0 producer). -->
    <compatibility-forced>false</compatibility-forced>
    <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
    <!-- If both compatibility-forced is true and compatibility-enabled false -->
    <!-- no compat is sent -->
    <compatibility-enabled>false</compatibility-enabled>
    <!-- Should WLP specific handlers be deployed. -->
    <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
    <!-- Default: true -->
    <wlp-handlers-deployed>true</wlp-handlers-deployed>
    <!-- Should anonymous users be allowed? -->
    <!-- If disabled only logged in users may use this producer. -->
    <!-- Default: true -->
    <anonymous-users-allowed>true</anonymous-users-allowed>
  </producer-security>

  <!-- <producer-handle>wseeProducer</producer-handle> -->
  <!-- The policy to use when the policy is not included in the WSDL. -->
  <!-- <policy-name>wsrp81compatPolicy</policy-name> -->
  <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
  <!-- be removed. -->
  <!-- <strict-compatibility>false</strict-compatibility> -->
  <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
  <!-- (9.0 producer). -->
  <!-- <compatibility-forced>false</compatibility-forced> -->
  <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
  <!-- If both compatibility-forced is true and compatibility-enabled false -->
  <!-- no compat is sent -->
  <!-- <compatibility-enabled>true</compatibility-enabled> -->
  <!-- Should WLP specific handlers be deployed. -->
  <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
  <!-- Default: true -->
  <!-- <wlp-handlers-deployed>true</wlp-handlers-deployed> -->
  <!-- Should anonymous users be allowed? -->
  <!-- If disabled only logged in users may use this producer. -->
  <!-- Default: true -->
  <!-- <anonymous-users-allowed>true</anonymous-users-allowed> -->
  <!-- </producer-security> -->
</wsrp-consumer-security-config>
If the server is not running, start it now.
Open the WebLogic Server Administration Console on the producer server and log in.
Select Security Realms.
Select a security realm, such as myrealm.
Select the Providers tab.
Select the Credential Mapping tab.
Select the PKICredentialMapper.
Select Provider Specific.
Supply these values, as appropriate:
Parameter | Value |
---|---|
Keystore Provider | Keep the default value. |
Keystore Type | JKS |
Keystore File Name | DemoIdentity.jks |
Keystore Pass Phrase | DemoIdentityKeyStorePassPhrase |
Confirm Keystore Pass Phrase | DemoIdentityKeyStorePassPhrase |
Use Resource Hierarchy | Keep the default value. |
Use Initiator Group Names | Keep the default value. |
Restart the server.
In the WebLogic Server Console select Security Realms.
Select myrealm.
Select Providers.
Select Credential Mapping.
Select SAMLCredentialMapper.
Select Provider Specific.
Supply these values, as appropriate:
Parameter | Value |
---|---|
Issuer URI | This needs to match the Issuer URI on the producer (for example, |
Signing Key Alias | The key alias. See Section 17.3.3.1, "Generate a Key Pair." |
Signing Key Pass Phrase | The key passphrase. See Section 17.3.3.1, "Generate a Key Pair." |
Confirm Signing Key Pass Phrase | The key passphrase. See Section 17.3.3.1, "Generate a Key Pair." |
In the WebLogic Server Console, select Security Realms.
Select myrealm.
Select Credential Mappings.
Select PKI.
Select New and click Next.
Supply these values, as appropriate:
Parameter | Value |
---|---|
Protocol | Leave this field blank. |
Remote Host | Leave this field blank. |
Remote Port | Leave this field blank. |
Path | Leave this field blank. |
Method | Leave this field blank. |
Credential Type | Key Pair |
Principal Name | Enter the value of the <consumer-name> element in |
Principal Type | User |
Credential Action | Leave this field blank. |
Keystore Alias | The key alias. See Section 17.3.3.1, "Generate a Key Pair." |
Password | The key passphrase. See Section 17.3.3.1, "Generate a Key Pair." |
Confirm Password | The key passphrase. See Section 17.3.3.1, "Generate a Key Pair." |
Restart the server.
See the "Configuring WS-Security" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter for detailed information on securing your Framework application producer with SAML. At a minimum, the following steps are required:
Import the public certificate created in Section 17.3.3.2, "Export the Public Key Certificate" into a keystore on your producer.
Add the new keystore to OWSM's keystore service.
Using Fusion Middleware Control, assign the oracle/wss10_saml_token_with_message_integrity_service_policy policy to all of your web application's WebServices WSRP End Points, and remove the default no authentication service policy from the non-markup End Points.
To test the configuration, do the following:
Create a portal.
Add the remote portlet from Section 17.3.1, "Register the WebCenter Portal: Framework Application Producer with the WebLogic Portal Consumer" to the portal.
Add the authentication (login) mechanism to the portal, as explained in Section 17.3.2, "Add an Authentication Mechanism To Your Portal."
Run the portal in a browser.
Log in to the portal.
View the portlet.
If the portlet renders correctly, the configuration is working properly.
This section discusses the producer-side and consumer-side configuration required to set up security if the producer has a wss10_saml_token_policy token configured. This token is also called an unsigned SAML or simple SAML token.
The configuration steps include:
Section 17.4.2, "Add an Authentication Mechanism To Your Portal"
Section 17.4.4, "Configuring the WebCenter Portal: Framework Application Producer"
Follow the steps in Section 4.3.3, "Locating and Consuming a Portlet" to register your Framework application producer with the WebLogic Portal consumer. Make a note of the Producer Handle that you specify (for example, my_wc_producer), as this will be used later.
For information on how to add a programmatic authentication mechanism to your portal, see "Implementing Authentication Programmatically" in Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal.
This section explains how to configure the consumer web application.
Add the following policy definition to your WebLogic Portal consumer to configure it to match the default policy configuration on a Framework application producer.
In your web project, create a directory WEB-INF/classes/policies.
In that directory, create a file named wcPolicy.xml, with the following contents:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
  <wssp:Identity>
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
        <wssp:Claims>
          <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
Save your changes to this file.
Copy the file WEB-INF/wsrp-consumer-security-config.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in "Copying J2EE Library Files Into a Project" in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
In wsrp-consumer-security-config.xml, add the following code to the bottom of the file, inside the <wsrp-consumer-security-config> element:
<!-- Setup for services producer -->
<producer-security>
  <!-- The producer's handle -->
  <producer-handle>my_wc_producer</producer-handle>
  <!-- The policy to use when the policy is not included in the WSDL. -->
  <policy-name>wcPolicy</policy-name>
  <policy-port>{urn:oasis:names:tc:wsrp:v2:wsdl}WSRP_v2_Markup_Service</policy-port>
  <policy-port>{urn:oasis:names:tc:wsrp:v1:wsdl}WSRPBaseService</policy-port>
  <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
  <!-- be removed. -->
  <strict-compatibility>false</strict-compatibility>
  <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
  <!-- (9.0 producer). -->
  <compatibility-forced>false</compatibility-forced>
  <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
  <!-- If both compatibility-forced is true and compatibility-enabled false -->
  <!-- no compat is sent -->
  <compatibility-enabled>false</compatibility-enabled>
  <!-- Should WLP specific handlers be deployed. -->
  <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
  <!-- Default: true -->
  <wlp-handlers-deployed>true</wlp-handlers-deployed>
  <!-- Should anonymous users be allowed? -->
  <!-- If disabled only logged in users may use this producer. -->
  <!-- Default: true -->
  <anonymous-users-allowed>true</anonymous-users-allowed>
</producer-security>
Populate the value of the <producer-handle> element with the handle you created in Section 17.4.1, "Register the WebCenter Portal: Framework Application Producer with the WebLogic Portal Consumer."
Populate the value of the <policy-name> element with the filename of the policy created in Section 17.4.3.1, "Add a New Policy to the Consumer Web-App." Enter the value without its .xml extension (for example, wcPolicy).
Note:
The following steps must be completed for a new web application before deploying/publishing the web application to the server.
Open the WebLogic Server Administration Console on the consumer server and log in.
Select Security Realms.
Select a security realm, such as myrealm.
Select the Providers tab.
Select the Credential Mapping tab.
Select the SAML Credential Mapper.
Select Configuration.
Select Provider Specific.
Set the Issuer URI to www.oracle.com, which is the default for Oracle WebCenter Producers.
Click Save.
Next, turn off assertion signing for the relying party. In the WLS Console, select Security Realms.
Select myrealm.
Select Providers.
Select Credential Mapping.
Select SAML Credential Mapper.
Select Management.
Select rp_00001.
Uncheck Sign Assertion.
Click Save.
See "Configuring WS-Security" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter for detailed information on securing your Framework application producer with SAML. At a minimum, the following step is required:
Using Fusion Middleware Control, assign the oracle/wss10_saml_token_service_policy policy to all of your web application's WebServices WSRP End Points, and remove the default no authentication service policy from the non-markup End Points. This policy authenticates the SAML token in the WS-Security header but provides no message protection, and with Sign Assertion turned off on the consumer the assertion itself carries no signature; the producer's acceptance of the token therefore rests on the transport, so expose these End Points only over SSL or on a network you trust.
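To make concrete what the producer can still check once the assertion is unsigned, the following is an added example (not Oracle WSM or WebLogic code) that builds a SAML 1.1 sender-vouches assertion of the shape the consumer's credential mapper emits with Sign Assertion off, and runs it through a producer-side validator. Only the issuer (compared against the Issuer URI set above, www.oracle.com), the sender-vouches confirmation method, and the NotBefore/NotOnOrAfter window are left to check. The assertion is constructed; the 120-second lifetime, the 30-second clock-skew allowance, and the exact check order are assumptions, since the products' internals are not described on this page.

```python
"""Model of the producer-side acceptance checks for an unsigned SAML 1.1
sender-vouches assertion (Sign Assertion off on the consumer,
oracle/wss10_saml_token_service_policy on the producer).

Added example, not Oracle WSM or WebLogic code. The assertion is constructed;
the 120-second lifetime, the 30-second skew and the check order are assumptions.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
TRUSTED_ISSUERS = {"www.oracle.com"}  # Issuer URI configured on the SAML Credential Mapper
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(user: str, issuer: str, issued_at: datetime, ttl_seconds: int = 120) -> str:
    """Sender-vouches assertion as emitted with signing disabled: there is no
    <ds:Signature>, so nothing binds Issuer, Subject or Conditions to any key."""
    now = issued_at.strftime(FMT)
    not_after = (issued_at + timedelta(seconds=ttl_seconds)).strftime(FMT)
    return f'''<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_{uuid.uuid4().hex}" Issuer="{issuer}" IssueInstant="{now}">
  <saml:Conditions NotBefore="{now}" NotOnOrAfter="{not_after}"/>
  <saml:AuthenticationStatement AuthenticationInstant="{now}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
    <saml:Subject>
      <saml:NameIdentifier>{user}</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>'''


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, trusted_issuers=TRUSTED_ISSUERS,
                       skew: timedelta = timedelta(seconds=30)):
    """Return (accepted, reason, subject). Issuer and freshness are all an unsigned
    token offers; a signature check would sit before the Conditions check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or \
            (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return False, "not a SAML 1.1 assertion", None
    if root.get("Issuer") not in trusted_issuers:
        return False, f"untrusted issuer {root.get('Issuer')!r}", None
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity window", None
    if now + skew < _parse(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now - skew >= _parse(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        return False, "assertion expired", None
    method = root.findtext(f".//{{{SAML_NS}}}ConfirmationMethod")
    if (method or "").strip() != SENDER_VOUCHES:
        return False, "confirmation method is not sender-vouches", None
    subject = (root.findtext(f".//{{{SAML_NS}}}NameIdentifier") or "").strip()
    if not subject:
        return False, "no subject", None
    return True, "accepted; integrity rests entirely on the transport", subject


def demo() -> dict:
    """Fresh, replayed, early and foreign-issuer assertions, plus one minted for
    another user by any caller who can reach the endpoint (no key is needed)."""
    t0 = datetime(2011, 3, 1, 12, 0, tzinfo=timezone.utc)
    good = build_assertion("alice", "www.oracle.com", t0)
    return {
        "fresh": validate_assertion(good, t0 + timedelta(seconds=10)),
        "replayed": validate_assertion(good, t0 + timedelta(minutes=5)),
        "early": validate_assertion(good, t0 - timedelta(minutes=5)),
        "untrusted_issuer": validate_assertion(build_assertion("alice", "idp.example.test", t0), t0),
        "forged_user": validate_assertion(build_assertion("weblogic", "www.oracle.com", t0), t0),
    }


if __name__ == "__main__":
    for name, (ok, reason, subject) in demo().items():
        print(f"{name:17s} accepted={ok!s:5s} subject={subject!s:9s} {reason}")
```

The replayed and early cases show the time-window constraint doing its work, while the last case shows its limit: with no signature to verify, the validator cannot tell a consumer-minted assertion from one written by anyone else who can send SOAP to the producer, which is why the End Points should be reachable only over SSL or from trusted hosts.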
If you have set up your WebLogic Portal producer's security to interoperate with a Framework application consumer (as explained in Section 17.2, "SAML Security Between a WebCenter Portal: Framework Application Consumer and a WebLogic Portal Producer"), and you wish to consume portlets from that producer in a WebLogic Portal consumer, then the following steps are required:
Section 17.5.1, "Register the WebLogic Portal producer with the WebLogic Portal Consumer"
Section 17.5.2, "Update the Producer's Security Policy on the Consumer"
Section 17.5.3, "Create a New PKI Credential Mapping to the Consumer"
Follow the steps in Section 4.3.3, "Locating and Consuming a Portlet" to register your WebLogic Portal producer with the WebLogic Portal consumer. Make a note of the Producer Handle that you specify (for example, my_wlp_producer), as this will be used later.
Copy the file WEB-INF/wsrp-consumer-security-config.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in "Copying J2EE Library Files Into a Project" in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
Add a new <producer-security> element with the following contents:
<producer-security>
  <!-- The producer's handle -->
  <producer-handle>my_wlp_producer</producer-handle>
  <!-- The policy to use when the policy is not included in the WSDL. -->
  <policy-name>wsrp81compatPolicy</policy-name>
  <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
  <!-- be removed. -->
  <strict-compatibility>false</strict-compatibility>
  <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
  <!-- (9.0 producer). -->
  <compatibility-forced>false</compatibility-forced>
  <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
  <!-- If both compatibility-forced is true and compatibility-enabled false -->
  <!-- no compat is sent -->
  <compatibility-enabled>true</compatibility-enabled>
  <!-- Should WLP specific handlers be deployed. -->
  <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
  <!-- Default: true -->
  <wlp-handlers-deployed>false</wlp-handlers-deployed>
  <!-- Should anonymous users be allowed? -->
  <!-- If disabled only logged in users may use this producer. -->
  <!-- Default: true -->
  <anonymous-users-allowed>true</anonymous-users-allowed>
</producer-security>
Populate the value of the <producer-handle> element with the handle that was created earlier in Section 17.5.1, "Register the WebLogic Portal producer with the WebLogic Portal Consumer."
Save the changes, and republish the application.
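Both <producer-security> entries on this page (the WebCenter producer in Section 17.4 and the WebLogic Portal producer in Section 17.5) are easy to get subtly wrong: a handle that does not match the registration, a <policy-name> entered with its .xml extension, or a policy file that does not actually declare the SAML sender-vouches identity token. The following is an added example, not code from WebLogic Portal or its documentation, that parses a wsrp-consumer-security-config.xml and the policy files it names and reports such mismatches before the application is republished. Assumptions: the policies are handed in as a mapping from policy name to XML text (on disk they are <policy-name>.xml files), and the caller supplies the set of producer handles registered on the consumer. The sample config and policy are constructed from the fragments on this page; the second entry deliberately keeps a .xml suffix and names a policy that is not supplied.

```python
"""Consistency checks for a WebLogic Portal consumer's wsrp-consumer-security-config.xml
and the WS-Policy files its <policy-name> elements reference.

Added example, not code from WebLogic Portal or its documentation. Assumptions:
policies are passed in as a mapping policy-name -> XML text (on disk, <policy-name>.xml),
and the caller knows which producer handles were registered on the consumer.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

WSSP = "http://www.bea.com/wls90/security/policy"
SAML11_TOKEN = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID")
QNAME = re.compile(r"\{[^{}\s]+\}[A-Za-z_][\w.-]*")  # {namespace}LocalName, as in <policy-port>
BOOLEANS = ("strict-compatibility", "compatibility-forced", "compatibility-enabled",
            "wlp-handlers-deployed", "anonymous-users-allowed")

# Constructed sample: the wcPolicy.xml from this page, unused namespace declarations dropped.
WC_POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssp="{WSSP}">
  <wssp:Identity><wssp:SupportedTokens>
    <wssp:SecurityToken TokenType="{SAML11_TOKEN}">
      <wssp:Claims><wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod></wssp:Claims>
    </wssp:SecurityToken>
  </wssp:SupportedTokens></wssp:Identity>
</wsp:Policy>"""

# Constructed sample: both <producer-security> entries from this page. The second one
# deliberately keeps a ".xml" suffix and names a policy that is not supplied below.
SAMPLE_CONFIG = """<wsrp-consumer-security-config>
  <producer-security>
    <producer-handle>my_wc_producer</producer-handle>
    <policy-name>wcPolicy</policy-name>
    <policy-port>{urn:oasis:names:tc:wsrp:v2:wsdl}WSRP_v2_Markup_Service</policy-port>
    <policy-port>{urn:oasis:names:tc:wsrp:v1:wsdl}WSRPBaseService</policy-port>
    <strict-compatibility>false</strict-compatibility>
    <compatibility-forced>false</compatibility-forced>
    <compatibility-enabled>false</compatibility-enabled>
    <wlp-handlers-deployed>true</wlp-handlers-deployed>
    <anonymous-users-allowed>true</anonymous-users-allowed>
  </producer-security>
  <producer-security>
    <producer-handle>my_wlp_producer</producer-handle>
    <policy-name>wsrp81compatPolicy.xml</policy-name>
    <compatibility-enabled>true</compatibility-enabled>
    <wlp-handlers-deployed>false</wlp-handlers-deployed>
    <anonymous-users-allowed>true</anonymous-users-allowed>
  </producer-security>
</wsrp-consumer-security-config>"""


def policy_supports_saml_sender_vouches(policy_xml: str) -> bool:
    """True if the policy lists a SAML 1.1 identity token with sender-vouches confirmation."""
    for token in ET.fromstring(policy_xml).iter(f"{{{WSSP}}}SecurityToken"):
        if token.get("TokenType") == SAML11_TOKEN:
            for method in token.iter(f"{{{WSSP}}}ConfirmationMethod"):
                if (method.text or "").strip() == "sender-vouches":
                    return True
    return False


def check_consumer_config(config_xml: str, policies: Dict[str, str],
                          registered_handles: Iterable[str]) -> List[str]:
    """Return one finding per problem, prefixed with the producer handle it concerns."""
    registered = set(registered_handles)
    findings = []
    for entry in ET.fromstring(config_xml).iter("producer-security"):
        handle = (entry.findtext("producer-handle") or "").strip() or "<missing handle>"
        if handle not in registered:
            findings.append(f"{handle}: producer-handle does not match a registered producer")
        name = (entry.findtext("policy-name") or "").strip()
        if name.lower().endswith(".xml"):  # the page: enter the name without its .xml extension
            findings.append(f"{handle}: policy-name '{name}' must omit the .xml extension")
            name = name[:-4]
        if name not in policies:
            findings.append(f"{handle}: policy '{name}' is not present on the consumer")
        elif not policy_supports_saml_sender_vouches(policies[name]):
            findings.append(f"{handle}: policy '{name}' declares no SAML sender-vouches token")
        for port in entry.findall("policy-port"):
            if not QNAME.fullmatch((port.text or "").strip()):
                findings.append(f"{handle}: malformed policy-port '{port.text}'")
        for tag in BOOLEANS:
            value = entry.findtext(tag)
            if value is not None and value.strip() not in ("true", "false"):
                findings.append(f"{handle}: {tag} must be 'true' or 'false'")
        if (entry.findtext("wlp-handlers-deployed") or "true").strip() == "false":
            findings.append(f"{handle}: WARN wlp-handlers-deployed=false is expert-only")
    return findings


if __name__ == "__main__":
    for finding in check_consumer_config(SAMPLE_CONFIG, {"wcPolicy": WC_POLICY},
                                         ["my_wc_producer", "my_wlp_producer"]):
        print(finding)
```

Run against the sample, the WebCenter entry passes cleanly and the WebLogic Portal entry produces three findings: the .xml suffix, the missing wsrp81compatPolicy (not supplied to this run), and a warning that wlp-handlers-deployed=false is the expert-only setting the page's own comments call out. Supply the consumer's real policy files and registered handles to use it on a project.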
This section explains how to create a new PKI credential mapping on the consumer, if one is not already present.
Follow the instructions in "Create PKI Credential Mappings" in the WebLogic Server Administration Console Online Help to create a new security credential map on the consumer for the producer. Supply the following values as appropriate:
Parameter | Value
---|---
Protocol | Leave this field blank.
Remote Host | Leave this field blank.
Remote Port | Leave this field blank.
Path | Leave this field blank.
Method | Leave this field blank.
Credential Type | Key Pair
Principal Name | Enter the value of the
Principal Type | User
Credential Action | Leave this field blank.
Keystore Alias | The key alias. See Section 17.2.1.1, "Generate a Key Pair."
Password | The key passphrase. See Section 17.2.1.1, "Generate a Key Pair."
Confirm Password | The key passphrase. See Section 17.2.1.1, "Generate a Key Pair."