7 Interoperability with Oracle Service Bus 10g Security Environments

Oracle Web Services Manager (OWSM) is interoperable with Oracle Service Bus 10g security environments. Policies that conform to the WS-Security 1.0 standard are attached to web services, to achieve the interoperability between OWSM 12c and Oracle Service Bus 10g.

This chapter includes the following sections:

7.1 Understanding the Interoperability of Oracle Service Bus 10g Security Environments

In Oracle Service Bus 10g, you attach policies to configure your security environment for inbound and outbound requests. Oracle Service Bus uses the underlying WebLogic security framework as building blocks for its security services.

For information about configuring and attaching policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

Note:

Ensure that you have downloaded and applied the TYBN and U37Z patches released for Oracle Service Bus 10.3 using the patch tool.

OWSM policies and Oracle Service Bus 10g interoperability scenarios are described in the following sections:

7.1.1 OWSM Policies and Assertions

With OWSM 12c, you attach policies to web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.

For more information about:

7.1.2 Interoperability Scenarios for Oracle Service Bus 10g

You can review the different scenarios for interoperability between OWSM 12c and Oracle Service Bus 10g.

The Oracle Service Bus 10g interoperability scenarios are based on the following security requirements: authentication, message protection, and transport.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.

The following table describes the OWSM 12c service policy and Oracle Service Bus 10g client policy interoperability scenarios:

Table 7-1 OWSM 12c Service Policy and Oracle Service Bus 10g Client Policy Interoperability

Identity Token WS-Security Version Message Protection Transport Security Service Policy Client Policy

Username

1.0

Yes

No

oracle/wss10_username_token_with_message_protection_service_policy

Encrypt.xml

Sign.xml

SAML

1.0

Yes

No

oracle/wss10_saml_token_with_message_protection_service_policy

Encrypt.xml

Sign.xml

SAML or Username

1.0 and 1.1

No

Yes

oracle/wss_saml_or_username_token_over_ssl_service_policy

Auth.xml

Mutual Authentication

1.0

Yes

No

oracle/wss10_x509_token_with_message_protection_service_policy

Encrypt.xml

Sign.xml

The following table describes the Oracle Service Bus 10g service policy and OWSM 12c client policy interoperability scenarios:

Table 7-2 Oracle Service Bus 10g Service Policy and OWSM 12c Client Policy Interoperability

Identity Token WS-Security Version Message Protection Transport Security Service Policy Client Policy

Username

1.0

Yes

No

Encrypt.xml

Sign.xml

oracle/wss10_username_token_with_message_protection_client_policy

SAML

1.0

Yes

 

Encrypt.xml

Sign.xml

oracle/wss10_saml_token_with_message_protection_client_policy

Mutual Authentication

1.0

Yes

No

Encrypt.xml

Sign.xml

oracle/wss10_x509_token_with_message_protection_client_policy

7.2 Implementing a Username Token with Message Protection (WS-Security 1.0) for Oracle Service Bus 10g Client

The Username Token with Message Protection policy conforms to the WS-Security 1.0 standard. This policy is implemented to achieve the interoperability of OWSM 12c web service with Oracle Service Bus 10g client and the interoperability of Oracle Service Bus 10g web service with OWSM 12c client.

The following interoperability scenarios are supported:

  • OWSM 12c web service with Oracle Service Bus 10g client

  • Oracle Service Bus 10g web service with OWSM 12c client

For either scenario, you must perform prerequisite tasks for the WebLogic Server on which Oracle Service Bus is running. See Configuring Prerequisites for Interoperability (Username token with WS-Security 1.0 Message Protection).

After completing the prerequisite tasks, see the detailed instructions for your supported scenario:

7.2.1 Configuring Prerequisites for Interoperability (Username token with WS-Security 1.0 Message Protection)

Before you implement a username token with WS-Security 1.0 message protection for interoperability between OWSM 12c and Oracle Service Bus 10g, you must complete a number of high-level tasks.

To configure prerequisites for interoperability:

  1. Copy the default-keystore.jks and trust.jks files to your domain directory.

    The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment.

  2. Invoke the WebLogic Administration Console.

  3. Configure the Custom Identity and Custom Trust keystores.

  4. Configure SSL.

  5. Specify the private key alias, as required. For example: oratest.

  6. Configure a credential mapping provider.

    Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

    1. Keystore Provider: N/A

    2. Keystore Type: jks

    3. Keystore File Name: default_keystore.jks

    4. Keystore Pass Phrase: <password>

    5. Confirm Keystore Pass Phrase: <password>

  7. Restart Oracle WebLogic Server.

  8. Invoke the OSB Console. For example:

    http://<host name>:<port number>/servicebus 
    
  9. Create a ServiceKeyProvider.

  10. Specify Encryption Key and Digital Signature Key, as required.

    You must use different keys on the OWSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.

7.2.2 Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client (Username Token with Message Protection)

You can implement a username token with message protection (WS-Security 1.0) using an OWSM 12c web service and an Oracle Service Bus 10g client.

The following topics describe how to configure the OWSM 12c web service and then the Oracle Service Bus 10g client:

7.2.2.1 Configuring OWSM 12c Web Service for Oracle Service Bus 10g Client (Username Token with WS-Security 1.0 Message Protection)

You can configure an OWSM 12c web service to implement username token with WS-Security 1.0 message protection for interoperability with an Oracle Service Bus 10g client.

To configure the OWSM 12c web service:

  1. Clone the following policy: wss10_username_token_with_message_protection_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Edit the policy settings, as follows:

    1. Set Encryption Key Reference Mechanism to issuerserial.

    2. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    3. Enable the Include Timestamp configuration setting.

    4. Set Is Encrypted to false for the Username token element only.

  3. Attach the policy to the web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

7.2.2.2 Configuring Oracle Service Bus 10g Client (Username Token with Message Protection)

You can configure an Oracle Service Bus 10g client to implement username token with WS-Security 1.0 message protection for interoperability with an OWSM 12c web service.

To configure the Oracle Service Bus 10g client:

  1. Clone the Encrypt.xml and Sign.xml policy files.

    For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  2. Edit the encryption algorithm in myEncrypt.xml file to prevent encryption compliance failure, as follows:
    <wssp:Target>
       <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    
  3. Edit the mySign.xml policy file attached to the Oracle Service Bus business service request only to sign the Username token by including the following target:
    <wssp:Target>
       <wssp:DigestAlgorithm URI=
        "http://www.w3.org/2000/09/xmldsig#sha1" />
       <wssp:MessageParts Dialect=
        "http://www.bea.com/wls90/security/policy/wsee#part">
          wls:SecurityHeader(wsse:UsernameToken)
       </wssp:MessageParts>
    </wssp:Target>
    
  4. Edit the mySign.xml policy file attached to the Oracle Service Bus business service response only to specify that the security token is unsigned:
    <wssp:Integrity SignToken="false"> 
    

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm 
       URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts 
       Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    
  5. Invoke the web service method from the client.

Additional Information

"Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

"Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html

7.2.3 Configuring an Oracle Service Bus 10g Web Service and an OWSM 12c Client (Username Token with Message Protection)

You can implement a username token with WS-Security 1.0 message protection using Oracle Service Bus 10g web service and an OWSM 12c client.

The following topics describe how to configure the Oracle Service Bus 10g web service and then the OWSM 12c client:

7.2.3.1 Configuring Oracle Service Bus 10g Web Service (Username Token with Message Protection)

You can configure an Oracle Service Bus 10g web service to implement username token with message protection for interoperability with an OWSM 12c client.

To configure the Oracle Service Bus 10g web service:

  1. Clone the Encrypt.xml and Sign.xml policy files.

    For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  2. Edit the encryption algorithm in the myEncrypt.xml file to prevent encryption compliance failure, as follows:

    <wssp:Target>
       <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    

    For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

  3. Edit the mySign.xml policy file attached to the proxy service request only to specify that the security token is unsigned:

    <wssp:Integrity SignToken="false"> 
    

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm 
       URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts 
       Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    
  4. Create a web service application that invokes the Oracle Service Bus routing service.

7.2.3.2 Configuring OWSM 12c Client for Oracle Service Bus 10g (Username Token with WS-Security 1.0 Message Protection)

You can configure an OWSM 12c client to implement username token with WS-Security 1.0 message protection for interoperability with an Oracle Service Bus 10g web service.

To configure the OWSM 12c client:

  1. Clone the following policy: wss10_username_token_with_message_protection_client_policy.

    Edit the policy settings, as follows:

    1. Set Encryption Key Reference Mechanism to issuerserial.

    2. Set Recipient Encryption Key Reference Mechanism to issuerserial.

    3. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    4. Disable the Include Timestamp configuration setting.

    5. Set Is Encrypted to false.

    6. Leave the default configuration set for message signing and encryption.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Attach the policy to the web service client.

  3. Invoke the web service from the client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

7.3 Implementing a SAML Sender Vouches Token with WS-Security 1.0 Message Protection for Oracle Service Bus 10g Client

The SAML Sender Vouches Token with Message Protection policy conforms to the WS-Security 1.0 standard. This policy is implemented to achieve the interoperability of OWSM 12c web service with Oracle Service Bus 10g client and the interoperability of Oracle Service Bus 10g web service with OWSM 12c client.

The following interoperability scenarios are supported:

  • OWSM 12c web service with Oracle Service Bus 10g client

  • Oracle Service Bus 10g web service with OWSM 12c client

For either scenario, you must complete prerequisite tasks for the WebLogic Server on which Oracle Service Bus is running. For more information on the prerequisites, see Configuring Prerequisites for Interoperability (SAML Sender Vouches Token). After completing the prerequisite tasks, complete one of the following tasks depending upon your specific deployment:

7.3.1 Configuring Prerequisites for Interoperability (SAML Sender Vouches Token)

Before you implement SAML sender vouches token with WS-Security 1.0 message protection for interoperability between OWSM 12c and Oracle Service Bus 10g, you must complete a number of high-level tasks.

To configure prerequisites for interoperability:

  1. Copy the default-keystore.jks and trust.jks files to your domain directory.

    The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment. For more information, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Invoke the WebLogic Administration Console.

    For more information, see "Accessing Oracle WebLogic Administration Console" in Administering Web Services.

  3. Create a SAMLIdentityAsserterV2 authentication provider.

    For more information, see "Configuring Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help.

  4. Restart WebLogic Server to add the new provider to the Administration Server's Runtime MBean server.

  5. Select the authentication provider created in step 3.

  6. Create and configure a SAML asserting party.

    Configure the SAML asserting party as follows (leave other values set to the defaults):

    • Profile: WSS/Sender-Vouches

    • Target URL: <OSB Proxy Service Endpoint URI>

    • Issuer URI: www.oracle.com

    Select the Enabled checkbox and click Save.

  7. Create a SamlCredentialMapperV2 credential mapping provider.

    Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper, for example, UC2_SamlCredentialMapperV2.For more information, see "SAML Identity Asserter V2: Create an Asserting Party" and "SAML Identity Asserter V2: Asserting Party: Configuration" in Oracle WebLogic Server Administration Console Online Help.

  8. Restart WebLogic Server.

  9. Configure the credential mapper as follows (leave other values set to the defaults):

    • Issuer URI: www.oracle.com

      Note:

      This value is specified in the policy file.

    • Name Qualifier: oracle.com

    For more information, see "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help.

  10. Create and configure a SAML relying party.

    Configure the SAML relying party as follows (leave other values set to the defaults):

    • Profile: WSS/Sender-Vouches

    • Target URL: <OWSM 12c Web Service>

    • Description: <your_description>

    Select the Enabled checkbox and click Save. For more information, see "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle WebLogic Server Administration Console Online Help.

  11. Restart WebLogic Server.

7.3.2 Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client (SAML Sender Vouches Token)

You can configure implement SAML sender vouches with WS-Security 1.0 message protection using OWSM 12c web service and an Oracle Service Bus 10g client.

The following topics describe how to configure the OWSM 12c web service and then the Oracle Service Bus 10g client:

7.3.2.1 Configuring OWSM 12c Web Service for Oracle Service Bus 10g Client (SAML Sender Vouches Token)

You can configure an OWSM 12c web service to implement SAML sender vouches token for interoperability with an Oracle Service Bus 10g client.

To configure the OWSM 12c web service:

  1. Clone the following policy: oracle/wss10_saml_token_with_message_protection_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

    1. Set Encryption Key Reference Mechanism to issuerserial.

    2. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    3. Set Is Encrypted to false for the Username token element only.

    4. Leave the default configuration set for message signing and encryption.

  2. Attach the policy to the web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

7.3.2.2 Configuring Oracle Service Bus 10g Client (SAML Sender Vouches Token)

You can configure an Oracle Service Bus 10g client to implement SAML sender vouches token for interoperability with an OWSM 12c web service.

To configure the Oracle Service Bus 10g client:

  1. Clone the Encrypt.xml and Sign.xml policy files.

    For example, to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  2. Edit the encryption algorithm in the myEncrypt.xml file to prevent encryption compliance failure, as follows:

    <wssp:Target>
       <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    

    For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

  3. Edit the mySign.xml file attached to the Oracle Service Bus business service request only to sign the SAML assertion by including the following target:

    <wssp:Target>
       <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
       <wssp:MessageParts Dialect=
        "http://www.bea.com/wls90/security/policy/wsee#part">
          wls:SecurityHeader(wsse:Assertion)
       </wssp:MessageParts>
    </wssp:Target>
    
  4. Edit the mySign.xml file attached to the Oracle Service Bus business service response only to specify that the security token is unsigned, as follows:

    <wssp:Integrity SignToken="false">
    

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm 
       URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts 
       Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    
  5. Use the custom SAML policy file shown in the following Custom SAML Policy sample:

    <?xml version="1.0"?>
    <wsp:Policy
       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
       xmlns:wssp="http://www.bea.com/wls90/security/policy"
       xmlns:wsu="
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
       xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
       wsu:Id="custom_saml">
       <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
          <wssp:SupportedTokens>
             <wssp:SecurityToken  
              TokenType=
    "http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
                <wssp:Claims>
                   <wssp:ConfirmationMethod>
                      sender-vouches
                   </wssp:ConfirmationMethod>
                </wssp:Claims>
             </wssp:SecurityToken>
          </wssp:SupportedTokens>
       </wssp:Identity>
       </wsp:Policy>
    
  6. Invoke the web service from the client.

7.3.3 Configuring an Oracle Service Bus 10g Web Service and an OWSM 12c Client (SAML Sender Vouches Token)

You can implement SAMLsender vouches with WS-Security 1.0 message protection using an Oracle Service Bus 10g web service and an OWSM 12c client.

The following topics describe how to configure the Oracle Service Bus 10g web service and then the OWSM 12c client:

7.3.3.1 Configuring Oracle Service Bus 10g Web Service (SAML Sender Vouches Token)

You can configure an Oracle Service Bus 10g web service to implement SAML sender vouches token for interoperability with an OWSM 12c client.

To configure the Oracle Service Bus 10g web service:

  1. Clone the Encrypt.xml and Sign.xml policy files.

    For example, to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  2. Edit the encryption algorithm in the myEncrypt.xml policy file to prevent encryption compliance failure, as follows:

    <wssp:Target>
       <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    

    For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

  3. Edit the mySign.xml policy file attached to the proxy service request only to specify that the security token is unsigned:

    <wssp:Integrity SignToken="false"> 
    

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm 
       URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts 
       Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    
  4. Use the custom SAML policy file shown in the following Custom SAML Policy sample:

    <?xml version="1.0"?>
    <wsp:Policy
       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
       xmlns:wssp="http://www.bea.com/wls90/security/policy"
       xmlns:wsu="
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
       xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
       wsu:Id="custom_saml">
       <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
          <wssp:SupportedTokens>
             <wssp:SecurityToken  
              TokenType=
    "http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
                <wssp:Claims>
                   <wssp:ConfirmationMethod>
                      sender-vouches
                   </wssp:ConfirmationMethod>
                </wssp:Claims>
             </wssp:SecurityToken>
          </wssp:SupportedTokens>
       </wssp:Identity>
       </wsp:Policy>
    

7.3.3.2 Configuring OWSM 12c Client for Oracle Service Bus 10g (SAML Sender Vouches Token)

You can configure an OWSM 12c client to implement SAML sender vouches token for interoperability with an Oracle Service Bus 10g web service.

To configure the OWSM 12c client:

  1. Clone the following policy: wss10_saml_token_with_message_protection_client_policy.

    Edit the policy settings, as follows:

    1. Set Encryption Key Reference Mechanism to issuerserial.

    2. Set Recipient Encryption Key Reference Mechanism to issuerserial.

    3. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    4. Disable the Include Timestamp configuration setting.

    5. Leave the default configuration set for message signing and encryption.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Invoke the web service from the client.

7.4 Implementing a SAML or Username Token Over SSL for Oracle Service Bus 10g Client

The SAML or Username Token over SSL policy conforms to the WS-Security 1.0 and 1.1 standards. This policy is implemented to achieve the interoperability between OWSM 12c web service and Oracle Service Bus 10g client.

Note:

The interoperability scenario described in this section also applies to the SAML Token Over SSL and Username Token Over SSL policies.

For this scenario, you must first perform prerequisite tasks for the WebLogic Server on which Oracle Service Bus is running, as described in the following sections:

For configuration instructions of the supported scenario, see Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client (SAML or Username Token over SSL).

7.4.1 Configuring SAML prerequisites for Interoperability

Before you implement SAML or Username Token Over SSL for interoperability between OWSM 12c web service and Oracle Service Bus 10g client, you must complete a number of high-level tasks.

To configure SAML prerequisites for interoperability:

  1. Create a SamlCredentialMapperV2 credential mapping provider.

    Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper; for example, UC2_SamlCredentialMapperV2.For more information, see "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help.

  2. Restart WebLogic Server.

  3. Configure the credential mapper as follows (leave other values set to the defaults):

    • Issuer URI: www.oracle.com

      Note:

      This value is specified in the policy file.

    • Name Qualifier: oracle.com

  4. Create and configure a SAML relying party.

    Configure the SAML relying party as follows (leave other values set to the defaults):

    • Profile: WSS/Sender-Vouches

    • Target URL: <OWSM 12c Web Service>

    • Description: <your_description>

    Select the Enabled checkbox and click Save.

    For more information, see "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle WebLogic Server Administration Console Online Help.

  5. Restart WebLogic Server.

7.4.2 Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client (SAML or Username Token over SSL)

You can implement the SAML or username token over SSL policy using an OWSM 12c web service and an Oracle Service Bus 10g client. Both the SAML token client and the username token client are supported.

The following topics describe how to configure the OWSM 12c web service and then the Oracle Service Bus 10g client:

7.4.2.1 Configuring OWSM 12c Web Service for Oracle Service Bus 10g Client (SAML or Username Token over SSL)

You can configure an OWSM 12c web service to implement SAML or username token over SSL for interoperability with an Oracle Service Bus 10g client.

To configure the OWSM 12c web service:

  1. Configure the server for two-way SSL.

    • If the service policy is Username Token Over SSL, set Two Way Client Cert Behavior to "Client Certs Requested and Not Enforced."

    • If the service policy is SAML Token Over SSL, set Two Way Client Cert Behavior to "Client Certs Requested and Enforced."

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Clone the following policy: wss_saml_or_username_token_over_ssl_service_policy.

    • For wss_username_token_over_ssl_service_policy, disable the Create Element and Nonce configuration settings.

    • For wss_saml_token_over_ssl_service_policy, disable the Include Timestamp configuration setting.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Use JDeveloper to create a simple SOA composite.

  4. Attach the copy of the wss_saml_or_username_token_over_ssl_service_policy policy to the composite and deploy it.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

7.4.2.2 Configuring Oracle Service Bus 10g Client (SAML or Username Token Over SSL)

You can configure an Oracle Service Bus 10g client to implement SAML or username token over SSL for interoperability with an OWSM 12c web service.

To configure the Oracle Service Bus 10g client:

  1. Configure the server for two-way SSL:

    • If the client policy is the equivalent of Username Token Over SSL, then set Two Way Client Cert Behavior to "Client Certs Requested and Not Enforced."

    • If the client policy is the equivalent of SAML Token Over SSL, then set Two Way Client Cert Behavior to "Client Certs Requested and Enforced."

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. In the Oracle Service Bus console, import the WSDL for the relying party. Make sure that there is no policy attached. (Policy assertions are not allowed on this service.)

  3. For SAML token, create a business service.

    1. Attach the policy to the request.

      Use the custom SAML policy file shown in the following Custom SAML Policy sample:

      <?xml version="1.0"?>
      <wsp:Policy
         xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
         xmlns:wssp="http://www.bea.com/wls90/security/policy"
         xmlns:wsu="
      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
         xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
         wsu:Id="custom_saml">
         <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
            <wssp:SupportedTokens>
               <wssp:SecurityToken  
                TokenType=
      "http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
                  <wssp:Claims>
                     <wssp:ConfirmationMethod>
                        sender-vouches
                     </wssp:ConfirmationMethod>
                  </wssp:Claims>
               </wssp:SecurityToken>
            </wssp:SupportedTokens>
         </wssp:Identity>
         </wsp:Policy>
      
    2. Change the WSDL from HTTP to HTTPS.

  4. For username token, create a business service.

    1. Attach the auth.xml policy to the request.

    2. Change the WSDL from HTTP to HTTPS.

  5. Create a proxy service, and create a route to the business service.

    In HTTP Transport Configuration, set Authentication to "basic."

    On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to send the client cert to SOA.

  6. Run the proxy service from the Oracle Service Bus console with the username and password.

7.5 Implementing a Mutual Authentication with WS-Security 1.0 Message Protection for Oracle Service Bus 10g Client

The Mutual Authentication with Message Protection policy conforms to the WS-Security 1.0 standard. This policy is implemented to achieve the interoperability of OWSM 12c web service with Oracle Service Bus 10g client and the interoperability of Oracle Service Bus 10g web service with OWSM 12c client.

The following scenarios are supported:

  • OWSM 12c web service with Oracle Service Bus 10g client

  • Oracle Service Bus 10g web service with OWSM 12c client

For either scenario, you must first perform prerequisite tasks:

After completing the prerequisite tasks, complete one of the following tasks depending upon your specific deployment:

7.5.1 Configuring Prerequisites for Oracle WebLogic Server

Before you implement mutual authentication with WS-Security 1.0 message protection for interoperability between OWSM 12c and Oracle Service Bus 10g, you must complete a number of high-level tasks for the Oracle WebLogic Server.

To configure prerequisites for the Oracle WebLogic Server:

  1. Copy the default-keystore.jks and trust.jks files to your domain directory.

    The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the Oracle WebLogic Server environment.

    For more information, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Invoke the WebLogic Administration Console.

    For more information, see "Accessing Oracle WebLogic Administration Console" in Administering Web Services.

  3. Configure the Custom Identity and Custom Trust keystores.

    For more information, see "Configure keystores" in Oracle WebLogic Server Administration Console Online Help.

  4. Configure SSL.

    Specify the private key alias, as required. For example: oratest.

    For more information, see "Set up SSL" in Oracle WebLogic Server Administration Console Online Help.

  5. Configure a credential mapping provider.

  6. Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

    • Keystore Provider: N/A

    • Keystore Type: jks

    • Keystore File Name: default_keystore.jks

    • Keystore Pass Phrase: <password>

    • Confirm Keystore Pass Phrase: <password>

    For more information, see "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help.

  7. Select the Authentication tab and configure as follows:

    • Click DefaultIdentityAsserter and add X.509 to Chosen active types

    • Click Provider Specific and configure the following:

      • Default User Name Mapper Attribute Type: CN

      • Active Types: X.509

      • Use Default User Name Mapper: True

      For more information, see "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help.

  8. Configure a token handler to specify that a client invoking a message-secured web service uses an X.509 certificate to establish their identity. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and configure the inbound and outbound messages as follows:

    Note:

    Only username token with message protection or mutual authentication with message protection is available at any given time. Once you enable mutual authentication with message protection, username authentication will fail.

    • Click _SERVICE_BUS_INBOUND_WEB_SERVICE_SECURITY_MBEAN_ and select the Token Handler tab.

    • Click X.509 token handler and configure the following:

      • Name: UseX509ForIdentity

      • Value: True

    • Perform the same steps for the outbound Oracle Service Bus MBean: _SERVICE_BUS_OUTBOUND_WEB_SERVICE_SECURITY_MBEAN_

  9. If the users are not added, add the Common Name (CN) user specified in the certificate.

    For more information, see "Create users" in Oracle WebLogic Server Administration Console Online Help.

  10. Restart Oracle WebLogic Server.

7.5.2 Configuring prerequisites for OWSM

Before you implement mutual authentication with WS-Security 1.0 message protection for interoperability between OWSM 12c and Oracle Service Bus 10g, you must complete a number of high-level tasks.

To configure prerequisites for OWSM:

  1. Configure authentication.

    Select the Authentication tab and configure as follows:

    • Click DefaultIdentityAsserter and add X.509 to Chosen active types

    • Click Provider Specific and configure the following:

      • Default User Name Mapper Attribute Type: CN

      • Active Types: X.509

      • Use Default User Name Mapper: True

    For more information, see "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help.

  2. If the users are not added, add the Common Name (CN) user specified in the certificate.

  3. Restart Oracle WebLogic Server.

    For more information, see "Create users" in Oracle WebLogic Server Administration Console Online Help.

7.5.3 Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client (Mutual Authentication with WS-Security 1.0 Message Protection)

You can implement mutual authentication with WS-Security 1.0 message protection using an OWSM 12c web service and Oracle Service Bus 10g client. Configure the web service, then configure the client.

To configure the OWSM 12c web service:

  1. Create and deploy a SOA composite.

  2. Clone the following policy: wss10_x509_token_with_message_protection_service_policy.

    Edit the policy settings, as follows:

    1. Set Encryption Key Reference Mechanism to issuerserial.

    2. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Attach the policy to the web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  4. To configure Oracle Service Bus 10g Client, create an Oracle Service Bus business service.

  5. Clone the Encrypt.xml and Sign.xml policy files.

    For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  6. Attach the X.509 policy shown in sample at the end of this procedure, to the Oracle Service Bus business service request.

  7. Attach the Sign.xml policy file to the Oracle Service Bus business service request.

  8. Edit the myEncrypt.xml policy, as shown in sample at the end of this procedure, and attach it to the Oracle Service Bus business service request.

    For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

  9. Edit the mySign.xml policy file attached to the Oracle Service Bus business service response to specify that the security token is unsigned:

    <wssp:Integrity SignToken="false"> 
    

    Also, for SOA clients only, comment out the target for system headers, as shown in sample at the end of this procedure.

  10. Attach the myEncrypt.xml policy file from Step 6 to the Oracle Service Bus business service response.

  11. Create a ServiceKeyProvider.

  12. Specify Encryption Key and Digital Signature Key, as required.

    You must use different keys on the OWSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.

  13. Create a proxy service, and create a route to the business service.

    On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to send the client certificate to SOA.

  14. Run the proxy service from the Oracle Service Bus console.

    See the following X.509 Policy sample:

    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wssp="http://www.bea.com/wls90/security/policy"
      xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      s0:Id="X509Auth">
            <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
                <wssp:SupportedTokens>
                    <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                </wssp:SupportedTokens>
            </wssp:Identity>
    </wsp:Policy>
    

    See the following myEncrypt.xml Policy sample:

    <?xml version="1.0"?>
    <wsp:Policy
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wssp="http://www.bea.com/wls90/security/policy"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
     wsu:Id="X509Encrypt"> 
      <wssp:Confidentiality>
        <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <wssp:Target>
          <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>    
          <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
        </wssp:Target>
        <wssp:KeyInfo/>
      </wssp:Confidentiality>
    </wsp:Policy>
    

    See the following mySign Policy sample:

      <?xml version="1.0"?>
    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wssp="http://www.bea.com/wls90/security/policy"
     
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
    utility-1.0.xsd"
      xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
      wsu:Id="X509Sign">
      <wssp:Integrity SignToken="false">
        <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <wssp:CanonicalizationAlgorithm
     URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <!--wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
          <wssp:MessageParts
     Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
            wls:SystemHeaders()
          </wssp:MessageParts>
        </wssp:Target-->
        <wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
          <wssp:MessageParts
     Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
            wls:SecurityHeader(wsu:Timestamp)
          </wssp:MessageParts>
        </wssp:Target>
        <wssp:Target>
          <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
          <wssp:MessageParts
     Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
          </wssp:MessageParts>
        </wssp:Target>
       </wssp:Integrity>
      <wssp:MessageAge/>
    </wsp:Policy>
    
    

7.5.4 Configuring an Oracle Service Bus 10g Web Service and an OWSM 12c Client (Mutual Authentication With WS-Security 1.0 Message Protection)

You can implement mutual authentication with WS-Security 1.0 message protection using Oracle Service Bus 10g web service and an OWSM 12c client.

The following topics describe how to configure the Oracle Service Bus 10g web service and then the OWSM 12c client:

7.5.4.1 Configuring Oracle Service Bus 10g Web Service (Mutual Authentication with WS-Security 1.0 Message Protection)

You can configure an Oracle Service Bus 10g web service to implement mutual authentication with message protection for interoperability with an OWSM 12c client.

To configure the Oracle Service Bus 10g web service:

  1. Create a Oracle Service Bus proxy service.

  2. Clone the Encrypt.xml and Sign.xml policy files.

    For example, to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  3. Attach the X.509 policy to the proxy service request.

  4. Edit the mySign.xml policy file attached to the proxy service request and comment out the target for system headers and timestamp, as shown in the sample at the end of this procedure.

    For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

  5. Edit the encryption algorithm in the myEncrypt.xml file attached to the proxy service request as shown in the sample at the end of this procedure.

  6. Attach mySign.xml and myEncrypt.xml policy files from the previous steps to the proxy service response.

  7. Create a Service Key Provider.

    mySign.xml Policy sample:

    <?xml version="1.0"?>
    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wssp="http://www.bea.com/wls90/security/policy"
      xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      s0:Id="X509SignRequest">
      <wssp:Integrity
     xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
     xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
    utility-1.0.xsd">
      <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"
     />
      <!-- wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders
    ()</wssp:MessageParts>
      </wssp:Target -->
      <!-- wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts
    Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader
    (wsu:Timestamp)</wssp:MessageParts>
      </wssp:Target -->
      <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Target>
    </wsp:Policy>
    

    myEncrypt.xml sample:

    <?xml version="1.0"?>
    <wsp:Policy
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wssp="http://www.bea.com/wls90/security/policy"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
     wsu:Id="X509Encrypt"> 
      <wssp:Confidentiality>
        <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <wssp:Target>
          <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>    
          <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
        </wssp:Target>
        <wssp:KeyInfo/>
      </wssp:Confidentiality>
     
    </wsp:Policy>
    

7.5.4.2 Configuring OWSM 12c Client for Oracle Service Bus 10g (Mutual Authentication with WS-Security 1.0 Message Protection)

You can configure an OWSM 12c client to implement mutual authentication with WS-Security 1.0 message protection for interoperability with an Oracle Service Bus 10g web service.

To configure the OWSM 12c client:

  1. Clone the following policy: wss10_x509_token_with_message_protection_client_policy.

    In Fusion Middleware Control, edit the policy settings, as follows:

    1. Set Encryption Key Reference Mechanism to issuerserial.

    2. Set Recipient Encryption Key Reference Mechanism to issuerserial.

    3. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    4. Disable the Include Timestamp configuration setting.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. In Fusion Middleware Control, specify keystore.recipient.alias in the client configuration. Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entry in the trust store configured for the web service.

  3. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  4. Invoke the web service from the client.