Integration Guide


Securing Oracle Service Bus Runtime Resources

This section covers the following topics:

  Overview
  Prerequisites
  Initial Configuration
  Security Providers
  OSB Resources
  Service Bus Identities
  Policies for OSB
  Distributing Changes
  Verifying SSM Configuration Using PerfDBAuditor

Overview

The WLS SSM can be used to manage access control to Oracle Service Bus runtime resources. Oracle Service Bus is a configuration-based, policy-driven Enterprise Service Bus. It allows a loosely coupled architecture, facilitates enterprise-wide reuse of services, and centralizes management.

Only the runtime Service Bus resources are secured, that is, the resources that are passed to isAccessAllowed() when a request reaches the bus. The SSM does not secure the resources used during Oracle Service Bus configuration, such as the OSB console, so design-time access to the console is not covered by the policies described in this chapter.

 


Prerequisites

This document assumes the following:

 


Initial Configuration

Perform the following tasks to provide an SSM configuration and define an initial policy set for securing Oracle Service Bus resources. After completing these steps, you can refine the configuration and policies as described in the remaining sections of this document.

  1. Stop any running servers.
  2. Start the Administration Server.
  3. Configure the WLS SSM to protect an Oracle Service Bus domain as follows:
    1. Open a command window in BEA_HOME/ales32-ssm/wls-ssm/adm.
    2. Make a copy of myssm_config.properties and name it alsb_ssm_config.properties.
    3. Open alsb_ssm_config.properties in an editor. Set ssm.type=wls-alsb-ssm and specify the other entries as needed.
    4. Execute ConfigTool -process alsb_ssm_config.properties.
  4. Start the Oracle Service Bus domain server and access its console (typically http://host:port/sbconsole).
  5. You can now use the console's facilities, including creating and managing projects.

Sample Properties File

This is a sample of the properties file used to establish the initial configuration for securing Oracle Service Bus resources. Note that the file holds the database password, the OES administrator password and the protected domain's administrator password in cleartext, and that the values shown for them (password, weblogic) are placeholders: replace them with the real credentials before running ConfigTool and restrict read access to the file.

For instructions on completing this file, see the SSM Installation and Configuration Guide.

### This file lists properties for the SSM configuration tool
### ConfigTool will interactively prompt for values which
### are commented out

### This is the weblogic domain directory
### Use / (and not \ ) for the path
wls.domain.dir = C:/BEAProducts/alsb300_wls100/user_projects/domains/alsb_domain_3

### SSM's config-id
### You can use the name of your application for this value
ssm.conf.id = SimpleApp2

### Database password
db.password = password

### OES Admin password
ales.admin.password = password

### SSM Username and password
### Note : This is the admin user's username/password of the domain being
### protected. In this case the target domain is the ALSB domain
ssm.admin.name = system
ssm.admin.password = weblogic

### The type of SSM defined by the type of domain against which it
### is configured. The tool will load policies and configuration from
### BEAHOME/ales*-ssm/wls-ssm/config/<ssm.type> where <ssm.type> is one of:
### wls-ssm (for WebLogic Server domain)
### wls-portal-ssm (for WebLogic Portal domain)
### wls-alsb-ssm (for AquaLogic Service Bus domain)
### Note : For an ALSB domain this is 'wls-alsb-ssm'.
ssm.type = wls-alsb-ssm

#############################################################
### If you have not installed Admin and SSM in the same BEA-HOME,
### specify the values below. The ConfigTool will interactively prompt for
### values that are commented out
#############################################################

### Database user name
# db.login = db_user

### OES Admin username
# ales.admin.name = admin

### name of the SSM instance directory
# ssm.instance.name = MySsm

### the OES application node name
### This is like the root resource for the SSM
# ales.resource.root = //app/policy/MyApp

### OES identity directory name
# ales.identity.dir = ALSBdir

### Database JDBC URL:
### Oracle -> jdbc:oracle:thin:@<server>:<port>:<sid>
### Sybase -> jdbc:sybase:Tds:<server>:<port>
### Sql Server -> jdbc:sqlserver://<server>:<port>
### Pointbase -> jdbc:pointbase:server://<server>/ales
###
### values:
### <server>: name or IP address of database machine
### <port>: port where the database listener is running
### <sid>: SID for oracle database
# db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid

### Database JDBC Driver:
### Oracle: oracle.jdbc.driver.OracleDriver
### Sybase: com.sybase.jdbc3.jdbc.SybDriver
### Sql: com.microsoft.sqlserver.jdbc.SQLServerDriver
### Pointbase: com.pointbase.jdbc.jdbcUniversalDriver
### DB2: com.ibm.db2.jcc.DB2Driver
# db.jdbc.driver = oracle.jdbc.driver.OracleDriver

### ARME's port number, by default this is 8000
# arme.port = 8000
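The following pre-flight check is an added example and is not part of ConfigTool or the OES distribution. It reads a properties file in the format shown above and reports the problems that the comments in the sample warn about but nothing checks before ConfigTool runs: missing required keys, a backslash path in wls.domain.dir, an ssm.type other than wls-alsb-ssm, a db.jdbc.driver that does not match db.jdbc.url, and sample passwords left in place. The list of required keys, the URL-to-driver pairs and the placeholder password values are assumptions taken from the sample file itself.

```python
"""Pre-flight check for alsb_ssm_config.properties before running ConfigTool.

Added example; not part of ConfigTool or the OES distribution. Required keys,
URL/driver pairs and placeholder passwords are assumptions derived from the
sample file shown above.
"""
import re

REQUIRED = ("wls.domain.dir", "ssm.conf.id", "db.password", "ales.admin.password",
            "ssm.admin.name", "ssm.admin.password", "ssm.type")

# JDBC URL prefix -> driver class, as listed in the sample file's comments.
DRIVER_FOR_URL = {
    "jdbc:oracle:thin:": "oracle.jdbc.driver.OracleDriver",
    "jdbc:sybase:Tds:": "com.sybase.jdbc3.jdbc.SybDriver",
    "jdbc:sqlserver://": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
    "jdbc:pointbase:server://": "com.pointbase.jdbc.jdbcUniversalDriver",
}

# Values used as passwords in the sample; assumption: if one is still present,
# the file was never edited for this installation.
PLACEHOLDER_SECRETS = {"password", "weblogic"}

PROP_LINE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key = value, trimmed.
    Commented-out keys are ignored, which is exactly what ConfigTool prompts for."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_properties(props):
    """Return a list of problem strings; an empty list means nothing was found."""
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"{key} is missing; ConfigTool will prompt for it")
    if "\\" in props.get("wls.domain.dir", ""):
        problems.append("wls.domain.dir must use / rather than \\ as the path separator")
    if props.get("ssm.type") != "wls-alsb-ssm":
        problems.append("ssm.type must be wls-alsb-ssm for an Oracle Service Bus domain")
    url, driver = props.get("db.jdbc.url"), props.get("db.jdbc.driver")
    if url and driver:
        expected = next((d for p, d in DRIVER_FOR_URL.items() if url.startswith(p)), None)
        if expected and expected != driver:
            problems.append(f"db.jdbc.driver {driver} does not match db.jdbc.url; expected {expected}")
    for key in ("db.password", "ales.admin.password", "ssm.admin.password"):
        if props.get(key, "").lower() in PLACEHOLDER_SECRETS:
            problems.append(f"{key} still holds the sample placeholder value")
    return problems


# Constructed input: the uncommented entries of the sample file above.
SAMPLE = """\
### This is the weblogic domain directory
wls.domain.dir = C:/BEAProducts/alsb300_wls100/user_projects/domains/alsb_domain_3
ssm.conf.id = SimpleApp2
db.password = password
ales.admin.password = password
ssm.admin.name = system
ssm.admin.password = weblogic
ssm.type = wls-alsb-ssm
# db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid
# db.jdbc.driver = oracle.jdbc.driver.OracleDriver
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for problem in check_properties(parse_properties(text)):
        print("WARN:", problem)
```

Run against the sample file as shipped it reports only the three placeholder passwords; run against a real file it should report nothing before you hand it to ConfigTool.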

 


Security Providers

Note: Providers for WebLogic 9.x/10.0 are defined using the WebLogic console. For details, see “WebLogic 9.x/10.0 Security Providers” on page 3-4.

To secure Service Bus resources, create a security realm and define the following provider types:

Note: You can specify resource types whose access decision is taken only from the ASI Authorizer or only from the XACML Authorizer; separate multiple resource types with commas. By default, the resource type wlsb-console uses only the XACML Authorizer's decision, and the resource type alsb-proxy-service uses only the ASI Authorizer's decision.

When creating the realm, use the following settings:

 


OSB Resources

Policy definitions include the Oracle Service Bus resources to which the policy applies. These resources must be defined in Oracle Entitlements Server.

Regular Resource

To create a regular resource named abc:

  1. In the Administration Console, open the resource tree.
  2. Right-click the parent of abc and select Add Resource.
  3. In the Name field, enter abc and click OK.

Virtual Resource

To create a virtual resource named xyz:

  1. Create a resource as described in Regular Resource.
  2. Right-click the xyz resource and select Configure Resource.
  3. Check the Allow Virtual Resources box and click OK.

OSB Proxy Service Resources

Create resources in OES corresponding to the OSB Proxy Services. An OSB Proxy Service has up to four key/value properties:

Resource definitions for Oracle Service Bus use this format:

//app/policy/<binding app>/<Proxy Service App name>/ProxyService/<Project Name>/[Folder name]/<Proxy Service Name>

Table 8-1 describes how Oracle Service Bus Proxy Service reference elements map to OES resource and privilege elements.

Table 8-1 OSB Proxy Service Elements Represented in OES Resources and Privileges

  Resource/Privilege Element   Description
  binding app                  The OES binding node name.
  Proxy Service app name       The default application name, shared.
  ProxyService                 The OES resource type.
  Folder name                  The OSB Proxy Service folder name.
  //priv/<operation>           The operation field of the OSB Proxy Service, representing one of the Web Services operations provided.

Here is an example of how a transport-level access control in Oracle Service Bus is converted to a policy. In OSB:

type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=invoke

is converted to:

//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy

with the default privilege //priv/access, since with action=invoke no operation is defined.

Here is an example of how to convert OSB access control during inbound web-service-security request processing:

type=<alsb-proxy-service>, path=project/folder, proxy=myProxy, action=wss-invoke, operation=ProcessPO

is converted in OES to:

//app/policy/<binding app node>/shared/ProxyService/project/folder/myProxy 

with a privilege of //priv/ProcessPO.
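The conversion rule above, carried through for both cases (and for a path without a folder) as an added example that is not OSB or OES code. The binding application node name is a parameter (the resource tree later in this chapter uses myrealm), and the proxy service application name defaults to shared as Table 8-1 states.

```python
"""Convert an OSB access-control request into the OES resource and privilege
it is evaluated against, following the conversion rule given above.

Added example, not OSB or OES code. binding_app is supplied by the caller;
app_name defaults to shared.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OsbRequest:
    """Key/value properties OSB passes for a proxy service access check."""
    path: str                         # "<project>" or "<project>/<folder>[/<subfolder>...]"
    proxy: str                        # proxy service name
    action: str                       # "invoke" (transport level) or "wss-invoke" (WSS request)
    operation: Optional[str] = None   # web service operation; set only for wss-invoke
    type: str = "alsb-proxy-service"


def to_oes_resource(req, binding_app, app_name="shared"):
    """//app/policy/<binding app>/<app name>/ProxyService/<project>/[folder]/<proxy>"""
    if req.type != "alsb-proxy-service":
        raise ValueError(f"not a proxy service resource type: {req.type}")
    path_parts = [p for p in req.path.split("/") if p]
    if not path_parts:
        raise ValueError("path must name at least the OSB project")
    if not req.proxy or "/" in req.proxy:
        raise ValueError("proxy must be a single resource name")
    return "//app/policy/" + "/".join([binding_app, app_name, "ProxyService", *path_parts, req.proxy])


def to_oes_privilege(req):
    """invoke carries no operation, so it maps to the default privilege //priv/access;
    wss-invoke carries the operation, which becomes the privilege name."""
    if req.action == "invoke":
        return "//priv/access"
    if req.action == "wss-invoke":
        if not req.operation:
            raise ValueError("wss-invoke without an operation cannot be mapped")
        return f"//priv/{req.operation}"
    raise ValueError(f"unsupported action: {req.action}")


def to_oes(req, binding_app):
    """Return the (resource, privilege) pair that isAccessAllowed() is asked about."""
    return to_oes_resource(req, binding_app), to_oes_privilege(req)


if __name__ == "__main__":
    for req in (OsbRequest("project/folder", "myProxy", "invoke"),
                OsbRequest("project/folder", "myProxy", "wss-invoke", "ProcessPO"),
                OsbRequest("MortgageBroker/ProxyService", "loanGateway1", "invoke")):
        print(req, "->", to_oes(req, "myrealm"))
```

The point to notice is that the same proxy service yields the same resource for both cases; only the privilege differs, so a policy that grants access on the resource says nothing about ProcessPO.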

Resource Binding Application and Distribution Point

To make a resource binding application and distribution point named def:

  1. Right-click the parent of def and select Add Resource.
  2. In the Name field, enter def.
  3. From the Type dropdown, select Binding and check the Distribution Point box.
  4. After the resource is created, right-click the resource and select Configure Resource.
  5. Select Binding application from the pull-down menu and click OK.

Resource Tree

Select Resources in the left pane and create the resource tree shown in Listing 8-1:

  1. Make myrealm a resource binding application and distribution point.
  2. Make the consoleapp and ProxyService resources virtual.

Listing 8-1 Resource Tree

    myrealm
    |---- consoleapp
    |---- shared
          |---- adm
          |---- eis
          |---- ejb
          |---- jdbc
          |---- jms
          |---- jndi
          |---- ProxyService
          |     |---- MortgageBroker
          |           |---- ProxyService
          |                 |---- loanGateway1
          |                 |---- loanGateway2
          |                 |---- loanGateway3
          |---- svr
          |---- url
          |---- webservices
          |---- workcontext

Discovering Services

When developing policies, you can use the Discovery mode feature to help define your policy components. Instructions for using Discovery mode are provided in the Resource Discovery section in the Policy Managers Guide.

 


Service Bus Identities

The ConfigTool creates an OES Identity directory and the OSB administrative user. This user's password is used to start the OSB application, so it must stay in step with the password of the protected domain's administrative user. Assuming the OSB Identity directory name is ALSBdir and the administrative user name is weblogic, follow these steps to maintain the password:

  1. In the Entitlements Administration Application, select the organization containing the OSB identity directory and select the Identities tab in the right pane.
  2. In the Identity Directories list, select the ALSBdir directory.
  3. On the Users tab, select the weblogic user and click Modify at the bottom of the pane.
  4. Specify the password as required and click OK.

Additional users and groups may be required. For background information, see Identities in the Policy Managers Guide.

 


Policies for OSB

The ConfigTool will create an initial set of policies using the files located in BEA_HOME/ales32-admin/examples/policy/alsb_sample_policy. You may import and use them as a starting point for developing a full set of policies to secure OSB resources. For information about how to import the sample policies, see the README file in the sample directory and see also Importing Policy Data in the Policy Managers Guide.

This section includes examples of policy creation:

Authorization Policies

The following policy grants any user with the role Admin all privileges over the adm and svr resources:

grant(any, //app/policy/myrealm/shared/adm, //role/Admin) if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;

To add this policy:

  1. Select the application in the left pane, click the Policies tab in the right pane and select Authorization Policies.
  2. Click New at the bottom of the pane and complete the policy definition as follows:
    Effect — grant
    Actions — any
    Resources — adm, svr
    Subjects — Admin
  3. Repeat these steps to create a policy that grants all users all privileges over the eis, ejb, jdbc, jms, jndi, url, webservices and workcontext resources:
    grant(any, //app/policy/myrealm/shared/eis, //role/Everyone) if true;
    grant(any, //app/policy/myrealm/shared/ejb, //role/Everyone) if true;
    grant(any, //app/policy/myrealm/shared/jdbc, //role/Everyone) if true;
    grant(any, //app/policy/myrealm/shared/jms, //role/Everyone) if true;
    grant(any, //app/policy/myrealm/shared/jndi, //role/Everyone) if true;
    grant(any, //app/policy/myrealm/shared/url, //role/Everyone) if true;
    grant(any, //app/policy/myrealm/shared/webservices, //role/Everyone) if true;
    grant(any, //app/policy/myrealm/shared/workcontext, //role/Everyone) if true;
  4. Repeat these steps to create a policy that grants all users access to the ProxyService resource:
    grant(access, //app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyService, //role/Everyone) if true;

The Everyone grants in steps 3 and 4 are what make the sample domain usable with a minimal policy set. They are a permissive starting point rather than a production policy: before the SSM protects real services, narrow them to the privileges each role actually needs on each resource.

Role Mapping Policies

The following policy grants the user weblogic the role Admin over the resource myrealm:

grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;

To add this policy:

  1. Select the application in the left pane, click the Policies tab in the right pane and select Role Policies.
  2. Click New at the bottom of the pane and complete the policy definition as follows:
    Effect — grant
    Roles — Admin
    Resources — myrealm
    Subjects — weblogic user
  3. Repeat these steps to create a policy that grants the user anonymous the role Anonymous over the resource myrealm:
    grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;
  4. Repeat these steps to create a policy that grants the group of all users the role Everyone over the resource myrealm:
    grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;
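To see how the authorization policies and role mapping policies above combine, the following toy evaluator is an added example; it is not the OES authorization engine. It parses the grant(<what>, <resource>, <subject>) if <condition>; syntax used in this section and answers access questions in two steps, as the text describes: role policies put users or groups into roles at a resource, and authorization policies grant privileges to roles at a resource. Three assumptions are made explicit: a grant on a node also applies to its descendants, the group //sgrp/asi/allusers/ contains every user in the directory, and only the condition true is supported. The identity directory contents are constructed.

```python
"""Toy evaluator for the OES policy statements shown in this section.

Added example, not the OES engine. Assumptions: grants are inherited by
descendant resources, //sgrp/asi/allusers/ holds every user, only 'if true'
is supported, and the DIRECTORY mapping below is constructed.
"""
import re

GRANT = re.compile(r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+(.+?)\s*;")

# Constructed input: the sample policies from this section, one grant per line.
POLICIES = """
grant(any, //app/policy/myrealm/shared/adm, //role/Admin) if true;
grant(any, //app/policy/myrealm/shared/svr, //role/Admin) if true;
grant(any, //app/policy/myrealm/shared/jms, //role/Everyone) if true;
grant(access, //app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyService, //role/Everyone) if true;
grant(//role/Admin, //app/policy/myrealm, //user/asi/weblogic/) if true;
grant(//role/Anonymous, //app/policy/myrealm, //user/asi/anonymous/) if true;
grant(//role/Everyone, //app/policy/myrealm, //sgrp/asi/allusers/) if true;
"""

# Constructed identity directory: user -> groups (allusers holds everyone by assumption).
DIRECTORY = {"weblogic": {"allusers"}, "anonymous": {"allusers"}}


def parse_policies(text):
    """Split grants into role policies (first argument is a //role/) and authorization policies."""
    role_policies, authz_policies = [], []
    for what, resource, subject, cond in GRANT.findall(text):
        if cond != "true":
            raise ValueError(f"only 'if true' is supported here, got: {cond}")
        (role_policies if what.startswith("//role/") else authz_policies).append((what, resource, subject))
    return role_policies, authz_policies


def covers(policy_resource, requested):
    """Resource inheritance: a grant on a node applies to that node and everything below it."""
    return requested == policy_resource or requested.startswith(policy_resource + "/")


def priv_name(p):
    """Policies write privileges bare (any, access); requests use //priv/<name>. Normalize."""
    return p[len("//priv/"):] if p.startswith("//priv/") else p


def roles_for(user, role_policies, resource, directory=DIRECTORY):
    """Step 1: every role some role policy assigns to the user or one of its groups at this resource."""
    subjects = {f"//user/asi/{user}/"} | {f"//sgrp/asi/{g}/" for g in directory.get(user, ())}
    return {role for role, res, subj in role_policies if subj in subjects and covers(res, resource)}


def is_access_allowed(user, privilege, resource, role_policies, authz_policies, directory=DIRECTORY):
    """Step 2: grant if an authorization policy gives the privilege (or 'any') to one of those roles."""
    roles = roles_for(user, role_policies, resource, directory)
    wanted = priv_name(privilege)
    return any(subj in roles and covers(res, resource) and priv_name(priv) in ("any", wanted)
               for priv, res, subj in authz_policies)


if __name__ == "__main__":
    rp, ap = parse_policies(POLICIES)
    gw = "//app/policy/myrealm/shared/ProxyService/MortgageBroker/ProxyService/loanGateway1"
    for user, priv, res in (("anonymous", "//priv/access", gw),
                            ("anonymous", "//priv/ProcessPO", gw),
                            ("weblogic", "//priv/ProcessPO", "//app/policy/myrealm/shared/adm"),
                            ("anonymous", "//priv/access", "//app/policy/myrealm/shared/adm")):
        print(user, priv, res, "->", is_access_allowed(user, priv, res, rp, ap))
```

The second query is the instructive one: the sample ProxyService grant covers a transport-level invoke (//priv/access) of loanGateway1 for everyone, but a wss-invoke of operation ProcessPO maps to //priv/ProcessPO, which no sample policy grants, so it is denied until you add a policy for that privilege (or any) on the proxy service resource.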

 


Distributing Changes

After you have made changes to the configuration and policies in the Entitlements Administration Application, distribute the policies to the SSM by clicking the Distribute tab at the top of the console.

After the policies are distributed, start both the myrealm ARME instance used to protect the Oracle Service Bus domain and the domain itself.

 


Verifying SSM Configuration Using PerfDBAuditor

It is possible to use the performance auditing provider to verify that the SSM has been properly configured to protect Oracle Service Bus.

To use the PerfDBAuditor to verify the SSM configuration, follow these steps:

  1. In the WebLogic Server Administration Console, select Security Realms > myrealm > Providers > Auditing and click New.
  2. In the Name field, enter PerfDBAuditor. Then select PerfDBAuditor from the Type field and click OK.
  3. On the Configuration: Provider-Specific page for the PerfDBAuditor security provider, enter the JDBC connection information. For Oracle databases, the JDBC Driver Class Name is oracle.jdbc.driver.OracleDriver and the JDBC Connection URL is jdbc:oracle:thin:@oracle-host:1521:oracle-sid, where oracle-host is the name or IP address of the system running the Oracle database, 1521 is the port of the database listener and oracle-sid is the database SID (the same form as db.jdbc.url in the sample properties file).
  4. Optionally, set the Performance Statistics Interval attribute to 1 to collect data at 1 minute intervals (instead of the default 5 minutes).
  5. Click Save and then activate the changes.
  6. Stop and restart the domain.
  7. Generate some data by:
    1. Opening http://localhost:7021/examplesWebApp/index.jsp and reloading the application.
    2. Under Run the Service Bus Examples, click Run the Example.
    3. Click Submit Loan Application.
  8. After a few minutes, check the PERF_ATZ_STAT database table. You should see a non-zero value under TOTALREQ, which shows that authorization requests are reaching the SSM and that it is configured correctly to secure the application.
