This chapter describes one technique for establishing a secure communications channel for WSRP transactions between WebLogic Portal and WebCenter Framework. It includes the following sections:
For web-based transactions to be secure, the following four components must be addressed:
The following configuration steps enable integrity, authentication, and message-freshness constraints on WSRP transactions between WebCenter Framework and WLP applications:
Note: | Message confidentiality is not addressed in these steps: the policies below sign the SOAP message but do not encrypt it, so each request, including the SAML assertion that names the user, travels in cleartext. If confidentiality is a concern for your WSRP environment, enable SSL between your producer and consumer. |
The security settings described in this chapter are but one possible configuration of Web Service security for WSRP. Many other Web Service security configuration settings can be further adjusted in both the WebLogic Portal and WebCenter Framework environments, as long as the settings are enabled and recognized in both environments. For further detailed information, see the WebLogic Server document “WebLogic Web Services: Security.”
This section explains how to configure SAML security for both a WebCenter Framework consumer and a WLP producer, and includes these topics:
This section discusses how to generate a key pair and export the public key certificate on the consumer. The tasks include:
This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.
1. Open a command shell and change to the <WEBLOGIC_HOME>/server/bin directory.
2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
3. Generate a key pair in a new keystore, mykeystore.jks. For example, the following command generates a key pair, wraps the public key in a self-signed certificate, and stores the certificate and the private key in mykeystore.jks, identified by the alias wckey:
keytool -genkeypair -alias wckey -keypass wckeypass -keyalg rsa -keysize 1024 -keystore mykeystore.jks -storepass mykeystorepass -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"
The 1024-bit key size is the documented example; for anything beyond a test setup use at least 2048 bits (-keysize 2048), since 1024-bit RSA is below current minimums.
The keystore file (mykeystore.jks), its password and the key passphrase will be used when configuring the WebCenter Framework consumer. The private key never leaves this keystore; only the certificate is exported in the next procedure.
The producer needs the public key certificate (the public half of the "key pair" generated in the previous step) installed in its trust key store. Follow these steps to export the public key certificate to a file, which will then be imported into a trusted key store on the producer.
1. Open a command shell and change to the <WEBLOGIC_HOME>/server/bin directory.
2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
3. Export the public key certificate to a file, wckey.der, from the key pair identified by alias wckey:
keytool -exportcert -alias wckey -keypass wckeypass -keystore mykeystore.jks -storepass mykeystorepass -file wckey.der
The file contains only the certificate, not the private key, so it may be disclosed freely; protect its integrity in transit, however, because whatever certificate ends up in the producer's trust store is the one whose signatures the producer will accept.
This section explains how to configure the producer. To do this, you import the consumer's public key certificate into the producer's trust keystore, so that the producer can verify the consumer's signature over each request, and configure the asserting party properties. Note what this trust means: the SAML token in these messages is carried as a signed supporting token, vouched for by the consumer's signature rather than by the user, so the producer accepts whichever user name a message signed with a trusted key asserts. Keep the producer's trust keystore limited to certificates you issued or verified yourself. The tasks include:
1. Copy the exported certificate file, wckey.der, to the producer's domain directory (for example, <MW_HOME>/user_projects/domains/base_domain).
2. Open a command shell and change to the <WEBLOGIC_HOME>/server/bin directory.
3. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
4. Change to the domain directory (<MW_HOME>/user_projects/domains/base_domain).
5. Import the certificate wckey from the certificate file named wckey.der into the DemoTrust.jks keystore:
keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file wckey.der -alias wckey -keypass wckeypass
6. When keytool asks whether to trust the certificate, check that the fingerprint it prints is the fingerprint of the certificate you exported on the consumer (keytool -printcert -file wckey.der shows it), then type yes and press Enter.
Note: | WebLogic Portal is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Portal trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes only: the demo keystores, their passphrases (visible in the commands above) and the demo CA key are the same in every WebLogic installation, so a producer that trusts DemoTrust.jks trusts certificates anyone can mint. Do not use these keystores in a production environment. For more information, see the WebLogic Server document Understanding WebLogic Security. |
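The three keytool steps above (generate the consumer's key pair, export its certificate, import it into the producer's trust store) are easy to get subtly wrong: a stale wckey.der or a mistyped alias leaves the producer trusting a certificate that does not belong to the consumer's signing key. The script below is an added example, not part of the Oracle documentation. It drives keytool through the same three steps against throw-away keystores in a temporary directory and then confirms that the fingerprint of the trusted certificate entry equals the fingerprint of the consumer's key entry, which is the check to make before touching any SAML settings. File names, aliases and passwords are the chapter's examples; the 2048-bit key size is the editor's choice rather than the page's 1024. The same function, called with identity="DemoIdentity.jks" and identity_pass="DemoIdentityKeyStorePassPhrase", mirrors the later procedure for a WebLogic Portal consumer. It needs a JDK keytool on PATH and returns None when there is none.

```python
"""Run the chapter's keytool round trip and verify the trust-store import."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# keytool -list prints "Certificate fingerprint (SHA-256): AB:CD:..." (SHA1 on old JDKs).
FINGERPRINT_RE = re.compile(r"fingerprint \([^)]*\):\s*([0-9A-Fa-f:]+)")
DNAME = "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"


def run_keytool(*args):
    """Run keytool with the given arguments and return its combined output."""
    proc = subprocess.run(["keytool", *args], capture_output=True, text=True, check=True)
    return proc.stdout + proc.stderr


def fingerprint(keystore, storepass, alias):
    """Return the certificate fingerprint keytool reports for one alias."""
    out = run_keytool("-list", "-keystore", str(keystore), "-storepass", storepass, "-alias", alias)
    match = FINGERPRINT_RE.search(out)
    if match is None:
        raise RuntimeError(f"no fingerprint for alias {alias!r} in {keystore}:\n{out}")
    return match.group(1).upper()


def keystore_roundtrip(workdir, alias="wckey", keypass="wckeypass",
                       identity="mykeystore.jks", identity_pass="mykeystorepass",
                       trust="DemoTrust.jks", trust_pass="DemoTrustKeyStorePassPhrase"):
    """Generate, export and import as in the chapter; report whether the entries match."""
    workdir = Path(workdir)
    identity_ks, trust_ks, cert = workdir / identity, workdir / trust, workdir / f"{alias}.der"
    # Consumer side: key pair plus self-signed certificate in the identity keystore.
    run_keytool("-genkeypair", "-alias", alias, "-keypass", keypass, "-keyalg", "RSA",
                "-keysize", "2048", "-validity", "365", "-keystore", str(identity_ks),
                "-storepass", identity_pass, "-dname", DNAME)
    # Consumer side: export only the public certificate (DER) for the producer.
    run_keytool("-exportcert", "-alias", alias, "-keystore", str(identity_ks),
                "-storepass", identity_pass, "-file", str(cert))
    # Producer side: import it as a trusted certificate entry. -noprompt answers the
    # "Trust this certificate?" question that the chapter tells you to answer with yes.
    run_keytool("-importcert", "-noprompt", "-alias", alias, "-keystore", str(trust_ks),
                "-storepass", trust_pass, "-file", str(cert))
    # Verification the chapter omits: the trusted entry must be the consumer's own key.
    identity_fp = fingerprint(identity_ks, identity_pass, alias)
    trust_fp = fingerprint(trust_ks, trust_pass, alias)
    return {"identity_fingerprint": identity_fp, "trust_fingerprint": trust_fp,
            "match": identity_fp == trust_fp, "certificate_bytes": cert.stat().st_size}


def demo():
    """Run the round trip in a temporary directory; None if keytool is not installed."""
    if shutil.which("keytool") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        return keystore_roundtrip(tmp)


if __name__ == "__main__":
    print(demo() or "keytool not found on PATH")
```

Against real domain keystores, replace the temporary directory with the producer's domain directory and drop -noprompt so that you still see and compare the fingerprint before answering yes.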
Copy wsrp-wsdl-template.wsdl and wsrp-wsdl-template-v2.wsdl to your workspace and open them for editing. The procedure for copying files to your workspace is described in "Copying J2EE Library Files Into a Project" in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
In each file, locate the <wsp:Policy> element (<wsp:Policy wsu:Id="ProducerDefaultPolicy"/>) and replace it with the XML in Listing 17-1. The wsu:Id value, WebCenterPolicy, is the name by which weblogic-webservices-policy.xml attaches the policy to the WSRP ports below:
<wsp:Policy wsu:Id="WebCenterPolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <!-- Initiator (consumer) and recipient (producer) each use their own X.509 key pair -->
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <!-- The consumer's certificate travels in every request so the producer can verify the signature -->
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssX509V3Token10/>
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <!-- The producer's certificate is never included in messages -->
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
            <wsp:Policy>
              <sp:WssX509V3Token10/>
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:Basic128/>
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
        <wsp:Policy>
          <sp:Lax/>
        </wsp:Policy>
      </sp:Layout>
      <!-- Signatures must cover whole header blocks and the whole body, never fragments -->
      <sp:OnlySignEntireHeadersAndBody/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
  <!-- The SAML 1.1 assertion is carried in every request and covered by the consumer's signature -->
  <sp:SignedSupportingTokens>
    <wsp:Policy>
      <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssSamlV11Token10/>
        </wsp:Policy>
      </sp:SamlToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>
  <!-- Token references may use key identifiers or issuer/serial numbers -->
  <sp:Wss10>
    <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefIssuerSerial/>
    </wsp:Policy>
  </sp:Wss10>
</wsp:Policy>
Copy WEB-INF/weblogic-webservices-policy.xml to your workspace and open it for editing, using the same procedure, Copying J2EE Library Files Into a Project in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal.
Replace the contents of the file with the following. Each <uri> refers, by wsu:Id, to the WebCenterPolicy policy in the WSDL templates, and direction inbound applies it to requests arriving at the producer. A WSRP port that is missing from this file is not subject to the policy, so check that every markup port is listed:
<?xml version='1.0' encoding='UTF-8'?>
<webservice-policy-ref xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- Use WebLogic Server Admin Console to add new policies -->
  <ref-name>WebCenter Policies for the WSRP Producer</ref-name>
  <port-policy>
    <port-name>WSRP_v2_Markup_Service</port-name>
    <ws-policy>
      <uri>#WebCenterPolicy</uri>
      <direction>inbound</direction>
    </ws-policy>
  </port-policy>
  <port-policy>
    <port-name>WSRPBaseService</port-name>
    <ws-policy>
      <uri>#WebCenterPolicy</uri>
      <direction>inbound</direction>
    </ws-policy>
  </port-policy>
  <port-policy>
    <port-name>WLP_WSRP_Ext_Service</port-name>
    <ws-policy>
      <uri>#WebCenterPolicy</uri>
      <direction>inbound</direction>
    </ws-policy>
  </port-policy>
</webservice-policy-ref>
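Before deploying, it is worth asking the two listings above the questions a reviewer would ask: which binding the policy uses, whether the consumer's X.509 certificate and the SAML token are actually sent and signed, whether the whole body and headers are signed, whether confidentiality is required at all (it is not, as the Note at the start of the chapter says), and whether every WSRP port refers to a policy id that exists. The script below is an added example, not part of the Oracle documentation, and answers those questions from copies of Listing 17-1 and of weblogic-webservices-policy.xml embedded as constructed sample input. One assumption: the copy of the policy declares the wsu prefix itself, which in wsrp-wsdl-template.wsdl is inherited from the <definitions> root element.

```python
"""Inspect the WSRP producer's WS-SecurityPolicy and the ports it is bound to."""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WLS = "http://www.bea.com/ns/weblogic/90"
ALWAYS_TO_RECIPIENT = SP + "/IncludeToken/AlwaysToRecipient"

# Constructed copy of Listing 17-1, reflowed but element for element the same.
# The xmlns:wsu declaration is assumed here; in wsrp-wsdl-template.wsdl the
# prefix is declared on the <definitions> root element.
WEBCENTER_POLICY = f"""<wsp:Policy wsu:Id="WebCenterPolicy" xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:wsu="{WSU}">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy>
      <sp:X509Token sp:IncludeToken="{ALWAYS_TO_RECIPIENT}"><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
    </wsp:Policy></sp:InitiatorToken>
    <sp:RecipientToken><wsp:Policy>
      <sp:X509Token sp:IncludeToken="{SP}/IncludeToken/Never"><wsp:Policy><sp:WssX509V3Token10/></wsp:Policy></sp:X509Token>
    </wsp:Policy></sp:RecipientToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
    <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
    <sp:OnlySignEntireHeadersAndBody/>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
    <sp:SamlToken sp:IncludeToken="{ALWAYS_TO_RECIPIENT}"><wsp:Policy><sp:WssSamlV11Token10/></wsp:Policy></sp:SamlToken>
  </wsp:Policy></sp:SignedSupportingTokens>
  <sp:Wss10><wsp:Policy><sp:MustSupportRefKeyIdentifier/><sp:MustSupportRefIssuerSerial/></wsp:Policy></sp:Wss10>
</wsp:Policy>"""

# Constructed copy of the weblogic-webservices-policy.xml listing.
POLICY_REF = f"""<webservice-policy-ref xmlns="{WLS}">
  <ref-name>WebCenter Policies for the WSRP Producer</ref-name>
  <port-policy><port-name>WSRP_v2_Markup_Service</port-name>
    <ws-policy><uri>#WebCenterPolicy</uri><direction>inbound</direction></ws-policy></port-policy>
  <port-policy><port-name>WSRPBaseService</port-name>
    <ws-policy><uri>#WebCenterPolicy</uri><direction>inbound</direction></ws-policy></port-policy>
  <port-policy><port-name>WLP_WSRP_Ext_Service</port-name>
    <ws-policy><uri>#WebCenterPolicy</uri><direction>inbound</direction></ws-policy></port-policy>
</webservice-policy-ref>"""


def sp(tag):
    return f"{{{SP}}}{tag}"


def wls(tag):
    return f"{{{WLS}}}{tag}"


def _has(root, tag):
    return root.find(f".//{sp(tag)}") is not None


def _included(root, container, token):
    """True if some <token> inside a <container> is always sent to the recipient."""
    return any(tok.get(sp("IncludeToken")) == ALWAYS_TO_RECIPIENT
               for c in root.iter(sp(container)) for tok in c.iter(sp(token)))


def analyze_policy(policy_xml):
    """Summarise what a WS-SecurityPolicy enforces on inbound messages."""
    root = ET.fromstring(policy_xml)
    bindings = [b for b in ("AsymmetricBinding", "SymmetricBinding", "TransportBinding") if _has(root, b)]
    suites = [c.tag.split("}")[1] for a in root.iter(sp("AlgorithmSuite")) for p in a for c in p]
    return {
        "binding": bindings[0] if bindings else None,
        "initiator_x509_sent": _included(root, "InitiatorToken", "X509Token"),
        "saml_token_signed": _included(root, "SignedSupportingTokens", "SamlToken"),
        "signs_entire_headers_and_body": _has(root, "OnlySignEntireHeadersAndBody"),
        "algorithm_suite": suites[0] if suites else None,
        # Encryption assertions or an HTTPS transport token are the only ways a
        # policy requires confidentiality; none appears in the WebCenter policy.
        "confidentiality": any(_has(root, t) for t in ("EncryptedParts", "EncryptedElements", "HttpsToken")),
    }


def check_port_policies(policy_ref_xml, policy_xml):
    """Map each port to its problems ([] when an existing policy is attached inbound)."""
    ids = {p.get(f"{{{WSU}}}Id") for p in ET.fromstring(policy_xml).iter(f"{{{WSP}}}Policy")} - {None}
    result = {}
    for port in ET.fromstring(policy_ref_xml).iter(wls("port-policy")):
        name = port.findtext(wls("port-name"))
        problems, inbound = [], False
        for ref in port.iter(wls("ws-policy")):
            uri = (ref.findtext(wls("uri")) or "").strip()
            if not (uri.startswith("#") and uri[1:] in ids):
                problems.append(f"policy {uri!r} not found in the WSDL")
            elif (ref.findtext(wls("direction")) or "").strip() in ("inbound", "both"):
                inbound = True
        if not inbound:
            problems.append("no valid inbound policy")
        result[name] = problems
    return result


if __name__ == "__main__":
    print(analyze_policy(WEBCENTER_POLICY))
    print(check_port_policies(POLICY_REF, WEBCENTER_POLICY))
```

To run it against your own files, read the <wsp:Policy> element out of the edited WSDL template and the full weblogic-webservices-policy.xml in place of the two constructed strings; a typo in a <uri> shows up as a port with a non-empty problem list rather than as a silently unprotected port at runtime.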
This section describes the final step in the producer configuration.
Tip: | For more information on asserting party and other topics in this section, see SAML Framework Concepts in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server. |
Using the WebLogic Server Administration Console, add a new asserting party to the SAML Identity Asserter in the producer's security realm, with a description such as WebCenter SAML token. The new asserting party is assigned a partner ID (for example, ap_0002). Configure its properties, including the Issuer URI that the WebCenter Framework consumer will place in its assertions; the producer does not accept assertions whose issuer matches no asserting party.
The WebLogic Portal producer is now configured for SAML interoperability with a basic WebCenter Framework SAML configuration. The next step is to associate the WebCenter Framework consumer with the key pair created earlier (see Generate a Key Pair).
Note: | For more detailed information on the following steps, see "Securing a WSRP Producer with WS-Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter. |
Supply the following values when registering the WebLogic Portal producer with the WebCenter Framework consumer:
- Issuer URI: this needs to match the Issuer URI configured for the asserting party on the producer (for example, www.oracle.com). See Add a New Asserting Party to the SAML Identity Asserter.
- Keystore: the path on the consumer server to the JKS file (mykeystore.jks in the example). See Register the WebLogic Portal Producer with the WebCenter Consumer.
- Keystore password: the keystore password (mykeystorepass in the example). See Export the Public Key Certificate.
- Key passphrase: the key passphrase (wckeypass in the example). See Export the Public Key Certificate.
- The two remaining fields: leave the field blank. See Export the Public Key Certificate.
The easiest way to test the configuration involves three steps:
<%@ page language="java" contentType="text/html;charset=UTF-8" %>
<p>Principal: <%=request.getUserPrincipal() %></p>
<p>Remote User: <%=request.getRemoteUser() %></p>
When the portlet renders, this JSP shows the user name that the consumer asserted, if the SAML configuration is working properly. If both values print as null, the producer has not authenticated the request from the assertion; recheck the certificate imported into the trust store and the asserting party settings, in particular the Issuer URI.
This section discusses the producer-side and consumer-side configuration required to set up SAML security between a WLP consumer and a WebCenter Framework producer. This section includes these topics:
Follow the steps in Locating and Consuming a Portlet to register your WebCenter Framework producer with the WebLogic Portal consumer. Make a note of the Producer Handle that you specify (for example, my_wc_producer), as this will be used later.
For information on how to add a programmatic authentication mechanism to your portal, see Implementing Authentication Programatically in Oracle Fusion Middleware Security Guide for Oracle WebLogic Portal.
This section explains how to generate a key pair and export the public key certificate on the consumer. The tasks include:
This section explains how to generate a key on the consumer using the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.
1. Open a command shell and change to the <WEBLOGIC_HOME>/server/bin directory.
2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
3. Change to the domain directory (for example, <MW_HOME>/user_projects/domains/base_domain).
4. Generate a key pair in the DemoIdentity.jks keystore. For example, the following command generates a key pair, wraps the public key in a self-signed certificate, and stores the certificate and the private key in DemoIdentity.jks, identified by the alias wckey:
keytool -genkeypair -alias wckey -keypass wckeypass -keyalg rsa -keysize 1024 -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"
Note: | WebLogic Portal is configured with a default identity keystore (DemoIdentity.jks) and a default trust keystore (DemoTrust.jks). In addition, WebLogic Portal trusts the CA certificates in the JDK cacerts file. This default keystore configuration is appropriate for testing and development purposes only; the demo keys and their passphrases are the same in every WebLogic installation. Do not use these keystores in a production environment. For more information, see Oracle Fusion Middleware Understanding WebLogic Security for Oracle WebLogic Server. |
The producer needs the public key certificate (the public half of the "key pair" generated in the previous step) installed in its trust key store. Follow these steps to export the public key certificate to a file, which will then be imported into a trusted key store on the producer.
1. Open a command shell and change to the <WEBLOGIC_HOME>/server/bin directory.
2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
3. Change to the domain directory (for example, <MW_HOME>/user_projects/domains/base_domain).
4. Export the public key certificate to a file, wckey.der, from the key pair identified by alias wckey:
keytool -exportcert -alias wckey -keypass wckeypass -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -file wckey.der
5. Copy wckey.der to the producer's domain directory; the import below reads it from there.
To import the certificate, follow this procedure. The procedure uses the keytool utility, a Java utility distributed by Sun Microsystems that manages private keys and certificates. For detailed information on keytool, refer to the Sun Microsystems website.
1. Open a command shell on the producer and change to the <WEBLOGIC_HOME>/server/bin directory.
2. Run the setWLSEnv.cmd/.sh command to set up the required environment variables.
3. Change to the domain directory (<MW_HOME>/user_projects/domains/base_domain), where the exported wckey.der must be available.
4. Import the certificate wckey from the certificate file named wckey.der into the DemoTrust.jks keystore:
keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file wckey.der -alias wckey -keypass wckeypass
5. When keytool asks whether to trust the certificate, type yes and press Enter to add the certificate to the keystore.
Add the following policy definition to your WebLogic Portal consumer to configure it to match the default policy configuration on a WebCenter Framework producer. The policy makes the consumer carry a sender-vouches SAML token and sign both the SOAP body and the assertion in the security header with RSA-SHA1. These algorithms are what the producer's policy expects, so change them only together with the producer's policy.
1. In the consumer web application, create the directory WEB-INF/classes/policies.
2. In that directory, create a file named wcPolicy.xml with the following contents:
<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
  <wssp:Identity>
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
        <wssp:Claims>
          <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
  <wssp:Integrity>
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(Assertion)</wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>
</wsp:Policy>
Copy WEB-INF/wsrp-consumer-security-config.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in Copying J2EE Library Files Into a Project in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal. Add a <producer-security> element with the following contents:
<producer-security>
  <!-- The producer's handle -->
  <producer-handle>my_wc_producer</producer-handle>
  <!-- The policy to use when the policy is not included in the WSDL. -->
  <policy-name>wcPolicy</policy-name>
  <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
  <!-- be removed. -->
  <strict-compatibility>false</strict-compatibility>
  <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
  <!-- (9.0 producer). -->
  <compatibility-forced>false</compatibility-forced>
  <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
  <!-- If both compatibility-forced is true and compatibility-enabled false -->
  <!-- no compat is sent -->
  <compatibility-enabled>false</compatibility-enabled>
  <!-- Should WLP specific handlers be deployed. -->
  <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
  <!-- Default: true -->
  <wlp-handlers-deployed>true</wlp-handlers-deployed>
  <!-- Should anonymous users be allowed? -->
  <!-- If disabled only logged in users may use this producer. -->
  <!-- Default: true -->
  <anonymous-users-allowed>true</anonymous-users-allowed>
</producer-security>
Populate the <producer-handle> element with the Producer Handle you noted when registering the WebCenter Framework producer (for example, my_wc_producer), and populate the value of the <policy-name> element with the filename of the policy created in Add a New Policy to the Consumer Web-App, without its .xml extension (for example, wcPolicy).
Follow the instructions in Modify the Consumer's Security Realm to configure your WebLogic Portal consumer's SAMLCredentialMapper to use the new key pair defined earlier. You are asked for three groups of values; each passphrase is entered twice, the second entry confirming the first:
- The key alias (wckey) and the key passphrase (wckeypass). See Generate a Key Pair.
- The keystore, DemoIdentity.jks, and its passphrase, DemoIdentityKeyStorePassPhrase. See Generate a Key Pair.
- The key alias (wckey) and the key passphrase (wckeypass). See Generate a Key Pair.
The credential mapper signs the assertions the consumer issues with this key, and the producer verifies them against the certificate you imported into its trust store, so the alias given here must be the one whose certificate was exported.
See "Securing a WSRP Producer with WS-Security" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter for detailed information on securing your WebCenter Framework producer with SAML. At a minimum, the following steps are required:
- Attach the oracle/wss10_saml_token_with_message_integrity_service_policy policy to your web application's WebServices WSRP markup ports. As its name says, this policy requires a SAML token and message integrity (a signature) but no encryption, which matches the consumer-side wcPolicy above.
If you have set up your WebLogic Portal producer's security to interoperate with a WebCenter Framework consumer (as explained in Configuring the WebCenter Framework Producer), and you wish to consume portlets from that producer in a WebLogic Portal consumer, then the following steps are required:
Follow the steps in Locating and Consuming a Portlet to register your WebLogic Portal producer with the WebLogic Portal consumer. Make a note of the Producer Handle that you specify (for example, my_wlp_producer), as this will be used later.
Copy WEB-INF/wsrp-consumer-security-config.xml to your workspace and open it for editing. The procedure for copying files to your workspace is described in Copying J2EE Library Files Into a Project in the Oracle Fusion Middleware Portal Development Guide for Oracle WebLogic Portal. Add a <producer-security> element with the following contents:
<producer-security>
  <!-- The producer's handle -->
  <producer-handle>my_wlp_producer</producer-handle>
  <!-- The policy to use when the policy is not included in the WSDL. -->
  <policy-name>wsrp81compatPolicy</policy-name>
  <!-- When doing 8.1 compatibility, should the <wsse:security> header -->
  <!-- be removed. -->
  <strict-compatibility>false</strict-compatibility>
  <!-- Should 8.1 compatibility be done even if a policy is in the WSDL -->
  <!-- (9.0 producer). -->
  <compatibility-forced>false</compatibility-forced>
  <!-- Should 8.1 compatibility be done even if a policy is NOT in the WSDL -->
  <!-- If both compatibility-forced is true and compatibility-enabled false -->
  <!-- no compat is sent -->
  <compatibility-enabled>true</compatibility-enabled>
  <!-- Should WLP specific handlers be deployed. -->
  <!-- EXPERT ONLY: Disabling may cause the consumer to act incorrectly. -->
  <!-- Default: true -->
  <wlp-handlers-deployed>false</wlp-handlers-deployed>
  <!-- Should anonymous users be allowed? -->
  <!-- If disabled only logged in users may use this producer. -->
  <!-- Default: true -->
  <anonymous-users-allowed>true</anonymous-users-allowed>
</producer-security>
Populate the <producer-handle> element with the Producer Handle you noted when registering the WebLogic Portal producer (for example, my_wlp_producer).
This section explains how to create a new PKI credential mapping to the consumer, if one is not already present. Supply the following values (see Generate a Key Pair):
- The key alias.
- The key passphrase, entered twice, the second entry confirming the first.