Oracle® Fusion Middleware Administrator's Guide for Oracle SOA Suite
11g Release 1 (11.1.1)


6 Securing SOA Composite Applications

This chapter describes security procedures unique to SOA composite applications.

This chapter includes the following topics:

  • Section 6.1, "Introduction to Securing SOA Composite Applications"
  • Section 6.2, "Configuring SOA Composite Applications for Two-Way SSL Communication"
  • Section 6.3, "Invoking References in One-Way SSL Environments in Oracle JDeveloper"
  • Section 6.4, "Configuring Oracle SOA Suite and Oracle HTTP Server for SSL Communication"
  • Section 6.5, "Automatically Authenticating Oracle BPM Worklist Users in SAML SSO Environments"
  • Section 6.6, "Automatically Authenticating Oracle BPM Worklist Users in Windows Native Authentication Environments"
  • Section 6.7, "Listing Oracle Internet Directory as the First Authentication Provider"
  • Section 6.8, "Switching from Non-SSL to SSL Configurations with Oracle BPM Worklist"
  • Section 6.9, "Configuring Security for Human Workflow WSDL Files"
  • Section 6.10, "Configuring SSL Between SOA Composite Application Instances and Oracle WebCache"
  • Section 6.11, "Using a Custom Trust Store for One-Way SSL During Design Time"
  • Section 6.12, "Enabling an Asynchronous Process Deployed to an SSL-Enabled, Managed Server to Invoke Another Asynchronous Process Over HTTP"

6.1 Introduction to Securing SOA Composite Applications

This chapter describes security procedures unique to SOA composite applications. Most SOA composite application security procedures do not require SOA-unique steps and can be performed by following the documentation listed in Table 6-1.

Table 6-1 Security Documentation

For Information On...                                                   See The Following Guide...
Securing Oracle Fusion Middleware                                       Oracle Fusion Middleware Security Guide
Securing and administering Web services                                 Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Understanding Oracle WebLogic Server security                           Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server
Securing an Oracle WebLogic Server production environment               Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server
Securing Oracle WebLogic Server                                         Oracle Fusion Middleware Securing Oracle WebLogic Server
Developing new security providers for use with Oracle WebLogic Server   Oracle Fusion Middleware Developing Security Providers for Oracle WebLogic Server
Securing Web services for Oracle WebLogic Server                        Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
Programming security for Oracle WebLogic Server                         Oracle Fusion Middleware Programming Security for Oracle WebLogic Server

6.2 Configuring SOA Composite Applications for Two-Way SSL Communication

Oracle SOA Suite uses both the Oracle WebLogic Server and Sun secure socket layer (SSL) stacks for two-way SSL configurations.

Because two SSL stacks are involved, start Oracle WebLogic Server with the following JVM option.

  1. Open the following file:

    • On UNIX operating systems, open $MIDDLEWARE_HOME/user_projects/domains/domain_name/bin/

    • On Windows operating systems, open MIDDLEWARE_HOME\user_projects\domains\domain_name\bin\setDomainEnv.bat.

  2. Add the following lines in the JAVA_OPTIONS section, if the server is enabled for one-way SSL (server authentication only):

    For two-way SSL, the keystore information (location and password) is not set here; it is supplied through the KeystoreLocation property and the credential store, as described in the steps that follow.

In addition, perform the following steps to enable two-way SSL for a SOA composite application that invokes another SOA composite application or a non-SOA application.

Both the server and client are assumed to have been configured for SSL with mutual authentication.

  1. On the client side, provide the keystore location.

    1. From the SOA Infrastructure menu, select SOA Administration > Common Properties.

    2. At the bottom of the page, click More SOA Infra Advanced Configuration Properties.

    3. Click KeystoreLocation.

    4. In the Value column, enter the keystore location.

    5. Click Apply.

    6. Click Return.

  2. During design time in Oracle JDeveloper, add the oracle.soa.two.way.ssl.enabled property to the binding.ws element of the reference in the composite.xml file:

    <reference name="Service1" 
       ui:wsdlLocation=". . ."> 
       <interface.wsdl interface=". . ."/> 
       <binding.ws port=". . ."> 
         <property name="oracle.soa.two.way.ssl.enabled">true</property> 
       </binding.ws>
    </reference>

  3. In Oracle Enterprise Manager Fusion Middleware Control Console, select WebLogic Domain > domain_name.

  4. Right-click domain_name and select Security > Credentials.

  5. Click Create Map.

  6. In the Map Name field, enter a name (for example, SOA), and click OK.

  7. Click Create Key.

  8. Enter the following details.

    Field        Description
    Select Map   Select the map created in Step 6 (for this example, SOA).
    Key          Enter the key name (KeystorePassword is the default).
    Type         Select Password.
    User Name    Enter the keystore user name (KeystorePassword is the default).
    Password     Enter the password that you created for the keystore.

    When you set up SSL in Oracle WebLogic Server, a key alias is required. You must enter mykey as the alias value.

  9. Set the keystore location in Oracle Enterprise Manager Fusion Middleware Control Console. See Step 1 for instructions.

  10. Modify the composite.xml syntax to use https and the SSL port to invoke a SOA composite application. For example, change the import locations that use http and the non-SSL port:

    <?xml version="1.0" encoding="UTF-8" ?> 
    <!-- Generated by Oracle SOA Modeler version 1.0 at [4/1/09 11:01 PM]. --> 
    <composite name="InvokeEchoBPELSync" 
      location="BPELProcess1.wsdl" importType="wsdl"/>
    <import namespace="

    to use https and the SSL port:


6.3 Invoking References in One-Way SSL Environments in Oracle JDeveloper

When invoking a Web service as an external reference from a SOA composite application in one-way SSL environments, ensure that the common name (CN) in the server certificate and the host name used in the reference's location URL match exactly. The client compares the two during the SSL handshake, and a mismatch fails the handshake even when the certificate chain itself is trusted.

For example, if a Web service is named adfbc and the server certificate has a CN of myhost05, the following import order results in an SSL handshake exception.

  <import namespace="/adfbc1/common/" 
@ location=" 
 <import namespace="/adfbc1/common/" location="Service1.wsdl" 

If you switch the order of import, the SSL handshake passes.

<import namespace="/adfbc1/common/" location="Service1.wsdl" 
  <import namespace="/adfbc1/common/" 
@ location=" 
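The host-name check described above, as an added example that is not part of this guide or of Oracle's code: a Python re-implementation of the comparison an HTTPS client performs after the certificate chain validates. The certificate records and URLs are constructed for the example, and the function names (dns_names, hostname_matches, check_wsdl_location) are this example's own.

```python
"""Host-name verification as an HTTPS client performs it during the handshake.

Added example; not from the Oracle documentation or from Oracle code.  After
the certificate chain validates, the host name in the request URL must equal
a DNS subjectAltName of the server certificate or, when the certificate has
no DNS SAN, its subject CN.  A leading "*." matches exactly one DNS label.
The certificate records are constructed dicts in the shape that Python's
ssl.getpeercert() returns; nothing here touches the network.
"""
from urllib.parse import urlparse


def _name_matches(pattern, hostname):
    """Case-insensitive comparison; '*.' matches one left-most label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        labels = hostname.split(".")
        return "*" not in suffix and len(labels) >= 2 and ".".join(labels[1:]) == suffix
    return pattern == hostname


def dns_names(cert):
    """Names the certificate is valid for: DNS SANs, else the subject CN(s)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn
            if attr == "commonName"]


def hostname_matches(cert, hostname):
    """True when the TLS client would accept `cert` for `hostname`."""
    return any(_name_matches(name, hostname) for name in dns_names(cert))


def check_wsdl_location(cert, url):
    """(host, accepted) for the host part of a WSDL or endpoint URL."""
    host = urlparse(url).hostname or ""
    return host, hostname_matches(cert, host)


# Constructed certificate record for the Section 6.3 case: CN=myhost05 and no
# subjectAltName, as an older self-signed or orapki-generated certificate may have.
CERT_CN_ONLY = {
    "subject": ((("organizationName", "ORACLE"),), (("commonName", "myhost05"),)),
}

# Constructed record for a certificate that also names the fully qualified host.
CERT_WITH_SAN = {
    "subject": ((("commonName", "myhost05"),),),
    "subjectAltName": (("DNS", "myhost05"), ("DNS", "myhost05.example.com")),
}

if __name__ == "__main__":
    for url in ("https://myhost05:8002/adfbc/Service1?WSDL",
                "https://myhost05.example.com:8002/adfbc/Service1?WSDL",
                "https://10.0.0.5:8002/adfbc/Service1?WSDL"):
        host, ok = check_wsdl_location(CERT_CN_ONLY, url)
        print("%-55s %s" % (url, "handshake passes" if ok else "handshake exception"))
```

With the CN-only certificate, only a location URL that names the host exactly as myhost05 is accepted; the fully qualified name and the IP address are rejected. The two remedies are to reference the host exactly as the certificate names it, or to reissue the certificate with a subjectAltName entry for every name clients use.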

Note the following restrictions around this issue:

6.4 Configuring Oracle SOA Suite and Oracle HTTP Server for SSL Communication

Follow these steps to configure SSL communication between Oracle SOA Suite and Oracle HTTP Server.

6.4.1 Configuring Oracle HTTP Server for SSL Communication

  1. Update mod_ssl.conf with the <Location /integration/services> directive and the other proxied context roots, as shown in the following example:

    LoadModule weblogic_module   ${ORACLE_HOME}/ohs/modules/
    <IfModule mod_weblogic.c>
          WLLogFile <logdir>/ohs_ssl.log
          Debug ALL
          DebugConfigInfo ON
          SecureProxy ON
          MatchExpression *.jsp
          WlSSLWallet <OHS_
    </IfModule>
    <Location /soa-infra>
          WebLogicPort 8002
          SetHandler weblogic-handler
    </Location>
    <Location /b2bconsole>
          WebLogicPort 8002
          SetHandler weblogic-handler
    </Location>
    <Location /b2b>
          WebLogicPort 8002
          SetHandler weblogic-handler
    </Location>
    <Location /integration/worklistapp>
          WebLogicPort 8002
          SetHandler weblogic-handler
    </Location>
    <Location /integration/services>
          WebLogicPort 8002
          SetHandler weblogic-handler
    </Location>
    <Location /DefaultToDoTaskFlow>
          WebLogicPort 8002
          SetHandler weblogic-handler
    </Location>
    <Location /OracleBAM>
          WebLogicPort 9002
          SetHandler weblogic-handler
    </Location>
    <Location /OracleBAMWS>
          WebLogicPort 9002
          SetHandler weblogic-handler
          ErrorPage
    </Location>
    <Location /sdpmessaging/userprefs-ui/>
          WebLogicPort 8002
          SetHandler weblogic-handler
    </Location>

    Debug ALL and DebugConfigInfo ON are diagnostic settings. With DebugConfigInfo ON, any client can retrieve the plug-in's configuration by appending ?__WebLogicBridgeConfig to a request, so set both directives to OFF before the server goes into production.

  2. Start the Oracle WebLogic Servers as described in Section 6.2, "Configuring SOA Composite Applications for Two-Way SSL Communication."
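As an added example that is not from this guide or from Oracle HTTP Server, the following Python script parses a proxy configuration in the layout above and reports the settings to review before production: debugging directives left on, <Location> blocks that do not hand requests to the weblogic-handler, and routes without a WebLogicHost or WebLogicPort. The sample configuration, its host name and paths are constructed for the example, and parse_conf, routes and lint are the example's own names.

```python
"""Lint the WebLogic proxy plug-in section of an Oracle HTTP Server
configuration such as mod_ssl.conf.

Added example, not part of the Oracle documentation or of Oracle HTTP Server.
"""
import re

# Constructed sample in the layout of the Section 6.4.1 configuration.  The
# module path, log file, wallet path and WebLogicHost are placeholders.
SAMPLE_CONF = """\
LoadModule weblogic_module ${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so
<IfModule mod_weblogic.c>
      WLLogFile /var/log/ohs/ohs_ssl.log
      Debug ALL
      DebugConfigInfo ON
      SecureProxy ON
      MatchExpression *.jsp
      WlSSLWallet /u01/app/ohs/wallet
      WebLogicHost soahost.example.com
</IfModule>
<Location /soa-infra>
      WebLogicPort 8002
      SetHandler weblogic-handler
</Location>
<Location /integration/worklistapp>
      WebLogicPort 8002
      SetHandler weblogic-handler
</Location>
<Location /OracleBAM>
      WebLogicPort 9002
</Location>
"""

# Diagnostic directives and the value that means "on".  DebugConfigInfo ON lets
# a client fetch the plug-in configuration with ?__WebLogicBridgeConfig.
DEBUG_DIRECTIVES = {"Debug": "all", "DebugConfigInfo": "on"}

_LOCATION_OPEN = re.compile(r"<Location\s+(\S+)\s*>$", re.IGNORECASE)


def parse_conf(text):
    """Return (global_directives, {location_path: directives}).

    Directive names are lower-cased (Apache treats them case-insensitively);
    directives inside <IfModule> count as global, and a later value wins.
    """
    global_d, locations, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LOCATION_OPEN.match(line)
        if m:
            current = m.group(1)
            locations.setdefault(current, {})
            continue
        if line.lower() == "</location>":
            current = None
            continue
        if line.startswith("<"):      # <IfModule ...> and </IfModule> are transparent here
            continue
        name, _, value = line.partition(" ")
        target = locations[current] if current is not None else global_d
        target[name.lower()] = value.strip()
    return global_d, locations


def routes(text):
    """Effective (WebLogicHost, WebLogicPort) for each proxied path."""
    global_d, locations = parse_conf(text)
    return {path: ({**global_d, **d}.get("weblogichost"), {**global_d, **d}.get("weblogicport"))
            for path, d in locations.items()}


def lint(text):
    """Findings to resolve before production; empty when none are found."""
    global_d, locations = parse_conf(text)
    findings = []
    for display, on_value in DEBUG_DIRECTIVES.items():
        if global_d.get(display.lower(), "").lower() == on_value:
            findings.append("%s %s is set: turn it OFF in production" % (display, on_value.upper()))
    if global_d.get("secureproxy", "").lower() != "on":
        findings.append("SecureProxy is not ON: the plug-in forwards to WebLogic Server over plain http")
    for path, d in locations.items():
        eff = {**global_d, **d}
        if eff.get("sethandler", "").lower() != "weblogic-handler":
            findings.append("%s: no 'SetHandler weblogic-handler', requests are served by OHS, not proxied" % path)
        for needed in ("weblogichost", "weblogicport"):
            if needed not in eff:
                findings.append("%s: %s is not set" % (path, needed))
    return findings


if __name__ == "__main__":
    for path, (host, port) in routes(SAMPLE_CONF).items():
        print("%-30s -> %s:%s" % (path, host, port))
    for finding in lint(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run against the sample, it reports the two debugging directives and the /OracleBAM block that lacks a SetHandler; the route table makes it easy to confirm that every context root points at the SSL listen port (8002 or 9002 here) rather than a plain-text one.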

6.4.2 Configuring Certificates for Oracle Client, Oracle HTTP Server, Oracle WebLogic Server

  1. Export the user certificate from the Oracle HTTP Server wallet.

    orapki wallet export -wallet . -cert cert.txt  -dn 'CN=\"Self-Signed Certificate for ohs1 \",OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US'
  2. Import the above certificate into the Oracle WebLogic Server truststore as a trusted certificate.

    keytool -file cert.txt -importcert -trustcacerts -keystore DemoTrust.jks
  3. Export the certificate from the Oracle WebLogic Server truststore.

    keytool -keystore DemoTrust.jks -exportcert -alias wlscertgencab -rfc -file
  4. Import the above certificate to the Oracle HTTP Server wallet as a trusted certificate.

    orapki wallet add -wallet . -trusted_cert -cert certgencab.crt -auto_login_only
  5. Restart Oracle HTTP Server.

  6. Restart the Oracle WebLogic Servers as described in Section 6.2, "Configuring SOA Composite Applications for Two-Way SSL Communication."

    DemoTrust.jks and the wlscertgencab entry belong to the Oracle WebLogic Server demonstration identity and trust material. In a production environment, perform the same exchange against the custom trust keystore that the servers are configured to use (see Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server).

6.5 Automatically Authenticating Oracle BPM Worklist Users in SAML SSO Environments

In order to be automatically authenticated when accessing a second Oracle BPM Worklist from a first Oracle BPM Worklist in Security Assertion Markup Language (SAML) SSO environments, you must perform the following steps. Otherwise, you are prompted to log in again when you access the second Oracle BPM Worklist. In these environments, the first Oracle BPM Worklist is configured as the SAML identity provider and the second Oracle BPM Worklist that you are attempting to access is configured as the SAML service provider.

  1. Add /integration/worklistapp/* as the redirect URL for worklistapp to the SAML service provider site's SAML2IdentityAsserter configuration as follows.

    1. In the Oracle WebLogic Server Administration Console, select Security Realms.

    2. Click the realms for the service providers.

    3. Select the Providers tab, and then the Authentication subtab.

    4. From the provider list, select the provider with the description SAML 2.0 Identity Assertion Provider.

      If you do not see the SAML identity assertion provider configuration, follow the instructions in Oracle Fusion Middleware Securing Oracle WebLogic Server.

    5. Select the Management tab.

    6. Under the Management tab, you can see a list of identity provider partners. These are the hosts configured as SAML identity provider partners for this service provider site. Remember that this configuration step is performed on the service provider site, that is, the site hosting the second Oracle BPM Worklist, the one you want to reach without logging in again.

    7. Select the identity provider site where you want the user to perform the initial login.

    8. Scroll down the page until you see the field Redirect URIs.

    9. Add /integration/worklistapp/* to the list.

    After performing this step, you can log in to Oracle BPM Worklist at the SAML identity provider site through the regular URL /integration/worklistapp. If necessary, you can then navigate to the URL /integration/worklistapp/ssologin at the SAML service provider site, where you gain access to Oracle BPM Worklist and are automatically authenticated.

    For more information on SAML2IdentityAsserter and configuring SSO with Web browsers and HTTP clients, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

6.6 Automatically Authenticating Oracle BPM Worklist Users in Windows Native Authentication Environments

For Windows native authentication through Kerberos to work with Oracle BPM Worklist, you must use the /integration/worklistapp/ssologin protected URL. For example, after configuring Windows native authentication, you access Oracle BPM Worklist as follows:


For information on configuring SSO with Microsoft clients, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

6.7 Listing Oracle Internet Directory as the First Authentication Provider

The Oracle BPM Worklist and workflow services use Java Platform Security (JPS) and the User and Role API. For this reason, the Oracle Internet Directory authenticator must be the first provider listed when workflow is used with Oracle Internet Directory. If Oracle Internet Directory is not listed first (for example, it is listed below DefaultAuthenticator), login authentication fails.

For information about changing the order of authentication providers, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

6.8 Switching from Non-SSL to SSL Configurations with Oracle BPM Worklist

Switching from non-SSL to SSL configurations with Oracle BPM Worklist requires the Frontend Host and Frontend HTTPS Port fields to be set in Oracle WebLogic Server Administration Console. Not doing so results in exception errors when you attempt to create to-do tasks.

  1. Log in to Oracle WebLogic Server Administration Console.

  2. In the Environment section, select Servers.

  3. Select the name of the managed server (for example, soa_server1).

  4. Select Protocols, then select HTTP.

  5. In the Frontend Host field, enter the host name on which Oracle BPM Worklist is located.

  6. In the Frontend HTTPS Port field, enter the SSL listener port.

  7. Click Save.

6.9 Configuring Security for Human Workflow WSDL Files

If the WSDL files for human workflow services do not need to be exposed to external consumers, set the flag that exposes the WSDL to false for each of the services:


For more information, see Oracle Fusion Middleware Developer's Guide for Oracle Web Services.

6.10 Configuring SSL Between SOA Composite Application Instances and Oracle WebCache

The Test Web Service page, in an Oracle WebCache and Oracle HTTP Server environment, may require communication back through Oracle WebCache. Therefore, SSL must be configured between the SOA composite application instance and Oracle WebCache (that is, export the user certificate from the Oracle WebCache wallet and import it as a trusted certificate in the Oracle WebLogic Server truststore).

6.11 Using a Custom Trust Store for One-Way SSL During Design Time

To invoke a SOA composite application from another composite over HTTPS when using a custom trust store created with a tool such as keytool or orapki, perform the following actions in Oracle JDeveloper.

  1. To fetch a WSDL file in the reference section, set the trust store information in Tools > Preferences > Http Analyzer > HTTPS Setup > Client Trusted Certificate Keystore.

  2. During deployment to an SSL-enabled server, use the JSSE property at the command line:


6.12 Enabling an Asynchronous Process Deployed to an SSL-Enabled, Managed Server to Invoke Another Asynchronous Process Over HTTP

Assume you create the following environment:

At run time, the WSDL is looked for over HTTPS, and the callback message from asynchronous BPEL process B fails.

To resolve this issue, the callbackServerURL property must be passed at the reference binding level in the composite.xml file. This explicitly indicates the value of the callback URL for the given reference invocation. If the client composite is running in an SSL-managed server, then the callback defaults to SSL.

<reference name="Service1" 
   ui:wsdlLocation=". . ."> 
   <interface.wsdl interface=". . ."/> 
   <binding.ws port=". . ."> 
     <wsp:PolicyReference URI="oracle/wss_username_token_client_policy" . . ./> 
     <wsp:PolicyReference URI="oracle/wsaddr_policy" . . ./> 
     <property name="callbackServerURL">http://localhost:8000/</property> 
   </binding.ws>
</reference>
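As an added example serving both Section 6.2 (the oracle.soa.two.way.ssl.enabled property and the https import locations) and this section (callbackServerURL), and not code from this guide or from Oracle, the following Python script audits a composite.xml for these settings and reports every WSDL import, reference endpoint or callback that still travels over plain http. The namespace URIs are assumed to be those of the SOA Suite 11g composite schema; the sample composite, its host names and the function names are constructed for the example.

```python
"""Audit the transport-security settings of an SCA composite.xml.

Added example written for this page; not Oracle code and not from the Oracle
documentation.  It reads the <import> and <reference> elements and reports
what Sections 6.2, 6.3 and 6.12 ask you to check by hand.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed namespaces (check the xmlns declarations of your own composite.xml).
NS = {
    "sca": "http://xmlns.oracle.com/sca/1.0",
    "ui": "http://xmlns.oracle.com/soa/designer/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}


def q(prefix, local):
    """Clark-notation name, e.g. {http://xmlns.oracle.com/sca/1.0}reference."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed composite: Service1 is configured as in Sections 6.2 and 6.12,
# while Service2 and the second import still use http.  Hosts are placeholders.
SAMPLE_COMPOSITE = """\
<composite name="InvokeEchoBPELSync"
           xmlns="http://xmlns.oracle.com/sca/1.0"
           xmlns:ui="http://xmlns.oracle.com/soa/designer/"
           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <import namespace="http://xmlns.oracle.com/InvokeEchoBPELSync/BPELProcess1"
          location="BPELProcess1.wsdl" importType="wsdl"/>
  <import namespace="http://xmlns.oracle.com/EchoBPEL/Echo"
          location="http://myhost05:8001/soa-infra/services/default/EchoBPEL/echo?WSDL"
          importType="wsdl"/>
  <reference name="Service1"
             ui:wsdlLocation="https://myhost05:8002/soa-infra/services/default/EchoBPEL/echo?WSDL">
    <interface.wsdl interface="http://xmlns.oracle.com/EchoBPEL/Echo#wsdl.interface(Echo)"/>
    <binding.ws port="http://xmlns.oracle.com/EchoBPEL/Echo#wsdl.endpoint(echo/EchoPort)"
                location="https://myhost05:8002/soa-infra/services/default/EchoBPEL/echo">
      <wsp:PolicyReference URI="oracle/wss_username_token_client_policy"/>
      <wsp:PolicyReference URI="oracle/wsaddr_policy"/>
      <property name="oracle.soa.two.way.ssl.enabled">true</property>
      <property name="callbackServerURL">http://localhost:8000/</property>
    </binding.ws>
  </reference>
  <reference name="Service2"
             ui:wsdlLocation="http://other:7001/soa-infra/services/default/Other/other?WSDL">
    <interface.wsdl interface="http://xmlns.oracle.com/Other#wsdl.interface(Other)"/>
    <binding.ws port="http://xmlns.oracle.com/Other#wsdl.endpoint(other/OtherPort)"
                location="http://other:7001/soa-infra/services/default/Other/other"/>
  </reference>
</composite>
"""


def load(xml_text):
    return ET.fromstring(xml_text)


def is_plain_http(url):
    """True for absolute http:// URLs; relative WSDL paths and https pass."""
    return urlparse(url or "").scheme.lower() == "http"


def reference_settings(root):
    """Per reference name: WSDL, endpoint, attached policies, SSL flag, callback."""
    settings = {}
    for ref in root.findall(q("sca", "reference")):
        binding = ref.find(q("sca", "binding.ws"))
        props, policies, endpoint = {}, [], None
        if binding is not None:
            endpoint = binding.get("location")
            policies = [p.get("URI") for p in binding.findall(q("wsp", "PolicyReference"))]
            props = {p.get("name"): (p.text or "").strip()
                     for p in binding.findall(q("sca", "property"))}
        settings[ref.get("name")] = {
            "wsdl": ref.get(q("ui", "wsdlLocation")),
            "endpoint": endpoint,
            "policies": policies,
            "two_way_ssl": props.get("oracle.soa.two.way.ssl.enabled", "").lower() == "true",
            "callback_url": props.get("callbackServerURL"),
        }
    return settings


def audit(xml_text):
    """Findings about plain-http traffic and inconsistent SSL settings."""
    root = load(xml_text)
    findings = []
    for imp in root.findall(q("sca", "import")):
        if is_plain_http(imp.get("location")):
            findings.append("import %s: WSDL fetched over http (%s)"
                            % (imp.get("namespace"), imp.get("location")))
    for name, s in reference_settings(root).items():
        for field in ("wsdl", "endpoint"):
            if is_plain_http(s[field]):
                findings.append("reference %s: %s uses http (%s)" % (name, field, s[field]))
        if s["two_way_ssl"] and not (s["endpoint"] or "").lower().startswith("https://"):
            findings.append("reference %s: two-way SSL enabled but endpoint is not https" % name)
        if is_plain_http(s["callback_url"]):
            findings.append("reference %s: callbacks return over http (%s)"
                            % (name, s["callback_url"]))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_COMPOSITE):
        print(line)
```

On the sample, the audit flags the http import, both http URLs of Service2, and the callbackServerURL of Service1. That last finding is the deliberate configuration this section describes: the callback is intentionally routed over HTTP, so treat the finding as a reminder that the callback path must be one you trust rather than as something to remove.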