Oracle Infrastructure Web Services and Oracle Web Services Manager are supported on IBM WebSphere, with some limitations. The tasks required to secure and administer Oracle Infrastructure Web services are described in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. This chapter provides specific information for managing Oracle Fusion Middleware Web services on IBM WebSphere, and describes the limitations.
This chapter contains the following sections:
Section 5.1, "Configuring a Default Administrative User from the LDAP Directory"
Section 5.4, "Differences and Restrictions When Managing Web Services Components on IBM WebSphere"
On WebSphere, Oracle Platform Security Services (OPSS) supports LDAP-based registries only; in particular, it does not support WebSphere's built-in file-based user registry. For information about configuring an LDAP registry and seeding the registry with users and groups required by Fusion Middleware components such as Oracle WSM, see Chapter 6, "Managing Oracle Fusion Middleware Security on IBM WebSphere."
By default, the Oracle WSM Policy Manager uses the wasadmin administrative user to communicate with the server. If this user is not available in the LDAP, you must configure the policy manager to use a principal administrative user from the LDAP as described in the following procedure.
Configure the LDAP registry as described in "IBM WebSphere Identity Stores" and restart the server.
Note:
The remaining steps in this procedure use the following sample primary user properties: cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com and orcladmin-csf-key for the jndi.lookup.csf.key that will be used for the administrator user access. The values for these properties will vary depending on your environment.
Update the credential store cwallet.sso file and the security role mappings using wsadmin commands as follows:
Opss.createCred(map='oracle.wsm.security', key='orcladmin-csf-key', user='cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com', password='welcome1', desc='wsm-pm admin user csf-key')
AdminApp.edit('wsm-pm', '[-MapRolesToUsers [[policy.Updater AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No "user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]')
AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ policy.Accessor AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No " |user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]' )
AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ policy.User AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No " user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]' )
AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ policyViewer AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No " |user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]' )
AdminConfig.save()
exit
Note:
The syntax for the policyViewer property differs from that of the other properties in that it does not include the separating period. Specifically, the syntax for these properties is policy.Updater, policy.Accessor, policy.User, policyViewer.
Restart the server.
The following sections describe how to configure Oracle WSM and connect to the policy manager:
Oracle WSM is installed by default when you install Oracle Fusion Middleware SOA Suite or Oracle Application Development Runtime. For more information about installation, see Chapter 2, "Installing and Configuring Oracle Fusion Middleware on IBM WebSphere."
To configure Oracle Fusion Middleware in a new IBM WebSphere environment, you use a special version of the Oracle Fusion Middleware Configuration Wizard as described in "Using the Configuration Wizard" in Configuration Guide for IBM WebSphere Application Server.
To configure Oracle WSM when you create or extend a cell using the Configuration Wizard, be sure to select the following options in the Add Products to Cell screen:
Oracle Enterprise Manager for WebSphere
Oracle WSM Policy Manager
If you plan to use asynchronous Web services, select Oracle JRF WebServices Asynchronous services also. For more information, see "Asynchronous Web Services".
Note:
Oracle JRF for WebSphere is automatically selected as a dependency when you select any of the above products.
In a WebSphere environment, the Oracle WSM Policy Manager does not run on the same server as Oracle Enterprise Manager. Therefore, the Oracle WSM automatic discovery feature cannot locate and connect to an Oracle WSM Policy Manager. To connect to the policy manager, use the following procedure:
In the navigator pane of Enterprise Fusion Middleware Control, expand WebSphere Cell to view the cells.
Select the cell for which you want to configure the policy manager.
Right-click the name of the cell and from the menu select Web Services then Platform Policy Configuration.
The Platform Policy Configuration page displays, as shown in Figure 5-1.
Select the Policy Accessor tab.
The Policy Accessor tab enables you to explicitly set a remote JNDI provider URL and corresponding csf-key credentials to access a Policy Manager on a remote server.
Click Add to define the remote JNDI provider.
In the Add New Configure Property window, specify the following values:
In the Name field, enter the JNDI provider URL property as java.naming.provider.url.
In the Value field, enter the URL for the server on which the policy manager is running. For example:
corbaloc:iiop:hostname:rmiport
where hostname specifies the DNS name or IP address of the WebSphere server and rmiport specifies the port number on which the policy manager is running.
Click OK.
Click Add to define a corresponding csf-key credential property.
If the location of the Oracle WSM Policy Manager is provided in the java.naming.provider.url property, the jndi.lookup.csf.key provides the credential configuration.
Note:
The csf-key that you specify in this step must match the csf-key specified for the Policy Manager administrative user in the credential store. For more information about adding an Oracle WSM Policy Manager administrative user to the credential store, see "Configuring a Default Administrative User from the LDAP Directory".
In the Add New Configure Property window, specify the following values:
In the Name field, enter the name of the JNDI provider's csf-key credential property as jndi.lookup.csf.key.
In the Value field, enter the csf-key credentials.
Because the Policy Manager is security enabled, the csf-key specifies the java.naming.security.principal and java.naming.security.credentials when using the JNDI URL to look up a Policy Manager.
For example, using the sample provided in "Configuring a Default Administrative User from the LDAP Directory", the administrative user is orcladmin and the csf-key is orcladmin-csf-key.
Click OK.
Figure 5-2 shows the Policy Accessor tab with the java.naming.provider.url and jndi.lookup.csf.key property settings.
Figure 5-2 Policy Accessor Property Settings
For information about additional properties you can set on the Policy Accessor tab, see "Configuring Web Service Policy Retrieval" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Optionally, select the Policy Cache tab.
The Policy Cache tab allows you to tune the behavior of the policy cache delay for Web service endpoints, which can help to avoid network calls and increase performance when fetching policies from a remote Oracle WSM Policy Manager.
To modify an existing policy cache property, select it and then click Edit. In the Edit Policy Cache Property window, you can edit the Value field to change the default amount for the property.
You may want to edit the following property:
cache.tolerance – This ensures that the policy set retrieved from the Web service endpoint policy cache is the most current version (that is, it has not exceeded the cache.tolerance value). If it is determined that the policy set is stale, the updated policy set is retrieved from the Oracle WSM policy manager and refreshed in the Web service endpoint policy cache. The default is 60000 milliseconds (1 minute).
To add another property, click Add, and in the Add New Policy Cache Property window, specify the necessary values.
To delete an existing property, select it and then click Delete.
Click Apply to apply the property updates.
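The csf-key created in "Configuring a Default Administrative User from the LDAP Directory" and the Policy Accessor properties set above must agree with each other. The following pre-flight check is an added example, not Oracle code: `preflight` and its three input dictionaries are hypothetical, the host name and port are constructed, and it assumes that the four wsm-pm roles are mapped to the same user that the csf-key holds.

```python
import re

# Values taken from this page.
CSF_MAP = "oracle.wsm.security"
WSM_PM_ROLES = ("policy.Updater", "policy.Accessor", "policy.User", "policyViewer")
# Page form: corbaloc:iiop:hostname:rmiport (a DNS name or IPv4 address is assumed).
CORBALOC_RE = re.compile(r"^corbaloc:iiop:([A-Za-z0-9.-]+):(\d{1,5})$")

def preflight(props, credentials, role_map):
    """Return a list of inconsistencies (hypothetical helper, not an Oracle API).

    props       -- Policy Accessor properties, name -> value
    credentials -- {(map, csf_key): user DN}, as created with Opss.createCred
    role_map    -- {wsm-pm role: user DN}, as set with AdminApp.edit
    """
    problems = []
    url = props.get("java.naming.provider.url", "").strip()
    key = props.get("jndi.lookup.csf.key", "").strip()
    m = CORBALOC_RE.match(url)
    if not m:
        problems.append("provider URL is not corbaloc:iiop:hostname:rmiport")
    elif not 1 <= int(m.group(2)) <= 65535:
        problems.append("rmiport %s is out of range" % m.group(2))
    user = credentials.get((CSF_MAP, key))
    if user is None:
        problems.append("csf-key %r is not in map %s" % (key, CSF_MAP))
    for role in WSM_PM_ROLES:
        if role not in role_map:
            problems.append("role %s is not mapped" % role)
        elif user is not None and role_map[role] != user:
            problems.append("role %s is mapped to a different user" % role)
    for role in role_map:
        if role not in WSM_PM_ROLES:
            problems.append("unknown role %s" % role)
    return problems

# Sample DN and csf-key from this page; host name and port are constructed.
DN = "cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com"
GOOD = dict(
    props={"java.naming.provider.url": "corbaloc:iiop:wsmhost.example.com:2809",
           "jndi.lookup.csf.key": "orcladmin-csf-key"},
    credentials={(CSF_MAP, "orcladmin-csf-key"): DN},
    role_map=dict((r, DN) for r in WSM_PM_ROLES),
)
# Constructed mistakes: wrong URL scheme, wrong csf-key, 'policy.Viewer' with a period.
BAD = dict(
    props={"java.naming.provider.url": "iiop://wsmhost.example.com:2809",
           "jndi.lookup.csf.key": "wsm-admin-key"},
    credentials=GOOD["credentials"],
    role_map={"policy.Updater": DN, "policy.Accessor": DN,
              "policy.User": DN, "policy.Viewer": DN},
)

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, preflight(**cfg) or "consistent")
```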
The following sections describe the differences when developing Web services applications on IBM WebSphere:
Not all high availability (HA) features may be available at the same quality of service levels as WebLogic Server.
For example, Jython scripts are not available to configure the Java Object Cache in a clustered environment.
Asynchronous Web services are supported on platforms other than WebLogic Server. For asynchronous Web services to function, the following JMS default queues must be present:
oracle.j2ee.ws.server.async.DefaultRequestQueue
oracle.j2ee.ws.server.async.DefaultResponseQueue
oracle.j2ee.ws.server.async.DefaultRequestErrorQueue
oracle.j2ee.ws.server.async.DefaultResponseErrorQueue
weblogic.jms.XAConnectionFactory
To create these queues, you must configure Oracle JRF Asynchronous Web Services using the Oracle Fusion Middleware Configuration Wizard. You do so in the Add Products to Cell screen in the Configuration Wizard as described in "Configuring Oracle WSM". Once you have created or extended a cell with this template, the JMS queues are available for use.
When using JDeveloper, the remote Oracle WSM policy store on a WebSphere server is not available.
The following sections describe the differences and restrictions for managing Web services components on IBM WebSphere:
Automatic discovery of the Oracle WSM policy manager is not supported by third-party application servers, such as WebSphere. For details about connecting to the policy manager, see "Configuring Oracle WSM on IBM WebSphere".
Web Services Atomic Transactions (WSAT) are not supported and will result in runtime errors.
Native Web services, such as those that are deployed to a stack other than the Oracle Infrastructure Web Services stack, are not exposed in the WSIL. Only the deployed Oracle Infrastructure Web Services are listed. The WSIL application is deployed on every server as part of the JRF template and the URI to access the application is /inspection.wsil. The WSIL application uses basic HTTP authentication to ensure that only authorized users can access the list of Web services.
WS-Reliable Messaging (WS-RM) is supported on IBM WebSphere with the following limitations:
WS-RM includes support for persistent database (DB) message store with Oracle databases only.
WS-RM supports clustering only when Coherence is installed and available. This behavior is the same as WebLogic Server on all the platforms where Coherence is available.
On IBM WebSphere, you access the Web services pages in Fusion Middleware Control using either of the following methods:
From the main WebSphere Cell menu, select Web Services, then the desired Web services page, as shown in Figure 5-3.
In the navigation pane, right-click on the target cell name, then select Web Services, then the desired Web services page.
The following limitations and differences apply when managing Web services using Fusion Middleware Control:
You cannot view or manage Web services at the server level.
The bulk policy attachment feature is not available.
The registered sources and services, and publish to UDDI features are not available.
The Application Deployment Summary page does not include the list of Web Services, or the Most Requested table.
Native WebSphere Web services are not supported.
The Usage Analysis page displays the WebSphere cell and server names.
The Web services wsadmin commands are identical to the custom Web services WebLogic Scripting Tool (WLST) commands provided for WebLogic Server. The Web services commands are grouped into two categories:
WebServices—These commands consist of the Web service and client management commands, and the policy management commands. For a complete list of these commands, see "WebServices wsadmin Commands".
wsmManage—These commands consist of the policy set management commands, the import/export repository commands, and the Oracle WSM repository maintenance commands. For a complete list of these commands, see "wsmManage wsadmin Commands".
Note:
Because the Oracle WSM Policy Manager is security enabled, you must pass Java system properties, such as username and password, when invoking wsadmin. For details about invoking wsadmin and using the wsadmin commands, see "Using the Oracle Fusion Middleware wsadmin Commands".
Refer to the following sections for more information:
To execute the wsadmin commands, you must prefix each command with the category name. That is, each command in the WebServices category must be preceded by WebServices, and each command in the wsmManage category must be preceded with wsmManage. For example:
To execute a command in the WebServices category, such as the listWebServices() command, enter the following:
wsadmin>WebServices.listWebServices(None, None, 'true')
/NonTLRCell/OracleAdminServer/j2wbasicPolicy :
moduleName=j2wbasicPolicy, moduleType=web, serviceName=WssUsernameService
enableTestPage: true
enableWSDL: true
JRFWssUsernamePort http://host.us.oracle.com:9002/j2wbasicPolicy/WssUsername
enable: true
enableREST: false
enableSOAP: true
maxRequestSize: -1
loggingLevel: NULL
wsat.flowOption: NEVER
wsat.version: DEFAULT
security : oracle/wss_username_token_service_policy, enabled=true
addressing : oracle/wsaddr_policy, enabled=true
(global) security : oracle/binding_authorization_permitall_policy, enabled=true
/policysets/global/app-only-web-service-policies : Application("j2wbasicPolicy")
Attached policy or policies are valid; endpoint is secure.
To execute a command in the wsmManage category, such as the listPolicySets() command, enter the following:
wsadmin>wsmManage.listPolicySets()
Global Policy Sets in Repository:
all-cells-default-web-service-policies
app-only-web-service-policies
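The listWebServices() output shown above can be checked mechanically for ports that have no enabled security policy. The parser below is an added example, not part of the Oracle documentation or tooling: it assumes the line layout of the sample on this page, `parse_ports` and `audit` are hypothetical names, and the second sample is constructed.

```python
import re

# Output of WebServices.listWebServices(None, None, 'true') from this page (abridged).
PAGE_SAMPLE = """\
/NonTLRCell/OracleAdminServer/j2wbasicPolicy :
moduleName=j2wbasicPolicy, moduleType=web, serviceName=WssUsernameService
enableTestPage: true
enableWSDL: true
JRFWssUsernamePort http://host.us.oracle.com:9002/j2wbasicPolicy/WssUsername
enable: true
security : oracle/wss_username_token_service_policy, enabled=true
addressing : oracle/wsaddr_policy, enabled=true
(global) security : oracle/binding_authorization_permitall_policy, enabled=true
/policysets/global/app-only-web-service-policies : Application("j2wbasicPolicy")
Attached policy or policies are valid; endpoint is secure.
"""

# Constructed sample (not real tool output): security policy disabled, no verdict line.
CONSTRUCTED_SAMPLE = """\
/NonTLRCell/OracleAdminServer/demoApp :
DemoPort http://host.example.com:9002/demoApp/Demo
security : oracle/wss_username_token_service_policy, enabled=false
addressing : oracle/wsaddr_policy, enabled=true
"""

PORT_RE = re.compile(r"^(\S+)\s+(https?://\S+)$")
POLICY_RE = re.compile(r"^(\(global\)\s+)?([\w-]+)\s*:\s*(\S+),\s*enabled=(true|false)$")
VERDICT = "Attached policy or policies are valid; endpoint is secure."

def parse_ports(text):
    """Return one dict per port: name, url, attached policies, verdict_seen."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:  # "<port name> <endpoint URL>" starts a new port record
            current = {"name": m.group(1), "url": m.group(2),
                       "policies": [], "verdict_seen": False}
            ports.append(current)
            continue
        m = POLICY_RE.match(line) if current else None
        if m:  # "[(global)] <category> : <policy URI>, enabled=<bool>"
            current["policies"].append({"global": bool(m.group(1)), "category": m.group(2),
                                        "uri": m.group(3), "enabled": m.group(4) == "true"})
        elif current and line == VERDICT:
            current["verdict_seen"] = True
    return ports

def audit(text):
    """Flag ports with no enabled security policy or without the verdict line."""
    findings = []
    for port in parse_ports(text):
        if not any(p["category"] == "security" and p["enabled"] for p in port["policies"]):
            findings.append((port["name"], "no enabled security policy attached"))
        if not port["verdict_seen"]:
            findings.append((port["name"], "secure-endpoint verdict line missing"))
    return findings

if __name__ == "__main__":
    print(audit(PAGE_SAMPLE), audit(CONSTRUCTED_SAMPLE))
```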
The following table identifies the WebServices management wsadmin commands that are supported on WebSphere, and provides links to the reference documentation in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Sample procedures for using the commands are described in the following chapters in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:
Note:
You can use these commands as described in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference and Oracle Fusion Middleware Security and Administrator's Guide for Web Services. However, in a WebSphere environment, you must execute the commands as described in "Executing the Web Services wsadmin Commands".
Table 5-1 WebServices wsadmin Commands Supported on IBM WebSphere
| Command | Description |
|---|---|
| | List the Web service information for an application, composite, or cell. |
| | List the Web service ports for a Web service application or SOA composite. |
| | List Web services and port configuration for an application or SOA composite. |
| | List Web service client information for an application, SOA composite, or cell. |
| | List Web service client ports information for an application or SOA composite. |
| | List Web service client port stub properties for an application or SOA composite. |
| | Set or change the Web service port configuration for a Web service application or SOA composite. |
| | Set, change, or delete a single stub property of a Web service client port for an application or SOA composite. |
| | Configure the set of stub properties of a Web service client port for an application or SOA composite. |
| | Display a list of all the available Oracle Web Services Manager (WSM) policies by category or subject type. |
| | List Web service port policy information for a Web service in an application or SOA composite. |
| | List Web service client port policies information for an application or SOA composite. |
| | Attach a policy to a Web service port of an application or SOA composite. |
| | Attach multiple policies to a Web service port of an application or SOA composite. |
| | Attach an Oracle WSM policy to a Web service client port of an application or SOA composite. |
| | Attach multiple policies to a Web service client port of an application or SOA composite. |
| | Enable or disable a policy attached to a port of a Web service application or SOA composite. |
| | Enable or disable multiple policies attached to a port of a Web service application or SOA composite. |
| | Enable or disable a policy of a Web service client port of an application or SOA composite. |
| | Enable or disable multiple policies of a Web service client port of an application or SOA composite. |
| | Detach an Oracle WSM policy from a Web service port of an application or SOA composite. |
| | Detach multiple Oracle WSM policies from a Web service port of an application or SOA composite. |
| | Detach a policy from a Web service client port of an application or SOA composite. |
| | Detach multiple policies from a Web service client port of an application or SOA composite. |
| | Configure the Web service port policy override properties of an application or SOA composite. |
The following table identifies the wsmManage commands that are supported on WebSphere, and provides links to the reference documentation in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Sample procedures for using these commands are described in the following chapters in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:
Note:
You can use these commands as described in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference and Oracle Fusion Middleware Security and Administrator's Guide for Web Services. However, in a WebSphere environment, you must execute the commands as described in "Executing the Web Services wsadmin Commands".
Table 5-2 wsmManage Commands Supported on IBM WebSphere
| Command | Description |
|---|---|
| | Begin a session to modify the Oracle MDS repository. |
| | Write the contents of the current session to the Oracle MDS repository. |
| | Abort the current Oracle MDS repository modification session, discarding any changes that were made to the repository during the session. |
| | Describe the contents of the current repository session. |
| | Attach a policy set to the specified resource scope. |
| | Attach a policy to a policy set using the policy's URI. |
| | Detach a policy from a policy set using the policy's URI. |
| | Clone a new policy set from an existing policy set. |
| | Create a new, empty policy set. |
| | Delete a specified policy set. |
| | Display the configuration of a specified policy set. |
| | Enable or disable a policy set. |
| | Enable or disable a policy attachment for a policy set using the policy's URI. |
| | Lists the policy sets in the repository. |
| | Specify an existing policy set to be modified in the current session. |
| | Specify a description for the policy set selected within session. |
| | Validate existing policy set in the repository or in a session. |
| | Migrates direct policy attachments to global policy attachments if they are identical. |
| | Import a set of documents from a supported ZIP archive file into the repository. You can provide the location of a file that describes how to map physical information from the source environment to the target environment. |
| | Export a set of documents from the repository into a supported ZIP archive. If the specified archive already exists, you can choose whether to overwrite the archive or merge the documents into the existing archive. |
| | Upgrade the Oracle WSM predefined policies stored in the Oracle MDS repository with any new predefined policies that are provided in the latest installation of the Oracle Fusion Middleware software. |
| | Delete the existing policies stored in the Oracle MDS repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle Fusion Middleware software. |