4 Security Considerations for Developers

This chapter provides information for developers about how to secure Oracle Communications ASAP work order messages from order management systems to and from the Java service request processor (JSRP) or the ASAP Web Service implementation, and provides information about developing secure ASAP cartridges.

Securing OSS/J Over JMS Connections

You can secure OSS/J messages over Java messaging service (JMS) connections using WebLogic security policies. These policies can be created to secure JMS destinations. These policies enable only authorized ASAP WebLogic users to send, receive, and browse JMS messages to and from a destination. For more information about configuring WebLogic Server JMS connection security, see the Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.

Note: Web Service messages can also be sent over JMS.

Securing Web Services Connections

Web Services connections can be established over JMS, HTTP, and HTTPS. Oracle recommends using JMS or HTTPS to insure secure Web Service work order communication between and order management system and ASAP.

ASAP Web Service access control security determines the functionality that each user can access. ASAP uses policies and roles configured within the ASAP WebLogic server to secure Web Service work order messages. Clients that send Web Service work orders must provide an ASAO WebLogic user id that is a member of the ASAP WebLogic group ASAP_WS_USERS_GROUP. The web.xml file defines the security role ASAP_WS_USERS and weblogic.xml file defines the security principal name as ASAP_WS_USERS_GROUP.

Here is a sample security header in a SOAP request:

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
            <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="unt_AF6po7ocfkMUDzde">
                <wsse:Username>username</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </env:Header>
    <env:Body>
        <m:order_type xmlns:m="http://xmlns.oracle.com/communications/activation/asap/webservices">
 
OSS/J_work_order
 
        </m:order_type>
    </env:Body>
</env:Envelope>

Where:

• username: is the user name for the Web Service user-defined in the ASAP WebLogic server instance.

• password: is the password for the Web Service user-defined in the ASAP WebLogic server instance.

• order_type: is the type of work order sent.

• OSS/J_work_order: is the OSS/J work order information. When you add the work order information, do not include the XML header information (<?xml version="1.0" encoding="UTF-8"?>) since this has already been provided in the sample. Also, ensure that there are no namespace conflicts.

Cartridge Development

When developing an ASAP cartridge, store NE credentials in the Control server secure class B table. You must configure ASAP Java methods to access these credentials from the Control server when you establish connections from the NEP or JNEP to each NE. For more information, see ASAP Cartridge Development Guide.