Companies worldwide are actively deploying service-oriented architectures (SOA) using Web services, both in intranet and internet environments. While Web services offer many advantages over traditional alternatives (for example, distributed objects or custom software), deploying networks of interconnected Web services still presents key challenges, particularly in terms of security and administration.
This chapter provides an overview of Web services security and administration in Oracle Fusion Middleware 11g.
Web Services Security and Administration in Oracle Fusion Middleware 11g
Securing and Administering Oracle Infrastructure Web Services
Note:
Oracle Web Services Manager and Oracle Infrastructure Web Services are also supported on IBM WebSphere. Differences in behavior, and any limitations, are described in "Managing Web Services on IBM WebSphere" in Oracle Fusion Middleware Third-Party Application Server Guide.The following highlights the main features of Oracle Fusion Middleware 11g Release 1 (11.1.1):
Oracle Web Services Manager (WSM) security and management has been completely redesigned and rearchitected. The previous release, Oracle WSM 10g, was delivered as a standalone product or as a component of the Oracle SOA Suite. In the 11g release, Oracle WSM has been integrated into the Oracle WebLogic Server. For complete details, see "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware".
Oracle Web services can be classified into the following categories:
WebLogic (Java EE) Web services (see "Securing and Administering WebLogic Web Services")
Oracle Infrastructure Web services—SOA, ADF, and WebCenter services (see "Securing and Administering Oracle Infrastructure Web Services")
For more information about the two Web service categories and the types of Web services and clients in Oracle Fusion Middleware 11g, see Oracle Fusion Middleware Introducing Web Services.
To support the two categories, there are two types of policies that can be attached to Web services, as defined in the following table.
Table 1-1 Types of Web Service Policies
Type of Policy | Description |
---|---|
Oracle Web Services Manager (WSM) Policy |
Policy provided by the Oracle WSM. You can attach Oracle WSM policies to SOA, ADF, and WebCenter Web services. You can attach Oracle WSM security policies only to WebLogic JAX-WS Web services to interface with the SOA/ADF/WebCenter Web services, for example. (You cannot attach Oracle WSM policies to JAX-RPC Web services.) You manage Oracle WSM policies from Oracle Enterprise Manager Fusion Middleware Control and from the command line using custom WebLogic Scripting Tool (WLST) commands. |
WebLogic Web Service Policy |
Policy provided by WebLogic Server. For more information about the WebLogic Web service policies, see Securing WebLogic Web Services for Oracle WebLogic Server. A subset of WebLogic Web service policies interoperate with Oracle WSM policies. For more information, see "Interoperability with Oracle WebLogic Server 11g Web Service Security Environments" in Interoperability Guide for Oracle Web Services Manager. You manage WebLogic Web service policies from WebLogic Administration Console. |
Application developers can use Oracle JDeveloper to leverage the security and management features of the Oracle WSM policy framework. For more information about attaching policies using Oracle JDeveloper, see the following sections:
"Attaching Policies to Binding Components and Service Components" in Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.
"Securing Web Service Data Controls" in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
"Using Oracle Web Services Manager Security Policies" in Securing WebLogic Web Services for Oracle WebLogic Server
"Using Policies with Web Services" in the "Developing with Web Services" section of the Oracle JDeveloper online help
System administrators can use the following tools to secure and administer Web services:
Oracle Enterprise Manager Fusion Middleware Control to secure and administer Oracle Infrastructure Web services, and to secure and test WebLogic (Java EE) Web services.
Oracle WebLogic Administration Console to secure and administer WebLogic (Java EE) Web services.
Oracle WebLogic Scripting Tool (WLST) to view, configure, and secure SOA, ADF, and WebCenter Web services.
The following list provides an example of the tasks required to secure and administer Web services:
Deploy, configure, test, and monitor Web services.
Enable, publish, and register Web services.
Directly attach policies to policy subjects to secure and manage Web services and analyze policy usage.
Attach policies on a global scope to a range of subjects of the same type to secure and manage Web services. Supported scopes include domain, server, application, partition, module, SOA composite, service, SOA reference, port, and component.
Create new policies and assertion templates, and manage and configure existing policies.
Create custom assertions to meet the requirements of your application.
Manage policy lifecycle to transition from a test to production environment.
Manage your file-based and database stores in your development and production environments, respectively.
Test interoperability with other Web services.
Diagnose problems.
The steps to develop, secure, and administer Web services vary based on the Web service category in use. The following sections outline the steps required:
To secure and administer Oracle Infrastructure Web services:
At development time, application developers can attach policies, using Oracle JDeveloper or other IDE, to leverage the security and management features of the Oracle WSM policy framework. For more information about attaching policies using Oracle JDeveloper, see the following sections:
"Attaching Policies to Binding Components and Service Components" in Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.
"Securing Web Service Data Controls" in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
"Using Policies with Web Services" in the "Developing with Web Services" section of the Oracle JDeveloper online help.
System administrators can use the tools described in Table 1-2 to secure and administer Oracle Infrastructure Web services.
Table 1-2 Tools Used to Secure and Administer Oracle Infrastructure Web Services
Use this tool... | To... |
---|---|
Oracle Enterprise Manager Fusion Middleware Control |
Secure and administer SOA, ADF, and WebCenter services, performing the tasks described in "Web Service Security and Administration Tasks". To access Oracle Enterprise Manager Fusion Middleware Control, see "Accessing Oracle Enterprise Manager Fusion Middleware Control". Oracle Enterprise Manager Fusion Middleware Control leverages Oracle Web Services Manager (WSM) to centrally define security and management policies, and enforce them locally at run time. For more information about Oracle WSM, see "Understanding Oracle WSM Policy Framework". For more information about Oracle Enterprise Manager Fusion Middleware Control, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide. |
WebLogic Scripting Tool (WLST) |
Perform Web service configuration and policy management tasks. To access WLST, see "Accessing the Web Services Custom WLST Commands". For more information about using WLST, see "Getting Started Using the Oracle WebLogic Scripting Tool (WLST)" in Oracle Fusion Middleware Administrator's Guide. |
Part II, "Basic Administration" and Part III, "Advanced Administration" describe how to secure and administer SOA, ADF, and WebCenter services in detail.
To secure and administer WebLogic Web services:
At development time, application developers can attach security policies using Oracle JDeveloper or other IDE. For more information, see the following topics:
"Using Policies with Web Services" in the "Developing with Web Services" section of the Oracle JDeveloper online help.
"Using Oracle Web Services Manager Security Policies" in Securing WebLogic Web Services for Oracle WebLogic Server
System administrators can use the tools defined in Table 1-3 to secure and administer WebLogic Web services.
Table 1-3 Tools Used to Secure and Administer WebLogic Web Services
Use this tool . . . | To perform the following tasks . . . |
---|---|
Oracle Enterprise Manager Fusion Middleware Control |
Leverage Oracle WSM to perform the following tasks:
For more information about Oracle WSM, see "Understanding Oracle WSM Policy Framework". To access Oracle Enterprise Manager Fusion Middleware Control, see "Accessing Oracle Enterprise Manager Fusion Middleware Control". For more information about Oracle Enterprise Manager Fusion Middleware Control, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide. Note: The following features are not supported for WebLogic Web services in the 11g release:
|
Oracle WebLogic Server Administration Console |
Secure and manage WebLogic Web services. To access the Oracle WebLogic Server Administration Console, see "Accessing Oracle WebLogic Administration Console". For more information about using the Oracle WebLogic Server Administration Console to secure and administer WebLogic Web services, see "Web Services" in the Oracle WebLogic Server Administration Console Help. |
Part IV, "WebLogic Web Service Administration" provides a roadmap for securing and administering WebLogic Web services.
The following sections describe how to access the security and administration tools described in the previous sections.
To access Oracle Enterprise Manager Fusion Middleware Control:
Start the Oracle WebLogic Server instance.
For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Help.
Open a supported Web browser and navigate to the following URL:
http://hostname:port/em
The Login page displays.
Enter the username and password.
The default user name for the administrator user is weblogic
. This is the account you can use to log in to Fusion Middleware Control for the first time. The password is the one you supplied during the installation of Oracle Fusion Middleware.
Click Login.
For more information, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide.
To access Oracle WebLogic Administration Console:
Start the Oracle WebLogic Server.
For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Help.
Open a supported Web browser and navigate to one of the following URLs:
http://hostname:port/console https://hostname:port/console
hostname
specifies the DNS name or IP address of the Oracle WebLogic Administration Server and port
specifies the address of the port on which the Oracle WebLogic Administration Server is listening for requests (7001 by default).
Use https
if you started the Oracle WebLogic Server using the Secure Sockets Layer (SSL).
For a list of supported browsers, see System Requirements and Supported Platforms for Oracle WebLogic Server at: http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html
.
The Login page displays.
Enter the username and password.
You may have specified the username and password during the installation process. This may be the same username and password that you use to start the Oracle Administration Server. Or, a username that is granted one of the default global security roles.
Click Log In.
For more information, see "Start the Console" in the Oracle WebLogic Server Administration Console Help.
To access the Web services WLST commands:
Go to the Oracle Common home directory for your installation, for example /home/Oracle/Middleware/oracle_common
.
For information about the Oracle Common home directory and installing Oracle Fusion Middleware, see the Oracle Fusion Middleware Installation Planning Guide.
Start WLST using the WLST.sh/cmd
command located in the oracle_common/common/bin
directory. For example:
/home/Oracle/Middleware/oracle_common/common/bin/wlst.sh
(UNIX)
C:\Oracle\Middleware\oracle_common\common\bin\wlst.cmd
(Windows)
When executed, these commands start WLST in offline mode. To use the Web services WLST commands, you must use WLST in online mode.
Start Oracle WebLogic Server.
For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Help.
Connect to the running WebLogic Server instance using the connect()
command. For example, the following command connects WLST to the Admin Server at the URL myAdminServer.oracle.com:7001
using the username/password credentials weblogic/welcome1
:
connect("weblogic","welcome1","t3://myAdminServer.oracle.com:7001")
For more information about using WLST, see "Using the WebLogic Scripting Tool" in Oracle WebLogic Scripting Tool.
For more information about the Web Services WLST commands, see "Web Services Custom WLST Commands" in WebLogic Scripting Tool Command Reference.
Oracle WSM is installed by default when you install Oracle Fusion Middleware SOA Suite or Oracle Application Development Runtime. However, if you have a standalone WebLogic Server environment with JAX-WS Web services and clients deployed, you can install Oracle WSM and use it to secure your Web services and clients.
Note:
Oracle WSM is licensed only through SOA Suite; a standalone license is not available. To secure Web service clients and services using Oracle WSM on base Weblogic Server, you must acquire a SOA Suite license in addition to a Weblogic Server license.To use Oracle WSM with WebLogic Server, you need Java Required Files (JRF) and Oracle Enterprise Manager Fusion Middleware Control. JRF consists of those components, such as Oracle WSM, that provide common functionality for Oracle business applications and application frameworks. Oracle Enterprise Manager Fusion Middleware Control is used to secure and administer WebLogic Web services.
Neither JRF or Fusion Middleware Control are included in the WebLogic Server installation. The following procedure describes the steps required to install and configure Oracle WSM with WebLogic Server.
Prepare for the installation by reviewing the concepts and requirements as described in the Oracle Fusion Middleware Installation Planning Guide.
Download the following Oracle Fusion Middleware software components:
Oracle WebLogic Server
Oracle Application Development Runtime
Oracle Fusion Middleware Repository Creation Utility
For download sites, see "Obtain the Oracle Fusion Middleware Software" in Oracle Fusion Middleware Installation Planning Guide.
Create the MDS schema in your database.
Oracle Application Developer includes Oracle WSM Policy Manager and Oracle WSM-PM Extension. These components require that the MDS schema exists in your database prior to installation. You must run the Repository Creation Utility (RCU) to create the MDS schema in your database. For instructions, see "Creating Schemas" in Oracle Fusion Middleware Repository Creation Utility User's Guide.
Note:
In the Select Components screen, be sure to select Metadata Services under AS Common Schemas.Install WebLogic Server. For detailed instructions, see Installation Guide for Oracle WebLogic Server.
Be sure to take note of the location that you specify for the Middleware Home directory as you will need to provide it during the Application Developer installation.
Install Application Developer. For detailed instructions, see "Installation Instructions" in Oracle Fusion Middleware Installation Guide for Application Developer.
Note:
In the Specify Installation Location screen, specify the Middleware home location that you provided during the WebLogic Server installation.Create a domain that includes Oracle Enterprise Manager, Oracle WSM, and JRF using the Configuration Wizard. For details, see "Configuring Application Developer" in Oracle Fusion Middleware Installation Guide for Application Developer.
Note:
In the Select Domain Source screen of the Configuration Wizard, select Oracle Enterprise Manager and Oracle WSM Policy Manager. Oracle JRF is automatically selected as a dependency.You can now secure and administer WebLogic Web services as described in "Securing and Administering WebLogic Web Services".