J Configuring SOAP Web Services Access

This appendix presents instructions on configuring SOAP Web services access.

J.1 Web Services Access

Web services let you access Oracle Adaptive Access Manager functionality that is made available on a remote computer. The OAAM web service enables you to make a request to OAAM to perform an action.

The advantage the OAAM web services is that you do not have to recreate application logic that has already been created.

Referencing a remote web service within your application is called consuming web services. You can consume a web service implemented as part of a .NET or Java application.

J.2 Requirements

The requirements for accessing the OAAM web service are the following:

  • Configuration of the SOAP web access requires the OAAM Extensions Shared Library for Native Integration using SOAP

  • The configurable properties must be specified in bharosa_server.properties and this file should be in the Java Classpath of the client application.

J.3 OAAM Server Side Setup

An access to a web service is similar to a function call except it references remote functionality over the Internet instead of referencing a library on your computer.

SOAP provides a standard XML structure for sending and receiving web service requests and responses over the Internet. The SOAP messages are sent using HTTP.

Web Services/SOAP clients need to send the username and password for successful communication with OAAM web services.

The password needs to be stored in a KeyStore for security.

Making web services available to others for remote access is called publishing web service.

Out-of-the-box, OAAM publishes Web services at the URL: /oaam_server/services. This URL is secured by HTTP authentication.

Access to this URL is allowed to the users with the OAAMSOAPServicesGroup role/group. You must add a user (a.k.a SOAP User) with the OAAMSOAPServicesGroup role/group to the OAAM Domain.


This step is not required if SOAP Authentication is disabled on the OAAM server

J.4 Client Side Setup

The client side setup is documented below.

J.4.1 Setup Client Keystore with Password of the SOAP User

To set up security for Native Client web services:

  1. In the $ORACLE_HOME/oaam/cli directory, create a file, for example, soap_key.file, and enter the HTTP authentication user password in it. (The password from the user that was added to the OAAMSOAPServicesGroup role/group).

  2. Copy sample.config_3des_input.properties to soap_3des_input.properties.

    cp sample.config_3des_input.properties soap_3des_input.properties
  3. Update soap_3des_input.properties with the keystore password, the alias password, and password file.

    #This is the password for opening the keystore. 
    #This is the password reading alias (key) in the keystore 
    #File containing from key. Please note, keys in AES could be binary. Also note algorithms like 3DES require minimum 24 characters in the key 
  4. Set ORACLE_MW_HOME and JAVA_HOME and source setCliEnv.sh.

  5. Generate the keystore.

    • For Unix/Linux, run

      $JAVA_EXE -Djava.security.policy=conf/jmx.policy -classpath $CLSPTH com.bharosa.vcrypt.common.util.KeyStoreUtil updateOrCreateKeyStore readFromFile=soap_3des_input.properties
    • For Windows, run

      genkeystore.cmd soap_3des_input.properties

    If the KeyStore command was successful, you will see output similar to the following:

    updateOrCreateKeyStore done!
    Keystore file:system_soap.keystore,algorithm=DESede
    KeyStore Password=ZG92ZTEyMzQ=
    Alias Password=ZG92ZTEyMw==
  6. Note down the Keystore password and Alias Password print on the screen. You will need to add these to bharosa_server.properties.

  7. Save the system_soap.keystore file in your source code control system. Please take adequate security precaution while handling this file. The file contains critical password information. Make sure that only authorized personnel have read access to this file. If you lose it, Oracle Adaptive Access Manager will not be able to recover data encrypted.

  8. Copy system_soap.keystore to the classpath of the Native Client deployment folder.

  9. Delete both the soap_key.file and soap_3des_input.properties files.

  10. Add the following properties with the encoded passwords (from step 5) and the authentication username to bharosa_server.properties.

    vcrypt.soap.auth.keystorePassword=<base64 encoded keystore password>
    vcrypt.soap.auth.aliasPassword=<based64 encoded password to the alias>
    vcrypt.soap.auth.username=<user configured for accessing the soap services>

Note: This step is not required if SOAP Authentication is disabled on the OAAM server.

See "Disable SOAP Authentication" section for details on disabling authentication from client side.

J.4.2 Disable SOAP Authentication

To disable or enable, HTTP authentication for Adaptive Strong Authenticator, set the following property to true (enabled) or false (disabled).


J.4.3 Specify SOAP Class

Set the vcrypt.common.util.vcryptsoap.impl.classname property.

This setting specifies for the application which libraries to use when creating SOAP messages to exchange with the OAAM services.

The available option is:


J.4.4 Specify SOAP Server Side URL

Set the vcrypt.tracker.soap.url property.

For example,


This setting is the location of the web services with which the application will communicate.

J.4.5 Specify SOAP Call Timeout

Set the vcrypt.soap.call.timeout property in milliseconds.

For example,


J.5 Disabling SOAP Service Authentication on the Server

You can enable or disable authentication using Oracle Web Services Manager (OWSM) policies through Oracle Enterprise Manager Fusion Middleware Control.

If you disable the SOAP Web Service authentication on the server (which is by default enabled), the client can use the web service without having been authenticated.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control of the Identity Management domain using the URL http://<host-name>:7001/em and WebLogic Admin user name and password.

  2. Locate oaam_server_server1 in the left hand side menu by expanding WebLogic Domain and the OAAM domain under it.

  3. Right click the oaam_server_server1 and select the Web Services menu option.

  4. Click the Oracle Infrastructure Web Services tab.

  5. Click the Attach Policies link in the top-right area of the page.

  6. Select all the rows related to the OAAM Web services in the next page and click the Next button.

  7. Select the rows oracle/no_authentication_service_policy and oracle/no_authorization_service_policy and click the Next button.

  8. Click the Attach button in the next page.

  9. Restart OAAM Server if required.