8 Managing Web Services on IBM WebSphere

Oracle Infrastructure Web Services and Oracle Web Services Manager are supported on IBM WebSphere, with some limitations. The tasks required to secure and administer Oracle Infrastructure Web services are described in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. This chapter provides specific information for managing Oracle Fusion Middleware Web services on IBM WebSphere, and describes the limitations.

This chapter contains the following sections:

8.1 Configuring a Default Administrative User from the LDAP Directory

On WebSphere, Oracle Platform Security Services (OPSS) supports LDAP-based registries only; in particular, it does not support WebSphere's built-in file-based user registry. For information about configuring an LDAP registry and seeding the registry with users and groups required by Fusion Middleware components such as Oracle WSM, see Chapter 9, "Managing Oracle Fusion Middleware Security on IBM WebSphere."

By default, the Oracle WSM Policy Manager uses the wasadmin administrative user to communicate with the server. If this user is not available in the LDAP, you must configure the policy manager to use a principal administrative user from the LDAP as described in the following procedure.

  1. Configure the LDAP registry as described in "IBM WebSphere Identity Stores" and restart the server.

    Note:

    The remaining steps in this procedure use the following sample primary user properties: cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com and orcladmin-csf-key for the jndi.lookup.csf.key that will be used for the administrator user access. The values for these properties will vary depending on your environment.

  2. Update the credential store cwallet.sso file and the security role mappings using wsadmin commands as follows:

    # Sample values from the note above; substitute your own DN, csf-key and password.
    Opss.createCred(map='oracle.wsm.security', key='orcladmin-csf-key',
        user='cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com', password='welcome1',
        desc='wsm-pm admin user csf-key')

    # Map each Oracle WSM role of the wsm-pm application to the LDAP administrative user.
    # Each argument string stays on one line so that it is a valid Jython string literal.
    AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ policy.Updater AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No "user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]')

    AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ policy.Accessor AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No " |user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]')

    AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ policy.User AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No "user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]')

    AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ policyViewer AppDeploymentOption.No AppDeploymentOption.No cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com "" AppDeploymentOption.No " |user:cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com" "" ]]]')

    # Persist the configuration changes, then leave wsadmin.
    AdminConfig.save()

    exit
    

    Note:

    The syntax for the policyViewer property differs from that of the other properties in that it does not include the separating period. Specifically, the syntax for these properties is policy.Updater, policy.Accessor, policy.User, policyViewer.

  3. Restart the server.

8.2 Configuring Oracle WSM on IBM WebSphere

The following sections describe how to configure Oracle WSM and connect to the policy manager:

8.2.1 Configuring Oracle WSM

Oracle WSM is installed by default when you install Oracle Fusion Middleware SOA Suite or Oracle Application Development Runtime. For more information about installation, see Chapter 2, "Installing and Configuring Oracle Fusion Middleware on IBM WebSphere."

To configure Oracle Fusion Middleware in a new IBM WebSphere environment, you use a special version of the Oracle Fusion Middleware Configuration Wizard as described in "Using the Configuration Wizard" in Configuration Guide for IBM WebSphere Application Server.

To configure Oracle WSM when you create or extend a cell using the Configuration Wizard, be sure to select the following options in the Add Products to Cell screen:

  • Oracle Enterprise Manager for WebSphere

  • Oracle WSM Policy Manager

If you plan to use asynchronous Web services, select Oracle JRF WebServices Asynchronous services also. For more information, see "Asynchronous Web Services".

Note:

Oracle JRF for WebSphere is automatically selected as a dependency when you select any of the above products.

8.2.2 Connecting to the Oracle WSM Policy Manager

In a WebSphere environment, the Oracle WSM Policy Manager does not run on the same server as Oracle Enterprise Manager. Therefore, the Oracle WSM automatic discovery feature cannot locate and connect to an Oracle WSM Policy Manager. To connect to the policy manager, use the following procedure:

  1. In the navigator pane of Enterprise Fusion Middleware Control, expand WebSphere Cell to view the cells.

  2. Select the cell for which you want to configure the policy manager.

  3. Right-click the name of the cell and from the menu select Web Services then Platform Policy Configuration.

    The Platform Policy Configuration page displays, as shown in Figure 8-1.

    Figure 8-1 Platform Policy Configuration


  4. Select the Policy Accessor tab.

    The Policy Accessor tab enables you to explicitly set a remote JNDI provider URL and corresponding csf-key credentials to access a Policy Manager on a remote server.

  5. Click Add to define the remote JNDI provider.

    In the Add New Configure Property window, specify the following values:

    1. In the Name field, enter the JNDI provider URL property as java.naming.provider.url.

    2. In the Value field, enter the URL for the server on which the policy manager is running. For example:

      corbaloc:iiop:hostname:rmiport 
      

      where hostname specifies the DNS name or IP address of the WebSphere server and rmiport specifies the port number on which the policy manager is running.

    3. Click OK.

  6. Click Add to define a corresponding csf-key credential property.

    If the location of the Oracle WSM Policy Manager is provided in the java.naming.provider.url property, the jndi.lookup.csf.key provides the credential configuration.

    Note:

    The csf-key that you specify in this step must match the csf-key specified for the Policy Manager administrative user in the credential store. For more information about adding an Oracle WSM Policy Manager administrative user to the credential store, see "Configuring a Default Administrative User from the LDAP Directory".

    In the Add New Configure Property window, specify the following values:

    1. In the Name field, enter the name of the JNDI provider's csf-key credential property as jndi.lookup.csf.key.

    2. In the Value field, enter the csf-key credentials.

      Because the Policy Manager is security enabled, the csf-key specifies the java.naming.security.principal and java.naming.security.credentials when using the JNDI URL to look up a Policy Manager.

      For example, using the sample provided in "Configuring a Default Administrative User from the LDAP Directory", the administrative user is orcladmin and the csf-key is orcladmin-csf-key.

    3. Click OK.

      Figure 8-2 shows the Policy Accessor tab with the java.naming.provider.url and jndi.lookup.csf.key property settings.

      Figure 8-2 Policy Accessor Property Settings


    For information about additional properties you can set on the Policy Accessor tab, see "Configuring Web Service Policy Retrieval" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  7. Optionally, select the Policy Cache tab.

    The Policy Cache tab allows you to tune the behavior of the policy cache delay for Web service endpoints, which can help to avoid network calls and increase performance when fetching policies from a remote Oracle WSM Policy Manager.

  8. To modify an existing policy cache property, select it and then click Edit. In the Edit Policy Cache Property window, you can edit the Value field to change the default amount for the property.

    You may want to edit the following property:

    • cache.tolerance – This ensures that the policy set retrieved from the Web service endpoint policy cache is the most current version (that is, it has not exceeded the cache.tolerance value). If it is determined that the policy set is stale, the updated policy set is retrieved from the Oracle WSM policy manager and refreshed in the Web service endpoint policy cache. The default is 60000 milliseconds (1 minute).

  9. To add another property, click Add, and in the Add New Policy Cache Property window, specify the necessary values.

  10. To delete an existing property, select it and then click Delete.

  11. Click Apply to apply the property updates.
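
The note in step 6 requires the jndi.lookup.csf.key value to match the csf-key created in "Configuring a Default Administrative User from the LDAP Directory", and that section's note points out the policyViewer spelling. The following pre-flight check for both is an added example, not Oracle's code: it is a stand-alone Python script run outside wsadmin, check_settings and edit_command are hypothetical names, the script text and property values are constructed, and the hostname pattern assumes a DNS name or IPv4 address.

```python
import re

# Role names exactly as the note in section 8.1 gives them (policyViewer has no period).
VALID_ROLES = {"policy.Updater", "policy.Accessor", "policy.User", "policyViewer"}
ROLE_RE = re.compile(r"-MapRolesToUsers\s*\[\[\s*(\S+)")
CRED_KEY_RE = re.compile(r"Opss\.createCred\s*\(.*?\bkey\s*=\s*'([^']+)'", re.S)
# Assumption of this example: hostname is a DNS name or an IPv4 address.
CORBALOC_RE = re.compile(r"^corbaloc:iiop:([A-Za-z0-9.-]+):(\d{1,5})$")


def check_settings(script_text, accessor_props):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    roles = ROLE_RE.findall(script_text)
    for role in roles:
        if role not in VALID_ROLES:
            findings.append("unknown role name: %s" % role)
    for missing in sorted(VALID_ROLES - set(roles)):
        findings.append("role not mapped: %s" % missing)

    # The Policy Accessor csf-key must name a credential created with Opss.createCred.
    csf_key = accessor_props.get("jndi.lookup.csf.key")
    if not csf_key:
        findings.append("jndi.lookup.csf.key is not set")
    elif csf_key not in CRED_KEY_RE.findall(script_text):
        findings.append("csf-key %r has no matching Opss.createCred entry" % csf_key)

    # The provider URL must follow corbaloc:iiop:hostname:rmiport.
    url = accessor_props.get("java.naming.provider.url", "")
    match = CORBALOC_RE.match(url)
    if not match:
        findings.append("provider URL is not corbaloc:iiop:hostname:rmiport: %r" % url)
    elif not 1 <= int(match.group(2)) <= 65535:
        findings.append("rmiport out of range: %s" % match.group(2))
    return findings


DN = "cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com"


def edit_command(role):
    """Build one role-mapping command in the shape section 8.1 shows."""
    return ("AdminApp.edit('wsm-pm', '[ -MapRolesToUsers [[ %s AppDeploymentOption.No "
            "AppDeploymentOption.No %s \"\" AppDeploymentOption.No \"user:%s\" \"\" ]]]')"
            % (role, DN, DN))


# Constructed input: policy.Viewer is misspelled and the two csf-key values differ.
SAMPLE_SCRIPT = "\n".join(
    ["Opss.createCred(map='oracle.wsm.security', key='orcladmin-csf-key',",
     "    user='%s', password='<password>'," % DN,
     "    desc='wsm-pm admin user csf-key')"]
    + [edit_command(r) for r in ("policy.Updater", "policy.Accessor",
                                 "policy.User", "policy.Viewer")])
SAMPLE_PROPS = {"java.naming.provider.url": "corbaloc:iiop:wsmhost.example.com:2809",
                "jndi.lookup.csf.key": "orcladmin-key"}

if __name__ == "__main__":
    for finding in check_settings(SAMPLE_SCRIPT, SAMPLE_PROPS):
        print(finding)
```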

8.3 Differences and Restrictions When Developing Web Services Applications on IBM WebSphere

The following sections describe the differences when developing Web services applications on IBM WebSphere:

8.3.1 High Availability

Not all high availability (HA) features may be available at the same quality of service levels as WebLogic Server.

For example, Jython scripts are not available to configure the Java Object Cache in a clustered environment.

8.3.2 Asynchronous Web Services

Asynchronous Web services are supported on platforms other than WebLogic Server. For asynchronous Web services to function, the following JMS default queues must be present:

  • oracle.j2ee.ws.server.async.DefaultRequestQueue

  • oracle.j2ee.ws.server.async.DefaultResponseQueue

  • oracle.j2ee.ws.server.async.DefaultRequestErrorQueue

  • oracle.j2ee.ws.server.async.DefaultResponseErrorQueue

  • weblogic.jms.XAConnectionFactory

To create these queues, you must configure Oracle JRF Asynchronous Web Services using the Oracle Fusion Middleware Configuration Wizard. You do so in the Add Products to Cell screen in the Configuration Wizard as described in "Configuring Oracle WSM". Once you have created or extended a cell with this template, the JMS queues are available for use.

8.3.3 JDeveloper

When using JDeveloper, the remote Oracle WSM policy store on a WebSphere server is not available.

8.4 Differences and Restrictions When Managing Web Services Components on IBM WebSphere

The following sections describe the differences and restrictions for managing Web services components on IBM WebSphere:

8.4.1 Automatic Discovery of Oracle WSM Policy Manager

Automatic discovery of the Oracle WSM policy manager is not supported by third-party application servers, such as WebSphere. For details about connecting to the policy manager, see "Configuring Oracle WSM on IBM WebSphere".

8.4.2 Web Services Atomic Transactions

Web Services Atomic Transactions (WSAT) are not supported and will result in runtime errors.

8.4.3 No Support for Native Web Services

Native Web services, such as those that are deployed to a stack other than the Oracle Infrastructure Web Services stack, are not exposed in the WSIL. Only the deployed Oracle Infrastructure Web Services are listed. The WSIL application is deployed on every server as part of the JRF template and the URI to access the application is /inspection.wsil. The wsil application uses basic HTTP authentication to ensure that only authorized users can access the list of Web services.

8.4.4 Reliable Messaging

WS-Reliable Messaging (WS-RM) is supported on IBM WebSphere with the following limitations:

  • WS-RM includes support for persistent database (DB) message store with Oracle databases only.

  • WS-RM supports clustering only when Coherence is installed and available. This behavior is the same as WebLogic Server on all the platforms where Coherence is available.

8.4.5 Enterprise Manager Fusion Middleware Control

On IBM WebSphere, you access the Web services pages in Fusion Middleware Control using either of the following methods:

  • From the main WebSphere Cell menu, select Web Services, then the desired Web services page, as shown in Figure 8-3.

    Figure 8-3 Web Services Menu


  • In the navigation pane, right-click on the target cell name, then select Web Services, then the desired Web services page.

The following limitations and differences apply when managing Web services using Fusion Middleware Control:

  • You cannot view or manage Web services at the server level.

  • The bulk policy attachment feature is not available.

  • The registered sources and services, and publish to UDDI features are not available.

  • The Application Deployment Summary page does not include the list of Web Services, or the Most Requested table.

  • Native WebSphere Web services are not supported.

  • The Usage Analysis page displays the WebSphere cell and server names.

8.5 Using the Web Services wsadmin Commands

The Web services wsadmin commands are identical to the custom Web services WebLogic Scripting Tool (WLST) commands provided for WebLogic Server. The Web services commands are grouped into two categories:

  • WebServices—These commands consist of the Web service and client management commands, and the policy management commands. For a complete list of these commands, see "WebServices wsadmin Commands".

  • wsmManage—These commands consist of the policy set management commands, the import/export repository commands, and the Oracle WSM repository maintenance commands. For a complete list of these commands, see "wsmManage wsadmin Commands".

Note:

Because the Oracle WSM Policy Manager is security enabled, you must pass Java system properties, such as username and password, when invoking wsadmin. For details about invoking wsadmin and using the wsadmin commands, see "Using the Oracle Fusion Middleware wsadmin Commands".

Refer to the following sections for more information:

8.5.1 Executing the Web Services wsadmin Commands

To execute the wsadmin commands, you must prefix each command with the category name. That is, each command in the WebServices category must be preceded by WebServices, and each command in the wsmManage category must be preceded with wsmManage. For example:

  • To execute a command in the WebServices category, such as the listWebServices() command, enter the following:

    wsadmin>WebServices.listWebServices(None, None, 'true')
    
    /NonTLRCell/OracleAdminServer/j2wbasicPolicy :
            moduleName=j2wbasicPolicy, moduleType=web, serviceName=WssUsernameService
            enableTestPage: true
            enableWSDL: true
     
                    JRFWssUsernamePort      http://host.example.com:9002/j2wbasicPolicy/WssUsername
                    enable: true
                    enableREST: false
                    enableSOAP: true
                    maxRequestSize: -1
                    loggingLevel: NULL
                    wsat.flowOption: NEVER
                    wsat.version: DEFAULT
                    security : oracle/wss_username_token_service_policy, enabled=true, effective=true
                    addressing : oracle/wsaddr_policy, enabled=true
                    (global) security : oracle/binding_authorization_permitall_policy, enabled=true
                            /policysets/global/app-only-web-service-policies : Application("j2wbasicPolicy")
                    Attached policy or policies are valid; endpoint is secure.
    
  • To execute a command in the wsmManage category, such as the listPolicySets() command, enter the following:

    wsadmin>wsmManage.listPolicySets()
    
    Global Policy Sets in Repository:
      all-cells-default-web-service-policies
      app-only-web-service-policies
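
The listWebServices output above lists each port with its attached policies, which makes it a convenient input for a policy audit. The following parser is an added example, not part of the Oracle tooling: it is a stand-alone Python script run over captured output, parse_ports and audit are hypothetical names, the second port in the sample is constructed, and treating a permit-all policy as insufficient on its own is this example's rule.

```python
import re

PORT_RE = re.compile(r"^(\S+)\s+(https?://\S+)$")
POLICY_RE = re.compile(
    r"^(\(global\)\s+)?([\w.]+)\s*:\s*(\S+),\s*enabled=(true|false)"
    r"(?:,\s*effective=(true|false))?")
SECURE_LINE = "Attached policy or policies are valid; endpoint is secure."

# Output from the listWebServices example above (trimmed), followed by a
# constructed second port whose own security policy is disabled.
SAMPLE = """\
/NonTLRCell/OracleAdminServer/j2wbasicPolicy :
        moduleName=j2wbasicPolicy, moduleType=web, serviceName=WssUsernameService
                JRFWssUsernamePort      http://host.example.com:9002/j2wbasicPolicy/WssUsername
                enable: true
                security : oracle/wss_username_token_service_policy, enabled=true, effective=true
                addressing : oracle/wsaddr_policy, enabled=true
                (global) security : oracle/binding_authorization_permitall_policy, enabled=true
                        /policysets/global/app-only-web-service-policies : Application("j2wbasicPolicy")
                Attached policy or policies are valid; endpoint is secure.
                LegacyPort      http://host.example.com:9002/j2wbasicPolicy/Legacy
                enable: true
                security : oracle/wss_username_token_service_policy, enabled=false, effective=false
                (global) security : oracle/binding_authorization_permitall_policy, enabled=true
"""


def parse_ports(output):
    """Split listWebServices text into one record per port."""
    ports = []
    for raw in output.splitlines():
        line = raw.strip()
        port = PORT_RE.match(line)
        policy = POLICY_RE.match(line)
        if port:
            ports.append({"port": port.group(1), "url": port.group(2),
                          "policies": [], "declared_secure": False})
        elif not ports:
            continue  # application and service header lines
        elif policy:
            ports[-1]["policies"].append({
                "category": policy.group(2), "uri": policy.group(3),
                "enabled": policy.group(4) == "true",
                # effective= is not printed on every line; absent is not "false"
                "effective": policy.group(5) != "false"})
        elif line == SECURE_LINE:
            ports[-1]["declared_secure"] = True
    return ports


def audit(output):
    """Return (port, finding) pairs for ports that need a closer look."""
    findings = []
    for port in parse_ports(output):
        active = [p for p in port["policies"]
                  if p["category"] == "security" and p["enabled"] and p["effective"]]
        if not active:
            findings.append((port["port"], "no enabled, effective security policy"))
        elif all("permitall" in p["uri"] for p in active):
            # Assumption of this example: permit-all alone is worth flagging.
            findings.append((port["port"], "only permit-all authorization is active"))
        if not port["declared_secure"]:
            findings.append((port["port"], "wsadmin did not report the endpoint as secure"))
    return findings
```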
    

8.5.2 WebServices wsadmin Commands

The following table identifies the WebServices management wsadmin commands that are supported on WebSphere, and provides links to the reference documentation in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Sample procedures for using the commands are described in the following chapters in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

Note:

You can use these commands as described in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference and Oracle Fusion Middleware Security and Administrator's Guide for Web Services. However, in a WebSphere environment, you must execute the commands as described in "Executing the Web Services wsadmin Commands".

Table 8-1 WebServices wsadmin Commands Supported on IBM WebSphere

| Command | Description |
| --- | --- |
| listWebServices | List the Web service information for an application, composite, or cell. |
| listWebServicePorts | List the Web service ports for a Web service application or SOA composite. |
| listWebServiceConfiguration | List Web services and port configuration for an application or SOA composite. |
| listWebServiceClients | List Web service client information for an application, SOA composite, or cell. |
| listWebServiceClientPorts | List Web service client ports information for an application or SOA composite. |
| listWebServiceClientStubProperties | List Web service client port stub properties for an application or SOA composite. |
| setWebServiceConfiguration | Set or change the Web service port configuration for a Web service application or SOA composite. |
| setWebServiceClientStubProperty | Set, change, or delete a single stub property of a Web service client port for an application or SOA composite. |
| setWebServiceClientStubProperties | Configure the set of stub properties of a Web service client port for an application or SOA composite. |
| listAvailableWebServicePolicies | Display a list of all the available Oracle Web Services Manager (WSM) policies by category or subject type. |
| listWebServicePolicies | List Web service port policy information for a Web service in an application or SOA composite. |
| listWebServiceClientPolicies | List Web service client port policies information for an application or SOA composite. |
| attachWebServicePolicy | Attach a policy to a Web service port of an application or SOA composite. |
| attachWebServicePolicies | Attach multiple policies to a Web service port of an application or SOA composite. |
| attachWebServiceClientPolicy | Attach an Oracle WSM policy to a Web service client port of an application or SOA composite. |
| attachWebServiceClientPolicies | Attach multiple policies to a Web service client port of an application or SOA composite. |
| enableWebServicePolicy | Enable or disable a policy attached to a port of a Web service application or SOA composite. |
| enableWebServicePolicies | Enable or disable multiple policies attached to a port of a Web service application or SOA composite. |
| enableWebServiceClientPolicy | Enable or disable a policy of a Web service client port of an application or SOA composite. |
| enableWebServiceClientPolicies | Enable or disable multiple policies of a Web service client port of an application or SOA composite. |
| detachWebServicePolicy | Detach an Oracle WSM policy from a Web service port of an application or SOA composite. |
| detachWebServicePolicies | Detach multiple Oracle WSM policies from a Web service port of an application or SOA composite. |
| detachWebServiceClientPolicy | Detach a policy from a Web service client port of an application or SOA composite. |
| detachWebServiceClientPolicies | Detach multiple policies from a Web service client port of an application or SOA composite. |
| setWebServicePolicyOverride | Configure the Web service port policy override properties of an application or SOA composite. |


8.5.3 wsmManage wsadmin Commands

The following table identifies the wsmManage commands that are supported on WebSphere, and provides links to the reference documentation in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. Sample procedures for using these commands are described in the following chapters in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

Note:

You can use these commands as described in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference and Oracle Fusion Middleware Security and Administrator's Guide for Web Services. However, in a WebSphere environment, you must execute the commands as described in "Executing the Web Services wsadmin Commands".

Table 8-2 wsmManage Commands Supported on IBM WebSphere

| Command | Description |
| --- | --- |
| beginRepositorySession | Begin a session to modify the Oracle MDS repository. |
| commitRepositorySession | Write the contents of the current session to the Oracle MDS repository. |
| abortRepositorySession | Abort the current Oracle MDS repository modification session, discarding any changes that were made to the repository during the session. |
| describeRepositorySession | Describe the contents of the current repository session. |
| attachPolicySet | Attach a policy set to the specified resource scope. |
| attachPolicySetPolicy | Attach a policy to a policy set using the policy's URI. |
| detachPolicySetPolicy | Detach a policy from a policy set using the policy's URI. |
| clonePolicySet | Clone a new policy set from an existing policy set. |
| createPolicySet | Create a new, empty policy set. |
| deletePolicySet | Delete a specified policy set. |
| deleteAllPolicySets | Delete all or selected policy sets from within the Oracle WSM repository. |
| displayPolicySet | Display the configuration of a specified policy set. |
| enablePolicySet | Enable or disable a policy set. |
| enablePolicySetPolicy | Enable or disable a policy attachment for a policy set using the policy's URI. |
| listPolicySets | List the policy sets in the repository. |
| modifyPolicySet | Specify an existing policy set to be modified in the current session. |
| setPolicySetPolicyOverride | Add a configuration override to a policy reference in the current policy set. |
| setPolicySetConstraint | Specify a run-time constraint value for a policy set selected within a session. |
| setPolicySetDescription | Specify a description for the policy set selected within a session. |
| validatePolicySet | Validate an existing policy set in the repository or in a session. |
| migrateAttachments | Migrate direct policy attachments to global policy attachments if they are identical. |
| importRepository | Import a set of documents from a supported ZIP archive file into the repository. You can provide the location of a file that describes how to map physical information from the source environment to the target environment. |
| exportRepository | Export a set of documents from the repository into a supported ZIP archive. If the specified archive already exists, you can choose whether to overwrite the archive or merge the documents into the existing archive. |
| upgradeWSMPolicyRepository | Upgrade the Oracle WSM predefined policies stored in the Oracle MDS repository with any new predefined policies that are provided in the latest installation of the Oracle Fusion Middleware software. |
| resetWSMPolicyRepository | Delete the existing policies stored in the Oracle MDS repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle Fusion Middleware software. |