This chapter describes how to use Service Bus in conjunction with Oracle Web Services Manager (OWSM) to provide a scalable, standards-based, centrally managed approach to securing your service integration environment with WS-Security policies while leveraging your existing security providers.
OWSM is a runtime framework for policy creation for security, management, and governance. You create policies, attach them to services in Service Bus, and enforce those policies at various points in the messaging life cycle with OWSM agents.
OWSM policies enable WS-AT, WS-RM and WS-Security/WS-SC. WSDL-embedded policies cannot be used.
Note:
Oracle Web Services Manager (OWSM) is the Web Services security mechanism used by Service Bus. All newly created resources, such as business services and proxy services, use OWSM policies for security. WLS 9 policies are deprecated, and cannot be used to configure security for a new Service Bus resource.
However, you can import resources already configured with WLS 9 policies into your Service Bus project. You cannot edit or modify these WLS 9policies, but you can replace them with OWSM policies.
This chapter includes the following sections:
For more information about Oracle Web Services Manager, see Securing Web Services and Managing Policies with Oracle Web Services Manager.
OWSM is a component of the Oracle Enterprise Manager Fusion Middleware Control, a runtime framework that provides centralized management and governance of Oracle SOA Suite environments and applications. You create and configure OWSM policies in Oracle Enterprise Manager, and those policies are persisted in a policy store (a database is recommended). OWSM lets you define policies against an LDAP directory and generate standard security tokens (such as SAML tokens) to propagate identities across multiple web services used in a single transaction.
In Service Bus, when defining a business or proxy service that lets you attach security policies, you can attach available OWSM policies.
Service Bus and Oracle Web Services Manager (OWSM) use certain services for authentication and authorization. OWSM uses Java Platform Security (JPS), so Service Bus uses JPS providers for OWSM policies. Service Bus also uses Common Security Services (CSS), which is a part of Oracle Platform Security Services (OPSS), for other aspects of message security.
For more information about Oracle security services, see "Introduction to Oracle Platform Security Services" in the Securing Applications with Oracle Platform Security Services.
The following topics describe which security providers Service Bus and OWSM use for different security areas.
When using Oracle Web Services Manager policies, the following apply:
OWSM policies use SAML providers from JPS and not from WebLogic Server. For information on configuring SAML with OWSM, see "Configuring SAML" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
For authentication, OWSM uses the JPS Login Module, which in turn calls authentication providers configured on WebLogic Server.
OWSM and Service Bus support the Java Keystore (JKS) and the Keystore Service (KSS) provided by Oracle Platform Security Services. For OWSM policies, a best practice is to configure the keystore on JPS, with both the WebLogic Server and the JPS keystore referencing the same kind of keystore. For example, if you use a JKS file keystore, JPS and WebLogic Server should point to the same file. If you use an KSS keystore, JPS and WebLogic Server should point to the same KSS configuration.
For information on creating the keystore, see "Configuring Keystores for Message Protection" in the Securing Web Services and Managing Policies with Oracle Web Services Manager.
A JPS keystore serves as both a keystore and a truststore for OWSM policies.
Service Bus uses the following providers:
CSS providers to enforce WLS 9 policies
CSS providers to enforce transport security
WebLogic Server authorization providers for authorization policies
Custom WebLogic Server authentication providers and identity asserters for custom authentication policies
WebLogic Server credential providers and mappers
WebLogic Server keystore and truststore for WLS 9 policies
Authentication and identity assertion through Oracle Web Services Manager agents
This section includes the following topics:
You can attach OWSM policies to the following types of proxy and business services in Service Bus on the Policies page:
WSDL
Any SOAP
Any XML
Messaging
REST
You can attach OWSM policies only at the service level, and you cannot embed them in service WSDL files. Note that policy support for non-SOAP services is limited.
When attaching policies in the development environment, keep in mind that services in the development environment can be out of sync with services in the Oracle Service Bus Console, so take care when updating services from JDeveloper to the Console. If you copy a service to create a same type of service (for example, copy a business service to create a new business service), be sure to review your OWSM policies in the new service and make any necessary adjustments.
After adding OWSM policies to a service, you can provide policy overrides on the Security page. For the policies used, the user interface displays the override keys (properties) and their default values. The key names come from the policy binding. If allowed, a text box appears next to a key's default value where you can provide an override value. Service Bus does not provide well-known keys for override, such as sign key alias or CSF key, which points to user credentials in a CSF store. (Service Bus provides user credentials in the service account.) Override keys you provide are passed to the Oracle Web Services Manager agent during invocation.
For information on configuring SAML for use with Service Bus, see Using SAML with Oracle Service Bus. For information on configuring SAML with OWSM, see "Configuring SAML" in the Securing Web Services and Managing Policies with Oracle Web Services Manager.
When WSDL files contain embedded Oracle Web Services Manager policies, you can advertise the policies to be compatible with the following policy standards, supported by Oracle Service Bus and Oracle SOA Suite:
WS-Policy 1.2 (default) and 1.5
WS-Security Policy 1.1 (default), 1.2, and 1.3
Using special query parameters in URLs to access WSDL files embedded with OWSM policies, Service Bus generates WSDL files that comply with the required standards. For more information on accessing WSDL files with a URL, see Viewing Service Bus Resources in a Web Browser.
Note:
This feature is not available in the Service Bus "Export WSDL" or "Generate WSDL" functionality.
The special query parameters are &wsp (WS-Policy) and &wssp (WS-Security Policy), and you can use them in conjunction with the WSDL, PROXY, and BIZ URL patterns for retrieving WSDL files. For example:
http://localhost:7001/proxy/myProxy?WSDL&wsp=1.5&wssp=1.2
Returns the WSDL file for myProxy, a WSDL-based proxy service, so that the OWSM policy reference conforms to WS-Policy 1.5 and WS-Security Policy 1.2.
Note:
In the previous URL, /proxy/myProxy is the endpoint URI for the proxy service.
http://localhost:7001/sbresource?PROXY/myProject/myProxy&wsp=1.5&wssp=1.2
Returns the WSDL file for myProxy, a WSDL-based proxy service, so that the OWSM policy reference conforms to WS-Policy 1.5 and WS-Security Policy 1.2.
http://localhost:7001/sbresource?BIZ/myProject/myBiz&wsp=1.5&wssp=1.3
Returns the WSDL file for myBiz, a WSDL-based business service, so that the OWSM policy reference conforms to WS-Policy 1.5 and WS-Security Policy 1.3.
http://localhost:7001/sbresource?WSDL/proxy/myProxy
Returns the WSDL file for myProxy, a WSDL-based proxy service, so that the OWSM policy reference conforms to WS-Policy 1.2 and WS-Security Policy 1.1. Because no query parameters are used, Service Bus uses the defaults.
http://localhost:7001/proxy/myProxy?WSDL&wssp=1.3
Because WS-Security Policy 1.3 is compatible only with WS-Policy 1.5, this returns the WSDL file for myProxy so that the OWSM policy reference conforms to WS-Security Policy 1.3 and WS-Policy 1.5.
Invalid Values/Combinations
WS-Security Policy 1.2 and 1.3 are compatible only with WS-Policy 1.5. For invalid value examples, see Table 52-1.
Tip:
In a web browser, try different query parameter versions see how the returned WSDL changes.
For a quick reference of query parameter combinations, see the following section, WSDL Query Parameter Reference for WS Policies.
This section provides a quick reference showing valid and invalid combinations of the &wsp and &wssp query parameters described in the previous section, Advertising WSDL Files to Support WS Standards. The examples use ?WSDL to retrieve the WSDL file. You can also use the ?PROXY and ?BIZ methods of WSDL file retrieval, as described in Viewing Service Bus Resources in a Web Browser.
As shown in Table 52-1, when one or more parameters is omitted, Service Bus provides the valid default. For the invalid value exceptions, WS-Security Policy 1.2 and 1.3 are compatible with only WS-Policy 1.5, and vice versa.
Table 52-1 Valid and Invalid Combinations of the &wsp and &wssp Query Parameters
| Query Parameter Combinations | WS-Policy Version | WS-Security Policy Version |
|---|---|---|
|
...?WSDL |
1.2 |
1.1 |
|
...?WSDL&wsp=1.2 |
1.2 |
1.1 |
|
...?WSDL&wsp=1.5 |
1.5 |
1.3 |
|
...?WSDL&wssp=1.1 |
1.2 |
1.1 |
|
...?WSDL&wssp=1.2 |
1.5 |
1.2 |
|
...?WSDL&wssp=1.3 |
1.5 |
1.3 |
|
...?WSDL&wsp=1.2&wssp=1.1 |
1.2 |
1.1 |
|
...?WSDL&wsp=1.5&wssp=1.2 |
1.5 |
1.2 |
|
...?WSDL&wsp=1.5&wssp=1.3 |
1.5 |
1.3 |
|
...?WSDL&wsp=1.2&wssp=1.2 |
Invalid value exception |
Invalid value exception |
|
...?WSDL&wsp=1.2&wssp=1.3 |
Invalid value exception |
Invalid value exception |
|
...?WSDL&wsp=1.5&wssp=1.1 |
Invalid value exception |
Invalid value exception |
|
...?WSDL&wsp=3.0&wssp=1.2 |
Invalid value exception |
Invalid value exception |
|
...?WSDL&wsp=1.2&wssp=2.0 |
Invalid value exception |
Invalid value exception |
When you export Service Bus configurations that contain services with OWSM policy references, the references are maintained. You must ensure that the referenced policies also exist in the target environment. If the target environment is the IDE, warnings are displayed saying that policies will be validated on publish.
To audit policy events in Oracle Enterprise Manager, you must set up an audit data repository and set up event collection. For more information, see the following topics in Administering Web Services:
"Viewing Audit Reports" – Pre-defined audit reports for OWSM in Oracle Business Intelligence Publisher include statistics for Service Bus.
You can audit the following policy-level events:
Policy creation, deletion, or modification
Assertion template creation, deletion, or modification
Fusion Middleware Control lets you monitor and manage policies attached to your Service Bus services, including their usage and violation metrics. You can also attach policy sets globally, define policy overrides, and attach and detach policies from your services. See "Monitoring and Managing Security Policies" in Administering Oracle Service Bus for details on monitoring and managing these policies.
Service Bus collects WS-Security error statistics for OWSM policy enforcement errors as it does for WLS 9 policies, and those statistics are available in the Service Bus service monitoring dashboard.
This section lists, and provides links to, the OWSM predefined policies and assertions that Service Bus supports and does not support. Custom assertions are supported.
Note:
The assertion or policy "enabled/disabled" option in the Oracle Enterprise Manager Fusion Middleware Control user interface does not determine whether or not an assertion or policy is supported in Service Bus. Supported policies and assertions are listed in this section.
See the following topics for information about which OWSM policies are supported with Service Bus:
SOAP Services: See "Determining Which Predefined Policies to Use" in Securing Web Services and Managing Policies with Oracle Web Services Manager, which provides information about the predefined policies available in the current release.
Non-SOAP Services: See Table 52-2, which lists the supported OWSM predefined policies for business and proxy services that are configured with the WSDL (non-SOAP), XML, or Messaging service type using the HTTP Transport. User-defined policies are also supported.
REST Services: See "Which OWSM Policies Are Supported for RESTful Web Services and Clients?" in Securing Web Services and Managing Policies with Oracle Web Services Manager, which lists supported OWSM predefined policies for services configured with the REST service type.
JCA Services: See "Which OWSM Policies Are Supported for JCA Adapters?" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Note:
In the development environment, if you use unsupported seed policies:
An effective WSDL file generated in the development environment will skip unsupported policies.
Validation is performed on service publish.
For more information on the following policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Table 52-2 Supported OWSM Predefined Policies for WSDL (non-SOAP), XML, and Messaging Service Service Types with HTTP Transport
| Type | Client Policy | Service Policy |
|---|---|---|
|
Authentication only |
oracle/wss_http_token_client_policy Basic authentication only. For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. |
oracle/wss_http_token_service_policy Basic authentication only. For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. |
|
Authentication and Message Protection |
oracle/wss_http_token_over_ssl_client_policy For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. |
oracle/wss_http_token_over_ssl_service_policy For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. |
|
Authorization only |
N/A |
oracle/whitelist_authorization_policy |
|
Authorization only |
N/A |
oracle/binding_authorization_denyall_policy |
|
Authorization only |
N/A |
oracle/binding_authorization_permitall_policy |
This section provides guidance on using the wss_http_token policies with Service Bus.
Note:
When using the HTTP transport with an OWSM policy, set the Authentication property for the transport to None. Setting it to any other value conflicts with the OWSM policy.
When you enable specific options on the policies in OWSM, certain guidelines apply. The options are:
Authentication Mode – OWSM and Service Bus support only "Basic" authentication mode in the policy. Any other mode causes an exception.
Transport Security – This option indicates that the invocation has to be done on the SSL channel. At runtime:
Proxy Services: If you enable this option on the policy, you must enable the HTTPS Required option on the proxy service containing the policy.
Business Services: No validation occurs on the business service configuration when you enable this option on the policy, so be sure that the business service endpoint addresses use HTTPS. A runtime error is thrown if an endpoint does not use HTTPS.
Mutual Authentication Required – This option indicates two-way SSL.
Proxy Services: This option is not supported for use on proxy services. Clear this option when using the wss_*_over_ssl_* _policy policies provided by OWSM.
Business Services: Because OWSM ignores this option on outbound messages, this option has no effect when used with business services.
Include Timestamp – This option enforces the inclusion of timestamp in the SOAP header.
Proxy Services: When you enable this option with proxy services, OWSM ensures the timestamp is available and valid in the SOAP header.
Business Services: When you enable this option with business services, OWSM adds a timestamp to the SOAP header if a timestamp does not already exist.
Note:
When applying wss_http_token policies to proxy and business services that use non-SOAP service types with the HTTP transport, the Include Timestamp option in the OWSM policy must be disabled.
When you use token transport policies on a Service Bus service, such as wss_http_token_over_ssl_client_policy or wss_username_token_over_ssl_client_policy, the Authentication property on the service's transport configuration page to None. You can use either an OWSM token policy or handle authentication through the transport, but not both.
You can attach any of the supported OWSM policies to proxy and business services that include support for SOAP with Attachments (SwA). In addition to securing the message body, you can configure message protection policies to include SwA attachments and MIME headers for message signing or message encryption.
You can attach OWSM policies to proxy and business services that include support for MTOM-formatted SOAP messages and use the HTTP, Local, or SB Transport. Message processing for all supported policies is the same for SOAP messages in MTOM format as for any other SOAP message, with the exception of message protection policies.
For a message protection policy that encrypts any part of the message body, the <xop:Include> elements of incoming messages are inlined prior to decryption. On decryption, the <xop:Include> elements are replaced by the base64Binary representation of the data. The message contents do not change.
Note:
When applying OWSM policies to services that support messages in MTOM format:
For proxy services, the incoming message must first be encrypted using an equivalent client policy.
Set the Authentication property for the transport to None when configuring the service. Setting it to any other value conflicts with the OWSM policy.
Table 52-3 lists unsupported OWSM assertions for both SOAP and non-SOAP services, shows which policies contain the assertions, and describes the affected capabilities and alternatives to achieve the capabilities.
Table 52-3 Unsupported assertions
| Unsupported Assertion | OWSM Policies Containing the Assertion | Capability Affected and Alternative |
|---|---|---|
|
binding-permission-authorization |
oracle/binding_permission_authorization_policy |
Permission-based access control to service. Alternative: Use XACML authorization policies. |
|
OptimizedMimeSerialization (MTOM) |
oracle/wsmtom_policy |
MTOM Alternative: Use MTOM configuration directly on proxy/business service. |
|
RMAssertion |
oracle/wsrm10_policy oracle/wsrm11_policy |
WS-RM 1.0/1.1 Alternative: Use the WS transport directly in Service Bus for WS-RM 1.0. |
|
sca-component-authorization |
oracle/component_authorization_denyall_policy oracle/component_authorization_permitall_policy |
Role-based access control to deny/permit all to access the component. Alternative: Not applicable |
|
sca-component-permission-authorization |
oracle/component_permission_authorization_policy |
Permission based Access Control to component Alternative: Not applicable |
|
UsingAddressing |
oracle/wsaddr_policy |
To require WS-Addressing Alternative: Configure WS-Addressing on business services that use the SOA-DIRECT transport; or add WS-Addressing to messages in a Service Bus pipeline. |
Oracle Service Bus provides support for the execution of a set of predefined policies and assertion templates that are delivered by OWSM. When a specific functionality is not provided with the standard policies available with the product, users can develop custom assertions.
See "About Custom Assertions" in Developing Extensible Applications for Oracle Web Services Manager for more information on custom assertions.
See "Creating Custom Assertions" in Developing Extensible Applications for Oracle Web Services Manager for more information on creating custom assertions.