This chapter describes interoperability of Oracle Web Services Manager (OWSM) with Oracle GlassFish Server Release 3.0.1.
This chapter contains the following sections:
Section 8.1, "Overview of Interoperability With Oracle GlassFish Security Environments"
Section 8.2, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)"
Oracle GlassFish Server Release 3.0.1 is an open source application server for the Java EE platform. Metro is an open-source Web service stack that is a part of Oracle GlassFish Server.
With OWSM 12c, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain level, that define the security requirements. A set of predefined policies and assertions is provided out of the box.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring Oracle GlassFish, see http://download.oracle.com/docs/cd/E18930_01/index.html.
Configuring Metro Web services, see http://metro.java.net/guide/.
Table 8-1 and Table 8-2 summarize the most common GlassFish Server interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Table 8-1 OWSM 11g Service Policy and GlassFish Client Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
SAML | 1.1 | Yes | No | | |
The following sections describe how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.1 standard:
To configure a GlassFish client and an OWSM 12c Web service, perform the steps described in the following sections:
Perform the following prerequisite steps:
1. Create a default-keystore.jks file with the following command:
$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA -dname "CN=orakey, O=oracle, C=us" -keystore default-keystore.jks -storepass welcome
2. Copy default-keystore.jks to the domain's fmwconfig directory.
3. Create a file user in GlassFish with the following command:
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user <username>
For more information, see http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html.
4. Add the user as described in "Create users" in Oracle WebLogic Server Administration Console Online Help.
5. Import orakey from default-keystore.jks into the GlassFish keystore and truststore, which are located in the <domain-dir>/config directory:
$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks -destkeystore <path-to-gf-domain>/config/cacerts.jks -srcalias orakey -destalias orakey -srckeypass welcome -destkeypass changeit
6. Copy jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.
1. Create a Web service.
2. Attach the following policy to the Web service: oracle/wss11_saml_token_with_message_protection_service_policy. For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
1. Using NetBeans, create a Metro client by selecting New Project > Java > Java Application. Provide a project name and location, select the server to deploy to, and click Finish.
2. Right-click the project and select New > Web Service Client. Follow the wizard and provide the WSDL URL of the service deployed in WebLogic Server.
3. Create a SAML CallbackHandler that can be used with the WSIT SAML security mechanisms supported by NetBeans, and place the file in the source folder of the project:
a. Ensure that the issuer variable value is the same as in the jps-config.xml file created in Step 5 of "Configuration Prerequisites for Interoperability".
b. Set the name identifier format URN to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
c. Set the user created in Step 3 and Step 4 of "Configuration Prerequisites for Interoperability". For example, to set the user to wlsuser, modify the file as follows:
CN=wlsuser,OU=SU,O=wlsuser,L=Los Angeles,ST=CA,C=US
4. Configure the JVM. Log on to the GlassFish Administration Console. For more information, see the Oracle GlassFish Server 3.1 Administration Guide at http://download.oracle.com/docs/cd/E18930_01/html/821-2416/gepzd.html.
a. In the left pane, expand Configuration and click JVM Settings.
b. In the right pane, click the JVM Options tab.
c. Click Add JVM Option. A new text field is displayed. Enter -DWSIT_HOME=${com.sun.aas.installRoot}.
d. Click Enterprise Server in the left pane.
e. Click Restart in the right pane to restart the server.
5. Expand the Web Service References node. In NetBeans, right-click the service reference and select Edit Web Service Attributes.
6. For the SAML Callback Handler option, click Browse and select the file from Step 3.
7. Set the alias in Keystore and Truststore.
8. Open the index.jsp file. Right-click and select Web Service Client Reference. Select the operation in the Select Operation to Invoke dialog box and click OK.
9. Run the project.
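The SAML CallbackHandler that Step 3 of the client procedure asks for is not shown on this page. The following Java class is an added example, not code from this page, from Oracle, or from the Metro project. It follows the structure of the Metro/WSIT sample sender-vouches handler and builds a SAML 1.1 assertion with com.sun.xml.wss.saml.SAMLAssertionFactory. The package name, the ISSUER placeholder value, and the exact factory method signatures (recalled from the Metro 2.x API, so check them against the Metro version bundled with your GlassFish) are assumptions; the subject DN and the name identifier format are the values the step above specifies.

```java
package interop.client; // assumed package; the file goes in the project's source folder

import java.math.BigInteger;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.LinkedList;
import java.util.List;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.w3c.dom.Element;

import com.sun.xml.wss.impl.callback.SAMLCallback;
import com.sun.xml.wss.saml.Assertion;
import com.sun.xml.wss.saml.AuthenticationStatement;
import com.sun.xml.wss.saml.Conditions;
import com.sun.xml.wss.saml.NameIdentifier;
import com.sun.xml.wss.saml.SAMLAssertionFactory;
import com.sun.xml.wss.saml.Subject;
import com.sun.xml.wss.saml.SubjectConfirmation;

/**
 * Sender-vouches SAML 1.1 callback handler for a Metro/WSIT client.
 * The three values the interoperability steps tell you to edit are the
 * ISSUER, SUBJECT and NAME_ID_FORMAT constants below.
 */
public class SamlCallbackHandler implements CallbackHandler {

    // Must equal the SAML issuer that jps-config.xml (copied from fmwconfig) trusts.
    // Placeholder value: replace it with the issuer from your jps-config.xml.
    private static final String ISSUER = "REPLACE-WITH-ISSUER-FROM-JPS-CONFIG";

    // DN of the user created in GlassFish and WebLogic Server (wlsuser in the steps).
    private static final String SUBJECT = "CN=wlsuser,OU=SU,O=wlsuser,L=Los Angeles,ST=CA,C=US";

    // Name identifier format the OWSM service policy expects.
    private static final String NAME_ID_FORMAT =
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";

    private static final String SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches";
    private static final String AUTH_METHOD = "urn:oasis:names:tc:SAML:1.0:am:password";

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof SAMLCallback)) {
                throw new UnsupportedCallbackException(cb, "Only SAMLCallback is supported");
            }
            SAMLCallback samlCallback = (SAMLCallback) cb;
            // WSIT tells the handler which confirmation method the binding negotiated;
            // refuse anything but sender-vouches rather than issuing a token we cannot back.
            if (SAMLCallback.SV_ASSERTION_TYPE.equals(samlCallback.getConfirmationMethod())) {
                samlCallback.setAssertionElement(createSenderVouchesAssertion());
            } else {
                throw new UnsupportedCallbackException(cb, "Only sender-vouches is supported");
            }
        }
    }

    private Element createSenderVouchesAssertion() {
        try {
            SAMLAssertionFactory factory =
                SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML1_1);

            // Short validity window: the service checks Conditions, and a stale
            // sender-vouches token has no proof of possession to fall back on.
            GregorianCalendar now = new GregorianCalendar();
            GregorianCalendar notBefore = (GregorianCalendar) now.clone();
            notBefore.add(Calendar.MINUTE, -5);
            GregorianCalendar notOnOrAfter = (GregorianCalendar) now.clone();
            notOnOrAfter.add(Calendar.MINUTE, 5);

            NameIdentifier nameId = factory.createNameIdentifier(SUBJECT, null, NAME_ID_FORMAT);
            SubjectConfirmation confirmation = factory.createSubjectConfirmation(SENDER_VOUCHES);
            Subject subject = factory.createSubject(nameId, confirmation);

            AuthenticationStatement authStatement =
                factory.createAuthenticationStatement(AUTH_METHOD, now, subject, null, null);
            List<Object> statements = new LinkedList<Object>();
            statements.add(authStatement);

            Conditions conditions = factory.createConditions(notBefore, notOnOrAfter, null, null, null);
            String assertionId = "ID-" + System.currentTimeMillis(); // unique per assertion

            Assertion assertion =
                factory.createAssertion(assertionId, ISSUER, now, conditions, null, statements);
            assertion.setMajorVersion(BigInteger.ONE);
            assertion.setMinorVersion(BigInteger.ONE);
            return assertion.toElement(null);
        } catch (Exception e) {
            throw new RuntimeException("Unable to build SAML sender-vouches assertion", e);
        }
    }
}
```

Select this class in the SAML Callback Handler field of Edit Web Service Attributes (Step 6). A sender-vouches token carries no proof of possession, so the service's trust in it rests on the message-protection signature made with the orakey certificate imported in the prerequisites; if the issuer value here does not match the trusted issuer in jps-config.xml, OWSM rejects the assertion before it looks at the subject.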
To configure an OWSM 12c client and a GlassFish Web service, perform the steps described in the following sections:
Perform the following prerequisite steps:
1. Create a default-keystore.jks file with the following command:
$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA -dname "CN=orakey, O=oracle, C=us" -keystore default-keystore.jks -storepass welcome
2. Copy default-keystore.jks to the domain's fmwconfig directory.
3. Save the credentials in the credential store using WLST commands. For example:
$<ORACLE_HOME>/common/bin/wlst.sh
> connect()
> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")
> createCred(map="oracle.wsm.security", key="glassfish.credentials", user="wlsUser", password="welcome1", description="Glassfish user credentials")
A file cwallet.sso is created in the DOMAIN_HOME/config/fmwconfig directory.
4. Create a file user in GlassFish with the following command:
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user <username>
For more information, see http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html.
5. Import orakey from default-keystore.jks into the GlassFish keystore and truststore, which are located in the <domain-dir>/config directory:
$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks -destkeystore <path-to-gf-domain>/config/keystore.jks -srcalias orakey -destalias orakey -srckeypass welcome -destkeypass changeit
6. Copy cwallet.sso, jps-config.xml, and default-keystore.jks from the domain's fmwconfig directory into a local folder.
1. Create a Metro Web service. For more information, see http://metro.java.net/guide/ch02.html#using_metro-developing_with_nb.
2. Configure the appropriate security mechanism. For more information, see http://metro.java.net/guide/ch12.html#ahicu.
1. Using JDeveloper, create a Web service proxy for the GlassFish service. Select the policy oracle/wss11_saml_token_with_message_protection_client_policy in the wizard.
2. Set the path to the jps-config.xml file created in Step 6 of "Configuration Prerequisites for Interoperability".
3. Set the USERNAME_PROPERTY as follows:
((BindingProvider) sAMLTokenEchoService).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "wlsUser");
4. Invoke the Web service.
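Added example of a stand-alone OWSM client that carries out Steps 2 through 4 above in one place; it is not code from this page or from Oracle. SAMLTokenEchoService and SAMLTokenEcho are assumed names for the JDeveloper-generated proxy classes (derived from the sAMLTokenEchoService variable above), the echo operation and the local folder path are assumptions, and the client policy is the one selected in the proxy wizard in Step 1. The jps-config.xml path is supplied here through the oracle.security.jps.config system property, which OPSS reads when it initializes.

```java
import java.util.Map;

import javax.xml.ws.BindingProvider;

/**
 * OWSM 12c client for the Metro service on GlassFish (sender-vouches SAML
 * with WS-Security 1.1 message protection).
 */
public class SamlTokenClient {

    // Local folder holding the three files copied in prerequisite Step 6 (assumed path).
    // jps-config.xml refers to cwallet.sso and default-keystore.jks by location,
    // so the three files must stay together.
    private static final String JPS_CONFIG = "/path/to/local/folder/jps-config.xml";

    // File user created in GlassFish (prerequisite Step 4); its password lives in the
    // credential store under glassfish.credentials (prerequisite Step 3).
    private static final String USER = "wlsUser";

    public static void main(String[] args) {
        // Step 2: point OPSS at the copied jps-config.xml. Set this before any
        // OWSM/OPSS class is loaded, because OPSS reads it once at initialization.
        System.setProperty("oracle.security.jps.config", JPS_CONFIG);

        // Step 1 result: JDeveloper-generated proxy (class names assumed). The policy
        // oracle/wss11_saml_token_with_message_protection_client_policy chosen in the
        // wizard is attached to this port by the generated proxy code.
        SAMLTokenEchoService service = new SAMLTokenEchoService();
        SAMLTokenEcho port = service.getSAMLTokenEchoPort();

        // Step 3: the user name becomes the NameIdentifier of the sender-vouches
        // assertion. No password travels with it; the client signs the message with
        // orakey (sign-csf-key) and the service trusts that signature to vouch for USER.
        Map<String, Object> requestContext = ((BindingProvider) port).getRequestContext();
        requestContext.put(BindingProvider.USERNAME_PROPERTY, USER);

        // Step 4: invoke the service through the policy-protected port.
        System.out.println(port.echo("hello from the OWSM client"));
    }
}
```

Because the SAML subject is asserted rather than proven, the GlassFish side must be configured (Step 2 of the service section) to accept sender-vouches only from a signer whose certificate it trusts; the orakey certificate imported into keystore.jks in the prerequisites is that signer.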