9 Interoperability with Oracle GlassFish Server Release 3.0.1

This chapter describes interoperability of Oracle Web Services Manager (OWSM) with Oracle Glassfish Server Release 3.0.1.

This chapter includes the following sections:

9.1 Overview of Interoperability With Oracle GlassFish Security Environments

Oracle GlassFish Server Release 3.0.1 is an open source application server for the Java EE platform. Metro is an open-source web service stack that is a part of Oracle GlassFish Server.

With OWSM 12c, you attach policies to web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.

For more information about:

Table 9-1 and Table 9-2 summarize the most common GlassFish Server interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Table 9-1 OWSM 12c Service Policy and GlassFish Client Interoperability

Identity Token: SAML
WS-Security Version: 1.1
Message Protection: Yes
Transport Security: No
Service Policy: oracle/wss11_saml_token_with_message_protection_service_policy
Client Policy: See "Configuring an OWSM 12c Web Service and a GlassFish Client"


Table 9-2 GlassFish Service and OWSM 12c Client Policy Interoperability

Identity Token: SAML
WS-Security Version: 1.1
Message Protection: Yes
Transport Security: No
Service Policy: See "Configuring a GlassFish Web Service and an OWSM 12c Client"
Client Policy: oracle/wss11_saml_token_with_message_protection_client_policy


9.2 Username Token with Message Protection (WS-Security 1.1)

This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard, in the following interoperability scenarios:

9.2.1 Configuring an OWSM 12c Web Service and a GlassFish Client

The following instructions tell how to configure an OWSM 12c web service and a GlassFish client to implement username token with message protection that conforms to the WS-Security 1.1 standard:

Table 9-3 Configuration Prerequisites for Interoperability

Task Description More Information

1

Create a default-keystore.jks file with the following command:

$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA \
  -dname "CN=orakey, O=oracle, C=us" -keystore default-keystore.jks -storepass welcome

The passwords shown are sample values used throughout this chapter; the -storepass and -keypass values must match what is later stored in the credential store and in the GlassFish stores. Older JDKs generate a 1024-bit RSA key by default, so add -keysize 2048 for anything other than a test setup.

--

2

Copy default-keystore.jks to the domain's fmwconfig directory.

--

3

Create a file user in GlassFish with the following command (asadmin prompts for the new user's password):

<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user <username>

http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html

4

Import orakey from default-keystore.jks into the GlassFish keystore and truststore, which are located in the directory <domain-dir>/config. The command below imports into the truststore (cacerts.jks); repeat it with -destkeystore <path-to-gf-domain>/config/keystore.jks to populate the keystore. keytool prompts for the source and destination store passwords (GlassFish ships its stores with the password changeit).

$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks \
  -destkeystore <path-to-gf-domain>/config/cacerts.jks -srcalias orakey -destalias orakey \
  -srckeypass welcome -destkeypass changeit

Note that this copies the orakey private key, not just its certificate, so both sides end up holding the same key. That is acceptable for an interoperability test but not for a deployment, where each party keeps its own private key and only certificates are exchanged.

--

5

Copy jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.

--


Table 9-4 Configuring OWSM 12c Web Service

Task Description More Information

1

Create a Web service.

--

2

Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.

"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager


Table 9-5 Configuring GlassFish/Metro Client

Task Description More Information

1

Using NetBeans, create a Metro client by selecting New Project > Java > Java Application. Provide a project name and location and click Finish.

--

2

Right-click the project and select New > Web Service Client. Follow the wizard and provide the WSDL URL of the service deployed on WebLogic Server.

--

3

Select Edit Web Services Attributes.

--

4

Check Use Development Defaults to include the Metro libraries in the project.

--

5

Uncheck Use Development Defaults and provide the username and password to be sent in the username token.

--

6

For a Metro SE client:

  1. Edit the truststore configuration. Select the same default-keystore.jks created in Table 9-3, "Configuration Prerequisites for Interoperability", so that the client encrypts to the certificate the OWSM service decrypts with.

  2. Drag and drop the Web service operation into the main method of the main class.

  3. Right-click the project and choose Run to execute the project.

--

7

For a Metro Java EE client:

  1. Drag and drop the Web service operation into the EJB or servlet that will invoke it.

  2. Deploy the application to GlassFish and invoke the Web service.

--


9.2.2 Configuring a GlassFish Web Service and an OWSM 12c Client

The following instructions tell how to configure a GlassFish web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.1 standard:

Table 9-6 Configuration Prerequisites for Interoperability

Task Description More Information

1

Create a default-keystore.jks file with the following command:

$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA \
  -dname "CN=orakey, O=oracle, C=us" -keystore default-keystore.jks -storepass welcome

--

2

Copy default-keystore.jks to the domain's fmwconfig directory.

--

3

Save the credentials in the credential store using WLST commands. keystore-csf-key holds the keystore password (the -storepass from Step 1), sign-csf-key and enc-csf-key hold the alias and key password of orakey, and glassfish.credentials holds the username and password of the GlassFish file user created in Step 4, which the OWSM client sends in the username token. For example:

<ORACLE_HOME>/common/bin/wlst.sh
> connect()
> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")
> createCred(map="oracle.wsm.security", key="glassfish.credentials", user="wlsUser", password="welcome1", description="GlassFish user credentials")

A file cwallet.sso is created in the directory DOMAIN_HOME/config/fmwconfig. It holds these secrets, so protect it, and every copy of it, as you would a private key file.

--

4

Create a file user in GlassFish with the following command (asadmin prompts for the new user's password; use the same username and password stored under glassfish.credentials in Step 3):

<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user <username>

http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html

5

Import orakey from default-keystore.jks into the GlassFish keystore and truststore, which are located in the directory <domain-dir>/config. The command below imports into the keystore (keystore.jks), which the Metro service needs to decrypt and sign; repeat it with -destkeystore <path-to-gf-domain>/config/cacerts.jks to populate the truststore. keytool prompts for the source and destination store passwords (GlassFish ships its stores with the password changeit).

$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks \
  -destkeystore <path-to-gf-domain>/config/keystore.jks -srcalias orakey -destalias orakey \
  -srckeypass welcome -destkeypass changeit

--

6

Copy cwallet.sso, jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.

--


Table 9-7 Configuring the GlassFish/Metro Web Service

Task Description More Information

1

Create a Metro Web service.

http://metro.java.net/guide/ch02.html#using_metro-developing_with_nb

2

Configure the appropriate security mechanism.

http://metro.java.net/guide/ch12.html#ahicu


Table 9-8 Configuring the OWSM 12c Client

Task Description More Information

1

Using JDeveloper, create a Web service proxy for the GlassFish service. Select the policy oracle/wss11_username_token_with_message_protection_client_policy in the wizard.

--

2

Set the csf-key to glassfish.credentials in the Override Properties option for the Web service proxy.

--

3

In the Web service proxy main class, set the system property oracle.security.jps.config to the path of the jps-config.xml copied in Step 6 of Table 9-6, "Configuration Prerequisites for Interoperability" (for example, -Doracle.security.jps.config=<local-folder>/jps-config.xml on the JVM command line). OWSM locates the credential store and the keystore through this file, which is why Step 6 copies cwallet.sso and default-keystore.jks into the same folder.

--
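The tables above describe what each side must hold (keys, trust entries, credentials) but not what the resulting request looks like on the wire, which is what you inspect when one side rejects the other's message. The following Python lint, added here as an example and not Oracle or Metro code, checks a captured request against the shape the wss11 username-token-with-message-protection policies require: a mustUnderstand wsse:Security header, a fresh wsu:Timestamp, a username token carried only in encrypted form, an xenc:EncryptedKey that names the recipient's certificate by its SHA-1 thumbprint (the WS-Security 1.1 reference style), and a signature keyed from that EncryptedKey that covers both the Timestamp and the Body. The sample envelope, its ids and its digest and cipher values are constructed placeholders, and the lint does not verify signatures or decrypt anything.

```python
"""Structural lint for a captured WS-Security 1.1 request (constructed sample below).
Reports which policy requirement a request is missing; it does not verify signatures."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSS11 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1"
THUMBPRINT_SHA1 = WSS11 + "#ThumbprintSHA1"      # recipient cert named by SHA-1 thumbprint
ENCRYPTED_KEY_SHA1 = WSS11 + "#EncryptedKeySHA1"  # signature keyed from the EncryptedKey

# Constructed sample request: ids, digests and cipher values are placeholders, not real output.
SAMPLE_TIME = dt.datetime(2024, 5, 1, 10, 1, tzinfo=dt.timezone.utc)
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<soap:Header><wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-05-01T10:00:00Z</wsu:Created><wsu:Expires>2024-05-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
<xenc:EncryptedKey Id="EK-1"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="%s">c2FtcGxl</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>ZWs=</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#ED-UT"/><xenc:DataReference URI="#ED-BODY"/></xenc:ReferenceList></xenc:EncryptedKey>
<xenc:EncryptedData Id="ED-UT" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:CipherData><xenc:CipherValue>dXQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#TS-1"><ds:DigestValue>dHM=</ds:DigestValue></ds:Reference>
<ds:Reference URI="#BODY-1"><ds:DigestValue>Ym9keQ==</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>c2ln</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#EK-1" ValueType="%s#EncryptedKey"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="BODY-1"><xenc:EncryptedData Id="ED-BODY" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:CipherData><xenc:CipherValue>Ym9keQ==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>""" % (THUMBPRINT_SHA1, WSS11)


def _ts(value):
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def lint(envelope, now=None, skew=dt.timedelta(minutes=5)):
    """Return a list of findings; an empty list means the request has the required shape."""
    now = now or dt.datetime.now(dt.timezone.utc)
    out = []
    root = ET.fromstring(envelope)
    headers = root.findall("soap:Header/wsse:Security", NS)
    if len(headers) != 1:
        return ["expected exactly one wsse:Security header, found %d" % len(headers)]
    sec = headers[0]
    if sec.get("{%s}mustUnderstand" % NS["soap"]) != "1":
        out.append("wsse:Security is not marked mustUnderstand=1")
    # Timestamp: present, ordered and fresh; both stacks reject stale or future-dated stamps
    ts = sec.find("wsu:Timestamp", NS)
    ts_id = ts.get("{%s}Id" % NS["wsu"]) if ts is not None else None
    created = ts.findtext("wsu:Created", namespaces=NS) if ts is not None else None
    expires = ts.findtext("wsu:Expires", namespaces=NS) if ts is not None else None
    if not (created and expires):
        out.append("wsu:Timestamp with Created and Expires is missing")
    else:
        created, expires = _ts(created), _ts(expires)
        if not created < expires:
            out.append("Timestamp Expires is not after Created")
        if created > now + skew:
            out.append("Timestamp Created is in the future")
        if expires < now - skew:
            out.append("Timestamp has expired")
    # The username token must travel encrypted: a clear wsse:Password violates the policy
    if sec.find("wsse:UsernameToken/wsse:Password", NS) is not None:
        out.append("UsernameToken password is sent in clear text")
    body = root.find("soap:Body", NS)
    body_id = body.get("{%s}Id" % NS["wsu"]) if body is not None else None
    ek = sec.find("xenc:EncryptedKey", NS)
    ek_id = ek.get("Id") if ek is not None else None
    if ek is None:
        out.append("no xenc:EncryptedKey: message protection is missing")
    else:
        kid = ek.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
        if kid is None or kid.get("ValueType") != THUMBPRINT_SHA1:
            out.append("EncryptedKey does not name the recipient cert by SHA-1 thumbprint")
        enc = {r.get("URI", "").lstrip("#") for r in ek.findall("xenc:ReferenceList/xenc:DataReference", NS)}
        in_header = {e.get("Id") for e in sec.findall("xenc:EncryptedData", NS)}
        in_body = {e.get("Id") for e in body.findall("xenc:EncryptedData", NS)} if body is not None else set()
        if not enc & in_header:
            out.append("no encrypted element in the header: UsernameToken is not encrypted")
        if not enc & in_body:
            out.append("Body content is not encrypted")
    # Signature: must cover Timestamp and Body and be keyed from the EncryptedKey (symmetric binding)
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        out.append("no ds:Signature")
    else:
        signed = {r.get("URI", "").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
        for name, ident in (("Timestamp", ts_id), ("Body", body_id)):
            if ident is None or ident not in signed:
                out.append("%s is not covered by the signature" % name)
        str_ = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
        ref = str_.find("wsse:Reference", NS) if str_ is not None else None
        kid = str_.find("wsse:KeyIdentifier", NS) if str_ is not None else None
        keyed_by_ek = (ref is not None and ek_id is not None and ref.get("URI") == "#" + ek_id) or (
            kid is not None and kid.get("ValueType") == ENCRYPTED_KEY_SHA1)
        if not keyed_by_ek:
            out.append("signature is not keyed from the EncryptedKey (WS-Security 1.1 symmetric binding)")
    return out
```

Run lint(SAMPLE, now=SAMPLE_TIME) to see the clean case; feed it a request captured from a failing exchange (with now left at the default) and the findings name the requirement the other side is most likely complaining about, such as a clock-skew problem, a plaintext username token, or a signature that does not cover the Body.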


Note:

If you are using:

9.3 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)

This section describes how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.1 standard. With the sender-vouches confirmation method the client itself asserts who the user is and vouches for the assertion by signing it together with the message; the service accepts the asserted identity only because it trusts the signing certificate (orakey in this chapter) and the assertion issuer. Whoever holds the signing key can therefore assert any user, so protect that key and keep the service's list of trusted issuers tight. The section covers the following interoperability scenarios:

9.3.1 Configuring an OWSM 12c Web Service and a GlassFish Client

The following instructions tell how to configure an OWSM 12c web service and a GlassFish client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.1 standard:

Table 9-9 Configuration Prerequisites for Interoperability

Task Description More Information

1

Create a default-keystore.jks file with the following command:

$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA \
  -dname "CN=orakey, O=oracle, C=us" -keystore default-keystore.jks -storepass welcome

--

2

Copy default-keystore.jks to the domain's fmwconfig directory.

--

3

Create a file user in GlassFish with the following command (asadmin prompts for the new user's password):

<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user <username>

http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html

4

Add the user.

"Create users" in Oracle WebLogic Server Administration Console Online Help

5

Import orakey from default-keystore.jks into the GlassFish keystore and truststore, which are located in the directory <domain-dir>/config. The command below imports into the truststore (cacerts.jks); repeat it with -destkeystore <path-to-gf-domain>/config/keystore.jks so that the Metro client can also sign with orakey. keytool prompts for the source and destination store passwords (GlassFish ships its stores with the password changeit).

$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks \
  -destkeystore <path-to-gf-domain>/config/cacerts.jks -srcalias orakey -destalias orakey \
  -srckeypass welcome -destkeypass changeit

--

6

Copy jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.

--


Table 9-10 Configuring the OWSM 12c Web Service

Task Description More Information

1

Create a web service.

--

2

Attach the following policy to the web service: oracle/wss11_saml_token_with_message_protection_service_policy.

"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager


Table 9-11 Configuring the GlassFish/Metro Client

Task Description More Information

1

Using NetBeans, create a Metro client by selecting New Project > Java Web > Web Application (the later steps deploy the client to a server and invoke the service from index.jsp, which a plain Java Application project does not provide). Provide a project name and location, select the server to deploy to, and click Finish.

--

2

Right-click the project and select New > Web Service Client. Follow the wizard and provide the WSDL URL of the service deployed on WebLogic Server.

--

3

Create a SAML CallbackHandler that can be used with the WSIT SAML security mechanisms supported by NetBeans:

  1. Place the file in the source folder of the project.

  2. Ensure that the issuer variable has the same value as the trusted issuer configured for the OWSM service (see the jps-config.xml copied in Step 6 of Table 9-9, "Configuration Prerequisites for Interoperability"); the service rejects assertions from any other issuer.

  3. Set the NameIdentifier format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

  4. Set the subject to the user created in Step 3 and Step 4 of Table 9-9, "Configuration Prerequisites for Interoperability". For example, to set the user to wlsuser, modify the file as follows: CN=wlsuser,OU=SU,O=wlsuser,L=Los Angeles,ST=CA,C=US

--

4

To configure the JVM, log on to the GlassFish Administration Console.

  1. In the left pane, expand Configuration and click JVM Settings.

  2. In the right pane, click the JVM Options tab.

  3. Click Add JVM Option. A new text field is displayed. Enter -DWSIT_HOME=${com.sun.aas.installRoot}.

  4. Click Enterprise Server in the left pane.

  5. Click Restart in the right pane to restart the server.

Oracle GlassFish Server 3.1 Administration Guide at: http://download.oracle.com/docs/cd/E18930_01/html/821-2416/gepzd.html

5

In NetBeans, expand the Web Service References node, right-click the service reference and select Edit Web Service Attributes.

--

6

For SAML Callback Handler option, click Browse and select the file from Step 3.

--

7

Set the keystore and truststore alias (orakey in this setup, the key imported in Step 5 of Table 9-9, "Configuration Prerequisites for Interoperability", which the client signs with and encrypts to).

--

8

Open index.jsp. Right-click in the editor and select Web Service Client Reference. In the Select Operation to Invoke dialog box, select the operation and click OK.

--

9

Run the project.

--
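The callback handler in Step 3 fixes the three things the receiving side examines in the assertion: the issuer, the NameIdentifier format and the subject name. The following Python validator, an added example and not OWSM or Metro code, makes explicit the checks a relying party has to make before it accepts a sender-vouches subject, in either direction of this scenario. The sample assertion is constructed; the issuer value www.oracle.com and the AssertionID are assumptions, and XML signature verification is assumed to have been done separately: signed_ids is the set of ids the message signature covered and signer_trusted says whether the signer's certificate was found in the truststore.

```python
"""Relying-party checks on a SAML 1.1 sender-vouches assertion (constructed sample).
Signature verification is assumed to be done elsewhere and its outcome passed in."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}   # SAML 1.1 keeps the 1.0 namespace
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: issuer and AssertionID are assumed values; the subject is the one from Step 3.
SAMPLE_TIME = dt.datetime(2024, 5, 1, 10, 1, tzinfo=dt.timezone.utc)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="ID-4f7c" Issuer="www.oracle.com"
  IssueInstant="2024-05-01T10:00:00Z">
 <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
   AuthenticationInstant="2024-05-01T10:00:00Z">
  <saml:Subject>
   <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">CN=wlsuser,OU=SU,O=wlsuser,L=Los Angeles,ST=CA,C=US</saml:NameIdentifier>
   <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
   </saml:SubjectConfirmation>
  </saml:Subject>
 </saml:AuthenticationStatement>
</saml:Assertion>"""


def _ts(value):
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(assertion_xml, trusted_issuers, signed_ids, signer_trusted, now=None,
             skew=dt.timedelta(minutes=5)):
    """Return (subject_name, findings). Accept the subject only if findings is empty."""
    now = now or dt.datetime.now(dt.timezone.utc)
    out = []
    a = ET.fromstring(assertion_xml)
    if a.tag != "{%s}Assertion" % NS["saml"] or (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        return None, ["not a SAML 1.1 assertion"]
    # 1. Issuer allowlist: anyone holding a trusted signing key could mint assertions for any
    #    issuer string, so the service pins the issuers it accepts (the trusted issuer list).
    if a.get("Issuer") not in trusted_issuers:
        out.append("issuer %r is not a trusted issuer" % a.get("Issuer"))
    # 2. Validity window, allowing a little clock skew between the two servers
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        out.append("no Conditions: assertion would never expire")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            out.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            out.append("assertion expired")
    # 3. Subject: sender-vouches confirmation and the NameIdentifier format the service expects
    subject = a.find("saml:AuthenticationStatement/saml:Subject", NS)
    if subject is None:
        return None, out + ["no AuthenticationStatement/Subject"]
    methods = [m.text for m in subject.findall("saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if methods != [SENDER_VOUCHES]:
        out.append("confirmation method %s is not sender-vouches" % methods)
    name_id = subject.find("saml:NameIdentifier", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        out.append("NameIdentifier missing or not in nameid-format:unspecified")
    # 4. The vouching itself: the assertion must lie inside the signed region and the signer
    #    must be trusted. Without both, the subject name is just a string the sender typed.
    if a.get("AssertionID") not in signed_ids:
        out.append("assertion is not covered by the message signature")
    if not signer_trusted:
        out.append("message signer certificate is not trusted")
    return (name_id.text if name_id is not None else None), out
```

The order of the checks is deliberate: the cheap structural checks run first, but none of them establishes trust; only the last two do, which is why a sender-vouches deployment stands or falls on who holds the signing key and on what is in the trusted issuer list.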


9.3.2 Configuring a GlassFish Web Service and an OWSM 12c Client

The following instructions tell how to configure a GlassFish web service and an OWSM 12c client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.1 standard:

Table 9-12 Configuration Prerequisites for Interoperability

Task Description More Information

1

Create a default-keystore.jks file with the following command:

$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA \
  -dname "CN=orakey, O=oracle, C=us" -keystore default-keystore.jks -storepass welcome

--

2

Copy default-keystore.jks to the domain's fmwconfig directory.

--

3

Save the credentials in the credential store using WLST commands. keystore-csf-key holds the keystore password (the -storepass from Step 1), sign-csf-key and enc-csf-key hold the alias and key password of orakey, and glassfish.credentials holds the username and password of the GlassFish file user created in Step 4. For example:

<ORACLE_HOME>/common/bin/wlst.sh
> connect()
> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")
> createCred(map="oracle.wsm.security", key="glassfish.credentials", user="wlsUser", password="welcome1", description="GlassFish user credentials")

A file cwallet.sso is created in the directory DOMAIN_HOME/config/fmwconfig. It holds these secrets, so protect it, and every copy of it, as you would a private key file.

--

4

Create a file user in GlassFish with the following command (asadmin prompts for the new user's password; use the username stored under glassfish.credentials in Step 3):

<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user <username>

http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html

5

Import orakey from default-keystore.jks into the GlassFish keystore and truststore, which are located in the directory <domain-dir>/config. The command below imports into the keystore (keystore.jks), which the Metro service needs to decrypt and sign; repeat it with -destkeystore <path-to-gf-domain>/config/cacerts.jks to populate the truststore. keytool prompts for the source and destination store passwords (GlassFish ships its stores with the password changeit).

$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks \
  -destkeystore <path-to-gf-domain>/config/keystore.jks -srcalias orakey -destalias orakey \
  -srckeypass welcome -destkeypass changeit

--

6

Copy cwallet.sso, jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.

--


Table 9-13 Configuring GlassFish/Metro Web Service

Task Description More Information

1

Create a Metro web service.

http://metro.java.net/guide/ch02.html#using_metro-developing_with_nb

2

Configure the appropriate security mechanism

http://metro.java.net/guide/ch12.html#ahicu


Table 9-14 Configuring the OWSM 12c Client

Task Description More Information

1

Using JDeveloper, create a web service proxy for the GlassFish service. Select the policy oracle/wss11_saml_token_with_message_protection_client_policy in the wizard.

"Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.

2

Set the system property oracle.security.jps.config to the path of the jps-config.xml copied in Step 6 of Table 9-12, "Configuration Prerequisites for Interoperability" (for example, -Doracle.security.jps.config=<local-folder>/jps-config.xml on the JVM command line); cwallet.sso and default-keystore.jks must be in the same folder, as copied in that step.

--

3

Set the USERNAME_PROPERTY on the generated port (sAMLTokenEchoService is the port proxy name in this example) so that the OWSM client asserts that user in the SAML token:

((BindingProvider) sAMLTokenEchoService).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "wlsUser");

No password is sent: with sender vouches the client vouches for the identity by signing the message, so the user only has to exist on the GlassFish side (the file user created in Step 4 of Table 9-12, "Configuration Prerequisites for Interoperability").

--

4

Invoke the web service.

--