This chapter includes the following sections:
Oracle GlassFish Server Release 3.0.1 is an open source application server for the Java EE platform. Metro is an open-source web service stack that is a part of Oracle GlassFish Server.
More information on OWSM policies and interoperability scenarios are described in the following topics:
With OWSM 12c, you attach policies to web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring Oracle GlassFish, see http://download.oracle.com/docs/cd/E18930_01/index.html.
Configuring Metro web services, see http://metro.java.net/guide/.
You can review the different scenarios for interoperability between OWSM 11g and GlassFish server.
The following table describes the OWSM 11g service policy and GlassFish client policy interoperability scenarios:
Table 9-1 OWSM 11g Service Policy and GlassFish Client Interoperability
| Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
|---|---|---|---|---|---|
|
SAML |
1.1 |
Yes |
No |
|
The following table describes the GlassFish service policy with OWSM 11g client policy interoperability scenarios:
Table 9-2 GlassFish Service and OWSM 11g Client Policy Interoperability
| Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
|---|---|---|---|---|---|
|
SAML |
1.1 |
Yes |
No |
|
You can implement the username token with message protection that conforms to the WS-Security 1.1 standard to achieve the interoperability of an OWSM 12c web service with a GlassFish client and the interoperability of a GlassFish web service with an OWSM 12c client.
The following topics describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard in different interoperability scenarios:
You can implement username token with message protection that conforms to the WS-Security 1.1 standard using an OWSM 12c web service and a GlassFish client.
To configure prerequisites for interoperability:
Create a default-keystore.jks file with the following command:
$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA
-dname "CN=orakey, O=oracle C=us" -keystore default-keystore.jks -storepass
welcome
Copy default-keystore.jks to the domain's fmwconfig directory.
Create a file user in GlassFish with the following command:
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user
For more information, see
http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html.
Import orakey from default-keystore.jks into GlassFish keystore and truststore. These are located in the directory <domain-dir>/config
$JAVA_HOME/bin/keytool -importkeystore -srckeystore
<path-to>/default-keystore.jks -destkeystore
<path-to-gf-domain>/config/cacerts.jks -srcalias orakey -destalias orakey
-srckeypass welcome -destkeypass changeit
Copy jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.
To configure OWSM 12c web service:
Create a web service.
Attach the following policy to the web service: oracle/wss11_username_token_with_message_protection_service_policy.
For more information, see “Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To configure GlassFish/Metro client:
Using NetBeans, create a Metro client by selecting New Project > Java > Java Application. Provide a project name and location and select Finish.
Right-click on the project. Select New > Web service Client. Follow the wizard and provide WSDL URL for service deployed in WebLogic.
Select Edit Web Services Attributes.
Check Use Development Defaults to include Metro libraries into the project.
Uncheck Use Development Defaults. Provide username subject and password.
For a Metro SE client:
Edit the truststore configuration. Select the same default-keystore.jks created in Step 5.
Drag and drop the web service operation into main class, main method.
Right click on the project and choose run to execute the project.
For a Metro Java EE client:
Drag and drop the web service operation into EJB or Servlet to invoke.
Deploy the application into GlassFish and invoke the web service.
You can implement username token with message protection that conforms to the WS-Security 1.1 standard using a GlassFish web service and an OWSM 12c client.
To configure prerequisites for interoperability:
Create a default-keystore.jks file with the following command:
$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA -dname "CN=orakey, O=oracle C=us" -keystore default-keystore.jks -storepass welcome
Copy default-keystore.jks to the domain's fmwconfig directory.
Save the credentials in credential store using WLST commands. For example:
$<ORACLE_HOME>/common/bin/wlst.sh > connect() > createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome") > createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome") > createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome") >createCred(map="oracle.wsm.security", key="glassfish.credentials" , user="wlsUser" , password="welcome1" , description="Glassfish user credentials");
A file cwallet.sso is created in the directory DOMAIN_HOME/config/fmwconfig
Create a file user in GlassFish with the following command:
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user
For more information, see http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html.
Import orakey from default-keystore.jks into GlassFish keystore and truststore. These are located in the directory <domain-dir>/config.
$JAVA_HOME/bin/keytool -importkeystore -srckeystore
<path-to>/default-keystore.jks -destkeystore
<path-to-gf-domain>/config/keystore.jks -srcalias orakey -destalias orakey
-srckeypass welcome -destkeypass changeit
Copy cwallet.sso, jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.
To configure the GlassFish/Metro web service:
Create a Metro web service. For more information, see http://metro.java.net/guide/ch02.html#using_metro-developing_with_nb.
Configure the appropriate security mechanism. for more information, see http://metro.java.net/guide/ch12.html#ahicu.
To configure an OWSM 11g client:
oracle/wss11_username_token_with_message_protection_client_policy in the wizard.csf-key to glassfish.credentials in the Override Properties option for the web service proxy.oracle.security.jps.config to jps-config.xml from Step 6.Note:
If you are using:
Oracle Service Bus business service, set the property overrides to glassfish.credentials in the Security page. For more information, see "Policy Overrides" in Developing Services with Oracle Service Bus at http://docs.oracle.com/docs/html/E15866_01/owsm.htm.
SOA Web service reference, set the property overrides to glassfish.credentials in the Security page. For more information, see Section 46.2.2 "How to Override Policy Configuration Property Values" in Developer's Guide for SOA Suite at http://docs.oracle.com/middleware/1213/soasuite/develop-soa/soa-security-policies-jdev.htm#SOASE85427.
You can implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.1 standard to achieve the interoperability of OWSM 12c web service with GlassFish client and the interoperability of GlassFish web service with OWSM 12c client.
The following topics describe how to implement SAML token (sender vouches) with message protection in different interoperability scenarios:
You can implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.1 standard using OWSM 12c web service and a GlassFish client.
The following topics describe how to configure an OWSM 12c web service and a GlassFish client to implement SAML token (sender vouches) with message protection:
Before you implement SAML token (sender vouches) with message protection for interoperability between an OWSM 12c web service and a GlassFish client, you must complete a number of high-level tasks.
To configure prerequisites for interoperability:
Create a default-keystore.jks file with the following command:
$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA -dname "CN=orakey, O=oracle C=us" -keystore default-keystore.jks -storepass welcome
Copy default-keystore.jks to the domain's fmwconfig directory.
Create a file user in GlassFish with the following command:
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user
For more information, see http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html.
Add the user. For more information, see "Create users" in Oracle WebLogic Server Administration Console Online Help.
Import orakey from default-keystore.jks into GlassFish keystore and truststore. These are located in the directory <domain-dir>/config.
$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks -destkeystore <path-to-gf-domain>/config/cacerts.jks -srcalias orakey -destalias orakey -srckeypass welcome -destkeypass changeit
Copy jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.
You can create an OWSM 11g web service and attach the SAML token with message protection service policy to achieve interoperability with a GlassFish client.
To configure an OWSM 11g web service:
Create a web service.
Attach the following policy to the web service:
oracle/wss11_saml_token_with_message_protection_service_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
You can configure a GlassFish client to implement SAML token with message protection for interoperability with an OWSM 11g web service.
To configure a GlassFish/Metro client:
Using NetBeans, create a Metro client by selecting New Project > Java > Java Application. Provide a project name and location. Select the server to deploy and select Finish.
Right-click the project. Select New > Web Service Client. Follow the wizard and provide WSDL URL for service deployed in WebLogic.
Create a SAML CallbackHandler that can be used with WSIT SAML Security Mechanisms supported by NetBeans.
Place the file in the source folder of the project.
Ensure issuer variable value is the same as in the jps-config.xml file created in Step 5 of Configuring Prerequisites for Interoperability for GlassFish Client.
Set the urn reference to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
Set the user created in Step 3 and Step 4 of Configuring Prerequisites for Interoperability for GlassFish Client. For example, to set the user to wlsuser, modify the file as follows: CN=wlsuser,OU=SU,O=wlsuser,L=Los Angeles,ST=CA,C=US.
To configure the JVM, log on to the GlassFish Administration Console.
In the left pane, expand Configuration and click JVM Setting.
In the right pane, click JVM Option tab.
Click Add JVM Option. A new text field is displayed. Enter -DWSIT_HOME=${com.sun.aas.installRoot}.
Click Enterprise Server in left pane.
Click Restart in the right pane to restart the server.
For more information, see Oracle GlassFish Server 3.1 Administration Guide at: http://download.oracle.com/docs/cd/E18930_01/html/821-2416/gepzd.html.
Expand Web Services Reference node. Using NetBeans, right click Service Reference and select Edit Web Services Attributes.
For SAML Callback Handler option, click Browse and select the file from Step 3.
Set the alias in Keystore and Truststore.
Open index.jsp file. Right click and select Web Service Client Reference. Select Operation in Select Operation to Invoke dialog box and click ok.
Run the project.
You can implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.1 standard by using a GlassFish web service and a OWSM 12c client.
The following topics describe how to configure a GlassFish web service and a OWSM 12c client to implement SAML token (sender vouches) with message protection:
Before you implement SAML token (sender vouches) with message protection for interoperability between a GlassFish web service and an OWSM 12c client, you must complete a number of high-level tasks.
To configure prerequisites for interoperability:
Create a default-keystore.jks file with the following command:
$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA -dname "CN=orakey, O=oracle C=us" -keystore default-keystore.jks -storepass welcome
Copy default-keystore.jks to the domain's fmwconfig directory.
Save the credentials in credential store using WLST commands.
For example:
$<ORACLE_HOME>/common/bin/wlst.sh > connect() > createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome") > createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome") > createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome") >createCred(map="oracle.wsm.security", key="glassfish.credentials" , user="wlsUser" , password="welcome1" , description="Glassfish user credentials");
A cwallet.sso file is created in the directory DOMAIN_HOME/config/fmwconfig.
Create a file user in GlassFish with the following command:
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user
For more information, see http://download.oracle.com/docs/cd/E18930_01/html/821-2433/create-file-user-1.html.
Import orakey from default-keystore.jks into GlassFish keystore and truststore. These are located in the directory <domain-dir>/config.
$JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to>/default-keystore.jks -destkeystore <path-to-gf-domain>/config/keystore.jks -srcalias orakey -destalias orakey -srckeypass welcome -destkeypass changeit
Copy cwallet.sso, jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.
You can create a GlassFish web service and attach the SAML token with message protection service policy to achieve interoperability with an OWSM 11g client.
To configure a GlassFish/Metro web service:
Create a Metro web service.
For more information, see http://metro.java.net/guide/ch02.html#using_metro-developing_with_nb.
Configure the appropriate security mechanism. For more information, see http://metro.java.net/guide/ch12.html#ahicu.
You can configure an OWSM 11g client to implement SAML token (sender vouches) with message protection for interoperability with a GlassFish web service.
To configure the OWSM 11g client:
Using JDeveloper, create a web service proxy for the GlassFish service. Select the policy oracle/wss11_saml_token_with_message_protection_client_policy in the wizard.
For more information, see “Developing and Securing Web Services” in Developing Applications with Oracle JDeveloper.
Set the path to jps-config.xml created in Step 6 of “Configuring Prerequisites for Interoperability for GlassFish Web Service”.
Set the USERNAME_PROPERTY as follows: ((BindingProvider) sAMLTokenEchoService).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "wlsUser");
Invoke the web service.