WS-Security, using an OPSS Key Store Service (KSS) keystore, provides a mechanism for retrieving and managing the security credentials of a WebCenter Portal application and ancillary applications and components across one or more domains. The KSS keystore provides information about available public and private keys that can be used for authentication and data integrity.
The topics in this chapter show how to configure a typical topology with WS-Security (where WebCenter Portal and the WSRP producers share the same domain, but the BPEL server is in an external SOA domain), and how to extend that configuration for more complex environments (where, for example, a BPEL server is in a separate SOA domain, and one WSRP producer is in an external portlet domain):
Permissions:
To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.
See also Understanding Administrative Operations, Roles, and Tools.
This section describes how to configure WS-Security for a topology where the WebCenter Portal application, WSRP producers, and discussions server share the same domain, but the BPEL (SOA) server is in an external domain.
Typical Topology
Domain 1 : WebCenter Portal , Discussions, Portlet Producers
Domain 2 : SOA
The steps to configure WS-Security for a typical two-domain topology are described in the following topics:
This section describes how to use the OPSS Keystore Service (KSS) to create the WebCenter Portal keystore and keys. A keystore is a file that provides information about available public and private keys. Keys are used for a variety of purposes, including authentication and data integrity. User certificates and the trust points needed to validate the certificates of peers are also stored securely in the keystore. After creating the keystore, the security credentials of WebCenter Portal, discussions server, BPEL servers, and WSRP producers can be retrieved and managed using the KSS. For more information about the OPSS Keystore Service, see Managing Keys and Certificates with the Keystore Service in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
To create the WebCenter Portal domain keystore:
This section describes how to create a SOA domain keystore and keys using an OPSS keystore (KSS). For syntax and reference information about the KSS commands, see OPSS Keystore Service Commands in Oracle Fusion Middleware Infrastructure Security WLST Command Reference.
To create the SOA domain keystore:
If the discussions server for your topology is in the same domain as the WC_Portal server and is not being used in a production environment, then no extra keystore configuration is needed since the keystore configured for the WebCenter Portal domain is used for the discussions server as well. However, for production environments, you should protect the discussions web service endpoints with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following topics:
Note:
Discussions-specific web services messages sent by WebCenter Portal to the discussions server are not encrypted. For message confidentiality, the discussions server URL must be accessed over Secure Socket Layer (SSL). For more information, see Configuring SSL.
In a new or patched WebCenter Portal instance, the assigned security policy configuration is set to "no security policy." You must attach Oracle Web Services Manager (OWSM) security policies for the WebCenter Portal web service endpoint and the discussions authenticated web service endpoint. For a production environment, continue by hardening the security by following the steps in Securing the Discussions End Points.
Note:
In a patched WebCenter Portal instance, you must determine the policy names before you patch, then verify that the policies are the same after an upgrade.
To attach the web service security policy configuration in a new instance:
Note:
For clustered environments, repeat these steps for each of the managed servers where WebCenter Portal and discussions are deployed.
The discussions web service endpoints require user identity to be propagated for calls originating from WebCenter Portal. For a production environment, the web service endpoints must be secured with OWSM policies to ensure that messages are not tampered with, and can't be viewed by others while in transit. To do this, both the public access web service endpoint and authenticated user access endpoint should be secured with the appropriate OWSM policies using either Fusion Middleware Control or WLST.
This section contains the following topics:
To secure the discussions end points using Fusion Middleware Control, follow the steps below:
To secure the discussions server endpoints using WLST, detach the wss10_saml_token_service_policy and attach the wss11_saml_token_with_message_protection_service_policy using the following WLST commands:
detachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss10_saml_token_service_policy')
attachWebServicePolicy(application='owc_discussions', moduleName='owc_discussions', moduleType='web', serviceName='OWCDiscussionsServiceAuthenticated', subjectName='OWCDiscussionsServiceAuthenticated', policyURI='oracle/wss11_saml_token_with_message_protection_service_policy')
You must supply the WS-Security client certificate information within the discussions server connection that is configured for your WebCenter Portal application, as described in Registering Discussions Servers. Figure 30-6 shows example connection detail settings for the Edit Discussions and Announcement Connection page.
Figure 30-6 Edit Discussions and Announcement Connection Page
This section describes how to extend the WS-Security configuration for a typical topology to topologies where, for example, the WebCenter Portal application, BPEL (SOA) server, discussions server, and a WSRP producer server are each in their own domain.
Multiple Domain Topology
Domain 1 : WebCenter Portal
Domain 2 : SOA (BPEL) server
Domain 3 : Discussions server
Domain 4 : WSRP producers
The steps to configure WS-Security for a topology with multiple domains are described in the following topics:
To create the WebCenter Portal domain keystore, follow the steps for configuring WS-Security for a typical topology as described in Creating the WebCenter Portal Domain Keystore. After creating the keystore, the security credentials of WebCenter Portal, discussions server, BPEL servers, and WSRP producers can be retrieved and managed using the KSS. For more information about the OPSS Keystore Service, see Managing Keys and Certificates with the Keystore Service in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
Create the SOA domain keystore and keys using an OPSS keystore (KSS) as described in Creating the SOA Domain Keystore. For syntax and reference information about the KSS commands, see OPSS Keystore Service Commands in Oracle Fusion Middleware Infrastructure Security WLST Command Reference.
If the discussions server is in a different domain than WebCenter Portal, you will need to create and configure a keystore for the discussions server and export the certificate containing the public key and import it into the WebCenter Portal domain. For production environments you will also need to protect the discussions web service end points with an OWSM policy and configure the discussions server connection settings. These configuration steps are described in the following subsections:
The discussions web service end points require user identity to be propagated for calls originating from WebCenter Portal. Follow the steps in Securing the Discussions End Points to secure the endpoints using either Fusion Middleware Control or WLST.
This section describes how to create a keystore for the discussions server that contains the key pair used by OWSM, and export the certificate containing the public key so it can be imported into the WebCenter Portal domain.
To create the owc_discussions keystore:
You must supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Portal, as described in Registering Discussions Servers. Figure 30-7 shows example connection detail settings for the Edit Discussions and Announcement Connection page.
Figure 30-7 Edit Discussions and Announcement Connection Page
This section describes the administrator tasks required to configure WS-Security for WebCenter Portal so that the communication between an application exposing the WebCenter Portal API (the consumer) and WebCenter Portal (the producer) is secure, and that the identity of the user invoking the API is protected.
This section includes the following topics:
If your client application is part of the same domain as WebCenter Portal, you only need to specify the following for the GroupSpaceWSContext():
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");
Note:
The alias here should always be the public key.
If your client application is JDeveloper and you have access to the WebCenter Portal server's configured keystore, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig/dir and configure the JDeveloper domain to use this keystore. The steps are exactly the same as those in Creating the WebCenter Portal Domain Keystore, and you would then also need to specify the following on your client stub:
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");
If your client application is part of the same domain as WebCenter Portal, you only need to specify the following for the GroupSpaceWSContext():
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");
Note:
The alias here should always be the public key.
If your client application is JDeveloper, copy the same keystore to JDeveloper's DefaultDomain/config/fmwconfig/dir and configure the JDeveloper domain to use this keystore. The steps are exactly the same as those in Creating the WebCenter Portal Domain Keystore, and you would then also need to specify the following on your client stub:
GroupSpaceWSContext context = new GroupSpaceWSContext();
context.setRecipientKeyAlias("producer");
Use the following command summary to quickly configure the keystore for a typical topology. These commands explain how to configure a JKS keystore.
WebCenter Side
Use the following keytool commands to generate the keystore, replacing the example values (distinguished names, aliases, passwords, and file names) with those for your local environment:
keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass MyPassword -keystore webcenter.jks -storepass MyPassword -validity 1064
keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass MyPassword -rfc -file webcenter_public.cer
SOA Side
keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass MyPassword -keystore bpel.jks -storepass MyPassword -validity 1024
keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass MyPassword -rfc -file bpel.cer
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass MyPassword
WebCenter Side
keytool -importcert -alias bpel -file bpel.cer -keystore webcenter.jks -storepass MyPassword
Copy the webcenter.jks file to your domain_home/config/fmwconfig directory, and the bpel.jks file to your soa_domain_home/config/fmwconfig directory.
Configure the SOA Domain Keystore
Run the following WLST command to register the keystore:
configureWSMKeystore(context='/WLS/WC_Domain', keystoreType='JKS', location='./webcenter.jks', keystorePassword='keystorePassword', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')
Where:
WC_Domain — The WebCenter Portal domain
signAliasPassword — The password for the public key
cryptAlias — The public key alias
cryptAliasPassword — The password for the public key
configureWSMKeystore(context='/WLS/WC_Domain', keystoreType='JKS', location='./consumer.jks',keystorePassword='welcome1', signAlias='consumer', signAliasPassword='welcome1', cryptAlias='consumer', cryptAliasPassword='welcome1')
Use the following command summary to quickly configure the keystore and DF properties for a multi-domain topology.
WebCenter Side
Use the following keytool commands to generate the keystore, replacing the example values (distinguished names, aliases, passwords, and file names) with those for your local environment:
keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias webcenter -keypass MyPassword -keystore webcenter.jks -storepass MyPassword -validity 1064
keytool -exportcert -v -alias webcenter -keystore webcenter.jks -storepass MyPassword -rfc -file webcenter_public.cer
SOA Side
keytool -genkeypair -keyalg RSA -dname "cn=bpel,dc=example,dc=com" -alias bpel -keypass MyPassword -keystore bpel.jks -storepass MyPassword
keytool -exportcert -v -alias bpel -keystore bpel.jks -storepass MyPassword -rfc -file bpel.cer
keytool -importcert -alias webcenter_spaces_ws -file webcenter_public.cer -keystore bpel.jks -storepass MyPassword
When prompted to trust the certificate, say yes.
Discussions
keytool -genkeypair -keyalg RSA -dname "cn=disc,dc=example,dc=com" -alias discussions -keypass MyPassword -keystore discussions.jks -storepass MyPassword
keytool -exportcert -v -alias discussions -keystore discussions.jks -storepass MyPassword -rfc -file disc.cer
keytool -importcert -alias webcenter_public -file webcenter_public.cer -keystore discussions.jks -storepass MyPassword
When prompted to trust the certificate, say yes.
WebCenter Side
keytool -importcert -alias df_webcenter_public -file disc.cer -keystore webcenter.jks -storepass MyPassword
When prompted to trust the certificate, say yes.
keytool -importcert -alias webcenter_spaces_ws -file bpel.cer -keystore webcenter.jks -storepass MyPassword
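The following POSIX shell script is an added example and is not part of the Oracle documentation or the product. It automates the keytool work of both the typical-topology and the multiple-domain command summaries above in a scratch directory, then verifies every trusted certificate entry against the certificate file it was supposed to come from by comparing SHA-256 fingerprints; that check catches the wrong-file and wrong-keystore mistakes that a hand-typed import silently tolerates. It assumes a JDK keytool on the PATH. The distinguished names, the single shared password and the file names are constructed placeholders modelled on the summaries; the alias names webcenter_spaces_ws, webcenter_public and df_webcenter_public are the ones the page uses; the function names (gen_store, trust, verify_trust, build_topology, check_topology) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): build the three JKS keystores of the
# multiple-domain topology, exchange public certificates, and verify each trust entry.
# Assumes: a JDK keytool on PATH. All DNs, passwords and file names are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for the keystores and certificates
STOREPASS="MyPassword"                # constructed placeholder; use distinct, vaulted passwords in production

# gen_store <store> <alias> <cn>: create an RSA key pair and export its certificate (PEM).
gen_store() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -dname "cn=$3,dc=example,dc=com" \
    -alias "$2" -keypass "$STOREPASS" -keystore "$WORK/$1.jks" \
    -storepass "$STOREPASS" -validity 1064 >/dev/null 2>&1
  keytool -exportcert -rfc -alias "$2" -keystore "$WORK/$1.jks" \
    -storepass "$STOREPASS" -file "$WORK/$1.cer" >/dev/null 2>&1
}

# trust <store> <alias> <cerfile>: import a peer certificate as a trusted entry.
trust() {
  keytool -importcert -noprompt -alias "$2" -file "$WORK/$3" \
    -keystore "$WORK/$1.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file, and of an alias inside a keystore.
fp_file() { keytool -printcert -file "$WORK/$1" | sed -n 's/.*SHA256: //p' | head -n 1; }
fp_alias() {
  keytool -list -v -alias "$2" -keystore "$WORK/$1.jks" -storepass "$STOREPASS" \
    | sed -n 's/.*SHA256: //p' | head -n 1
}

# verify_trust <store> <alias> <cerfile>: succeeds only when the trusted entry under <alias>
# is byte-for-byte the certificate exported to <cerfile>.
verify_trust() {
  [ -n "$(fp_alias "$1" "$2")" ] && [ "$(fp_alias "$1" "$2")" = "$(fp_file "$3")" ]
}

build_topology() {
  gen_store webcenter   webcenter   spaces   # WebCenter Portal domain
  gen_store bpel        bpel        bpel     # SOA (BPEL) domain
  gen_store discussions discussions disc     # discussions domain
  trust bpel        webcenter_spaces_ws webcenter.cer     # SOA side trusts WebCenter Portal
  trust discussions webcenter_public    webcenter.cer     # discussions side trusts WebCenter Portal
  trust webcenter   df_webcenter_public discussions.cer   # WebCenter side trusts discussions
  trust webcenter   webcenter_spaces_ws bpel.cer          # WebCenter side trusts SOA
}

# check_topology: re-derive every trust relationship from the keystores and fail on any mismatch.
check_topology() {
  verify_trust bpel        webcenter_spaces_ws webcenter.cer   &&
  verify_trust discussions webcenter_public    webcenter.cer   &&
  verify_trust webcenter   df_webcenter_public discussions.cer &&
  verify_trust webcenter   webcenter_spaces_ws bpel.cer
}

# Usage: sh keystores.sh run   (builds into $WORK and verifies; copy the .jks files to each
# domain's config/fmwconfig directory afterwards, as the summaries above describe)
if [ "${1:-}" = "run" ]; then
  build_topology && check_topology && echo "all trust entries verified in $WORK"
fi
```

The verification step is the part worth keeping in any real runbook: after copying the keystores into each domain's config/fmwconfig directory, the same fingerprint comparison (keytool -list -v against keytool -printcert) confirms that the entry a peer will use to validate signatures really is that peer's certificate and not a stale or mis-named file.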
Note:
Maintain the name of the alias as 'webcenter_spaces_ws'.
Configure the External Discussions Server Domain Keystore
Run the following WLST command to register the keystore on the WebCenter Side:
configureWSMKeystore(context='/WLS/wc_domain',keystoreType='JKS',location='./producer.jks',keystorePassword='welcome1',signAlias='producer',signAliasPassword='welcome1',cryptAlias='producer',cryptAliasPassword='welcome1')
Where:
wc_domain — The WebCenter Portal domain
signAliasPassword — The password for the public key
cryptAlias — The public key alias
cryptAliasPassword — The password for the public key
Configure the SOA Domain Keystore
Run the following WLST command to register the keystore:
configureWSMKeystore(context='/WLS/wc_domain',keystoreType='JKS',location='./bpel.jks',keystorePassword='welcome1',signAlias='producer',signAliasPassword='welcome1',cryptAlias='producer',cryptAliasPassword='welcome1')
Where:
wc_domain — The WebCenter Portal domain
signAliasPassword — The password for the public key
cryptAlias — The public key alias
cryptAliasPassword — The password for the public key
Registering Discussions keystore
Run the following WLST command to register the keystore:
configureWSMKeystore(context='/WLS/wc_domain', keystoreType='JKS', location='./discussions.jks', keystorePassword='keystorePassword', signAlias='producer', signAliasPassword='signAliasPassword', cryptAlias='cryptAlias', cryptAliasPassword='cryptAliasPassword')
Where:
wc_domain — The WebCenter Portal domain
signAliasPassword — The password for the public key
cryptAlias — The public key alias
cryptAliasPassword — The password for the public key
Configure the Discussions Server Connection
Supply the WS-Security client certificate information within the discussions server connection that is configured for WebCenter Portal, as described in Registering Discussions Servers. Also see Configuring the Discussions Server Connection Settings for example connection detail settings for the Edit Discussions and Announcement Connection page.