
BPEL Security and OPSS

SOA Suite 11g uses OPSS (Oracle Platform Security Services) to externalize application security. OPSS provides a unified security layer for Oracle Fusion Middleware products such as WebLogic Server, SOA Suite, WebCenter and ADF. Its major advantage is a single, centralized security framework that can be used in both Oracle and non-Oracle environments, which reduces maintenance and integration costs.

In this example we are going to secure a BPEL process with a policy that provides authentication and message protection (signing and encryption): "oracle/wss10_username_token_with_message_protection_service_policy".

Steps to implement this example:

  1. Create key stores for the client and the server.
  2. Import the server key store into WebLogic Server.
  3. Attach the security policy to the BPEL process endpoint.
  4. Create a web service proxy that invokes the BPEL process using credentials from the client key store.

1. Create key stores for client and server

image

We are going to generate a key pair (public and private key) for both the server and the client store. The client, in our case the Java proxy, signs the web service request with its own private key and encrypts it using the server's public key. The server, in this case WebLogic Server, verifies the signature with the client's certificate and decrypts the request using its own private key. Similarly, the server encrypts the response using the client's public key, and the client decrypts the response using its own private key. This is why each keystore must hold its own key pair plus the other party's certificate. We generate demo keystores with the keytool utility shipped with the JDK.

An example command to generate the server key pair and store it in a keystore is shown below. Replace localhost with your own host name. This command generates a server key pair valid for 365 days (one year). Two caveats for anything beyond a demo: without -keysize, older JDKs default to 1024-bit RSA keys, so add -keysize 2048; SHA1withRSA is a deprecated signature algorithm, so prefer -sigalg SHA256withRSA; and choose keystore and key passwords other than welcome.

keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=localhost, C=UK" -keypass welcome -keystore D:\PROGRAMS\KEYSTORE\server.jks -storepass welcome -validity 365

An example command to generate the client key pair and store it in a keystore is shown below. Replace localhost with your own host name. This command generates a client key pair valid for 365 days (one year).

keytool -genkey -alias clientKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=localhost, C=UK" -keypass welcome -keystore D:\PROGRAMS\KEYSTORE\client.jks -storepass welcome -validity 365

Export the certificates (public keys) from the server's and the client's keystores.

keytool -exportcert -alias serverKey -storepass welcome -keystore D:\PROGRAMS\KEYSTORE\server.jks -file D:\PROGRAMS\KEYSTORE\server.cer
keytool -exportcert -alias clientKey -storepass welcome -keystore D:\PROGRAMS\KEYSTORE\client.jks -file D:\PROGRAMS\KEYSTORE\client.cer

Import the client's certificate into the server's keystore. keytool asks "Trust this certificate?"; answer yes (or add -noprompt to the command).

keytool -import -alias clientKey -file D:\PROGRAMS\KEYSTORE\client.cer -storepass welcome -keystore D:\PROGRAMS\KEYSTORE\server.jks

Similarly, import the server's certificate into the client's keystore.

keytool -import -alias serverKey -file D:\PROGRAMS\KEYSTORE\server.cer -storepass welcome -keystore D:\PROGRAMS\KEYSTORE\client.jks

List the contents of both keystores to make sure the keys were created and imported correctly: each store should show its own alias as a PrivateKeyEntry and the other party's alias as a trustedCertEntry.

keytool -list -storepass welcome -keystore D:\PROGRAMS\KEYSTORE\server.jks
keytool -list -storepass welcome -keystore D:\PROGRAMS\KEYSTORE\client.jks
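The whole of step 1 as a script, added here as an example and not part of the original post. keytool behaves the same on Windows and Linux, so it is written for a POSIX shell; the keystore directory, the CN and the two store passwords come from environment variables with demo defaults, which is an assumption of this script, while the aliases serverKey and clientKey are the ones used above. Beyond the commands above it uses 2048-bit RSA keys signed with SHA-256, gives the two stores different passwords, passes -noprompt to the certificate imports, and finishes by checking that each store holds its own PrivateKeyEntry and the peer's trustedCertEntry and that the trusted certificate is byte-for-byte the one the peer exported.

```shell
#!/bin/sh
# Added example (not from the original post): step 1 end to end, with checks.
# Assumptions: keytool from a JDK is on PATH; KEYSTORE_DIR is writable; the
# default passwords below are demo placeholders and should be overridden.
set -u

KEYSTORE_DIR="${KEYSTORE_DIR:-$(mktemp -d)}"
SERVER_STOREPASS="${SERVER_STOREPASS:-server-demo-secret}"
CLIENT_STOREPASS="${CLIENT_STOREPASS:-client-demo-secret}"
HOST_CN="${HOST_CN:-localhost}"          # replace with the real host name

# gen_keypair <keystore> <alias> <storepass> <cn>
# 2048-bit RSA signed with SHA-256 instead of the JDK default size and SHA-1.
gen_keypair() {
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$4, C=UK" -validity 365 \
    -keystore "$1" -storetype JKS -storepass "$3" -keypass "$3"
}

# export_cert <keystore> <alias> <storepass> <outfile>   (DER-encoded certificate)
export_cert() {
  keytool -exportcert -alias "$2" -keystore "$1" -storepass "$3" -file "$4" >/dev/null
}

# import_cert <keystore> <alias> <storepass> <certfile>
# -noprompt skips the interactive "Trust this certificate?" question.
import_cert() {
  keytool -importcert -noprompt -alias "$2" -keystore "$1" -storepass "$3" -file "$4" >/dev/null
}

# has_entry <keystore> <storepass> <alias> <PrivateKeyEntry|trustedCertEntry>
# keytool -list prints aliases in lower case, hence grep -i.
has_entry() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -qi "^$3,.*$4"
}

# same_cert <ks_a> <pass_a> <ks_b> <pass_b> <alias>
# The certificate stored under <alias> must be identical in both stores.
same_cert() {
  sc_a=$(mktemp); sc_b=$(mktemp)
  export_cert "$1" "$5" "$2" "$sc_a" && export_cert "$3" "$5" "$4" "$sc_b" && cmp -s "$sc_a" "$sc_b"
  sc_rc=$?
  rm -f "$sc_a" "$sc_b"
  return $sc_rc
}

setup_keystores() {
  srv="$KEYSTORE_DIR/server.jks"; cli="$KEYSTORE_DIR/client.jks"
  gen_keypair "$srv" serverKey "$SERVER_STOREPASS" "$HOST_CN" &&
  gen_keypair "$cli" clientKey "$CLIENT_STOREPASS" "$HOST_CN" &&
  export_cert "$srv" serverKey "$SERVER_STOREPASS" "$KEYSTORE_DIR/server.cer" &&
  export_cert "$cli" clientKey "$CLIENT_STOREPASS" "$KEYSTORE_DIR/client.cer" &&
  import_cert "$srv" clientKey "$SERVER_STOREPASS" "$KEYSTORE_DIR/client.cer" &&
  import_cert "$cli" serverKey "$CLIENT_STOREPASS" "$KEYSTORE_DIR/server.cer"
}

# verify_keystores: each store holds its own private key and the peer's
# certificate, and the trusted copy matches what the peer exported.
verify_keystores() {
  srv="$KEYSTORE_DIR/server.jks"; cli="$KEYSTORE_DIR/client.jks"
  has_entry "$srv" "$SERVER_STOREPASS" serverKey PrivateKeyEntry &&
  has_entry "$srv" "$SERVER_STOREPASS" clientKey trustedCertEntry &&
  has_entry "$cli" "$CLIENT_STOREPASS" clientKey PrivateKeyEntry &&
  has_entry "$cli" "$CLIENT_STOREPASS" serverKey trustedCertEntry &&
  same_cert "$srv" "$SERVER_STOREPASS" "$cli" "$CLIENT_STOREPASS" serverKey &&
  same_cert "$cli" "$CLIENT_STOREPASS" "$srv" "$SERVER_STOREPASS" clientKey
}

if command -v keytool >/dev/null 2>&1; then
  setup_keystores && verify_keystores && echo "server.jks and client.jks ready in $KEYSTORE_DIR"
else
  echo "keytool not found on PATH; install a JDK" >&2
fi
```

Run it as, for example, KEYSTORE_DIR=/path/to/keystores SERVER_STOREPASS=... CLIENT_STOREPASS=... sh make-keystores.sh (the script name is arbitrary); on Windows a Git Bash or Cygwin shell works. The trusted-certificate comparison is the check that catches the classic mistake of importing a stale or wrong .cer file, which keytool -list alone does not reveal.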

2. Import server keystore into Weblogic Server

Copy server.jks to "<Weblogic Home>\user_projects\domains\<domainname>\config\fmwconfig". In my case, this directory is "D:\PROGRAMS\ORACLEMIDDLEWARE115G\user_projects\domains\orafmwschool\config\fmwconfig". This makes server.jks available to the WebLogic server runtime.

Open Enterprise Manager console using http://localhost:7001/em. Navigate to Security Provider configuration as shown below:

image

Navigate to Keystore section and click on Configure.

image

Enter ./server.jks as the keystore path (relative to the fmwconfig directory). Set the signature Key Alias and the encryption Crypt Alias to serverKey, and all passwords to welcome. EM saves these passwords in the domain credential store under the oracle.wsm.security map (keystore-csf-key, sign-csf-key and enc-csf-key), so they are not written to the configuration in clear text.

image

Click OK to finish registering the server keystore. Restart the WebLogic server (the SOA managed server) so that the keystore configuration takes effect.

3. Attach security policy to BPEL process endpoint

Open HelloWorld BPEL process’s dashboard in Enterprise Manager console as shown below. If not already created, follow HelloWorld lesson to create this BPEL process.

image

Click on Policies tab and click “Attach To/Detach From” as shown below and select end point: helloworldbpelprocess_client_ep.

image

Attach "oracle/wss10_username_token_with_message_protection_service_policy" as shown below.

image

Click OK to finish attaching policy.

4. Create Webservice proxy to invoke BPEL process by attaching credentials from client keystore

Copy HelloWorld BPEL process WSDL from EM console. In my case, it is http://asus-pc:8001/soa-infra/services/default/HelloWorld/helloworldbpelprocess_client_ep?WSDL.

Create a new JDeveloper project using “Web Project” template. Give HelloworldBPELProxy as project name. Click Finish to complete project creation.

image image

Create Webservice proxy based on WSDL as shown below. Enter WSDL url we copied earlier for Helloworld BPEL process.

image image

Provide package names. Click Next in steps 4 and 5. JDeveloper reads the web service's security policy from the WSDL automatically and shows the matching client policy in step 6; in this example it is "oracle/wss10_username_token_with_message_protection_client_policy". Click Finish.

image image

This generates HelloWorldBPELProcess_ptClient.java. The relevant part is shown below, together with the imports that the code added in the following steps needs (the generated file already imports SecurityPoliciesFeature):

import java.util.Map;
import javax.xml.ws.BindingProvider;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;

helloworldbpelprocess_client_ep = new Helloworldbpelprocess_client_ep();
// Attach the OWSM client policy that matches the service policy from step 3.
SecurityPoliciesFeature securityFeatures =
    new SecurityPoliciesFeature(new String[] { "oracle/wss10_username_token_with_message_protection_client_policy" });
HelloWorldBPELProcess helloWorldBPELProcess = helloworldbpelprocess_client_ep.getHelloWorldBPELProcess_pt(securityFeatures);
// Add your code to call the desired methods.

We need to specify the authentication and keystore parameters so that the proxy can sign and encrypt the request and decrypt the response. We do this by putting the appropriate properties into the request context; the code below goes after the "// Add your code to call the desired methods." comment in the generated class.

Specify the user credentials:

// Demo credentials for the WS-Security UsernameToken. Do not hardcode real
// credentials; read them from a credential store or the environment instead.
Map<String, Object> reqContext = ((BindingProvider) helloWorldBPELProcess).getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "oracle123");

Specify the keystore parameters. Note the three different roles of the aliases: the client's own key signs the request and decrypts the response, while the recipient key is the server's certificate that was imported into client.jks in step 1, because the request is encrypted for the server.

// client.jks from step 1: it holds the client's key pair (clientKey) and the
// server's certificate (serverKey). Point the location at that file.
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "D:\\Documents and Settings\\A150321\\Desktop\\WORK\\KEYSTORE\\client.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
// The client signs the request with its own private key ...
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "clientKey");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
// ... and decrypts the response with it.
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "clientKey");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
// The recipient is the server: the request is encrypted to the server's public key,
// i.e. the certificate imported into client.jks under the alias serverKey.
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "serverKey");

Finally, run the BPEL proxy to see the output:

System.out.println("output = " + helloWorldBPELProcess.process("Amjad"));

Debugging:

As shown below, enable detailed (TRACE) logging so that the signed and encrypted web service request and response are written to the SOA diagnostic log file.

image

image

After running the BPEL process proxy, examine soa_server1-diagnostic.log and search for the strings "SOAP request" and "SOAP response". With the policy attached, the body of both messages appears as xenc:EncryptedData rather than readable XML, the wsse:Security header carries a ds:Signature, and the UsernameToken is encrypted, so neither the payload nor the password is visible in the log.

image image
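A script that turns this log inspection into a check, added here as an example and not part of the original post. It pulls the envelope that follows a "SOAP request" or "SOAP response" marker out of a diagnostic log and reports whether it was actually signed and encrypted: it requires a wsse:Security header with a ds:Signature and xenc:EncryptedData, and fails if a wsse:Password element or the business payload (an element you name, such as <input> for the HelloWorld request) is readable in the clear. The log line layout, the logger name and the SOAP excerpts below are constructed for the example, not copied from a real SOA Suite log, so adjust the marker pattern to what your log shows.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a SOAP message
# captured in the SOA diagnostic log was really signed and encrypted.
# Assumptions: the envelope follows a line containing "SOAP request" or
# "SOAP response" and ends at </...:Envelope>; OWSM emits WS-Security 1.0
# markup (wsse:Security, ds:Signature, xenc:EncryptedData). The sample log
# content written by write_samples is constructed, not a real log.

# extract_soap <logfile> <request|response>: print the captured envelope(s).
extract_soap() {
  sed -n "/SOAP $2/,/<\/[A-Za-z]*:Envelope>/p" "$1"
}

# is_protected <logfile> <request|response> <plaintext-marker>
# Returns 0 when the envelope carries a WS-Security header with a signature
# and encrypted data, and neither a password nor the business payload
# (identified by <plaintext-marker>, e.g. '<input>') is readable.
is_protected() {
  ip_msg=$(extract_soap "$1" "$2")
  [ -n "$ip_msg" ] || { echo "no SOAP $2 found in $1" >&2; return 1; }
  for needle in '<wsse:Security' '<ds:Signature' '<xenc:EncryptedData'; do
    printf '%s' "$ip_msg" | grep -q "$needle" || { echo "$2: missing $needle" >&2; return 1; }
  done
  for leak in '<wsse:Password' "$3"; do
    if printf '%s' "$ip_msg" | grep -q "$leak"; then echo "$2: $leak visible in clear" >&2; return 1; fi
  done
  return 0
}

# write_samples <dir>: constructed log excerpts, one protected and one not.
write_samples() {
  cat > "$1/protected.log" <<'EOF'
[2011-05-01T10:00:00.000+01:00] [soa_server1] [TRACE] [] [oracle.wsm.msg.logging] [tid: 11] SOAP request :
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
 <env:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
   <wsse:BinarySecurityToken wsu:Id="X509-1">CONSTRUCTEDBASE64</wsse:BinarySecurityToken>
   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
   <xenc:EncryptedData Id="EncToken-1"><xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  </wsse:Security>
 </env:Header>
 <env:Body>
  <xenc:EncryptedData Id="EncBody-1"><xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
 </env:Body>
</env:Envelope>
EOF
  cat > "$1/clear.log" <<'EOF'
[2011-05-01T10:01:00.000+01:00] [soa_server1] [TRACE] [] [oracle.wsm.msg.logging] [tid: 12] SOAP request :
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
 <env:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsse:UsernameToken><wsse:Username>weblogic</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">oracle123</wsse:Password></wsse:UsernameToken>
  </wsse:Security>
 </env:Header>
 <env:Body>
  <process><input>Amjad</input></process>
 </env:Body>
</env:Envelope>
EOF
}

SAMPLE_DIR="${SAMPLE_DIR:-$(mktemp -d)}"
write_samples "$SAMPLE_DIR"
for f in protected clear; do
  if is_protected "$SAMPLE_DIR/$f.log" request '<input>'; then
    echo "$f.log: request is signed and encrypted"
  else
    echo "$f.log: request is NOT protected"
  fi
done
```

Against a real domain the call is is_protected "$DOMAIN_HOME/servers/soa_server1/logs/soa_server1-diagnostic.log" request '<input>' (and response '<result>' for the reply). The clear.log sample shows what a practitioner should never find after step 3: a PasswordText UsernameToken and the payload readable, which is exactly what an unattached or wrongly attached policy produces.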

5 Comments
  1. This is regarding the BPEL Security and OPSS session. We can create the key pair by using the following command:

    "keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=localhost, C=UK" -keypass welcome -keystore D:\PROGRAMS\KEYSTORE\server.jks -storepass welcome -validity 365

    This is an example, but my question is where to type this command. I mean to ask in which directory the command needs to be typed to create the key pair?

    In my case I use the following path to start the web server:

    "C:\Oracle\Middleware\user_projects\domains\base_domain\bin>startWebLogic"

    Can you please advise on this?

    Thanks,

  2. Hi Admin,

    Thank you very much for the information. I have created the public/private key pair and also the certificates and also set the server.jks file in EM console.

    But now the thing is that-
    As per the steps provided herein, I have separately created the "HelloworldBPELProxy" web project and also created the web service proxy by right-clicking on the "HelloworldBPELProxy" project in JDeveloper, but I can't figure out where (in which class) to add/modify the following segment of code:

    Map reqContext = ((BindingProvider) helloWorldBPELProcess ).getRequestContext();
    reqContext.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
    reqContext.put(BindingProvider.PASSWORD_PROPERTY, "oracle123");

    ------------------------------------------------------------------

    reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "D:\\Documents and Settings\\A150321\\Desktop\\WORK\\KEYSTORE\\client.jks");
    reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "clientKey");
    reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "clientKey");
    reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
    reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "clientKey");
    ------------------------------------------------------------
    Finally, run bpel proxy to see output:

    System.out.println("output = " + helloWorldBPELProcess .process("Amjad"));
    =================================

    Please advise me.

    Thanks,
    Samrat

    • Hi Samrat,
      Did you find where to solve this problem? Since I meet the same problem, I need help too ;)

      • Ning/Samrat, code needs to be added after “// Add your code to call the desired methods.”.
