Wednesday, April 18, 2012

Securing OSB 11g proxy services with OWSM 11g

Oracle Web Services Manager (OWSM) 11g is a standards-based solution that lets administrators apply web services security declaratively: no coding is required, and the security policy is kept separate from the web services it protects. Security and management policies are defined centrally in the OWSM 11g Policy Manager and enforced locally at runtime.

This blog post describes how to implement WS-BASIC for authentication.


Prerequisites

In order to allow OWSM 11g policies to secure OSB 11g proxy services, you must extend your domain to include Oracle Service Bus and the Oracle Service Bus OWSM Extension.

Creating Authentication User Accounts

User accounts used for authentication can be created either from the OSB Console or the WebLogic Administration Console. Here, I describe how to do so from the OSB Console.

1. Login to the OSB console

2. Click on 'Security Configuration'

3. Click on 'Add New'

4. Enter the following to create an account that the service will authenticate against:
        User Name:               <username>
        Password:                <password>
        Authentication Provider: DefaultAuthenticator


Securing the OSB Proxy Service

1. Log in to the OSB Console

2. Click on your OSB project

3. Click on the proxy service

4. Click on the 'Policies' tab

5. Select 'From OWSM Policy Store'

6. Click 'Add'

7. Select the policy 'oracle/wss_username_token_service_policy'

8. Update, activate, and submit the changes


Testing

When testing, add the following WS-Security header to the SOAP request that carries your payload:

<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>oratest</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
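As an added example that is not part of the original post (and not Oracle's code), the script below builds the same UsernameToken header in Python, in both the PasswordText form shown above and the PasswordDigest form defined by the OASIS UsernameToken Profile 1.0, and then performs the checks a service-side policy must make before it authenticates a caller: the wsse:Username element has to be present and non-empty (the situation behind the WSM-00015 "user name is missing" error discussed in the comments), the password or digest has to match the stored credential, and a digest token has to carry a Created timestamp inside a replay window. The oratest/welcome1 values are the post's own sample; the credential-store dictionary, the replay window and all function names are assumptions made for this example.

```python
# Added example (not from the original post or from Oracle): build and check a
# WS-Security UsernameToken header like the one shown in the Testing section.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT = PROFILE + "#PasswordText"      # cleartext password: only sensible over TLS
PW_DIGEST = PROFILE + "#PasswordDigest"  # Base64(SHA-1(nonce + created + password))
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "wsu": WSU_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(username, password, digest=False, nonce=None, created=None):
    """Return a SOAP 1.1 envelope whose header carries a UsernameToken."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                        {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password")
    if digest:
        nonce = nonce or os.urandom(16)
        created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
        pw.set("Type", PW_DIGEST)
        pw.text = password_digest(nonce, created, password)
        ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode()
        ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    else:
        pw.set("Type", PW_TEXT)
        pw.text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body")  # the business payload would go here
    return ET.tostring(env, encoding="unicode")


def parse_username_token(envelope_xml: str) -> dict:
    """Pull the token fields out of the Security header; raise ValueError when the
    mandatory wsse:Username is absent or empty (the WSM-00015 condition)."""
    root = ET.fromstring(envelope_xml)
    tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        raise ValueError("no wsse:UsernameToken in the Security header")
    username = tok.findtext("wsse:Username", default="", namespaces=NS).strip()
    if not username:
        raise ValueError("The user name is missing")
    pw = tok.find("wsse:Password", NS)
    if pw is None or not pw.text:
        raise ValueError("The password is missing")
    nonce_b64 = tok.findtext("wsse:Nonce", default="", namespaces=NS)
    return {
        "username": username,
        "password": pw.text,
        "type": pw.get("Type", PW_TEXT),  # the profile's default is PasswordText
        "nonce": base64.b64decode(nonce_b64) if nonce_b64 else b"",
        "created": tok.findtext("wsu:Created", default="", namespaces=NS),
    }


def authenticate(envelope_xml, credential_store, now=None, max_skew=300):
    """Check the token against a {username: password} dict (a constructed stand-in
    for the server's credential store). 'now' is a UTC time in TIME_FMT; when
    given, digest tokens older or newer than max_skew seconds are rejected."""
    tok = parse_username_token(envelope_xml)
    expected = credential_store.get(tok["username"])
    if expected is None:
        return False  # unknown user: same result as a bad password, no detail leaked
    if tok["type"] == PW_TEXT:
        return hmac.compare_digest(tok["password"].encode(), expected.encode())
    if tok["type"] == PW_DIGEST:
        if not tok["nonce"] or not tok["created"]:
            return False  # digest without nonce/created cannot be verified
        if now is not None:
            delta = datetime.strptime(now, TIME_FMT) - datetime.strptime(tok["created"], TIME_FMT)
            if abs(delta.total_seconds()) > max_skew:
                return False  # outside the replay window
        want = password_digest(tok["nonce"], tok["created"], expected)
        return hmac.compare_digest(tok["password"].encode(), want.encode())
    return False  # unrecognised password type
```

Running `build_envelope("oratest", "welcome1")` reproduces the header from the post (plus an empty Body); `authenticate` is the check a policy such as oracle/wss_username_token_service_policy performs conceptually, with the credential store replaced by a dictionary so the script runs offline. Because PasswordText carries the password in the clear, the envelope should only travel over TLS; the digest form avoids that but, as the code shows, still needs the nonce and Created timestamp to be checked.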

Applicable Versions
  • Oracle Service Bus 11g (11.1.1.5)
  • Oracle Web Services Manager 11g (11.1.1.5)


Ahmed Aboulnaga

6 comments:

Life has a twist said...

Hi, we tried to follow the same steps but we still get an error and are not able to trace the root cause of the issue. It would be of great help if you could suggest something. Now we are trying the below link.
http://tim.blackamber.org.uk/?p=825

Life has a twist said...

We followed the below link to set up OWSM security on OSB 11g.


http://jvzoggel.wordpress.com/2011/08/09/using-usernametoken-authorisation-authentication-osb/

We get the errors below when we try to test it.


*Request we are using:*

userA
Tigo1234

*Errors:*

An error ocurred during web service security outbound request processing [error-code: SecurityHeaderMarshallingError, message-id: , proxy: , target: GetBalanceInfo/proxyservice/GetBalanceInfo, operation: process]
--- Error message:

Life has a twist said...

oracle.wsm.security.SecurityException: WSM-00015 : The user name is missing.
at oracle.wsm.security.policy.scenario.processor.UsernameTokenProcessor.build(UsernameTokenProcessor.java:450)
at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.sendRequest(WssUsernameTokenScenarioExecutor.java:212)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:577)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:669)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:346)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:294)
at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1001)
at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:470)
at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:373)
at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:217)
at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:215)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAs(JpsSubject.java:208)
at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler.processRequest(WsmOutboundHandler.java:214)
at com.bea.wli.sb.test.service.wss.WssHandler.processRequest(WssHandler.java:279)
at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:468)
at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:116)
at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:261)
at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
at com.bea.wli.sb.test.service.ServiceMessageSender.send(ServiceMessageSender.java:140)
at com.bea.wli.sb.test.service.ServiceProcessor.invoke(ServiceProcessor.java:454)
at com.bea.wli.sb.test.TestServiceImpl.invoke(TestServiceImpl.java:172)
at com.bea.wli.sb.test.client.ejb.TestServiceEJBBean.invoke(TestServiceEJBBean.java:167)
at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.__WL_invoke(Unknown Source)
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.invoke(Unknown Source)
at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)


*If we delete the override policies (oracle/wss_username_token_client_policy) while testing in the console

Life has a twist said...

we get the below error:*

The invocation resulted in an error: com.bea.wli.sb.security.AccessNotAllowedException.

Now after that we followed the below link which has keystore config.

http://tim.blackamber.org.uk/?p=825

http://blog.ipnweb.com/2012/04/securing-osb-11g-proxy-services-with.html

OSB Security - OWSM:387256]Invalid CSF Key 'userA' set for override 'csf-key'. This CSF Key does not exist in the Credential Store.


Any suggestions would be of great help.

Thanks

Ahmed Aboulnaga said...

Let's focus on your first issue, which is this error: "The user name is missing."

1. Can you paste a sample of your input payload?

2. Can you test your scenario through SoapUI, not the OSB Console, and use the payload shown in this blog post as a reference?

Unknown said...

Hello,

Is it possible to restrict a user password for each service? With the steps that you provide us, all users configured in the security configuration are valid to test.

Thanks in advance