
Upload: blinking02

Post on 17-Feb-2016

Page 1: Lab_7

SOA 11g Workshop – Lab 7

Adding Message Security using Fusion Middleware Policy Manager

Because of its nature (loosely coupled connections) and its use of open access (mainly HTTP), SOA implemented by Web services adds a new set of requirements to the security landscape. Web services security includes several aspects:

Authentication—Verifying that the user is who she claims to be. A user's identity is verified based on the credentials presented by that user.

Authorization (or Access Control)—Granting access to specific resources based on an authenticated user's entitlements. Entitlements are defined by one or several attributes. An attribute is a property or characteristic of a user; for example, if "Marc" is the user, "conference speaker" is an attribute.

Confidentiality, privacy—Keeping information secret: handling a message, for example a web service request or an email, as well as the identity of the sending and receiving parties, in a confidential manner. Confidentiality and privacy can be achieved by encrypting the content of a message and obfuscating the sending and receiving parties' identities.

Integrity, non-repudiation—Making sure that a message remains unaltered during transit by having the sender digitally sign the message. The receiver validates the digital signature, which also provides non-repudiation. The timestamp covered by the signature prevents anyone from replaying the message after its expiration.

Oracle Web Services Manager (WSM) provides a policy framework to manage and secure Web services consistently across your organization. Oracle WSM can be used by developers at design time and by system administrators in production environments. The policy framework is built using the WS-Policy standard. Policies describe the capabilities and requirements of a Web service, such as whether and how a message must be secured, whether and how a message must be delivered reliably, and so on.

Oracle Fusion Middleware 11g Release 1 (11.1.1) supports the following types of policies:

Oracle® SOA Suite 11 Hands-On Workshop Lab 7

WS-ReliableMessaging—Reliable messaging policies implement the WS-ReliableMessaging standard, which describes a wire-level protocol that allows guaranteed delivery of SOAP messages and can maintain the order in which a set of messages is delivered.

Management—Management policies log request, response, and fault messages to a message log. Management policies may include custom policies.

WS-Addressing—WS-Addressing policies verify that SOAP messages include WS-Addressing headers in conformance with the WS-Addressing specification. Transport-level data is included in the XML message rather than relying on the network-level transport to convey this information.

Security—Security policies implement the WS-Security 1.0 and 1.1 standards. They enforce message protection (message integrity and message confidentiality), and authentication and authorization of Web service requesters and providers. The following token profiles are supported: username token, X.509 certificate, Kerberos ticket, and Security Assertion Markup Language (SAML) assertion.

Message Transmission Optimization Mechanism (MTOM)—Binary content, such as an image in JPEG format, can be passed between the client and the Web service.

In this lab we'll be attaching an out-of-the-box policy which gives the web service client (Permit Composite) the capability to digitally sign and encrypt our message to our web service (CreditScore). We'll also be adding a policy to the CreditScore web service to verify that the message came from a trusted consumer and to decrypt the message. The response will go through the same process in reverse. The wss11_message_protection policy supports XML Signature and XML Encryption in accordance with the WS-Security 1.1 specification.

Attach Policy to CreditScore Web Service

First we'll be attaching the policy to our CreditScore web service. To do this we'll use the WebLogic Server administration console.

1. Open Firefox and click on the link for the Admin Console.

2. Enter Username: weblogic and Password: welcome1 and click Log In.

3. On the left navigation bar click Deployments.

4. Click the + sign next to CreditScore-CreditScore-context-root to expand the node.

5. Click the link for CreditScoreService under the Web Services branch.

6. Click on the Configuration tab.

7. Click on the WS-Policy tab.

8. Click on the link CreditScorePort.

9. Make sure the OWSM radio button is selected and click Next.

10. Highlight policy:oracle/wss11_message_protection_service_policy (take care to make sure you select the correct one) under the Available Endpoint Policies box on the left and click the > arrow to shuttle it to the Chosen Endpoint Policies box.

11. Then click Finish.

12. On the Save Deployment Plan Assistant page just click OK.

13. You should now see some messages near the top of the page. Make sure they look similar to the screenshot below.

14. Again click on the Deployments link on the left navigation bar.

15. First, select the checkbox (do not click the link) next to CreditScore-CreditScore-context-root. Once selected, click the Update button.

16. On the next page just click Finish.

17. Verify that you see two green messages as below and click Logout.

Our policy is now applied to our CreditScore web service. Next we'll do the same for our client (Permit Composite).

Attach Policy to Permit Composite

We're now going to attach the client-side version of this policy to Permit Composite. We'll be attaching it through Enterprise Manager.

1. Open Firefox if not already open and click on the link for Enterprise Manager; use username weblogic and password welcome1.

2. Expand the SOA and soa-infra (AdminServer) nodes and click on the PermitAppComposite[1.0] link.

3. Click on the Policies tab.

4. Select the down arrow next to the Attach To/Detach From box and select CreditScore.

5. First, highlight oracle/wss11_message_protection_client_policy (take care to make sure you select the correct one) by clicking on it. Then click the Attach button.

6. Click OK.

7. Once the policy shows up in the list, click the Test button.

8. At this point we will cut and paste a "test" payload into the browser. Minimize the browser and open a terminal window on the Linux desktop using the icon.

9. Change directory into MyFiles (cd My*) and type: gedit SamplePermitWS.xml <hit Return/Enter>

10. From the gedit window select Edit > Select All and then select Edit > Copy. Minimize the terminal window.

11. Go back to the browser and scroll down towards the bottom where you see the "Input Arguments" section. In this section choose XML View.

12. Right click anywhere inside the argument pane and choose Select All. The test payload will be highlighted.

13. Hold down the <Ctrl> key on the keyboard and type "v". This will paste the contents you copied from within the gedit session. Click the button.

14. As in our previous testing you should get back a successful return. NOTE: If you did receive an error, retry the test; sometimes the policy may not be initialized on the first try.

15. At this point we'll look at our Message Log to view the client messages both prior to and after the signature and encryption have been applied. Minimize the browser and double click the Message Log icon on the desktop.

16. Our first log entry shows the message prior to the policy being applied. Note that the SSN is still in plain text.

17. If we scroll down to the next entry we'll see the WS-Security header added with our attributes for the signature and encryption. Note the SSN is now encrypted.
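As an added example (not part of the Oracle lab), a small Python checker that does over a logged SOAP envelope what steps 16 and 17 do by eye: it reports whether a wsse:Security header with a still-valid Timestamp, an XML Signature and an encrypted Body are present, and whether an <ssn> element is still readable in plain text. The two sample envelopes, the operation name getCreditScore, the namespace urn:example:creditscore, the PLACEHOLDER values and the now_iso check time are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Namespaces used by WS-Security 1.1 message protection: SOAP 1.1, WSS secext/utility, XML Signature, XML Encryption.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Constructed sample: the request as logged before the client policy runs (step 16).
PLAIN_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body><getCreditScore xmlns="urn:example:creditscore"><ssn>123-45-6789</ssn></getCreditScore></soap:Body>
</soap:Envelope>"""
# Constructed sample: the same request after wss11_message_protection_client_policy has signed
# and encrypted it (step 17). Signature and cipher values are placeholders, not real policy output.
PROTECTED_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
   <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2016-02-17T10:00:00Z</wsu:Created>
    <wsu:Expires>2016-02-17T10:05:00Z</wsu:Expires></wsu:Timestamp>
   <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </wsse:Security>
 </soap:Header>
 <soap:Body><xenc:EncryptedData xmlns:xenc="%(xenc)s"><xenc:CipherData>
  <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>""" % NS

def _ts(text):  # wsu timestamps look like 2016-02-17T10:00:00Z
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_message_protection(envelope_xml, now_iso):
    """Report which WS-Security 1.1 protections are visible in a logged envelope at time now_iso."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    ts = sec.find("wsu:Timestamp", NS) if sec is not None else None
    # A timestamp only defeats replay if the message is checked inside its Created..Expires window.
    ts_valid = ts is not None and _ts(ts.find("wsu:Created", NS).text) <= _ts(now_iso) < _ts(ts.find("wsu:Expires", NS).text)
    return {
        "security_header": sec is not None,
        "timestamp_valid": ts_valid,
        "signature": sec is not None and sec.find("ds:Signature", NS) is not None,
        "body_encrypted": body.find("xenc:EncryptedData", NS) is not None,
        # Any <ssn> element still readable in the Body means the payload was not encrypted.
        "plaintext_ssn": any(el.tag.rsplit("}", 1)[-1] == "ssn" for el in body.iter()),
    }

def is_protected(envelope_xml, now_iso):
    r = check_message_protection(envelope_xml, now_iso)  # signed, encrypted, fresh, no plaintext SSN
    return all(r[k] for k in ("security_header", "timestamp_valid", "signature", "body_encrypted")) and not r["plaintext_ssn"]
```

Run it against the two entries you see in the Message Log: the first should fail the check with plaintext_ssn set, the second should pass as long as it is checked before its Expires time.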