| Oracle® BPEL Process Manager Administrator's Guide 10g (10.1.3.1.0) Part Number B28982-03 |
|
|
View PDF |
| Oracle® BPEL Process Manager Administrator's Guide 10g (10.1.3.1.0) Part Number B28982-03 |
|
|
View PDF |
It is critical to control access to BPEL processes and to the Web services they use. Preventing unauthorized users from breaking into your system is required to protect both the integrity of your processes and the personal information of your customers. This chapter describes the methods available for securing BPEL processes and invoking secured Web services with Oracle BPEL Process Manager.
This chapter contains the following topics:
Oracle BPEL Control and Oracle BPEL Admin Console Users and Roles
Using Oracle Web Services Manager for Authorization, Message Encryption, and Digital Signatures
Security in Oracle BPEL Process Manager is implemented as follows:
Securing a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server. The following transport security and authentication methods are available:
SSL (HTTP/S)
J2EE basic authentication (HTTP)
BPEL security extensions
Invoking secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running. The following transport security and authentication methods are available:
SSL (HTTP/S)
WS-Security-compliant services
Axis services
J2EE basic authentication (HTTP)
Java and Enterprise Java Bean (EJB) binding
Figure 1-1 provides an overview of these transport security and authentication methods available for securing BPEL processes (inbound) and invoking secured services (outbound):
Figure 1-1 Inbound and Outbound Transport Security and Authentication Methods
This section provides an overview of the following security features in the context of Oracle BPEL Process Manager. References are also provided to sections that describe these features in more detail:
WS-Security provides a mechanism for adding three levels of security to simple object access protocol (SOAP) messages. These security levels are as follows:
Authentication tokens – Used for passing user name and password information, as well as X.509 certificates, within the SOAP message headers.
XML encryption – Used for message confidentiality.
XML digital signatures – Used for message integrity, source and origin validation, and nonrepudiation.
See Also:
Web Services Security (WS-Security) Specifications available at the following URL:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
Authentication is the process of proving the identity of a user. Oracle BPEL Process Manager supports basic authentication (HTTP), certificate-based authentication (HTTP/S), and native BPEL security extension authentication.
See Also:
The following sections:"Securing BPEL Processes (Inbound)" for instructions on securing a BPEL process
"Invoking Secured Services (Outbound)" for instructions on invoking secured services from BPEL
Authorization is the evaluation of security constraints to send a message or make a request. Authorization uses specific criteria to determine whether to permit the request. The criteria are authentication and restriction. Oracle BPEL Process Manager has no current native support for inbound authorization. Oracle Web Services Manager can instead be used to provide this capability.
See Also:
"Authorization"Encryption is the practice of encoding (encrypting) data in such a way that only an intended recipient can decode (decrypt) and read the data. Oracle BPEL Process Manager has no current native support for XML encryption. Oracle Web Services Manager can instead be used to provide this capability.
See Also:
"Message Encryption and Decryption"Secure Socket Layer (SSL) is a standard for the secure transmission of documents over the Internet using HTTP/S (secure HTTP). SSL uses digital signatures to prevent data from being compromised.
See Also:
"Using SSL for Certificate-Based Authentication" for details about using SSL to secure BPEL processes
"Using SSL for Certificate-Based Authentication" for details about using SSL to invoke secured services
A digital signature is a code attached to an electronic document that reliably identifies the author or sender, and verifies that the document has not been compromised. Oracle BPEL Process Manager has no current native support for digital signatures. Oracle Web Services Manager can instead be used to provide digital signatures and signature verification capabilities.
See Also:
"Digital Signatures"BPEL security extensions are fully integrated into Oracle BPEL Process Manager.
Regardless of which channel you use to invoke a process (such as HTTP, SOAP, Java API, and so on), the same security constraints apply. However, the way credentials are passed differs amongst channels.
BPEL security extensions are intended for BPEL developers who want to enhance the security of Oracle BPEL Process Manager. These extensions are technical and require a good understanding of Oracle BPEL Server, including the various technologies used for invoking processes (for example, SOAP and HTTP). There are also many references to the Oracle BPEL Java API, so a good knowledge of Java is required.
Oracle BPEL Process Manager's API includes BPEL security extensions that enable developers to create custom security. This is necessary in secure environments where users must be authenticated and authorized to use certain BPEL processes.
See Also:
Oracle BPEL Process Manager Workflow Services API Reference, which is also located in
SOA_Oracle_Home\bpel\docs\apidocs
You can secure a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server.
Figure 1-2 provides a high-level overview of the transport security and authentication methods available for securing BPEL processes (inbound).
This section describes how to provide BPEL process security through the following methods:
Note:
Oracle recommends that you create an environment in which one or more instances of a server are dedicated to secure business processes and other instances are set up to host nonsecure processes.BPEL processes are usually invoked using SOAP over HTTP. While basic authentication ensures that only authenticated users access BPEL processes, user names and password are prone to identification by network packet sniffers. Therefore, the need exists for securing the network connection through use of HTTP/S instead of HTTP. If you use HTTP/S as the authentication schema, both the client and server can be configured to exchange certificates. A successful SSL handshake confirms authentication.
The following types of certification authentication can be used:
Server certificate authentication
In this scenario, the client asks the server for the certificate and authenticates the trustworthiness of the server. The client does not present its certificate unless it is requested by the server to do so. The type of server presenting the certificate is based upon the Oracle BPEL Process Manager installation type you are using:
For Oracle BPEL Process Manager for OracleAS Middle Tier, the server is Oracle Application Server (and its version of OC4J)
For Oracle BPEL Process Manager for Developers, the server is the standalone OC4J in which Oracle BPEL Process Manager is deployed.
Server and client certificate authentication
In this scenario, both the client and server exchange certificates and a successful SSL handshake confirms authentication. This is called client authentication mode. The server (either the standalone OC4J in which Oracle BPEL Process Manager is deployed or Oracle Application Server (and its version of OC4J)) must be configured to request the client's certificate during the SSL handshake and authenticate the trustworthiness of the client. In the context of securing BPEL processes, this means that a client invoking a service presents a valid certificate issued by a mutually-trusted certificate authority. Server and client certificate authentication is not as frequently used.
The following sections describe the SSL configuration method to use based on the Oracle BPEL Process Manager installation type you are using:
SSL configuration for Oracle BPEL Process Manager for OracleAS Middle Tier is a two-step process:
Use Oracle Wallet Manager to enable certificate-based authentication with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type. (See Figure 1-2.) Oracle Wallet Manager is an application for managing and editing security credentials in Oracle wallets. A wallet is a password-protected container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates, all of which are used by SSL for strong authentication.
Note:
Do not use the default certificate included with Oracle Wallet (named
test). The default certificate does not use the proper server host name. Instead, obtain a certificate from a certificate authority. This certificate must contain the proper server host name in the CN entry.See Also:
Oracle Application Server Administrator's Guide for the following SSL configuration details:Setting up a wallet and using Oracle Wallet Manager
Obtaining a certificate from a certificate authority
Oracle BPEL Server must be configured with the SOAP server URL and SOAP callback URL.
Log in to Oracle BPEL Admin Console.
http://localhost:port/BPELAdmin
Enter the oc4jadmin username and password.
Set the following two parameters under the Configuration tab:
Delete the default .bpel_TaskManager_1.0.jar and .bpel_TaskActionHandler_1.0.jar directories under SOA_Oracle_Home\bpel\domains\domain_name\tmp.
where domain_name is the name of the domain in which the BPEL process to secure is located.
Restart Oracle BPEL Server.
This recreates the correct service bindings and WSDL files for the TaskManager and TaskActionHandler processes and makes them available from HTTP/S-based endpoints. Processes deployed into Oracle BPEL Process Manager are now securely hosted at the new HTTP/S endpoint.
SSL configuration for Oracle BPEL Process Manager for Developers is a two-step process:
See the Oracle Containers for J2EE Security Guide for the following SSL configuration instructions:
Using keytool to enable certificate-based authentication. This tool generates a keystore and a self-signed certificate. A keystore is a protected database that holds keys and certificates for an enterprise. Access to a keystore is guarded by a password. The password is defined at the time the keystore is created by the user who creates the keystore, and is changeable only when providing the current password.
Configuring OC4J to use SSL. When complete, OC4J listens for SSL requests on one port and non-SSL requests on another.
Notes:
Ensure that you shut down and restart OC4J after configuring SSL. This is accomplished by shutting down and restarting Oracle BPEL Server.
Instead of a self–signed certificate for production environments, use a certificate from a trusted certificate authority like Verisign/Thawte by submitting a certificate request generated by keytool.
The steps to configure Oracle BPEL Server for the Oracle BPEL Process Manager for Developers installation type are the same as with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type.
See "Step 2: Configuring Oracle BPEL Server" for instructions on configuring Oracle BPEL Server.
J2EE basic authentication involves authentication through unsigned tokens, namely a user name and password.
Table 1-1 describes the supported features of this method.
Table 1-1 J2EE Basic Authentication Supported Features
| Authentication Schemas | Service Access Protocols | User Repository | Customization Permitted | Granularity |
|---|---|---|---|---|
| Basic authentication (user name and password) | HTTP only | Oracle Application Server JAZN repository types:
|
JAAS custom authorization plug-in | Individual process level security |
The following sections describe the configuration method to use based on the Oracle BPEL Process Manager installation type:
J2EE basic authentication with the Oracle BPEL Process Manager for OracleAS Middle Tier installation type involves delegating authentication to Oracle Application Server. (See Figure 1-2.) The following steps describe this process.
Oracle HTTP Server receives a service request.
Oracle HTTP Server forwards the request to OC4J.
OC4J validates the user name and password received in the HTTP headers against the configured identity service user repository:
Oracle Internet Directory (OID)
Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider (JAZN) XML
Custom JAAS plug-in
If the user name and password are authenticated, the request is sent to Oracle BPEL Server for servicing.
See Also:
Oracle Containers for J2EE Security Guide for configuration instructionsJ2EE basic authentication with the Oracle BPEL Process Manager for Developers installation type involves delegating authentication to the OC4J in which Oracle BPEL Process Manager is deployed. (See Figure 1-2.) The following steps describe this process.
Set up new users and roles in the JAZN repository:
For example, for users in JAZN XML, configure a new user and role in SOA_Oracle_Home\bpel\system\appserver\oc4j\j2ee\home\config\system-jazn-data.xml as follows:
<user> <name>jsmith</name> <credentials>{903}9XRK6pyPRTVYN7bW5dkG1Z06C2pkBRW6</credentials> </user> . . . . . . <role> <name>jsmithrole</name> <members> <member> <type>user</type> <name>jsmith</name> </member> </members> </role>
Configure the SOA_Oracle_Home\bpel\system\appserver\oc4j\j2ee\home\applications\orabpel_ear\META-INF\orion-application.xml file.
Map the physical security roles maintained in OC4J (for example, JAAS principals and realms) to logical J2EE groups and users by adding the following sections:
<security-role-mapping name="jsmithrole"> <group name=" jsmithrole" /> </security-role-mapping>
Configure the SOA_Oracle_Home\bpel\system\appserver\oc4j\j2ee\home\applications\orabpel_ear\startup_war\WEB-INF\web.xml file to protect the BPEL service endpoint URLs.
A code segment from web.xml protecting an endpoint URL http://localhost/orabpel/default/HelloWorld/1.0) is as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>Default Domain Pages</web-resource-name>
<description>These pages are only accessible by authenticated
users.</description>
<url-pattern>*/orabpel/default/HelloWorld/1.0</url-pattern>
<url-pattern>*/orabpel/default/HelloSecureWorld/1.0</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>jsmithrole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jazn.com</realm-name>
</login-config>
<security-role>
<description>BPEL PM User</description>
<role-name>jsmithrole</role-name>
</security-role>
Native BPEL security extensions code can also handle authentication. (See Figure 1-2.) The following steps describe this process.
Oracle HTTP Server receives a service request.
Oracle HTTP Server forwards the request, part of which is intercepted by Oracle BPEL Process Manager.
The BPEL security extension code of Oracle BPEL Process Manager validates the message received against the configured identity service user repository:
OID
JAZN XML
Custom JAAS plug-in
If the user name and password are authenticated, Oracle BPEL Server services the request.
Table 1-2 describes the supported features of this method.
Table 1-2 Native BPEL Security Extensions Supported Features
| Authentication Schemas | Service Access Protocols | User Repository | Customization Permitted | Granularity |
|---|---|---|---|---|
| Basic authentication (user name and password) | HTTP | Oracle Application Server JAZN repository types:
|
Custom user repository using the custom validator class
See Also: "Creating a Custom Validator" |
Fine grained:
|
| Normalized message properties |
|
|||
| WS-Security (in accordance with the WS-Security Web Services Security Specification) | SOAP |
This section contains the following topics:
Within Oracle BPEL Server, a message handler framework is used to control and modify inbound (calls to Oracle BPEL Server) and outbound (calls from Oracle BPEL Server) message flows. One of these plug-in handlers is the security interceptor. The security interceptor provides two levels of security:
Domain level security
If only this level is set, enables you to secure all processes running in a specific domain.
Process level security
If this level is also set, enables you to specify which processes to secure, and which not to secure, in a specific domain.
Note:
The following section only explains the configuration of the security interceptor, and not the framework itself.By default, domain and process security is not enabled. However, both security levels can be easily enabled by modifying the SOA_Oracle_Home\bpel\domains\domain_name\config\message-handlers.xml file.
If you want to enable domain level security, remove the comment markers shown in bold from around the security attribute (for this example, the domain is named default):
<inbound-flow> <message-handler id="default" /> <!-- uncomment for inbound security <message-handler id="security" /> --> </inbound-flow>
This enables the security chain:
<message-handler id="security">
<classname>com.collaxa.cube.security.Authenticator</classname>
<comment>
<![CDATA[This is the handler for security interception]]>
</comment>
<property id="ACLManager">
<value>com.oracle.bpel.security.validator.bpmid.
BPMIdentityValidator</value>
<comment>BPMIdentityValidator uses the server configured security
such as JAAS to validate the user against</comment>
</property>
<!--
<property id="SecuredProcesses">
<value>CreditRatingService</value>
<comment>Processes can be secured explicitely without having effect
on the whole domain, put their names in here and comma
separate them
</comment>
</property>
-->
</message-handler>
If you also want to enable security at the process level, remove the comment markers shown in bold from around the SecuredProcesses attribute in the same file. The section contains a value element that consists of a comma-separated list of process names:
<!-- <property id="SecuredProcesses"> <value>CreditRatingService</value> <comment>Processes can be secured explicitely without having effect on the whole domain, put their names in here and comma separate them</comment> </property> --> </message-handler>
Specify the processes to secure in the value element of the SecuredProcesses section. For example:
<value>CreditRatingService, HelloWorldService</value>
Any other processes in this domain that are not specified in the value element are not secured.
Restart Oracle BPEL Server.
This enables the default validator bridge to be used for authentication and authorization.
See Also:
"Using the Default Validator" for information about the validator bridgeFor invocation of a process, use the DeliveryService. However, the normalized message (com.oracle.bpel.client.NormalizedMessage) needs the following properties (through NormalizedMessage:setProperty(key, value)) added:
secured = username username = password
where username equals the user name that is sent, and the second pair consists of the username and the desired credential. For example:
secured = Clemens Clemens = pwForClemens
Note:
You can also send an empty password; in this case, add only the first pair:secured = Clemens
When you use direct HTTP binding to invoke a process, there are multiple ways of specifying the credentials:
As HTTP request parameters:
<input type="hidden" name="bpelUser" value="clemens"> <input type="hidden" name="bpelCredential" value="clemens">
As basic authentication HTTP headers (base64-encoded):
Authentication=BASIC <BASE64-HASH>
As normal name-value HTTP header pairs, where the key for the user is bpelUser and the key for the password is bpelCredential
When using SOAP binding, the only currently supported method for passing a user name credential is as a WS-Security compliant SOAP header. For example:
<wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-wssecurity-secext-1.0.xsd"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-wssecurity-utility-1.0.xsd"><wsse:Username>Clemens
</wsse:Username><wsse:Password Type=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-username-token-profile-1.0#PasswordText">pwForClemens
</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
When using Java to call a service endpoint through SOAP, the class com.oracle.bpel.client.util.WSSecurityUtils can generate a header element of the namespace. For example:
/**
* Create a WSSecurity compliant token from username and password -
UsernameToken!!
* @throws javax.xml.soap.SOAPException in case the element cannot be
constructed
* @return the headerElement needed for the header of the call
* @param pCredential the credential
* @param pUsername the username
*/
public static SOAPHeaderElement createWSSecurityHeader (String pUsername,
String pCredential)
Note that createWSSecurityHeader represents the older Java standard. Since the change to the WS-Security standard in 2004, you must apply the new namespace or else it defaults to the http://schemas.xmlsoap.org/ws/2002/07/secext namespace. To create a WSSE header element with the new namespace, use this method located in the WSSecurityUtils class:
public static SOAPHeaderElement createOASISWSSecurityHeader
(String pUsername,
String pCredential,
boolean pIsWSPolicyCompliant) throws SOAPException
{
You can invoke secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running. The configuration procedures for invoking secured services are the same for either Oracle BPEL Process Manager installation type:
Oracle BPEL Process Manager for Developers
Oracle BPEL Process Manager for OracleAS Middle Tier
Figure 1-3 provides an overview of the transport security and authentication methods available for invoking secured services (outbound):
This section contains the following topics:
If a partner exposes an HTTP/S-based service, the WSDL of that service contains the information in the service binding. You can invoke services from Oracle BPEL Process Manager that have a SOAP or HTTP binding.
Oracle BPEL Process Manager support for SSL is Java Secure Socket Extension (JSSE)-standards based and relies on the default SunJSSE provider for cryptographic services. For configuring the keystore and truststore, Oracle BPEL Process Manager relies on standard JSSE keytool and JSSE mechanisms. (See Figure 1-3.)
The following types of certification authentication can be used:
Server certificate authentication
During the SSL handshake process, Oracle BPEL Process Manager, which acts as a client to the secured service of the partner link server, is required to verify the trustworthiness of the partner link (server authentication). Verifying the certificate presented by the partner link server satisfies this requirement. To do this, the default SunJSEE functionality is used by Oracle BPEL Process Manager and the truststore used in the process must contain the appropriate certificate entries. If the partner link server uses a self-signed certificate, this certificate must be placed as a trusted entry in the truststore. If the partner link server presents a certificate chain, then the root certificate of that chain must be part of the truststore.
Server and client certificate authentication
During the handshaking process, a partner link server can sometimes require that the client (in this scenario, Oracle BPEL Process Manager) present its certificate for verification. This is called client authentication mode. For these situations, you must also set up a certificate for Oracle BPEL Process Manager. The certificate can be self-signed or provided by a certificate authority. The keytool can be used to save that certificate and keys in the keystore and truststore.
Note that it is not possible to know from the WSDL of the service if the partner link service requires this. This requirement is not in wide practice.
It is beneficial to set up a truststore in which trusted certificate entries are placed. This is different from the keystore, in which private and public key entries are present.
The default keystore and truststore files located in the jre\lib\security directory for your JDK installation are used:
The jssecacerts file (if present) is the truststore file. If jssecacerts is not present, cacerts also serves as the truststore.
Keystore and truststore files are created and managed with JDK's keytool. This tool is useful for performing operations such as the following:
Creating new keystores and truststores
Reading and listing information present in the stores
Updating and deleting existing entries in keystores and truststore
Notes:
Do not use Oracle Wallet Manager to create a security certificate for communication between the client Oracle BPEL Server and the server on which the partner link Web service is running.
No Oracle BPEL Server configuration is required when invoking secured services. This is because Oracle BPEL Server is the client in this type of interaction.
See Also:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html for details about SSL, such as understanding how SSL works, creating keystores and truststores to use with JSSE, and debugging and troubleshooting issues
http://java.sun.com/products/jsse/ for JSSE details
http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools.html#security for details about using keytool
Oracle Containers for J2EE Security Guide for details about using keytool
To access secured WSDLs, Oracle JDeveloper must be configured at design time just like Oracle BPEL Server.
This section describes how to configure HTTP/S with the partner link Web service server and the Oracle BPEL Server client side certificates.
Follow these steps to configure Oracle BPEL Process Manager for this environment:
Ensure that the keystore is configured appropriately to invoke the mutually-trusted certificate or the server certificate of the partner link.
Connect through the Web browser to the endpoint URL of the service to invoke. After connecting to the server, a pop-up window displays the following message (if you have not already updated your browser's store with this certificate):
Security Alert: Do you trust this certificate or not?
Enter yes because you trust this server certificate.
After the page is loaded on Internet Explorer, a lock displays in the status bar in the bottom right corner of your browser window.
Click the lock to display a window that provides details about the certificate.
Click the Details tab and copy the certificate to a file (for example, named TestServiceServerCert.cer). You can use the base64-encoded format.
Use that file to import the server certificate to your default truststore. You can use keytool to help with this process.
If the default truststore and keystore are the same, the command to import this certificate into the default cacerts keystore is as follows:
SOA_Oracle_Home\jdk\bin\keytool -import -v -file TestServiceServerCert.cer -keypass keystore_password -keystore cacerts
If you do not want to store the server certificate of the partner link server, you can ensure that a mutually-trusted root and certificate authority certificate is in your truststore or keystore.
Ensure that the correct keystore is used by OC4J and Oracle BPEL Process Manager:
If your keystore is the default cacerts file keystore located in SOA_Oracle_Home\jdk\jre\lib\security directory, no changes are required. If not, then edit obsetenv.bat (or obsetenv.sh for UNIX installations) to include the following lines:
–Djavax.net.ssl.keyStore=path_to_your_certificate_store -Djavax.net.ssl.keyStorePassword=your_keystore_password
Note:
While you can also edit the
startorabpel.bat file (or startorabpel.sh file for UNIX installations) to include these lines, Oracle recommends that you instead edit the obsetenv.* file for your operating system.If you are using a different truststore from the default, you should enter the following:
-Djavax.net.ssl.trustStore=path_to_truststore -Djavax.net.ssl.trustStorePassword=your_truststore_password
See Also:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/tools.html#security for details about using keytoolThis section describes how to configure the Oracle BPEL Server client. The steps to configure the client to invoke partner links that require client authentication are similar to the steps to invoke partner links with only server side authentication enabled. The difference is the keystore that BPEL uses for this environment has the following certificates in the following locations:
Its own (that is, the host OC4J server certificate in the keystore)
The client certificate or a mutually-trusted CA certificate in the keystore and truststore
The high level steps involved are as follows:
Set up OC4J to use SSL, as described in "Step 1: Configuring OC4J".
Ensure that a mutually-trusted certification authority certificate is in the truststore and keystore.
Ensure that the correct keystore and truststore are used by OC4J and BPEL, as described in Step 2 of "HTTP/S with Partner Link Server Certificate Authentication Only".
If a partner link expects WS-Security-compliant authentication tokens, BPEL can be configured to invoke the partner link with these. (See Figure 1-3.) Table 1-3 shows the relevant properties. These properties are configurable at the individual partner link level.
Table 1-3 Properties
See Also:
Oracle BPEL Process Manager Developer's Guide for additional details about these deployment descriptor properties
Web Services Security (WS-Security) Specifications available at the following URL:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
When using SOAP binding, there are four possible cases:
Case 1
Propagation of the credentials over a partner link (if the process is invoked securely over any API) for WS-Security headers
Case 2
Propagation of the credentials over a partner link (if the process is invoked securely over any API) for basic authentication
Case 3
Static definition of a user name and password put into a WS-Security compliant user name token, and sent out
Case 4
Static definition of a user name and password that is used for http-basic-authentication, and sent out
By default, Oracle BPEL Server does not propagate any credentials, even if the process is invoked securely. All partner links that are used within a BPEL process are defined in bpel.xml (found in the BPEL suitcase).
<partnerLinkBindings> <partnerLinkBinding name="client"> <property name="wsdlLocation">CreditRatingService.wsdl</property> </partnerLinkBinding> </partnerLinkBindings>
For case 1, add the following property (which causes BPEL to add the process-credentials to the outgoing call):
<property name="wsseHeaders">propagate</property>
For case 2, add the following (attached to the SOAP call(setUsername, setPassword)):
<property name="basicHeaders">propagate</property>
For case 3, add the following (which builds a WS-Security Header):
<property name="wsseHeaders">credentials</property> <property name="wsseUsername">your_user</property> <property name="wssePassword">your_password</property>
For case 4, add the following (attached to the SOAP call(setUsername, setPassword)):
<property name="basicHeaders">credentials</property> <property name="basicUsername">your_user</property> <property name="basicPassword">your_password</property>
Note:
All these properties are on a per partner link basis, so they do not affect any other partner links as long as they are not specified on this specific binding.Since the change to the WS-Security standard in 2004, you need to apply the new namespace or else it defaults to the http://schemas.xmlsoap.org/ws/2002/07/secext namespace. To apply the new namespace, add the following property:
<property name="wsseOASIS2004Compliant">true</property>
Table 1-4 shows the configurable properties at the partner link level for Axis services.
Table 1-4 Properties
This section describes HTTP basic authentication.
The section contains the following topics:
Table 1-5 shows the deployment descriptor properties configurable at the partner link level. These properties can be set to authenticate services that use HTTP headers for authentication in 10.1.2.0.2.
Starting with Oracle BPEL Process Manager release 10.1.3, all partner link properties are automatically propagated into the HTTP header. However, when outbound HTTP binding is used, credentials can be used for basic authentication, if configured:
<property name="httpBasicHeaders">credentials</property> <property name="httpBasicUsername">your_username</property> <property name="httpBasicPassword">your_password</property>
Or they can simply be propagated from the process instance:
<property name="httpBasicHeaders">propagate</property>
Starting with Oracle BPEL Process Manager release 10.1.3, partner link properties can be propagated into the implementing class or EJB by implementing this interface:
com.oracle.bpel.client.wsif.IjavaEjbPlnkBindingInfo
It contains the following method:
/** * This method will be called immediately after the new instance * of the class/bean has been created * * @param pProperties the map containing name/value pairs */ public void setPlnkProperties(HashMap pProperties);
This method is called directly after the class or bean has been created, and the map contains all partner link properties.
The Oracle Application Server oc4jadmin administrator account enables you to log into Oracle BPEL Control and Oracle BPEL Admin Console and manage BPEL processes. Beginning with this release, both consoles are fully integrated with Oracle Application Server J2EE and JAAS security features.
In addition, Oracle BPEL Process Manager automatically includes a set of users, roles, and domains for performing BPEL process management from Oracle BPEL Control and Oracle BPEL Admin Console. Table 1-6 describes these features:
Table 1-6 Oracle BPEL Process Manager Roles, Users, and Domains
| Users | Roles | Domains |
|---|---|---|
default — Enables you to partition and manage instances of your processes. You can create additional domains, as necessary. |
||
The Oracle Application Server oc4jadmin administrator account also includes the BPMSystemAdmin role.
Passwords for the oc4jadmin, bpeladmin, and default users can be changed through Oracle Enterprise Manager 10g Application Server Control Console. Oracle recommends that you change the passwords for the bpeladmin and default users after installation.
Use the oc4jadmin user account when creating application server connections in the Connection Navigator of Oracle JDeveloper. Other user accounts, such as bpeladmin, default, or any new user accounts you created, do not have the RMI permissions and cannot be used when creating application server connections in Oracle JDeveloper.
You can create new users and groups and assign them to new domains or the default domain automatically included with Oracle BPEL Process Manager.
This section provides the following examples:
Example 1: Creating New Users and Groups to Access New BPEL Domains
Example 2: Creating a New User to Access the Default BPEL Domain
Notes:
These examples usea:/home/oc4j/bpel/lib as the directory location for orabpel-boot.jar. Substitute this path with the one appropriate to your environment.See Also:
Appendix A, "Demo User Community" for additional details about the BPMSystemAdmin and BPMDefaultDomainAdmin roles
Oracle BPEL Process Manager Developer's Guide for additional details about the BPMSystemAdmin and BPMDefaultDomainAdmin roles and domain management
Oracle Application Server Administrator's Guide for instructions on changing the oc4jadmin, bpeladmin, and default passwords
Oracle Containers for J2EE Security Guide for information about Java SSO (JSSO), OracleAS JAAS Provider Admintool examples, and additional security management tools available for file-based providers and Oracle identity management providers
This section describes how to create a new user and group to access a new BPEL domain. In this example, you use Oracle Internet Directory to create the user and group and the OracleAS JAAS Provider Admintool of the XML-based JAZN provider to grant the necessary domain permissions to the new user and group. The management tool to use to create the user and group is based on the type of identity service provider you are using.
Configure the 10.1.3.1.0 identity service with 10.1.2 Oracle Internet Directory as described in "Configuring Identity Service 10.1.3.1.0 with 10.1.2 Oracle Internet Directory".
Create a new domain in the Oracle BPEL Admin Console named soaAdmin.
Create a new user named soaAdmin and group named BPMsoaAdminDomainAdmin in Oracle Internet Directory.
Use the JAZN Admin tool to grant domain permissions to user soaAdmin or group BPMsoaAdminDomainAdmin:
java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.jar -jar jazn.jar -shell -grantperm jazn.com -user soaAdmin com.collaxa.security.DomainPermission soaAdmin all
or
java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.jar -jar jazn.jar -shell -grantperm jazn.com -role BPMsoaAdminDomainAdmin com.collaxa.security.DomainPermission soaAdmin all
where:
com.collaxa.security.DomainPermission — Is the name of the permission class. This permission class does not provide access to Oracle BPEL Admin Console.
soaAdmin — Is a parameter to the permission class. This parameter indicates the name of the domain to which the user has access.
all — Is a parameter to the permission class. This parameter indicates the level of actions the user or group can perform.
Note:
The usersoaAdmin or group BPMsoaAdminDomainAdmin receives either all or no privileges in the soaAdmin domain. You cannot assign specific actions to a user or group, such as specifying read-only permissions, update permissions, and so on.Log into Oracle BPEL Control.
This section describes how to create a new user to access the default BPEL domain automatically included with Oracle BPEL Process Manager. In this example, you use the OracleAS JAAS Provider Admintool to create a user and grant the BPMDefaultDomainAdmin role to the user. The management tool to use to create the user is based on the type of identity service provider you are using.
Create a user named mike in realm jazn.com with a password of welcome.
% java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.jar -jar jazn.jar -shell -adduser jazn.com mike welcome
Grant the role BPMDefaultDomainAdmin to user mike in realm jazn.com.
% java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.jar -jar jazn.jar -shell -grantrole BPMDefaultDomainAdmin jazn.com mike
Log into Oracle BPEL Control.
This section describes how to create a new user to access all BPEL domains. In this example, you use the OracleAS JAAS Provider Admintool to create a user and grant the BPMSystemAdmin role to the user. The management tool to use to create the user is based on the type of identity service provider you are using. This user also receives the com.collaxa.security.ServerPermission permission. This permission provides access to all domains and to Oracle BPEL Admin Console. This permission also automatically includes the default (com.collaxa.security.DomainPermission) permission.
Create a user named mike in realm jazn.com with a password of welcome.
% java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.jar -jar jazn.jar -shell -adduser jazn.com mike welcome
Grant the role BPMSystemAdmin to user mike in realm jazn.com.
% java -Xbootclasspath/a:/home/oc4j/bpel/lib/orabpel-boot.jar -jar jazn.jar -shell -grantrole BPMSystemAdmin jazn.com mike
Log into Oracle BPEL Control.
Two types of identity store validators are available for authenticating users:
Oracle BPEL Process Manager provides a bridge to your identity store through the BPEL Identity Service. For example, in Oracle Application Server you can use JAZN, Oracle Internet Directory (OID), or a custom repository plug-in as your identity store.
If you want to invoke a BPEL process, your user name must be in the configured store, or, in the case of JAZN, created in SOA_Oracle_Home\j2ee\home\config\system-jazn-data.xml (for the Oracle BPEL Process Manager for OracleAS Middle Tier installation type). For example:
<user> <name>Clemens</name> <credentials>!yourpassword</credentials> </user>
BPEL security validation is evaluated in the following order:
If the BPEL suitcase contains the credentials within the configurations tag in bpel.xml. For example:
<property name="user">Clemens</property>
<property name="pw">your_password</property>
If a role is specified in the BPEL suitcase, the user specified in the request must exist in the identity management store and must belong to that group.
<property name="role">administrators</property>
This method is useful when many processes are used and identity management cannot be reconfigured with a new role for each process.
If neither of the security validators described above are found, BPEL concatenates the process name and ExecutionRole and expects the supplied user to belong to a role of that name. For example, if user Clemens invokes the CreditRatingService process, he must belong to a group named CreditRatingServiceExecutionRole as defined in your identity store (for example, system-jazn-data.xml if you are using JAZN):
<role>
<name>CreditRatingServiceExecutionRole</name>
<members>
<member>
<type>user</type>
<name>Clemens</name>
</member>
</members>
</role>
See Also:
Oracle BPEL Process Manager Developer's Guide for additional details about BPEL identity services
It is sometimes necessary to implement a custom validator when the default does not meet your requirements. To accomplish this, the following interface must be implemented and the message handler reconfigured.
/**
* This source is proprietary to ORACLE CORPORATION
* 2005, All rights reserved
*/
package com.oracle.bpel.security;
import com.oracle.bpel.client.ServerException;
import com.oracle.bpel.client.NormalizedMessage;
import com.oracle.bpel.client.BPELProcessId;
/**
* Public abstract class that has to be implemented
* for having a valid ACLManager that is used by the BPEL server
* for authentication & authorization
*
* @version 1.1
*/
public abstract class ACLManager extends BaseACLManager {
/**
* Public constructor that should use a cache for connections
* and care about other stuff.
* @throws com.oracle.bpel.client.ServerException
* @since 1.0
*/
public ACLManager() throws ServerException
{
}
/**
* Checks if a user is valid in the context of a secured Process
*
* @return valid or not
* @param pMessage the message will hold all information, including
* the domain information and headers
* @throws ServerException in case something breaks
*/
public abstract boolean validateUser
(BPELProcessId pProcessID, NormalizedMessage pMessage) throws
ServerException;
/**
* Checks if a user is allowed to execute (=invoke) a certain revision
* (if given) of a process.
*
* @return true if he is otherwise false
* @param pProcessId the name, domain and revision of the process
* @param pMessage the message will hold all information, including
* the domain information and headers
* @throws ServerException in case something breaks
*/
public abstract boolean isAllowedToExecuteProcess
(BPELProcessId pProcessID, NormalizedMessage pMessage)
throws ServerException;
/**
* Checks if a user is allowed to execute (=invoke) a certain activity
* of a process.
*
* @return true if he is otherwise false
* @param pProcessId the name, domain and revision of the process
* @param pActivityName the name of the Activity
* @param pMessage the message will hold all information, including
* the domain information and headers
* @throws ServerException in case something breaks
*/
public abstract boolean isAllowedToExecuteActivity
(BPELProcessId pProcessID, NormalizedMessage pMessage, String pActivityName)
throws ServerException;
/**
* Checks if a user is allowed to lookup a certain revision
* (if given) of a process.
*
* @return true if he is otherwise false
* @param pMessage the message will hold all information, including
* the domain information and headers
* @param pProcessId the name, domain and revision of the process
* @throws ServerException in case something breaks
*/
public abstract boolean isAllowedToLookupProcess
(BPELProcessId pProcessID, NormalizedMessage pMessage)
throws ServerException;
/**
* Checks if a user is allowed to lookup a certain activity of a process.
*
* @return true if he is otherwise false
* @param pActivityName the name of the Activity
* @param pProcessId the name, domain and revision of the process
* @throws ServerException in case something breaks
*/
public abstract boolean isAllowedToLookupActivity
(BPELProcessId pProcessID, NormalizedMessage pMessage, String pActivityName)
throws ServerException;
}
After implementation, the class must reside in SOA_Oracle_Home\bpel\system\classes to be reached by the class loader. The second step is to reconfigure the following property in message-handlers.xml:
<property id="ACLManager">
<value>com.oracle.bpel.security.validator.bpmid.BPMIdentityValidator</value>
<comment>BPMIdentityValidator uses the server configured security such
as JAAS to validate the user against
</comment>
</property>
where value must point to the classname (including the package) of the implemented validator class.
You can configure Oracle BPEL Process Manager to invoke a partner Web service through a proxy server.
For example, assume Oracle BPEL Process Manager is installed on a host named internal123.company.com and one of your deployed BPEL processes must invoke a synchronous Web service hosted outside the fire wall at http://services.myPartner.com. All the outbound HTTP traffic must be routed through an HTTP proxy server located at myproxy004.company.com on port 8090.
Perform the following steps to configure ant tasks and Oracle BPEL Process Manager to invoke the partner Web service through an HTTP proxy server.
Open the SOA_Oracle_Home\bpel\bin\obsetenv.bat file on Windows or SOA_Oracle_Home/bpel/bin/obsetenv.sh file on Unix or Linux.
Modify the line set OB_JAVA_PROPERTIES= as follows:
set OB_JAVA_PROPERTIES="-Dhttp.proxySet=true" "-Dhttp.proxyHost=myproxy004.company.com" "-Dhttp.proxyPort=8090" "-Dhttp.nonProxyHosts=internal123.company.com"
By setting http.proxySet to true, you activate the client proxy and redirect all the outbound traffic through http.proxyHost and http.proxyPort. By setting the http.nonProxyHosts to the server that hosts Oracle BPEL Server, you prevent the local request from going through the proxy. You may want to expand the nonProxyHosts list to include other servers inside your corporate network or other logical names for the internal123 host by using | as a delimiter.
There are several security features for which Oracle BPEL Process Manager does not currently provide native support. For those features, Oracle Web Services Manager can be used. Oracle Web Services Manager provides sophisticated authentication capabilities. Oracle Web Services Manager supports authentication using HTTP basic authentication, COREid, Netegrity, LDAP, and X.509 Certificates, and WS-Security.
This section contains the following topics:
See Also:
Outbound authorization in the context of BPEL invoking a service is within the responsibility of the service provider and its implementation of authorization. While Oracle BPEL Process Manager has no current native support for inbound authorization, Oracle Web Services Manager provides the following capabilities to let authorized users access BPEL processes:
Supports authorization based on the information contained in any part of the XML message or body
Provides the following fine-grained access control:
Access control at the service level
Access control at the SOAP method level
Supports WS-Security
This section describes the actual message encryption. XML encryption is covered by the WS-Security profile. While Oracle BPEL Process Manager has no current native support for XML encryption, Oracle Web Services Manager provides the following encryption and decryption features:
WS-security compliant message and content encryption and decryption
Full or partial message encryption, enabling you to specify an XPath expression to the part of the message that requires encryption.
While Oracle BPEL Process Manager has no current native support for digital signatures, Oracle Web Services Manager provides digital signatures and signature verification capabilities. When a client invokes a service, Oracle Web Services Manager performs the following tasks:
Intercepts this request
Checks if the service has a digital signature verification policy to be honored
Verifies the signature
Passes this request to BPEL to be serviced
Similarly, when BPEL invokes a partner link, Oracle Web Services Manager attaches a digital signature to the SOAP header of the message.
This chapter describes how to perform the following procedures:
Secure a BPEL process in which interaction is initiated by an inbound client service request sent to Oracle BPEL Server. The following security methods are described: SSL authentication, J2EE basic authentication, and native BPEL security extension authentication.
Invoke secured services in which interaction is initiated by an outbound client request sent from Oracle BPEL Server to the server on which the partner link Web service is running. The following security methods are described: SSL authentication, WS-Security-compliant services, HTTP basic authentication protected services, Axis services with custom authentication handlers, and native BPEL security extensions.
This chapter also provides details about the default and custom identity store providers available with Oracle BPEL Process Manager. An overview of Oracle Web Service Manager is also provided. Oracle Web Service Manager can be used to provide authorization, message encryption and decryption, and digital signature support with Oracle BPEL Process Manager.
