Oracle® Fusion Middleware Developer's Guide for Oracle Service Bus
11g Release 1 (11.1.1.3)
E15866-01

50 Securing Oracle Service Bus with Oracle Web Services Manager

Using Oracle Service Bus in conjunction with Oracle Web Services Manager provides a scalable, standards-based, centrally managed approach to securing your SOA environment with WS-Security policies while leveraging your existing security providers.

Oracle Web Services Manager is a run-time framework for security policy creation, management, and governance. You create policies, attach them to services in Oracle Service Bus, and enforce those policies at various points in the messaging life cycle with Oracle Web Services Manager agents.


Note:

In future releases of Oracle Service Bus, Oracle Web Services Manager policies will replace and enhance the functionality of WLS 9.2 security policies. While this version of Oracle Service Bus continues to support WLS 9.2 policies, you should consider using Oracle Web Services Manager policies for new service creation to prepare for the eventual deprecation of WLS 9.2 policy support.

This section includes the following topics:

For more information about Oracle Web Services Manager, see the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

50.1 About Oracle Web Services Manager Integration with Oracle Service Bus

Oracle Web Services Manager is a component of the Oracle Enterprise Manager Fusion Middleware Control, a run-time framework that provides centralized management and governance of Oracle SOA Suite environments and applications. You create and configure Oracle Web Services Manager policies in Oracle Enterprise Manager, and those policies are persisted in a policy store (a database is recommended). Oracle Web Services Manager lets you define policies against an LDAP directory and generate standard security tokens (such as SAML tokens) to propagate identities across multiple Web services used in a single transaction.

In Oracle Service Bus, when defining a business or proxy service that lets you attach security policies, you can attach available "OWSM" policies.

Because Oracle Web Services Manager is a run-time component, attaching policies to Oracle Service Bus services requires a connection to an Oracle Service Bus domain that has Oracle Web Services Manager enabled. For example, when creating and managing services that use Oracle Web Services Manager policies in Eclipse, your Oracle Service Bus configuration must be deployed on an Oracle Web Services Manager-enabled domain to attach the policies. With no run-time connection to Oracle Web Services Manager from the development environment, you can only view or remove policies previously attached to services.

Oracle Web Services Manager support in Oracle Service Bus is not available automatically. Enable Oracle Web Services Manager support in Oracle Service Bus by selecting the "Oracle Service Bus OWSM Extension" template when you create or extend an Oracle Service Bus domain. Once Oracle Web Services Manager support is enabled in an Oracle Service Bus domain, you cannot disable it. See Section 50.2.1, "Adding Oracle Web Services Manager and Oracle Enterprise Manager to an Oracle Service Bus Domain."

50.1.1 Security Providers

This section describes the security services that Oracle Service Bus and Oracle Web Services Manager use for authentication and authorization.

Oracle Web Services Manager uses Java Platform Security (JPS), so Oracle Service Bus uses JPS providers for Oracle Web Services Manager policies. Oracle Service Bus also uses Oracle Common Security Services (CSS) for other aspects of message security.

The following points describe which security providers Oracle Service Bus and Oracle Web Services Manager use for different security areas.

50.1.1.1 JPS Providers

When using Oracle Web Services Manager policies:

  • Oracle Web Services Manager policies use SAML providers from JPS and not from Oracle WebLogic Server. For information on configuring SAML for Oracle Web Services Manager policies, see Section 50.2.3, "Configuring SAML."

  • For authentication, Oracle Web Services Manager uses the JPS Login Module, which in turn calls authentication providers configured on Oracle WebLogic Server.

  • For Oracle Web Services Manager policies, a best practice is to configure the keystore on JPS, with both the Oracle WebLogic Server and the JPS keystore file referencing the same JKS file. For example, when a proxy service with WLS 9.2 policies routes to a business service that has Oracle Web Services Manager policies, the same keystore file should be referenced. For more information, see Section 50.2.1, "Adding Oracle Web Services Manager and Oracle Enterprise Manager to an Oracle Service Bus Domain."

  • A JPS keystore serves as both a keystore and a truststore for Oracle Web Services Manager policies.

50.1.1.2 CSS Providers

Oracle Service Bus uses CSS providers in the following ways:

  • To enforce WLS 9.2 policies

  • To enforce transport security

  • Oracle WebLogic Server authorization providers for authorization policies

  • Custom Oracle WebLogic Server authentication providers and identity asserters for custom authentication policies

  • Oracle WebLogic Server credential providers and mappers

  • Oracle WebLogic Server keystore and truststore for WLS 9.2 policies

  • Authentication and identity assertion through Oracle Web Services Manager agents

50.2 Setting Up and Using Oracle Web Services Manager with Oracle Service Bus

This section includes the following topics:

50.2.1 Adding Oracle Web Services Manager and Oracle Enterprise Manager to an Oracle Service Bus Domain

To use Oracle Web Services Manager policies in Oracle Service Bus, you must create the proper database schemas for the Oracle Web Services Manager policy store, then extend an Oracle Service Bus domain to include Oracle Web Services Manager.


Note:

After you add Oracle Web Services Manager to an Oracle Service Bus domain, you cannot disable Oracle Web Services Manager in the domain.

  1. Use the Oracle Repository Creation Utility (RCU) to create the Oracle Web Services Manager database schemas in a supported database. Select the following schemas to create:

    • SOA Infrastructure

    • Metadata Services and AS Common Schemas (automatically selected when you select SOA Infrastructure)


      Note:

      After you select SOA Infrastructure, you can optionally deselect Business Activity Monitoring and User Messaging Services if you do not want to enable reporting.

    For more information on running RCU, see the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  2. Extend your Oracle Service Bus domain with Oracle Web Services Manager and Oracle Enterprise Manager. Select the following domain templates when running the Oracle Fusion Middleware Configuration Wizard:

    • Oracle Service Bus OWSM Extension

    • Oracle WSM Policy Manager (automatically selected when you select the OWSM Extension)

    • Oracle Enterprise Manager (optional, needed for creating and managing Oracle Web Services Manager policies)

    As part of the domain extension, the Oracle Configuration Wizard creates an OWSM MDS Schema in the JDBC configuration window. Select the schema and set the database information based on the RCU settings used to create the Oracle Web Services Manager schemas in the previous step.

    For more information, see "Creating a Domain" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle SOA Suite.

  3. As a best practice, configure the keystore for Oracle Web Services Manager on JPS, with both the Oracle WebLogic Server and the JPS keystore file referencing the same JKS file. For example, when a proxy service with WLS 9.2 policies routes to a business service that has Oracle Web Services Manager policies, the same keystore file should be referenced.

    For information on creating the keystore, see "Setting up the Keystore for Message Protection" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

After successful extension of the domain and creation of the keystore for Oracle Web Services Manager, you can create Oracle Web Services Manager policies using the Oracle Enterprise Manager Fusion Middleware Control and attach policies to services in Oracle Service Bus. Oracle Web Services Manager automatically provides commonly used policies.

With the domain running, you can access Oracle Enterprise Manager with the following URL:

http://host:port/em

For more information on managing Oracle Web Services Manager policies, see "Managing Web Service Policies" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

50.2.2 Attaching Oracle Web Services Manager Policies to Oracle Service Bus Services

After you extend your Oracle Service Bus domain to include Oracle Web Services Manager and create policies using Oracle Enterprise Manager, you can attach those policies to the following types of proxy and business services in Oracle Service Bus on the Policies page:

  • WSDL

  • Any SOAP

You can attach Oracle Web Services Manager policies only at the service level, and you cannot embed them in service WSDLs. For a given service, you must use either Oracle Web Services Manager policies or WLS 9.2 policies, but not both. You can, however, use one type of policy in a proxy service and another type in a corresponding business service.

In Eclipse, when adding Oracle Web Services Manager policies to services, you must be connected to a running domain that has Oracle Web Services Manager enabled. If you are not connected to a running server in the development environment, you can only view and remove previously added Oracle Web Services Manager policies, and Oracle Service Bus shows a warning that the Oracle Web Services Manager policies will be validated only on publish.


Note:

When working with multiple servers in Eclipse, Eclipse chooses the first valid Oracle Service Bus server in the list of servers for retrieval of Oracle Web Services Manager policies.

When attaching policies in the development environment, keep in mind that services in the development environment can be out of sync with services in the Oracle Service Bus console, so take care when updating services from Eclipse to the console.

If you copy a service to create a service of the same type (for example, copy a business service to create a new business service), be sure to review the Oracle Web Services Manager policies in the new service and make any necessary adjustments.

50.2.2.1 Policy Overrides

After adding Oracle Web Services Manager policies to a service, you can provide policy overrides on the Security page.

For the policies used, the user interface displays the override keys (properties) and their default values. The key names come from the policy binding. If allowed, a text box appears next to a key's default value where you can provide an override value.

Oracle Service Bus does not provide well-known keys for override, such as sign key alias or CSF key, which points to user credentials in a CSF store. (Oracle Service Bus provides user credentials in the service account.)

Override keys you provide are passed to the Oracle Web Services Manager agent during invocation.

50.2.3 Configuring SAML

Configuring SAML is different between WLS 9.2 policies and Oracle Web Services Manager policies. For information on configuring SAML with Oracle Web Services Manager, see "Configuring SAML" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

50.2.4 Deployment Considerations

When you export Oracle Service Bus configurations that contain services with Oracle Web Services Manager policy references, the references are maintained. You must ensure that the referenced policies also exist in the target environment. If the target environment is the IDE, warnings are displayed saying that policies will be validated on publish.

50.2.5 Auditing

To audit policy events in Oracle Enterprise Manager, you must set up an audit data repository and set up event collection. For more information, see the following topics in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

You can audit the following policy-level events:

  • Policy creation, deletion, or modification

  • Assertion template creation, deletion, or modification

50.2.6 Monitoring Statistics

For this release, Oracle Enterprise Manager policy monitoring statistics and usage/impact analysis for Oracle Service Bus are not available. Therefore, you are not able to see the impact of policy modifications on the services those policies are attached to. However, Oracle Service Bus collects WS-Security error statistics for Oracle Web Services Manager policy enforcement errors as it does for WLS 9.2 policies, and those statistics are available in the Oracle Service Bus service monitoring dashboard.

50.2.7 Unsupported Assertions and Seed Policies

Table 50-1 and Table 50-2 list the Oracle Web Services Manager assertions and seed policies that Oracle Service Bus does not support. Any assertion or seed policy not listed in these tables is supported, including user-defined assertions. The enabled/disabled option on an assertion or policy does not determine whether Oracle Service Bus supports it.

Table 50-1 Unsupported Oracle Web Services Manager Assertions

Assertion                                  Assertion Type
-----------------------------------------  ----------------------
ExactlyOnce                                N/A
binding-authorization                      Authorization
binding-permission-authorization           Authorization
http-security                              N/A
OptimizedMimeSerialization                 MTOM
RMAssertion                                Reliable Messaging
sca-component-authorization                Authorization
sca-component-permission-authorization     Authorization
UsingAddressing                            N/A
wss-saml-token-bearer-over-ssl             Authentication
wss-saml-token-over-ssl                    Authentication
wss-usernametoken-over-ssl                 Authentication


Table 50-2 Unsupported Oracle Web Services Manager Seed Policies

Policy                                       Policy Type
-------------------------------------------  -----------------------
component_authorization_denyall_policy       Security/Authorization
component_authorization_permitall_policy     Security/Authorization
component_permission_authorization_policy    Security/Authorization
wsaddr_policy                                Addressing
wsmtom_policy                                MTOM
wsrm10_policy                                Reliable Messaging
wsrm11_policy                                Reliable Messaging
Wss_oam_token_client_policy                  Security/Authentication
Wss_oam_token_service_policy                 Security/Authentication



Note:

In the development environment, when using policies that are not one of the supported seed policies:

  • An effective WSDL generated in the development environment skips non-seed policies.

  • Validation is performed on service publish.


50.3 Use Cases: Oracle Service Bus and WLS 9.2 Policies with Oracle Web Services Manager

This section provides use cases that highlight the interaction between Oracle Service Bus services using WLS 9.2 policies and Oracle Web Services Manager features in providing security throughout the service pipeline.

When using Oracle Web Services Manager with WLS 9.2 policies in Oracle Service Bus services, no configuration is required, and you do not have to extend an Oracle Service Bus domain with Oracle Web Services Manager. You implement Oracle Web Services Manager features at the desired client and service locations, and the interaction and enforcement occurs automatically.


Note:

In future releases of Oracle Service Bus, Oracle Web Services Manager policies will replace and enhance the functionality of WLS 9.2 security policies. While this version of Oracle Service Bus continues to support WLS 9.2 policies, you should consider using Oracle Web Services Manager policies for new service creation to prepare for the eventual deprecation of WLS 9.2 policy support.

For more information about Oracle Web Services Manager, see:

This document describes the following security use cases with Oracle Web Services Manager:


Note:

There is no equivalent of Gateway in Oracle Web Services Manager 11.1.1.

50.3.1 Message Protection

This section describes the following use cases:

50.3.1.1 Message Protection with Client Agent

You can implement this use case with the following versions of Oracle Web Services Manager:

  • 11.1.1.x

  • 10.1.3.x

Figure 50-1 illustrates using the Oracle Web Services Manager Client Agent for message protection.

Figure 50-1 Message Protection With an Oracle Web Services Manager Client Agent


The proxy service has an inbound message protection policy. The Oracle Web Services Manager Client Agent sends a signed and encrypted request to the proxy service. The proxy service receives the secured request and, acting as an active intermediary, decrypts it, verifies the signature, and routes the request to the business service. The business service invokes the Web service, gets the response back, and sends it to the proxy service. The proxy service signs and encrypts the response and sends it to the Oracle Web Services Manager Client Agent. The Client Agent receives the secured response, decrypts it, verifies the signature, and passes the response to the client.

50.3.1.2 Message Protection with Server Agent

You can implement this use case with the following versions of Oracle Web Services Manager:

  • 11.1.1.x

  • 10.1.3.x

Figure 50-2 illustrates using the Oracle Web Services Manager Server Agent for message protection.

Figure 50-2 Message Protection With an Oracle Web Services Manager Server Agent


The client sends a plain request through the proxy and business services in Oracle Service Bus. The business service signs and encrypts the request and sends the message to the Oracle Web Services Manager Server Agent. The Server Agent decrypts and verifies the request. The plain message response is passed back to the client.

50.3.1.3 Message Protection with Client and Server Agents

You can implement this use case with the following versions of Oracle Web Services Manager:

  • 11.1.1.x

  • 10.1.3.x

Figure 50-3 illustrates using the Oracle Web Services Manager Client and Server Agents for message protection.

Figure 50-3 Message Protection With an Oracle Web Services Manager Client and Server Agents


The Oracle Web Services Manager Client Agent signs and encrypts a client request and sends the request through to the proxy service. The proxy service decrypts and verifies the signature and passes the request to the business service, which signs and encrypts the request. The Web service has a Server Agent injected in it. The Server Agent has an inbound message protection policy that decrypts and verifies the signature, then signs and encrypts the response. The response is sent back to the business service, which verifies the message and passes the response to the proxy service. The proxy service generates a signed and encrypted response and sends it to the Client Agent. The Client Agent decrypts and verifies the response, then returns the plain response to the client.

50.3.1.4 Message Protection with Gateway

You can implement this use case with the following versions of Oracle Web Services Manager:

  • 10.1.3.x

Figure 50-4 illustrates using the Oracle Web Services Manager Gateway for message protection.

Figure 50-4 Message Protection With an Oracle Web Services Manager Gateway


The client sends a plain request through the proxy and business services in Oracle Service Bus. The business service signs and encrypts the request and sends the message to the Oracle Web Services Manager Gateway. The Gateway decrypts and verifies the request. The plain message response is passed back to the client.

50.3.2 Authentication

You can implement this use case with the following versions of Oracle Web Services Manager:

  • 11.1.1.x

  • 10.1.3.x

Figure 50-5 illustrates using the Oracle Web Services Manager Client Agent for authentication.

Figure 50-5 Authentication with an Oracle Web Services Manager Client Agent


The proxy service has a user name token policy. The client, through the Oracle Web Services Manager Client Agent, sends a request to the proxy service with user credentials at the message level in a user name token. The proxy service maps the user credential from the user name token using credential mapping and sends it through the business service to the Web service for authentication. The Web service is protected using an Oracle Web Services Manager service agent with an inbound user name token policy. That service agent extracts and authenticates the user credentials. The response is then sent back through the business service and the proxy service to the client.

50.3.3 Perimeter Security

You can implement this use case with the following versions of Oracle Web Services Manager:

  • 10.1.3.x

Figure 50-6 illustrates using Oracle Web Services Manager Gateway for enforcing perimeter security.

Figure 50-6 Perimeter Security with Oracle Web Services Manager Gateway


Oracle Web Services Manager Gateway virtualizes the service exposed by the Oracle Service Bus proxy service. The Gateway has an inbound message protection policy, so the client sends a signed and encrypted request to the virtualized service on the Gateway.

The Oracle Web Services Manager Gateway acts as a security enforcement point and decrypts and verifies the signature. Oracle Web Services Manager Gateway then routes the plain request to the proxy service over SSL. The proxy service forwards the request to the business service, which invokes the Web service and gets the plain response back. The response moves back through the proxy service and Oracle Web Services Manager Gateway to the client.

50.3.4 Identity Propagation

You can implement this use case with the following versions of Oracle Web Services Manager:

  • 10.1.3.x

Figure 50-7 illustrates using the Oracle Web Services Manager Gateway for identity propagation using SAML (Security Assertion Markup Language) token version 1.1.

Figure 50-7 Identity Propagation with Oracle Web Services Manager Gateway


The client sends a request with HTTP Basic authentication to the Oracle Web Services Manager Gateway. Oracle Web Services Manager Gateway authenticates the user using the user name and password from the HTTP header. Oracle Web Services Manager Gateway generates a SAML sender-vouches assertion carrying the authenticated user identity (token mediation), inserts the SAML token, and sends the request with the assertion to the proxy service. The proxy service receives the SAML assertion with the user identity and, acting as an active intermediary, verifies the user identity. The proxy service then passes the request to the business service. The response travels back through the business service, proxy service, and Oracle Web Services Manager Gateway to the client.
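The token mediation of Figure 50-7, as an added example that is not part of this guide or of Oracle Web Services Manager: the gateway step authenticates the HTTP Basic credentials and exchanges them for a SAML 1.1 sender-vouches assertion, and the proxy-service step, as active intermediary, verifies that assertion before trusting the identity. The user store, the issuer name and the HMAC standing in for the gateway's XML signature are assumptions.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
PASSWORD_AM = "urn:oasis:names:tc:SAML:1.0:am:password"
ISSUER = "owsm-gateway.example"  # assumed gateway name, not from the guide
TS = "%Y-%m-%dT%H:%M:%SZ"
_parse_ts = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)

# Constructed user store: PBKDF2 password hashes, never plaintext.
_SALT = b"constructed-salt"
_pw_hash = lambda pw: hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000)
USERS = {"alice": _pw_hash("correct horse")}
# Assumed shared secret: an HMAC stands in for the gateway's XML signature.
GATEWAY_KEY = secrets.token_bytes(32)

def basic_header(user, password):
    """Build the Authorization header a client would send (helper for callers)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate_basic(authorization):
    """Gateway step: return the user name if the Basic credentials verify."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(b64, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user, b"")
    return user if stored and hmac.compare_digest(stored, _pw_hash(pw)) else None

def issue_assertion(user, ttl=300):
    """Gateway step (token mediation): SAML 1.1 sender-vouches assertion + signature."""
    now = datetime.now(timezone.utc)
    a = ET.Element(f"{{{SAML}}}Assertion", MajorVersion="1", MinorVersion="1",
                   AssertionID="_" + secrets.token_hex(16), Issuer=ISSUER,
                   IssueInstant=now.strftime(TS))
    ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.strftime(TS),
                  NotOnOrAfter=(now + timedelta(seconds=ttl)).strftime(TS))
    st = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement",
                       AuthenticationMethod=PASSWORD_AM,
                       AuthenticationInstant=now.strftime(TS))
    subj = ET.SubElement(st, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = user
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}ConfirmationMethod").text = SENDER_VOUCHES
    xml = ET.tostring(a)
    return xml, hmac.new(GATEWAY_KEY, xml, "sha256").hexdigest()

def verify_assertion(xml, signature):
    """Proxy-service step (active intermediary): return the asserted user, or None."""
    expected = hmac.new(GATEWAY_KEY, xml, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None  # sender-vouches: trust rests on the signer, so check it first
    a = ET.fromstring(xml)
    if a.get("Issuer") != ISSUER or a.get("MajorVersion") != "1":
        return None
    if a.findtext(f".//{{{SAML}}}ConfirmationMethod") != SENDER_VOUCHES:
        return None
    cond = a.find(f"{{{SAML}}}Conditions")
    now = datetime.now(timezone.utc)
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        return None
    return a.findtext(f".//{{{SAML}}}NameIdentifier")
```

A real deployment binds the assertion with an XML signature over the message and the assertion, which is what makes sender-vouches meaningful; the checks on issuer, confirmation method and validity window are the ones the proxy should apply in any case.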