Wednesday, January 21, 2015

Oracle SOA Suite - SAML Authentication with Message Protection

In this blog we will go through the steps required to protect a SOA composite service using basic SAML authentication and message protection. Message protection involves encrypting the message for confidentiality and signing it for integrity. We will be using the predefined OWSM policy "wss11_saml20_token_with_message_protection_service_policy" as our server policy.

By default, messages are protected using WS-Security's Basic 128 suite of symmetric key technologies, specifically RSA key mechanisms for message confidentiality, the SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. If you would like to override any of these defaults, take a copy of the policy and override them in the copy. The default is to sign and encrypt the entire body for both the request and the response. You have the option not to do this and instead specify the particular body elements that you want to sign and encrypt. You can additionally specify header elements that you want to sign and encrypt.

We have created a simple SOA composite project using a mediator that just echoes the request, and attached the policy to it.

Creating Keystore

For any message protection security policy to work, a keystore needs to be configured that contains the private keys and the certificates associated with those private keys. We will be using a JKS keystore, which is a single OWSM keystore per domain and is shared by all web services and clients running in the domain.

For demonstration purposes we will use keytool to generate a self-signed certificate and use it in our configuration.

keytool -genkeypair -v -keypass ******* -storepass oracle123 -alias orakey -keystore mykeystore.jks -keyalg rsa -keysize 2048 -storetype jks -dname 'CN=SOAtest,C=AE' -validity 365

To configure the keystore, log in to EM > WebLogic Domain > Web Services > Security Provider Configuration > Keystore > Configure

Provide the absolute path of the JKS file if it is not kept in the default location, and enter the aliases for the signature key and the encryption key together with their respective passwords. When OWSM is configured to use the JKS keystore, entries are created in the credential store for the credential map oracle.wsm.security. You must store the password for the decryption key.

Create user in Weblogic

The user in the SAML token should be a valid WebLogic user. Create the user by logging in to the WebLogic Administration Console > Security Realms > myrealm > Users and Groups > Users.

A server restart is required for the JKS configuration to take effect.

Testing the Policy using a Web Service Client

The web service's base64-encoded public certificate is published in the WSDL for use by the web service client. Attach a copy of wss11_saml20_token_with_message_protection_client_policy to your web service client while creating the proxy. Here is a piece of sample code to get started. Tools like TCPMon can be used to intercept requests and see the encryption in action.

 import java.util.Map;
 import javax.xml.ws.BindingProvider;
 import javax.xml.ws.Holder;
 import javax.xml.ws.WebServiceRef;
 import oracle.wsm.security.util.SecurityConstants.ClientConstants;
 import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;

 // Service1 and Execute_ptt are the JAX-WS proxy classes generated from the composite's WSDL.
 public class Execute_ptClient
 {
   @WebServiceRef
   private static Service1 service1;

   public static void main(String[] args)
   {
     service1 = new Service1();
     // Attach the client-side counterpart of the server policy to the proxy.
     SecurityPoliciesFeature securityFeatures =
       new SecurityPoliciesFeature(new String[] { "oracle/wss11_saml20_token_with_message_protection_client_policy" });
     Execute_ptt execute_ptt = service1.getExecute_pt(securityFeatures);
     Map<String, Object> req = ((BindingProvider) execute_ptt).getRequestContext();
     // Identity asserted in the SAML token; must be a valid WebLogic user.
     req.put(BindingProvider.USERNAME_PROPERTY, "samluser");
     req.put(BindingProvider.PASSWORD_PROPERTY, "*******");
     // Client keystore holding the signing key; the service's public certificate comes from the WSDL.
     req.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
     req.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:\\op\\cert\\mykeystore.jks");
     req.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "orakey");
     req.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "*******");
     execute_ptt.execute(new Holder<String>("hi"));
     System.out.println("Success");
   }
 }
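When a request is intercepted with TCPMon, the quickest way to confirm the client policy did its job is to check that the captured envelope carries the SAML assertion, an XML signature and an encrypted body rather than a plaintext payload. The following script is an added example, not code from the original post or from Oracle: it writes two constructed captures (one protected, one plaintext, with placeholder values standing in for real key material and ciphertext) and checks either one for the expected WS-Security elements. The function names and the prefix-based matching are assumptions; a namespace-aware XML parser would be the stricter choice.

```shell
#!/bin/sh
# Added example, not from the original post: a quick check on a request captured
# with TCPMon (or any proxy) that the client policy really signed and encrypted it.
# The captured XML is constructed here with placeholder values; a real capture
# carries base64 key material and ciphertext where the placeholders are.

# write_sample_capture FILE protected|plain
# Writes a constructed SOAP request: either one carrying the WS-Security header
# with a SAML 2.0 assertion, a signature and an encrypted body, or a plaintext one.
write_sample_capture() {
  if [ "$2" = protected ]; then
    cat > "$1" <<'EOF'
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Subject><saml2:NameID>samluser</saml2:NameID></saml2:Subject>
      </saml2:Assertion>
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-WRAPPED-KEY</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
EOF
  else
    cat > "$1" <<'EOF'
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body><execute><request>hi</request></execute></soap:Body>
</soap:Envelope>
EOF
  fi
}

# check_ws_protection FILE
# Returns 0 when the capture shows a SAML assertion, an XML signature and an
# encrypted body; prints what is missing and returns 1 otherwise.
# Matching on the conventional ds:/xenc:/saml2: prefixes is an assumption.
check_ws_protection() {
  ok=0
  grep -q '<saml2:Assertion'     "$1" || { echo "no SAML 2.0 assertion"; ok=1; }
  grep -q '<ds:Signature'        "$1" || { echo "no XML signature"; ok=1; }
  grep -q '<xenc:EncryptedData'  "$1" || { echo "body is not encrypted"; ok=1; }
  return $ok
}
```

Point check_ws_protection at the request body saved from TCPMon; a plaintext body, as produced when the policy is not attached to the proxy, is reported as "body is not encrypted".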

Monday, January 12, 2015

Oracle SOA - Changing host name or domain name

We had a requirement to change the network configuration, such as the host name and domain name, of the SOA infrastructure and start up the servers with the new names. This is a SOA 12c environment with an Admin Server and separate managed servers for SOA, OSB, ESS and BAM running on this machine.

Login to the admin console and perform the following steps.

1. Create a new machine pointing to the new host. Alternatively, you can clone the existing machine, rename it to the new one and delete the old machine if it is no longer required. Add all the servers, including the admin server, to the newly created machine. (In the Domain Structure section click Machines > MyMachine > Servers > Add > Select an existing server.)

2. If the managed servers are running with different virtual host names, the listen address needs to be changed for each and every server. (In the Domain Structure section click Servers > server1 > General > Listen Address and change the host name.)

Change the MDS datasources if required.


  • In the Change Center, click Lock & Edit.
  • In the Domain Structure section, expand Services, then JDBC, and select Data Sources.
    The Summary of JDBC Data Sources page is displayed.
  • Select the data source you want to change.
    The Settings page is displayed.
  • Select the Connection Pool tab.
  • To change the IP address, modify the URL field. For example:
    jdbc:oracle:thin:@hostname.domainname.com:1521/orcl
    
  • Click Save.
Repeat the steps for all the MDS-related data sources; a server restart is required for the update to take effect.
The files below had references to the old host name which needed a find and replace. Take a backup of the files and do a search and replace, for example in vi:
$ vi filename
:%s/oldhost/newhost/g

  • config.xml($DOMAIN_HOME/config)
  • wsm-ccw-config.xml($DOMAIN_HOME/config/fmwconfig)
  • jps-config.xml($DOMAIN_HOME/config/fmwconfig)
  • jps-config-jse.xml($DOMAIN_HOME/config/fmwconfig)
  • stopWeblogic.sh($DOMAIN_HOME/bin)
  • stopManagedWeblogic.sh($DOMAIN_HOME/bin)
  • startManagedWeblogic.sh($DOMAIN_HOME/bin)
Search through the directories for any leftover references as below and replace them (quote the exclude pattern so the shell does not expand it).

$ grep -inr --exclude='*.log*' -e "oldhost" /directory

Before starting the node manager, change the host name in the nodemanager.properties file.

ListenAddress=newHost

In SOA 12c the property file is located in $DOMAIN_HOME/nodemanager by default, or in the custom path if it was changed during installation.
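The backup, search-and-replace and leftover check above are easy to do inconsistently by hand across seven files plus nodemanager.properties. The script below is an added example, not from the original post: it takes a backup of each listed file before rewriting it, escapes the dots in the old host name so the substitution does not match unrelated strings, and counts the files that still mention the old host while skipping logs and the backups it just made. The file list follows the post; the function names, the backup suffix and the use of a temporary copy instead of sed -i (for portability between GNU and BSD sed) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): back up and rewrite host-name
# references in the domain files listed in the post, then report leftovers.
# Paths under DOMAIN_HOME follow the post; everything else is an assumption.

# Files named in the post, relative to DOMAIN_HOME.
HOST_FILES="config/config.xml
config/fmwconfig/wsm-ccw-config.xml
config/fmwconfig/jps-config.xml
config/fmwconfig/jps-config-jse.xml
bin/stopWeblogic.sh
bin/stopManagedWeblogic.sh
bin/startManagedWeblogic.sh
nodemanager/nodemanager.properties"

# rename_host DOMAIN_HOME OLDHOST NEWHOST
# Copies each existing file to <file>.bak.<timestamp> before rewriting it, so the
# change can be rolled back. Writes through a copy rather than sed -i so the
# same script runs on GNU and BSD sed.
rename_host() {
  domain_home=$1; oldhost=$2; newhost=$3
  stamp=$(date +%Y%m%d%H%M%S)
  # Escape the dots so 'old.example.com' does not also match 'oldXexampleXcom'.
  pat=$(printf '%s' "$oldhost" | sed 's/\./\\./g')
  for rel in $HOST_FILES; do
    f="$domain_home/$rel"
    [ -f "$f" ] || continue
    cp -p "$f" "$f.bak.$stamp" || return 1
    sed "s/$pat/$newhost/g" "$f.bak.$stamp" > "$f" || return 1
  done
}

# leftover_refs DOMAIN_HOME OLDHOST
# Prints the number of files under DOMAIN_HOME that still mention the old host,
# ignoring log files and the backups created by rename_host.
leftover_refs() {
  grep -ilr --exclude='*.log*' --exclude='*.bak.*' -e "$2" "$1" | wc -l | tr -d ' '
}
```

Run rename_host with the domain home and both host names while the servers are down, then use leftover_refs to decide whether any file outside the list (custom scripts, application deployment descriptors) still needs a manual edit.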

If the admin server is not running on localhost but on a different host name that has also changed, you will not be able to start the admin server. In that case the host name should be changed before the server is shut down. If it is a clone of an existing server, the admin server will need to be brought up with the old host name to access the console and change the host names.