Archive for September, 2015

OWSM 12c–Using WSS10 SAML Policies

Published September 20, 2015 OSB Comments
Tags: , ,

In this post, we will see  the required setup for WSS10 SAML policies and we will use SOAP UI to demonstrate client side setup in brief and recommend to refer to previous post for detailed steps to create Outgoing Configuration at client side and server side keystore setup.

SAML Issuer Setup:

wsmdomain

samlissuer

wss10_saml_token_service_ policy:

Create an Outgoing Configuration with SAML Token as shown below.

samlconfig

SAML Token:

image_thumb

samlform

Attach Outgoing Configuration to request as shown below.

attachsaml

wss10_saml_token_with_message_integrity_service_ policy:

Requires both SAML Token and message body to be digitally signed, hence we need to modify above SAML token setup to consider signing and need to add separate Signature setup in Outgoing Configuration.

SAML Token modification:

Check Signed attribute and use the client side keystore and private key alias as shown below.

saml1

Add Signature setup in Outgoing Configuration as shown below.

samlsign

wss10_saml_token_with_message_protection_service_ policy:

Requires to  setup SAML Token, Timestamp, Signature and Encryption in Outgoing Configuration where as SAML Token, Timestamp and Body to be digitally signed and Body to be encrypted.

Timestamp:

tstamp1

tstamp

SAML Token:

  • SAML Verison: 1.1
  • Uncheck Signed
  • Assertion Type: Authentication
  • Confirmation Method: Sender Vouches
  • Issuer: www.oracle.com
  • Subject Name: <<username>>
  • Subject Qualifier: leave it blank

saml

saml1

Signature:

sig1

Encryption:

enc1

enc

Note: we should maintain the order Signature and Encryption in Outgoing Configuration as shown above.

Attach both Outgoing and Incoming configuration as shown below.

attachsaml

Sample SAML1.1 Assertion:

<saml1:Assertion AssertionID="_14F9EF7DC64266B61B144285601642823" IssueInstant="2015-09-21T17:20:16.428Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <saml1:Conditions NotBefore="2015-09-21T17:20:16.428Z" NotOnOrAfter="2015-09-21T17:25:16.428Z"/>
   <saml1:AuthenticationStatement AuthenticationInstant="2015-09-21T17:20:16.428Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" xsi:type="saml1:AuthenticationStatementType">
      <saml1:Subject>
         <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml1:NameIdentifier>
         <saml1:SubjectConfirmation>
            <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
         </saml1:SubjectConfirmation>
      </saml1:Subject>
   </saml1:AuthenticationStatement>
</saml1:Assertion>

Notes:

  • With above setup, the request is returning error response when I used SOAP UI5.0.0 but working with SOAP UI 5.2.0. So I would recommend to use SOAP UI 5.2.0.
  • Observe that, we had added Assertion as one of the Parts in Signature setup. This is the only option working for Message Protection policy and it’s not working when signing setup is done in SAML Token by checking Signed.
  • In SOAP UI, i got the saying Error getting response for […]; null even with all this setup. Following solution is given here to resolve this issue.

    Replace the existing xmlsec-1.4.5.jar file in /lib folder with xmlsec-1.5.2.jar.

    Replace the existing wss4j-1.6.16.jar file in /lib folder with wss4j-1.6.2.jar.

wss10_saml20_token_service_ policy:

Required setup is similar to wss10_saml_token_service_ policy except that we have to use SAML Token version 2.0 as shown below.

saml2

Sample SAML2.0 Assertion:

<saml2:Assertion ID="_14F9EF7DC64266B61B144294396204152" IssueInstant="2015-09-22T17:46:02.041Z" Version="2.0" xsi:type="saml2:AssertionType" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <saml2:Issuer>www.oracle.com</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2015-09-22T17:46:02.041Z" NotOnOrAfter="2015-09-22T17:51:02.041Z"/>
   <saml2:AuthnStatement AuthnInstant="2015-09-22T17:46:02.041Z">
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
</saml2:Assertion>

wss10_saml20_token_with_message_protection_service_ policy:

Required setup is similar to wss10_saml_token_with_message_protection_ service_ policy except that we have to use SAML Token V2.0 and have to add the following in Parts of Signature setup. Note the namespace change.

  • Assertion urn:oasis:names:tc:SAML:2.0:assertion

saml2ts

saml2

saml2sig

saml2enc

wss10_saml_token_with_message_protection_ski_basic256_service_policy:

Similar setup as OWSM policy wss10_saml_token_with_message_protection _ service_ policy except that different Key Encryption, Encoding algorithms and Key referencing mechanism.

Timestamp:

tstamp

SAML Token:

skitoken

Signature:

skisig

Encryption:

skienc

Note: When we use 256-bit encryption algorithm in SOAP UI, we are seeing the error java.security.InvalidKeyException: Illegal key size or default parameters’. This is because java does not support key sizes greater than 128 by default. To get rid of this error, we need to copy policy files local_policy.jar and US_export_policy.jar to %java_home%/jre/lib/security. The policy files can be downloaded using the following links depending on the JDK you use.

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download

SOAP UI can either use your existing JDK installation or bundled JRE and this information can be found in <<SOAP UI Install Dir>>\bin\soapui.bat. If bundled JRE is used by SOAP UI then we need to copy above policy files to location <<SOAP UI Install Dir>>\jre\lib\security.

You can get the SOAP UI project and keystores used in this post over here.

Advertisement

OWSM 12c–Using Username Message Protection Policy

Published September 19, 2015 OSB Comments
Tags: ,

In this post, I will demonstrate required steps at both server and client side for the OWSM  policy oracle/wss10_username_with_message_protection_ server_policy. I will use SOAP UI to demonstrate the client side setup.

Server Side

Attach OWSM policy to service, here I will be using OSB Proxy Service for demo.

attachpolicy

This OWSM policy requires private keys to be generated at both server and client side. So create clientkeystore.jks for SOAP UI and osbkeystore.jks for server using commands below.

keytool -genkeypair -keyalg RSA -alias localclient -keystore clientkeystore.jks -storepass cljks123 -validity 360 -keysize 2048

keytool -genkeypair -keyalg RSA -alias localosb -keystore osbkeystore.jks -storepass osbjks123 -validity 360 -keysize 2048

Export the public certificate from each keystore using following commands.

keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

keytool -exportcert -alias localosb –keystore osbkeystore.jks -file localosb.cer

Import the certificate into each other using following commands.

keytool -importcert -alias localclient -keystore osbkeystore.jks -file localclient.cer

keytool -importcert -alias localosb –keystore clientkeystore.jks -file localosb.cer

Now add these keys in oracle.wsm.security map using the following steps.

mapcred

mapkey

Create key keystore-csf-key as below.

kscsf

Also create other 2 keys enc-csf-key and sign-csf-key similar to above using the same alias  localosb.

keys

Now navigate to the WSM Domain Configuration as shown below to set the keystore and keys to be used by OWSM runtime.

wsmdomain

keyset

Client Side

The SOAP UI documentation has detailed information related to ws-security setup here so I will keep my description brief and readers are recommended to go through the given link.

Double click on SOAP UI project where we can specify ws-security setup.

ws-sec

Keystores:

Add clientkeystore.jks in Keystores tab and give the key store password as shown below. Status should be shown as OK implies that it’s a valid keystore.

keystore

Incoming WS-Security configuration:

Since clientkeystore.jks has required keys for both encryption and digital signature, we have to just select this keystore in Incoming Configuration as shown below.

incoming

Outgoing WS-Security configuration:

Add Outgoing Configuration with name OutConfig as shown below.

outgoing

Now we have to add the configuration for Timestamp, Username Token, Signature and Encryption in detail tabs of Outgoing Configuration as required.

  • Timestamp
    • Give 20000 as value for Time to live
    • Check Millisecond precision

tstamp1

tstamp

  • Username Token
    • Give Username and Password
    • Check Add Nonce and Add Created
    • Select Password Type as PasswordText

utoken1

utoken

sig1

sig

enc1

enc

Note: we should maintain the order Signature and Encryption in Outgoing Configuration as shown above.

Adding Outgoing/Incoming configuration:

addconfig

With all this setup in place, when I execute the request I was getting the error saying Error getting response for […]; null. Following is the solution given in one of the forum posts here. Note that, I was using SOAP UI 5.0.0.

Replace the existing xmlsec-1.4.5.jar file in /lib folder with xmlsec-1.5.2.jar.

Replace the existing wss4j-1.6.16.jar file in /lib folder with wss4j-1.6.2.jar.

Sample Request

request

Sample Response

response

Note: We also have another way of attaching Outgoing Configuration to the request as shown below by doing right click on request window. When we do this way, don’t select Format XML option on right click which is causing digital signature verification failure.So I always recommend the above mentioned way to attach Outgoing Configuration.

reqright

reqsig

Similarly, for OWSM policy oracle/wss_username_token_service_policy the above Username token setup is enough.

You can get the SOAP UI project and keystores used in this post over here.

Creating Ubuntu VM in Oracle Virtual Box

Published September 19, 2015 VM Leave a Comment
Tags: ,

In this post, will describe steps required to install Ubuntu64 virtual machine in Oracle VM Virtual Box. Most of the people may be aware of it so here I am just listing down the required steps.

Note that, here I am using Oracle VM Virtual Box 4.3.24 and installing Ubuntu 14.04.3 (64-bit) VM for demonstration.

  • Open Oracle VM VirtualBox and select File –> New.
  • Give name as  Ubuntu64 or any meaningful name and select type as Linux and version as Ubuntu (64 bit).
  • Click Next and use  slider to select required RAM. We may want to select 1GB for better performance with min of 512 MB.
  • Click Next. Choose the option Create a virtual hard drive now and click Create.
  • Select hard drive type as VDI and click Next.
  • Select Fixed or Dynamic option based on requirements and click Next.
  • Give file name for virtual hard drive file and Click Create. Here you have the option to choose the required hard drive size. This will create new VM and will be shown in the Virtual Box Manager. Note that VM is not yet configured to use Ubuntu OS.
  • To configure, start VM by selecting Machine –> Start and select startup disk file ubuntu-14.04.3-desktop-amd64.iso which we can download it from Ubuntu website.
  • After selecting iso image click Start to initiate the Ubuntu OS creation.
  • Select the language and click  Install Ubuntu.
  • Check Download updates while installing and click Continue.
  • Choose the default option Erase disk and install Ubuntu and click Install now. Click Continue if you see any warning related to formatting disk.
  • Select your location and click Continue.
  • Select keyboard layout and click Continue.
  • Provide details for Name, Computer’s Name and enter the required credentials for VM. and click Continue.
  • Select Log in automatically if you do not want to enter a password each time you log in or select Require my password to log in.  Click Continue.
  • It will take a while for the installation of Ubuntu OS. Once that’s done, click Restart now for the changes to be effective.

We can use any of these commands file /sbin/init or uname –i to make sure that 64-bit OS has been installed.

We can find the OS version using command lsb_release –a.

If you observe that VM is not shown in the full screen mode, then we have to install Virtual Box Guest Additions using steps mentioned below and use the admin password wherever it asks during installation.

guestadd

guestadd1

guestadd2

Now restart the VM and now you would see the VM in full screen mode.

To access internet, make sure that you have following settings for adapter:

settings

nat

If you are behind proxy, you can set proxy by going to System Settings –> Network –> Network Proxy as shown below. Click Apply System Wide and give admin credentials if you are asked for authentication.

proxy

From command prompt, you can set using the following command:

                   export http_proxy=>:”>http://<<host>>:<<port>>

Doing SSH into VM from Host:

  • First install SSH server using the command sudo apt-get install openssh-server.
  • Setup a port forwarding in your VM settings as below and restart the VM. Navigate to VM->Settings->Network->Adapter 1-> Advanced->Port Forwarding.

  • We can connect to this VM using winscp as shown below.

SOA 12c – Maven Articles

Published September 1, 2015 Maven , OSB Leave a Comment
Tags: , , ,

Using Maven Sync Plugin

Using Maven for SOA Deployment

Using Maven for Service Bus Deployment

Pages

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 379 other subscribers

Enter your email address to follow this blog and receive notifications of new posts by email.

%d bloggers like this: