
Archive for the 'OSB' Category

Docker Containers for Oracle SOA Suite

In the previous blog we started with a brief introduction to the Docker platform and also saw how to build images and run containers. In this blog we will see how to set up an Oracle SOA Suite 12.2.1.3 environment with Docker containers using Oracle's official Docker images. The README files that come with the official images have a lot of information and one can easily create the Docker images from them, so I just want to collate all this information here for quick reference.

I used an Ubuntu 17.10 (artful) VM with Docker version 17.12.1-ce on a Windows 10 laptop.

Installation:

Typical steps to install Oracle SOA Suite 12.2.1.3 on a laptop:

  • Install JRE 8/JDK 8
  • Install the certified database.
  • Install Oracle SOA Suite/BPM Suite/OSB as per requirements.
  • Run RCU to create the required schemas
  • Configure the domain

In the world of Docker, the above steps translate to the following steps.

  • Build JRE 8 docker image
  • Build Oracle DB docker image
  • Build FMW infrastructure docker image
  • Build SOA Suite docker image
  • Start DB container
  • Start Admin Server container
  • Start Managed Server container

To start with, download the official Dockerfiles from https://github.com/oracle/docker-images; we use the images related to OracleJava, OracleDatabase, OracleFMWInfrastructure and OracleSOASuite. Each of these folders has the necessary scripts for installation but does not contain the installer binaries. Have all these folders copied into a docker-images directory.

Build JRE 8 docker image:

  • Download server-jre-8u161-linux-x64.tar.gz from link and copy it into the directory OracleJava/java-8.
  • Navigate to the above directory and run sh build.sh. We will observe the image oraclelinux:7-slim getting pulled from Docker Hub, as the Dockerfile contains the instruction FROM oraclelinux:7-slim.
  • Once the build is complete we can see a new image available with the tag oracle/serverjre:8.

  • Note that the OracleJava folder also has the Dockerfiles required to build JRE 9.

Build Oracle DB docker image:

  • Download the files linuxamd64_12102_database_1of2.zip and linuxamd64_12102_database_2of2.zip from link and copy them into the directory OracleDatabase/dockerfiles/12.1.0.2. I used version 12.1.0.2, though the latest is 12.2.0.1, because of its smaller size.
  • Navigate to the directory OracleDatabase/dockerfiles and issue the following command. Option -v indicates the DB version and option -e selects Enterprise Edition.

                              sh buildDockerImage.sh -v 12.1.0.2 -e

  • Open OracleDatabase/dockerfiles/12.1.0.2/Dockerfile.ee to check the instructions that get executed during the image build. Observe oraclelinux:7-slim as the base image in this Dockerfile.
  • Once the build is complete we can see a new image available with the tag oracle/database:12.1.0.2-ee.

  • Note that the OracleDatabase folder also has the Dockerfiles required to build images for versions 12.2.0.1 and 11.2.0.2 (XE).

Build FMWInfrastructure docker image:

  • Download the file fmw_12.2.1.3.0_infrastructure_Disk1_1of1.zip from link and copy it into the directory OracleFMWInfrastructure/dockerfiles/12.2.1.3.
  • Navigate to the directory OracleFMWInfrastructure/dockerfiles and issue the following command. Option -v indicates the version.

                              sh buildDockerImage.sh -v 12.2.1.3

  • Open OracleFMWInfrastructure/dockerfiles/12.2.1.3/Dockerfile to check the instructions that get executed during the image build. Observe that oracle/serverjre:8 is the base image; this is exactly why we built the JRE image first.
  • Once the build is complete we can see a new image available with the tag oracle/fmw-infrastructure:12.2.1.3.

  • Note that the OracleFMWInfrastructure folder also has the Dockerfiles required to build images for version 12.2.1.2.

Build SOA Suite docker image:

  • Download the files fmw_12.2.1.3.0_soa.jar and fmw_12.2.1.3.0_osb.jar from link and copy them into the directory OracleSOASuite/dockerfiles/12.2.1.3. Note that these installers are not the Quick Start installers.
  • Navigate to the directory OracleSOASuite/dockerfiles and issue the following command. Option -v indicates the version.

                            sh buildDockerImage.sh -v 12.2.1.3

  • Open OracleSOASuite/dockerfiles/12.2.1.3/Dockerfile to check the instructions that get executed during the image build. Observe that oracle/fmw-infrastructure:12.2.1.3 is the base image; this is exactly why we built that image first.
  • Once the build is complete we can see a new image available with the tag localhost/oracle/soasuite:12.2.1.3.

  • Note that the OracleSOASuite folder also has the Dockerfiles required to build images for version 12.2.1.2.

By creating Docker images for the DB and SOA Suite we are done with the installation, but we have yet to configure the DB instance, run RCU and configure the SOA/OSB domain. Note that the image oracle/fmw-infrastructure has one pre-configured domain named base_domain.

We use the docker-compose tool to create containers based on the above images. A sample docker-compose.yml file is located in the OracleSOASuite/samples directory.

Prerequisite:

  • Edit ../setenv.sh, set or modify the required environment variables and run source ../setenv.sh. At minimum, we need to set DC_ORCL_SYSPWD, DC_ADMIN_PWD and DC_RCU_SCHPWD. Note that I had to set DC_HOSTNAME to an IP address like 172.18.0.1 instead of the hostname or localhost. Do this as the first step before starting up any of the containers below.

Start DB container:

  • The docker-compose.yml file defines a service named soadb that can be used to create the DB container. Modify this entry as below:

          soadb:
            image: oracle/database:12.1.0.2-ee
            ports:
              - "${DC_ORCL_PORT}:1521"
              - "${DC_ORCL_OEM_PORT}:5500"
            environment:
              - ORACLE_SID=${DC_ORCL_SID}
              - ORACLE_PDB=${DC_ORCL_PDB}
              - ORACLE_PWD=${DC_ORCL_SYSPWD}
            container_name: soadb
            volumes:
              - ${DC_ORCL_DBDATA}:/opt/oracle/oradata

  • Use the command docker-compose up -d soadb to start the DB container.

  • When the DB container starts for the first time, it configures the DB instance and the TNS listener and creates a dummy password for the SYS user. The logs can be seen using the command docker logs -f soadb.

  • Execute docker exec <<container id>> /opt/oracle/setPassword.sh <<pwd>> to reset the password for the SYS user. Make sure that the DB container is running before executing this command. The location of this script can be derived from the instructions found in OracleDatabase/dockerfiles/12.1.0.2/Dockerfile.ee.
  • After the first time, to restart the container we can use either of the commands below. Make sure to run source ../setenv.sh before using docker-compose commands.

docker-compose up -d soadb

docker start <<container id>>

  • Connect to the DB using the command sqlplus sys/fusion@//172.18.0.1:1521/soadb as sysdba to make sure that the DB is up and running.

  • Command docker stop can be used to stop the container.
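docker-compose substitutes an empty string for any ${VAR} in docker-compose.yml that is not set in the shell, so skipping source ../setenv.sh turns ORACLE_PWD=${DC_ORCL_SYSPWD} into an empty password instead of failing. The following is an added example (not code from this post or from Oracle's docker-images repository) that lists every variable a compose file references and reports the ones that are unset, so the check can run before docker-compose up -d soadb. The compose text and the environment below are constructed samples; the function names are my own.

```javascript
// Added example: find ${VAR} references in a compose file that the current
// environment does not supply. Not part of Oracle's docker-images repository.

// Constructed sample: the soadb service from the post, as a string.
const SOADB_COMPOSE = [
  'soadb:',
  '  image: oracle/database:12.1.0.2-ee',
  '  ports:',
  '    - "${DC_ORCL_PORT}:1521"',
  '    - "${DC_ORCL_OEM_PORT}:5500"',
  '  environment:',
  '    - ORACLE_SID=${DC_ORCL_SID}',
  '    - ORACLE_PDB=${DC_ORCL_PDB}',
  '    - ORACLE_PWD=${DC_ORCL_SYSPWD}',
  '  container_name: soadb',
  '  volumes:',
  '    - ${DC_ORCL_DBDATA}:/opt/oracle/oradata',
].join('\n');

// Returns [{ name, hasDefault }] for each distinct variable referenced.
// Handles ${NAME}, ${NAME:-dflt}, ${NAME-dflt} and bare $NAME, and skips the
// "$$" escape that compose uses for a literal dollar sign. hasDefault is
// true only when every reference to the name carries an inline default.
function referencedVars(composeText) {
  const re = /\$(?:\$|\{([A-Za-z_][A-Za-z0-9_]*)(:?-[^}]*)?\}|([A-Za-z_][A-Za-z0-9_]*))/g;
  const seen = new Map();
  let m;
  while ((m = re.exec(composeText)) !== null) {
    const name = m[1] || m[3];
    if (!name) continue; // the "$$" escape
    const hasDefault = m[2] !== undefined;
    const prev = seen.get(name);
    seen.set(name, { name, hasDefault: prev ? prev.hasDefault && hasDefault : hasDefault });
  }
  return [...seen.values()].sort((a, b) => a.name.localeCompare(b.name));
}

// Names with no usable value: not in env (or empty) and no inline default.
// An empty value is reported too, because an empty DB or admin password is
// never what the operator intended.
function findUnsetComposeVars(composeText, env) {
  return referencedVars(composeText)
    .filter((v) => !v.hasDefault && (env[v.name] === undefined || env[v.name] === ''))
    .map((v) => v.name);
}

// True when it is safe to run docker-compose against this file.
function composeEnvReady(composeText, env) {
  return findUnsetComposeVars(composeText, env).length === 0;
}

// Constructed environment mimicking a setenv.sh in which DC_ORCL_SYSPWD was
// never filled in.
const DEMO_ENV = {
  DC_ORCL_PORT: '1521',
  DC_ORCL_OEM_PORT: '5500',
  DC_ORCL_SID: 'soadb',
  DC_ORCL_PDB: 'soapdb',
  DC_ORCL_DBDATA: '/home/user/oradata',
};

const missing = findUnsetComposeVars(SOADB_COMPOSE, DEMO_ENV);
if (missing.length > 0) {
  console.log('refusing to start; unset compose variables: ' + missing.join(', '));
}
```

Against a real checkout, pass the file contents and process.env instead of the samples: findUnsetComposeVars(fs.readFileSync('docker-compose.yml', 'utf8'), process.env). Treating an empty value the same as an unset one is a deliberate choice here; compose itself only applies the inline default for an empty value when the ${NAME:-dflt} form is used.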

Start Admin Server container:

  • The docker-compose.yml file has soaas as one of its services, which can be used to create the container. Use the command docker-compose up -d soaas to start the Admin Server container.
  • When the Admin Server container starts for the first time, it runs RCU to create the required schemas by connecting to the DB container and also configures a new domain. The logs can be seen using the command docker logs -f soaas.

  • After the first time, to restart the container we can use either of the commands below. Make sure to run source ../setenv.sh before using docker-compose commands.

docker-compose up -d soaas

docker start <<container id>>
  • Verify that you are able to access the admin console using http://localhost:7001/console and observe that AdminServer is up and running. The password for the admin console will be the value given for DC_ADMIN_PWD in setenv.sh.
  • In Data Sources, observe that the prefix SOA01 is used for SOAINFRA, MDS and the others; this is the value given for DC_RCU_SOAPFX in setenv.sh.
  • Command docker stop can be used to stop the container.

Start Managed Server container:

Note that I had to use a minimum of 6 GB RAM for my Ubuntu VM to bring up the DB, Admin Server and Managed Server containers.

  • The docker-compose.yml file has soams as one of its services, which can be used to create the container. Use the command docker-compose up -d soams to start the Managed Server container.

  • The logs generated in the Managed Server container can be seen using the command docker logs -f soams.

  • After the first time, to restart the container we can use either of the commands below. Make sure to run source ../setenv.sh before using docker-compose commands.

docker-compose up -d soams

docker start <<container id>>

  • Access the admin console using http://localhost:7001/console and observe that soa_server1 is up and running; we can also see a soa_cluster configured.
  • Command docker stop can be used to stop the container.

Observations:

  • If we want to access the admin console from the host OS, we need to configure port forwarding rules for the VM as shown below.

  • When we install the DB or SOA Suite on a laptop, the installation wizard guides us through the steps, which makes life easier. But when we want to use Dockerfiles to build images we need to come up with scripts for the installation and configuration. Typically a developer may not have this much acquaintance with these kinds of installation scripts, and I feel admin help is required. I hope Oracle keeps updating their GitHub repository with newer Dockerfiles and scripts whenever a new release is available.
  • I feel debugging containers is difficult and I need to look more into this aspect. Initially, when I created the VM I used 3 GB RAM, and with this RAM I was able to bring up the DB and Admin Server containers. But when I started the Managed Server it got stuck, and docker logs also did not help me identify the issue. It was a complete guess on my part to increase the RAM to 6 GB, which made things smoother.
  • The Dockerfiles use the yum tool, which is not available in Ubuntu; that means we may need to come up with different Dockerfiles for different Linux distributions and for Windows.
  • The official Oracle Docker images for Java, DB and FMW Infrastructure have oraclelinux as the base image. Does that mean Oracle does not support other Linux distributions like Ubuntu? I need to check on this and I welcome readers to let me know if anyone has information on this.

Branching in Native REST Services

In the previous post we were introduced to native REST service (Typed and Un-typed) support in 12.2.1. But we can observe the following issues there:

  • We used only the GET method for demonstration, and typically this would not be the case, as a REST service can also support other HTTP methods (POST, PUT and DELETE).
  • No branching in Typed REST Services when multiple HTTP methods are supported.
  • No branching in Un-typed REST Services when multiple HTTP methods are supported.

In this post we will try to cover the above aspects. Note that all of this discussion relates to native REST services unless stated otherwise.

Branching in Typed REST Services:

Add POST method support for the typedEmployees resource as shown below.

typedbranch

typedbranch1

typedbranch2

typedbranch3

Since a Typed REST Service uses a WADL in which each operation name is annotated with soa:name, we can simply make use of an Operational Branch.

opbranch 

You can use a URL like the one below to access the REST service.

http://localhost:7003/restDemo/typedService/typedEmployees

Branching in Un-Typed REST Services:

Since Un-typed REST services do not use a WADL, we can't use an Operational Branch as above. So in this release, OSB introduced a new node called REST Branch for this purpose.

restbrnch

Add a REST Branch to the pipeline by dragging it from Components.

rest1

For each REST branch, the supported Media Types, Resource Path and HTTP method must be given.

branch

Use the + icon to add media types and give the other information as shown below. This means we are creating a REST resource called untypedEmployees which supports GET, with the supported media types application/xml and application/json.

rest2

Modify the REST branch name in the General section of Properties. We can add more branches using the highlighted icon below.

rest3

We can add POST method support for the same resource path as shown below.

post

post1

post3

Test the proxy as shown below. Note that we have specified the required parameters in the HTTP headers.

test

test2

You can use a URL like the one below to access this REST service; make sure that Content-Type is passed without fail.

http://localhost:7003/restDemo/untypedService/untypedEmployees

Observations:

  • OSB parses the payload based on the HTTP header Content-Type in the request. We can use a Log activity to see the $body contents. Refer to this post to enable logging.
  • When Content-Type is application/xml, $body is logged as below.

[PostPipelinePair, request-ab047b9.N47e0f03.0.15591b0ca2c.N7d1d, Stage1, REQUEST] CreateEmployeeLog: <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">[[<a><b>1233333</b></a></soapenv:Body>]]

  • When Content-Type is application/json, $body is logged as below.

[PostPipelinePair, request-ab047b9.N47e0f03.0.15591b0ca2c.N7d1d, Stage1, REQUEST] CreateEmployeeLog: <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">{"a":1234,"b":3455}</soapenv:Body>

  • OSB binds a globally-scoped object called process, which can be used as process.body or process.var, similar to the $body and $xyz XPath variables. This notation is used in JavaScript expressions. Use a Log activity with a JavaScript expression as below to verify the same.

logjs

logjs1

logjs2

  • When Content-Type is application/xml, process.body is logged as below.

[PostPipelinePair, request-ab047b9.N47e0f03.0.15591b0ca2c.N7d1d, Stage1, REQUEST] CreateEmployeeLog: <a>[[<b>1233333</b></a>]]

  • When Content-Type is application/json, process.body is logged as below.

[PostPipelinePair, request-ab047b9.N47e0f03.0.15591b0ca2c.N7d1d, Stage1, REQUEST] CreateEmployeeLog: {"a":1234,"b":3455}

  • Though a REST service supports JSON and XML payloads, no automatic conversion takes place at runtime; in native REST services it has to be done programmatically.
  • When using end-to-end XML, use XQuery/XSLT for transformation.
  • When using end-to-end JSON, use JavaScript for transformation.
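To make the observations above concrete, here is an added example (not OSB product code, and not from this post) that models what they describe: a REST Branch is chosen by HTTP method, resource path and media type; the payload is parsed according to the request's Content-Type header; and since OSB performs no automatic JSON to XML conversion, the conversion is written out explicitly in JavaScript. The branch table, the status codes returned for a non-matching request and all function names are assumptions made for the example.

```javascript
// Added example modelling REST Branch selection and explicit JSON -> XML
// conversion; it is not OSB's own implementation.

// Constructed branch table mirroring the untypedEmployees resource above.
const REST_BRANCHES = [
  { name: 'getEmployees',   method: 'GET',  path: '/untypedEmployees',
    mediaTypes: ['application/xml', 'application/json'] },
  { name: 'createEmployee', method: 'POST', path: '/untypedEmployees',
    mediaTypes: ['application/xml', 'application/json'] },
];

// Content-Type may carry parameters ("application/json; charset=utf-8");
// only the media type itself takes part in branch selection.
function parseMediaType(contentType) {
  if (typeof contentType !== 'string' || contentType.trim() === '') return null;
  return contentType.split(';')[0].trim().toLowerCase();
}

// Returns { status, branch, mediaType }. GET carries no body, so it needs no
// Content-Type; for methods with a body an absent or unsupported media type is
// rejected (415) rather than guessed, because the parser picked from this
// header is what interprets the payload.
function selectRestBranch(req, branches = REST_BRANCHES) {
  const byPath = branches.filter((b) => b.path === req.path);
  if (byPath.length === 0) return { status: 404, branch: null, mediaType: null };
  const byMethod = byPath.filter((b) => b.method === req.method);
  if (byMethod.length === 0) return { status: 405, branch: null, mediaType: null };
  if (req.method === 'GET') return { status: 200, branch: byMethod[0], mediaType: null };
  const mediaType = parseMediaType(req.headers && req.headers['content-type']);
  const branch = byMethod.find((b) => b.mediaTypes.includes(mediaType));
  if (!branch) return { status: 415, branch: null, mediaType };
  return { status: 200, branch, mediaType };
}

// Escape text placed inside XML content so that a JSON string value such as
// "<b>" cannot inject markup into the generated document.
function escapeXml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&apos;');
}

const XML_NAME = /^[A-Za-z_][A-Za-z0-9_.-]*$/;

// The explicit JSON -> XML conversion the post says must be done by hand.
// Objects become nested elements, arrays repeated elements, null an empty
// element; keys are checked to be valid element names.
function jsonToXml(value, elementName) {
  if (!XML_NAME.test(elementName)) throw new Error('invalid element name: ' + elementName);
  if (Array.isArray(value)) return value.map((item) => jsonToXml(item, elementName)).join('');
  if (value === null || value === undefined) return '<' + elementName + '/>';
  if (typeof value === 'object') {
    const inner = Object.keys(value).map((k) => jsonToXml(value[k], k)).join('');
    return '<' + elementName + '>' + inner + '</' + elementName + '>';
  }
  return '<' + elementName + '>' + escapeXml(value) + '</' + elementName + '>';
}

// Handles a request the way the POST branch would: select the branch, parse
// the body by media type, and for JSON produce the XML form explicitly. XML
// passes through untouched; a real pipeline would hand it to XQuery/XSLT.
function handleRequest(req) {
  const sel = selectRestBranch(req);
  if (sel.status !== 200) return { status: sel.status, branch: null, xml: null };
  if (sel.mediaType === 'application/json') {
    let parsed;
    try { parsed = JSON.parse(req.body); } catch (e) { return { status: 400, branch: sel.branch.name, xml: null }; }
    return { status: 200, branch: sel.branch.name, xml: jsonToXml(parsed, 'employee') };
  }
  return { status: 200, branch: sel.branch.name, xml: req.body || null };
}

// Constructed request matching the JSON log line shown above.
const SAMPLE_POST = {
  method: 'POST', path: '/untypedEmployees',
  headers: { 'content-type': 'application/json; charset=utf-8' },
  body: '{"a":1234,"b":3455}',
};
console.log(JSON.stringify(handleRequest(SAMPLE_POST)));
```

The design point is in selectRestBranch: the media type drives which parser runs, so it is taken only from an explicit Content-Type and is never inferred from the body, and the parameter suffix is stripped before matching so that a charset does not defeat the branch.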

References:

https://docs.oracle.com/middleware/1221/osb/develop/GUID-FE2CAC5B-E4DF-49DE-AD3C-36EEAF750BFE.htm#OSBDV-GUID-BAE387C8-F1BE-49CF-8789-EFE220D216DB

Enabling Logging in Service Bus

To enable pipeline logging in Service Bus, the steps remain the same as below, but the location where we do this activity has changed. The screenshots shown in this post

  • Enable logging in Global Settings
  • Enable logging at Pipeline level

Global Settings

Log in to the EM Console and navigate to SOA –> service-bus (Admin Server) as shown below.

gbtree

Click on the Global Settings tab and set the Logging Enabled property. We can also enable Monitoring, Alerts, Reporting and Result Cache as shown below.

osbglobal

Pipeline Settings

In the EM Console, navigate to SOA –> service-bus –> <<Service Bus Project>>.

proxylog

Go to the Operations tab and query for Pipelines. Here we can see all the monitoring-related properties for Pipelines.

proxylog1

Click on the Pipeline and go to the Properties tab to enable Logging as shown below. We can set other Monitoring and Tracing related properties as well. We can also set the log level so that the messages appear in the log files.

pplog

This logging information is written to <<osbservername>>-diagnostic.log.

Another related blog entry: https://thecattlecrew.net/2015/12/23/oracle-soa-12c-quicktip-enable-servicebus-message-tracing-in-defaultdomain/

Service Bus 12.2.1 – REST Support

In this blog, we will review the native REST service support added in 12.2.1. You can refer to this post to find information about the same from the 12.1.3 perspective.

Before discussing further, we will first see how 12.2.1 provides backward compatibility with 12.1.3. In 12.1.3, a REST Proxy Service converts the native REST payload to SOAP before calling a Pipeline/Split-Join, and a REST Business Service converts SOAP back to the native REST payload, i.e. the internal communication happens using WSDL interfaces only.

In 12.1.3, while creating the REST binding as a Proxy or Business service, check the option as shown below; the other steps remain the same.

We can see that a WSDL and a WADL get created in your project.

wadl

req1

req2

To access the REST resource use a URL like http://localhost:<<OSB Port>>/<<proxy endpoint>>/<<resource name>>, so it will be http://localhost:7003/restDemo/REST1213WayPS/employees

To access the design-time WADL use a URL like http://localhost:<<OSB Port>>/sbresource?WADL/<>/<>, so it will be http://localhost:7003/sbresource?WADL/RESTIn1213way/WSDL/REST1213WayPS

To access the effective WADL use a URL like http://localhost:<<OSB Port>>/sbresource?(PROXY or BIZ)/<<project path>>/<<proxy or biz service name>>, so it will be http://localhost:7003/sbresource?PROXY/RESTIn1213way/ProxyServices/REST1213WayPS

Now in 12.2.1 we have native REST support and there is no need to create a WSDL for internal communication. This native support is broadly classified into the following categories:

  • Un-typed Proxy/Business Service – for which the method information is not available at design time, so no WADL is involved.
  • Typed Proxy/Business Service – for which the method information is available at design time, so a WADL carrying this information is used or created.

The REST binding can be used to create both Proxy and Business services that fall into the above categories. In this post we discuss from the Proxy Service perspective; the same can be followed for Business services.

Creating Typed Proxy Service:

We use the REST binding to create a native REST service. So drag the REST binding from Components to the Proxy Services swim lane, or right click to choose the REST option.

typedbind1

Provide a name for the REST binding and do not select the WSDL interfaces check box, as we are creating native REST services. Click Next.

typed1

Create a new REST resource as shown below.

typedemp

typedemp2

Create a REST method using the following steps by clicking the + icon in Methods.

typedreq

typedresp

typedfinish

Now verify that the WADL file is generated automatically with the method information as defined above. Then create the pipeline using the following steps.

typedpp

typedpp1

typedpp2

typedpp3

Connect the Proxy Service, Pipeline and Business Service as shown below. Use the same Business Service we used earlier.

sboverview

Finish the message flow as shown below.

ppmflow

routing

Deploy and test your project in the Service Bus console. Observe that all media types supported by the REST service are shown in the Accept choice list.

typedtestreq

typedtestresp

Now we will see how to use an existing WADL to create Typed REST services.

Again drag the REST binding from Components to the Proxy Services swim lane, or right click in the swim lane to choose the REST option.

untypedbind1

Provide a name for the REST binding and do not select the WSDL interfaces check box, as we are creating native REST services. Click Next.

typedproxy

Choose REST1213WayPS.wadl. This confirms that WADLs generated by 12.1.3 REST services are supported here. Observe that the REST methods are populated automatically from the selected WADL.

typed

wadlselect

wadloper

Click Finish and verify that a new WADL is generated again for this Proxy Service.

wadl

Now finish the pipeline message flow as above, using the WADL created in the step above.

typedexistingpp

sboverview1

To access the REST resource use the URL http://localhost:7003/restDemo/typedService/typedEmployees

To access the design-time WADL use the URL http://localhost:7003/sbresource?WADL/RESTTypedServices/TypedRestService

To access the effective WADL use the URL http://localhost:7003/sbresource?PROXY/RESTTypedServices/TypedRestService

Observations:

  • A WADL is always created for Typed native REST services when one is not chosen during creation.
  • Nowhere are we able to give the input/output message structure (XML or JSON schema) for REST methods. I think this may be improved in later releases.
  • When a native REST Proxy Service supports multiple content types (XML, JSON), automatic payload conversion (XML to JSON and vice versa) does not happen as we see in WSDL-based REST services. I will try to cover more on this in later posts.
  • The Content-Type HTTP header is used by OSB for content parsing, and we can see it set automatically when a media type is chosen in the test console.
  • The value given for soa:name in the WADL is populated into the $operation context variable in the pipeline.
  • A 12.1.3 WADL is not supported for creating pipelines but can be used to create a Proxy; however, a new WADL will be generated by OSB as we saw above.

Creating Un-typed Proxy Service:

Create a Proxy Service using the following steps. Observe the usage of Transport, and that nowhere do we define a REST resource or methods.

untypedps

untypedps1

untypedps2

untypedps3

Create the pipeline using the following steps and observe that we are not selecting any WADL as we did earlier.

untypepp

untypedpp1

Connect all these pieces as shown below and complete the Message Flow as we did earlier.

sboverview2

Deploy and test your project in the Service Bus console. Observe that all media types are shown in the Media Type choice list, as we have not specified the supported types anywhere. Service Bus uses the Content-Type HTTP header for parsing the payload, and you can see this is set automatically when we choose the media type in the Test Console.

typedtest

untypedtestresp

To access the REST resource use the URL http://localhost:7003/restDemo/untypedService

Observations:

  • No WADL is used during creation of Un-typed native REST services.
  • Again, nowhere are we able to give the input/output message structure (XML or JSON schema) for REST methods.
  • Again, no automatic payload conversion will happen when the REST Proxy supports multiple Content Types.
  • The Content-Type HTTP header is used by OSB for content parsing, and we can see it set automatically when a media type is chosen in the test console.

In the above two sections we created both the Proxy and the Pipeline separately, and we can observe that the WADL is optional for REST-based pipelines. So even Pipelines are classified into Typed and Un-typed depending on the usage of a WADL.

So now the question arises about compatibility between Proxies and Pipelines, as both of them can be Typed or Un-typed. Since Typed is more restrictive, having REST methods, a Typed Proxy will be able to call both Un-typed and Typed pipelines provided they use the same WADL. In the same way, an Un-typed Proxy will be able to call both Un-typed and Typed Pipelines.

The source code used in this post can be downloaded from here; please note that you need to create a DB connection pool with the JNDI name eis/DB/LocalDB to run this project.

Reference:

https://docs.oracle.com/middleware/1221/osb/develop/GUID-C346DF7D-041D-4E10-BE1C-451F50719106.htm#OSBDV89235

12.2.1 OSB JDev Issues

The following information relates to the 12.2.1 release unless stated otherwise.

Issue 1:

OSB projects are being converted to SOA projects after adding an XQuery to the workspace. You can confirm this by looking at the Components window, which shows SOA related components after opening a pipeline.

Fortunately, this issue is already documented in support note 2090174.1 and the solution is to apply patch 22226040. Refer to this post for instructions on applying the patch. Make sure that ORACLE_HOME and MW_HOME point to the right locations when you have multiple middleware homes.

Verify that the patch is successfully applied by issuing opatch lspatches. Restart JDeveloper after clearing the cache (system directory).

If you still see this issue, verify that the TechnologyScopeConfiguration in the .jpr files does not have a SOA entry, similar to below.

<hash n="oracle.ide.model.TechnologyScopeConfiguration">
  <list n="technologyScope">
    <string v="Maven"/>
    <string v="ServiceBusTechnology"/>
    <string v="WSDL"/>
    <string v="WSPolicy"/>
    <string v="XML"/>
  </list>
</hash>

Issue 2:

The first time, JDeveloper gets stuck saying 'Loading Maven…' when opening any existing Service Bus application. To resolve the issue, modify the version to 12.2.1-0-0 in the parent section of the pom files of the Service Bus projects, including the System project. A sample is shown below.

<parent>
  <groupId>com.oracle.servicebus</groupId>
  <artifactId>sbar-project-common</artifactId>
  <version>12.2.1-0-0</version>
</parent>

SSL using KSS

In this post, we will use KSS (Keystore Service) for the SSL setup. The screenshots shown in this post are based on SOA 12.2.1, but these steps remain the same for 12.1.3 as well.

Creating Application Stripe:

ks1

ks2

stripe

Creating KSS Keystore:

kscreate

kssadmin

Creating Keypair:

kssmng

genkeypair

keypair

Oracle recommends a key size greater than or equal to 1024. If we want to get it signed by a CA, we can generate a CSR by clicking Generate CSR, which is recommended for a production environment. But for development purposes we can use this keystore as it is.

keypair1

Clicking on the alias name will bring up the following screen showing the certificate information.

cert

Configuring 1-Way SSL:

Enable the SSL port by navigating to Environment –> Servers –> Admin Server –> General.

sslport

Go to the Keystores tab. Click Change to select Custom Identity and Custom Trust as shown below, and click Save to save the changes.

customkss

Modify the Custom Identity and Trust stores as shown below. Observe the usage of the system trust store kss://system/trust. Oracle recommends this approach to simplify the trusted certificates setup.

customkss2

Go to the SSL tab and give the Private Key Alias as shown below. Here give the password as "password" and click Save. See the related note at the end of this post.

ssl

Go to Advanced settings and set Hostname Verification to None, and also set Two Way Client Cert Behavior to Client Certs Not Required, as we are doing the setup for 1-way SSL. This setting tells the WLS server not to request client certificates.

advc

Restart the server, and now we should be able to access the admin console using an HTTPS URL like https://localhost:7002/console.

Similarly, configure the OSB managed server using the same Keystore, or by creating a new one similar to the above, as shown in the following screenshots. Restart the server after the changes.

osbssl

customkss2

ssl

Enable HTTPS for the OSB proxy service as shown below.

proxyhttps

And now we should be able to access the proxy service WSDL using an HTTPS URL like https://localhost:7008/entity/CustomerService?wsdl

Refer to this post for the 2-way SSL setup and follow the steps below to import the certificate into the trust store.

trust

trust1

importcert

importcert1

Note that KSS does not support certificates in binary format, which is the default encoding used by JKS exports. We can use the -rfc option of the keytool command to export the certificate in printable encoding format as shown below.

keytool -export -keystore .\soakeystore.jks -file cert.cer -alias localsoa -rfc
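The difference between the two encodings can be checked from the file's own bytes. The following is an added example (not from this post) that classifies a certificate file as DER or PEM and re-encodes DER as PEM the way keytool -rfc does, which is useful when a cert.cer exported without -rfc is rejected by the KSS import. A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE whose encoded length covers the whole file, while PEM starts with the BEGIN CERTIFICATE marker and carries the base64 body wrapped at 64 columns. The sample bytes below are constructed (a SEQUENCE of filler, not a real certificate); the function names are my own.

```javascript
// Added example: tell DER from PEM and convert DER to the printable form KSS
// accepts. Not part of keytool or of the post.

const PEM_HEADER = '-----BEGIN CERTIFICATE-----';
const PEM_FOOTER = '-----END CERTIFICATE-----';

// Total length of a DER SEQUENCE (tag + length field + contents), or -1 if the
// bytes do not start with a well-formed SEQUENCE header.
function derSequenceLength(buf) {
  if (buf.length < 2 || buf[0] !== 0x30) return -1;
  const first = buf[1];
  if ((first & 0x80) === 0) return 2 + first;   // short-form length
  const n = first & 0x7f;                       // number of length bytes
  if (n === 0 || n > 4 || buf.length < 2 + n) return -1;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[2 + i];
  return 2 + n + len;
}

// 'PEM', 'DER' or 'unknown'. For DER the declared SEQUENCE length must cover
// exactly the whole input, which rules out truncated or trailing-garbage files.
function detectCertEncoding(bytes) {
  const buf = Buffer.from(bytes);
  const head = buf.subarray(0, PEM_HEADER.length + 16).toString('latin1');
  if (head.trimStart().startsWith(PEM_HEADER)) return 'PEM';
  if (derSequenceLength(buf) === buf.length) return 'DER';
  return 'unknown';
}

// Same transformation as `keytool -export -rfc`: base64 of the DER bytes,
// wrapped at 64 characters, between the BEGIN/END markers.
function derToPem(derBytes) {
  const b64 = Buffer.from(derBytes).toString('base64');
  const lines = b64.match(/.{1,64}/g) || [];
  return [PEM_HEADER, ...lines, PEM_FOOTER].join('\n') + '\n';
}

// Inverse: strip the markers and decode the base64 body.
function pemToDer(pemText) {
  const body = pemText.split(/\r?\n/)
    .filter((line) => line.trim() !== '' && !line.startsWith('-----'))
    .join('');
  return Buffer.from(body, 'base64');
}

// Constructed sample: a DER SEQUENCE with a long-form length (0x81 0x80 = 128)
// and 128 bytes of filler. It has the structure the detector checks but is not
// a real certificate; for a real file use fs.readFileSync('cert.cer').
const SAMPLE_DER = Buffer.concat([Buffer.from([0x30, 0x81, 0x80]), Buffer.alloc(128, 0x00)]);

console.log('sample encoding: ' + detectCertEncoding(SAMPLE_DER));
console.log(derToPem(SAMPLE_DER));
```

The detector is deliberately structural rather than extension-based: keytool writes both encodings to whatever file name is given, so cert.cer says nothing about which form is inside.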

Note:

When no Private Key Passphrase is given in the SSL tab, the EM console is not accessible and the following errors are shown in the log.

em

References:

https://docs.oracle.com/middleware/1212/owsm/OWSMS/configure-owsm-ssl.htm#OWSMS119

https://docs.oracle.com/middleware/1212/idm/JISEC/kssadm.htm#JISEC9596

OWSM 12c–Using WSS10 SAML Policies

In this post we will see the required setup for the WSS10 SAML policies. We will use SOAP UI to demonstrate the client side setup in brief; refer to the previous post for detailed steps to create the Outgoing Configuration on the client side and the keystore setup on the server side.

SAML Issuer Setup:

wsmdomain

samlissuer

wss10_saml_token_service_policy:

Create an Outgoing Configuration with a SAML Token as shown below.

samlconfig

SAML Token:

image_thumb

samlform

Attach the Outgoing Configuration to the request as shown below.

attachsaml

wss10_saml_token_with_message_integrity_service_policy:

This policy requires both the SAML Token and the message body to be digitally signed, hence we need to modify the above SAML token setup to include signing and add a separate Signature setup in the Outgoing Configuration.

SAML Token modification:

Check the Signed attribute and use the client side keystore and private key alias as shown below.

saml1

Add the Signature setup in the Outgoing Configuration as shown below.

samlsign

wss10_saml_token_with_message_protection_service_policy:

This policy requires SAML Token, Timestamp, Signature and Encryption to be set up in the Outgoing Configuration, where the SAML Token, Timestamp and Body are digitally signed and the Body is encrypted.

Timestamp:

tstamp1

tstamp

SAML Token:

  • SAML Version: 1.1
  • Uncheck Signed
  • Assertion Type: Authentication
  • Confirmation Method: Sender Vouches
  • Issuer: www.oracle.com
  • Subject Name: <<username>>
  • Subject Qualifier: leave it blank

saml

saml1

Signature:

sig1

Encryption:

enc1

enc

Note: we should maintain the order Signature then Encryption in the Outgoing Configuration as shown above.

Attach both the Outgoing and Incoming configuration as shown below.

attachsaml

Sample SAML 1.1 Assertion:

<saml1:Assertion AssertionID="_14F9EF7DC64266B61B144285601642823" IssueInstant="2015-09-21T17:20:16.428Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <saml1:Conditions NotBefore="2015-09-21T17:20:16.428Z" NotOnOrAfter="2015-09-21T17:25:16.428Z"/>
   <saml1:AuthenticationStatement AuthenticationInstant="2015-09-21T17:20:16.428Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" xsi:type="saml1:AuthenticationStatementType">
      <saml1:Subject>
         <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml1:NameIdentifier>
         <saml1:SubjectConfirmation>
            <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
         </saml1:SubjectConfirmation>
      </saml1:Subject>
   </saml1:AuthenticationStatement>
</saml1:Assertion>

Notes:

  • With the above setup, the request returned an error response when I used SOAP UI 5.0.0 but worked with SOAP UI 5.2.0. So I would recommend using SOAP UI 5.2.0.
  • Observe that we added Assertion as one of the Parts in the Signature setup. This is the only option that works for the Message Protection policy; it does not work when the signing setup is done in the SAML Token by checking Signed.
  • In SOAP UI, I got the error "Error getting response for […]; null" even with all this setup. The following solution is given here to resolve this issue.

    Replace the existing xmlsec-1.4.5.jar file in the /lib folder with xmlsec-1.5.2.jar.

    Replace the existing wss4j-1.6.16.jar file in the /lib folder with wss4j-1.6.2.jar.

wss10_saml20_token_service_policy:

The required setup is similar to wss10_saml_token_service_policy except that we have to use SAML Token version 2.0 as shown below.

saml2

Sample SAML 2.0 Assertion:

<saml2:Assertion ID="_14F9EF7DC64266B61B144294396204152" IssueInstant="2015-09-22T17:46:02.041Z" Version="2.0" xsi:type="saml2:AssertionType" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <saml2:Issuer>www.oracle.com</saml2:Issuer>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2015-09-22T17:46:02.041Z" NotOnOrAfter="2015-09-22T17:51:02.041Z"/>
   <saml2:AuthnStatement AuthnInstant="2015-09-22T17:46:02.041Z">
      <saml2:AuthnContext>
         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
   </saml2:AuthnStatement>
</saml2:Assertion>

wss10_saml20_token_with_message_protection_service_policy:

The required setup is similar to wss10_saml_token_with_message_protection_service_policy except that we have to use SAML Token version 2.0 and add the following entry in the Parts of the Signature setup. Note the namespace change from the SAML 1.1 entry (urn:oasis:names:tc:SAML:1.0:assertion).

  • Assertion urn:oasis:names:tc:SAML:2.0:assertion

saml2ts

saml2

saml2sig

saml2enc
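As an added example (not part of the original post, and not OWSM or SOAP UI code), the following Python script performs the structural checks a service should make on a sender-vouches message before, and besides, verifying the signature cryptographically: SAML version, confirmation method, the Conditions window against the server clock, and, the point of the Parts setup above, whether the ds:Signature references actually cover the Assertion, the Timestamp and the Body. The envelope is constructed inline with placeholder digest and signature values; reference resolution assumes direct #Id references (the STR-Dereference transform is not resolved) and no real signature verification is done (that needs an XML-DSig library). Those are the example's assumptions.

```python
"""Structural checks on a WS-Security SAML 2.0 sender-vouches message.

Added example: not code from the original post, OWSM or SOAP UI. It checks
what the service must establish before (and besides) cryptographic signature
verification. Assumptions: ds:Reference URIs are direct #Id references (the
STR-Dereference transform is not resolved), and DigestValue/SignatureValue are
not verified here (that needs an XML-DSig library).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
ID_ATTRS = ("ID", "AssertionID", "{%s}Id" % NS["wsu"])  # SAML 2.0, SAML 1.1, wsu:Id


def utc(year, month, day, hour, minute, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_utc(value):
    """xsd:dateTime with a trailing Z, as in the assertion samples above."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def id_index(root):
    """Map every Id-bearing element (wsu:Id, SAML ID/AssertionID) to the element."""
    index = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            if attr in el.attrib:
                index[el.attrib[attr]] = el
    return index


def signed_elements(root):
    """Tags of the elements covered by ds:Reference URIs (direct #id references only)."""
    index = id_index(root)
    covered = set()
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] in index:
            covered.add(index[uri[1:]].tag)
    return covered


def check_sender_vouches(envelope_xml, now, skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the structural checks pass."""
    root = ET.fromstring(envelope_xml)
    problems = []
    assertion = root.find(".//wsse:Security/saml2:Assertion", NS)
    if assertion is None:
        return ["no SAML 2.0 Assertion in the wsse:Security header"]
    if assertion.get("Version") != "2.0":
        problems.append("Assertion Version is not 2.0")
    methods = [sc.get("Method") for sc in assertion.iterfind("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if SENDER_VOUCHES not in methods:
        problems.append("SubjectConfirmation is not sender-vouches")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("Assertion has no usable Conditions window")
    else:
        not_before, not_on_or_after = parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))
        if now + skew < not_before or now - skew >= not_on_or_after:
            problems.append("Assertion Conditions window does not contain current time")
    # sender-vouches: the sender's signature is the only thing binding the assertion to the request
    covered = signed_elements(root)
    for name, tag in (("Assertion", assertion.tag),
                      ("Timestamp", "{%s}Timestamp" % NS["wsu"]),
                      ("Body", "{%s}Body" % NS["soap"])):
        if tag not in covered:
            problems.append("%s is not covered by the message signature" % name)
    return problems


def sample_envelope(sign_assertion=True):
    """Constructed sample (not captured traffic); digest and signature values are placeholders."""
    assertion_ref = '<ds:Reference URI="#_A1"><ds:DigestValue>x</ds:DigestValue></ds:Reference>' if sign_assertion else ""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
  xmlns:ds="{NS['ds']}" xmlns:saml2="{NS['saml2']}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2015-09-22T17:46:02.041Z</wsu:Created><wsu:Expires>2015-09-22T17:51:02.041Z</wsu:Expires></wsu:Timestamp>
  <saml2:Assertion ID="_A1" Version="2.0" IssueInstant="2015-09-22T17:46:02.041Z"><saml2:Issuer>www.oracle.com</saml2:Issuer>
   <saml2:Subject><saml2:NameID>weblogic</saml2:NameID><saml2:SubjectConfirmation Method="{SENDER_VOUCHES}"/></saml2:Subject>
   <saml2:Conditions NotBefore="2015-09-22T17:46:02.041Z" NotOnOrAfter="2015-09-22T17:51:02.041Z"/></saml2:Assertion>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#TS-1"><ds:DigestValue>x</ds:DigestValue></ds:Reference>{assertion_ref}
   <ds:Reference URI="#B-1"><ds:DigestValue>x</ds:DigestValue></ds:Reference></ds:SignedInfo>
   <ds:SignatureValue>x</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="B-1"><ping/></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print(check_sender_vouches(sample_envelope(), utc(2015, 9, 22, 17, 48)))                        # []
    print(check_sender_vouches(sample_envelope(sign_assertion=False), utc(2015, 9, 22, 17, 48)))   # assertion not covered
```

The second call mirrors the failure described in the notes above: an assertion that is present but not listed among the signed Parts passes every other check and is still worthless to the service, because nobody has vouched for it.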

wss10_saml_token_with_message_protection_ski_basic256_service_policy:

The setup is the same as for wss10_saml_token_with_message_protection_service_policy except for the key encryption and signature/encryption algorithms (the Basic256 suite, with AES-256 for the symmetric part) and the key referencing mechanism (SKI, the certificate's Subject Key Identifier, instead of a direct reference), as shown below.

Timestamp:

tstamp

SAML Token:

skitoken

Signature:

skisig

Encryption:

skienc

Note: When we use a 256-bit encryption algorithm in SOAP UI we see the error java.security.InvalidKeyException: Illegal key size or default parameters. Older JDKs (before 8u161) restrict symmetric keys to 128 bits by default. To get rid of this error on such a JDK, copy the unlimited-strength policy files local_policy.jar and US_export_policy.jar into %java_home%/jre/lib/security. From JDK 8u161 and JDK 9 onwards the unlimited policy is the default (crypto.policy=unlimited in java.security) and no policy files are needed. For the older JDKs, the policy files can be downloaded from the following pages depending on the JDK you use.

  • Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6
  • Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7
  • Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8

SOAP UI can use either your existing JDK installation or its bundled JRE; which one is used can be found in <<SOAP UI Install Dir>>\bin\soapui.bat. If SOAP UI uses the bundled JRE then copy the above policy files to <<SOAP UI Install Dir>>\jre\lib\security instead.

You can get the SOAP UI project and keystores used in this post over here.

OWSM 12c–Using Username Message Protection Policy

In this post, I will demonstrate the required steps at both server and client side for the OWSM policy oracle/wss10_username_token_with_message_protection_service_policy. I will use SOAP UI to demonstrate the client side setup.

Server Side

Attach the OWSM policy to the service; here I use an OSB Proxy Service for the demo.

attachpolicy

This OWSM policy needs a key pair (private key plus certificate) on both the server and the client side: the client signs the request with its key and encrypts it to the server's certificate, and the server does the reverse for the response. So create clientkeystore.jks for SOAP UI and osbkeystore.jks for the server using the commands below.

keytool -genkeypair -keyalg RSA -alias localclient -keystore clientkeystore.jks -storepass cljks123 -validity 360 -keysize 2048

keytool -genkeypair -keyalg RSA -alias localosb -keystore osbkeystore.jks -storepass osbjks123 -validity 360 -keysize 2048

Export the public certificate from each keystore using the following commands.

keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

keytool -exportcert -alias localosb -keystore osbkeystore.jks -file localosb.cer

Import each certificate into the other side's keystore as a trusted certificate, so that each side can verify the other's signature and encrypt to the other's certificate.

keytool -importcert -alias localclient -keystore osbkeystore.jks -file localclient.cer

keytool -importcert -alias localosb -keystore clientkeystore.jks -file localosb.cer

Now register the keystore and key passwords in the credential store under the oracle.wsm.security map, using the following steps.

mapcred

mapkey

Create the key keystore-csf-key as below; its password is the keystore password (osbjks123 in this post).

kscsf

Also create the other 2 keys, enc-csf-key and sign-csf-key, in the same way, with the alias localosb as the user name and that key's password as the password.

keys

Now navigate to the WSM Domain Configuration as shown below to set the keystore and keys to be used by OWSM runtime.

wsmdomain

keyset

Client Side

The SOAP UI documentation has detailed information related to ws-security setup here so I will keep my description brief and readers are recommended to go through the given link.

Double click on SOAP UI project where we can specify ws-security setup.

ws-sec

Keystores:

Add clientkeystore.jks in the Keystores tab and give the keystore password as shown below. The Status should show OK, which means SOAP UI could open the keystore with that password.

keystore

Incoming WS-Security configuration:

Since clientkeystore.jks holds both the client's private key (to decrypt the response) and the imported localosb certificate (to verify the response signature), we just have to select this keystore in the Incoming Configuration as shown below.

incoming

Outgoing WS-Security configuration:

Add Outgoing Configuration with name OutConfig as shown below.

outgoing

Now we have to add the configuration for Timestamp, Username Token, Signature and Encryption in detail tabs of Outgoing Configuration as required.

  • Timestamp
    • Give 20000 as the value for Time to live (the timestamp only limits replay if this window is short; keep it as small as the clock skew between SOAP UI and the server allows)
    • Check Millisecond precision

tstamp1

tstamp

  • Username Token
    • Give Username and Password
    • Check Add Nonce and Add Created (these let the server detect a replayed token)
    • Select Password Type as PasswordText (acceptable here only because the Encryption step below encrypts the token)

utoken1

utoken

  • Signature

sig1

sig

  • Encryption

enc1

enc

Note: keep the Signature entry before the Encryption entry in the Outgoing Configuration, as shown above. The request is signed first and then encrypted, which is the order the policy expects; with the entries reversed the server cannot verify the message.
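As an added example, not from the original post nor from OWSM or SOAP UI, here is what the Add Nonce, Add Created and Password Type options amount to on the wire and at the server: the client-side UsernameToken fields for PasswordText and for PasswordDigest (WSS UsernameToken Profile 1.1, Base64(SHA-1(nonce || created || password))), and a verifier that enforces a freshness window on Created and keeps a nonce cache so that a captured token cannot be replayed. The user table, the 300-second window and the 60-second skew are assumptions standing in for the WebLogic realm and the OWSM agent settings.

```python
"""UsernameToken with Nonce and Created: client-side fields and server-side checks.

Added example; not code from the original post, OWSM or SOAP UI. The user
table, the freshness window (ttl) and the clock skew are assumptions.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"


def utc(year, month, day, hour, minute, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def wsu_time(moment):
    """xsd:dateTime in UTC with millisecond precision, as SOAP UI emits it."""
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (moment.microsecond // 1000)


def password_digest(nonce, created, password):
    """Profile 1.1 digest over the raw nonce bytes, the Created string and the password."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_token(username, password, now, use_digest=False, nonce=None):
    """Client side: the fields that end up inside wsse:UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)   # fresh random nonce per request
    created = wsu_time(now)
    token = {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"), "Created": created}
    if use_digest:
        token["Type"], token["Password"] = PASSWORD_DIGEST, password_digest(nonce, created, password)
    else:
        # clear text: only safe when the token is encrypted (message protection) or sent over TLS
        token["Type"], token["Password"] = PASSWORD_TEXT, password
    return token


class UsernameTokenVerifier:
    """Server side: freshness window, replay cache, then the credential check."""

    def __init__(self, users, ttl=timedelta(seconds=300), skew=timedelta(seconds=60)):
        self.users = users          # username -> password; stand-in for the realm (assumption)
        self.ttl, self.skew = ttl, skew
        self.seen = {}              # nonce bytes -> time after which it can be forgotten

    def verify(self, token, now):
        """Return (accepted, reason). Cheap freshness and replay checks run before the credential check."""
        created = datetime.fromisoformat(token["Created"].replace("Z", "+00:00"))
        if created > now + self.skew:
            return False, "Created is in the future"
        if now - created > self.ttl + self.skew:
            return False, "Created is older than the freshness window"
        # nonces older than the window cannot be replayed anyway, so drop them; then reject a repeat
        self.seen = {n: expiry for n, expiry in self.seen.items() if expiry > now}
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = created + self.ttl + self.skew
        expected = self.users.get(token["Username"])
        if expected is None:
            return False, "unknown user"
        if token["Type"] == PASSWORD_DIGEST:
            ok = hmac.compare_digest(token["Password"], password_digest(nonce, token["Created"], expected))
        else:
            ok = hmac.compare_digest(token["Password"], expected)
        return (True, "ok") if ok else (False, "bad password")


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"weblogic": "welcome1"})       # constructed sample user
    t0 = utc(2015, 9, 22, 17, 46)
    token = build_token("weblogic", "welcome1", t0, use_digest=True)
    print(verifier.verify(token, t0))                                 # (True, 'ok')
    print(verifier.verify(token, t0))                                 # (False, 'replayed nonce')
    print(verifier.verify(build_token("weblogic", "welcome1", t0), utc(2015, 9, 22, 17, 56)))  # stale
```

PasswordText is acceptable in this post only because the Encryption step encrypts the UsernameToken; without message protection or TLS it sends the password in clear. Even PasswordDigest is replayable for as long as the server accepts the token, which is why the verifier checks Created and remembers nonces for the whole freshness window.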

Adding Outgoing/Incoming configuration:

addconfig

With all this setup in place, when I executed the request I got the error saying Error getting response for […]; null. The following solution is given in one of the forum posts here. Note that I was using SOAP UI 5.0.0.

Replace the existing xmlsec-1.4.5.jar file in the SOAP UI lib folder (<<SOAP UI Install Dir>>/lib) with xmlsec-1.5.2.jar.

Replace the existing wss4j-1.6.16.jar file in the same folder with wss4j-1.6.2.jar.

Sample Request

request

Sample Response

response

Note: There is another way of attaching the Outgoing Configuration to the request, by right-clicking in the request window as shown below. If you use it, don't select the Format XML option on the right-click menu: reformatting changes the whitespace inside elements that have already been signed, so the digests no longer match and the server reports a digital signature verification failure. So I always recommend the above mentioned way of attaching the Outgoing Configuration.

reqright

reqsig

Similarly, for the OWSM policy oracle/wss_username_token_service_policy the above Username Token setup alone is enough. That policy has no message protection, so the token (including a PasswordText password) travels in clear unless the endpoint is reached over SSL; use it only with transport-level security.

You can get the SOAP UI project and keystores used in this post over here.

SOA 12c – Maven Articles

Using Maven Sync Plugin

Using Maven for SOA Deployment

Using Maven for Service Bus Deployment

Service Bus 12c– Outbound SSL

In the last 2 posts, we saw how to configure Service Bus for 1-way SSL and 2-way SSL. In both scenarios our Service Bus managed server acts as the server, but it also becomes a client when a business service calls an external service over SSL. This post covers that outbound SSL.

1-Way SSL

Before getting into the required OSB setup, enable our SOAP UI mock service to use SSL. Go to File –> Preferences –> SSL Settings and set properties as shown below.

soapuissl

Access your mock service as shown below to confirm that SSL is enabled.

mockssl

Now update the business service endpoint URI with this URL in the Service Bus Console as shown below.

bsendpoint

Now test your business service and observe the following error in the server logs. It occurs because the OSB server trust store does not yet contain the certificate of the SOAP UI mock service, so the server rightly refuses to complete the handshake with an unknown peer.

sslerror

sslbserror

So export the public certificate from the keystore used by the mock service (clientkeystore.jks from the earlier posts) and import it into the OSB trust store (osbkeystore.jks) using the following commands. Import only the certificate you expect: compare its fingerprint with the one shown for the entry in the mock service keystore before answering yes to the trust prompt.

keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

keytool -importcert -alias localclient -keystore osbkeystore.jks -file localclient.cer

Now test your Business Service to see the response as given below.

bstestsucc

2-Way SSL

In the case of 2-way SSL our side acts as the client and has to present its certificate when the server (here the SOAP UI mock service) requests one.

In Service Bus, the Service Key Provider resource is used to retrieve the required PKI credentials, i.e. a private key paired with a certificate. Proxy services use this key pair to authenticate when acting as a client during outbound SSL, i.e. when routing a message to an HTTPS business service or proxy service that requires client certificate authentication. You can find more information in the Service Bus documentation here.

A Service Key Provider retrieves the PKI credentials through a PKI credential mapper, which therefore has to be created first.

PKI Credential Mapper

In the WLS admin console, navigate to Security Realms –> myrealm –> Providers –> Credential Mapping and click New.

pkiprovider1

Give a name, select Type as PKICredentialMapper and click OK.

pkiprovider2

Verify that the new credential mapping provider is created.

pkiprovider4

Now click SSLPKIProvider and navigate to the Provider Specific tab. Enter the keystore (osbkeystore.jks, the OSB managed server's identity keystore) and its pass phrase and click Save. The provider needs only the keystore pass phrase; the private key password is supplied when the Service Key Provider is created below.

pkiprovider3

Service Key Provider

We will directly use the sbconsole to create the Service Key Provider and to make the other required changes to the Business and Proxy Services.

Create an OSB session, select the Service Bus project and choose Service Key Provider from the drop-down menu as shown below.

skp1

Provide the name and click Create.

skp2

The Service Key Provider definition now looks as below. Since we are using it for SSL, click the search icon for SSL Client Authentication Key.

skp4

Choose the key alias (localosb in this series) as shown below and provide its password.

skp5

Click OK to bring up the following screen and save your changes to the Service Key Provider. Activate the Service Bus session.

skp6

Soap UI Settings

Before proceeding with the Proxy and Business Service changes, configure the SOAP UI mock service to request a client certificate.

To do this, navigate to File –> Preferences –> SSL Settings and check Client Authentication as shown below.

soapuiclient

Now test your Proxy Service and observe the following errors in the response tab, the jetty log and the Service Bus logs respectively. This happens because we have not yet imported the OSB server public certificate into clientkeystore.jks (so the mock service cannot validate the client certificate) and have not yet configured our Proxy/Business Service to send it.

soapuibadcert

soapuibadcert1

osberror

Export the OSB server public certificate and import it into clientkeystore.jks using the following commands.

keytool -exportcert -alias localosb -keystore osbkeystore.jks -file osbcert.cer

keytool -importcert -alias localosb -keystore clientkeystore.jks -file osbcert.cer

keystoreimport
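The keytool commands in the Username Message Protection post above and the trust-store imports in this post are one procedure: a key pair on each side, and each side's certificate imported into the other side's keystore as a trusted entry. As an added example (not from the original posts), the script below does that end to end and, before running keytool -importcert -noprompt, compares the SHA-256 fingerprint of the exported certificate file with the fingerprint of the entry in the source keystore, so that an unexpected certificate is never silently trusted. The passwords and aliases are the posts' demo values; the DNs, the working directory and keytool being on the PATH are assumptions. The same trust_cert function, with the source and destination keystores swapped, is the manual import shown just above.

```shell
#!/bin/sh
# Added example (not from the original posts). Builds clientkeystore.jks (SOAP UI) and
# osbkeystore.jks (OSB server), cross-imports each side's certificate as the posts do,
# and checks the SHA-256 fingerprint of every certificate before trusting it.
# Assumptions: keytool on the PATH, demo passwords/aliases from the posts, constructed DNs.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLIENT_PASS=cljks123
OSB_PASS=osbjks123

# gen_keypair KEYSTORE STOREPASS ALIAS CN: 2048-bit RSA key pair with a 360-day self-signed cert
gen_keypair() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 -alias "$3" -dname "CN=$4" \
    -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2"
}

# fingerprint_in_store KEYSTORE STOREPASS ALIAS: SHA-256 fingerprint of the entry's certificate
fingerprint_in_store() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
    | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# fingerprint_of_file CERTFILE: SHA-256 fingerprint of an exported certificate file
fingerprint_of_file() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

# trust_cert SRC_KS SRC_PASS ALIAS DST_KS DST_PASS: export from SRC, confirm the file carries
# the certificate we meant to export, then import it into DST as a trusted certificate
trust_cert() {
  cer="$WORKDIR/$3.cer"
  keytool -exportcert -alias "$3" -keystore "$1" -storepass "$2" -file "$cer"
  expected=$(fingerprint_in_store "$1" "$2" "$3")
  actual=$(fingerprint_of_file "$cer")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "fingerprint mismatch for $3: refusing to trust $cer" >&2
    return 1
  fi
  keytool -importcert -noprompt -alias "$3" -keystore "$4" -storepass "$5" -file "$cer"
}

# entry_type KEYSTORE STOREPASS ALIAS: PrivateKeyEntry or trustedCertEntry
entry_type() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

setup_mutual_trust() {
  cd "$WORKDIR"
  gen_keypair clientkeystore.jks "$CLIENT_PASS" localclient soapui-client
  gen_keypair osbkeystore.jks    "$OSB_PASS"    localosb    osb-server
  # client cert into the server trust store; server cert into the client keystore
  trust_cert clientkeystore.jks "$CLIENT_PASS" localclient osbkeystore.jks    "$OSB_PASS"
  trust_cert osbkeystore.jks    "$OSB_PASS"    localosb    clientkeystore.jks "$CLIENT_PASS"
}

if command -v keytool >/dev/null 2>&1; then
  setup_mutual_trust
  echo "keystores written to $WORKDIR"
else
  echo "keytool not on PATH (add \$JAVA_HOME/bin); nothing generated" >&2
fi
```

Run it with WORKDIR pointing at an empty directory; afterwards keytool -list on osbkeystore.jks shows localclient as a trustedCertEntry and clientkeystore.jks shows localosb the same way, which is exactly the state the two posts reach by hand. Newer JDKs print a warning that JKS is a proprietary format; the posts use JKS throughout, so the script keeps it.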

With this, we are done with the SOAP UI settings and let us proceed  with the changes required for Proxy and Business Services.

Proxy and Business Service changes

Open the business service and navigate to the Transport Detail tab. Select Client Certificate for Authentication as shown below and save the changes.

bsclientcert

Open the proxy service and navigate to the Security –> Security Settings tab. Click the search icon for Service Key Provider.

proxyskp

Click Search, select the one we created earlier as shown below and click OK.

psskp1

The Security tab should now show your selection as below.

psskp2

Remember that you have to create an OSB session before making changes and activate it once your changes are done.

If you test your proxy service now, you should see a successful response as shown below.

success

Please note that the above logs are generated when the following JVM options are set for EXTRA_JAVA_PROPERTIES in the setDomainEnv.cmd file. They make the server log every handshake in detail, so remove them once troubleshooting is over.

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

