
Posts Tagged 'SOA'

Docker Containers for Oracle SOA Suite

In the previous blog, we started with a brief introduction to the Docker platform and saw how to build images and run containers. In this blog, we will see how to set up an Oracle SOA Suite 12.2.1.3 environment in Docker containers using Oracle's official Docker images. The README files shipped with the official images have a lot of information, and one could easily create the Docker images from them, so I just want to collate all this information here for quick reference.

I used an Ubuntu 17.10 (artful) VM with Docker version 17.12.1-ce on a Windows 10 based laptop.

Installation:

Typical steps to be followed to install Oracle SOA Suite 12.2.1.3 on a laptop:

  • Install JRE 8/JDK 8
  • Install the certified database.
  • Install Oracle SOA Suite/BPM Suite/OSB as per requirements.
  • Run RCU to create the required schemas
  • Configure the domain

In the world of docker the above steps translate to the following steps.

  • Build JRE 8 docker image
  • Build Oracle DB docker image
  • Build FMW infrastructure docker image
  • Build SOA Suite docker image
  • Start DB container
  • Start Admin Server container
  • Start Managed Server container

To start with, download the official dockerfiles from https://github.com/oracle/docker-images; we use the docker images related to OracleJava, OracleDatabase, OracleFMWInfrastructure and OracleSOASuite. Each of these folders has the necessary scripts for installation but does not contain the executables. Copy all these folders into the docker-images directory.

Build JRE 8 docker image:

  • Download server-jre-8u161-linux-x64.tar.gz  from link and copy into directory OracleJava/java-8.
  • Navigate to the above directory and run sh build.sh. We will observe the docker image oraclelinux:7-slim getting pulled from docker hub as the docker file contains instruction FROM oraclelinux:7-slim.
  • Once the build is complete we can see a new image available with tag oracle/serverjre:8.

  • Note that the OracleJava folder also has the docker files required to build JRE 9.

Build Oracle DB docker image:

  • Download files linuxamd64_12102_database_1of2.zip and linuxamd64_12102_database_2of2.zip from link and copy into directory OracleDatabase/dockerfiles/12.1.0.2. I used the 12.1.0.2 version, though the latest is 12.2.0.1, because of its smaller size.
  • Navigate to the directory OracleDatabase/dockerfiles and issue the following command. Option -v indicates the db version and the option -e represents Enterprise Edition.

                              sh buildDockerImage.sh -v 12.1.0.2 -e

  • Open OracleDatabase/dockerfiles/12.1.0.2/Dockerfile.ee to check the instructions that get executed during the image build. Observe oraclelinux:7-slim as the base image in this docker file.
  • Once the build is complete we can see a new image available with tag oracle/database:12.1.0.2-ee.

  • Note that the OracleDatabase folder also has the docker files required to build images based on versions 12.2.0.1 and 11.2.0.2 (XE).

Build FMWInfrastructure docker image:

  • Download file fmw_12.2.1.3.0_infrastructure_Disk1_1of1.zip from link and copy into directory OracleFMWInfrastructure/dockerfiles/12.2.1.3.
  • Navigate to the directory OracleFMWInfrastructure/dockerfiles and issue the following command. Option -v indicates the version.

                              sh buildDockerImage.sh -v 12.2.1.3

  • Open OracleFMWInfrastructure/dockerfiles/12.2.1.3/Dockerfile to check the instructions that get executed during the image build. Observe that oracle/serverjre:8 is the base image and this is the exact reason why we built jre image first.
  • Once the build is complete we can see a new image available with tag oracle/fmw-infrastructure:12.2.1.3.

  • Note that the OracleFMWInfrastructure folder also has the docker files required to build images based on version 12.2.1.2.

Build SOA Suite docker image:

  • Download files fmw_12.2.1.3.0_soa.jar and fmw_12.2.1.3.0_osb.jar from link and copy into directory OracleSOASuite/dockerfiles/12.2.1.3. Note that these installers are not quick start installers.
  • Navigate to the directory OracleSOASuite/dockerfiles and issue the following command. Option -v indicates the version.

                            sh buildDockerImage.sh -v 12.2.1.3

  • Open OracleSOASuite/dockerfiles/12.2.1.3/Dockerfile to check the instructions that get executed during the image build. Observe that oracle/fmw-infrastructure:12.2.1.3 is the base image and this is the exact reason why we built that image first.
  • Once the build is complete we can see a new image available with tag localhost/oracle/soasuite:12.2.1.3.

  • Note that the OracleSOASuite folder also has the docker files required to build images based on version 12.2.1.2.

By creating docker images for DB and SOA Suite, we are done with the installation but have yet to configure the DB instance, run RCU and configure the SOA/OSB domain. Note that the image oracle/fmw-infrastructure has one pre-configured domain named base_domain.

We use docker-compose tool to create containers based on the above images. A sample yaml file docker-compose.yml is located in OracleSOASuite/samples directory.

Prerequisite:

  • Edit ../setenv.sh, set or modify the required env variables, and run source ../setenv.sh. At minimum, we need to set DC_ORCL_SYSPWD, DC_ADMIN_PWD and DC_RCU_SCHPWD. Note that I had to set DC_HOSTNAME to an IP address like 172.18.0.1 instead of the hostname or localhost. Do this as the first step before starting up any of the containers below.

Start DB container:

  • The docker-compose.yml file defines a service named soadb that can be used to create DB container. Modify this entry as below:

          soadb:
            image: oracle/database:12.1.0.2-ee
            ports:
              - "${DC_ORCL_PORT}:1521"
              - "${DC_ORCL_OEM_PORT}:5500"
            environment:
              - ORACLE_SID=${DC_ORCL_SID}
              - ORACLE_PDB=${DC_ORCL_PDB}
              - ORACLE_PWD=${DC_ORCL_SYSPWD}
            container_name: soadb
            volumes:
              - ${DC_ORCL_DBDATA}:/opt/oracle/oradata

  • Use command docker-compose up -d soadb to start the db container.

  • When the DB container starts for the first time, it configures the DB instance and TNS listener and creates some dummy password for the SYS user. The logs can be seen using command docker logs -f soadb.

  • Execute docker exec <<container id>> /opt/oracle/setPassword.sh <<pwd>> to reset password for SYS user. Make sure that DB container is running before executing this command. The location of this script file can be derived from the instructions found in OracleDatabase/dockerfiles/12.1.0.2/Dockerfile.ee.
  • After the first time, to restart the container we can use either of the below commands. Make sure to run source ../setenv.sh always before using docker-compose commands.

docker-compose up -d soadb

docker start <<container id>>

  • Connect to db using command sqlplus sys/fusion@//172.18.0.1:1521/soadb as sysdba to make sure that DB is up and running.

  • Command docker stop can be used to stop the container.
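A pre-flight check for the prerequisite above, as an added example (not part of the original post or of Oracle's docker-images repository): docker-compose substitutes a blank string, with only a warning, for any ${DC_...} variable that was not exported, and setenv.sh holds the three passwords in clear text. The function names and the values exported in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run before "docker-compose up -d soadb".
# Not Oracle's script; function names are hypothetical.

# List every ${NAME} that a compose file interpolates (comment lines skipped).
compose_vars() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -o '[$][{][A-Za-z_][A-Za-z0-9_]*' \
        | sed 's/^[$][{]//' \
        | sort -u
}

# Of those names, print the ones that are not exported with a non-empty value.
# docker-compose reads them from its process environment, so a variable that
# was set but never exported counts as missing. (A .env file is not consulted.)
missing_compose_vars() {
    for name in $(compose_vars "$1"); do
        env | grep -q "^${name}=." || printf '%s\n' "$name"
    done
}

# Succeeds when a file holding passwords is readable by group or others.
is_exposed() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Run both checks; return non-zero if anything needs fixing.
# Usage: preflight docker-compose.yml ../setenv.sh && docker-compose up -d soadb
preflight() {
    compose_file=$1 env_file=$2 status=0
    missing=$(missing_compose_vars "$compose_file")
    if [ -n "$missing" ]; then
        echo "unset or empty (did you source $env_file?):" $missing >&2
        status=1
    fi
    if is_exposed "$env_file"; then
        echo "$env_file is readable by group/others; chmod 600 it" >&2
        status=1
    fi
    return $status
}

# Constructed sample: the soadb service from this post, checked in a subshell
# where four variables are exported, DC_ORCL_SYSPWD is exported but empty and
# DC_ORCL_DBDATA is unset. Prints the names preflight would complain about.
demo() (
    dir=$(mktemp -d) || exit 1
    cat > "$dir/docker-compose.yml" <<'EOF'
soadb:
  image: oracle/database:12.1.0.2-ee
  ports:
    - "${DC_ORCL_PORT}:1521"
    - "${DC_ORCL_OEM_PORT}:5500"
  environment:
    - ORACLE_SID=${DC_ORCL_SID}
    - ORACLE_PDB=${DC_ORCL_PDB}
    - ORACLE_PWD=${DC_ORCL_SYSPWD}
  container_name: soadb
  volumes:
    - ${DC_ORCL_DBDATA}:/opt/oracle/oradata
EOF
    unset DC_ORCL_DBDATA
    export DC_ORCL_PORT=1521 DC_ORCL_OEM_PORT=5500      # constructed values
    export DC_ORCL_SID=soadb DC_ORCL_PDB=soapdb DC_ORCL_SYSPWD=
    missing_compose_vars "$dir/docker-compose.yml"
    rm -rf "$dir"
)

demo
```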

Start Admin Server container:

  • docker-compose.yml file has soaas as one of the services which can be used to create the container. Use command docker-compose up -d soaas to start the admin server container.
  • When the admin server container starts for the first time, it runs RCU to create the required schemas by connecting to the db container and also configures a new domain. The logs can be seen using command docker logs -f soaas.

  • After the first time, to restart the container we can use either of the below commands. Make sure to run source ../setenv.sh always before using docker-compose commands.

docker-compose up -d soaas

docker start <<container id>>

  • Verify you are able to access admin console using http://localhost:7001/console and observe that AdminServer is up and running. The password for admin console will be the value given for DC_ADMIN_PWD in setenv.sh.
  • In data sources, observe that prefix SOA01 is used for SOAINFRA, MDS and others which is the value given for DC_RCU_SOAPFX in setenv.sh.
  • Command docker stop can be used to stop the container.

Start Managed Server container:

Note that I had to use a minimum of 6 GB RAM for my Ubuntu VM to bring up the DB, Admin and managed server containers.

  • docker-compose.yml file has soams as one of the services which can be used to create the container. Use command docker-compose up -d soams to start the managed server container.

  • The logs generated in managed server container can be seen using command docker logs -f soams.

  • After the first time, to restart the container we can use either of the below commands. Make sure to run source ../setenv.sh always before using docker-compose commands

docker-compose up -d soams

docker start <<container id>>

  • Access admin console using http://localhost:7001/console and observe that soa_server1 is up and running and also we can see a soa_cluster configured.
  • Command docker stop can be used to stop the container.

Observations:

  • If we want to access the admin console from host OS, we need to configure the port forwarding rules for the VM as shown below.

  • When we are installing DB or SOA Suite on a laptop, the installation wizard guides us through the steps, which makes life easier. But when we want to use docker files to build images, we need to come up with scripts for the installation and configuration. Typically a developer may not have this much acquaintance with these kinds of installation scripts, and I feel admin help is required. I hope Oracle keeps updating their github repository with newer docker files and scripts whenever a new release is available.
  • I feel debugging containers is difficult and I need to look more into this aspect. Initially, when I created the VM I used 3 GB RAM, and with this RAM I was able to bring up the DB and Admin server containers. But when I started the managed server it got stuck, and docker logs also did not help me to identify this issue. It was a complete guess by me and I increased the RAM to 6 GB, which made things smoother.
  • The docker files use the yum tool, which is not available in Ubuntu; that means we may need to come up with different docker files for different Linux distributions and for Windows OS.
  • The Oracle official docker images for Java, DB and FMW Infrastructure have oraclelinux as the base image. Does that mean Oracle does not support other Linux distributions like Ubuntu etc.? I need to check on this and I welcome readers to let me know if anyone has information on this.

Human Workflow Participant Types Behavior

Recently I got a chance to work on one of the interesting assignments where I had explored BPM APIs, mainly Human workflow related. I want to share my learning in this blog through a series of articles. This article assumes the basic terminology associated with Human workflow, otherwise one can read the documentation here.

The main focus of this article is to present how notifications will be sent and how many approvals are required for the different participant types Single, Parallel, Serial and FYI. I used business rules with Named User, Application Role, Approval Group and Hierarchies (Supervisor/Job/Position) and used the 12.2.1.2 version for demonstration. Please note that you should have BPM (not just SOA Suite) installed to try a few of the assignment types described here.

| Assignment Type | Participant Type | Behavior |
|---|---|---|
| Named User (Note that, multiple assignment users can be given for value based setup too.) | Single | Notifications will be sent at same time to all the users derived in rule evaluation. Only one approval is enough for completion. A user may have to claim before providing approval. |
| Named User | Parallel | Notifications will be sent at same time to all the users derived in rule evaluation. The number of approvals for completion depends on the voting percentage. |
| Named User | Chain/Serial | Notifications will be sent at same time to all the users derived in rule evaluation as there is no serial relationship defined among users. Approvals from all assignees are required for completion. |
| Named User | FYI | Notifications will be sent at same time to all the users derived in rule evaluation and no approval is required. |
| Application Role | Single, Parallel, Chain/Serial | Notifications will be sent at same time to all the users having the application role used in rules. Only one approval is enough for completion. A user may have to claim before providing approval. |
| Application Role | FYI | Notifications will be sent at same time to all the users having the application role used in rules and no approval is required. |
| Approval Group | Single | Notifications will be sent at same time to all the users of approval group. Only one approval is enough for completion. A user may have to claim before providing approval. |
| Approval Group | Parallel | Notifications will be sent at same time to all the users of approval group. The number of approvals for completion depends on the voting percentage. |
| Approval Group | Chain/Serial | Notification will be sent in sequential manner as setup in approval groups i.e. if approval group has user1 and user2 first notification will be sent to user1 and then to user 2. Approvals from all assignees are required for completion. |
| Approval Group | FYI | Notifications will be sent at same time to all the users of approval group and no approval is required. |
| Supervisor Hierarchy, Position Hierarchy, Job Hierarchy | Single | Notifications will be sent at same time to users part of hierarchy used in rules. Only one approval is enough for completion. A user may have to claim before providing approval. |
| Supervisor Hierarchy, Position Hierarchy, Job Hierarchy | Parallel | Notifications will be sent at same time to users part of hierarchy used in rules. The number of approvals for completion depends on the voting percentage. |
| Supervisor Hierarchy, Position Hierarchy, Job Hierarchy | Chain/Serial | Notification will be sent in sequential manner as setup in hierarchy i.e. if hierarchy is user1 and user2 first notification will be sent to user1 and then to user 2. Approvals from all assignees are required for completion. |
| Supervisor Hierarchy, Position Hierarchy, Job Hierarchy | FYI | Notifications will be sent at same time to users part of hierarchy and no approval is required. |

Observations:

  • The behavior of the single participant type is the same irrespective of assignment type (user, role etc.), i.e. only one approval is required for completion. To verify this, do multiple user assignment for the single participant type, run the human workflow and query the WFTASK table. Here we can observe that the ASSIGNEES column has all these users with ‘,’ as separator.
  • The behavior of using application role is same irrespective of participant type i.e. only one user can provide the approval having that application role.
  • To get Chain/Serial behavior we should always go for approval groups or hierarchies. In all other scenarios the serial participant behavior is same as parallel with 100% voting.

Installing Cloud Adapters

When JDeveloper 12.1.3 is installed, the Salesforce adapter is shown and available by default, but the other cloud adapters like Sales Cloud, RightNow, HCM Cloud etc. will not be available. In this post, I will show how to install these adapters through patches provided by Oracle.

These integration adapters can be downloaded from here and available on top of 12.1.3.0.1 (BP1). Do download Oracle Cloud Adapters 12.1.3.0.1.

Installation:

  • Install Oracle SOA 12.1.3 using quick installer.
  • Apply p19707784 using OPatch  to bring it to BP1. Refer to this post for additional help on OPatch utility.
  • Unzip the above download and observe the following patches available.

patch

  • Apply p20680367* and p20780464* in same middleware home.
  • Create JDeveloper shortcut from below location and open to observe the cloud adapters Eloqua Adapter, Oracle HCM Cloud, Oracle RightNow and Oracle Sales Cloud available in Cloud section. You will get to see this section when you create new SOA or Service Bus Application.
       MW_HOME/jdeveloper/jdeveloper.exe

cloud

  • If you are not seeing these adapters, add the -clean** option as shown below in your desktop shortcut and re-open JDeveloper.

MW_HOME\jdeveloper\jdeveloper.exe -clean

* Always read the patch README files and follow the available instructions.

** I thank my colleague who helped me by providing this workaround.

SOA 12c – Maven Articles

Using Maven Sync Plugin

Using Maven for SOA Deployment

Using Maven for Service Bus Deployment

SOA 12c – ESS Articles

Creating ESS Job metadata using EM Console

Creating ESS Job metadata using JDeveloper

Creating ESS Schedule metadata

Creating ESS Incompatibility metadata

Creating ESS Job Sets metadata

Retry functionality in ESS Jobs

Creating Async ESS Job Definition

Using Schedule Job activity in BPEL

SOA 12c – Creating ESS Async Job Definition

In the post, we have seen creating ESS Job Definition using synchronous web service. Now, we will look at creating Job Definition using  Asynchronous BPEL web service having 5 min Wait activity to simulate the delayed response.

We will also take a look at other changes required for deployment when new job definition is created in existing ESS application in new package structure.

Create Async Job Definition with help of following screenshots. Make sure that you always use the concrete WSDL.

asyncbpeljob

projexplore

tab

selectwsdl

selectwsdl1

asyncws

asyncws1

You need to modify MAR profile to include the new job definition and also adf-config.xml file to include the valid namespace as shown below.

marchanges

adfconfig

Now deploy ESS application and submit a new request using this job definition. You would observe that ESS job status is in Running state but waiting for the response from BPEL web service as shown below.

waitjob

Once ESS job receives the response from asynchronous BPEL web service the job will be finished and shows status as Succeeded as shown below.

aftersuccess

You will see the similar behavior as above even when you use ADF BC service.

SOA 12c–Creating ESS Job Set metadata

Often, we may have to run multiple jobs to finish some functional process. ESS lets you do this using Job Set where we can add multiple jobs as steps in the metadata and submit them as single unit. We can also specify the relationship among these steps either as Serial or Parallel.

Job Set also allows another Job Set to be included, so that a parallel Job Set can have a Serial Job Set and vice versa, and more complex Job Sets can be created.

To create Job Set, select File –> New –> Enterprise Scheduler Metadata –> Job Set.

jobsetnew

Give a meaningful name and use the same package as used in previous post.

jobsetnew1

Click OK and you can observe new Job Set shown in Project Explorer and a new tab is opened.

explrjobset

jobsetsteps

Let us create Serial Job Set at first. Click + in the Job Set Steps option to add jobs. We can also specify any System Application properties at each step using the respective tabs shown below.

step1

Now your Job Set Steps visual diagram look like below. After the execution, each job step can assume any of the statuses Success, Warning and Error represented by icons in below screenshot. Here, you can define relationship of steps with other steps based on the status. So the following diagram depicts that Job Set execution to stop on occurrence of Error or Warning and proceed to next step (if any) on Success.

step1graphic

Similarly add another step as shown below.

step2

step2graphic

Now modify the relationships of Step1 as shown below.

step1and2

Now save your changes and deploy to ESS server using the steps mentioned in previous post.

To view the newly created Job Set in EM console, navigate to ESSAPP –> Job Metadata–> Job Sets and do search for EssNativeHostingApp as shown below.

emjobsetview

Navigate to ESSAPP –> Job Requests –> Submit Job Request and submit Job Set as shown below.

submitjobset

submitjobset1

Run this Job Set when the service is down so that we can see its behavior when an error occurs during execution. Observe that both of the steps resulted in an error as shown below.

jobsetstatus

And Search Job Requests page shows these requests as below where each step is executed as child request and we can also observe the serial execution by looking at Processing Start Time and Run Time.

jobstatus1

Now modify Step1 to Stop on occurrence of error. Now save your changes and deploy your application to ESS server.

step1stop

Submit request using this Job Set and observe the Job Status as shown below. Now you can clearly observe that only Step1 has been executed because of the above changes.

step1stop1

step1stop2

Now bring up service and submit the Job Set to observe both of the steps are successful.

stepsuccess

By default, each step status does determine the terminal state of Job Set. To override this behavior you can define the system property SYS_selectState at step level as shown below and set value to false.

sysprop1

sysprop2

ss

parallel1

parallel2

parallel3

parallel1step1

parallel1step2

parallel4

In Parallel job set, all steps execution will start at same time hence we can’t define relationships among steps based on step execution status similar to Serial job set. However, you can still define the step level system parameter SYS_selectState to override default behavior.

Now save changes and deploy application to ESS server. Submit a request using this new Job Set and observe the parallel runtime behavior as shown below.

jobsetparallel

parallestatus

You can find more information about Job Sets in ESS documentation here and sample project used in this blog can be downloaded from here.

Using EM Console to Create Job Set

We can also create a Job Set in EM console as shown below and the steps look similar to above.

emjobset

emcreate1

emcreate2

emcreatestep

emcreate3

SOA 12c–Creating ESS Incompatibility metadata

We often come across following restrictions when we use ESS jobs because of data corruption issue or for some other functional reason.

  • Only single instance of Job definition should run at particular time.
  • Some jobs should not be run during the run of other jobs irrespective of parameters.
  • Some jobs should not be run during the run of other jobs when acting on same object i.e. having same value for a particular parameter.

In ESS, all of above requirements are addressed by using Incompatibility definition. The first requirement is addressed by using Self Incompatible option. Second and third requirements are addressed by using Global and Domain type incompatibility definitions. In this blog post, we will learn how to create Incompatibility catering to above requirements.

To create Incompatibility metadata, select File –> New –> Enterprise Scheduler Metadata –> Incompatibility.

incomp

Give a meaningful name and use the same package as used in previous post. Here we are creating Global type.

incompdef

Click OK and you can observe the new Incompatibility file shown in the project explorer and a new tab is opened.

projexpl

incomptab

Click + icon in Entities section to start adding the jobs.

joblist

Select the required jobs and click OK. If we try to save, we will get an error as shown below. An Incompatibility definition mandates us to select the Self Incompatible option when we are adding just a single job (entity).

error

To set this option, double click job in Entities section and choose the option as shown below and click OK. This would make ESS request processor run only single instance of this job at a particular time.

selfincomp

Now save your changes and deploy to ESS server using the steps mentioned in previous post.

To view newly created Incompatibility in EM console, navigate to ESSAPP –> Job Metadata–> Incompatibilities and do search for EssNativeHostingApp as shown below.

deployedincomp

To verify the effect of incompatibility, let us submit 2 instances of the same job and schedule them to run at same time as shown below.

submitted

On the scheduled time, we can observe that one of the requests is blocked as shown below because of our incompatibility definition.

blocked

Once the job with request id 205 is completed, 206 will be kick started by request processor which is evident from the start times shown in the below screenshot.

starttime

If you want to make 2 jobs incompatible with each other, add the other job in the incompatibility definition as shown below.

secondjob

secondjob1

Similar to above, you can observe the same blocked behavior for these 2 jobs in following screenshots when submitted in EM console at the same scheduled time.

schedule2jobs

sucess2jobs

Domain type Incompatibility

You can create incompatibility definition of Domain type using the following screenshots.

domainincomp

domainincomp1

Double click on each job in Entities section to select the property to be used for defining the incompatibility. Note that, we can have different property names to define the incompatibility definition.

1stjobprop

2ndprop

Now your incompatibility definition should look like below.

2ndincomp

Now deploy your ESS project to verify effect of new incompatibility definition. Note that you have to remove SecondOSBJob from previous incompatibility definition before deployment as that is of Global type and is necessary to see effect of this domain type incompatibility which is based on properties.

When different values are used for the parameters, you can observe that both jobs start execution at the same time, which is evident from the date values shown below.

sametime

When the same values are used for the parameters, you can observe that one of the requests is blocked, which is evident from the following screenshots.

samevalues

samevalues1

Using EM Console to Create Incompatibility

We can also create an Incompatibility in EM console as shown below, and the steps look similar to above.

emincomp

emincompcreate

createincomp

entitylist

selfincompem

defn

You can find more information in the documentation here and sample project used in this blog can be downloaded from here.

SOA 12c–Creating ESS Schedule metadata

The real strength of ESS comes from the ability of scheduling a job which is a common use case. ESS provides Schedule as the job metadata to enable the user to schedule job either based on recurrence or on explicit dates. In this post, we will see how to create this Schedule metadata and use it for our ESS job created in the previous post.

To create Schedule metadata, select File –> New –> Enterprise Scheduler Metadata –> Schedule.

newsch1

Give a meaningful name for the schedule and use the same package as used in previous post.

newsch2

Click OK and you can observe the new schedule in project explorer.

schprojexplore

Let us define a schedule so that ESS job runs for every 2 min thrice considering Start and End dates as shown below. You can also give explicit dates to be included regardless of recurring settings in the respective section. Observe that we are not specifying any ESS job while defining the schedule which enables the reuse of schedule and can be used for any ESS jobs.

newsch3

Now save your changes and deploy to ESS server using the steps mentioned in previous post.

To view the newly created Schedule in EM console, navigate to ESSAPP –> Job Requests –> Define Schedule and do search for EssNativeHostingApp as shown below.

emnewsch3

You can also set the recurrence settings using Every field for seconds, Hours, Days, Weeks etc.. as shown below.

recurr

And appropriate selection of days, weeks etc.. will be enabled based on the selected frequency as shown below.

recurr1

Navigate to ESSAPP –> Job Requests –> Submit Job Request and select the job definition as shown below. Go to Schedule section and click search icon for Use existing schedule.

jobsubmission

Select the appropriate schedule and click OK.

selectschedule

schsubmission2

To see submitted requests, navigate to ESSAPP->Job Requests –> Search Job Requests and do search for this job.

searchjobreq

In the above screenshot, you can observe 3 requests (used 3 as the count in Schedule) have been submitted as child jobs. Click on Parent ID and Request ID to see more information on these job requests.

parentreq

childreq

Using EM Console to Create Schedule

We can also create a schedule using EM console directly as shown below.

emnewsch

emnewsch1

emnewsch2

emnewsch3

Service Bus 12c– Outbound SSL

In the last 2 posts, we have seen how to configure Service Bus to use 1-Way SSL and 2-Way SSL. In both of these scenarios, our Service Bus managed server is acting as the server, but it can also become a client when talking to external services through Business Services that have SSL enabled. So we will discuss Outbound SSL in this post.

1-Way SSL

Before getting into the required OSB setup, enable our SOAP UI mock service to use SSL. Go to File –> Preferences –> SSL Settings and set properties as shown below.

soapuissl

Access your mock service as shown below to confirm that SSL is enabled.

mockssl

Now update the business service endpoint URI with this URL in the Service Bus Console as shown below.

bsendpoint

Now test your business service and you can observe following error in server logs. This is because you have not yet updated the OSB server trust store with the certificate of SOAP UI mock service.

sslerror

sslbserror

So now export the Public Certificate from the keystore used for mock service and import into OSB trust store using following commands.

keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

keytool -importcert -alias localclient -keystore osbkeystore.jks -file localclient.cer

Now test your Business Service to see the response as given below.

bstestsucc

2-Way SSL

In case of 2-way SSL, our Proxy Service acts as the client and needs to send the corresponding Public Certificate when the server (in our case, the SOAP UI Mock Service) requests it.

In Service Bus, the resource Service Key Provider is used to retrieve the required PKI credentials that  includes Private key paired with a certificate. Proxy services use this key-pair to authenticate when acting as a client during an outbound SSL i.e. during routing a message to HTTPS business service or proxy service requiring Client Certificate authentication. You can find more information in Service Bus documentation here.

Service Key Provider makes use of PKI credential mapper  to retrieve the PKI credentials which has to be created first.

PKI Credential Mapper

In WLS admin console, navigate to Security Realms –> myrealm –> Providers –> Credential Mapping. Click New.

pkiprovider1_thumb2_thumb_thumb_thum

Give name and select Type as PKICredentialMapper and Click OK.

pkiprovider2_thumb2_thumb_thumb_thum

Verify that new credential mapping provider is created.

pkiprovider4_thumb3_thumb_thumb_thum

Now click SSLPKIProvider and navigate to Provider Specific tab. Mention the Keystore and Pass Phrase specific to OSB managed server and click Save.

pkiprovider3_thumb3_thumb_thumb_thum

Service Key Provider

We will directly use the sbconsole for creating the Service Key Provider and to make other required changes for Business and Proxy Services.

Create a OSB session and select Service Key Provider from drop down menu as shown below once you select the Service Bus Project.

skp1_thumb[2]

Provide the name and click Create.

skp2_thumb[2]

Now the Service Provider Definition looks like below. Since we are using this for SSL purposes, click the search icon for SSL Client Authentication Key.

skp4_thumb[3]

Choose the Key Alias as shown below and provide the password.

skp5_thumb[3]

Click OK to bring up following screen and Save your changes done for Service Key Provider. Do activate Service Bus session.

skp6_thumb[3]

Soap UI Settings

Before proceeding with Proxy and Business service changes, you have to enable the SOAP UI mock service to request for Client Certificate.

To do this, navigate to File –> Preferences –> SSL Settings and choose Client Authentication as shown below.

soapuiclient_thumb[2]

Now test your Proxy Service to observe the following errors in response tab, jetty log and Service Bus logs respectively. This happens as we have not yet imported OSB server Public Certificate into clientkeystore.jks and also did not configure our Proxy/Business Service to send the client Certificate.

soapuibadcert_thumb[2]

soapuibadcert1_thumb[2]

osberror_thumb[2]

Export OSB server public certificate and import into clientkeystore.jks using following commands.

keytool -exportcert -alias localosb -keystore osbkeystore.jks -file osbcert.cer

keytool -importcert -alias localosb -keystore clientkeystore.jks -file osbcert.cer

keystoreimport_thumb[2]

With this, we are done with the SOAP UI settings and let us proceed  with the changes required for Proxy and Business Services.
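A check worth running after each of the keytool imports in this post (localclient into osbkeystore.jks for 1-way SSL, localosb into clientkeystore.jks for 2-way SSL): the alias should be a certificate-only entry whose SHA-256 fingerprint matches the exported file. This is an added example, not from the original post; it assumes keytool is on PATH, and the function names, sample listings and fingerprint are constructed.

```shell
#!/bin/sh
# Added example: confirm what a "keytool -importcert" actually put in a store.
# Function names are hypothetical; sample data below is constructed.

# Read "keytool -list -v" or "keytool -printcert" output on stdin and print
# the SHA-256 fingerprint as bare uppercase hex (first certificate only).
sha256_of() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 \
        | tr -d ': \r' | tr 'a-f' 'A-F'
}

# Read "keytool -list -v -alias NAME" output on stdin and print the entry type:
# trustedCertEntry for a bare certificate, PrivateKeyEntry for a key pair.
entry_type_of() {
    sed -n 's/^Entry type:[[:space:]]*//p' | head -n 1 | tr -d '\r'
}

# True only if the listing ($1) describes a certificate-only entry whose
# fingerprint equals the expected bare-hex value ($2).
is_expected_trust_entry() {
    [ "$(printf '%s\n' "$1" | entry_type_of)" = "trustedCertEntry" ] &&
    [ "$(printf '%s\n' "$1" | sha256_of)" = "$2" ]
}

# Live check against real files; keytool prompts for the store password.
#   verify_import osbkeystore.jks    localclient localclient.cer   # 1-way SSL
#   verify_import clientkeystore.jks localosb    osbcert.cer       # 2-way SSL
# Returns 0 on match, 1 on mismatch, 2 if keytool could not read its input.
verify_import() {
    keystore=$1 alias=$2 cert_file=$3
    expected=$(keytool -printcert -file "$cert_file" | sha256_of)
    [ -n "$expected" ] || return 2
    listing=$(keytool -list -v -alias "$alias" -keystore "$keystore") || return 2
    is_expected_trust_entry "$listing" "$expected"
}

# --- constructed sample data, shaped like keytool -list -v output ---
SAMPLE_FP=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF

sample_trusted_listing() {
    cat <<'EOF'
Alias name: localclient
Creation date: Mar 1, 2018
Entry type: trustedCertEntry

Owner: CN=localhost
Issuer: CN=localhost
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}

# Same certificate, but the alias also carries a private key: this is what a
# store looks like when a whole key entry was copied instead of a certificate.
sample_keypair_listing() {
    cat <<'EOF'
Alias name: localosb
Creation date: Mar 1, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost
Issuer: CN=localhost
Certificate fingerprints:
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
}

is_expected_trust_entry "$(sample_trusted_listing)" "$SAMPLE_FP" \
    && echo "localclient: certificate-only entry, fingerprint matches"
is_expected_trust_entry "$(sample_keypair_listing)" "$SAMPLE_FP" \
    || echo "localosb: rejected, entry carries a private key"
```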

Proxy and Business Service changes

Open business service and navigate to Transport Detail tab. Select Client Certificate as shown below for Authentication and save changes.

bsclientcert_thumb[3]

Open proxy service and navigate to Security –> Security Settings tab. Click search icon for Service Key Provider.

proxyskp_thumb[3]

Click Search and select the one that we have created earlier as shown below and click OK.

psskp1_thumb[3]

Now Security tab should show your selection as below.

psskp2_thumb[2]

Remember that you have to create OSB session before making changes and need to activate it once your changes are done.

You should see successful response as shown below, if you test your proxy service now.

success_thumb[3]

Please note that above logs are generated when following JVM options are set in setDomainEnv.cmd file for EXTRA_JAVA_PROPERTIES.

           -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

