Hands-On Workshop
Lab 7
Adding Message Security using Fusion Middleware
Policy Manager
Lab 1
Because of its nature (loosely coupled connections) and its use of open access (mainly
HTTP), SOA implemented with Web services adds a new set of requirements to the
security landscape. Web services security includes several aspects:
Authentication: Verifying that the user is who she claims to be. A user's identity
is verified based on the credentials presented by that user.
Authorization (or Access Control): Granting access to specific resources based
on an authenticated user's entitlements. Entitlements are defined by one or several
attributes. An attribute is a property or characteristic of a user; for example, if
"Marc" is the user, "conference speaker" is the attribute.
Confidentiality, privacy: Keeping information secret. Accessing a message, for
example a web service request or an email, as well as the identity of the sending
and receiving parties, in a confidential manner. Confidentiality and privacy can be
achieved by encrypting the content of a message and obfuscating the sending and
receiving parties' identities.
Integrity, non-repudiation: Making sure that a message remains unaltered
during transit by having the sender digitally sign the message. The recipient
validates the digital signature, which also provides non-repudiation. The timestamp in
the signature prevents anyone from replaying the message after it expires.
Oracle Web Services Manager (WSM) provides a policy framework to manage and
secure Web services consistently across your organization. Oracle WSM can be used by
developers at design time, and system administrators in production environments.
The policy framework is built using the WS-Policy standard. Policies describe the
capabilities and requirements of a Web service such as whether and how a message must
be secured, whether and how a message must be delivered reliably, and so on.
Oracle Fusion Middleware 11g Release 1 (11.1.1) supports the following types of
policies:
WS-ReliableMessaging: Reliable messaging policies that implement the
WS-ReliableMessaging standard, which describes a wire-level protocol that allows
guaranteed delivery of SOAP messages and can maintain the order of the sequence
in which a set of messages is delivered.
Management: Management policies that log request, response, and fault
messages to a message log. Management policies may include custom policies.
WS-Addressing: WS-Addressing policies that verify that SOAP messages
include WS-Addressing headers in conformance with the WS-Addressing
specification. Transport-level data is included in the XML message rather than
relying on the network-level transport to convey this information.
Security: Security policies that implement the WS-Security 1.0 and 1.1
standards. They enforce message protection (message integrity and message
confidentiality), and authentication and authorization of Web service requesters
and providers. The following token profiles are supported: username token, X.509
certificate, Kerberos ticket, and Security Assertion Markup Language (SAML)
assertion.
Message Transmission Optimization Mechanism (MTOM): Binary content,
such as an image in JPEG format, can be passed between the client and the Web
service.
In this lab we'll be attaching an out-of-the-box policy which adds the capability for the
web service client (Permit Composite) to digitally sign and encrypt our message to our
web service (CreditScore). We'll also be adding a policy to the CreditScore web service
to verify that the message came from a trusted consumer and to decrypt the message. The
response will go through the same process in reverse. The wss11_message_protection
policy supports XML Signature and XML Encryption in accordance with the WS-Security 1.1
specification.
5. Click the link for CreditScoreService under the Web Services branch.
9. Make sure the OWSM radio button is selected and click Next.
12. On the Save Deployment Plan Assistant page just click OK.
13. You should now see some messages near the top of the page. Make sure they look
similar to the screenshot below.
14. Again click on the Deployments link on the left navigation bar.
15. First, select the checkbox (Do not click the link) next to CreditScore-CreditScorecontext-root. Once selected click the Update button.
17. Verify that you see two green messages as below and click Logout.
Our policy is now applied to our CreditScore web service. Next we'll do the same for our
client (Permit Composite).
2. Expand the SOA and soa-infra (AdminServer) nodes and click on the
PermitAppComposite[1.0] link.
4. Select the down arrow next to Attach To/Detach From box and select
CreditScore.
6. Click OK.
7. Once the Policy shows up in the list, click the Test button.
8. At this point we will cut and paste a test payload into the browser. Minimize the
browser and open a terminal window on the Linux desktop using the icon.
10. From the gedit window select Edit > Select All and then select Edit > Copy.
Minimize the terminal window.
11. Go back to the browser and scroll down towards the bottom where you see the
Input Arguments section. In this section choose XML View.
12. Right click anywhere inside the argument pane and choose Select All. The test
payload will be highlighted.
13. Hold down the <Ctrl> key on the keyboard and type v. This will paste the
contents you copied from within the gedit session. Click the
button.
14. As in our previous testing you should get back a successful response. NOTE: If
you did receive an error, retry the test; sometimes the policy may not be
initialized on the first try.
15. At this point we'll look at our Message Log to view the client messages both prior
to and after the signature and encryption have been applied. Minimize the
browser and double click the Message Log icon on the desktop.
16. Our first log entry shows the message prior to the policy being applied. Note that
the SSN is still in plain text.
17. If we scroll down to the next entry we'll see the WS-Security header added with
our attributes for the signature and encryption. Note the SSN is now encrypted.
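As an added example that is not part of this lab or of Oracle WSM, the check below performs the same comparison as steps 16 and 17 over two constructed SOAP messages (a clear-text CreditScore request, and the same request as it looks after wss11_message_protection: signed, timestamped, body encrypted; the signature and cipher values are placeholders). It reports whether the WS-Security header, signature and encrypted body are present, whether the timestamp has expired, and whether the SSN still appears in plain text. The namespace URIs are the standard WS-Security 1.1, XML Signature and XML Encryption ones; the element names getCreditScore and ssn are assumed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by SOAP 1.1, WS-Security 1.1, XML Signature and XML Encryption.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed stand-in for the first log entry: the request before the policy runs.
BEFORE = """<soap:Envelope xmlns:soap="{soap}">
  <soap:Body><getCreditScore><ssn>123-45-6789</ssn></getCreditScore></soap:Body>
</soap:Envelope>""".format(**NS)

# Constructed stand-in for the second entry: WS-Security header with timestamp and
# signature, body content replaced by xenc:EncryptedData (values are placeholders).
AFTER = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
               xmlns:ds="{ds}" xmlns:xenc="{xenc}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp><wsu:Created>2010-01-01T10:00:00Z</wsu:Created>
      <wsu:Expires>2010-01-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body><xenc:EncryptedData Type="{xenc}Content">
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></soap:Body>
</soap:Envelope>""".format(**NS)

def _utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inspect(envelope_xml, now=None):
    """Report what the provider-side policy has to check: WS-Security header present,
    message signed, timestamp not yet expired (replay guard), body encrypted, and no
    ssn element left in clear text. `now` is an optional "%Y-%m-%dT%H:%M:%SZ" string."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    expires = sec.findtext("wsu:Timestamp/wsu:Expires", namespaces=NS) if sec is not None else None
    current = _utc(now) if now else datetime.now(timezone.utc)
    return {
        "security_header": sec is not None,
        "signed": sec is not None and sec.find("ds:Signature", NS) is not None,
        "timestamp_expired": None if expires is None else current > _utc(expires),
        "body_encrypted": root.find("soap:Body/xenc:EncryptedData", NS) is not None,
        "plaintext_ssn": any(e.tag.rsplit("}", 1)[-1] == "ssn" for e in root.iter()),
    }
```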