
Oracle SOA Suite 11

Hands-On Workshop
Lab 7
Adding Message Security using Fusion Middleware
Policy Manager

Lab 1

Because of its nature (loosely coupled connections) and its use of open access (mainly
HTTP), SOA implemented by Web services adds a new set of requirements to the
security landscape. Web services security includes several aspects:

- Authentication: Verifying that the user is who she claims to be. A user's identity
  is verified based on the credentials presented by that user.
- Authorization (or Access Control): Granting access to specific resources based
  on an authenticated user's entitlements. Entitlements are defined by one or several
  attributes. An attribute is a property or characteristic of a user; for example, if
  "Marc" is the user, "conference speaker" is the attribute.
- Confidentiality, privacy: Keeping information secret. A message, for
  example a web service request or an email, as well as the identity of the sending
  and receiving parties, is handled in a confidential manner. Confidentiality and privacy can be
  achieved by encrypting the content of a message and obfuscating the sending and
  receiving parties' identities.
- Integrity, non-repudiation: Making sure that a message remains unaltered
  during transit by having the sender digitally sign the message. Validating the
  digital signature confirms the message is unaltered and provides non-repudiation. The timestamp in
  the signature prevents anyone from replaying this message after the expiration.

Oracle Web Services Manager (WSM) provides a policy framework to manage and
secure Web services consistently across your organization. Oracle WSM can be used by
developers at design time, and system administrators in production environments.
The policy framework is built using the WS-Policy standard. Policies describe the
capabilities and requirements of a Web service such as whether and how a message must
be secured, whether and how a message must be delivered reliably, and so on.
Oracle Fusion Middleware 11g Release 1 (11.1.1) supports the following types of
policies:


- WS-ReliableMessaging: Reliable messaging policies that implement the
  WS-ReliableMessaging standard, which describes a wire-level protocol that allows
  guaranteed delivery of SOAP messages and can maintain the order
  in which a set of messages is delivered.
- Management: Management policies that log request, response, and fault
  messages to a message log. Management policies may include custom policies.
- WS-Addressing: WS-Addressing policies that verify that SOAP messages
  include WS-Addressing headers in conformance with the WS-Addressing
  specification. Transport-level data is included in the XML message rather than
  relying on the network-level transport to convey this information.
- Security: Security policies that implement the WS-Security 1.0 and 1.1
  standards. They enforce message protection (message integrity and message
  confidentiality), and authentication and authorization of Web service requesters
  and providers. The following token profiles are supported: username token, X.509
  certificate, Kerberos ticket, and Security Assertion Markup Language (SAML)
  assertion.
- Message Transmission Optimization Mechanism (MTOM): Binary content,
  such as an image in JPEG format, can be passed between the client and the Web
  service.

In this lab we'll attach an out-of-the-box policy that lets the
web service client (Permit Composite) digitally sign and encrypt the message sent to our
web service (CreditScore). We'll also add a policy to the CreditScore web service
to verify that the message came from a trusted consumer and to decrypt the message. The
response will go through the same process in reverse. The wss11_message_protection
policy supports XML Signature and XML Encryption in accordance with the WS-Security 1.1 specification.


Attach Policy to CreditScore Web Service


First we'll attach the policy to our CreditScore web service. To do this we'll use the
WebLogic Server administration console.
1. Open Firefox and click on the link for the Admin Console.

2. Enter Username: weblogic and Password: welcome1, then click Log In.


3. On the left navigation bar click Deployments

4. Click the + sign next to CreditScore-CreditScore-context-root to expand the
node.


5. Click the link for CreditScoreService under the Web Services branch.

6. Click on the Configuration tab.

7. Click on the WS-Policy tab


8. Click on the link CreditScorePort

9. Make sure the OWSM radio button is selected and click Next.


10. Highlight the policy oracle/wss11_message_protection_service_policy (take
care to select the correct one) under the Available Endpoint
Policies box on the left and click the > arrow to shuttle it to the Chosen Endpoint
Policies box.

11. Then click Finish


12. On the Save Deployment Plan Assistant page just click OK.

13. You should now see some messages near the top of the page. Make sure they look
similar to the screenshot below.


14. Again click on the Deployments link on the left navigation bar.

15. First, select the checkbox (do not click the link) next to CreditScore-CreditScore-context-root. Once it is selected, click the Update button.


16. On the next page just click Finish

17. Verify that you see two green messages as below and click Logout.

Our policy is now applied to our CreditScore web service. Next we'll do the same for our
client (Permit Composite).


Attach Policy to Permit Composite


We're now going to attach the client-side version of this policy to Permit Composite.
We'll attach it through Enterprise Manager.
1. Open Firefox if it is not already open and click on the link for Enterprise Manager.
Log in with username weblogic and password welcome1.


2. Expand the SOA and soa-infra (AdminServer) nodes and click on the
PermitAppComposite[1.0] link.

3. Click on the Policies tab


4. Select the down arrow next to Attach To/Detach From box and select
CreditScore.


5. First, highlight the oracle/wss11_message_protection_client_policy (take care
to select the correct one) by clicking on it. Then click the Attach
button.

6. Click OK


7. Once the Policy shows up in the list, click the Test button.

8. At this point we will cut and paste a test payload into the browser. Minimize the
browser and open a terminal window on the Linux desktop using the icon.

9. Change directory into MyFiles ( cd My* ), type: gedit SamplePermitWS.xml
and hit Return/Enter.

10. From the gedit window select Edit > Select All and then select Edit > Copy.
Minimize the terminal window.


11. Go back to the browser and scroll down towards the bottom where you see the
Input Arguments section. In this section choose XML View.

12. Right click anywhere inside the argument pane and choose Select All. The test
payload will be highlighted.

13. Hold down the <Ctrl> key on the keyboard and type v. This will paste the
contents you copied from within the gedit session. Click the
button.


14. As in our previous testing you should get back a successful return. NOTE: If
you do receive an error, retry the test; sometimes the policy may not be
initialized on the first try.

15. At this point we'll look at our Message Log to view the client messages both prior
to and after the signature and encryption have been applied. Minimize the
browser and double click the Message Log icon on the desktop.


16. Our first log entry shows the message prior to the policy being applied. Note that
the SSN is still in plain text.

17. If we scroll down to the next entry we'll see the WS-Security header added with
our attributes for the signature and encryption. Note the SSN is now encrypted.
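
The visual comparison in steps 16 and 17 can also be scripted. The following Python check is an added example, not part of the original lab or of Oracle's tooling: it inspects a logged SOAP envelope for a WS-Security header and an encrypted body, and confirms a known sensitive value is no longer readable. The header elements it expects, the sample envelopes and the SSN value are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Standard SOAP 1.1, WS-Security 1.0, XML Signature and XML Encryption namespaces.
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "secext-1.0.xsd",
    "wsu": WSS + "utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Assumption: header children this example expects once the policy is applied.
EXPECTED = (("ds:Signature", "signature"), ("xenc:EncryptedKey", "encrypted key"),
            ("wsu:Timestamp/wsu:Expires", "timestamp expiry"))

def check_protection(envelope_xml, sensitive_values=()):
    """Return a list of findings; an empty list means the entry looks protected."""
    root = ET.fromstring(envelope_xml)
    findings = []
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        findings.append("missing wsse:Security header")
    else:
        findings += ["missing " + label for path, label in EXPECTED
                     if sec.find(path, NS) is None]
    body = root.find("soap:Body", NS)
    if body is None or body.find("xenc:EncryptedData", NS) is None:
        findings.append("body is not xenc:EncryptedData")
    text = "".join(root.itertext())
    # Report by index so the sensitive value itself is never echoed.
    findings += [f"sensitive value #{i} visible in plaintext"
                 for i, v in enumerate(sensitive_values) if v in text]
    return findings

# Constructed sample log entries (not captured from the lab environment).
BEFORE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Body>
<process><SSN>123-45-6789</SSN></process></soap:Body></soap:Envelope>"""
AFTER = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
<soap:Header><wsse:Security><wsu:Timestamp><wsu:Expires>2030-01-01T00:00:00Z
</wsu:Expires></wsu:Timestamp><xenc:EncryptedKey/><ds:Signature/>
</wsse:Security></soap:Header><soap:Body><xenc:EncryptedData><xenc:CipherData>
<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print("before:", check_protection(BEFORE, ["123-45-6789"]))
    print("after: ", check_protection(AFTER, ["123-45-6789"]))
```

This check only confirms that the expected elements are present and the value is not readable; it does not validate the signature or decrypt anything.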
