Hi
In this post, security of OSB services is illustrated with detailed steps for securing OSB services and testing them from the OSB console as well as from soapUI.
This will be a series of posts covering different security use cases and realizing them in OSB services. The following are the security use cases that are planned for this series of posts:
- Securing OSB service with WS-Security username Token
- Securing OSB service with 'http basic authentication'
- Securing OSB service with PKI -security and message protection
In this post, let's focus on securing an OSB service with WS-Security usernameToken and testing it in multiple ways.
Securing OSB Service with WS-Security usernameToken
Setup:
- OSB 11g Services: an OSB project with name StringConversionService, that contains StringConversionPS (proxy service) and StringConversionBS (business service). StringConversionBS wraps the SOA 11g SCA composite listed just below, which does string conversion to upper case.
- SOA 11g SCA composite - StringConverterProcess: This accepts a string as an input, converts it to upper case and gives it as a response.
Here is a high-level diagram of message flow in this use case:
And, yes, for this use case the setup can be simpler: there is no need for an SCA composite and, for that matter, no need for even the Business Service. However, I am building this setup for the next blogs in this series, hence, for now, let's move along with these not-so-relevant-for-now components.
Discussing the development of this SCA composite and these OSB services is out of the scope of this discussion, as they are trivial from a development perspective.
For this illustration, I have both OSB and SOA runtimes hosted on localhost.
Now, let us apply an 11g OWSM security policy to StringConversionPS and try to test it.
Note - For applying an OWSM security policy to the proxy service in context, the domain in context should have been configured for 'OSB OWSM Extension'. For details on how to configure/extend the domain for this, please refer to 'Extending an existing Weblogic domain with OSB'.
Steps to make OSB service secure
Log on to OSB console. In the project explorer interface, click on the name of the proxy service in the right pane to get to the configuration details of the proxy service, and click on the policies:
Then create a WebLogic session to be able to update the service config, and choose 'OWSM Policy Store' as the source for policy selection.
In the service level policies, click the 'Add' button; a window pops up with a list of available policies. Navigate through those policies and select 'oracle/wss_username_token_service_policy'.
Update the service configuration and activate the OSB session.
Now, when we want to test this from the OSB test console, we will be prompted for a key (instead of WS-Security username and password details). Hence, let's create a key with valid credentials; before that, we need to attach a keystore to the domain.
Go to the Enterprise Manager console, and navigate to domain security provider configuration
And, provide a java keystore (.jks file) for the keystore configuration:
If you don't have any keystores handy to use for this, create a keystore using java keytool with at least one key in it.
We are not going to use any existing keys in it, but plan to create a new key into it, and use that key for testing the proxy service configured with OWSM security policy.
In the EM console, go to the domain security interface, and select credentials:
Create a key in the store that has been just added:
In the details, select the map associated with the keystore just added, and select type as password and provide valid credentials.
Testing secured OSB service from OSB test console
After successfully adding 'weblogic-key' to the keystore, let's use this key to test the proxy service StringConversionPS.
Open the proxy service test console and provide a test input string, and provide the weblogic-key as the input csf-key
And then execute the test case.
Here is the typical result:
Request message enhanced with WS-Security info (gathered from the weblogic-key details):
Response document with upper case string:
Testing secured OSB service from soapUI
Load the OSB service WSDL (http://localhost:10001/sbresource?WSDL/StringConversionService/StringConversionPS) into soapUI and create a project. At the project level, create an Outgoing WS Security configuration, with a name something like 'Outgoing-WSSUsernameToken', add a WSS entry of type 'Username' to it and provide the credentials of the 'weblogic' user.
Then open a test request and, in the 'Aut' tab at the left bottom, choose as the Outgoing WSS the configuration that was created above (i.e., 'Outgoing-WSSUsernameToken').
Execute the request, and the below is the typical output:
In the next post, let us discuss 'http basic authentication' based security for OSB services.
॥ स्वस्ति ॥
Hello Srinivas,
Excellent article. But as you mentioned the other two articles are missing.
- Securing OSB service with 'http basic authentication'
- Securing OSB service with PKI -security and message protection
Really in need of article for above two use cases with SoapUI testing methodologies. Please provide reference to your article on above 2 scenarios.
Thanks Shoaib.
Sorry for the late response. I have not been visiting in the recent past. I planned for the sequel articles, but couldn't focus time to draft them though :-) Will try. :-)