How to add the OWSM to WS server side and client side

By W.ZH July 2011

Oracel Web Service Manager is to add the WS security policy to the  web service, can be add to the ADF BC WS, ADF data control WS, an SOA applications’s WS and also a normal WS, such as and EJB WS. I just  add some my experience here for future easily pick up OWSM.

Server Side:

For a normal WS, there are several ways you can add the WS security plicy to the WS Server Side:

1. Design time, when you design the WS in Jdeveloper, you can right click that WS to config’s policy and it will add some security related annotiona to your WS method signature.

2. Or, after your WS is deployed, you can add the security policy at run time, you can either do from EM fusion middleware control , or from WLS console.

In EM control, find the WS in your domain — select the endpoint and select the policy to attach and de-attach the policy to it.

In console, you can go to deployment– your WS project — ur WS — in its configuration, to select the WS-policies to config its policy.

Client Side:

1. Your client is the JAVA code in Jdeveloper, you can create an WS proxy client in Jdev first, after you have that proxy, you can right click the proxy to change its’ properties and, after you get the dialog for proxy prpoperties, there is one can let u change the client proxy, set it matches with your server side proxy and also change the related java code to input the data to make it can call the WS be secured. Something code like this:

   // set the WS service and security token
SecurityPolicyFeature[] securityFeatures =
new SecurityPolicyFeature[] { new SecurityPolicyFeature(“oracle/wss_username_token_client_policy”) };
myService =
new MYService(new URL(“”),
MyEJBBean myEJBBean =

Map<String, Object> myReqContext =
myReqContext.put(BindingProvider.USERNAME_PROPERTY, “user name”);
myReqContext.put(BindingProvider.PASSWORD_PROPERTY, “password”);

Then you can call the WS like normal proxy code to call the WS server side.

2. Your client is the SOA composite application, such as inside a BPEL process, you have a “invoke” to call the WS proxy outside the BPEL process. You can right click that invoke to config’s WS client policy too, you can refer the dev guide about this part. should not be too hard.

OWSM For WS Security in Oracle Service Bus

July 2011, By W.ZH

I am going to give you a small example on the WS security in OSB. This is going to be a very good example to let you pick up and to test the OWSM on OSB easily. OWSM is the oracle recommended way to secure your web service in 11g release. I have made all following running in my system.

1. When you extend your domain in Weblogic , you need to select the “OWSM extension for OSB” lib in the domain extension, and this is not removable.

2. You can use java tool key to create a keystore file in the domain’s config folder,

        keytool -genkey -keyalg RSA -dname "cn=XXX,OU=XXX,O=XXX,L=XX,ST=XX,C=XX,dc=XXX,dc=XXX" -alias orakey -keypass pass1 -keystore default-keystore.jks -storepass pass2 -validity 1064

3. The key store file name we use is the default file name here, it by default setting in the
, you can open this file take a look the node of

<serviceInstance name=”keystore” provider=”keystore.provider” location=”./default-keystore.jks”>

<description>Default JPS Keystore Service</description>

4. You need to restart your WLS and others to let WLS pickup this keystore file. Start your domain with SOA suite and OSB server.

5. You can go to Fusion Middleware control to set up your key store:

WebLogic Domain menu, select
Security -> Security Provider Configuration.

      1. Expand the Keystore section on the Security Provider Configuration page.
      2. Click Configure.
      3. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
        • Keystore Path: ./default-keystore.jks
        • Password: Enter and confirm the password for the keystore. (pass2)
        • Key Alias: orakey
        • Signature Password: Enter and confirm the password for the signature key.(pass1)
        • Crypt Alias: orakey
        • Crypt Password: Enter and confirm the password for the encryption key.(pass1)
      4. Click OK to save your settings. Restart the Administration server for the domain.

6. Beside that, another way to do this is by
WLST commands to update the credential store:

createCred(map=””, key=”keystore-csf-key”, user=”owsm”, password=keystore_password, desc=”Keystore key”)

createCred(map=””, key=”enc-csf-key”, user=”orakey”, password=private_key_password, desc=”Encryption key”)

createCred(map=””, key=”sign-csf-key”, user=”orakey”, password=private_key_password, desc=”Signing key”)

7. Ok you have set up all these keystrore ready for tesing the OWSM on OSB.

At OSB side:

  1. Go to your OSB console http://yourIP:7001/sbconsole/, create one project.
  2. Create one Buisiness service from a WS WSDL
  3. Create one Proxy Service by that Business Service.
  4. Ok, you can test your proxy service using the “test console”,
  5. Now it is ready to apply the OWSM Assertions policy to it,
  6. We can add the oracle/wss_username_token_service_policy for testing now
  7. In OSB web Console, Click Resource Browser, click Proxy Services and click on your proxy service to edit the configuration
  8. Navigate to Policies tab
  9. Select OWSM Policy Bindings
  10. Click Add to add an OWSM Policy
  11. Select OWSM Policy dialog is displayed. Select oracle/wss_username_token_service_policy. Click Submit
  12. Then Update to make policy run. (In the security part double check that set Process WS-Security Header flag to YES (Do not miss this step) )
  13. Ok, you can start test from test console again, you need to supply the username and password for the SOAP header to make the test can work.
  14. So how you can get the user name and password submited in test console?
  15. Create a user in the WLS security realm in EM, you can also do this from the OSB console, eg. user_a/password3,
  16. In EM, go to the domain –credential setting, you will see the map over there for ““, create one more key there for testing user a:

    key: usera_key

    username: user_a

    pass: password3

  17. Ok we can use this key to retrieve the username and pass in the OSB test console to test the WS.
  18. In the test console , you can choose to overide the csf-key values.

    Policy Name  — oracle/wss_username_token_client_policy

    Property — csf-key

    Default Value    —- basic.credentials

    Override Value    —   usera_key

  19. Then when you try to test a WS call, the test console will auto get user_a and pass to compose the WS-Security SOAP header for you and to hit the OSB proxy Service.

All these are concise steps for OWSM ruuning on OSB proxy service. For OSB project you need to commit your change for changing session every time you change it.

There is a chapter in the Oracle® Fusion Middleware Administrator’s Guide for Oracle WebCenter 11g (R4) – 28 Configuring WS-Security for WebCenter Applications and Components , it gives an example that how you can apply the WS-security on the Web Center related service. It in fact is a good example of how to config and apply the OWSM to any WS.

NoClassDefFoundError: weblogic.WLST

By W.Zh July 2011


When u try start the WLST you get  NoClassDefFoundError: Weblogic.WLST

Solution :

You can use a WL_HOME\server\bin\setWLSEnv script to set env \
java weblogic.WLST

If you get exception of  – Exception in thread “main” java.lang.NoClassDefFoundError: Weblogic.WLST, What happen?

try “. ./” as the setting cmd for that, two periods with a space between made the trick!