OWSM For WS Security in Oracle Service Bus

July 2011, By W.ZH

I am going to give you a small example on the WS security in OSB. This is going to be a very good example to let you pick up and to test the OWSM on OSB easily. OWSM is the oracle recommended way to secure your web service in 11g release. I have made all following running in my system.

1. When you extend your domain in Weblogic , you need to select the “OWSM extension for OSB” lib in the domain extension, and this is not removable.

2. You can use java tool key to create a keystore file in the domain’s config folder,

        keytool -genkey -keyalg RSA -dname "cn=XXX,OU=XXX,O=XXX,L=XX,ST=XX,C=XX,dc=XXX,dc=XXX" -alias orakey -keypass pass1 -keystore default-keystore.jks -storepass pass2 -validity 1064

3. The key store file name we use is the default file name here, it by default setting in the
, you can open this file take a look the node of

<serviceInstance name=”keystore” provider=”keystore.provider” location=”./default-keystore.jks”>

<description>Default JPS Keystore Service</description>

4. You need to restart your WLS and others to let WLS pickup this keystore file. Start your domain with SOA suite and OSB server.

5. You can go to Fusion Middleware control to set up your key store:

WebLogic Domain menu, select
Security -> Security Provider Configuration.

      1. Expand the Keystore section on the Security Provider Configuration page.
      2. Click Configure.
      3. Check Configure Keystore Management and use the following settings to specify the location of the keystore that contains the certificate and private key, and the signature key and encryption key aliases:
        • Keystore Path: ./default-keystore.jks
        • Password: Enter and confirm the password for the keystore. (pass2)
        • Key Alias: orakey
        • Signature Password: Enter and confirm the password for the signature key.(pass1)
        • Crypt Alias: orakey
        • Crypt Password: Enter and confirm the password for the encryption key.(pass1)
      4. Click OK to save your settings. Restart the Administration server for the domain.

6. Beside that, another way to do this is by
WLST commands to update the credential store:

createCred(map=”oracle.wsm.security”, key=”keystore-csf-key”, user=”owsm”, password=keystore_password, desc=”Keystore key”)

createCred(map=”oracle.wsm.security”, key=”enc-csf-key”, user=”orakey”, password=private_key_password, desc=”Encryption key”)

createCred(map=”oracle.wsm.security”, key=”sign-csf-key”, user=”orakey”, password=private_key_password, desc=”Signing key”)

7. Ok you have set up all these keystrore ready for tesing the OWSM on OSB.

At OSB side:

  1. Go to your OSB console http://yourIP:7001/sbconsole/, create one project.
  2. Create one Buisiness service from a WS WSDL
  3. Create one Proxy Service by that Business Service.
  4. Ok, you can test your proxy service using the “test console”,
  5. Now it is ready to apply the OWSM Assertions policy to it,
  6. We can add the oracle/wss_username_token_service_policy for testing now
  7. In OSB web Console, Click Resource Browser, click Proxy Services and click on your proxy service to edit the configuration
  8. Navigate to Policies tab
  9. Select OWSM Policy Bindings
  10. Click Add to add an OWSM Policy
  11. Select OWSM Policy dialog is displayed. Select oracle/wss_username_token_service_policy. Click Submit
  12. Then Update to make policy run. (In the security part double check that set Process WS-Security Header flag to YES (Do not miss this step) )
  13. Ok, you can start test from test console again, you need to supply the username and password for the SOAP header to make the test can work.
  14. So how you can get the user name and password submited in test console?
  15. Create a user in the WLS security realm in EM, you can also do this from the OSB console, eg. user_a/password3,
  16. In EM, go to the domain –credential setting, you will see the map over there for “oracle.wsm.security“, create one more key there for testing user a:

    key: usera_key

    username: user_a

    pass: password3

  17. Ok we can use this key to retrieve the username and pass in the OSB test console to test the WS.
  18. In the test console , you can choose to overide the csf-key values.

    Policy Name  — oracle/wss_username_token_client_policy

    Property — csf-key

    Default Value    —- basic.credentials

    Override Value    —   usera_key

  19. Then when you try to test a WS call, the test console will auto get user_a and pass to compose the WS-Security SOAP header for you and to hit the OSB proxy Service.

All these are concise steps for OWSM ruuning on OSB proxy service. For OSB project you need to commit your change for changing session every time you change it.

There is a chapter in the Oracle® Fusion Middleware Administrator’s Guide for Oracle WebCenter 11g (R4) – 28 Configuring WS-Security for WebCenter Applications and Components , it gives an example that how you can apply the WS-security on the Web Center related service. It in fact is a good example of how to config and apply the OWSM to any WS.