Monday, July 7, 2014

Security is a major concern when we expose our services to the external world. If a service is not secured, anyone can access it from the web and manipulate the data, so we must add security to a web service when we expose it externally.

In this post, I will show you how to secure an Oracle Service Bus (OSB) proxy service when we expose it to the external world.

We use OWSM policies to add security to an OSB proxy service. Here we use the username token policy, so the caller needs to pass user credentials to access the service. Many other policies are available in OWSM that can be applied to a proxy service, but for this post we will use only the username token policy, just to show how an OWSM policy is applied to a proxy service.

First create an OSB project and add the required folders under it.



Inside the resource folder, import the SOA composite WSDL and XSD files. We will invoke this service from OSB.

Create a business service which invokes the SOA composite.



Create a proxy service based on the business service created above.



Now, to secure your proxy service, go to the “Policies” tab of the proxy service.

Select the “From OWSM Policy Store” radio button, as we are using an OWSM security policy.



Click the Add button to add the required OWSM policy.

Choose “oracle/wss_username_token_service_policy” from the list.



You will see the policy added to your proxy service, and your proxy service is now secured.



Now we will see how to test this secured service.

We can test it in the following two ways.
  • SOAP Security header
  • OWSM client policy and CSF-key

Sometimes you may face the error below when you try to test the proxy service.

Error: [OSB Security - OWSM: 387253] Failed to initialize Owsm Credential Manager. Please validate the Keystore Configuration.



See my next post for how to resolve this error.


Let’s discuss the options mentioned above one by one.

SOAP Security header

As the proxy service is secured by a username token, we need to pass user credentials in the SOAP header to call it.

Add the security header below inside the SOAP header.

<wsse:Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
               xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
    <Username>weblogic</Username>
    <Password>welcome1</Password>
  </wsse:UsernameToken>
</wsse:Security>

Once you have added the security header inside the SOAP header, test your proxy service. You will see a successful response.

Request message


Response Message
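
The same call can be made from a script instead of the test console. The following is an added example, not code from the original post: it assumes SOAP 1.1, and the function names, payload namespace, user name and password are placeholders. Because the username token carries the password as plain text inside the header, it refuses endpoints that are not HTTPS.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def build_envelope(payload: ET.Element, username: str, password: str) -> bytes:
    """Wrap payload in a SOAP 1.1 envelope carrying a wsse:UsernameToken header."""
    if not username or not password:
        raise ValueError("username and password are required")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    # ElementTree escapes &, < and > in text, so credentials cannot break the XML.
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password").text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(payload)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def check_endpoint(url: str) -> str:
    """The password travels as plain text in the header, so insist on TLS."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send a UsernameToken over {url!r}: not https")
    return url


def call_proxy(url: str, payload: ET.Element, username: str, password: str) -> bytes:
    """POST the secured envelope to the proxy service and return the raw response."""
    req = urllib.request.Request(
        check_endpoint(url),
        data=build_envelope(payload, username, password),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed payload and placeholder credentials, for illustration only.
    sample = ET.Element("{urn:example:hello}process")
    ET.SubElement(sample, "{urn:example:hello}input").text = "test"
    print(build_envelope(sample, "osb_test_user", "example-password").decode())
```

In a real client the user name and password would come from a secret store or the environment rather than from the script itself.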



OWSM client policy and CSF-key

Another way to test this proxy service is to add the client username token policy to the proxy service and assign to the client policy a CSF-key which holds the user credentials.


First create a CSF-key; see my post on creating a CSF-key.

Once you have created the key, go to the proxy service test console. Add the username token client policy under the security section and provide the CSF-key name.





Test your proxy service; you will see a successful response.



2 comments :

  1. Hi..
    How can we achieve application level authentication in OSB?
    Thanks in advance.

  2. Hi,
    If you are aware of or have come across this, could you please tell how to move the WLS policies to OWSM policy while upgrading the OSB domain from 11g to 12c.

    Thanks.
