Wednesday, December 6, 2017

WS-Security vs SSL/TLS Security with reference to WebServices

SSL/TLS encrypts at the transport level; WS-Security encrypts at the message level. SSL/TLS provides in-transit security only: the request is protected while it travels between client and server, and it is in the clear again as soon as the TLS connection is terminated, whether on the server itself or on any intermediary that terminates TLS. WS-Security keeps the message encrypted and signed until the moment the receiving application actually processes it. SSL/TLS secures the whole HTTP connection, whereas WS-Security works on the XML message itself. Performance-wise, SSL/TLS is considerably faster than WS-Security, because XML Signature and XML Encryption add canonicalization, parsing and per-message cryptographic work on top of the transport.

Note that REST-based web services have no equivalent of WS-Security and inherit their security from the underlying transport (HTTPS), so every limitation listed below applies to them in full.

Limitations of SSL/TLS

1.      SSL/TLS is point-to-point, whereas WS-Security is end-to-end. Between the two endpoints there may be several intermediary nodes (web servers, load balancers, proxy servers, etc.), and every node that terminates TLS sees the message in the clear and can alter it before re-encrypting it for the next hop.
2.      SSL/TLS does not bind a sender identity to the message itself: once the connection is closed, nothing in the message proves who sent it. WS-Security carries security tokens (Username, X.509, SAML) and XML signatures inside the message, which also gives non-repudiation that TLS cannot offer.
3.      SSL/TLS does not provide element-wise signing and encryption. For example, if you have a large purchase-order XML document and only want to sign or encrypt the credit card element, that is difficult with SSL/TLS: as a transport-level scheme it protects the whole byte stream or nothing, whereas a message-level scheme can sign or encrypt individual elements and leave the rest readable for routing and processing.


Transport-level and message-level security can also be enforced per web service rather than only globally. Even when SSL/TLS is not mandated at the server level, you can attach an OWSM policy at the web service level, for example oracle/wss_http_token_over_ssl_service_policy, which rejects any request that does not arrive over SSL/TLS carrying an HTTP basic authentication token. The SSL/TLS listener itself must of course still exist on the server for clients to reach the service that way.
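To make limitation 3 above concrete, here is an added illustration (my own code, not part of the original post and not WS-Security itself) of protecting a single element of a purchase order while leaving the rest readable. WS-Security does this with XML Signature over an X.509 or SAML token; this version uses an HMAC over the canonicalized element so that it runs with the Python standard library alone. The purchase order, the element name CreditCard and the shared key are constructed for the example.

```python
# Added example (not from the original post): element-level integrity protection
# of one XML element, to show what message-level security gives that TLS cannot.
# WS-Security uses XML Signature with asymmetric keys; this illustration uses an
# HMAC over the canonicalized element so it needs only the standard library.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample purchase order; only the CreditCard element is to be protected.
PURCHASE_ORDER = """<PurchaseOrder>
  <Item sku="A-100" qty="2"/>
  <ShipTo>Sydney</ShipTo>
  <CreditCard><Number>4111111111111111</Number><Expiry>12/29</Expiry></CreditCard>
</PurchaseOrder>"""


def canonical_bytes(elem):
    """Canonical XML (C14N 2.0) of one element, so whitespace or attribute-order
    changes made by intermediaries do not break the signature."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def sign_element(xml_text, element_tag, key):
    """Return the document with a <Signature ref="..."> element covering only element_tag."""
    root = ET.fromstring(xml_text)
    target = root.find(element_tag)
    mac = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, "Signature", {"ref": element_tag, "alg": "hmac-sha256"})
    sig.text = mac
    return ET.tostring(root, encoding="unicode")


def verify_element(xml_text, key):
    """True only if the element named in Signature/@ref is unchanged since signing."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    target = root.find(sig.get("ref")) if sig is not None else None
    if target is None:
        return False
    expected = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text or "")


def set_text(xml_text, path, value):
    """Model an intermediary rewriting one element (e.g. a proxy that terminates TLS)."""
    root = ET.fromstring(xml_text)
    root.find(path).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    key = b"shared-secret-for-illustration-only"
    signed = sign_element(PURCHASE_ORDER, "CreditCard", key)
    print(verify_element(signed, key))                                    # True
    print(verify_element(set_text(signed, "ShipTo", "Melbourne"), key))   # True: ShipTo is not covered
    print(verify_element(set_text(signed, "CreditCard/Number", "4111111111111112"), key))  # False
```

An intermediary that terminates TLS can still read and rewrite ShipTo, which is exactly the point-to-point limitation, but any change to the signed CreditCard element is detected at the endpoint. Because an HMAC is symmetric it gives integrity only; non-repudiation needs the asymmetric signature WS-Security actually uses.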

Monday, October 30, 2017

How to configure secure RIDC port in WebCenter Content?

An SSL incoming provider is created to open an SSL server socket to which Intradoc clients (the WCC UI, WebCenter Portal (WCP), custom RIDC clients) connect, so that their traffic is encrypted. The provider can be configured with or without client authentication (the WCC UI managed server is itself a client of the Content Server). When client authentication is not required, the Java RIDC client connecting to the SSL server socket (the Intradoc secure-socket port) does not need to present a certificate; this mode differs from a plain Intradoc connection only in that the traffic is encrypted and cannot be read from a packet capture. The client still authenticates the server, so the client's trust store must contain the server's certificate chain. With client authentication required, the client must in addition present a certificate signed by an authority that is in the server's trust store.
Prerequisites
1.       Oracle WebCenter Content (WCC) 12.2.1 is installed.
2.       The WCC domain is created and all servers are running.
3.       The RIDC non-SSL port is configured and the IDC server is listening on 4444.
Steps:
1.       Create the SSL incoming socket provider, of provider type sslincoming, with the following values:

Provider Name:                  sslkeepaliveincomingprovider
Provider Description:           For RIDC over SSL
Provider Type:                  sslincoming
Provider Class:                 idc.provider.ssl.SSLSocketIncomingProvider
Provider Connection:            idc.provider.KeepaliveSocketIncomingConnection
Server Thread Class:            idc.server.KeepaliveIdcServerThread
Server Port:                    4445
Request Client Authentication:  No
Require Client Authentication:  No
Keystore File Path:             /oracle/app/keystores/wcc_keystore.jks
Alias:                          Dev1WCC
Truststore File Path:           /oracle/app/keystore/wcc_trust.jks



Note:
a. The RIDC non-secure port and the RIDC secure port must be different, and the firewall rules must allow the secure port. Bear in mind that the non-secure port stays open: unless it is firewalled to local clients, a client can still connect in the clear on 4444.
b. If you want client authentication, check "Require Client Authentication" on the SSL incoming provider. You must then configure a keystore for each client, holding a certificate that chains to the server's trust store.

2.       Restart the WCC managed server and confirm that the sslincoming provider shows a good state on the Providers page.
Once the above steps are complete, the IDC server accepts RIDC connections over SSL and any client can use the idcs protocol.
Verification:
1.       Check that SSL is answering on the new port:
openssl s_client -connect wcchost1:4445

CONNECTED(00000003)
depth=2 C = AU, ST = NSW, L = Sydney, O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=myCompany/OU=Digital Certificates Security Services/CN=Imran Mirza

"verify error:num=19" only means that s_client checked the chain against the system CA store, which does not contain the internal root. Repeat the command with -CAfile pointing at a PEM export of wcc_trust.jks (keytool -exportcert -rfc) and expect "Verify return code: 0 (ok)". Note also that the subject CN here is a person's name rather than the host name: RIDC trusts the server by trust store alone, but any client that verifies host names would reject this certificate, so issue the server certificate for wcchost1 if such clients will connect.

2.       Call the IDC service PING_SERVER over the new port. The HDA response looks like:
<?hda version="12.2.1.2.0-2017-07-05 09:25:44Z-r155055" jcharset="UTF8" encoding="utf-8"?>
@Properties LocalData
IdcService=PING_SERVER
IsAllowAnonymous=1
IsJava=1
StatusMessage=You are logged in as 'weblogic'.

3.       Configure the idcs connection URL in any RIDC client, for example the WCC UI application, with the WLST command:

updateRIDCConnection('Oracle WebCenter Content – Web UI',
'WccAdfServerConnection',connUrl='idcs://wcchost1:4445',
credUsername='sysadmin')

Thursday, April 7, 2016

Configuring Two-way SSL for Oracle SOA Suite

By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). When the server needs to authenticate the client, you use two-way SSL. In a two-way SSL connection, the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake. The server determines whether or not two-way SSL is used.

If you need two-way SSL between SOA/OSB and an external application, follow these steps:
·         Configuring two-way Inbound SSL
·         Configuring two-way Outbound SSL

Prerequisites

1.    Keystores have been configured for the SOA and OSB servers.
2.    The identity certificate for the SOA server has been added to the identity keystore.
3.    The public certificates of the partner (or of the CA that issued them) have been added to the trust keystore.

Configuring two-way Inbound SSL
Change the following SSL properties for the SOA and OSB servers. The last column marks whether the setting is needed for one-way SSL (1) or only for two-way SSL (2):

SOA_server1 property             Value                                  1-way / 2-way
SSL Port Enabled                 True                                   1
SSL Port                         8002                                   1
Private Key Alias                PRIVATE-KEY-ALIAS                      1
Private Key Passphrase           <Passphrase>                           1
Use Server Certs                 Checked                                2
Two Way Client Cert Behavior     Client Certs Requested And Enforced    2

"Client Certs Requested And Enforced" makes the server drop any SSL connection on port 8002 whose client does not present a certificate chaining to the trust keystore; "Client Certs Requested But Not Enforced" would only ask for one, which gives no assurance about the caller. "Use Server Certs" makes the server present its own identity certificate when it opens outbound HTTPS connections, which is what the outbound configuration relies on.

Once the above settings are saved and activated, two-way SSL for inbound connections is in place.
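As an added example (my own code, not Oracle's RIDC library or WebLogic tooling), the following Python check exercises a listener configured as above, and equally the sslincoming port from the RIDC post earlier on this page: it confirms that the server certificate chains to the trust store, that the listener really refuses a session without a client certificate when "Client Certs Requested And Enforced" (or "Require Client Authentication") is set, and that a proper client certificate is accepted. It assumes PEM files exported from the JKS stores with keytool -exportcert -rfc (ca.pem for the trust store, client.pem and client.key for the client identity) and the host names and ports used on this page (soa_server1 on 8002, wcchost1 on 4445). start_demo_server is a constructed stand-in for the real listener so the check can be run offline.

```python
# Added example, not Oracle's RIDC or WebLogic code: a client-side check of a TLS
# listener configured the way this page describes, either the WCC sslincoming
# port (wcchost1:4445) or a WebLogic SSL port set to "Client Certs Requested And
# Enforced" (soa_server1:8002). Assumed inputs: PEM exports of the JKS stores
# (ca.pem, client.pem, client.key). start_demo_server is a constructed stand-in
# for the real listener so the check can be exercised offline.
import socket
import ssl
import threading


def check_tls_port(host, port, cafile, certfile=None, keyfile=None,
                   check_hostname=False, timeout=3.0):
    """Return a one-line verdict for the TLS listener at host:port."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # The certificate in the post's s_client output has CN = a person's name.
    # RIDC trusts by trust store only, so hostname checking is off by default;
    # turn it on for any client that verifies host names (browsers, HTTPS).
    ctx.check_hostname = check_hostname
    if certfile:                       # present a client identity (two-way SSL)
        ctx.load_cert_chain(certfile, keyfile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLCertVerificationError:
        raw.close()
        return "untrusted server certificate"
    except ssl.SSLError:               # a TLS 1.2 server fails the handshake here
        raw.close()
        return "rejected by server (client certificate required?)"
    try:
        # An Intradoc or WebLogic listener sends nothing until it gets a request,
        # so a read timeout means the session is up. A TLS 1.3 server that wants a
        # client certificate reports it only now, as an alert on the first read.
        tls.recv(1)
    except socket.timeout:
        return "tls ok" + (" (client certificate accepted)" if certfile else "")
    except (ssl.SSLError, ConnectionError):
        return "rejected by server (client certificate required?)"
    finally:
        tls.close()
    return "tls ok"                    # server sent data or closed cleanly


def start_demo_server(certfile, keyfile, require_client_cert=False, cafile=None):
    """Constructed stand-in for the sslincoming provider / WebLogic SSL port.
    Serves one handshake on 127.0.0.1 and returns (port, thread)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    if require_client_cert:            # "Require Client Authentication: Yes"
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(10)

    def serve_once():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            tls = None
            try:
                tls = ctx.wrap_socket(conn, server_side=True)  # raises if no client cert
                tls.recv(1)                                    # wait for a request
            except OSError:
                pass
            finally:
                (tls or conn).close()
        except OSError:
            pass
        finally:
            listener.close()

    thread = threading.Thread(target=serve_once, daemon=True)
    thread.start()
    return listener.getsockname()[1], thread
```

Against a real server, run check_tls_port("soahost1.example.com", 8002, "ca.pem") and expect "rejected by server (client certificate required?)"; then add certfile="client.pem", keyfile="client.key" and expect "tls ok (client certificate accepted)". A plain "tls ok" on the first call means the enforcement setting has not taken effect.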

Configuring two-way Outbound SSL

For a two-way outbound SSL connection (that is, a SOA composite application invoking another application over SSL and presenting its own certificate), the following additional steps are needed so that the SOA infrastructure can open the identity keystore:
1.    Go to soa-infra -> SOA Administration -> Common Properties.
2.    Click the link at the bottom of the page, "More SOA Infra Advanced Configuration Properties", and enter the full path of the SOA identity keystore in the value field of the KeyStoreLocation attribute.
3.    Navigate to the domain -> Security -> Credentials.
4.    Click Create Map. In the Map Name field, enter SOA, and click OK.
5.    Click Create Key and enter the following details, where the password is the password of the SOA identity keystore:

Field         Value                                              Description
Select Map    SOA                                                The map created in the previous step.
Key           KeystorePassword                                   The key name (KeystorePassword is the default).
Type          Password                                           Select Password.
User Name     KeystorePassword                                   The keystore user name (KeystorePassword is the default).
Password      <Passphrase>                                       The password you set for the keystore.
Description   Keystore for Outbound Webservice binding via SSL   Free-text description of the credential.

6.    Restart the SOA managed servers.


Monday, November 23, 2015

Quick Enterprise Installation of Oracle SOA Suite 12c Release 2 (12.2.1.0.0)


Oracle released Oracle SOA Suite 12c (12.2.1.0.0) on 23/10/2015 along with the other Fusion Middleware products. This is the second 12c release of SOA Suite, after 12c R1.

The installation process is exactly the same as for 11g or 12c R1. With the 12c quick installer you only need to install the database first; everything else is installed by the SOA quick installer.

Here we install and configure a SOA domain for a production environment. The same instructions can be used for other environments (TEST or DEV). In this post we install and configure the following components:
1.       SOA
2.       OSB
3.       ESS
4.       B2B

We are not going to configure persistence stores and other HA configurations. We will cover these topics in upcoming blog posts.

Prerequisites

1.       You must have at least JDK version 1.8.0_51.
2.       The Admin Server is installed on shared storage for manual failover, whereas the managed servers are installed on local storage for performance.
3.       Download the following distributions:
Software
-          JDK
-          Oracle Fusion Middleware Infrastructure
-          Oracle SOA Suite (SOA/BPM, BAM, ESS)
-          Oracle Service Bus
-          Oracle B2B

File Name : V78170-01.zip

4.       All installers must be executed with a JDK, not a JRE.

Instructions

Directory Structure Creation

1.       Set umask to 027 before creating any directory or installing any Oracle product, so that nothing the installation creates is world-readable:
umask 027
2.       Create the directory structure
mkdir -p /u01/oracle/products/fmw1221
mkdir -p /u01/oracle/config/domains/aserver
mkdir -p /u01/oracle/config/domains/mserver
mkdir -p /u01/oracle/config/nodemanager
mkdir -p /u01/oracle/config/applications/soa_domain

Install JAVA

3.       Extract the JDK archive:
tar -xzvf jdk-8u65-linux-x64.tar.gz
4.       Move the extracted directory to /u01/oracle/products/ and set the environment:
export JAVA_HOME=/u01/oracle/products/jdk1.8.0_65
export PATH=$JAVA_HOME/bin:$PATH
5.       Verify that path has been set properly:
[oratest@vensoan01 products]$ java -version
java version "1.8.0_65"
Java(TM) SE Runtime Environment (build 1.8.0_65-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)

Install SOA Suite

6.       Run the following installers in sequence. During each installation, enter the Oracle Home and select the Installation Type shown:

Oracle FMW Infrastructure
  Installer:         java -d64 -jar fmw_12.2.1.0.0_infrastructure.jar
  Oracle Home:       /u01/oracle/products/fmw1221
  Installation Type: FMW Infrastructure
  Dependencies:      none

Oracle SOA Suite
  Installer:         java -d64 -jar fmw_12.2.1.0.0_soa.jar
  Oracle Home:       /u01/oracle/products/fmw1221
  Installation Type: SOA Suite
  Dependencies:      FMW Infra

Oracle Service Bus
  Installer:         java -d64 -jar fmw_12.2.1.0.0_osb.jar
  Oracle Home:       /u01/oracle/products/fmw1221
  Installation Type: OSB
  Dependencies:      FMW Infra

Oracle B2B
  Installer:         java -d64 -jar fmw_12.2.1.0.0_b2bhealthcare.jar
  Oracle Home:       /u01/oracle/products/fmw1221
  Installation Type: B2B
  Dependencies:      FMW Infra, Oracle SOA

SOA Schema Creation

7.       RCU is installed together with FMW Infrastructure. Run rcu.sh from /u01/oracle/products/fmw1221/oracle_common/bin/ and select SOA Infrastructure and Oracle Enterprise Scheduler; the schemas these two depend on are selected automatically.
On the Custom Variables screen, enter LARGE for the Database Profile.
Note: the value of Database Profile is case sensitive; enter it in upper case.
8.       Accept the defaults on the remaining screens.

Creation of Domain

9.       Start the configuration wizard: /u01/oracle/products/fmw1221/oracle_common/common/bin/config.sh

Domain Location is /u01/oracle/config/domains/aserver/soa_domain
10.   On the next screen, select the domain template if you have from previous environment OR Select the following templates
Oracle Enterprise Manager - 12.2.1.0 [em]
Selecting this template automatically selects the following dependencies:
Oracle JRF - 12.2.1.0 [oracle_common]
WebLogic Coherence Cluster Extension - 12.2.1.0 [wlserver]
Oracle WSM Policy Manager - 12.2.1.0 [oracle_common]
Oracle SOA Suite - 12.2.1.0 [soa]
Oracle Service Bus - 12.2.1.0 [osb]
Oracle B2B - 12.2.1.0 [soa]
Oracle Enterprise Scheduler Service Basic - 12.2.1.0
Oracle Enterprise Manager Plugin for ESS - 12.2.1.0
11.   Application location /u01/oracle/config/applications/soa_domain


12.   Domain Mode should be Production; verify that the right JDK is selected.

13.   Get RCU Configuration: It will automatically retrieve RCU schemas configurations.


14.   Configuring datasources
Note: Make sure you choose Convert to GridLink option for RAC database.
 

15.   Make sure "Enable FAN" is selected. Enter the database SCAN address and port.
16.   On the Advanced Configuration screen, select the components to configure (at least Node Manager and Topology, which the following steps cover).


17.   On Node Manager screen, select manual Node Manager Setup.
18.   Create/configure the following managed servers:

Cluster Name   Server Name   Listen Address         Port   Server Group
-              AdminServer   ADMINVHN               7001   None
WSM_cluster    WSM_server1   soahost1.example.com   7001   JRF-MAN-SVR, WSM-CACHE-SVR, WSMPM-MAN-SVR
SOA_cluster    SOA_server1   soahost1.example.com   8005   SOA-MGD-SVR
OSB_cluster    OSB_server1   soahost1.example.com   8007   OSB-MGD-SVR
ESS_cluster    ESS_server1   soahost1.example.com   8009   ESS-MGD-SVR

19.   Configuration wizard will automatically create coherence cluster for member clusters (SOA_cluster, OSB_Cluster, ESS_Cluster etc). Just change port to 9991 or any other appropriate port.
Note: Coherence provides replicated and distributed data management and caching services that you can use to reliably make an application's objects and data available to all servers in a Coherence cluster. To do this, WebLogic Server retains configuration information used to locate and communicate with a Coherence cluster.
20.   Create two Unix machines, one for the AdminServer and one for the managed servers:

Machine Name   Node Manager Listen Address   Node Manager Listen Port   Servers
ADMINHOST      ADMINVHN                      5556                       AdminServer
SOAHOST1       soahost1.example.com          5556                       WSM_server1, ESS_server1, SOA_server1, OSB_server1
21.   Review the summary and create the domain.

Creating the boot.properties file

mkdir -p $ASERVER_HOME/servers/AdminServer/security
In a text editor, create a file called boot.properties in the security directory created in the previous step, and enter the Administration Server credentials that you defined when you ran the Configuration Wizard to create the domain:
username=weblogic
password=XXXXXX
This file holds the administrator password in clear text until the Administration Server has started once and encrypted both values in place, so keep it at mode 600; the umask of 027 set earlier still leaves it group-readable.
Start the Admin Server to validate the configuration:
cd $ASERVER_HOME/bin
nohup ./startWebLogic.sh &
Verify that there is no error in the AdminServer.out log file and access the console at http://soahost1.example.com:7001/console/

Configuring the Nodemanager Per host

1.    Change the Node Manager communication type from SSL to Plain for SOAHOST1 and ADMINHOST. Plain means the Node Manager credentials and every start/stop command cross the network unencrypted; this is a convenience for the initial setup on a trusted network, and production hosts should be switched back to SSL once the Node Manager has a certificate of its own.
2.    Set the Node Manager credentials: go to soa_domain >> Security tab >> General, then click Advanced.
3.    Create the nodemanager.properties in /u01/oracle/config/nodemanager/ with following values:
DomainsFile=/u01/oracle/config/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=12.2.1
AuthenticationEnabled=true
NodeManagerHome=/u01/oracle/config/nodemanager
JavaHome=/u01/oracle/products/jdk1.8.0_65
LogLevel=INFO
DomainsFileEnabled=true
StartScriptName=startWebLogic.sh
ListenAddress=
NativeVersionEnabled=true
ListenPort=5556
LogToStderr=true
SecureListener=false
LogCount=1
StopScriptEnabled=false
QuitEnabled=false
LogAppend=true
StateCheckInterval=500
CrashRecoveryEnabled=false
StartScriptEnabled=true
LogFile=/u01/oracle/config/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50
4.    Copy startNodeManager.sh from WL_HOME/server/bin to /u01/oracle/config/nodemanager/ and add the following line to the copy:
NODEMGR_HOME="/u01/oracle/config/nodemanager/"
5.    Add the ASERVER and MSERVER paths to the nodemanager.domains file, creating it with the following entry:
soa_domain=/u01/oracle/config/domains/mserver/soa_domain;/u01/oracle/config/domains/aserver/soa_domain
6.    Start the nodemanager from $NM_HOME.
nohup ./startNodeManager.sh > ./nodemanager.out 2>&1 &
Monitor the nodemanager.out file and make sure the following string:-
<INFO><Plain socket listener started on port 5556>
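The two files created in the last sections, boot.properties and nodemanager.properties, are the ones on this host that carry credentials or decide who can start servers. The following added check (my own code, not Oracle's) reads both and reports the settings this page itself relaxes: the plain Node Manager listener, the empty ListenAddress, and a boot.properties that is still readable to the group or not yet encrypted. The paths are the ones used on this page; the "{" prefix test for WebLogic's encrypted {AES} values and the wording of the findings are my assumptions.

```python
# Added example (not from the original post): a post-install check of the two
# credential-bearing files this procedure creates. Paths are the post's; the
# rules encode what this page itself recommends plus Node Manager defaults.
import os
import stat

ASERVER_HOME = "/u01/oracle/config/domains/aserver/soa_domain"   # from the post
NM_HOME = "/u01/oracle/config/nodemanager"                         # from the post


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_nodemanager(props):
    """Findings for nodemanager.properties. An empty list means nothing to fix."""
    findings = []
    if props.get("SecureListener", "true").lower() != "true":
        findings.append("SecureListener=false: Node Manager credentials and start/stop "
                        "commands travel in plain text; acceptable only on a trusted network")
    if not props.get("ListenAddress"):
        findings.append("ListenAddress is empty: Node Manager listens on every interface; "
                        "pin it to the host address")
    if props.get("AuthenticationEnabled", "true").lower() != "true":
        findings.append("AuthenticationEnabled=false: anyone reaching the port can start servers")
    if props.get("QuitEnabled", "false").lower() == "true":
        findings.append("QuitEnabled=true: a remote client can shut Node Manager down")
    return findings


def audit_boot_properties(path):
    """Findings for boot.properties: file mode, and whether WLS has encrypted it yet."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is mode %03o: readable beyond the owner, chmod 600 it" % (path, mode))
    with open(path) as fh:
        props = {k.lower(): v for k, v in parse_properties(fh.read()).items()}
    for key in ("username", "password"):
        value = props.get(key, "")
        # WebLogic rewrites both values as {AES}... on the first Administration
        # Server start (assumed prefix); until then the file holds the admin
        # password in clear text.
        if value and not value.startswith("{"):
            findings.append("%s: %s is still clear text; start the AdminServer once so "
                            "it is encrypted" % (path, key))
    return findings


def run_audit(nm_home=NM_HOME, aserver_home=ASERVER_HOME):
    """Audit both files on a real install; returns a dict of path -> findings."""
    nm_file = os.path.join(nm_home, "nodemanager.properties")
    boot_file = os.path.join(aserver_home, "servers", "AdminServer", "security",
                             "boot.properties")
    with open(nm_file) as fh:
        nm_findings = audit_nodemanager(parse_properties(fh.read()))
    return {nm_file: nm_findings, boot_file: audit_boot_properties(boot_file)}


if __name__ == "__main__":
    for path, findings in run_audit().items():
        print(path, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run as the oracle user after the Admin Server has been started once; against the nodemanager.properties shown above it reports the SecureListener and ListenAddress settings, both of which are worth tightening before the host goes into production.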

Creation of MSERVER domain

1.    Log in to SOAHOST1 and run the pack command to create a template as follows:
cd $ORACLE_HOME/oracle_common/common/bin
 ./pack.sh -managed=true -domain=$ASERVER_HOME -template=/u01/oracle/config/soadomaintemplate.jar -template_name=soa_domain_template
2.    Run the unpack command to unpack the template into the domain directory on local storage, as follows:
cd $ORACLE_COMMON_HOME/common/bin

./unpack.sh -domain=$MSERVER_HOME -overwrite_domain=true -template=/u01/oracle/config/soadomaintemplate.jar -log_priority=DEBUG -log=/tmp/unpack.log -app_dir=/u01/oracle/config/applications/soa_domain/

Starting the AdminServer with Nodemanager

1.    Start the WebLogic Scripting Tool (WLST):
cd $ORACLE_COMMON_HOME/common/bin
./wlst.sh
2.    Connect to Node Manager using the Node Manager credentials you defined in the WebLogic Server Administration Console:
wls:/offline> nmConnect('weblogic_nm','xxxxxx','localhost','5556','soa_domain','/u01/oracle/config/domains/aserver/soa_domain','PLAIN')
3.    Start the Administration Server:
nmStart('AdminServer')
Verify the console and EM from the WLS console.
4.    Start all the managed servers from EM.

Configuring SOA Schemas for Transaction Recovery

This procedure sets the appropriate database privileges to SOAINFRA schema so that the WLS transaction manager can query the schemas for transaction state information and issue the appropriate commands, such as commit and rollback, during recovery of in-flight transactions after a WLS is unexpectedly unavailable.
Connect as the SYS user and run the following two commands:
Grant select on sys.dba_pending_transactions to soa_soainfra;
Grant force any transaction to soa_soainfra;

Modifying the Upload and Stage Directories Path

After creating the domain and unpacking it to the Managed Server domain directory, verify and update the upload and stage directories for the Managed Servers. This step is necessary to avoid potential issues when performing remote deployments and for deployments that require the stage mode.
1.    Go to each managed server -> Configuration tab -> Deployment tab and update the staging and upload directory paths.
Staging Directory Name:
ESS: /u01/oracle/config/domains/mserver/soa_domain/servers/ESS_server1/stage
OSB: /u01/oracle/config/domains/mserver/soa_domain/servers/OSB_server1/stage
SOA: /u01/oracle/config/domains/mserver/soa_domain/servers/SOA_server1/stage
WSM: /u01/oracle/config/domains/mserver/soa_domain/servers/WSM_server1/stage
Upload Directory Name: /u01/oracle/config/domains/aserver/soa_domain/servers/AdminServer/upload
2.    Restart all managed servers.

Domain Verification

Verify that each of the following consoles and services is reachable:
-          WLS Admin Console
-          EM Control
-          OSB Console
-          SB Inspection
-          SOA Infra
-          SOA Composer
-          BPM Worklist
-          User Communication Preferences
-          Identity Service
-          WSM
-          ESS Health Check
-          ESS
-          B2B Console
-          B2B Services