WS-Security vs SSL/TLS Security with reference to WebServices

SSL/TLS encrypts at transport level; WS-Security encrypts at message level. SSL/TLS provides in-transit security only. This means that the request is only encrypted while it is travelling from client to server (or back). ... WS-Security maintains the encryption until the moment when the request is processed. SSL/TLS secure messages at HTTP level whereas WS-Security at XML level. In performance-wise SSL is very much faster than WS-Security.

Please note that REST-based WebServices inherits security measures from the underlying transport level security.

Limitation with SSL/TLS

1.      SSL/TLS is at point-to-point whereas WS-Security is at end-to-end, where multiple intermediary nodes (WebServers, Load balancer, proxy server etc) could exist between the two endpoints.

2.      SSL/TLS does not provide Know-Your-Customer (KYC) whereas WS-Security provides this feature.

3.      SSL does not provide element-wise signing and encryption. For example, if you have a large purchase order XML document, yet you want to only sign or encrypt a credit card element, signing or encrypting only that element with SSL proves rather difficult. Again, that is due to the fact that SSL is a transport-level security scheme as opposed to a message-level scheme.

We can configure transport level security and message level security without configuring SSL/TLS at server level  then you need to configure SSL/TLS WSM policy at WebService level for example oracle/wss_http_token_over_ssl_service_policy.

How to configure secure RIDC port in WebCenter Content?

An SSL Incoming Provider is leveraged and instantiated to create an SSL server socket to which Intradoc clients (WCC UI, WCP etc) can connect, and whereby traffic is encrypted. The provider can be configured with or without requiring client authentication (the WCC UI Managed Server is a client of Content Server). When client authentication is not required, the JAVA RIDC client making the connection to the SSL server socket (Intradoc secure-socket port) does not need to present a valid certificate. This mode is not very different from a normal, non-SSL Intradoc connection. The main difference, however, is that traffic is encrypted and cannot be viewed by packet capture, and so on, in the clear. Client authentication means that the client must supply a valid SSL certificate signed by an authority that is in the server's trust store. 

Pre-requisites

1.       Oracle WebCenter Content (WCC) 12.2.1 is installed

2.       WCC domain is created and all servers are running.

3.       RIDC non-SSL port is configured and IDC is running on 4444.

Steps:

1.       Create the SSL incoming socket provider of sslincoming provider type

Provider Name:	sslkeepaliveincomingprovider
Provider Description:	For RIDC over SSL
Provider Type:	sslincoming
Provider Class:	idc.provider.ssl.SSLSocketIncomingProvider
Provider Connection:	idc.provider.KeepaliveSocketIncomingConnection
Server Thread Class:	idc.server.KeepaliveIdcServerThread
Server Port:	4445
Request Client Authentication:	No
Require Client Authentication:	No
Keystore File Path:	/oracle/app/keystores/wcc_keystore.jks
Alias:	Dev1WCC
Truststore File Path:	/oracle/app/keystore/wcc_trust.jks
Note: a. Please note that RIDC non-secure port and RIDC secure port should be different and must have required firewalls rules. b. If you want client authentication then check the “Require Client Authentication” from the SSL incoming provider. Then you must configure keystore for your client.

2.       Restart the WCC managed server. Make sure that sslincoming provider is in good state.

Once you finished with above steps, IDC server is configured for RIDC secure (SSL) port and you can use idcs protocol for any client.

Verification:

1.       Check SSL is configured

openssl s_client -connect wcchost1:4445

CONNECTED(00000003)
depth=2 C = AU, ST = NSW, L = Sydney, O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza

verify error:num=19:self signed certificate in certificate chain

verify return:0

---

Certificate chain
0 s:/C=AU/ST=New South Wales/L=Sydney/O= O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza

2.       Check the IDC Service PING_SERVER

http://wcchost1:16200/cs/idcplg?IdcService=PING_SERVER&IsAllowAnonymous=1&IsJava=1

You will see output like:

<?hda version="12.2.1.2.0-2017-07-05 09:25:44Z-r155055" jcharset="UTF8" encoding="utf-8"?>

@Properties LocalData

IdcService=PING_SERVER

IsAllowAnonymous=1

IsJava=1

StatusMessage=You are logged in as ‘weblogic’.

3.       You can configure idcs connection url in any RIDC client for example WCC UI app:

updateRIDCConnection('Oracle WebCenter Content – Web UI',

'WccAdfServerConnection',connUrl='idcs://wcchost1:4445',

credUsername='sysadmin')

Configuring Two-way SSL for Oracle SOA Suite

By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). When the server needs to authenticate the client, you use two-way SSL. In a two-way SSL connection, the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake. The server determines whether or not two-way SSL is used.

If you have a need to use two-way SSL between SOA/OSB and external application, you can follow these steps.

·         Configuring two-way Inbound SSL

·         Configuring two-ways Outbound SSL

Perquisites

1.    Keystore has been configured for SOA and OSB server.

2.    Identity Certificate for the SOA server has been added in the Identity Key Store.

3.    Public Certificates of the partner have been added into the Trust Key Store.

Configuring two-way Inbound SSL
Change the following SSL properties for SOA and OSB server:

	SOA_server1	1/2 way
SSL Port Enabled	True	1
SSL Port	8002	1
Private Key Alias	PRIVATE-KEY-ALIAS	1
Private Key Passphrase	<Passphrase>	1
Use Server Certs	Checked	2
Two Way Client Cert Behavior	Client Certs Requested And Enforced	2

Once you performed above step, two way SSL for inbound connection is done.   

Configuring two-ways Outbound SSL

For two-way outbound SSL connection (i.e. a SOA composite application to invoke another application), perform the followings are the additional steps:-

1.    Go to Soa-infra->SOA Administration->Common Properties.

2.    Then click at the link at the bottom of the page: “More SOA Infra Advances Infrastructure Configuration Properties” and then enter the full path of soa identity keystore in the value field of the KeyStoreLocation attribute.

3.    Now, navigate to the domain->security->credential

4.    Click Create Map. In the Map Name field, enter SOA, and click OK

5. Click Create Key.  Enter the following details where the password is the password for the SOA identity keystore.

Field	Value	Description
Select Map	SOA	Select the map created in last step.
Key	KeystorePassword	Enter the key name (KeystorePassword is the default).
Type	Password	Select Password.
User Name	KeystorePassword	Enter the keystore user name (KeystorePassword is the default).
Password	<Passphrase>	Enter the password that you created for the keystore
Description	Keystore for Outbound Webservice binding via SSL	Description of the credential keystore

6.    Restart SOA  managed servers.

Quick Enterprise Installation of Oracle SOA Suite 12c Release 2 (12.2.1.0.0)

Oracle released Oracle SOA Suite 12c version on 23/10/2015 along-with other Fusion Middleware products. This is a 2^nd release of SOA Suite after 12c R1.

Installation process is exactly same as we used to install with 11g or 12c R1. In case of quick installer for 12c, you just need to install database and then everything will be installed with SOA quick installer.

Here, we are going to install and configure SOA domain for production environments. You can use same instructions to install other environments (TEST or DEV). In this post, we are going to install and configure following components:-

1.       SOA

2.       OSB

3.       ESS

4.       B2B

We are not going to configure persistence stores and other HA configurations. We will cover these topics in upcoming blog posts.

Prerequisites

1.       You must have atleast JDK version 1.8.0_51 or above.

2.       Admin server will be installed on shared storage for manual failover. Whereas Managed server will be installed on local storage due to performance.

3.       Download the following distributions from download link:

Software	Download Link
JDK	http://download.oracle.com/otn-pub/java/jdk/8u65-b17/jdk-8u65-linux-x64.tar.gz File Name : jdk-8u65-linux-x64.tar.gz
Oracle Fusion Middleware Infrastructure	http://download.oracle.com/otn/nt/middleware/12c/1221/fmw_12.2.1.0.0_infrastructure_Disk1_1of1.zip File Name : fmw_12.2.1.0.0_infrastructure_Disk1_1of1.zip
Oracle SOA Suite -          SOA/BPM -          BAM -          ESS	https://edelivery.oracle.com/osdc/download?fileName=V78169-01.zip File Name: V78169-01.zip
Oracle Service Bus	https://edelivery.oracle.com/osdc/download?fileName=V78173-01.zip File Name: V78173-01.zip
Oracle B2B	https://edelivery.oracle.com/osdc/download?fileName=V78170-01.zip File Name : V78170-01.zip

4.       All installers must be executed with JDK not with JRE.

Instructions

Directory Structure Creation

1.       Setup umask to 027 before creating any directory or before installing any Oracle product.

umask 027

2.       Create the directory structure

mkdir -p  /u01/oracle/products/fmw1221

mkdir -p /u01/oracle/config/domains/aserver

mkdir -p /u01/oracle/config/domains/mserver

mkdir –p /u01/oracle/config/nodemanager

mkdir –p /u01/oracle/config/applications/soa_domain

Install JAVA

3.       Unzip the jdk directory.

tar -xzvf jdk-8u65-linux-x64.tar.gz

4.       Move the directory to /u01/oracle/products/

export JAVA_HOME=/u01/oracle/products/jdk1.8.0_65

export PATH=$JAVA_HOME/bin:$PATH

5.       Verify that path has been set properly:

[oratest@vensoan01 products]$ java -version

java version "1.8.0_65"

Java(TM) SE Runtime Environment (build 1.8.0_65-b17)

Java HotSpot(TM) 64-Bit Server VM (build 25.65-b01, mixed mode)

Install SOA Suite

6.       Run the following installer in sequence. During installation, enter/select the oracle home and select the Installation type as mentioned in the table.

Product	Installer	Oracle Home	Installation Type	Dependencies
Oracle FMW Infrastructure	java -d64 -jar fmw_12.2.1.0.0_infrastructure.jar	/u01/oracle/products/fmw1221	FMW Infrastructure
Oracle SOA Suite	java -d64 -jar fmw_12.2.1.0.0_soa.jar	/u01/oracle/products/fmw1221	SOA Suite	FMW Infra
Oracle Service Bus	java -d64 -jar fmw_12.2.1.0.0_osb.jar	/u01/oracle/products/fmw1221	OSB	FMW Infra
Oracle B2B	java -d64 -jar fmw_12.2.1.0.0_b2bhealthcare.jar	/u01/oracle/products/fmw1221	B2B	-FMW Infra -Oracle SOA

SOA Schema Creation

7.       RCU is also installed when we install FMW Infra. Run rcu.sh file from
cd /u01/oracle/products/fmw1221/oracle_common/bin/ and select SOA Insfrastructure and Oracle Enterprise Scheduler. These two schemas will select required schemas automatically.

1.       Custom variable screen, enter LARGE.

Note: Value of Database Profile is case sensitive. Please ener value in Uppercase.

8.       Go default to rest of the screens.

Creation of Domain

9.       Start the configuration wizard: /u01/oracle/products/fmw1221/oracle_common/common/bin/config.sh

Domain Location is /u01/oracle/config/domains/aserver/soa_domain

10.   On the next screen, select the domain template if you have from previous environment OR Select the following templates

Oracle Enterprise Manager - 12.2.1.0 [em]

Selecting this template automatically selects the following dependencies:

Oracle JRF - 12.2.1.0 [oracle_common]

WebLogic Coherence Cluster Extension - 12.2.1.0 [wlserver]

Oracle WSM Policy Manager - 12.2.1.0 [oracle_common]

Oracle SOA Suite - 12.2.1.0 [soa]

Oracle Service Bus - 12.2.1.0 [osb]

Oracle B2B - 12.2.1.0 [soa]

Oracle Enterprise Scheduler Service Basic - 12.2.1.0

Oracle Enterprise Manager Plugin for ESS - 12.2.1.0

11.   Application location /u01/oracle/config/applications/soa_domain

12.   Domain Mode should be Production and verify that right JDK is there.

13.   Get RCU Configuration: It will automatically retrieve RCU schemas configurations.

14.   Configuring datasources

Note: Make sure you choose Convert to GridLink option for RAC database.

 

15.   Make sure “Enable Fan” is selected. Enter database host name and port in SCAN address.

16.   Select the following component in Advanced Configruations

17.   On Node Manager screen, select manual Node Manager Setup.

18.   Create/configure the following managed servers

Cluster Name	Server Name	Listen Address	Port	Server Group
	AdminServer	ADMINVHN	7001	None
WSM_cluster	WSM_server1	soahost1.example.com	7001	JRF-MAN-SVR WSM-CACHE-SVR WSMPM-MAN-SVR
SOA_cluster	SOA_server1	soahost1.example.com	8005	SOA-MGD-SVR
OSB_cluster	OSB_server1	soahost1.example.com	8007	OSB-MGD-SVR
ESS_cluster	ESS_server1	soahost1.example.com	8009	ESS-MGD-SVR

19.   Configuration wizard will automatically create coherence cluster for member clusters (SOA_cluster, OSB_Cluster, ESS_Cluster etc). Just change port to 9991 or any other appropriate port.

Note: Coherence provides replicated and distributed data management and caching services that you can use to reliably make an application's objects and data available to all servers in a Coherence cluster. To do this, WebLogic Server retains configuration information used to locate and communicate with a Coherence cluster.

20.   Create two Unix machines one for AdminServer and other for Managed Servers.

Machine Name	NodeManager Listen Address	NodeManager Listen Port	Server Group
ADMINHOST	ADMINVHN	5556	AdminServer
SOAHOST1	soahost1.example.com	5556	WSM_server1 ESS_server1 SOA_server1 OSB_server1

21.   Review the summary and create the domain.

Creating the boot.properties file

mkdir -p $ASEVER_HOME/servers/AdminServer/security

In a text editor, create a file called boot.properties in the security directory created in the previous step, and enter the Administration Server credentials that you defined when you ran the Configuration Wizard to create the domain:

Username=weblogic

Password=XXXXXX

Start the admin server to validate the config

$ASERVER_HOME/bin/nohup ./startWeblogic.sh &

Verify that there is no error in AdminServer.out log file and access the console http://soahost1.example.com:7001/console/

Configuring the Nodemanager Per host

1.    Change the communication type from SSL to plain for SOAHOST1 and ADMINHOST.

2.    Set the Nodemanager Credential. Go to soa_domain >> Security tab >> General and then click on Advanced.

3.    Create the nodemanager.properties in /u01/oracle/config/nodemanager/ with following values:

DomainsFile=/u01/oracle/config/nodemanager/nodemanager.domains

LogLimit=0

PropertiesVersion=12.2.1

AuthenticationEnabled=true

NodeManagerHome=/u01/oracle/config/nodemanager

JavaHome=/u01/oracle/products/jdk1.8.0_65

LogLevel=INFO

DomainsFileEnabled=true

StartScriptName=startWebLogic.sh

ListenAddress=

NativeVersionEnabled=true

ListenPort=5556

LogToStderr=true

SecureListener=false

LogCount=1

StopScriptEnabled=false

QuitEnabled=false

LogAppend=true

StateCheckInterval=500

CrashRecoveryEnabled=false

StartScriptEnabled=true

LogFile=/u01/oracle/config/nodemanager/nodemanager.log

LogFormatter=weblogic.nodemanager.server.LogFormatter

ListenBacklog=50

4.    Copy the startNodemanager from

WL_HOME/server/bin

To /u01/oracle/config/nodemanager/

And add

NODEMGR_HOME="/u01/oracle/config/nodemanager/"

5.    Add the ASERVER and MSERVER path in nodemanager.domain file

Add the following entries to the new nodemanager.domains files:

soa_domain=/u01/oracle/config/domains/mserver/soa_domain;/u01/oracle/config/domains/aserver/soa_domain

6.    Start the nodemanager from $NM_HOME.

nohup ./startNodeManager.sh > ./nodemanager.out 2>&1 &

Monitor the nodemanager.out file and make sure the following string:-

<INFO><Plain socket listener started on port 5556>

Creation of MSERVER domain

1.    Log in to SOAHOST1 and run the pack command to create a template as follows:

cd $ORACLE_HOME/oracle_common/common/bin

 ./pack.sh -managed=true -domain=$ASERVER_HOME -template=/u01/oracle/config/soadomaintemplate.jar -template_name=soa_domain_template

2.    Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:

cd ORACLE_COMMON_HOME/common/bin

./unpack.sh -domain=$MSERVER_HOME -overwrite_domain=true -template=/u01/oracle/config/soadomaintemplate.jar -log_priority=DEBUG -log=/tmp/unpack.log -app_dir=/u01/oracle/config/applications/soa_domain/

Starting the AdminServer with Nodemanager

1. Start the WebLogic Scripting Tool (WLST):

cd ORACLE_COMMON_HOME/common/bin

./wlst.sh

2. Connect to Node Manager using the Node Manager credentials you defined in the WebLogic Server Administration Console:

wls:/offline>nmConnect('weblogic_nm','xxxxxx’,'localhost','5556','soa_a_domain','/u01/oracle/config/domains/aserver/soa_domain','PLAIN')

3.    Start the Administration Server:

nmStart('AdminServer')

Verify the console and em from WLS console.

4.     Start all the managed servers from EM.

Configuring SOA Schemas for Transaction Recovery

This procedure sets the appropriate database privileges to SOAINFRA schema so that the WLS transaction manager can query the schemas for transaction state information and issue the appropriate commands, such as commit and rollback, during recovery of in-flight transactions after a WLS is unexpectedly unavailable.

Connect with sys user and run following two commands:

Grant select on sys.dba_pending_transactions to soa_soainfra;

Grant force any transaction to soa_soainfra;

Modifying the Upload and Stage Directories Path

After creating the domain and unpacking it to the Managed Server domain directory, verify and update the upload and stage directories for the Managed Servers. This step is necessary to avoid potential issues when performing remote deployments and for deployments that require the stage mode.

1.    Go to each managed server à Configuration tab à Deployment tab and update the staging and upload directory path.

Staging Directory Name:

ESS: /u01/oracle/config/domains/mserver/soa_domain/servers/ESS_server1/stage

OSB: /u01/oracle/config/domains/mserver/soa_domain/servers/OSB_server1/stage

SOA: /u01/oracle/config/domains/mserver/soa_domain/servers/SOA_server1/stage

WSM: /u01/oracle/config/domains/mserver/soa_domain/servers/WSM_server1/stage

Upload Directory Name: /u01/oracle/config/domains/aserver/soa_domain/servers/AdminServer/upload

2.    Restart all managed servers.

Domain Verification

Service	URL
WLS Admin Console	http://soahost1.example.com:7001/console
EM Control	http://soahost1.example.com:7001/em
OSB Console	http://soahost1.example.com:7001/sbconsole
SB Inspection	http://soahost1.example.com:7007/sbinspection.wsil
SOA Infra	http://soahost1.example.com:7005/soa-infra/
SOA Composer	http://soahost1.example.com:7005/soa/composer
BPM Worklist	http://soahost1.example.com:7005/integration/worklistapp
User Communication preferences	http://soahost1.example.com:7005/sdpmessaging/userprefs-ui
Identity Service	http://soahost1.example.com:7005/integration/services/IdentityService/identity?WSDL
WSM	http://soahost1.example.com:7003/wsm-pm/validator
ESS Health Check	http://soahost1.example.com:7009/EssHealthCheck
ESS	http://soahost1.example.com:7009/ess/
B2B Console	http://soahost1.example.com:7005/b2bconsole
B2B Services	http://soahost1.example.com:7005/b2b/services