Oracle Web Service Manager 11g: Message Protection Policy (in WLS)
March 2012
Step-by-Step Instruction Guide
Author: Prakash Yamuna, Senior Development Manager, Oracle Corporation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 2
Table of Contents
Use Case
Description
Objective
Software Requirements
Prerequisites
Verified Product Version
Potentially Applies to Product Version(s)
Download Main Page
Product URLs
Step by Step Instructions
Install Location
Create HelloWorld POJO JAX-WS Application
Attach Message protection OWSM Security Policy
Creating Keystore and Credentials
Configuring Integrated WLS Server to enable enforcing Message protection Policy
Copying the Keystore under the right location for Integrated WLS Server
Verifying jps-config.xml in Default Domain
Creating Credentials required for Keystore access
Relationship between Keystore, Credential Store, jps-config.xml
Testing with SOAP UI
Create SOAP UI Project
Create WS-Security Configurations
Add Keystore/Certificates
Add Outgoing WS-Security Configurations
Add Incoming WS-Security Configurations
Appendix
Log Generated the first time any app is run in Integrated WLS Server
Use Case
Description
This How-To demonstrates how to use the OWSM Message Protection policy to secure a JAX-WS Web Service and how to test it with SOAP UI.
Objective
The main objectives of this How-To are to:
- Demonstrate the steps required to secure a simple HelloWorld JAX-WS web service in JDeveloper.
- Configure the Integrated WLS Server to enable using OWSM message protection policies to secure the HelloWorld JAX-WS web service.
- Run the HelloWorld JAX-WS web service within the Integrated WLS Server that ships with JDeveloper.
- Configure and test the HelloWorld JAX-WS web service with SOAP UI.
Software Requirements
Prerequisites
#   Product                                      Download URL
1   Install SOA Suite 11.1.1.6 with JDeveloper
2   SOAP UI Pro 4.0.1
Verified Product Version
#   Product      Release Version
1   WebLogic     10.3.6
2   SOA          11.1.1.6
3   JDeveloper   11.1.1.6
Potentially Applies to Product Version(s)
#   Product      Release Version
1   WebLogic     10.3.3, 10.3.4, 10.3.5, 10.3.6
2   SOA          11.1.1.4, 11.1.1.5, 11.1.1.6
Download Main Page
http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html
Product URLs
Product                     URL                               Login/Password
EM Fusion Middle Control    http://admin_host:admin_port/em   User: weblogic, Password: welcome1
Note: This How-To uses SOAP UI Pro 4.0.1. The steps can vary with other versions of SOAP UI.
Step by Step Instructions
Install Location
In this How-To, JDeveloper has been installed at D:\Oracle11gMiddleware.
We will define ORACLE_HOME=D:\Oracle11gMiddleware.
JDeveloper.exe is at $ORACLE_HOME\jdeveloper\jdeveloper.exe.
In this How-To I am running JDeveloper from the command line, as shown in Figure 1.
Figure 1 Starting JDeveloper with the -su option
Create HelloWorld POJO JAX-WS Application
1. Start creation of a new application by clicking on “New Application”, as shown in Figure 2.
Figure 2 Click on New Application
This will launch a new application creation wizard.
2. Provide the following values, as shown in Figure 3:
   “Application Name”: HelloWorldJaxWS
   “Directory”: D:\JDeveloper\mywork\HelloWorldJaxWS
JDeveloper will create the new application in the above directory. For purposes of this How-To, select “Generic Application” from the Application Template, as shown in Figure 3.
Figure 3 Provide Application Name and Folder information
Click on the “Next” button to proceed to the next step.
3. Create a Project for the new application by providing project information such as “Project Name” and “Directory”, as shown in Figure 4. Since we want to create a POJO-based Web Service, select “Web Services” from the “Project Technologies” tab. This will automatically also include Java. Figure 4 shows the selected technologies for this project.
Figure 4 Select Project Technologies and provide Project information
Click on the “Next” button.
4. Complete the New Application creation process by providing package information, and leave the defaults for “Java Source Path” and “Output Directory”, as shown in Figure 5.
Figure 5 Provide Package and other Java Settings
Click on the “Finish” button to complete creation of the new application and the project.
5. Next we will create a Java Class. To create a Java Class, right click on the “HelloWorld” project under the HelloWorldJaxWS application and select “New” from the Context Menu, as shown in Figure 6.
Figure 6 Creating Java Class in a project
6. This will launch the dialog shown in Figure 7. In the “Current Project Technologies” tab, select “Java” from the “Categories” on the left-hand side, and under the “Items” panel on the right-hand side select “Java Class”, as shown in Figure 7. Click on the “OK” button after making the above selections.
Figure 7 Select Java Class from the New Gallery Dialog
7. This will launch the new “Java Class” creation dialog, as shown in Figure 8. Provide “HelloWorld” as the name of the Java class and provide an appropriate value for the Java package. Retain the defaults for the remainder of the fields. Click “OK” to complete the new Java Class creation dialog.
Figure 8 New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:
    package helloworld;

    public class HelloWorld {
        public HelloWorld() {
            super();
        }
    }
Add the following lines of code to the HelloWorld class:
    // Operation that will be exposed by the Web Service
    public String hello(String str) {
        return "Hello " + str;
    }
9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right click on the HelloWorld.java file and select “Create Web Service…” from the Context menu, as shown in Figure 9.
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard, select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process, as shown in Figure 10 - Figure 17.
Figure 10 Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Figure 14 Skip Additional Classes
Figure 15 Skip specifying policies
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right click on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the Context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies dialog, select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to “D:\Oracle11gMiddleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy, as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class, as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a Keystore and Credentials. First we will create the keystore using the keytool command, as shown in Figure 22. The command to create the keystore using keytool is shown below. (Note: keytool is shipped with the JDK.)
    $> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
    $> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23 Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by right clicking on HelloWorld.java and selecting “Run” from the Context Menu, as shown in Figure 24.
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The messages of interest here are the following:
    [Waiting for the domain to finish building]
    [09:47:56 PM] Creating Integrated Weblogic domain
    [09:50:03 PM] Extending Integrated Weblogic domain
    [09:50:51 PM] Integrated Weblogic domain processing completed successfully
    Using port 7101
    D:\Oracle11gMiddleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
    [waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time – the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11gMiddleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11gMiddleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig”, as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11gMiddleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11gMiddleware\oracle_common\common\bin\wlst.cmd, as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain, as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
    $> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    $> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    $> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper, as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project, as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS, as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab, as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore, as shown in Figure 33. This will launch a dialog to select the Key Material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1”, as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon, as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented which contains a single drop down list. Select “Timestamp” from the dialog, as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds.
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Signature” from the “Add WSS Entry” drop down, as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:
   Name        Namespace                                                                             Encode
   Body        http://schemas.xmlsoap.org/soap/envelope/                                             Element
   Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42 Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Encryption” from the “Add WSS Entry” drop down, as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
   Name   Namespace                                   Encode
   Body   http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
b. Signature Keystore: Select “default-keystore.jks” from the drop down.
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request, as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down.
b. Incoming WSS: Select “wss10” from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password – enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
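To confirm that a request really carries what the “wss10” outgoing configuration was set up to produce (a Timestamp, a signature over Body and Timestamp, and encrypted Body content), the raw request can be inspected. The Python check below is an added example, not part of the original guide or of SOAP UI. `SAMPLE_REQUEST` is a constructed envelope with made-up IDs and with token, digest and cipher values omitted, and `inspect_request` and `policy_gaps` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
XMLNS = " ".join('xmlns:%s="%s"' % item for item in NS.items())

# Values selected in the guide's Signature and Encryption entries.
EXPECTED_ALGS = {
    "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "key_transport": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "data": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
}

# Constructed request: IDs are made up; token, digest and cipher values omitted.
SAMPLE_REQUEST = """<soap:Envelope %s>
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:05Z</wsu:Created></wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="X509-1"/>
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#Body-1"/>
   <ds:Reference URI="#TS-1"/>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>""" % XMLNS


def _alg(parent, path):
    """Return the Algorithm attribute of the element at path, or None."""
    node = parent.find(path, NS)
    return None if node is None else node.get("Algorithm")


def inspect_request(envelope_xml):
    """Summarise the WS-Security protection found in a SOAP 1.1 request."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        raise ValueError("not a WS-Security protected SOAP 1.1 envelope")
    # Signature references point at wsu:Id values; resolve them to elements.
    by_id = {e.get(WSU_ID): e for e in root.iter() if e.get(WSU_ID)}
    signed = set()
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is not None:
            signed.add(target.tag.rsplit("}", 1)[-1])
    # "Content" encoding leaves soap:Body in place and encrypts what is inside.
    children = list(body)
    encrypted = (len(children) == 1
                 and children[0].tag == "{%s}EncryptedData" % NS["xenc"]
                 and children[0].get("Type") == NS["xenc"] + "Content")
    return {
        "timestamp": sec.find("wsu:Timestamp", NS) is not None,
        "signed_parts": signed,
        "body_content_encrypted": encrypted,
        "algorithms": {
            "signature": _alg(sec, "ds:Signature/ds:SignedInfo/ds:SignatureMethod"),
            "key_transport": _alg(sec, "xenc:EncryptedKey/xenc:EncryptionMethod"),
            "data": _alg(body, "xenc:EncryptedData/xenc:EncryptionMethod"),
        },
    }


def policy_gaps(report):
    """List where the request differs from the wss10 outgoing configuration."""
    gaps = []
    if not report["timestamp"]:
        gaps.append("no Timestamp")
    for part in ("Body", "Timestamp"):
        if part not in report["signed_parts"]:
            gaps.append(f"{part} not signed")
    if not report["body_content_encrypted"]:
        gaps.append("Body not encrypted as Content")
    for name, expected in EXPECTED_ALGS.items():
        if report["algorithms"][name] != expected:
            gaps.append(f"{name} algorithm is {report['algorithms'][name]}")
    return gaps


if __name__ == "__main__":
    print(policy_gaps(inspect_request(SAMPLE_REQUEST)) or "matches wss10 configuration")
```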
Appendix
Log Generated the first time any app is run in Integrated WLS Server
    [Waiting for the domain to finish building]
    [09:47:56 PM] Creating Integrated Weblogic domain
    [09:50:03 PM] Extending Integrated Weblogic domain
    [09:50:51 PM] Integrated Weblogic domain processing completed successfully
    Using port 7101
    D:\Oracle11gMiddleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
    [waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 48
To start WebLogic Server use a username and
password assigned to an admin-level user For
server administration use the WebLogic Server
console at httphostnameportconsole
starting weblogic with Java version
java version 160_24
Java(TM) SE Runtime Environment (build 160_24-b50)
Java HotSpot(TM) Client VM (build 191-b02 mixed mode)
Starting WLS with line
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 49
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090905gt ltDisabling CryptoJ JCE Provider self-integrity check for better startup performance To enable this check specify -DweblogicsecurityallowCryptoJDefaultJCEVerification=truegt
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090906gt ltChanging the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG To disable this change specify -DweblogicsecurityallowCryptoJDefaultPRNG=truegt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltWebLogicServergt ltBEA-000377gt ltStarting WebLogic Server with Java HotSpot(TM) Client VM Version 191-b02 from Sun Microsystems Incgt
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 50
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0  Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started. ----
[09:52:06 PM] Target platform is (Weblogic 10.3).
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully.
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished. ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 2
Table of Contents Use Case 4
Description 4
Objective 4
Software Requirements 4
Prerequisites 4
Verified Product Version 4
Potentially Applies to Product Version(s) 4
Download Main Page 4
Product URLs 5
Step by Step Instructions 6
Install Location 6
Create HelloWorld POJO JAX-WS Application 7
Attach Message protection OWSM Security Policy 18
Creating Keystore and Credentials 22
Configuring Integrated WLS Server to enable enforcing Message protection Policy 23
Copying the Keystore under the right location for Integrated WLS Server 25
Verifying jps-configxml in Default Domain 26
Creating Credentials required for Keystore access 27
Relationship between Keystore Credential Store jps-configxml 29
Testing with SOAP UI 30
Create SOAP UI Project 30
Create WS-Security Configurations 33
Add KeystoreCertificates 34
Add Outgoing WS-Security Configurations 36
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 3
Add Incoming WS-Security Configurations 42
Appendix 47
Log Generated the first time any app is run in Integrated WLS Server 47
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 4
Use Case
Description
This How-To demonstrates how to use OWSM Message Protection policy to secure a JAX-WS Web Service and how to
test it with SOAP UI
Objective
The main objective of this How-To
Demonstrate the steps required to secure a simple HelloWorld JAX-WS web service in JDeveloper
Configure the Integrated WLS Server to enable using OWSM message protection policies to secure HelloWorld
JAX-WS
Run the HelloWorld JAX-WS web service within the Integrated WLS Server that ships with JDeveloper
Configure and Test the HelloWorld JAX-WS with SOAP UI
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
2 SOAP UI Pro 401
Verified Product Version
Product Release Version
1 WebLogic 1036
2 SOA 11116
3 JDeveloper 11116
Potentially Applies to Product Version(s)
Product Release Version
1 WebLogic 1033 1034 1035 1036
2 SOA 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 5
Product URLs
Product URL LoginPassword
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Note This How-To uses SOAP UI Pro 401 The steps can vary with other versions of SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 6
Step by Step Instructions
Install Location
In this How-To JDeveloper has been installed at
DOracle11gMiddleware
We will define ORACLE_HOME= DOracle11gMiddleware
JDeveloperexe is at $ORACLE_HOMEjdeveloperjdeveloperexe
In this How-To I am running JDeveloper from command line as shown in Figure 1
Figure 1 Starting JDeveloper with the -su option
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 7
Create HelloWorld POJO JAX-WS Application
1 Start creation of a new application by click on ldquoNew Applicationrdquo in Figure 2
Figure 2 Click on New Application
This is will launch a new application creation wizard
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 8
2 Provide the following values as show in Figure 3 ldquoApplication NamerdquoHelloWorldJaxWS ldquoDirectoryrdquo DJDevelopermyworkHelloWorldJaxWS JDeveloper wil create the new application in the above directory For purposes of this How-To select ldquoGeneric Applicationrdquo from the Application Template as shown in Figure 3
Figure 3 Provide Application Name and Folder information
Click on ldquoNextrdquo button to proceed to the next step
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 9
3 Create a Project for the new application by providing Project information like ldquoProject Namerdquo ldquoDirectoryrdquo as show in Figure 4 Since we want to create a POJO based Web Service Select ldquoWeb Servicesrdquo from the ldquoProject Technologiesrdquo tab This will automatically also include Java Figure 4 shows the selected technologies for this project
Figure 4 Select Project Technologies and provide Project information
Click on ldquoNextrdquo button
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 10
4 Complete the New Application creation process by providing package information and leave the defaults for ldquoJava Source Pathrdquo and ldquoOutput Directoryrdquo as shown on Figure 5
Figure 5 Provide Package and other Java Settings
Click on ldquoFinishrdquo button to complete creation of the new application and the project
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 11
5 Next we will create a Java Class To create a Java Class right click on the ldquoHelloWorldrdquo project under the HelloWorldJaxWS application and select ldquoNewrdquo from the Context Menu as shown in Figure 6
Figure 6 Creating Java Class in a project
6 This will launch the Dialog show in Figure 7 In the ldquoCurrent Project Technologiesrdquo tab Select ldquoJavardquo from the
ldquoCategoriesrdquo on the Left Hand Side and under ldquoItemsrdquo panel on the Right Hand side select ldquoJava Classrdquo as shown in
Figure 7 Click on the ldquoOKrdquo button after making the above selections
Figure 7 Select Java Class from the New Gallery Dialog
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 12
7 This will launch the new ldquoJava Classrdquo Creation Dialog as show in Figure 8 Provide ldquoHelloWorldrdquo as the name of the
java class and provide appropriate value for the java package Retain defaults for the remainder of the fields Click
ldquoOKrdquo to complete the new Java Class creation dialog
Figure 8 New Java Class creation Dialog
8 JDeveloper will generate code along the lines shown below
package helloworld
public class HelloWorld
public HelloWorld()
super()
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 13
Add the following lines of code to the HelloWorld class
9 The next step is to basically create a Web Service from the HelloWorld java class created in the previous steps To
create a Web Service right click on the HelloWorldjava file Select ldquoCreate Web Servicehelliprdquo from the Context menu
as shown in Figure 9
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
public String hello(String str)
return Hello + str
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 14
10 From the ldquoJava Web Service creationrdquo wizard select Java EE 15 option The entire Web Service creation wizard is a
multi-step process as show in Figure 10 - Figure 17
Figure 10 Select Java EE 15 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 15
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 16
Figure 14 Skip Additional Classes
Figure 15 Skip specifiying policies
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 17
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 18
Attach Message protection OWSM Security Policy
1 To attach the OWSM message protection policy to the Web Service ldquoright clickrdquo on the HelloWorldjava file in
JDeveloper Select ldquoWeb Service Propertieshelliprdquo from the Context menu item Figure 18 This will launch the Dialog box
seen in Figure 19
Figure 18 Define Web Service Properties
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 19
2 In the Configure Policies Dialog select ldquoOWSM policiesrdquo Upon selection of the OWSM Policies option the system
will display the list of out of the box policies that are shipped as part of OWSM Also notice the Default Policy Store
location
In this How-To it maps to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainoraclestoregmdsrdquo
Figure 19 Select OWSM policies option to secure the Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 20
3 For the purposes of this How-To letrsquos select the oraclewss10_message_protection_service_policy as show in
Figure 20
Figure 20 Selection of oraclewss10_message_protection_service_policy
Click ldquoOKrdquo button to complete the Policy Attachment Upon completion of the PolicyAttachment the SecurityPolicy
annotation will be added to the HelloWorld POJO class as show in Figure 21
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 21
Figure 21 Code view with SecurityPolicy annotation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper The key aspect that is of interest here are the
following messages
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
As mentioned earlier the key thing to note is
On running this the first time ndash the domain for running the Integrated WLS is extended and the necessary artifacts are created By default this domain is called ldquoDefaultDomainrdquo In this scenario the ldquoDefaultDomainrdquo is located at DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 25
Copying the Keystore under the right location for Integrated WLS Server
5 Copy the default-keystorejks created earlier to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfigrdquo as shown in Figure 25
Figure 25 Copying default-keystorejks under DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 26
Verifying jps-configxml in Default Domain
6 The jps-configxml will be found under
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfig The most important entry in jps-configxml that is of interest is the following keystore service entry lt-- KeyStore Service Instance --gt ltserviceInstance name=keystore provider=keystoreprovider location=default-keystorejksgt ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt ltproperty name=keystoreprovidertype value=filegt ltproperty name=keystorefilepath value=gt ltproperty name=keystoretype value=JKSgt ltproperty name=keystorecsfmap value=oraclewsmsecuritygt ltproperty name=keystorepasscsfkey value=keystore-csf-keygt ltproperty name=keystoresigcsfkey value=sign-csf-keygt ltproperty name=keystoreenccsfkey value=enc-csf-keygt ltserviceInstancegt The next step is to configure the credentials in the DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 27
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running 7 Start WLST from DOracle11gMiddleware oracle_commoncommonbinwlstcmd as shown in Figure 26
Figure 26 Starting WLST for Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 28
8 Connect to the Integrated WLS Server running DefaultDomain as show in Figure 27
Figure 27 Connect to Integrated WLS Server
Once connected add the following credentials to the credential store
$gt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm password=welcome1 desc=Keystore key) $gtcreateCred(map=oraclewsmsecurity key=enc-csf-key user=orakey password=welcome1 desc=Encryption key) $gtcreateCred(map=oraclewsmsecurity key=sign-csf-key user=orakey password=welcome1 desc=Signing key)
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 42
Add Incoming WS-Security Configurations
15 Click on the ldquoIncoming WS-Security Configurationsrdquo sub tab and click on the ldquo+rdquo icon as show in Figure 45 You will be prompted to enter a name for the incoming configuration specify ldquowss10rdquo as the name as shown in Figure 46
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 43
16 Click on the ldquowss10rdquo entry and select the following a Decrypt Keystore Select ldquodefault-keystorejksrdquo from the drop down b Signature Keystore Select ldquodefault-keystorejksrdquo from the drop down c Password ldquowelcome1rdquo
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 44
17 Now that we have created all the necessary WS-Security Configurations we are ready to test the HelloWorld Service To do so click on the ldquohellordquo operation on the Left hand browse tree This will create a request as show in Figure 48 Click on the ldquoAutrdquo tab on the ldquoRequestrdquo panel on the RHS side of the screen The ldquoAutrdquo tab is in the bottom and has been highlighted in Figure 48 Select the following values
a Outgoing WSS Select ldquowss10rdquo from the drop down b Incoming WSS Select ldquowss10rdquo from the drop down
Figure 48 Select the previosuly created WSS Configuration to be used while testing
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 45
18 Enter ldquoprakashrdquo for arg0 and click on the green arrow button to send the request You will be prompted for password ndash enter ldquowelcome1rdquo Figure 49 and Figure 50 show the steps and the results of a successful test If there is a failure ndash you will see a SOAP response with a fault
Figure 49 Send request to the HelloWorld WS
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\lib\ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1\lib\ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer...]
[09:52:06 PM] ---- Deployment started. ----
[09:52:06 PM] Target platform is (Weblogic 10.3).
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis...
[09:52:08 PM] Deploying 2 profiles...
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application...
[09:52:13 PM] Application Deployed Successfully.
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished. ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 3
Add Incoming WS-Security Configurations 42
Appendix 47
Log Generated the first time any app is run in Integrated WLS Server 47
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 4
Use Case
Description
This How-To demonstrates how to use OWSM Message Protection policy to secure a JAX-WS Web Service and how to
test it with SOAP UI
Objective
The main objective of this How-To
Demonstrate the steps required to secure a simple HelloWorld JAX-WS web service in JDeveloper
Configure the Integrated WLS Server to enable using OWSM message protection policies to secure HelloWorld
JAX-WS
Run the HelloWorld JAX-WS web service within the Integrated WLS Server that ships with JDeveloper
Configure and Test the HelloWorld JAX-WS with SOAP UI
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
2 SOAP UI Pro 401
Verified Product Version
Product Release Version
1 WebLogic 1036
2 SOA 11116
3 JDeveloper 11116
Potentially Applies to Product Version(s)
Product Release Version
1 WebLogic 1033 1034 1035 1036
2 SOA 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 5
Product URLs
Product URL LoginPassword
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Note This How-To uses SOAP UI Pro 401 The steps can vary with other versions of SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 6
Step by Step Instructions
Install Location
In this How-To JDeveloper has been installed at
DOracle11gMiddleware
We will define ORACLE_HOME= DOracle11gMiddleware
JDeveloperexe is at $ORACLE_HOMEjdeveloperjdeveloperexe
In this How-To I am running JDeveloper from command line as shown in Figure 1
Figure 1 Starting JDeveloper with the -su option
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 7
Create HelloWorld POJO JAX-WS Application
1 Start creation of a new application by click on ldquoNew Applicationrdquo in Figure 2
Figure 2 Click on New Application
This is will launch a new application creation wizard
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 8
2 Provide the following values as show in Figure 3 ldquoApplication NamerdquoHelloWorldJaxWS ldquoDirectoryrdquo DJDevelopermyworkHelloWorldJaxWS JDeveloper wil create the new application in the above directory For purposes of this How-To select ldquoGeneric Applicationrdquo from the Application Template as shown in Figure 3
Figure 3 Provide Application Name and Folder information
Click on ldquoNextrdquo button to proceed to the next step
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 9
3 Create a Project for the new application by providing Project information like ldquoProject Namerdquo ldquoDirectoryrdquo as show in Figure 4 Since we want to create a POJO based Web Service Select ldquoWeb Servicesrdquo from the ldquoProject Technologiesrdquo tab This will automatically also include Java Figure 4 shows the selected technologies for this project
Figure 4 Select Project Technologies and provide Project information
Click on ldquoNextrdquo button
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 10
4 Complete the New Application creation process by providing package information and leave the defaults for ldquoJava Source Pathrdquo and ldquoOutput Directoryrdquo as shown on Figure 5
Figure 5 Provide Package and other Java Settings
Click on ldquoFinishrdquo button to complete creation of the new application and the project
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 11
5 Next we will create a Java Class To create a Java Class right click on the ldquoHelloWorldrdquo project under the HelloWorldJaxWS application and select ldquoNewrdquo from the Context Menu as shown in Figure 6
Figure 6 Creating Java Class in a project
6 This will launch the Dialog show in Figure 7 In the ldquoCurrent Project Technologiesrdquo tab Select ldquoJavardquo from the
ldquoCategoriesrdquo on the Left Hand Side and under ldquoItemsrdquo panel on the Right Hand side select ldquoJava Classrdquo as shown in
Figure 7 Click on the ldquoOKrdquo button after making the above selections
Figure 7 Select Java Class from the New Gallery Dialog
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 12
7 This will launch the new ldquoJava Classrdquo Creation Dialog as show in Figure 8 Provide ldquoHelloWorldrdquo as the name of the
java class and provide appropriate value for the java package Retain defaults for the remainder of the fields Click
ldquoOKrdquo to complete the new Java Class creation dialog
Figure 8 New Java Class creation Dialog
8 JDeveloper will generate code along the lines shown below
package helloworld
public class HelloWorld
public HelloWorld()
super()
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 13
Add the following lines of code to the HelloWorld class
9 The next step is to basically create a Web Service from the HelloWorld java class created in the previous steps To
create a Web Service right click on the HelloWorldjava file Select ldquoCreate Web Servicehelliprdquo from the Context menu
as shown in Figure 9
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
public String hello(String str)
return Hello + str
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 14
10 From the ldquoJava Web Service creationrdquo wizard select Java EE 15 option The entire Web Service creation wizard is a
multi-step process as show in Figure 10 - Figure 17
Figure 10 Select Java EE 15 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 15
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 16
Figure 14 Skip Additional Classes
Figure 15 Skip specifiying policies
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 17
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 18
Attach Message protection OWSM Security Policy
1 To attach the OWSM message protection policy to the Web Service ldquoright clickrdquo on the HelloWorldjava file in
JDeveloper Select ldquoWeb Service Propertieshelliprdquo from the Context menu item Figure 18 This will launch the Dialog box
seen in Figure 19
Figure 18 Define Web Service Properties
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 19
2 In the Configure Policies Dialog select ldquoOWSM policiesrdquo Upon selection of the OWSM Policies option the system
will display the list of out of the box policies that are shipped as part of OWSM Also notice the Default Policy Store
location
In this How-To it maps to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainoraclestoregmdsrdquo
Figure 19 Select OWSM policies option to secure the Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 20
3 For the purposes of this How-To letrsquos select the oraclewss10_message_protection_service_policy as show in
Figure 20
Figure 20 Selection of oraclewss10_message_protection_service_policy
Click ldquoOKrdquo button to complete the Policy Attachment Upon completion of the PolicyAttachment the SecurityPolicy
annotation will be added to the HelloWorld POJO class as show in Figure 21
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 21
Figure 21 Code view with SecurityPolicy annotation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper The key aspect that is of interest here are the
following messages
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
As mentioned earlier the key thing to note is
On running this the first time ndash the domain for running the Integrated WLS is extended and the necessary artifacts are created By default this domain is called ldquoDefaultDomainrdquo In this scenario the ldquoDefaultDomainrdquo is located at DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 25
Copying the Keystore under the right location for Integrated WLS Server
5 Copy the default-keystorejks created earlier to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfigrdquo as shown in Figure 25
Figure 25 Copying default-keystorejks under DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 26
Verifying jps-configxml in Default Domain
6 The jps-configxml will be found under
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfig The most important entry in jps-configxml that is of interest is the following keystore service entry lt-- KeyStore Service Instance --gt ltserviceInstance name=keystore provider=keystoreprovider location=default-keystorejksgt ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt ltproperty name=keystoreprovidertype value=filegt ltproperty name=keystorefilepath value=gt ltproperty name=keystoretype value=JKSgt ltproperty name=keystorecsfmap value=oraclewsmsecuritygt ltproperty name=keystorepasscsfkey value=keystore-csf-keygt ltproperty name=keystoresigcsfkey value=sign-csf-keygt ltproperty name=keystoreenccsfkey value=enc-csf-keygt ltserviceInstancegt The next step is to configure the credentials in the DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 27
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running 7 Start WLST from DOracle11gMiddleware oracle_commoncommonbinwlstcmd as shown in Figure 26
Figure 26 Starting WLST for Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 28
8 Connect to the Integrated WLS Server running DefaultDomain as show in Figure 27
Figure 27 Connect to Integrated WLS Server
Once connected add the following credentials to the credential store
$gt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm password=welcome1 desc=Keystore key) $gtcreateCred(map=oraclewsmsecurity key=enc-csf-key user=orakey password=welcome1 desc=Encryption key) $gtcreateCred(map=oraclewsmsecurity key=sign-csf-key user=orakey password=welcome1 desc=Signing key)
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub tab and click on the "+" icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
b. Signature Keystore: Select "default-keystore.jks" from the drop down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the browse tree on the left-hand side. This will create a request, as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started. ----
[09:52:06 PM] Target platform is (Weblogic 10.3).
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully.
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished. ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 4
Use Case
Description
This How-To demonstrates how to use OWSM Message Protection policy to secure a JAX-WS Web Service and how to
test it with SOAP UI
Objective
The main objective of this How-To
Demonstrate the steps required to secure a simple HelloWorld JAX-WS web service in JDeveloper
Configure the Integrated WLS Server to enable using OWSM message protection policies to secure HelloWorld
JAX-WS
Run the HelloWorld JAX-WS web service within the Integrated WLS Server that ships with JDeveloper
Configure and Test the HelloWorld JAX-WS with SOAP UI
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
2 SOAP UI Pro 401
Verified Product Version
Product Release Version
1 WebLogic 1036
2 SOA 11116
3 JDeveloper 11116
Potentially Applies to Product Version(s)
Product Release Version
1 WebLogic 1033 1034 1035 1036
2 SOA 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 5
Product URLs
Product URL LoginPassword
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Note This How-To uses SOAP UI Pro 401 The steps can vary with other versions of SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 6
Step by Step Instructions
Install Location
In this How-To JDeveloper has been installed at
DOracle11gMiddleware
We will define ORACLE_HOME= DOracle11gMiddleware
JDeveloperexe is at $ORACLE_HOMEjdeveloperjdeveloperexe
In this How-To I am running JDeveloper from command line as shown in Figure 1
Figure 1 Starting JDeveloper with the -su option
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 7
Create HelloWorld POJO JAX-WS Application
1 Start creation of a new application by click on ldquoNew Applicationrdquo in Figure 2
Figure 2 Click on New Application
This is will launch a new application creation wizard
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 8
2 Provide the following values as show in Figure 3 ldquoApplication NamerdquoHelloWorldJaxWS ldquoDirectoryrdquo DJDevelopermyworkHelloWorldJaxWS JDeveloper wil create the new application in the above directory For purposes of this How-To select ldquoGeneric Applicationrdquo from the Application Template as shown in Figure 3
Figure 3 Provide Application Name and Folder information
Click on ldquoNextrdquo button to proceed to the next step
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 9
3 Create a Project for the new application by providing Project information like ldquoProject Namerdquo ldquoDirectoryrdquo as show in Figure 4 Since we want to create a POJO based Web Service Select ldquoWeb Servicesrdquo from the ldquoProject Technologiesrdquo tab This will automatically also include Java Figure 4 shows the selected technologies for this project
Figure 4 Select Project Technologies and provide Project information
Click on ldquoNextrdquo button
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 10
4 Complete the New Application creation process by providing package information and leave the defaults for ldquoJava Source Pathrdquo and ldquoOutput Directoryrdquo as shown on Figure 5
Figure 5 Provide Package and other Java Settings
Click on ldquoFinishrdquo button to complete creation of the new application and the project
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 11
5 Next we will create a Java Class To create a Java Class right click on the ldquoHelloWorldrdquo project under the HelloWorldJaxWS application and select ldquoNewrdquo from the Context Menu as shown in Figure 6
Figure 6 Creating Java Class in a project
6 This will launch the Dialog show in Figure 7 In the ldquoCurrent Project Technologiesrdquo tab Select ldquoJavardquo from the
ldquoCategoriesrdquo on the Left Hand Side and under ldquoItemsrdquo panel on the Right Hand side select ldquoJava Classrdquo as shown in
Figure 7 Click on the ldquoOKrdquo button after making the above selections
Figure 7 Select Java Class from the New Gallery Dialog
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 12
7 This will launch the new ldquoJava Classrdquo Creation Dialog as show in Figure 8 Provide ldquoHelloWorldrdquo as the name of the
java class and provide appropriate value for the java package Retain defaults for the remainder of the fields Click
ldquoOKrdquo to complete the new Java Class creation dialog
Figure 8 New Java Class creation Dialog
8 JDeveloper will generate code along the lines shown below
package helloworld
public class HelloWorld
public HelloWorld()
super()
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 13
Add the following lines of code to the HelloWorld class
9 The next step is to basically create a Web Service from the HelloWorld java class created in the previous steps To
create a Web Service right click on the HelloWorldjava file Select ldquoCreate Web Servicehelliprdquo from the Context menu
as shown in Figure 9
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
public String hello(String str)
return Hello + str
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 14
10 From the ldquoJava Web Service creationrdquo wizard select Java EE 15 option The entire Web Service creation wizard is a
multi-step process as show in Figure 10 - Figure 17
Figure 10 Select Java EE 15 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 15
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 16
Figure 14 Skip Additional Classes
Figure 15 Skip specifiying policies
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 17
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 18
Attach Message protection OWSM Security Policy
1 To attach the OWSM message protection policy to the Web Service ldquoright clickrdquo on the HelloWorldjava file in
JDeveloper Select ldquoWeb Service Propertieshelliprdquo from the Context menu item Figure 18 This will launch the Dialog box
seen in Figure 19
Figure 18 Define Web Service Properties
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 19
2 In the Configure Policies Dialog select ldquoOWSM policiesrdquo Upon selection of the OWSM Policies option the system
will display the list of out of the box policies that are shipped as part of OWSM Also notice the Default Policy Store
location
In this How-To it maps to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainoraclestoregmdsrdquo
Figure 19 Select OWSM policies option to secure the Web Service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 20
3 For the purposes of this How-To letrsquos select the oraclewss10_message_protection_service_policy as show in
Figure 20
Figure 20 Selection of oraclewss10_message_protection_service_policy
Click ldquoOKrdquo button to complete the Policy Attachment Upon completion of the PolicyAttachment the SecurityPolicy
annotation will be added to the HelloWorld POJO class as show in Figure 21
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 21
Figure 21 Code view with SecurityPolicy annotation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper The key aspect that is of interest here are the
following messages
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
As mentioned earlier the key thing to note is
On running this the first time ndash the domain for running the Integrated WLS is extended and the necessary artifacts are created By default this domain is called ldquoDefaultDomainrdquo In this scenario the ldquoDefaultDomainrdquo is located at DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 25
Copying the Keystore under the right location for Integrated WLS Server
5 Copy the default-keystorejks created earlier to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfigrdquo as shown in Figure 25
Figure 25 Copying default-keystorejks under DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 26
Verifying jps-configxml in Default Domain
6 The jps-configxml will be found under
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfig The most important entry in jps-configxml that is of interest is the following keystore service entry lt-- KeyStore Service Instance --gt ltserviceInstance name=keystore provider=keystoreprovider location=default-keystorejksgt ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt ltproperty name=keystoreprovidertype value=filegt ltproperty name=keystorefilepath value=gt ltproperty name=keystoretype value=JKSgt ltproperty name=keystorecsfmap value=oraclewsmsecuritygt ltproperty name=keystorepasscsfkey value=keystore-csf-keygt ltproperty name=keystoresigcsfkey value=sign-csf-keygt ltproperty name=keystoreenccsfkey value=enc-csf-keygt ltserviceInstancegt The next step is to configure the credentials in the DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 27
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running 7 Start WLST from DOracle11gMiddleware oracle_commoncommonbinwlstcmd as shown in Figure 26
Figure 26 Starting WLST for Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 28
8 Connect to the Integrated WLS Server running DefaultDomain as show in Figure 27
Figure 27 Connect to Integrated WLS Server
Once connected add the following credentials to the credential store
$gt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm password=welcome1 desc=Keystore key) $gtcreateCred(map=oraclewsmsecurity key=enc-csf-key user=orakey password=welcome1 desc=Encryption key) $gtcreateCred(map=oraclewsmsecurity key=sign-csf-key user=orakey password=welcome1 desc=Signing key)
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40:
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42 Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down
i. Create Encrypted Key: Ensure the checkbox is checked
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44 Encryption Configuration
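A structural check for what the “wss10” outgoing configuration above is expected to produce, as an added Python example (not part of the original How-To or of SOAP UI): it inspects a request envelope for the signed parts, the selected algorithm URIs and the encrypted Body content. The sample envelope, its Ids and the function names are constructed for illustration, and no signature or decryption is actually verified.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, parse with a hardened XML parser

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Algorithm URIs selected in steps 12 and 14 for the "wss10" outgoing configuration.
RSA_SHA1, SHA1 = NS["ds"] + "rsa-sha1", NS["ds"] + "sha1"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_OAEP, AES128_CBC = NS["xenc"] + "rsa-oaep-mgf1p", NS["xenc"] + "aes128-cbc"

# Constructed sample: only the structure of a protected request. Token, digests,
# signature value and ciphertext are left out; the Ids are made up.
ENCRYPTED_BODY = (
    f'<xenc:EncryptedData Id="ED-1" Type="{NS["xenc"]}Content">'
    f'<xenc:EncryptionMethod Algorithm="{AES128_CBC}"/></xenc:EncryptedData>'
)
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SAMPLE = f"""<s:Envelope {XMLNS}>
 <s:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:30Z</wsu:Created></wsu:Timestamp>
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{RSA_OAEP}"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
   <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{SHA1}"/></ds:Reference>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{SHA1}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></s:Header>
 <s:Body wsu:Id="Body-1">{ENCRYPTED_BODY}</s:Body>
</s:Envelope>"""


def _alg(parent, path):
    """Algorithm attribute of the element at path, or None if it is absent."""
    el = parent.find(path, NS)
    return None if el is None else el.get("Algorithm")


def audit_envelope(xml_text):
    """Return a list of findings; an empty list means the structure is as expected."""
    env = ET.fromstring(xml_text)
    sec = env.find("s:Header/wsse:Security", NS)
    body = env.find("s:Body", NS)
    if sec is None or body is None:
        return ["envelope has no wsse:Security header or no Body"]
    findings = []

    # 1. Signature parts: Body and Timestamp must each be referenced by their wsu:Id.
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI", "").lstrip("#") for r in refs}
    for name, el in (("Timestamp", sec.find("wsu:Timestamp", NS)), ("Body", body)):
        if el is None:
            findings.append(f"{name} element is missing")
        elif el.get(WSU_ID) not in signed_ids:
            findings.append(f"{name} is not covered by the signature")
    for r in refs:
        if _alg(r, "ds:DigestMethod") != SHA1:
            findings.append(f"reference {r.get('URI')}: unexpected digest algorithm")

    # 2. Algorithm URIs must be the ones chosen in the Signature and Encryption entries.
    for parent, path, want in (
        (sec, "ds:Signature/ds:SignedInfo/ds:SignatureMethod", RSA_SHA1),
        (sec, "ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod", EXC_C14N),
        (sec, "xenc:EncryptedKey/xenc:EncryptionMethod", RSA_OAEP),
        (body, "xenc:EncryptedData/xenc:EncryptionMethod", AES128_CBC),
    ):
        got = _alg(parent, path)
        if got != want:
            findings.append(f"{path}: expected {want}, got {got}")

    # 3. Encryption part "Body / Content": the Body may hold nothing but EncryptedData,
    #    and the EncryptedKey in the header must point at it.
    children = list(body)
    if len(children) != 1 or children[0].tag != "{%s}EncryptedData" % NS["xenc"]:
        findings.append("Body content is not encrypted (cleartext payload present)")
    else:
        targets = {d.get("URI") for d in sec.findall(
            "xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference", NS)}
        if "#" + (children[0].get("Id") or "") not in targets:
            findings.append("EncryptedData in Body is not referenced by the EncryptedKey")
    return findings


if __name__ == "__main__":
    print("protected sample:", audit_envelope(SAMPLE))
    cleartext = SAMPLE.replace(ENCRYPTED_BODY, "<hello><arg0>prakash</arg0></hello>")
    print("cleartext body:  ", audit_envelope(cleartext))
```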
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down
b. Signature Keystore: Select “default-keystore.jks” from the drop down
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the browse tree on the left-hand side. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down
b. Incoming WSS: Select “wss10” from the drop down
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Product URLs
Product | URL | Login/Password
EM Fusion Middle Control | http://admin_host:admin_port/em | User: weblogic, Password: welcome1
Note: This How-To uses SOAP UI Pro 4.0.1. The steps can vary with other versions of SOAP UI.
Step by Step Instructions
Install Location
In this How-To, JDeveloper has been installed at:
D:\Oracle11g\Middleware
We will define ORACLE_HOME=D:\Oracle11g\Middleware
JDeveloper.exe is at $ORACLE_HOME\jdeveloper\jdeveloper.exe
In this How-To I am running JDeveloper from the command line as shown in Figure 1.
Figure 1 Starting JDeveloper with the -su option
Create HelloWorld POJO JAX-WS Application
1. Start creation of a new application by clicking on “New Application” in Figure 2.
Figure 2 Click on New Application
This will launch a new application creation wizard.
2. Provide the following values as shown in Figure 3:
“Application Name”: HelloWorldJaxWS
“Directory”: D:\JDeveloper\mywork\HelloWorldJaxWS
JDeveloper will create the new application in the above directory. For purposes of this How-To, select “Generic Application” from the Application Template as shown in Figure 3.
Figure 3 Provide Application Name and Folder information
Click on the “Next” button to proceed to the next step.
3. Create a Project for the new application by providing Project information like “Project Name” and “Directory” as shown in Figure 4. Since we want to create a POJO-based Web Service, select “Web Services” from the “Project Technologies” tab. This will automatically also include Java. Figure 4 shows the selected technologies for this project.
Figure 4 Select Project Technologies and provide Project information
Click on the “Next” button.
4. Complete the New Application creation process by providing package information and leave the defaults for “Java Source Path” and “Output Directory” as shown in Figure 5.
Figure 5 Provide Package and other Java Settings
Click on the “Finish” button to complete creation of the new application and the project.
5. Next we will create a Java Class. To create a Java Class, right click on the “HelloWorld” project under the HelloWorldJaxWS application and select “New” from the Context Menu as shown in Figure 6.
Figure 6 Creating Java Class in a project
6. This will launch the Dialog shown in Figure 7. In the “Current Project Technologies” tab, select “Java” from the “Categories” on the left-hand side, and under the “Items” panel on the right-hand side select “Java Class” as shown in Figure 7. Click on the “OK” button after making the above selections.
Figure 7 Select Java Class from the New Gallery Dialog
7. This will launch the new “Java Class” Creation Dialog as shown in Figure 8. Provide “HelloWorld” as the name of the Java class and provide an appropriate value for the Java package. Retain defaults for the remainder of the fields. Click “OK” to complete the new Java Class creation dialog.
Figure 8 New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:

package helloworld;

public class HelloWorld {
    public HelloWorld() {
        super();
    }
}

Add the following lines of code to the HelloWorld class:

    // Operation exposed by the Web Service: returns a greeting for the given name.
    public String hello(String str) {
        return "Hello " + str;
    }

9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right click on the HelloWorld.java file and select “Create Web Service…” from the Context menu as shown in Figure 9.
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process as shown in Figure 10 - Figure 17.
Figure 10 Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Figure 14 Skip Additional Classes
Figure 15 Skip specifying policies
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right click on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the Context menu (Figure 18). This will launch the Dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies Dialog select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let's select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a Keystore and Credentials. First we will create the keystore using the keytool command as shown in Figure 22. The command to create the keystore using keytool (Note: keytool is shipped with the JDK):
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23 Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by right clicking on HelloWorld.java and selecting “Run” from the Context Menu as shown in Figure 24.
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key aspect of interest here is the following set of messages:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig” as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml that is of interest is the following keystore service entry:

<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>

The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store, Credentials and jps-config.xml
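The relationship between the three artifacts, as an added Python example (not Oracle's code and not part of the original How-To): jps-config.xml names a credential map and three CSF keys, the credential store must hold those keys in that map, and the user of the signing and encryption credentials must be a key alias in the keystore. The credential store is modelled as a plain dictionary without passwords, and the misspelled map and the alias “orakey1” in the broken variant are constructed.

```python
import xml.etree.ElementTree as ET

# Keystore service entry from the DefaultDomain jps-config.xml shown in step 6.
JPS_KEYSTORE_SERVICE = """
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Credentials created with createCred in step 8, modelled as {map: {key: user}}.
# Passwords are left out on purpose: the wiring can be checked on names alone.
CREDENTIAL_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": "owsm",
        "enc-csf-key": "orakey",
        "sign-csf-key": "orakey",
    }
}
# Aliases as `keytool -list` reports them for default-keystore.jks.
KEYSTORE_ALIASES = {"orakey"}

# Constructed broken variant: signing credential names a non-existent alias and
# the encryption credential was created under a misspelled map.
BROKEN_CREDENTIAL_STORE = {
    "oracle.wsm.security": {"keystore-csf-key": "owsm", "sign-csf-key": "orakey1"},
    "oracle.wsm.securty": {"enc-csf-key": "orakey"},
}

PASS_PROP = "keystore.pass.csf.key"  # credential whose password opens the keystore
ALIAS_PROPS = ("keystore.sig.csf.key", "keystore.enc.csf.key")  # user == key alias


def parse_keystore_service(xml_text):
    """Extract the keystore location and the property map from the serviceInstance."""
    root = ET.fromstring(xml_text.strip())
    props = {p.get("name"): p.get("value") for p in root.iter("property")}
    return {"location": root.get("location"), "props": props}


def check_wiring(service, cred_store, keystore_file, keystore_aliases):
    """Return a list of findings; an empty list means the three artifacts line up."""
    findings = []
    props = service["props"]
    location = (service["location"] or "").replace("\\", "/")
    if location.rsplit("/", 1)[-1] != keystore_file:
        findings.append(f"jps-config.xml points at '{location}', not at {keystore_file}")
    csf_map = props.get("keystore.csf.map")
    creds = cred_store.get(csf_map, {})
    aliases = {a.lower() for a in keystore_aliases}  # JKS aliases are case-insensitive
    for prop in (PASS_PROP, *ALIAS_PROPS):
        key = props.get(prop)
        if key not in creds:
            others = sorted(m for m, c in cred_store.items() if m != csf_map and key in c)
            hint = f" (present in map '{others[0]}')" if others else ""
            findings.append(f"{prop}: no credential '{key}' in map '{csf_map}'{hint}")
        elif prop in ALIAS_PROPS and creds[key].lower() not in aliases:
            findings.append(f"{prop}: credential '{key}' names alias '{creds[key]}', "
                            "which is not in the keystore")
    return findings


if __name__ == "__main__":
    svc = parse_keystore_service(JPS_KEYSTORE_SERVICE)
    for label, store in (("as configured", CREDENTIAL_STORE), ("broken", BROKEN_CREDENTIAL_STORE)):
        result = check_wiring(svc, store, "default-keystore.jks", KEYSTORE_ALIASES)
        print(label, "->", result or "consistent")
```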
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystores/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore as shown in Figure 33. This will launch a dialog to select the key material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice, the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop-down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42 Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down
i. Create Encrypted Key: Ensure the checkbox is checked
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub-tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down
b. Signature Keystore: Select “default-keystore.jks” from the drop down
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down
b. Incoming WSS: Select “wss10” from the drop down
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
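When a test fails, it helps to confirm that the request SOAP UI actually sent carries the three entries configured in steps 9 to 14. The following is an added example, not part of the original guide: a structural check of a request envelope against the algorithms and parts chosen for the “wss10” outgoing configuration. It does not verify the signature or decrypt anything; the sample envelope is a constructed skeleton with key, digest, signature and cipher values omitted, and the function names and element Ids are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Algorithms selected in the "wss10" outgoing configuration (steps 12 and 14).
EXPECTED = {
    "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "c14n": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "digest": "http://www.w3.org/2000/09/xmldsig#sha1",
    "key_transport": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "body_cipher": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
}

# Constructed skeleton of a protected request (values omitted, Ids invented).
SAMPLE = """<soapenv:Envelope %s>
 <soapenv:Header>
  <wsse:Security>
   <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
   </xenc:EncryptedKey>
   <ds:Signature>
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
     <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
    </ds:SignedInfo>
   </ds:Signature>
   <wsu:Timestamp wsu:Id="TS-1">
    <wsu:Created>2012-03-16T21:52:30Z</wsu:Created>
    <wsu:Expires>2012-03-16T21:52:35Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/></xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>""" % " ".join('xmlns:%s="%s"' % kv for kv in NS.items())


def _alg(parent, path):
    """Algorithm attribute of the element at path under parent, or None."""
    el = parent.find(path, NS) if parent is not None else None
    return el.get("Algorithm") if el is not None else None


def check_request(envelope_xml):
    """Return findings for a request envelope; an empty list means it matches 'wss10'."""
    findings = []
    env = ET.fromstring(envelope_xml)
    sec = env.find("soapenv:Header/wsse:Security", NS)
    body = env.find("soapenv:Body", NS)
    if sec is None or body is None:
        return ["missing wsse:Security header or soapenv:Body"]

    # a. Timestamp: present, parseable, and expiring after it was created.
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        findings.append("no wsu:Timestamp")
    else:
        try:
            created, expires = (datetime.strptime(ts.findtext(t, "", NS), "%Y-%m-%dT%H:%M:%SZ")
                                for t in ("wsu:Created", "wsu:Expires"))
            if expires <= created:
                findings.append("wsu:Timestamp expires before it was created")
        except ValueError:
            findings.append("wsu:Timestamp lacks parseable Created/Expires")

    # b. Signature: expected algorithms, and both Body and Timestamp referenced.
    si = sec.find("ds:Signature/ds:SignedInfo", NS)
    if si is None:
        findings.append("no ds:Signature")
    else:
        if _alg(si, "ds:SignatureMethod") != EXPECTED["signature"]:
            findings.append("signature algorithm is not rsa-sha1")
        if _alg(si, "ds:CanonicalizationMethod") != EXPECTED["c14n"]:
            findings.append("canonicalization is not xml-exc-c14n")
        refs = si.findall("ds:Reference", NS)
        if any(_alg(r, "ds:DigestMethod") != EXPECTED["digest"] for r in refs):
            findings.append("a signed part does not use the sha1 digest")
        signed = {r.get("URI", "").lstrip("#") for r in refs}
        for name, el in (("Body", body), ("Timestamp", ts)):
            if el is None or el.get(WSU_ID) not in signed:
                findings.append(f"{name} is not covered by the signature")

    # c. Encryption: key transport algorithm, and Body content replaced by EncryptedData.
    if _alg(sec.find("xenc:EncryptedKey", NS), "xenc:EncryptionMethod") != EXPECTED["key_transport"]:
        findings.append("EncryptedKey missing or not rsa-oaep-mgf1p")
    children = list(body)
    if len(children) != 1 or children[0].tag != "{%s}EncryptedData" % NS["xenc"]:
        findings.append("Body content is not a single xenc:EncryptedData")
    elif _alg(children[0], "xenc:EncryptionMethod") != EXPECTED["body_cipher"]:
        findings.append("Body is not encrypted with aes128-cbc")
    return findings
```

Paste the raw request from the SOAP UI request log into `check_request` to see which of the three entries is missing or configured differently.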
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
To start WebLogic Server use a username and
password assigned to an admin-level user For
server administration use the WebLogic Server
console at httphostnameportconsole
starting weblogic with Java version
java version 160_24
Java(TM) SE Runtime Environment (build 160_24-b50)
Java HotSpot(TM) Client VM (build 191-b02 mixed mode)
Starting WLS with line
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090905gt ltDisabling CryptoJ JCE Provider self-integrity check for better startup performance To enable this check specify -DweblogicsecurityallowCryptoJDefaultJCEVerification=truegt
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090906gt ltChanging the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG To disable this change specify -DweblogicsecurityallowCryptoJDefaultPRNG=truegt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltWebLogicServergt ltBEA-000377gt ltStarting WebLogic Server with Java HotSpot(TM) Client VM Version 191-b02 from Sun Microsystems Incgt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltManagementgt ltBEA-141107gt ltVersion WebLogic Server 10350 Fri Apr 1 202006 PDT 2011 1398638 gt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95057 PM PDTgt ltInfogt ltWorkManagergt ltBEA-002900gt ltInitializing self-tuning thread poolgt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170019gt ltThe server log file DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainserversDefaultServerlogsDefaultServerlog is opened All server side log events will be written to this filegt
ltMar 16 2012 95108 PM PDTgt ltNoticegt ltSecuritygt ltBEA-090082gt ltSecurity initializing using security realm myrealmgt
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Step by Step Instructions
Install Location
In this How-To, JDeveloper has been installed at
D:\Oracle11g\Middleware
We will define ORACLE_HOME=D:\Oracle11g\Middleware
jdeveloper.exe is at $ORACLE_HOME\jdeveloper\jdeveloper.exe
In this How-To I am running JDeveloper from the command line as shown in Figure 1.
Figure 1 Starting JDeveloper with the -su option
Create HelloWorld POJO JAX-WS Application
1. Start creation of a new application by clicking on “New Application” in Figure 2.
Figure 2 Click on New Application
This will launch a new application creation wizard.
2. Provide the following values as shown in Figure 3:
“Application Name”: HelloWorldJaxWS
“Directory”: D:\JDeveloper\mywork\HelloWorldJaxWS
JDeveloper will create the new application in the above directory. For purposes of this How-To, select “Generic Application” from the Application Template as shown in Figure 3.
Figure 3 Provide Application Name and Folder information
Click on the “Next” button to proceed to the next step.
3. Create a Project for the new application by providing project information such as “Project Name” and “Directory” as shown in Figure 4. Since we want to create a POJO-based Web Service, select “Web Services” from the “Project Technologies” tab. This will automatically also include Java. Figure 4 shows the selected technologies for this project.
Figure 4 Select Project Technologies and provide Project information
Click on the “Next” button.
4. Complete the New Application creation process by providing package information, and leave the defaults for “Java Source Path” and “Output Directory” as shown in Figure 5.
Figure 5 Provide Package and other Java Settings
Click on the “Finish” button to complete creation of the new application and the project.
5. Next we will create a Java class. To create a Java class, right-click on the “HelloWorld” project under the HelloWorldJaxWS application and select “New” from the context menu as shown in Figure 6.
Figure 6 Creating Java Class in a project
6. This will launch the dialog shown in Figure 7. In the “Current Project Technologies” tab, select “Java” from the “Categories” on the left-hand side, and under the “Items” panel on the right-hand side select “Java Class” as shown in Figure 7. Click on the “OK” button after making the above selections.
Figure 7 Select Java Class from the New Gallery Dialog
7. This will launch the new “Java Class” creation dialog as shown in Figure 8. Provide “HelloWorld” as the name of the Java class and provide an appropriate value for the Java package. Retain defaults for the remainder of the fields. Click “OK” to complete the new Java Class creation dialog.
Figure 8 New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:
    package helloworld;

    public class HelloWorld {
        public HelloWorld() {
            super();
        }
    }
Add the following lines of code to the HelloWorld class:
    public String hello(String str) {
        return "Hello " + str;
    }
9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right-click on the HelloWorld.java file and select “Create Web Service…” from the context menu as shown in Figure 9.
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process as shown in Figure 10 - Figure 17.
Figure 10 Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Figure 14 Skip Additional Classes
Figure 15 Skip specifying policies
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right-click on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies dialog select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to
“D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the policy attachment. Upon completion of the policy attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a keystore and credentials. First we will create the keystore using the keytool command as shown in Figure 22. The command to create the keystore using keytool (Note: keytool is shipped with the JDK):
    $> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
    $> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23 Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by right-clicking on HelloWorld.java and selecting “Run” from the context menu as shown in Figure 24.
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key messages of interest here are the following:
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig” as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
    $> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    $> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    $> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:

Name       Namespace                                                                           Encode
Body       http://schemas.xmlsoap.org/soap/envelope/                                           Element
Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd  Element

Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:

Name  Namespace                                  Encode
Body  http://schemas.xmlsoap.org/soap/envelope/  Content
Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
b. Signature Keystore: Select “default-keystore.jks” from the drop down.
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation on the left hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down.
b. Incoming WSS: Select “wss10” from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
Create HelloWorld POJO JAX-WS Application
1. Start creation of a new application by clicking on “New Application” in Figure 2.
Figure 2: Click on New Application
This will launch a new application creation wizard.
2. Provide the following values as shown in Figure 3:
“Application Name”: HelloWorldJaxWS
“Directory”: D:\JDeveloper\mywork\HelloWorldJaxWS
JDeveloper will create the new application in the above directory. For purposes of this How-To, select “Generic Application” from the Application Template as shown in Figure 3.
Figure 3: Provide Application Name and Folder information
Click on the “Next” button to proceed to the next step.
3. Create a Project for the new application by providing Project information like “Project Name” and “Directory” as shown in Figure 4. Since we want to create a POJO based Web Service, select “Web Services” from the “Project Technologies” tab. This will automatically also include Java. Figure 4 shows the selected technologies for this project.
Figure 4: Select Project Technologies and provide Project information
Click on the “Next” button.
4. Complete the New Application creation process by providing package information, and leave the defaults for “Java Source Path” and “Output Directory” as shown in Figure 5.
Figure 5: Provide Package and other Java Settings
Click on the “Finish” button to complete creation of the new application and the project.
5. Next we will create a Java Class. To create a Java Class, right click on the “HelloWorld” project under the HelloWorldJaxWS application and select “New” from the Context Menu as shown in Figure 6.
Figure 6: Creating Java Class in a project
6. This will launch the dialog shown in Figure 7. In the “Current Project Technologies” tab, select “Java” from the “Categories” on the left hand side, and under the “Items” panel on the right hand side select “Java Class” as shown in Figure 7. Click on the “OK” button after making the above selections.
Figure 7: Select Java Class from the New Gallery Dialog
7. This will launch the new “Java Class” creation dialog as shown in Figure 8. Provide “HelloWorld” as the name of the Java class and provide an appropriate value for the Java package. Retain defaults for the remainder of the fields. Click “OK” to complete the new Java Class creation dialog.
Figure 8: New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:

    package helloworld;

    public class HelloWorld {
        public HelloWorld() {
            super();
        }
    }

Add the following lines of code to the HelloWorld class:

    // Operation that will be exposed by the Web Service
    public String hello(String str) {
        return "Hello " + str;
    }

9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right click on the HelloWorld.java file. Select “Create Web Service…” from the Context menu as shown in Figure 9.
Figure 9: Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard, select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process as shown in Figure 10 - Figure 17.
Figure 10: Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11: Provide Web Service name
Figure 12: Retain default SOAP binding
Figure 13: Select the methods that should be exposed as part of the Web Service
Figure 14: Skip Additional Classes
Figure 15: Skip specifying policies
Figure 16: Skip providing any Handlers
Figure 17: Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, “right click” on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the Context menu item (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18: Define Web Service Properties
2. In the Configure Policies dialog, select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out of the box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to
“D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a Keystore and Credentials. First we will create the keystore using the keytool command as shown in Figure 22. The command to create the keystore using keytool (Note: keytool is shipped with the JDK):

    $> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600

Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:

    $> keytool -list -keystore default-keystore.jks -storepass welcome1

Figure 23: Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by “right clicking” on HelloWorld.java and selecting “Run” from the Context Menu as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key aspect that is of interest here is the following messages:

    [Waiting for the domain to finish building]
    [09:47:56 PM] Creating Integrated Weblogic domain
    [09:50:03 PM] Extending Integrated Weblogic domain
    [09:50:51 PM] Integrated Weblogic domain processing completed successfully
    Using port 7101
    D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
    [waiting for the server to complete its initialization]

As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to
“D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig” as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The entry in jps-config.xml that is of most interest is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store and jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship between Keystore, Credential Store Credentials and jps-config.xml
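The relationship described in step 9 can be traced in code. The following Python sketch is an added example, not part of the original guide or Oracle's code: it reads the keystore entry from jps-config.xml, looks up each CSF key it names in the credential map, and checks that the credential matches the keystore. CRED_STORE and KEYSTORE are constructed stand-ins for the credential store and default-keystore.jks, the function names are hypothetical, and the rule that only the password of keystore-csf-key is used is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: keystore service entry as listed in step 6 (wrapper elements added).
JPS_CONFIG = """<jpsConfig><serviceInstances>
  <serviceInstance name="keystore" provider="keystore.provider"
                   location="./default-keystore.jks">
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
  </serviceInstance>
</serviceInstances></jpsConfig>"""

# Model of the credential store after the three createCred() calls in step 8:
# (map, key) -> (user, password)
CRED_STORE = {
    ("oracle.wsm.security", "keystore-csf-key"): ("owsm", "welcome1"),
    ("oracle.wsm.security", "enc-csf-key"): ("orakey", "welcome1"),
    ("oracle.wsm.security", "sign-csf-key"): ("orakey", "welcome1"),
}

# Model of default-keystore.jks as created with keytool: store password plus
# alias -> key password.
KEYSTORE = {"storepass": "welcome1", "aliases": {"orakey": "welcome1"}}


def keystore_properties(jps_xml):
    """Return (location, {property name: value}) of the 'keystore' service instance."""
    root = ET.fromstring(jps_xml)
    for el in root.iter():
        # Compare local names so a namespaced jps-config.xml parses the same way.
        if el.tag.rsplit("}", 1)[-1] == "serviceInstance" and el.get("name") == "keystore":
            props = {p.get("name"): p.get("value") for p in el
                     if p.tag.rsplit("}", 1)[-1] == "property"}
            return el.get("location"), props
    raise ValueError("no keystore serviceInstance found")


def resolve(jps_xml, cred_store, keystore):
    """Follow jps-config.xml -> credential store -> keystore; return (bindings, problems)."""
    location, props = keystore_properties(jps_xml)
    csf_map = props.get("keystore.csf.map")
    bindings, problems = {"keystore": location}, []
    roles = (("store", "keystore.pass.csf.key"),
             ("sign", "keystore.sig.csf.key"),
             ("encrypt", "keystore.enc.csf.key"))
    for role, prop in roles:
        csf_key = props.get(prop)
        cred = cred_store.get((csf_map, csf_key))
        if cred is None:
            problems.append("%s: no credential %s/%s" % (role, csf_map, csf_key))
            continue
        user, password = cred
        if role == "store":
            # Assumption: only the password of this credential opens the keystore.
            if password != keystore["storepass"]:
                problems.append("store: password does not open " + location)
            continue
        # For sign/encrypt the credential's user is the key alias in the keystore.
        bindings[role] = user
        if user not in keystore["aliases"]:
            problems.append("%s: alias %r not in keystore" % (role, user))
        elif password != keystore["aliases"][user]:
            problems.append("%s: wrong key password for alias %r" % (role, user))
    return bindings, problems
```

With the values used in this How-To, resolve() returns no problems and binds both signing and encryption to the alias orakey.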
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide the "Project Name" and "WSDL" information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI: the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the key material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented, which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40:
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
i. Parts:
   Name        Namespace                                                                             Encode
   Body        http://schemas.xmlsoap.org/soap/envelope/                                             Element
   Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd    Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
   Name   Namespace                                    Encode
   Body   http://schemas.xmlsoap.org/soap/envelope/    Content
Figure 44: Encryption Configuration
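As an added example (not part of the original guide, and not output captured from SOAP UI), the following Python check takes a request envelope and reports where it deviates from the three outgoing entries configured in steps 9 to 14: a Timestamp, a signature over Body and Timestamp with the selected algorithms, and encrypted Body content. The sample envelope, its Id values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Algorithms selected in steps 12 and 14.
EXPECTED = {
    "c14n": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digest": "http://www.w3.org/2000/09/xmldsig#sha1",
    "key_encryption": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "data_encryption": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
}

# Constructed, abbreviated request: structure only, no key material, digests or ciphertext.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsse="{wsse}"
    xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:xenc="{xenc}">
 <soapenv:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1">
   <wsu:Created>2012-03-16T21:52:30Z</wsu:Created>
   <wsu:Expires>2012-03-16T21:52:35Z</wsu:Expires>
  </wsu:Timestamp>
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="{key_encryption}"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="{c14n}"/>
   <ds:SignatureMethod Algorithm="{signature}"/>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1"><xenc:EncryptionMethod Algorithm="{data_encryption}"/></xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>""".format(**NS, **EXPECTED)


def _algorithm(parent, path, key, findings):
    """Record a finding unless parent/path carries the expected Algorithm URI."""
    el = parent.find(path, NS) if parent is not None else None
    found = el.get("Algorithm") if el is not None else None
    if found != EXPECTED[key]:
        findings.append("%s algorithm is %s" % (key, found))


def check_request(xml_text):
    """Return a list of deviations from the wss10 outgoing configuration (empty = none)."""
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    body = root.find("soapenv:Body", NS)
    if sec is None or body is None:
        return ["wsse:Security header or soapenv:Body missing"]
    findings = []
    wsu_id = "{%s}Id" % NS["wsu"]

    # a. Timestamp entry
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None or ts.find("wsu:Created", NS) is None or ts.find("wsu:Expires", NS) is None:
        findings.append("Timestamp with Created and Expires missing")

    # b. Signature entry: algorithms, and both parts (Body, Timestamp) must be referenced.
    signed_info = sec.find("ds:Signature/ds:SignedInfo", NS)
    if signed_info is None:
        findings.append("Signature missing")
    else:
        _algorithm(signed_info, "ds:CanonicalizationMethod", "c14n", findings)
        _algorithm(signed_info, "ds:SignatureMethod", "signature", findings)
        refs = signed_info.findall("ds:Reference", NS)
        for ref in refs:
            _algorithm(ref, "ds:DigestMethod", "digest", findings)
        signed_ids = {ref.get("URI", "").lstrip("#") for ref in refs}
        for name, part in (("Timestamp", ts), ("Body", body)):
            if part is None or part.get(wsu_id) not in signed_ids:
                findings.append(name + " is not covered by the signature")

    # c. Encryption entry: Body content is EncryptedData, its key wrapped in EncryptedKey.
    children = list(body)
    enc_tag = "{%s}EncryptedData" % NS["xenc"]
    if len(children) != 1 or children[0].tag != enc_tag:
        findings.append("Body content is not encrypted")
    else:
        _algorithm(children[0], "xenc:EncryptionMethod", "data_encryption", findings)
        enc_key = sec.find("xenc:EncryptedKey", NS)
        _algorithm(enc_key, "xenc:EncryptionMethod", "key_encryption", findings)
        uris = [] if enc_key is None else [
            d.get("URI") for d in enc_key.findall("xenc:ReferenceList/xenc:DataReference", NS)]
        if "#" + (children[0].get("Id") or "") not in uris:
            findings.append("EncryptedKey does not reference the encrypted Body")
    return findings
```

The check looks only at structure and algorithm URIs; it does not verify the signature value or decrypt anything.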
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
b. Signature Keystore: Select "default-keystore.jks" from the drop down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
2. Provide the following values as shown in Figure 3:
"Application Name": HelloWorldJaxWS
"Directory": D:\JDeveloper\mywork\HelloWorldJaxWS
JDeveloper will create the new application in the above directory. For purposes of this How-To, select "Generic Application" from the Application Template as shown in Figure 3.
Figure 3: Provide Application Name and Folder information
Click on the "Next" button to proceed to the next step.
3. Create a Project for the new application by providing Project information like "Project Name" and "Directory" as shown in Figure 4. Since we want to create a POJO based Web Service, select "Web Services" from the "Project Technologies" tab. This will automatically also include Java. Figure 4 shows the selected technologies for this project.
Figure 4: Select Project Technologies and provide Project information
Click on the "Next" button.
4. Complete the New Application creation process by providing package information, and leave the defaults for "Java Source Path" and "Output Directory" as shown in Figure 5.
Figure 5: Provide Package and other Java Settings
Click on the "Finish" button to complete creation of the new application and the project.
5. Next we will create a Java Class. To create a Java Class, right click on the "HelloWorld" project under the HelloWorldJaxWS application and select "New" from the Context Menu as shown in Figure 6.
Figure 6: Creating Java Class in a project
6. This will launch the Dialog shown in Figure 7. In the "Current Project Technologies" tab, select "Java" from the "Categories" on the left hand side, and under the "Items" panel on the right hand side select "Java Class" as shown in Figure 7. Click on the "OK" button after making the above selections.
Figure 7: Select Java Class from the New Gallery Dialog
7. This will launch the new "Java Class" Creation Dialog as shown in Figure 8. Provide "HelloWorld" as the name of the java class and provide an appropriate value for the java package. Retain defaults for the remainder of the fields. Click "OK" to complete the new Java Class creation dialog.
Figure 8: New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:
package helloworld;

public class HelloWorld {
    public HelloWorld() {
        super();
    }
}
Add the following lines of code to the HelloWorld class:
    public String hello(String str) {
        return "Hello " + str;
    }
9. The next step is to create a Web Service from the HelloWorld java class created in the previous steps. To create a Web Service, right click on the HelloWorld.java file. Select "Create Web Service…" from the Context menu as shown in Figure 9.
Figure 9: Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the "Java Web Service creation" wizard select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process as shown in Figure 10 - Figure 17.
Figure 10: Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11: Provide Web Service name
Figure 12: Retain default SOAP binding
Figure 13: Select the methods that should be exposed as part of the Web Service
Figure 14: Skip Additional Classes
Figure 15: Skip specifying policies
Figure 16: Skip providing any Handlers
Figure 17: Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right click on the HelloWorld.java file in JDeveloper. Select "Web Service Properties…" from the Context menu (Figure 18). This will launch the Dialog box seen in Figure 19.
Figure 18: Define Web Service Properties
2. In the Configure Policies Dialog select "OWSM policies". Upon selection of the OWSM Policies option, the system will display the list of out of the box policies that are shipped as part of OWSM. Also notice the Default Policy Store location. In this How-To it maps to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds".
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let's select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the "OK" button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a Keystore and Credentials. First we will create the keystore using the keytool command as shown in Figure 22. The command to create the keystore using keytool is (Note: keytool is shipped with the JDK):
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23: Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the "HelloWorld" Web Service. You do this by right clicking on HelloWorld.java and selecting "Run" from the Context Menu as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper The key aspect that is of interest here are the
following messages
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
As mentioned earlier the key thing to note is
On running this the first time ndash the domain for running the Integrated WLS is extended and the necessary artifacts are created By default this domain is called ldquoDefaultDomainrdquo In this scenario the ldquoDefaultDomainrdquo is located at DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig", as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd, as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain, as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store and jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship between Keystore, Credential Store Credentials and jps-config.xml
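The relationship that Figure 28 illustrates, written out as an added example (it is not part of the original guide): the keystore serviceInstance in jps-config.xml names a credential map and three CSF keys, and each key resolves to a credential that unlocks either the keystore file or one alias inside it. The jps-config.xml fragment, credential store and keystore contents below are constructed from the values used in steps 4, 6 and 8; the function names and the dictionary model of the two stores are assumptions, as is the convention that the user of the sign and enc credentials is the key alias while only the password of keystore-csf-key is used.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the keystore serviceInstance shown in step 6.
JPS_CONFIG = """\
<jpsConfig>
  <serviceInstances>
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <property name="keystore.provider.type" value="file"/>
      <property name="keystore.file.path" value="./"/>
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# Constructed model of the credential store after the three createCred calls in step 8:
# map name -> csf key -> (user, password).
CRED_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "welcome1"),
        "enc-csf-key": ("orakey", "welcome1"),
        "sign-csf-key": ("orakey", "welcome1"),
    }
}

# Constructed model of default-keystore.jks from step 4:
# the store password plus alias -> key password.
KEYSTORE = {"store_password": "welcome1", "aliases": {"orakey": "welcome1"}}


def _local(tag):
    """Strip an XML namespace so the lookup also works on a namespaced jps-config.xml."""
    return tag.rsplit("}", 1)[-1]


def keystore_bindings(jps_xml):
    """Return the keystore location and the CSF map/key names jps-config.xml points to."""
    root = ET.fromstring(jps_xml)
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == "keystore":
            props = {p.get("name"): p.get("value")
                     for p in el if _local(p.tag) == "property"}
            return {
                "location": el.get("location"),
                "csf_map": props.get("keystore.csf.map"),
                "store": props.get("keystore.pass.csf.key"),
                "sign": props.get("keystore.sig.csf.key"),
                "encrypt": props.get("keystore.enc.csf.key"),
            }
    raise ValueError("no keystore serviceInstance in jps-config.xml")


def check_chain(jps_xml, cred_store, keystore):
    """Return a list of inconsistencies; an empty list means the three artifacts line up."""
    b = keystore_bindings(jps_xml)
    creds = cred_store.get(b["csf_map"])
    if creds is None:
        return ["credential map %r not found" % b["csf_map"]]
    problems = []
    for role in ("store", "sign", "encrypt"):
        csf_key = b[role]
        if csf_key not in creds:
            problems.append("%s: credential %r missing from map" % (role, csf_key))
            continue
        user, password = creds[csf_key]
        if role == "store":
            # Only the password matters here: it must open the keystore file.
            if password != keystore["store_password"]:
                problems.append("store: password does not open %s" % b["location"])
        elif user not in keystore["aliases"]:
            # For signing and encryption the credential's user is the key alias.
            problems.append("%s: alias %r not in keystore" % (role, user))
        elif password != keystore["aliases"][user]:
            problems.append("%s: wrong key password for alias %r" % (role, user))
    return problems


if __name__ == "__main__":
    print(keystore_bindings(JPS_CONFIG))
    print(check_chain(JPS_CONFIG, CRED_STORE, KEYSTORE) or "consistent")
```

A mismatch at any link (a missing CSF key, an alias that is not in the keystore, a wrong key password) is reported by role, which is the same chain the service has to follow before it can sign or decrypt a message.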
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run HelloWorld from within JDeveloper, as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new Project, as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide "Project Name" and "WSDL" information for the HelloWorld WS, as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab, as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore, as shown in Figure 33. This will launch a dialog to select the Key Material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1", as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and then clicking on the "+" icon, as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog is presented, which contains a single drop down list. Select "Timestamp" from the dialog, as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again, as shown in Figure 38, and selecting "Signature" from the "Add WSS Entry" drop down, as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires many more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab are displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
i. Parts:
    Name        Namespace                                                                            Encode
    Body        http://schemas.xmlsoap.org/soap/envelope/                                            Element
    Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again, as shown in Figure 38, and selecting "Encryption" from the "Add WSS Entry" drop down, as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires many more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab are displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
    Name   Namespace                                   Encode
    Body   http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub-tab and click on the "+" icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
b. Signature Keystore: Select "default-keystore.jks" from the drop down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left-hand browse tree. This will create a request, as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Copyright © 2011 Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
3. Create a Project for the new application by providing Project information like "Project Name" and "Directory", as shown in Figure 4. Since we want to create a POJO based Web Service, select "Web Services" from the "Project Technologies" tab. This will automatically also include Java. Figure 4 shows the selected technologies for this project.
Figure 4: Select Project Technologies and provide Project information
Click on the "Next" button.
4. Complete the New Application creation process by providing package information, and leave the defaults for "Java Source Path" and "Output Directory", as shown in Figure 5.
Figure 5: Provide Package and other Java Settings
Click on the "Finish" button to complete creation of the new application and the project.
5. Next we will create a Java Class. To create a Java Class, right-click on the "HelloWorld" project under the HelloWorldJaxWS application and select "New" from the Context Menu, as shown in Figure 6.
Figure 6: Creating Java Class in a project
6. This will launch the Dialog shown in Figure 7. In the "Current Project Technologies" tab, select "Java" from the "Categories" on the left-hand side and, under the "Items" panel on the right-hand side, select "Java Class", as shown in Figure 7. Click on the "OK" button after making the above selections.
Figure 7: Select Java Class from the New Gallery Dialog
7. This will launch the new "Java Class" Creation Dialog, as shown in Figure 8. Provide "HelloWorld" as the name of the Java class and provide an appropriate value for the Java package. Retain defaults for the remainder of the fields. Click "OK" to complete the new Java Class creation dialog.
Figure 8: New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:
    package helloworld;

    public class HelloWorld {
        public HelloWorld() {
            super();
        }
    }
Add the following lines of code to the HelloWorld class:
    // Operation exposed by the Web Service: returns a greeting for the supplied string
    public String hello(String str) {
        return "Hello " + str;
    }
9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right-click on the HelloWorld.java file and select "Create Web Service..." from the Context menu, as shown in Figure 9.
Figure 9: Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the "Java Web Service creation" wizard, select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process, as shown in Figure 10 - Figure 17.
Figure 10: Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11: Provide Web Service name
Figure 12: Retain default SOAP binding
Figure 13: Select the methods that should be exposed as part of the Web Service
Figure 14: Skip Additional Classes
Figure 15: Skip specifying policies
Figure 16: Skip providing any Handlers
Figure 17: Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right-click on the HelloWorld.java file in JDeveloper. Select "Web Service Properties..." from the Context menu (Figure 18). This will launch the Dialog box seen in Figure 19.
Figure 18: Define Web Service Properties
2. In the Configure Policies Dialog, select "OWSM policies". Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds".
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let's select the oracle/wss10_message_protection_service_policy, as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the "OK" button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class, as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a Keystore and Credentials. First we will create the keystore using the keytool command, as shown in Figure 22. The command to create the keystore using keytool (Note: keytool is shipped with the JDK):
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23: Check contents of Keystore using keytool
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper. The messages of interest here are the following:

    [Waiting for the domain to finish building]
    [09:47:56 PM] Creating Integrated Weblogic domain
    [09:50:03 PM] Extending Integrated Weblogic domain
    [09:50:51 PM] Integrated Weblogic domain processing completed successfully
    Using port 7101
    D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
    [waiting for the server to complete its initialization]

As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig” as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:

    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>

The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:

    $> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    $> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    $> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
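The wiring between the three artifacts can also be checked mechanically. The following is an added example, not part of the original How-To or of Oracle's tooling: it reads the keystore serviceInstance from jps-config.xml and confirms that every CSF key it names exists in the credential map, and that the signing and encryption credentials carry a user name that is an alias in the keystore. The function names and the sample credential store and alias set are constructed for illustration from the values used in the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the keystore serviceInstance from jps-config.xml in this How-To.
JPS_KEYSTORE_INSTANCE = """
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed sample: the credential store after the three createCred() calls,
# as map name -> csf key -> (user, password).
CREDENTIAL_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "welcome1"),
        "enc-csf-key": ("orakey", "welcome1"),
        "sign-csf-key": ("orakey", "welcome1"),
    }
}

# Constructed sample: aliases that `keytool -list` reports for default-keystore.jks.
KEYSTORE_ALIASES = {"orakey"}

# (property in jps-config.xml, must the credential's user be a keystore alias?)
CSF_KEY_PROPERTIES = (
    ("keystore.pass.csf.key", False),  # only the password is used: it opens the keystore
    ("keystore.sig.csf.key", True),    # user = signing key alias, password = key password
    ("keystore.enc.csf.key", True),    # user = encryption key alias, password = key password
)


def _local(tag):
    """Strip an XML namespace so a full jps-config.xml can be parsed as well."""
    return tag.rsplit("}", 1)[-1]


def read_keystore_instance(jps_xml):
    """Return the properties of the serviceInstance named 'keystore'."""
    root = ET.fromstring(jps_xml)
    for element in root.iter():
        if _local(element.tag) == "serviceInstance" and element.get("name") == "keystore":
            props = {p.get("name"): p.get("value")
                     for p in element if _local(p.tag) == "property"}
            props["location"] = element.get("location")
            return props
    raise ValueError("no serviceInstance named 'keystore' found")


def check_wiring(jps_xml, credential_store, keystore_aliases):
    """Return a list of wiring problems; an empty list means the artifacts line up."""
    props = read_keystore_instance(jps_xml)
    map_name = props.get("keystore.csf.map")
    credentials = credential_store.get(map_name)
    if credentials is None:
        return ["credential map %r named by keystore.csf.map does not exist" % map_name]

    problems = []
    for prop, needs_alias in CSF_KEY_PROPERTIES:
        csf_key = props.get(prop)
        if csf_key is None:
            problems.append("%s is not set in jps-config.xml" % prop)
            continue
        if csf_key not in credentials:
            problems.append("%s points at %r, which is missing from map %r"
                            % (prop, csf_key, map_name))
            continue
        user, _password = credentials[csf_key]  # the password is never reported
        if needs_alias and user not in keystore_aliases:
            problems.append("%r has user %r, which is not an alias in %s"
                            % (csf_key, user, props["location"]))
    return problems


if __name__ == "__main__":
    for problem in check_wiring(JPS_KEYSTORE_INSTANCE, CREDENTIAL_STORE, KEYSTORE_ALIASES):
        print("PROBLEM:", problem)
```
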
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented which contains a single drop down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40:
   a. Time to Live: 5000
   b. Leave the unit for “Time to Live” in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases
   c. Password: “welcome1”. This is the password for the alias
   d. Key Identifier Type: Select “Binary Security Token” from the drop down
   e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down
   f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down
   g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down
   h. Use Single Certificate: Ensure “Use single certificate for signing” is checked
   i. Parts:

      Name       Namespace                                                                            Encode
      Body       http://schemas.xmlsoap.org/soap/envelope/                                            Element
      Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42 Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases
   c. Password: “welcome1”. This is the password for the alias
   d. Key Identifier Type: Select “Binary Security Token” from the drop down
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields
   f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down
   g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down
   h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down
   i. Create Encrypted Key: Ensure the checkbox is checked
   j. Parts:

      Name   Namespace                                   Encode
      Body   http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
   a. Decrypt Keystore: Select “default-keystore.jks” from the drop down
   b. Signature Keystore: Select “default-keystore.jks” from the drop down
   c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation on the left hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select “wss10” from the drop down
   b. Incoming WSS: Select “wss10” from the drop down
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
    [Waiting for the domain to finish building]
    [09:47:56 PM] Creating Integrated Weblogic domain
    [09:50:03 PM] Extending Integrated Weblogic domain
    [09:50:51 PM] Integrated Weblogic domain processing completed successfully
    Using port 7101
    D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
    [waiting for the server to complete its initialization]
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
4. Complete the New Application creation process by providing package information, and leave the defaults for “Java Source Path” and “Output Directory” as shown in Figure 5.
Figure 5 Provide Package and other Java Settings
Click on the “Finish” button to complete creation of the new application and the project.
5. Next we will create a Java Class. To create a Java Class, right click on the “HelloWorld” project under the HelloWorldJaxWS application and select “New” from the Context Menu as shown in Figure 6.
Figure 6 Creating Java Class in a project
6. This will launch the dialog shown in Figure 7. In the “Current Project Technologies” tab, select “Java” from the “Categories” on the left hand side, and under the “Items” panel on the right hand side select “Java Class” as shown in Figure 7. Click on the “OK” button after making the above selections.
Figure 7 Select Java Class from the New Gallery Dialog
7. This will launch the new “Java Class” creation dialog as shown in Figure 8. Provide “HelloWorld” as the name of the Java class and provide an appropriate value for the Java package. Retain defaults for the remainder of the fields. Click “OK” to complete the new Java Class creation dialog.
Figure 8 New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:

    package helloworld;

    public class HelloWorld {
        public HelloWorld() {
            super();
        }
    }

Add the following lines of code to the HelloWorld class:

    public String hello(String str) {
        return "Hello " + str;
    }

9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right click on the HelloWorld.java file. Select “Create Web Service…” from the Context menu as shown in Figure 9.
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process as shown in Figure 10 - Figure 17.
Figure 10 Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Figure 14 Skip Additional Classes
Figure 15 Skip specifying policies
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right-click on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the Context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies dialog select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out of the box policies that are shipped as part of OWSM. Also notice the Default Policy Store location. In this How-To it maps to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper. The key messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig”, as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd, as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain, as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
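The relationship described above can be checked mechanically. The following sketch is an added example, not part of the original guide or of Oracle's tooling: it reads the keystore service instance from jps-config.xml, follows each CSF key into the credential store, and confirms that the credential found there matches the keystore. The dictionaries standing in for the credential store and for default-keystore.jks are constructed from the values used in this How-To, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the keystore service instance as this How-To configures it.
# A real jps-config.xml also declares an XML namespace, which _local() tolerates.
JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="keystore" provider="keystore.provider"
                     location="./default-keystore.jks">
      <description>Default JPS Keystore Service</description>
      <property name="keystore.provider.type" value="file"/>
      <property name="keystore.file.path" value="./"/>
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""

# Constructed stand-in for the credential store after the three createCred()
# calls: (map, key) -> (user, password).
CRED_STORE = {
    ("oracle.wsm.security", "keystore-csf-key"): ("owsm", "welcome1"),
    ("oracle.wsm.security", "enc-csf-key"): ("orakey", "welcome1"),
    ("oracle.wsm.security", "sign-csf-key"): ("orakey", "welcome1"),
}

# Constructed stand-in for default-keystore.jks: the store password and, per
# alias, the key password (assumed here to equal the store password).
KEYSTORE = {"storepass": "welcome1", "aliases": {"orakey": "welcome1"}}

# jps-config.xml property -> what the referenced credential unlocks.
ROLES = {
    "keystore.pass.csf.key": "keystore",
    "keystore.sig.csf.key": "signing key",
    "keystore.enc.csf.key": "encryption key",
}


def _local(tag):
    """Strip an '{namespace}' prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def keystore_service(jps_xml):
    """Return location, CSF map and CSF key names of the keystore instance."""
    for elem in ET.fromstring(jps_xml).iter():
        if _local(elem.tag) == "serviceInstance" and elem.get("name") == "keystore":
            props = {p.get("name"): p.get("value")
                     for p in elem if _local(p.tag) == "property"}
            return {
                "location": elem.get("location"),
                "map": props.get("keystore.csf.map"),
                "keys": {role: props.get(prop) for prop, role in ROLES.items()},
            }
    raise ValueError("no keystore serviceInstance in jps-config.xml")


def check_wiring(jps_xml, cred_store, keystore):
    """Follow jps-config.xml -> credential store -> keystore; list mismatches.

    Findings never include a password value, only which link is broken.
    """
    svc = keystore_service(jps_xml)
    csf_map = svc["map"]
    findings = []
    for role, csf_key in svc["keys"].items():
        if csf_key is None:
            findings.append(f"{role}: jps-config.xml names no CSF key")
            continue
        cred = cred_store.get((csf_map, csf_key))
        if cred is None:
            findings.append(f"{role}: no credential '{csf_key}' in map '{csf_map}'")
            continue
        user, password = cred
        if role == "keystore":
            # The guide's user for this entry (owsm) is not a key alias,
            # so only the password is compared against the store password.
            if password != keystore["storepass"]:
                findings.append(
                    f"{role}: credential '{csf_key}' does not hold the keystore password")
        elif user not in keystore["aliases"]:
            findings.append(
                f"{role}: credential '{csf_key}' names alias '{user}', "
                "which is not in the keystore")
        elif password != keystore["aliases"][user]:
            findings.append(
                f"{role}: credential '{csf_key}' has the wrong key password "
                f"for alias '{user}'")
    return findings


if __name__ == "__main__":
    problems = check_wiring(JPS_CONFIG, CRED_STORE, KEYSTORE)
    print("wiring OK" if not problems else "\n".join(problems))
```

For the signing and encryption entries the credential's user is the key alias (orakey) and its password is the key password; for keystore-csf-key only the password, which opens the keystore file itself, is compared.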
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new project as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS, as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double-click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystores/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore, as shown in Figure 33. This will launch a dialog to select the key material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon, as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Signature” from the “Add WSS Entry” drop down, as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42 Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Encryption” from the “Add WSS Entry” drop down, as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub-tab and click on the “+” icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down
b. Signature Keystore: Select “default-keystore.jks” from the drop down
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down
b. Incoming WSS: Select “wss10” from the drop down
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
5. Next we will create a Java class. To create a Java class, right-click on the “HelloWorld” project under the HelloWorldJaxWS application and select “New” from the context menu, as shown in Figure 6.
Figure 6 Creating Java Class in a project
6. This will launch the dialog shown in Figure 7. In the “Current Project Technologies” tab, select “Java” from the “Categories” on the left-hand side, and under the “Items” panel on the right-hand side select “Java Class”, as shown in Figure 7. Click on the “OK” button after making the above selections.
Figure 7 Select Java Class from the New Gallery Dialog
7. This will launch the new “Java Class” creation dialog, as shown in Figure 8. Provide “HelloWorld” as the name of the Java class and provide an appropriate value for the Java package. Retain defaults for the remainder of the fields. Click “OK” to complete the new Java Class creation dialog.
Figure 8 New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:
package helloworld;

public class HelloWorld {
    public HelloWorld() {
        super();
    }
}
Add the following lines of code to the HelloWorld class:
    // Operation that will be exposed by the Web Service
    public String hello(String str) {
        return "Hello " + str;
    }
9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right-click on the HelloWorld.java file. Select “Create Web Service…” from the context menu, as shown in Figure 9.
Figure 9 Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process, as shown in Figure 10 - Figure 17.
Figure 10 Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Figure 14 Skip Additional Classes
Figure 15 Skip specifying policies
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right-click on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies dialog select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the policy attachment. Upon completion of the policy attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class, as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that JDeveloper outputs. The messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig”, as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd, as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain, as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
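The chain described in step 9, from the keystore entry in jps-config.xml (step 6) through the credentials created with createCred (step 8) to the key alias in default-keystore.jks, can be walked mechanically. The Python sketch below is an added example, not part of the original guide or of OWSM: the credential store and the keystore alias list are constructed in-memory models, the function names are hypothetical, and it assumes the OWSM convention that the user of sign-csf-key and enc-csf-key is the key alias while the user of keystore-csf-key is ignored.

```python
import xml.etree.ElementTree as ET

# Keystore service entry from jps-config.xml, as listed in step 6.
JPS_KEYSTORE_ENTRY = """
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed model of the credential store after the three createCred()
# calls in step 8: map name -> csf key -> (user, password). Demo values only.
CREDENTIAL_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "welcome1"),
        "enc-csf-key": ("orakey", "welcome1"),
        "sign-csf-key": ("orakey", "welcome1"),
    }
}

# Constructed model of default-keystore.jks: the aliases "keytool -list" shows.
KEYSTORE_ALIASES = {"orakey"}

# jps-config.xml property, its role, and whether the credential's user
# names a key alias (assumption stated in the lead-in).
ROLES = [
    ("keystore.pass.csf.key", "keystore password", False),
    ("keystore.sig.csf.key", "signing key", True),
    ("keystore.enc.csf.key", "encryption key", True),
]


def parse_keystore_service(xml_text):
    """Return the location and properties of the keystore serviceInstance."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "serviceInstance" or root.get("name") != "keystore":
        raise ValueError("not the keystore serviceInstance")
    props = {p.get("name"): p.get("value") for p in root.findall("property")}
    return {"location": root.get("location"), "props": props}


def resolve_chain(service, cred_store, keystore_aliases):
    """Follow jps-config.xml -> credential store -> keystore.

    Returns (resolved, problems). resolved maps each role to the alias it
    ends at (None for the keystore password, which names no alias);
    problems lists every broken link so all of them can be fixed at once.
    """
    props = service["props"]
    resolved, problems = {}, []
    map_name = props.get("keystore.csf.map")
    cred_map = cred_store.get(map_name)
    if cred_map is None:
        return resolved, ["credential map %r does not exist" % map_name]
    # JKS stores aliases lower-cased, so compare case-insensitively.
    aliases = {a.lower() for a in keystore_aliases}
    for prop, role, user_is_alias in ROLES:
        csf_key = props.get(prop)
        if not csf_key:
            problems.append("%s is not set in jps-config.xml" % prop)
            continue
        cred = cred_map.get(csf_key)
        if cred is None:
            problems.append("%s: no credential %r in map %r"
                            % (role, csf_key, map_name))
            continue
        user, password = cred
        if not password:
            problems.append("%s: credential %r has an empty password"
                            % (role, csf_key))
        elif not user_is_alias:
            resolved[role] = None
        elif user.lower() not in aliases:
            problems.append("%s: alias %r (user of %r) is not in %s"
                            % (role, user, csf_key, service["location"]))
        else:
            resolved[role] = user
    return resolved, problems


if __name__ == "__main__":
    svc = parse_keystore_service(JPS_KEYSTORE_ENTRY)
    ok, issues = resolve_chain(svc, CREDENTIAL_STORE, KEYSTORE_ALIASES)
    for role, alias in ok.items():
        print("%-18s -> %s" % (role, alias or "(password only)"))
    for issue in issues:
        print("PROBLEM:", issue)
```

An empty problem list means every link from jps-config.xml to a key alias resolves; any entry in it names the first artifact in the chain that has to be corrected.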
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide the “Project Name” and “WSDL” information for the HelloWorld WS, as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double-click the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI: the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore, as shown in Figure 33. This will launch a dialog to select the key material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1”, as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and then clicking on the “+” icon, as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop-down list. Select “Timestamp” from the dialog, as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40:
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Signature” from the “Add WSS Entry” drop-down, as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop-down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop-down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop-down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop-down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Encryption” from the “Add WSS Entry” drop-down, as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop-down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop-down.
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop-down.
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop-down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub-tab and click on the “+” icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop-down.
b. Signature Keystore: Select “default-keystore.jks” from the drop-down.
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request, as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop-down.
b. Incoming WSS: Select “wss10” from the drop-down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
7. This will launch the new “Java Class” creation dialog, as shown in Figure 8. Provide “HelloWorld” as the name of the Java class and provide an appropriate value for the Java package. Retain the defaults for the remainder of the fields. Click “OK” to complete the new Java Class creation dialog.
Figure 8: New Java Class creation Dialog
8. JDeveloper will generate code along the lines shown below:
package helloworld;

public class HelloWorld {
    public HelloWorld() {
        super();
    }
}
Add the following lines of code to the HelloWorld class:
    // Operation exposed by the Web Service: returns a greeting for the supplied name
    public String hello(String str) {
        return "Hello " + str;
    }
9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right-click the HelloWorld.java file and select “Create Web Service…” from the context menu, as shown in Figure 9.
Figure 9: Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard, select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process, as shown in Figure 10 - Figure 17.
Figure 10: Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11: Provide Web Service name
Figure 12: Retain default SOAP binding
Figure 13: Select the methods that should be exposed as part of the Web Service
Figure 14: Skip Additional Classes
Figure 15: Skip specifying policies
Figure 16: Skip providing any Handlers
Figure 17: Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right-click the HelloWorld.java file in JDeveloper and select “Web Service Properties…” from the context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18: Define Web Service Properties
2. In the Configure Policies dialog, select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location. In this How-To it maps to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy, as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the policy attachment. Upon completion of the policy attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class, as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper The key aspect that is of interest here are the
following messages
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
As mentioned earlier the key thing to note is
On running this the first time ndash the domain for running the Integrated WLS is extended and the necessary artifacts are created By default this domain is called ldquoDefaultDomainrdquo In this scenario the ldquoDefaultDomainrdquo is located at DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 25
Copying the Keystore under the right location for Integrated WLS Server
5 Copy the default-keystorejks created earlier to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfigrdquo as shown in Figure 25
Figure 25 Copying default-keystorejks under DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 26
Verifying jps-configxml in Default Domain
6 The jps-configxml will be found under
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfig The most important entry in jps-configxml that is of interest is the following keystore service entry lt-- KeyStore Service Instance --gt ltserviceInstance name=keystore provider=keystoreprovider location=default-keystorejksgt ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt ltproperty name=keystoreprovidertype value=filegt ltproperty name=keystorefilepath value=gt ltproperty name=keystoretype value=JKSgt ltproperty name=keystorecsfmap value=oraclewsmsecuritygt ltproperty name=keystorepasscsfkey value=keystore-csf-keygt ltproperty name=keystoresigcsfkey value=sign-csf-keygt ltproperty name=keystoreenccsfkey value=enc-csf-keygt ltserviceInstancegt The next step is to configure the credentials in the DefaultDomain
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship between Keystore, Credential Store Credentials and jps-config.xml
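One way to check the chain that Figure 28 describes, as an added example (not Oracle's code and not part of the original How-To): jps-config.xml names a credential map and three CSF keys, each key must exist in that map, and the user of the signing and encryption credentials must be an alias in the keystore. The credential store and the alias list are modelled as plain Python data, which is an assumption standing in for the createCred entries and the keytool -list output.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the keystore serviceInstance from this How-To,
# wrapped in a minimal root element so it parses on its own.
JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""

# Assumed model of the credential store after the three createCred calls:
# {map: {csf key: user}}. Passwords are left out; only the linkage is checked.
CRED_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": "owsm",
        "sign-csf-key": "orakey",
        "enc-csf-key": "orakey",
    }
}
# Assumed result of `keytool -list` on default-keystore.jks.
ALIASES = {"orakey"}

# (jps-config property, role, must the credential's user be a keystore alias?)
CSF_PROPS = [
    ("keystore.pass.csf.key", "keystore password", False),
    ("keystore.sig.csf.key", "signing key", True),
    ("keystore.enc.csf.key", "encryption key", True),
]


def _local(tag):
    """Strip an XML namespace so the real, namespaced jps-config.xml also parses."""
    return tag.rsplit("}", 1)[-1]


def keystore_properties(jps_xml):
    """Return the properties of the serviceInstance named 'keystore', or None."""
    for elem in ET.fromstring(jps_xml).iter():
        if _local(elem.tag) == "serviceInstance" and elem.get("name") == "keystore":
            props = {p.get("name"): p.get("value")
                     for p in elem if _local(p.tag) == "property"}
            props["location"] = elem.get("location")
            return props
    return None


def check_chain(jps_xml, cred_store, aliases):
    """List every broken link between jps-config.xml, credentials and aliases."""
    props = keystore_properties(jps_xml)
    if props is None:
        return ["no serviceInstance named 'keystore' in jps-config.xml"]
    map_name = props.get("keystore.csf.map")
    creds = cred_store.get(map_name)
    if creds is None:
        return ["credential map %r (keystore.csf.map) is not in the credential store" % map_name]
    problems = []
    for prop, role, needs_alias in CSF_PROPS:
        csf_key = props.get(prop)
        if csf_key is None:
            problems.append("%s is not set in jps-config.xml" % prop)
        elif csf_key not in creds:
            problems.append("%s: no credential %r in map %r" % (role, csf_key, map_name))
        elif needs_alias and creds[csf_key] not in aliases:
            problems.append("%s: user %r of %r is not an alias in %s"
                            % (role, creds[csf_key], csf_key, props["location"]))
    return problems


if __name__ == "__main__":
    for line in check_chain(JPS_CONFIG, CRED_STORE, ALIASES) or ["chain is consistent"]:
        print(line)
```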
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented which contains a single drop down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for “Time to Live” in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop down.
   e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
   f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
   g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
   h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
   i. Parts:
      Name        Namespace                                                                            Encode
      Body        http://schemas.xmlsoap.org/soap/envelope/                                            Element
      Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
   g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
   h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:
      Name   Namespace                                   Encode
      Body   http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44: Encryption Configuration
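The Timestamp, Signature and Encryption entries above determine what the wsse:Security header of the outgoing request must contain. The following check is an added example, not part of the original How-To or of SOAP UI or OWSM: it inspects a constructed sample envelope and reports parts that are unsigned or unencrypted, or algorithms that differ from steps 12 and 14. The element ids and the sample message are assumptions, and only the structure is checked, not the cryptographic values.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Algorithm URIs selected in steps 12 and 14 of this How-To.
SIG_ALG = NS["ds"] + "rsa-sha1"
DIGEST_ALG = NS["ds"] + "sha1"
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
KEY_ENC_ALG = NS["xenc"] + "rsa-oaep-mgf1p"
SYM_ENC_ALG = NS["xenc"] + "aes128-cbc"

# Constructed sample request: ids are assumptions; key, digest and cipher values are omitted.
SAMPLE = """<soap:Envelope %s>
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1">
   <wsu:Created>2012-03-16T21:52:13Z</wsu:Created><wsu:Expires>2012-03-16T21:52:18Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="X509-1"/>
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>""" % " ".join('xmlns:%s="%s"' % item for item in NS.items())


def _alg(parent, path):
    """Return the Algorithm attribute of parent/path, or None if absent."""
    node = parent.find(path, NS) if parent is not None else None
    return node.get("Algorithm") if node is not None else None


def _refs(parent, path):
    """Collect the ids referenced as URI="#id" under parent/path."""
    if parent is None:
        return set()
    return {r.get("URI", "").lstrip("#") for r in parent.findall(path, NS)}


def audit(envelope_xml):
    """Return a list of deviations from the wss10 outgoing configuration."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        return ["no wsse:Security header or no soap:Body"]
    findings = []
    sig = sec.find("ds:Signature", NS)
    enc_key = sec.find("xenc:EncryptedKey", NS)
    enc_data = body.find("xenc:EncryptedData", NS)

    # Signature parts: both the Timestamp and the Body element must be referenced.
    signed = _refs(sig, "ds:SignedInfo/ds:Reference")
    for name, elem in (("Timestamp", sec.find("wsu:Timestamp", NS)), ("Body", body)):
        if elem is None:
            findings.append("%s is missing" % name)
        elif elem.get(WSU_ID) not in signed:
            findings.append("%s is not covered by the signature" % name)

    # Encryption part: Body "Content" means the only child is EncryptedData.
    if enc_data is None or len(body) != 1:
        findings.append("Body content is not encrypted")
    elif enc_data.get("Id") not in _refs(enc_key, "xenc:ReferenceList/xenc:DataReference"):
        findings.append("EncryptedKey does not reference the Body's EncryptedData")

    expected = [
        ("signature algorithm", _alg(sig, "ds:SignedInfo/ds:SignatureMethod"), SIG_ALG),
        ("signature canonicalization", _alg(sig, "ds:SignedInfo/ds:CanonicalizationMethod"), C14N),
        ("key encryption algorithm", _alg(enc_key, "xenc:EncryptionMethod"), KEY_ENC_ALG),
        ("symmetric encoding algorithm", _alg(enc_data, "xenc:EncryptionMethod"), SYM_ENC_ALG),
    ]
    if sig is not None:
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            expected.append(("digest algorithm for " + ref.get("URI", "?"),
                             _alg(ref, "ds:DigestMethod"), DIGEST_ALG))
    for label, got, want in expected:
        if got != want:
            findings.append("%s is %r, expected %r" % (label, got, want))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "request matches the wss10 outgoing configuration")
```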
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
   a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
   b. Signature Keystore: Select “default-keystore.jks” from the drop down.
   c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select “wss10” from the drop down.
   b. Incoming WSS: Select “wss10” from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\lib\ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1\lib\ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Add the following lines of code to the HelloWorld class:
    public String hello(String str) {
        // Return the greeting for the supplied name
        return "Hello " + str;
    }
9. The next step is to create a Web Service from the HelloWorld Java class created in the previous steps. To create a Web Service, right click on the HelloWorld.java file. Select “Create Web Service…” from the Context menu as shown in Figure 9.
Figure 9: Launch the Web Service Creation Wizard on the HelloWorld POJO class
10. From the “Java Web Service creation” wizard select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process as shown in Figure 10 - Figure 17.
Figure 10: Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11: Provide Web Service name
Figure 12: Retain default SOAP binding
Figure 13: Select the methods that should be exposed as part of the Web Service
Figure 14: Skip Additional Classes
Figure 15: Skip specifying policies
Figure 16: Skip providing any Handlers
Figure 17: Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, “right click” on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the Context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18: Define Web Service Properties
2. In the Configure Policies dialog select “OWSM policies”. Upon selection of the OWSM Policies option the system will display the list of out of the box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a Keystore and Credentials. First we will create the keystore using the keytool command as shown in Figure 22. The command to create the keystore using keytool is the following (Note: keytool is shipped with the JDK):
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23: Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by “right clicking” on HelloWorld.java and selecting “Run” from the Context Menu as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario, the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 25
Copying the Keystore under the right location for Integrated WLS Server
5 Copy the default-keystorejks created earlier to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfigrdquo as shown in Figure 25
Figure 25 Copying default-keystorejks under DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 26
Verifying jps-configxml in Default Domain
6 The jps-configxml will be found under
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfig The most important entry in jps-configxml that is of interest is the following keystore service entry lt-- KeyStore Service Instance --gt ltserviceInstance name=keystore provider=keystoreprovider location=default-keystorejksgt ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt ltproperty name=keystoreprovidertype value=filegt ltproperty name=keystorefilepath value=gt ltproperty name=keystoretype value=JKSgt ltproperty name=keystorecsfmap value=oraclewsmsecuritygt ltproperty name=keystorepasscsfkey value=keystore-csf-keygt ltproperty name=keystoresigcsfkey value=sign-csf-keygt ltproperty name=keystoreenccsfkey value=enc-csf-keygt ltserviceInstancegt The next step is to configure the credentials in the DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 27
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running 7 Start WLST from DOracle11gMiddleware oracle_commoncommonbinwlstcmd as shown in Figure 26
Figure 26 Starting WLST for Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 28
8 Connect to the Integrated WLS Server running DefaultDomain as show in Figure 27
Figure 27 Connect to Integrated WLS Server
Once connected add the following credentials to the credential store
$gt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm password=welcome1 desc=Keystore key) $gtcreateCred(map=oraclewsmsecurity key=enc-csf-key user=orakey password=welcome1 desc=Encryption key) $gtcreateCred(map=oraclewsmsecurity key=sign-csf-key user=orakey password=welcome1 desc=Signing key)
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld Web Service from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new project as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide the "Project Name" and "WSDL" information for the HelloWorld WS as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI: the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the key material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented, which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for "Time to Live" in milliseconds.
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop down.
   e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
   f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
   g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
   h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
   i. Parts:

      Name       Namespace                                                                           Encode
      Body       http://schemas.xmlsoap.org/soap/envelope/                                           Element
      Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd  Element
Figure 42 Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
   g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
   h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:

      Name  Namespace                                  Encode
      Body  http://schemas.xmlsoap.org/soap/envelope/  Content
Figure 44 Encryption Configuration
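To confirm that a request produced by the "wss10" outgoing configuration carries what steps 12 and 14 specify, the raw request can be checked against those settings. This is an added example, not SOAP UI or OWSM code: the envelope is a constructed skeleton (key and cipher values omitted), and the function names and element Ids are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Algorithms selected in the Signature and Encryption entries of this guide.
EXPECTED = {
    "signature": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "c14n": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "digest": "http://www.w3.org/2000/09/xmldsig#sha1",
    "key_transport": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "data_encryption": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample request: structure only, key and cipher values omitted.
SAMPLE_REQUEST = """\
<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
               xmlns:ds="{ds}" xmlns:xenc="{xenc}">
  <soap:Header><wsse:Security>
    <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{key_transport}"/></xenc:EncryptedKey>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{c14n}"/>
      <ds:SignatureMethod Algorithm="{signature}"/>
      <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
      <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <wsu:Timestamp wsu:Id="TS-1">
      <wsu:Created>2012-03-17T04:52:30.000Z</wsu:Created>
      <wsu:Expires>2012-03-17T04:52:35.000Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1">
    <xenc:EncryptedData><xenc:EncryptionMethod Algorithm="{data_encryption}"/></xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>
""".format(**NS, **EXPECTED)


def check_request(xml_text, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the request matches."""
    env = ET.fromstring(xml_text)
    sec = env.find("soap:Header/wsse:Security", NS)
    body = env.find("soap:Body", NS)
    if sec is None or body is None:
        return ["wsse:Security header or soap:Body is missing"]
    problems = []

    def algorithm(parent, path, label, key):
        node = parent.find(path, NS)
        found = node.get("Algorithm") if node is not None else None
        if found != expected[key]:
            problems.append(f"{label}: expected {expected[key]}, found {found}")

    signed_info = "ds:Signature/ds:SignedInfo/"
    algorithm(sec, signed_info + "ds:SignatureMethod", "signature algorithm", "signature")
    algorithm(sec, signed_info + "ds:CanonicalizationMethod", "canonicalization", "c14n")
    references = sec.findall(signed_info + "ds:Reference", NS)
    for ref in references:
        algorithm(ref, "ds:DigestMethod", f"digest for {ref.get('URI')}", "digest")

    # Parts table of the Signature entry: Body and Timestamp must both be signed.
    signed_ids = {ref.get("URI", "").lstrip("#") for ref in references}
    parts = (("Body", body), ("Timestamp", sec.find("wsu:Timestamp", NS)))
    for label, node in parts:
        if node is None:
            problems.append(f"{label} is missing")
        elif node.get(WSU_ID) not in signed_ids:
            problems.append(f"{label} is not covered by the signature")

    # Parts table of the Encryption entry: the Body content must be replaced by
    # a single EncryptedData element, with its key wrapped in an EncryptedKey.
    algorithm(sec, "xenc:EncryptedKey/xenc:EncryptionMethod", "key encryption", "key_transport")
    children = list(body)
    if len(children) != 1 or children[0].tag != "{%s}EncryptedData" % NS["xenc"]:
        problems.append("Body content is not encrypted")
    else:
        algorithm(children[0], "xenc:EncryptionMethod", "data encryption", "data_encryption")
    return problems


def timestamp_lifetime_seconds(xml_text):
    """Return Expires minus Created of the wsu:Timestamp, in seconds."""
    ts = ET.fromstring(xml_text).find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    created = datetime.strptime(ts.findtext("wsu:Created", namespaces=NS), fmt)
    expires = datetime.strptime(ts.findtext("wsu:Expires", namespaces=NS), fmt)
    return (expires - created).total_seconds()


if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST) or "request matches the wss10 settings")
    print("timestamp lifetime:", timestamp_lifetime_seconds(SAMPLE_REQUEST), "s")
```

Paste the request from SOAP UI's raw view in place of the constructed sample; a non-empty result names the setting that differs from the configuration above.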
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
   a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
   b. Signature Keystore: Select "default-keystore.jks" from the drop down.
   c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select "wss10" from the drop down.
   b. Incoming WSS: Select "wss10" from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
10. From the "Java Web Service creation" wizard, select the Java EE 1.5 option. The entire Web Service creation wizard is a multi-step process as shown in Figure 10 - Figure 17.
Figure 10 Select Java EE 1.5 from the Java Web Service Creation wizard
Figure 11 Provide Web Service name
Figure 12 Retain default SOAP binding
Figure 13 Select the methods that should be exposed as part of the Web Service
Figure 14 Skip Additional Classes
Figure 15 Skip specifying policies
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right click on the HelloWorld.java file in JDeveloper. Select "Web Service Properties..." from the context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies dialog, select "OWSM policies". Upon selection of the OWSM Policies option, the system will display the list of out of the box policies that are shipped as part of OWSM. Also notice the Default Policy Store location.
In this How-To it maps to
"D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds"
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let's select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the "OK" button to complete the policy attachment. Upon completion of the policy attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a keystore and credentials. First we will create the keystore using the keytool command as shown in Figure 22. The command to create the keystore using keytool (Note: keytool is shipped with the JDK):

    $> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600

Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:

    $> keytool -list -keystore default-keystore.jks -storepass welcome1

Figure 23 Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the "HelloWorld" Web Service. You do this by right clicking on HelloWorld.java and selecting "Run" from the context menu as shown in Figure 24.
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key messages of interest here are the following:

    [Waiting for the domain to finish building]
    [09:47:56 PM] Creating Integrated Weblogic domain
    [09:50:03 PM] Extending Integrated Weblogic domain
    [09:50:51 PM] Integrated Weblogic domain processing completed successfully
    Using port 7101
    D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
    [waiting for the server to complete its initialization]

As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called "DefaultDomain". In this scenario the "DefaultDomain" is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig" as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig
The most important entry in jps-config.xml is the following keystore service entry:

    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>

The next step is to configure the credentials in the DefaultDomain.
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 27
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running 7 Start WLST from DOracle11gMiddleware oracle_commoncommonbinwlstcmd as shown in Figure 26
Figure 26 Starting WLST for Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 28
8 Connect to the Integrated WLS Server running DefaultDomain as show in Figure 27
Figure 27 Connect to Integrated WLS Server
Once connected add the following credentials to the credential store
$gt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm password=welcome1 desc=Keystore key) $gtcreateCred(map=oraclewsmsecurity key=enc-csf-key user=orakey password=welcome1 desc=Encryption key) $gtcreateCred(map=oraclewsmsecurity key=sign-csf-key user=orakey password=welcome1 desc=Signing key)
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented, which contains a single drop-down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for "Time to Live" in milliseconds.
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop-down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop-down.
   e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop-down.
   f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop-down.
   g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop-down.
   h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
   i. Parts:
      Name        Namespace                                                                             Encode
      Body        http://schemas.xmlsoap.org/soap/envelope/                                             Element
      Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd    Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop-down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop-down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop-down.
   g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop-down.
   h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop-down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:
      Name   Namespace                                    Encode
      Body   http://schemas.xmlsoap.org/soap/envelope/    Content
Figure 44: Encryption Configuration
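The three outgoing entries (Timestamp, Signature, Encryption) determine what the request looks like on the wire. The following check is an added example, not part of the original How-To or of OWSM/SOAP UI: it inspects a captured request against those settings and lists the SHA-1 based algorithms in use, which are the values steps 12e and 12g select. The sample envelope, its Id values and the function name check_wss10 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS, "xenc": XENC}

# Constructed sample: structure only; key, digest and cipher values are left out.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
    xmlns:ds="{DS}" xmlns:xenc="{XENC}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1">
   <wsu:Created>2012-03-17T04:52:13.000Z</wsu:Created>
   <wsu:Expires>2012-03-17T04:52:18.000Z</wsu:Expires>
  </wsu:Timestamp>
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="{C14N}"/>
   <ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{DS}sha1"/></ds:Reference>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{DS}sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1">
   <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>"""


def _time(text):
    # xsd:dateTime in UTC ("...Z"), as WS-Security timestamps are written
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def _alg(parent, path):
    el = parent.find(path, NS)
    return el.get("Algorithm") if el is not None else None


def check_wss10(xml_text):
    """Compare one SOAP request with the wss10 outgoing settings of steps 9-14."""
    report = {"problems": [], "sha1": [], "ttl_ms": None}
    problems = report["problems"]
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        problems.append("no wsse:Security header or no Body")
        return report
    wsu_id = f"{{{WSU}}}Id"
    by_id = {el.get(wsu_id): el for el in root.iter() if el.get(wsu_id)}

    # a. Timestamp: Expires minus Created is the configured Time to Live
    ts = sec.find("wsu:Timestamp", NS)
    created = ts.findtext("wsu:Created", None, NS) if ts is not None else None
    expires = ts.findtext("wsu:Expires", None, NS) if ts is not None else None
    if created and expires:
        report["ttl_ms"] = round((_time(expires) - _time(created)).total_seconds() * 1000)
    else:
        problems.append("Timestamp with Created and Expires is missing")

    # b. Signature: each signed part must be the very element the service
    # processes (matched by object identity, not by element name)
    info = sec.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        problems.append("Signature is missing")
    else:
        refs = info.findall("ds:Reference", NS)
        targets = [by_id.get((r.get("URI") or "").lstrip("#")) for r in refs]
        for name, part in (("Body", body), ("Timestamp", ts)):
            if part is None or not any(t is part for t in targets):
                problems.append(f"{name} is not covered by the signature")
        if _alg(info, "ds:CanonicalizationMethod") != C14N:
            problems.append("signature canonicalization is not xml-exc-c14n")
        algs = [_alg(info, "ds:SignatureMethod")] + [_alg(r, "ds:DigestMethod") for r in refs]
        report["sha1"] = sorted({a for a in algs if a and a.endswith("sha1")})

    # c. Encryption: Body content replaced by EncryptedData, key in EncryptedKey
    key = sec.find("xenc:EncryptedKey", NS)
    if key is None:
        problems.append("EncryptedKey is missing")
    elif _alg(key, "xenc:EncryptionMethod") != XENC + "rsa-oaep-mgf1p":
        problems.append("key encryption is not rsa-oaep-mgf1p")
    parts = list(body)
    if len(parts) != 1 or parts[0].tag != f"{{{XENC}}}EncryptedData":
        problems.append("Body content is not encrypted")
    else:
        if _alg(parts[0], "xenc:EncryptionMethod") != XENC + "aes128-cbc":
            problems.append("data encryption is not aes128-cbc")
        uris = [] if key is None else [
            d.get("URI") for d in key.findall("xenc:ReferenceList/xenc:DataReference", NS)]
        if "#" + (parts[0].get("Id") or "") not in uris:
            problems.append("EncryptedData is not referenced by the EncryptedKey")
    return report


if __name__ == "__main__":
    print(check_wss10(SAMPLE))
```

The "sha1" list in the report is the place to look when reviewing a deployment: rsa-sha1 and sha1 are deprecated for new signatures, so a non-empty list marks a configuration to revisit where the attached policy allows a stronger algorithm suite.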
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub-tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
   a. Decrypt Keystore: Select "default-keystore.jks" from the drop-down.
   b. Signature Keystore: Select "default-keystore.jks" from the drop-down.
   c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left-hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select "wss10" from the drop-down.
   b. Incoming WSS: Select "wss10" from the drop-down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3).
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Figure 12: Retain default SOAP binding
Figure 13: Select the methods that should be exposed as part of the Web Service
Figure 14: Skip Additional Classes
Figure 15: Skip specifying policies
Figure 16: Skip providing any Handlers
Figure 17: Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right-click on the HelloWorld.java file in JDeveloper. Select "Web Service Properties..." from the context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18: Define Web Service Properties
2. In the Configure Policies dialog, select "OWSM policies". Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location. In this How-To it maps to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds".
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let's select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the "OK" button to complete the policy attachment. Upon completion of the policy attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a Keystore and Credentials. First we will create the keystore using the keytool command as shown in Figure 22. (Note: keytool is shipped with the JDK.) The command to create the keystore using keytool:
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23: Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the "HelloWorld" Web Service. You do this by right-clicking on HelloWorld.java and selecting "Run" from the context menu as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key aspects of interest here are the following messages:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called "DefaultDomain". In this scenario the "DefaultDomain" is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig" as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml that is of interest is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store and jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
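The chain that Figure 28 depicts can also be followed in code. The sketch below is an added example, not Oracle code: it reads the keystore service entry from step 6, looks up each CSF key in a stand-in for the credential store, and checks that the signing and encryption credentials name an alias that exists in the keystore. The CREDS and ALIASES structures and the function names are assumptions made for illustration; treating the user of keystore-csf-key as irrelevant is likewise an assumption, based on the page using "owsm" there, which is not a keystore alias.

```python
import xml.etree.ElementTree as ET

# Keystore service entry of jps-config.xml, as shown in step 6.
JPS_KEYSTORE = """<serviceInstance name="keystore" provider="keystore.provider"
                 location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>"""

# Constructed stand-in for the credential store after the three createCred
# calls of step 8: (map, key) -> (user, password).
CREDS = {
    ("oracle.wsm.security", "keystore-csf-key"): ("owsm", "welcome1"),
    ("oracle.wsm.security", "enc-csf-key"): ("orakey", "welcome1"),
    ("oracle.wsm.security", "sign-csf-key"): ("orakey", "welcome1"),
}
# Constructed stand-in for the aliases that `keytool -list` reports.
ALIASES = {"orakey"}

# jps-config.xml property -> what the referenced credential is used for
ROLES = {
    "keystore.pass.csf.key": "keystore password",
    "keystore.sig.csf.key": "signing key",
    "keystore.enc.csf.key": "encryption key",
}


def keystore_service(xml_text):
    """Extract location, CSF map and CSF key names from the serviceInstance."""
    inst = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value") for p in inst.findall("property")}
    return {
        "location": inst.get("location"),
        "map": props.get("keystore.csf.map"),
        "keys": {prop: props.get(prop) for prop in ROLES},
    }


def resolve(service, creds, aliases):
    """Follow jps-config.xml -> credential store -> keystore for each CSF key.

    Returns (rows, problems); passwords are looked up but never echoed.
    """
    rows, problems = [], []
    for prop, role in ROLES.items():
        csf_key = service["keys"][prop]
        if csf_key is None:
            problems.append(f"{prop} is not set in jps-config.xml")
            continue
        entry = creds.get((service["map"], csf_key))
        if entry is None:
            problems.append(f"no credential '{csf_key}' in map '{service['map']}'")
            continue
        user, _password = entry
        if prop == "keystore.pass.csf.key":
            # Only the password is used here: it opens the keystore file.
            rows.append((role, csf_key, f"password opens {service['location']}"))
        elif user not in aliases:
            problems.append(f"{csf_key}: user '{user}' is not an alias in the keystore")
        else:
            rows.append((role, csf_key, f"alias {user}, password unlocks its key"))
    return rows, problems


if __name__ == "__main__":
    rows, problems = resolve(keystore_service(JPS_KEYSTORE), CREDS, ALIASES)
    for row in rows:
        print(" -> ".join(row))
    print("problems:", problems)
```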
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop-down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop-down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop-down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop-down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Encryption” from the “Add WSS Entry” drop-down, as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop-down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop-down.
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop-down.
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop-down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44: Encryption Configuration
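A check of what the “wss10” outgoing configuration in steps 10 to 14 should produce on the wire, as an added example that is not part of the original How-To: it parses a request and reports every deviation from the Timestamp, Signature and Encryption settings listed above. The sample envelope, its Ids and the function name check_wss10_message are constructed for illustration, and only the message structure is checked, not the signature or digest values.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Algorithm values selected in the Signature and Encryption entries of "wss10".
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SIG_ALG = NS["ds"] + "rsa-sha1"
DIGEST_ALG = NS["ds"] + "sha1"
KEY_ALG = NS["xenc"] + "rsa-oaep-mgf1p"
DATA_ALG = NS["xenc"] + "aes128-cbc"

# Constructed sample of a protected request; Ids, dates and cipher values are placeholders.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1">
   <wsu:Created>2012-03-16T21:52:30Z</wsu:Created>
   <wsu:Expires>2012-03-16T21:52:35Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="X509-1">PLACEHOLDER</wsse:BinarySecurityToken>
  <xenc:EncryptedKey Id="EK-1">
   <xenc:EncryptionMethod Algorithm="{xenc}rsa-oaep-mgf1p"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="{ds}rsa-sha1"/>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1" Type="{xenc}Content">
   <xenc:EncryptionMethod Algorithm="{xenc}aes128-cbc"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>""".format(**NS)

def check_wss10_message(xml_text):
    """Return the list of deviations from the "wss10" outgoing configuration."""
    env = ET.fromstring(xml_text)
    sec = env.find("soap:Header/wsse:Security", NS)
    body = env.find("soap:Body", NS)
    if sec is None or body is None:
        return ["wsse:Security header or soap:Body is missing"]
    problems = []
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None or ts.find("wsu:Created", NS) is None or ts.find("wsu:Expires", NS) is None:
        problems.append("Timestamp with Created and Expires is missing")
    info = sec.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        problems.append("ds:Signature is missing")
    else:
        for tag, want in (("ds:CanonicalizationMethod", C14N), ("ds:SignatureMethod", SIG_ALG)):
            el = info.find(tag, NS)
            if el is None or el.get("Algorithm") != want:
                problems.append("unexpected " + tag)
        signed_ids = set()
        for ref in info.findall("ds:Reference", NS):
            signed_ids.add(ref.get("URI", "").lstrip("#"))
            dm = ref.find("ds:DigestMethod", NS)
            if dm is None or dm.get("Algorithm") != DIGEST_ALG:
                problems.append("unexpected digest for " + ref.get("URI", "?"))
        # A part counts as signed only when a Reference points at the real
        # soap:Body / header Timestamp, not at some other element.
        for name, el in (("Body", body), ("Timestamp", ts)):
            if el is None or el.get(WSU_ID) not in signed_ids:
                problems.append(name + " is not covered by the signature")
    ek = sec.find("xenc:EncryptedKey", NS)
    ek_alg = ek.find("xenc:EncryptionMethod", NS) if ek is not None else None
    if ek_alg is None or ek_alg.get("Algorithm") != KEY_ALG:
        problems.append("EncryptedKey missing or not rsa-oaep-mgf1p")
    children = list(body)
    enc = children[0] if len(children) == 1 else None
    if enc is None or enc.tag != "{%s}EncryptedData" % NS["xenc"]:
        problems.append("Body content is not a single xenc:EncryptedData")
    else:
        alg = enc.find("xenc:EncryptionMethod", NS)
        if alg is None or alg.get("Algorithm") != DATA_ALG:
            problems.append("Body not encrypted with aes128-cbc")
        refs = ek.findall("xenc:ReferenceList/xenc:DataReference", NS) if ek is not None else []
        if "#" + enc.get("Id", "") not in [r.get("URI") for r in refs]:
            problems.append("EncryptedKey does not reference the Body EncryptedData")
    return problems
```

An empty list means the request carries a Timestamp, a signature over Body and Timestamp, and an encrypted Body with the algorithms chosen in the How-To.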
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub-tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop-down.
b. Signature Keystore: Select “default-keystore.jks” from the drop-down.
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop-down.
b. Incoming WSS: Select “wss10” from the drop-down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Figure 14: Skip Additional Classes
Figure 15: Skip specifying policies
Figure 16: Skip providing any Handlers
Figure 17: Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, “right click” on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the context menu (Figure 18). This will launch the dialog box seen in Figure 19.
Figure 18: Define Web Service Properties
2. In the Configure Policies dialog, select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location. In this How-To it maps to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the policy attachment. Upon completion of the policy attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy, we need a keystore and credentials. First we will create the keystore using the keytool command, as shown in Figure 22. The command to create the keystore using keytool (Note: keytool is shipped with the JDK):
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23: Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by right-clicking on HelloWorld.java and selecting “Run” from the context menu, as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig” as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-configxml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml that is of interest is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
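The chain that Figure 28 depicts can also be followed in code. This added example (not part of the original How-To, and not OWSM's own code) starts from the keystore service instance in jps-config.xml, looks up the three CSF keys in a model of the credential store, and checks that the signing and encryption credentials name an alias that exists in the keystore. The dictionaries standing in for the credential store and for the keytool alias list, the placeholder passwords, and the function name resolve_keystore_config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The keystore service instance from the How-To's jps-config.xml.
JPS_KEYSTORE_INSTANCE = """
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed stand-in for the credential store after the three createCred
# calls: map -> key -> (user, password). Passwords are placeholders.
CRED_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "<keystore password>"),
        "enc-csf-key": ("orakey", "<key password>"),
        "sign-csf-key": ("orakey", "<key password>"),
    }
}
# Constructed stand-in for the aliases that "keytool -list" reports.
KEYSTORE_ALIASES = {"orakey"}

ROLES = (
    ("keystore.pass.csf.key", "store"),
    ("keystore.sig.csf.key", "sign"),
    ("keystore.enc.csf.key", "enc"),
)


def resolve_keystore_config(jps_xml, cred_store, aliases):
    """Follow jps-config.xml -> credential store -> keystore.

    Returns (resolved, problems): what each CSF key resolves to, and a
    list of broken links in the chain.
    """
    inst = ET.fromstring(jps_xml.strip())
    props = {p.get("name"): p.get("value") for p in inst.findall("property")}
    csf_map = props.get("keystore.csf.map")
    resolved = {"keystore": inst.get("location"), "csf_map": csf_map}
    creds = cred_store.get(csf_map)
    if creds is None:
        return resolved, ["credential map %r not found" % csf_map]
    problems = []
    for prop, role in ROLES:
        csf_key = props.get(prop)
        if csf_key not in creds:
            problems.append("no credential %r in map %r (needed by %s)"
                            % (csf_key, csf_map, prop))
            continue
        user, _password = creds[csf_key]
        if role == "store":
            # Only the password of this credential matters: it opens the
            # keystore file itself.
            resolved["store_password_from"] = csf_key
        else:
            # For signing and encryption the credential's user name is the
            # key alias and its password is that key's password.
            resolved[role + "_alias"] = user
            if user not in aliases:
                problems.append("%s: alias %r is not in the keystore" % (csf_key, user))
    return resolved, problems
```

With the values used in this How-To the problem list is empty; a credential created under the wrong map, a missing csf key, or a user name that does not match a keystore alias each shows up as one entry.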
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double-click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add KeystoreCertificates
6. Click on the “+” button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 42
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
b. Signature Keystore: Select “default-keystore.jks” from the drop down.
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the browse tree on the left-hand side. This will create a request, as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down.
b. Incoming WSS: Select “wss10” from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password – enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Figure 16 Skip providing any Handlers
Figure 17 Finish creation of Web Service
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, “right click” on the HelloWorld.java file in JDeveloper. Select “Web Service Properties…” from the Context menu (Figure 18). This will launch the Dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies Dialog, select “OWSM policies”. Upon selection of the OWSM Policies option, the system will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location. In this How-To it maps to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds”.
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy, as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy annotation will be added to the HelloWorld POJO class, as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy, we need a Keystore and Credentials. First, we will create the keystore using the keytool command, as shown in Figure 22. (Note: keytool is shipped with the JDK.) The command to create the keystore using keytool:
    $> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
    $> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23 Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which Integrated WLS Server runs. However, initially upon install, the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by “right clicking” on HelloWorld.java and selecting “Run” from the Context Menu, as shown in Figure 24.
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key aspect of interest here is the following messages:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig”, as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd, as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain, as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
    $> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    $> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    $> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
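The relationship described in step 9 can be checked mechanically. The script below is an added example, not part of the original How-To or of OWSM: it reads the keystore service entry from step 6 and cross-checks it against a constructed stand-in for the credential store (the three entries of step 8) and a constructed list of keystore aliases (what keytool -list reports). The function names are hypothetical, and it assumes, as the values in step 8 suggest, that the user of the signing and encryption credentials is the key alias while only the password of the keystore credential matters.

```python
import xml.etree.ElementTree as ET

# Keystore service entry of jps-config.xml, as listed in step 6.
JPS_KEYSTORE_ENTRY = """
<serviceInstance name="keystore" provider="keystore.provider"
                 location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed stand-in for the credential store after the three createCred
# calls of step 8: {map: {csf key: (user, password)}}.
CRED_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "welcome1"),
        "enc-csf-key": ("orakey", "welcome1"),
        "sign-csf-key": ("orakey", "welcome1"),
    }
}

# Constructed stand-in for the aliases that `keytool -list` reports.
KEYSTORE_ALIASES = {"orakey"}

# jps-config.xml property -> must the credential's user be a keystore alias?
# (Assumption: true for the signing and encryption keys, not for the keystore
# password entry, whose user is not used to look anything up.)
CSF_PROPERTIES = (
    ("keystore.pass.csf.key", False),
    ("keystore.sig.csf.key", True),
    ("keystore.enc.csf.key", True),
)


def keystore_properties(xml_text):
    """Parse the serviceInstance element into {property name: value}."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value") for p in root.iter("property")}
    props["location"] = root.get("location")
    return props


def check_wiring(xml_text, cred_store, aliases):
    """Return a list of mismatches; an empty list means everything lines up."""
    props = keystore_properties(xml_text)
    map_name = props.get("keystore.csf.map")
    creds = cred_store.get(map_name)
    if creds is None:
        return [f"credential map {map_name!r} does not exist"]
    problems = []
    for prop, user_is_alias in CSF_PROPERTIES:
        csf_key = props.get(prop)
        if csf_key is None:
            problems.append(f"{prop} is not set in jps-config.xml")
            continue
        if csf_key not in creds:
            problems.append(f"{prop} -> {csf_key!r}: no such credential in {map_name!r}")
            continue
        user, password = creds[csf_key]
        if not password:
            problems.append(f"{csf_key!r} has an empty password")
        if user_is_alias and user not in aliases:
            problems.append(f"{csf_key!r} names alias {user!r}, which is not in {props['location']}")
    return problems


if __name__ == "__main__":
    for line in check_wiring(JPS_KEYSTORE_ENTRY, CRED_STORE, KEYSTORE_ALIASES) or ["OK"]:
        print(line)
```

A misspelled alias in sign-csf-key or a missing enc-csf-key shows up here as a named mismatch instead of a SOAP fault at request time.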
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run HelloWorld from within JDeveloper, as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project, as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS, as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab, as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore, as shown in Figure 33. This will launch a dialog to select the Key Material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1”, as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice, the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon, as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog, as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds.
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Signature” from the “Add WSS Entry” drop down, as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42 Providing Signature configuration
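What the Timestamp, Signature and Encryption entries of the “wss10” outgoing configuration should produce on the wire can be checked structurally. The script below is an added example, not part of the original How-To, SOAP UI or OWSM: it audits a constructed, abridged request for the algorithms and the signed and encrypted parts selected in those entries. The function names and the sample envelope are hypothetical, and no signature is verified cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Algorithms chosen in the Signature and Encryption entries of "wss10".
EXPECTED = {
    "sig": NS["ds"] + "rsa-sha1",
    "digest": NS["ds"] + "sha1",
    "keyenc": NS["xenc"] + "rsa-oaep-mgf1p",
    "dataenc": NS["xenc"] + "aes128-cbc",
}

# Constructed, abridged request: token, key, digest and cipher values are left out.
SAMPLE = ("<soap:Envelope " + " ".join('xmlns:%s="%s"' % kv for kv in NS.items()) + ">" + """
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1">
   <wsu:Created>2012-03-17T04:55:00Z</wsu:Created>
   <wsu:Expires>2012-03-17T04:55:05Z</wsu:Expires>
  </wsu:Timestamp>
  <xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="{keyenc}"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="{sig}"/>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1"><xenc:EncryptionMethod Algorithm="{dataenc}"/></xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>""").format(**EXPECTED)


def algorithm(parent, path):
    """Algorithm attribute of the element at path under parent, or None."""
    elem = parent.find(path, NS) if parent is not None else None
    return elem.get("Algorithm") if elem is not None else None


def audit(envelope_xml, expected=EXPECTED):
    """Return a list of findings; an empty list means the message matches "wss10"."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        return ["no wsse:Security header or no soap:Body"]
    findings = []

    ts = sec.find("wsu:Timestamp", NS)
    if ts is None or ts.find("wsu:Created", NS) is None or ts.find("wsu:Expires", NS) is None:
        findings.append("Timestamp with Created and Expires is missing")

    signed_info = sec.find("ds:Signature/ds:SignedInfo", NS)
    if signed_info is None:
        findings.append("message is not signed")
    else:
        if algorithm(signed_info, "ds:SignatureMethod") != expected["sig"]:
            findings.append("unexpected signature algorithm")
        signed_ids = set()
        for ref in signed_info.findall("ds:Reference", NS):
            signed_ids.add(ref.get("URI", "").lstrip("#"))
            if algorithm(ref, "ds:DigestMethod") != expected["digest"]:
                findings.append("unexpected digest algorithm for " + ref.get("URI", "?"))
        # Parts listed in the Signature entry: Body and Timestamp.
        for name, part in (("Body", body), ("Timestamp", ts)):
            if part is not None and part.get(WSU_ID) not in signed_ids:
                findings.append(name + " is not covered by the signature")

    enc_key = sec.find("xenc:EncryptedKey", NS)
    if enc_key is None:
        findings.append("no EncryptedKey in the Security header")
    elif algorithm(enc_key, "xenc:EncryptionMethod") != expected["keyenc"]:
        findings.append("unexpected key encryption algorithm")

    # Encode = Content: the Body element stays, its content is one EncryptedData.
    children = list(body)
    if len(children) != 1 or children[0].tag != "{%s}EncryptedData" % NS["xenc"]:
        findings.append("Body content is not encrypted")
    elif algorithm(children[0], "xenc:EncryptionMethod") != expected["dataenc"]:
        findings.append("unexpected data encryption algorithm")
    return findings
```

Run against a captured request, an empty result means the Body and Timestamp are both referenced by the signature and the Body content is encrypted with the configured algorithms.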
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 42
Add Incoming WS-Security Configurations
15 Click on the ldquoIncoming WS-Security Configurationsrdquo sub tab and click on the ldquo+rdquo icon as show in Figure 45 You will be prompted to enter a name for the incoming configuration specify ldquowss10rdquo as the name as shown in Figure 46
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 43
16 Click on the ldquowss10rdquo entry and select the following a Decrypt Keystore Select ldquodefault-keystorejksrdquo from the drop down b Signature Keystore Select ldquodefault-keystorejksrdquo from the drop down c Password ldquowelcome1rdquo
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 44
17 Now that we have created all the necessary WS-Security Configurations we are ready to test the HelloWorld Service To do so click on the ldquohellordquo operation on the Left hand browse tree This will create a request as show in Figure 48 Click on the ldquoAutrdquo tab on the ldquoRequestrdquo panel on the RHS side of the screen The ldquoAutrdquo tab is in the bottom and has been highlighted in Figure 48 Select the following values
a Outgoing WSS Select ldquowss10rdquo from the drop down b Incoming WSS Select ldquowss10rdquo from the drop down
Figure 48 Select the previosuly created WSS Configuration to be used while testing
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 45
18 Enter ldquoprakashrdquo for arg0 and click on the green arrow button to send the request You will be prompted for password ndash enter ldquowelcome1rdquo Figure 49 and Figure 50 show the steps and the results of a successful test If there is a failure ndash you will see a SOAP response with a fault
Figure 49 Send request to the HelloWorld WS
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1/lib/ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1/lib/ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started. ----
[09:52:06 PM] Target platform is (Weblogic 10.3).
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully.
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished. ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Attach Message protection OWSM Security Policy
1. To attach the OWSM message protection policy to the Web Service, right-click the HelloWorld.java file in JDeveloper and select "Web Service Properties…" from the context menu (Figure 18). This launches the dialog box seen in Figure 19.
Figure 18 Define Web Service Properties
2. In the Configure Policies dialog, select "OWSM policies". Upon selection of the OWSM Policies option, the system displays the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store location. In this How-To it maps to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds".
Figure 19 Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20 Selection of oracle/wss10_message_protection_service_policy
Click the "OK" button to complete the policy attachment. Upon completion of the policy attachment, the @SecurityPolicy annotation is added to the HelloWorld POJO class as shown in Figure 21.
Figure 21 Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a keystore and credentials. First we create the keystore using the keytool command as shown in Figure 22. (Note: keytool is shipped with the JDK.) The command to create the keystore is:
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23 Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the "HelloWorld" Web Service. You do this by right-clicking HelloWorld.java and selecting "Run" from the context menu as shown in Figure 24.
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is this: on running the application the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called "DefaultDomain". In this scenario the "DefaultDomain" is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig" as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store and jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
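The relationship between these artifacts can also be checked in code. The following Python code is an added example, not part of the original How-To or of OWSM: it reads the keystore service entry from jps-config.xml, looks up each CSF key in the credential map, and confirms that the signing and encryption credentials name an alias that exists in the keystore. The fragment without the real file's XML namespace, the dictionary model of the credential store and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the keystore service entry from jps-config.xml described on
# this page (assumption: shown without the XML namespace of the real file).
JPS_CONFIG_FRAGMENT = """
<serviceInstance name="keystore" provider="keystore.provider"
                 location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed sample: credential store after the three createCred() calls,
# modelled (hypothetically) as {map: {csf_key: (user, password)}}.
CREDENTIAL_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "welcome1"),
        "enc-csf-key": ("orakey", "welcome1"),
        "sign-csf-key": ("orakey", "welcome1"),
    }
}

# Constructed sample: aliases that "keytool -list" reports for default-keystore.jks.
KEYSTORE_ALIASES = {"orakey"}

# jps-config.xml property -> (role, True if the credential's user names a key alias).
# For the keystore password entry only the password is used; the user is ignored.
CSF_KEY_ROLES = {
    "keystore.pass.csf.key": ("keystore password", False),
    "keystore.sig.csf.key": ("signing key", True),
    "keystore.enc.csf.key": ("encryption key", True),
}


def parse_keystore_service(xml_text):
    """Return the properties of the keystore serviceInstance as a dict."""
    node = ET.fromstring(xml_text.strip())
    props = {p.get("name"): p.get("value") for p in node.findall("property")}
    props["location"] = node.get("location")
    return props


def resolve_bindings(props, cred_store, aliases):
    """Follow jps-config.xml -> credential map -> keystore alias.

    Returns (bindings, problems); bindings holds only the roles that resolved.
    """
    bindings, problems = {}, []
    map_name = props.get("keystore.csf.map")
    creds = cred_store.get(map_name)
    if creds is None:
        return bindings, ["credential map %r not found" % map_name]
    for prop, (role, needs_alias) in CSF_KEY_ROLES.items():
        csf_key = props.get(prop)
        if csf_key is None:
            problems.append("%s is not set in jps-config.xml" % prop)
            continue
        if csf_key not in creds:
            problems.append("no credential %r in map %r" % (csf_key, map_name))
            continue
        user, password = creds[csf_key]
        if not password:
            problems.append("credential %r has an empty password" % csf_key)
            continue
        if needs_alias and user not in aliases:
            problems.append("credential %r names alias %r, which is not in the keystore"
                            % (csf_key, user))
            continue
        bindings[role] = {"csf_key": csf_key, "alias": user if needs_alias else None}
    return bindings, problems


if __name__ == "__main__":
    found, issues = resolve_bindings(parse_keystore_service(JPS_CONFIG_FRAGMENT),
                                     CREDENTIAL_STORE, KEYSTORE_ALIASES)
    for role, info in found.items():
        print(role, "->", info)
    print("problems:", issues)
```

A missing credential or a mismatched alias shows up in the returned problem list, which is where most policy enforcement failures with this setup originate.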
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld service from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new project as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide the "Project Name" and "WSDL" information for the HelloWorld WS as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double-click the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This launches a dialog to select the key material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and then clicking on the "+" icon as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This creates a panel on the lower half of the screen in which to add the relevant WS-Security configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog is presented which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40:
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds.
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
i. Parts:
Name         Namespace                                                                             Encode
Body         http://schemas.xmlsoap.org/soap/envelope/                                             Element
Timestamp    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd    Element
Figure 42 Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name    Namespace                                    Encode
Body    http://schemas.xmlsoap.org/soap/envelope/    Content
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub-tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
b. Signature Keystore: Select "default-keystore.jks" from the drop down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left-hand browse tree. This creates a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for the password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
2. In the Configure Policies dialog, select "OWSM policies". Upon selection of the OWSM Policies option, the system
will display the list of out-of-the-box policies that are shipped as part of OWSM. Also notice the Default Policy Store
location.
In this How-To it maps to:
"D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\oracle\store\gmds"
Figure 19: Select OWSM policies option to secure the Web Service
3. For the purposes of this How-To, let's select the oracle/wss10_message_protection_service_policy as shown in
Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the "OK" button to complete the Policy Attachment. Upon completion of the Policy Attachment, the SecurityPolicy
annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21: Code view with SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a keystore and credentials. First we
will create the keystore using the keytool command as shown in Figure 22. The command to create the keystore using
keytool (Note: keytool is shipped with the JDK):
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23: Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of
the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS domain in which the
Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the
domain is created completely by trying to run the "HelloWorld" Web Service. You do this by right-clicking on
HelloWorld.java and selecting "Run" from the context menu as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key messages of interest here are the
following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called "DefaultDomain". In this scenario the "DefaultDomain" is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to
"D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig" as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml that is of interest is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml
confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
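
The chain described in steps 4 to 9, traced in code as an added example (not part of the original How-To): jps-config.xml names the credential map and the three CSF keys, the keystore-csf-key credential carries the keystore password, and the sign/enc credentials carry a key alias as user plus that key's password. The two dictionaries are constructed stand-ins for the credential store and for default-keystore.jks, and the key password is assumed to be welcome1.

```python
import xml.etree.ElementTree as ET

# Keystore service entry from the DefaultDomain jps-config.xml (step 6).
JPS_KEYSTORE_ENTRY = """
<serviceInstance name="keystore" provider="keystore.provider"
                 location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed model of the credential store after the three createCred calls
# in step 8: (map, key) -> (user, password).
CREDENTIAL_STORE = {
    ("oracle.wsm.security", "keystore-csf-key"): ("owsm", "welcome1"),
    ("oracle.wsm.security", "enc-csf-key"): ("orakey", "welcome1"),
    ("oracle.wsm.security", "sign-csf-key"): ("orakey", "welcome1"),
}

# Constructed model of the keystore from step 4 (assumption: the key password
# typed at the keytool prompt was welcome1, the value SOAP UI is given later).
KEYSTORE = {
    "file": "default-keystore.jks",
    "storepass": "welcome1",
    "key_passwords": {"orakey": "welcome1"},  # alias -> key password
}


def read_keystore_service(xml_text):
    """Extract the fields of the keystore serviceInstance that drive lookups."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value") for p in root.findall("property")}
    return {
        "file": root.get("location").replace("\\", "/").rsplit("/", 1)[-1],
        "map": props.get("keystore.csf.map"),
        "pass_key": props.get("keystore.pass.csf.key"),
        "sig_key": props.get("keystore.sig.csf.key"),
        "enc_key": props.get("keystore.enc.csf.key"),
    }


def check_wiring(xml_text, cred_store, keystore):
    """Return a list of problems; an empty list means every link resolves."""
    svc = read_keystore_service(xml_text)
    problems = []
    if svc["file"] != keystore["file"]:
        problems.append("jps-config.xml points at %r, not %r"
                        % (svc["file"], keystore["file"]))

    # Link 1: keystore.pass.csf.key -> credential whose password opens the
    # keystore. The user name of this credential is not used for the lookup.
    cred = cred_store.get((svc["map"], svc["pass_key"]))
    if cred is None:
        problems.append("no credential for map %r, key %r"
                        % (svc["map"], svc["pass_key"]))
    elif cred[1] != keystore["storepass"]:
        problems.append("password of %r does not open %s"
                        % (svc["pass_key"], keystore["file"]))

    # Links 2 and 3: sig/enc CSF keys -> credential (user = alias,
    # password = key password) -> private key entry in the keystore.
    for role, csf_key in (("signing", svc["sig_key"]),
                          ("encryption", svc["enc_key"])):
        cred = cred_store.get((svc["map"], csf_key))
        if cred is None:
            problems.append("no credential for map %r, key %r"
                            % (svc["map"], csf_key))
            continue
        alias, key_password = cred
        if alias not in keystore["key_passwords"]:
            problems.append("%s: alias %r (user of %r) is not in %s"
                            % (role, alias, csf_key, keystore["file"]))
        elif keystore["key_passwords"][alias] != key_password:
            problems.append("%s: password of %r does not open key %r"
                            % (role, csf_key, alias))
    return problems


if __name__ == "__main__":
    result = check_wiring(JPS_KEYSTORE_ENTRY, CREDENTIAL_STORE, KEYSTORE)
    print(result or "every link resolves")
```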
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide "Project Name" and "WSDL" information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double-click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the
project as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security
Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill
out the Keystores/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as
shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in
Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from
the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked
i. Parts:
   Name        Namespace                                                                             Encode
   Body        http://schemas.xmlsoap.org/soap/envelope/                                             Element
   Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44.
Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down
i. Create Encrypted Key: Ensure the checkbox is checked
j. Parts:
   Name   Namespace                                   Encode
   Body   http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub-tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down
b. Signature Keystore: Select "default-keystore.jks" from the drop down
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation on the left-hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down
b. Incoming WSS: Select "wss10" from the drop down
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 20
3. For the purposes of this How-To, let’s select the oracle/wss10_message_protection_service_policy as shown in Figure 20.
Figure 20: Selection of oracle/wss10_message_protection_service_policy
Click the “OK” button to complete the Policy Attachment. Upon completion of the Policy Attachment, the @SecurityPolicy annotation will be added to the HelloWorld POJO class as shown in Figure 21.
Figure 21: Code view with @SecurityPolicy annotation
Creating Keystore and Credentials
4. In order to use the oracle/wss10_message_protection_service_policy we need a keystore and credentials. First we will create the keystore using the keytool command as shown in Figure 22. (Note: keytool is shipped with the JDK.) The command to create the keystore using keytool:
$> keytool -genkey -keyalg RSA -alias orakey -keystore default-keystore.jks -storepass welcome1 -validity 3600
Figure 22: Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command:
$> keytool -list -keystore default-keystore.jks -storepass welcome1
Figure 23: Check contents of Keystore using keytool
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to the Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which the Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the “HelloWorld” Web Service. You do this by right-clicking on HelloWorld.java and selecting “Run” from the Context Menu as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called “DefaultDomain”. In this scenario the “DefaultDomain” is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to “D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig” as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The entry in jps-config.xml that is of most interest is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
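The chain that Figure 28 illustrates, written out as an added example (it is not part of the original How-To or of OWSM): it follows the keystore service entry in jps-config.xml to the credentials created with createCred and on to the keystore, and lists every link that does not resolve. It assumes the usual OWSM reading of those credentials, where only the password of keystore-csf-key is used and the user of sign-csf-key and enc-csf-key is the key alias; the credential store and keystore are constructed Python dictionaries, and keystore_service and check_chain are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the keystore service entry from jps-config.xml (step 6).
JPS_CONFIG = """<jpsConfig><serviceInstances>
  <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
  </serviceInstance>
</serviceInstances></jpsConfig>"""

# Constructed stand-in for the credential store after the three createCred()
# calls in step 8: {map: {key: (user, password)}}.
CRED_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "welcome1"),
        "enc-csf-key": ("orakey", "welcome1"),
        "sign-csf-key": ("orakey", "welcome1"),
    }
}

# Constructed stand-in for default-keystore.jks: store password, alias -> key password.
KEYSTORE = {"file": "default-keystore.jks", "storepass": "welcome1",
            "keys": {"orakey": "welcome1"}}


def _local(tag):
    """Drop an XML namespace so the lookup also works on a namespaced jps-config.xml."""
    return tag.rsplit("}", 1)[-1]


def keystore_service(jps_xml):
    """Return (location, {property name: value}) of the serviceInstance named 'keystore'."""
    for el in ET.fromstring(jps_xml).iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == "keystore":
            props = {p.get("name"): p.get("value") for p in el if _local(p.tag) == "property"}
            return el.get("location"), props
    raise ValueError("no keystore serviceInstance in jps-config.xml")


def check_chain(jps_xml, cred_store, keystore):
    """Follow jps-config.xml -> credential store -> keystore; return the broken links."""
    location, props = keystore_service(jps_xml)
    problems = []
    if location.replace("\\", "/").rsplit("/", 1)[-1] != keystore["file"]:
        problems.append("jps-config.xml points at %r, not %s" % (location, keystore["file"]))

    map_name = props.get("keystore.csf.map")
    cred_map = cred_store.get(map_name)
    if cred_map is None:
        return problems + ["credential map %r not found" % map_name]

    # keystore.pass.csf.key: only the password is used; it opens the keystore file.
    pass_key = props.get("keystore.pass.csf.key")
    cred = cred_map.get(pass_key)
    if cred is None:
        problems.append("missing credential %r (from keystore.pass.csf.key)" % pass_key)
    elif cred[1] != keystore["storepass"]:
        problems.append("%s: password does not open the keystore" % pass_key)

    # sig/enc keys: the user is the key alias, the password is that key's password.
    for prop in ("keystore.sig.csf.key", "keystore.enc.csf.key"):
        csf_key = props.get(prop)
        cred = cred_map.get(csf_key)
        if cred is None:
            problems.append("missing credential %r (from %s)" % (csf_key, prop))
            continue
        alias, key_password = cred
        if alias not in keystore["keys"]:
            problems.append("%s: alias %r is not in the keystore" % (csf_key, alias))
        elif keystore["keys"][alias] != key_password:
            problems.append("%s: wrong key password for alias %r" % (csf_key, alias))
    return problems
```

With the values from this How-To every link resolves and check_chain returns an empty list; a credential whose user is not an alias in the keystore is reported by name.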
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:
   Name        Namespace                                                                             Encode
   Body        http://schemas.xmlsoap.org/soap/envelope/                                             Element
   Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd    Element
Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
   Name   Namespace                                    Encode
   Body   http://schemas.xmlsoap.org/soap/envelope/    Content
Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
b. Signature Keystore: Select “default-keystore.jks” from the drop down.
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation on the left-hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down.
b. Incoming WSS: Select “wss10” from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password – enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1/lib/ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1/lib/ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http:\\hostname:port\console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 21
Figure 21 Code view with SecurityPolicy annotation
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called "DefaultDomain". In this scenario the "DefaultDomain" is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig" as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store and jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
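The relationship between the three artifacts can also be checked mechanically. The following Python sketch is an added example, not part of the original guide or of Oracle's tooling: it reads the keystore service entry from jps-config.xml and verifies that each CSF key it names has a credential in the referenced map, and that the signing and encryption credentials name an alias present in the keystore. The credential-store and alias data are constructed stand-ins for the createCred and keytool -list steps, and the function names are hypothetical.

```python
"""Cross-check jps-config.xml, the credential store and the keystore.

Added illustration; all inputs are constructed to mirror this guide.
"""
import xml.etree.ElementTree as ET

# Keystore service entry as configured in the DefaultDomain jps-config.xml.
JPS_KEYSTORE_ENTRY = """
<serviceInstance name="keystore" provider="keystore.provider"
                 location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed stand-in for the credential store after the three createCred
# calls: {map name: {csf key: user name}}. Passwords are not modelled here.
CREDENTIAL_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": "owsm",
        "enc-csf-key": "orakey",
        "sign-csf-key": "orakey",
    }
}

# Constructed stand-in for the aliases reported by `keytool -list`.
KEYSTORE_ALIASES = {"orakey"}

# jps-config property -> must the credential's user name be a keystore alias?
CSF_KEY_PROPERTIES = {
    "keystore.pass.csf.key": False,  # only the password (keystore password) matters
    "keystore.sig.csf.key": True,    # user name is the signing key alias
    "keystore.enc.csf.key": True,    # user name is the encryption key alias
}


def _local(tag):
    """Drop an XML namespace prefix so a namespaced jps-config.xml also works."""
    return tag.rsplit("}", 1)[-1]


def parse_keystore_instance(xml_text):
    """Return the properties of the serviceInstance named 'keystore'."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "serviceInstance" and elem.get("name") == "keystore":
            props = {p.get("name"): p.get("value")
                     for p in elem if _local(p.tag) == "property"}
            props["location"] = elem.get("location")
            return props
    raise ValueError("no serviceInstance named 'keystore' found")


def check_wiring(props, cred_store, aliases):
    """List every broken link between jps-config, credentials and keystore."""
    map_name = props.get("keystore.csf.map")
    cred_map = cred_store.get(map_name)
    if cred_map is None:
        return ["credential map %r not found in credential store" % map_name]
    problems = []
    for prop, needs_alias in CSF_KEY_PROPERTIES.items():
        csf_key = props.get(prop)
        if csf_key is None:
            problems.append("jps-config.xml does not set %s" % prop)
            continue
        user = cred_map.get(csf_key)
        if user is None:
            problems.append("no credential %r in map %r (needed by %s)"
                            % (csf_key, map_name, prop))
        elif needs_alias and user not in aliases:
            problems.append("credential %r names alias %r, which is not in %s"
                            % (csf_key, user, props["location"]))
    return problems


if __name__ == "__main__":
    wiring = parse_keystore_instance(JPS_KEYSTORE_ENTRY)
    issues = check_wiring(wiring, CREDENTIAL_STORE, KEYSTORE_ALIASES)
    print("\n".join(issues) if issues else "keystore wiring is consistent")
```

A missing createCred call or a credential whose user name does not match a keystore alias shows up as one entry in the returned list.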
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld Web Service from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide the "Project Name" and "WSDL" information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double-click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the key material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented which contains a single drop-down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40:
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop-down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop-down.
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop-down.
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop-down.
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop-down.
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop-down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop-down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop-down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop-down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop-down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop-down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub-tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop-down.
b. Signature Keystore: Select "default-keystore.jks" from the drop-down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the browse tree on the left-hand side. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop-down.
b. Incoming WSS: Select "wss10" from the drop-down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password - enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 22
Creating Keystore and Credentials
4 In order to use the oraclewss10_message_protection_service_policy we need Keystore and Credentials First we
will create keystore using the keytool command as shown in Figure 22 The command to create the keystore using
keytool (Note Keytool is shipped with JDK)
Figure 22 Keystore creation command and steps
You can validate the contents of the keystore by using the following keytool command
Figure 23 Check contents of Keystore using keytool
$gt keytool -genkey -keyalg RSA -alias orakey -keystore default-keystorejks -storepass welcome1 -validity
3600
$gtkeytool -list -keystore default-keystorejks -storepass welcome1
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 23
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of
the OWSM oraclewss10_message_protection_service_policy ndash we need to configure the WLS Domain in which
Integrated WLS Server runs however initially upon the Install the domain is not created completely You can ensure the
domain is created completely by trying to the ldquoHelloWorldrdquo Web Service You do this by ldquoright clickingrdquo on
HelloWorldjava and selecting ldquoRunrdquo from the Context Menu as show in Figure 24
Figure 24 Running HelloWorld Web Service in Integrated WLS Server first time
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 24
The appendix shows the log that is output by the system in JDeveloper The key aspect that is of interest here are the
following messages
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
As mentioned earlier the key thing to note is
On running this the first time ndash the domain for running the Integrated WLS is extended and the necessary artifacts are created By default this domain is called ldquoDefaultDomainrdquo In this scenario the ldquoDefaultDomainrdquo is located at DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 25
Copying the Keystore under the right location for Integrated WLS Server
5 Copy the default-keystorejks created earlier to
ldquoDOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfigrdquo as shown in Figure 25
Figure 25 Copying default-keystorejks under DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 26
Verifying jps-configxml in Default Domain
6 The jps-configxml will be found under
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfig The most important entry in jps-configxml that is of interest is the following keystore service entry lt-- KeyStore Service Instance --gt ltserviceInstance name=keystore provider=keystoreprovider location=default-keystorejksgt ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt ltproperty name=keystoreprovidertype value=filegt ltproperty name=keystorefilepath value=gt ltproperty name=keystoretype value=JKSgt ltproperty name=keystorecsfmap value=oraclewsmsecuritygt ltproperty name=keystorepasscsfkey value=keystore-csf-keygt ltproperty name=keystoresigcsfkey value=sign-csf-keygt ltproperty name=keystoreenccsfkey value=enc-csf-keygt ltserviceInstancegt The next step is to configure the credentials in the DefaultDomain
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 27
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running 7 Start WLST from DOracle11gMiddleware oracle_commoncommonbinwlstcmd as shown in Figure 26
Figure 26 Starting WLST for Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 28
8 Connect to the Integrated WLS Server running DefaultDomain as show in Figure 27
Figure 27 Connect to Integrated WLS Server
Once connected add the following credentials to the credential store
$gt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm password=welcome1 desc=Keystore key) $gtcreateCred(map=oraclewsmsecurity key=enc-csf-key user=orakey password=welcome1 desc=Encryption key) $gtcreateCred(map=oraclewsmsecurity key=sign-csf-key user=orakey password=welcome1 desc=Signing key)
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented, which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked
i. Parts:
Name       Namespace                                                                            Encode
Body       http://schemas.xmlsoap.org/soap/envelope/                                            Element
Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down
i. Create Encrypted Key: Ensure the checkbox is checked
j. Parts:
Name  Namespace                                  Encode
Body  http://schemas.xmlsoap.org/soap/envelope/  Content
Figure 44: Encryption Configuration
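To confirm that a request produced by the "wss10" outgoing configuration really carries the Timestamp, Signature and Encryption entries with the values chosen in steps 10 to 14, the raw SOAP message can be inspected. The checker below is an added example, not part of the original guide or of SOAP UI: the sample envelope is constructed (key material and cipher values omitted) and the names check_envelope, EXPECTED and SAMPLE are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Values selected in the Timestamp, Signature and Encryption entries of "wss10".
EXPECTED = {
    "ttl": 5.0,  # Time to Live 5000, unit milliseconds
    "signature": NS["ds"] + "rsa-sha1",
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "digest": NS["ds"] + "sha1",
    "key encryption": NS["xenc"] + "rsa-oaep-mgf1p",
    "data encryption": NS["xenc"] + "aes128-cbc",
}

# Constructed sample of an outgoing request; signature and cipher values are left out.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}">
<soapenv:Header><wsse:Security>
<xenc:EncryptedKey><xenc:EncryptionMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-body"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
<ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
</ds:SignedInfo></ds:Signature>
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:30.000Z</wsu:Created>
<wsu:Expires>2012-03-16T21:52:35.000Z</wsu:Expires></wsu:Timestamp>
</wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-body"><xenc:EncryptedData>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</xenc:EncryptedData></soapenv:Body>
</soapenv:Envelope>""".format(**NS)


def _alg(parent, path):
    """Algorithm attribute of parent/path, or None when either is absent."""
    el = parent.find(path, NS) if parent is not None else None
    return None if el is None else el.get("Algorithm")


def _when(text):
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp %r" % text)


def check_envelope(xml_text):
    """Return a list of mismatches; an empty list means the message matches."""
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    body = root.find("soapenv:Body", NS)
    if sec is None or body is None:
        return ["wsse:Security header or soapenv:Body is missing"]
    found = []
    # Timestamp entry: Expires minus Created must not exceed the Time to Live.
    ts = sec.find("wsu:Timestamp", NS)
    created = ts.findtext("wsu:Created", namespaces=NS) if ts is not None else None
    expires = ts.findtext("wsu:Expires", namespaces=NS) if ts is not None else None
    if not (created and expires):
        found.append("Timestamp with Created and Expires is missing")
    else:
        life = (_when(expires) - _when(created)).total_seconds()
        if not 0 < life <= EXPECTED["ttl"]:
            found.append("Timestamp lifetime is %gs, expected at most %gs" % (life, EXPECTED["ttl"]))
    # Signature and Encryption entries: collect every algorithm URI in use.
    info = sec.find("ds:Signature/ds:SignedInfo", NS)
    refs = info.findall("ds:Reference", NS) if info is not None else []
    algs = [("signature", _alg(info, "ds:SignatureMethod")),
            ("canonicalization", _alg(info, "ds:CanonicalizationMethod"))]
    algs += [("digest", _alg(r, "ds:DigestMethod")) for r in refs]
    algs.append(("key encryption", _alg(sec.find("xenc:EncryptedKey", NS), "xenc:EncryptionMethod")))
    parts = list(body)
    if len(parts) == 1 and parts[0].tag == "{%s}EncryptedData" % NS["xenc"]:
        algs.append(("data encryption", _alg(parts[0], "xenc:EncryptionMethod")))
    else:
        found.append("Body content is not a single xenc:EncryptedData")
    for name, got in algs:
        if got != EXPECTED[name]:
            found.append("%s algorithm is %s, expected %s" % (name, got, EXPECTED[name]))
    # Signed parts: both Body and Timestamp must be referenced by the signature.
    signed = {r.get("URI", "").lstrip("#") for r in refs}
    for name, el in (("Body", body), ("Timestamp", ts)):
        if el is not None and el.get(WSU_ID) not in signed:
            found.append("%s is not covered by the signature" % name)
    return found
```

The check is structural only: it does not verify the signature value or decrypt the body.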
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down
b. Signature Keystore: Select "default-keystore.jks" from the drop down
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down
b. Incoming WSS: Select "wss10" from the drop down
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password - enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\lib\ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1\lib\ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel Default is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Configuring Integrated WLS Server to enable enforcing Message protection Policy
In order to be able to deploy the HelloWorld POJO Web Service to Integrated WLS Server and test the enforcement of the OWSM oracle/wss10_message_protection_service_policy, we need to configure the WLS Domain in which Integrated WLS Server runs. However, initially upon install the domain is not created completely. You can ensure the domain is created completely by trying to run the "HelloWorld" Web Service. You do this by "right clicking" on HelloWorld.java and selecting "Run" from the Context Menu as shown in Figure 24.
Figure 24: Running HelloWorld Web Service in Integrated WLS Server first time
The appendix shows the log that is output by the system in JDeveloper. The key aspects of interest here are the following messages:
    [Waiting for the domain to finish building]
    [09:47:56 PM] Creating Integrated Weblogic domain
    [09:50:03 PM] Extending Integrated Weblogic domain
    [09:50:51 PM] Integrated Weblogic domain processing completed successfully
    Using port 7101
    D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
    [waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called "DefaultDomain". In this scenario the "DefaultDomain" is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig" as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml that is of interest is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
    $> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    $> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    $> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44 Encryption Configuration
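The outgoing "wss10" entries determine what the request looks like on the wire: a signature that covers the Body and the Timestamp, Body content encrypted with AES-128-CBC, and the content key wrapped with RSA-OAEP. The Python check below is an added example, not part of the original How-To; the sample envelope and its Ids are constructed, and the name audit_request is an assumption. It confirms that a request carries that protection and reports where SHA-1 is in use.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: a request reduced to the elements the audit reads
# (no key material, digest values or ciphertext). The Ids are made up.
SAMPLE_REQUEST = """
<soapenv:Envelope {xmlns}>
 <soapenv:Header>
  <wsse:Security>
   <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   </xenc:EncryptedKey>
   <ds:Signature>
    <ds:SignedInfo>
     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#id-body">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     </ds:Reference>
     <ds:Reference URI="#id-ts">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     </ds:Reference>
    </ds:SignedInfo>
   </ds:Signature>
   <wsu:Timestamp wsu:Id="id-ts"/>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body wsu:Id="id-body">
  <xenc:EncryptedData>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>
""".format(xmlns=" ".join('xmlns:%s="%s"' % kv for kv in NS.items()))


def _alg(el):
    return None if el is None else el.get("Algorithm")


def audit_request(envelope_xml):
    """Return findings, the algorithms in use, and the SHA-1 based ones."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    body = root.find("soapenv:Body", NS)
    if sec is None or body is None:
        return {"findings": ["no wsse:Security header or no Body"],
                "algorithms": {}, "sha1": []}
    findings = []
    # Resolve every ds:Reference to the element object it points at, so a
    # Reference that resolves to anything other than the real soapenv:Body
    # (or the Timestamp in the Security header) does not count as coverage.
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed = [by_id.get(r.get("URI", "")[1:]) for r in refs]
    for name, el in (("Body", body), ("Timestamp", sec.find("wsu:Timestamp", NS))):
        if el is None:
            findings.append(name + " is missing")
        elif not any(s is el for s in signed):
            findings.append(name + " is not covered by the signature")
    # Encode = Content: the Body element stays, its children are replaced
    # by xenc:EncryptedData.
    children = list(body)
    if not children or any(c.tag != "{%s}EncryptedData" % NS["xenc"] for c in children):
        findings.append("Body content is not encrypted")
    algorithms = {
        "signature": _alg(sec.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)),
        "digest": sorted({d.get("Algorithm", "") for r in refs
                          for d in r.findall("ds:DigestMethod", NS)}),
        "key_transport": _alg(sec.find("xenc:EncryptedKey/xenc:EncryptionMethod", NS)),
        "body_cipher": _alg(body.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)),
    }
    used = [algorithms["signature"]] + algorithms["digest"]
    sha1 = [a for a in used if a and a.endswith("sha1")]
    return {"findings": findings, "algorithms": algorithms, "sha1": sha1}
```

An empty findings list means the request has the shape the outgoing configuration describes; the sha1 list makes the signature and digest algorithm choice visible for review.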
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub tab and click on the "+" icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
b. Signature Keystore: Select "default-keystore.jks" from the drop down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left-hand browse tree. This will create a request, as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
Copyright © 2011 Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
The appendix shows the log that is output by the system in JDeveloper. The key messages of interest here are the following:
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
As mentioned earlier, the key thing to note is:
On running this the first time, the domain for running the Integrated WLS is extended and the necessary artifacts are created. By default this domain is called "DefaultDomain". In this scenario the "DefaultDomain" is located at D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain.
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig", as shown in Figure 25.
Figure 25 Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The most important entry in jps-config.xml is the following keystore service entry:
<!-- KeyStore Service Instance -->
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd, as shown in Figure 26.
Figure 26 Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain, as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
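The relationship can be followed in code: jps-config.xml names a credential map and three CSF keys, each CSF key resolves to a credential created with createCred, and the user name of the signing and encryption credentials is the keystore alias. This Python check is an added example, not part of the original How-To; the credential store is modelled as a dictionary and the alias set stands in for a keystore listing, both constructed from the values used in the steps above, and the name resolve_wiring is an assumption.

```python
import xml.etree.ElementTree as ET

# Keystore service entry from jps-config.xml, as shown in step 6.
JPS_KEYSTORE_INSTANCE = """
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.provider.type" value="file"/>
  <property name="keystore.file.path" value="./"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed stand-in for the credential store after the three createCred
# calls in step 8: {(map, key): (user, password)}.
CRED_STORE = {
    ("oracle.wsm.security", "keystore-csf-key"): ("owsm", "welcome1"),
    ("oracle.wsm.security", "enc-csf-key"): ("orakey", "welcome1"),
    ("oracle.wsm.security", "sign-csf-key"): ("orakey", "welcome1"),
}

# Constructed stand-in for the aliases in default-keystore.jks
# (the How-To's keystore has a single alias).
KEYSTORE_ALIASES = {"orakey"}

# jps-config.xml property that names the CSF key for each role.
ROLE_PROPERTIES = {
    "keystore password": "keystore.pass.csf.key",
    "signing key": "keystore.sig.csf.key",
    "encryption key": "keystore.enc.csf.key",
}


def resolve_wiring(instance_xml, cred_store, aliases):
    """Follow jps-config.xml -> credential store -> keystore alias.

    Returns (wiring, problems): wiring maps each role to its CSF key and the
    user name stored under it; problems lists every broken link.
    """
    inst = ET.fromstring(instance_xml)
    props = {p.get("name"): p.get("value") for p in inst.findall("property")}
    csf_map = props.get("keystore.csf.map")
    wiring, problems = {}, []
    if not csf_map:
        return wiring, ["keystore.csf.map is not set"]
    for role, prop in ROLE_PROPERTIES.items():
        csf_key = props.get(prop)
        if not csf_key:
            problems.append("%s: property %s is not set" % (role, prop))
            continue
        cred = cred_store.get((csf_map, csf_key))
        if cred is None:
            problems.append("%s: no credential %s in map %s" % (role, csf_key, csf_map))
            continue
        user = cred[0]
        # Signing and encryption credentials carry the keystore alias as user
        # name (orakey in the How-To). The keystore password credential uses
        # "owsm", which is not an alias, so it is not looked up in the keystore.
        if role != "keystore password" and user not in aliases:
            problems.append("%s: alias %s not in %s" % (role, user, inst.get("location")))
        wiring[role] = {"csf_key": csf_key, "user": user}
    return wiring, problems
```

A non-empty problems list pinpoints which link is broken, for example a CSF key that was never created or a credential whose user name does not match any alias in the keystore.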
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper, as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new Project, as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide "Project Name" and "WSDL" information for the HelloWorld WS, as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystores/Certificates tab. Click on the Keystore/Certificates tab, as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore, as shown in Figure 33. This will launch a dialog to select the Key Material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1", as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon, as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented, which contains a single drop down list. Select "Timestamp" from the dialog, as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40:
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds.
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again, as shown in Figure 38, and selecting "Signature" from the "Add WSS Entry" drop down, as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Copying the Keystore under the right location for Integrated WLS Server
5. Copy the default-keystore.jks created earlier to "D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig" as shown in Figure 25.
Figure 25: Copying default-keystore.jks under DefaultDomain
Verifying jps-config.xml in Default Domain
6. The jps-config.xml will be found under D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\config\fmwconfig. The entry of most interest in jps-config.xml is the following keystore service entry:
    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.provider.type" value="file"/>
        <property name="keystore.file.path" value="./"/>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
The next step is to configure the credentials in the DefaultDomain.
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
    $> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    $> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    $> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
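The wiring between the three artifacts can also be checked mechanically. The following Python code is an added example, not part of the original guide: it parses the keystore serviceInstance from step 6, looks up each CSF key it names in the map populated in step 8, and confirms that the signing and encryption credentials carry a user name that is an alias in the keystore (OWSM reads that user name as the key alias). The dictionary standing in for the credential store, the alias set and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the keystore serviceInstance entry from step 6.
JPS_KEYSTORE_ENTRY = """
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Stand-in for the credential store after step 8: (map, key) -> user name.
# Passwords are deliberately not modelled here.
CREDENTIALS = {
    ("oracle.wsm.security", "keystore-csf-key"): "owsm",
    ("oracle.wsm.security", "enc-csf-key"): "orakey",
    ("oracle.wsm.security", "sign-csf-key"): "orakey",
}

# Aliases present in default-keystore.jks (the guide's keystore has only orakey).
KEYSTORE_ALIASES = {"orakey"}

# jps-config.xml property -> (what the credential unlocks, user must be a key alias)
ROLES = {
    "keystore.pass.csf.key": ("keystore password", False),
    "keystore.sig.csf.key": ("signing key", True),
    "keystore.enc.csf.key": ("encryption key", True),
}


def keystore_settings(xml_text):
    """Return the keystore serviceInstance properties plus its location."""
    entry = ET.fromstring(xml_text.strip())
    if entry.tag != "serviceInstance" or entry.get("provider") != "keystore.provider":
        raise ValueError("not a keystore serviceInstance")
    settings = {p.get("name"): p.get("value") for p in entry.findall("property")}
    settings["location"] = entry.get("location")
    return settings


def resolve(settings, credentials, aliases):
    """Follow jps-config.xml -> credential store -> keystore alias.

    Returns (resolved, problems): resolved maps each role to (csf key, user),
    problems lists every broken link in the chain.
    """
    csf_map = settings.get("keystore.csf.map")
    resolved, problems = {}, []
    for prop, (role, needs_alias) in ROLES.items():
        csf_key = settings.get(prop)
        if not csf_map or not csf_key:
            problems.append("%s is not configured in jps-config.xml" % prop)
            continue
        user = credentials.get((csf_map, csf_key))
        if user is None:
            problems.append("credential %s/%s (%s) is missing" % (csf_map, csf_key, role))
        elif needs_alias and user not in aliases:
            problems.append("%s names alias %r, which is not in %s"
                            % (csf_key, user, settings["location"]))
        else:
            resolved[role] = (csf_key, user)
    return resolved, problems


if __name__ == "__main__":
    found, issues = resolve(keystore_settings(JPS_KEYSTORE_ENTRY), CREDENTIALS, KEYSTORE_ALIASES)
    for role, (csf_key, user) in found.items():
        print("%-17s <- %s (user %s)" % (role, csf_key, user))
    print("problems:", issues)
```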
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide "Project Name" and "WSDL" information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for "Time to Live" in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop down.
   e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
   f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
   g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
   h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
   i. Parts:
      Name       Namespace                                                                            Encode
      Body       http://schemas.xmlsoap.org/soap/envelope/                                            Element
      Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd  Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
   g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
   h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:
      Name  Namespace                                  Encode
      Body  http://schemas.xmlsoap.org/soap/envelope/  Content
Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
   a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
   b. Signature Keystore: Select "default-keystore.jks" from the drop down.
   c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation on the left-hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select "wss10" from the drop down.
   b. Incoming WSS: Select "wss10" from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 26
Verifying jps-configxml in Default Domain
6 The jps-configxml will be found under
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainconfigfmwconfig The most important entry in jps-configxml that is of interest is the following keystore service entry lt-- KeyStore Service Instance --gt ltserviceInstance name=keystore provider=keystoreprovider location=default-keystorejksgt ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt ltproperty name=keystoreprovidertype value=filegt ltproperty name=keystorefilepath value=gt ltproperty name=keystoretype value=JKSgt ltproperty name=keystorecsfmap value=oraclewsmsecuritygt ltproperty name=keystorepasscsfkey value=keystore-csf-keygt ltproperty name=keystoresigcsfkey value=sign-csf-keygt ltproperty name=keystoreenccsfkey value=enc-csf-keygt ltserviceInstancegt The next step is to configure the credentials in the DefaultDomain
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running.
7. Start WLST from D:\Oracle11g\Middleware\oracle_common\common\bin\wlst.cmd as shown in Figure 26.
Figure 26: Starting WLST for Integrated WLS Server
8. Connect to the Integrated WLS Server running DefaultDomain as shown in Figure 27.
Figure 27: Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:

    $> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    $> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    $> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship between Keystore, Credential Store Credentials and jps-config.xml
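The chain that Figure 28 depicts, as an added example that is not part of the original guide: the keystore service entry names a credential map and three CSF keys, and each CSF key supplies a password (and, for the signing and encryption entries, the key alias) for default-keystore.jks. CRED_STORE is a constructed stand-in for the credential store after the three createCred() calls above, and resolve_keystore_service is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# The keystore service entry from jps-config.xml, as shown in step 6.
JPS_KEYSTORE_ENTRY = """
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.provider.type" value="file"/>
    <property name="keystore.file.path" value="./"/>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
"""

# Constructed stand-in for the credential store after the createCred() calls
# in step 8: {map name: {csf key: (user, password)}}.
CRED_STORE = {
    "oracle.wsm.security": {
        "keystore-csf-key": ("owsm", "welcome1"),
        "enc-csf-key": ("orakey", "welcome1"),
        "sign-csf-key": ("orakey", "welcome1"),
    }
}

# jps-config.xml property -> role played by the credential it points to.
ROLES = {
    "keystore.pass.csf.key": "keystore",
    "keystore.sig.csf.key": "signing",
    "keystore.enc.csf.key": "encryption",
}


def resolve_keystore_service(entry_xml, cred_store):
    """Follow jps-config.xml -> credential store -> keystore.

    Returns (resolved, problems). resolved holds the keystore file and, per
    role, the CSF key that supplies it, the keystore alias it selects and
    whether a password is present. problems lists every broken link.
    """
    inst = ET.fromstring(entry_xml)
    props = {p.get("name"): p.get("value") for p in inst.findall("property")}
    resolved = {"keystore_file": inst.get("location"), "roles": {}}
    problems = []

    csf_map = props.get("keystore.csf.map")
    creds = cred_store.get(csf_map)
    if creds is None:
        problems.append("credential map %r not in credential store" % csf_map)
        creds = {}

    for prop, role in ROLES.items():
        csf_key = props.get(prop)
        if csf_key is None:
            problems.append("%s not set in jps-config.xml" % prop)
            continue
        if csf_key not in creds:
            problems.append("%s -> %r has no credential in map %r"
                            % (prop, csf_key, csf_map))
            continue
        user, password = creds[csf_key]
        resolved["roles"][role] = {
            "csf_key": csf_key,
            # For signing and encryption the credential's user is the key
            # alias inside the JKS; for the keystore entry only the password
            # (the keystore password) is used.
            "alias": None if role == "keystore" else user,
            "has_password": bool(password),
        }
    return resolved, problems


if __name__ == "__main__":
    resolved, problems = resolve_keystore_service(JPS_KEYSTORE_ENTRY, CRED_STORE)
    print(resolved["keystore_file"])
    for role, link in resolved["roles"].items():
        print(role, link)
    print("problems:", problems)
```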
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM "oracle/wss10_message_protection_service_policy", start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide the "Project Name" and "WSDL" information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI. These are the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystores/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for "Time to Live" in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop down.
   e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
   f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
   g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
   h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
   i. Parts:

      Name        Namespace                                                                             Encode
      Body        http://schemas.xmlsoap.org/soap/envelope/                                             Element
      Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd    Element

Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: "welcome1". This is the password for the alias.
   d. Key Identifier Type: Select "Binary Security Token" from the drop down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
   g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
   h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:

      Name   Namespace                                   Encode
      Body   http://schemas.xmlsoap.org/soap/envelope/   Content

Figure 44: Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub-tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
   a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
   b. Signature Keystore: Select "default-keystore.jks" from the drop down.
   c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the browse tree on the left-hand side. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select "wss10" from the drop down.
   b. Incoming WSS: Select "wss10" from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\lib\ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1\lib\ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started. ----
[09:52:06 PM] Target platform is (Weblogic 10.3).
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully.
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished. ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 27
Creating Credentials required for Keystore access
Ensure the Integrated WLS Server is running 7 Start WLST from DOracle11gMiddleware oracle_commoncommonbinwlstcmd as shown in Figure 26
Figure 26 Starting WLST for Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 28
8 Connect to the Integrated WLS Server running DefaultDomain as show in Figure 27
Figure 27 Connect to Integrated WLS Server
Once connected add the following credentials to the credential store
$gt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm password=welcome1 desc=Keystore key) $gtcreateCred(map=oraclewsmsecurity key=enc-csf-key user=orakey password=welcome1 desc=Encryption key) $gtcreateCred(map=oraclewsmsecurity key=sign-csf-key user=orakey password=welcome1 desc=Signing key)
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 29
Relationship between Keystore Credential Store jps-configxml
9 Many people find the relationship between keystore keys credential store credentials and jps-configxml
confusing Figure 28 shows the relationship between all these artifacts
Figure 28 Relationship bw Keystore Credential Store Credentials and jps-configxml
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
b. Signature Keystore: Select “default-keystore.jks” from the drop down.
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request, as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down.
b. Incoming WSS: Select “wss10” from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
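To confirm that a request captured from SOAP UI really carries the protection configured in the “wss10” outgoing configuration (Timestamp, Signature over Body and Timestamp, Encryption of the Body content), the following added example parses the WS-Security header and reports any deviation. It is not part of the original guide or of OWSM; the sample envelope, its Ids, its timestamps and the PLACEHOLDER values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Algorithm URIs selected in the Signature and Encryption WSS entries of the guide.
EXPECTED = {
    "signature": NS["ds"] + "rsa-sha1",
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "digest": NS["ds"] + "sha1",
    "data encryption": NS["xenc"] + "aes128-cbc",
    "key encryption": NS["xenc"] + "rsa-oaep-mgf1p",
}

def _expect(findings, name, parent, path):
    """Add a finding when the Algorithm attribute found at path is not the expected URI."""
    el = parent.find(path, NS)
    actual = el.get("Algorithm") if el is not None else None
    if actual != EXPECTED[name]:
        findings.append("%s algorithm is %s" % (name, actual))

def check_message(xml_text):
    """Return deviations from the wss10 outgoing configuration; [] means it matches."""
    findings = []
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        return ["missing wsse:Security header or soap:Body"]
    # Timestamp entry: the element must be present and carry an expiry.
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None or ts.find("wsu:Expires", NS) is None:
        findings.append("no wsu:Timestamp with wsu:Expires")
    # Signature entry: Body and Timestamp are both listed as signed parts.
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        findings.append("no ds:Signature")
    else:
        _expect(findings, "signature", sig, "ds:SignedInfo/ds:SignatureMethod")
        _expect(findings, "canonicalization", sig, "ds:SignedInfo/ds:CanonicalizationMethod")
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        for ref in refs:
            _expect(findings, "digest", ref, "ds:DigestMethod")
        signed_ids = {ref.get("URI", "").lstrip("#") for ref in refs}
        for label, el in (("Body", body), ("Timestamp", ts)):
            if el is not None and el.get(WSU_ID) not in signed_ids:
                findings.append("%s is not covered by the signature" % label)
    # Encryption entry: the Body *content* becomes one EncryptedData and the
    # AES key travels in an EncryptedKey ("Create Encrypted Key" checked).
    key = sec.find("xenc:EncryptedKey", NS)
    if key is None:
        findings.append("no xenc:EncryptedKey")
    else:
        _expect(findings, "key encryption", key, "xenc:EncryptionMethod")
    children = list(body)
    if len(children) != 1 or children[0].tag != "{%s}EncryptedData" % NS["xenc"]:
        findings.append("Body content is not a single xenc:EncryptedData")
    else:
        _expect(findings, "data encryption", children[0], "xenc:EncryptionMethod")
        refs = key.findall("xenc:ReferenceList/xenc:DataReference", NS) if key is not None else []
        if children[0].get("Id") not in {r.get("URI", "").lstrip("#") for r in refs}:
            findings.append("EncryptedKey does not reference the Body EncryptedData")
    return findings

# Constructed sample message: Ids, times and PLACEHOLDER values are illustrative.
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
SAMPLE = """<soap:Envelope @XMLNS@><soap:Header><wsse:Security>
 <xenc:EncryptedKey Id="EK-1">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
 </xenc:EncryptedKey>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:13Z</wsu:Created>
  <wsu:Expires>2012-03-16T21:52:18Z</wsu:Expires></wsu:Timestamp>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body-1">
 <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData>
</soap:Body></soap:Envelope>""".replace("@XMLNS@", XMLNS)

if __name__ == "__main__":
    print(check_message(SAMPLE) or "matches the wss10 configuration")
    print(check_message(SAMPLE.replace('URI="#TS-1"', 'URI="#other"')))
```

The check reads only the declared structure and algorithm URIs; it does not verify the signature value or decrypt the body.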
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\lib\ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1\lib\ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
8. Connect to the Integrated WLS Server running DefaultDomain, as shown in Figure 27.
Figure 27 Connect to Integrated WLS Server
Once connected, add the following credentials to the credential store:
$> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
$> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
$> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28 Relationship b/w Keystore, Credential Store Credentials and jps-config.xml
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper, as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project, as shown in Figure 29.
Figure 29 Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS, as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab, as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore, as shown in Figure 33. This will launch a dialog to select the Key Material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1”, as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon, as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog, as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for “Time to Live” in milliseconds.
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again, as shown in Figure 38, and selecting “Signature” from the “Add WSS Entry” drop down, as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: “welcome1”. This is the password for the alias.
d. Key Identifier Type: Select “Binary Security Token” from the drop down.
e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
i. Parts:
Name        Namespace                                                                            Encode
Body        http://schemas.xmlsoap.org/soap/envelope/                                            Element
Timestamp   http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42 Providing Signature configuration
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Relationship between Keystore, Credential Store, jps-config.xml
9. Many people find the relationship between keystore keys, credential store credentials and jps-config.xml confusing. Figure 28 shows the relationship between all these artifacts.
Figure 28: Relationship between Keystore, Credential Store Credentials and jps-config.xml
Testing with SOAP UI
1. Before testing the Web Service with SOAP UI, run the HelloWorld from within JDeveloper as shown in Figure 24.
Create SOAP UI Project
2. To test the HelloWorld Web Service secured with the OWSM “oracle/wss10_message_protection_service_policy”, start SOAP UI and create a new Project as shown in Figure 29.
Figure 29: Create new project in SOAP UI
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS as shown in Figure 30.
Figure 30: Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31: Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32: Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1” as shown in Figure 35.
Figure 33: Adding a Keystore
Figure 34: Select a JKS keystore from the file system
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for “Time to Live” in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop down.
   e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
   f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
   g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
   h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
   i. Parts:
      Name | Namespace | Encode
      Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
      Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
   g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
   h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:
      Name | Namespace | Encode
      Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44: Encryption Configuration
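The following check is an added example, not part of the original How-To and not code from OWSM or SOAP UI: given a request saved as XML, it reports where the message deviates from the “wss10” outgoing configuration of steps 9 to 14 (Timestamp present, Body and Timestamp signed with the listed algorithms, Body content encrypted). The sample message, its Id values and the check_message helper are constructed for illustration; it assumes a SOAP 1.1 envelope and UTC timestamps.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Algorithms selected in steps 12 and 14; paths are relative to wsse:Security.
EXPECTED = {
    "ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "ds:Signature/ds:SignedInfo/ds:SignatureMethod": NS["ds"] + "rsa-sha1",
    "xenc:EncryptedKey/xenc:EncryptionMethod": NS["xenc"] + "rsa-oaep-mgf1p",
}

# Constructed sample request (placeholder key, token and cipher values), not captured traffic.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}">
 <soap:Header><wsse:Security>
  <xenc:EncryptedKey Id="EK-1">
   <xenc:EncryptionMethod Algorithm="{xenc}rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <wsse:BinarySecurityToken wsu:Id="X509-1">PLACEHOLDER</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{ds}rsa-sha1"/>
    <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference>
    <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/>
   </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:13Z</wsu:Created>
   <wsu:Expires>2012-03-16T21:52:18Z</wsu:Expires></wsu:Timestamp>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><xenc:EncryptedData Id="ED-1" Type="{xenc}Content">
   <xenc:EncryptionMethod Algorithm="{xenc}aes128-cbc"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></soap:Body>
</soap:Envelope>""".format(**NS)

def _utc(text):
    # Assumes UTC xsd:dateTime values ending in "Z", with or without fractions.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text.strip(), fmt)

def check_message(xml_text):
    """Return findings; an empty list means the message matches the wss10 settings."""
    findings = []
    root = ET.fromstring(xml_text)
    sec, body = root.find("soap:Header/wsse:Security", NS), root.find("soap:Body", NS)
    if sec is None or body is None:
        return ["missing wsse:Security header or soap:Body"]
    # a. Timestamp: present, and Expires later than Created.
    ts = sec.find("wsu:Timestamp", NS)
    created = sec.findtext("wsu:Timestamp/wsu:Created", None, NS)
    expires = sec.findtext("wsu:Timestamp/wsu:Expires", None, NS)
    if not created or not expires or _utc(expires) <= _utc(created):
        findings.append("Timestamp is missing or Expires is not later than Created")
    # b/c. Signature and key-encryption algorithms.
    for path, want in EXPECTED.items():
        node = sec.find(path, NS)
        got = None if node is None else node.get("Algorithm")
        if got != want:
            findings.append("%s: expected %s, found %s" % (path, want, got))
    # b. Signed parts: every digest is sha1, and Body and Timestamp are referenced.
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI", "").lstrip("#") for r in refs}
    for r in refs:
        dm = r.find("ds:DigestMethod", NS)
        if dm is None or dm.get("Algorithm") != NS["ds"] + "sha1":
            findings.append("reference %s: digest is not sha1" % r.get("URI"))
    for name, node in (("Body", body), ("Timestamp", ts)):
        if node is not None and node.get(WSU_ID) not in signed_ids:
            findings.append("signature does not cover %s" % name)
    # b. Key Identifier Type: KeyInfo points at a BinarySecurityToken in this header.
    ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    tokens = {t.get(WSU_ID) for t in sec.findall("wsse:BinarySecurityToken", NS)}
    if ref is None or ref.get("URI", "").lstrip("#") not in tokens:
        findings.append("signing key is not referenced as a BinarySecurityToken")
    # c. Encryption: Body holds exactly one EncryptedData (Content) using aes128-cbc.
    kids = list(body)
    if len(kids) != 1 or kids[0].tag != "{%s}EncryptedData" % NS["xenc"]:
        findings.append("Body content is not a single xenc:EncryptedData")
    else:
        method = kids[0].find("xenc:EncryptionMethod", NS)
        if method is None or method.get("Algorithm") != NS["xenc"] + "aes128-cbc":
            findings.append("Body is not encrypted with aes128-cbc")
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE) or "message matches the wss10 configuration")
```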
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
   a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
   b. Signature Keystore: Select “default-keystore.jks” from the drop down.
   c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation on the left hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select “wss10” from the drop down.
   b. Incoming WSS: Select “wss10” from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 30
Testing with SOAP UI 1 Before testing the Web Service with SOAP UI Run the HelloWorld from within JDeveloper as shown in Figure 24
Create SOAP UI Project
2 To test the HelloWorld Web Service secured with the OWSM ldquooraclewss10_message_protection_service_policyrdquo start SOAP UI and create a new Project as shown in Figure 29
Figure 29 Create new project in SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 31
3 Provide Project Namerdquo and ldquoWSDLrdquo information for the HelloWorld WS as show in Figure 30
Figure 30 Provide WSDL information for the Web Service that needs to be tested
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 32
4 Double click on the helloworld-msg-prot-test SOAP UI project to open various configurations one can specify for the
project as show in Figure 31 Click on the WS-Security Configurations tab
Figure 31 Specify the WS-Security Configurations
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
   g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
   h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:
      Name  Namespace                                   Encode
      Body  http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44 Encryption Configuration
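One way to check that a request built with the outgoing “wss10” entries (Timestamp, Signature, Encryption) carries what was configured; this is an added example, not part of the Oracle how-to. The function name `audit`, the element layout and Ids in `SAMPLE`, and timestamps with fractional seconds are assumptions, and the sample envelope is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Values chosen in the Timestamp, Signature and Encryption entries of the how-to.
EXPECTED = {
    "timestamp TTL (s)": 5.0,  # Time to Live 5000, unit left at milliseconds
    "signature algorithm": NS["ds"] + "rsa-sha1",
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "digest algorithm": NS["ds"] + "sha1",
    "encrypted part type": NS["xenc"] + "Content",
    "symmetric algorithm": NS["xenc"] + "aes128-cbc",
    "key encryption algorithm": NS["xenc"] + "rsa-oaep-mgf1p",
}

# Constructed sample (not captured traffic): structure only, crypto values omitted or dummy.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}">
 <soap:Header><wsse:Security>
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{xenc}rsa-oaep-mgf1p"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="{ds}rsa-sha1"/>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:13.000Z</wsu:Created>
   <wsu:Expires>2012-03-16T21:52:18.000Z</wsu:Expires></wsu:Timestamp>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1" Type="{xenc}Content">
   <xenc:EncryptionMethod Algorithm="{xenc}aes128-cbc"/>
   <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></soap:Body>
</soap:Envelope>""".format(**NS)


def audit(envelope_xml):
    """Return the deviations from the wss10 settings; an empty list means none."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    if sec is None or body is None:
        return ["no wsse:Security header or no soap:Body"]
    found = []
    def check(name, actual):
        if actual != EXPECTED[name]:
            found.append("%s: expected %s, got %s" % (name, EXPECTED[name], actual))
    def alg(parent, path):
        node = parent.find(path, NS)
        return None if node is None else node.get("Algorithm")

    # Timestamp entry: present, and Expires - Created equals the configured Time to Live.
    ts = sec.find("wsu:Timestamp", NS)
    stamps = [] if ts is None else [ts.findtext("wsu:" + t, "", NS) for t in ("Created", "Expires")]
    try:  # a missing element or an unexpected format both raise ValueError here
        created, expires = (datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ") for s in stamps)
        check("timestamp TTL (s)", (expires - created).total_seconds())
    except ValueError:
        found.append("timestamp: missing or unparsable Timestamp/Created/Expires")

    # Signature entry: algorithms, and both configured Parts (Body, Timestamp) referenced.
    info = sec.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        found.append("signature: no ds:Signature in the Security header")
    else:
        check("signature algorithm", alg(info, "ds:SignatureMethod"))
        check("canonicalization", alg(info, "ds:CanonicalizationMethod"))
        refs = info.findall("ds:Reference", NS)
        for ref in refs:
            check("digest algorithm", alg(ref, "ds:DigestMethod"))
        signed = {ref.get("URI", "").lstrip("#") for ref in refs}
        for name, el in (("Body", body), ("Timestamp", ts)):
            if el is None or el.get(WSU_ID) not in signed:
                found.append("signature: %s is not covered by a ds:Reference" % name)

    # Encryption entry: Body content replaced by EncryptedData that an EncryptedKey points to.
    data = body.find("xenc:EncryptedData", NS)
    key = sec.find("xenc:EncryptedKey", NS)
    if data is None or key is None:
        found.append("encryption: Body content is not encrypted with an EncryptedKey")
    else:
        check("encrypted part type", data.get("Type"))
        check("symmetric algorithm", alg(data, "xenc:EncryptionMethod"))
        check("key encryption algorithm", alg(key, "xenc:EncryptionMethod"))
        uris = {r.get("URI") for r in key.findall("xenc:ReferenceList/xenc:DataReference", NS)}
        if "#" + data.get("Id", "") not in uris:
            found.append("encryption: EncryptedKey does not reference the Body's EncryptedData")
    return found
```

The check is structural only: it does not verify the signature value or decrypt the body, which still requires the keys in the keystore.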
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
   a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
   b. Signature Keystore: Select “default-keystore.jks” from the drop down.
   c. Password: “welcome1”.
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request, as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select “wss10” from the drop down.
   b. Incoming WSS: Select “wss10” from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
3. Provide “Project Name” and “WSDL” information for the HelloWorld WS, as shown in Figure 30.
Figure 30 Provide WSDL information for the Web Service that needs to be tested
4. Double click on the helloworld-msg-prot-test SOAP UI project to open the various configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the “WS-Security Configurations” tab in SOAP UI. These are the “Outgoing WS-Security Configurations” tab, the “Incoming WS-Security Configurations” tab and the “Keystore/Certificates” tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab, as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the “+” button to add a keystore, as shown in Figure 33. This will launch a dialog to select the Key Material, as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter “welcome1”, as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice, the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon, as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog, as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for “Time to Live” in milliseconds.
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
4. Double-click the helloworld-msg-prot-test SOAP UI project to open the configurations one can specify for the project, as shown in Figure 31. Click on the WS-Security Configurations tab.
Figure 31 Specify the WS-Security Configurations
Create WS-Security Configurations
5. There are 3 sub-tabs under the "WS-Security Configurations" tab in SOAP UI: the "Outgoing WS-Security Configurations" tab, the "Incoming WS-Security Configurations" tab and the "Keystore/Certificates" tab. We will first fill out the Keystore/Certificates tab. Click on the Keystore/Certificates tab as shown in Figure 32.
Figure 32 Specify the Keystore/Certificates to be used by SOAP UI
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented which contains a single drop-down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
i. Parts:
Name       Namespace                                                                            Encode
Body       http://schemas.xmlsoap.org/soap/envelope/                                            Element
Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42 Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name       Namespace                                    Encode
Body       http://schemas.xmlsoap.org/soap/envelope/    Content
Figure 44 Encryption Configuration
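The outgoing "wss10" configuration from steps 9 to 14 determines what the request's wsse:Security header must contain. The Python sketch below is an added example, not part of the original guide, SOAP UI or OWSM: it checks a request envelope against those settings (Timestamp present, Body and Timestamp signed, Body content encrypted, the algorithms chosen above). The envelope, its Id values and the function names are constructed for illustration, and the check is structural only; it does not verify the signature or decrypt anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]
# Algorithm URIs selected in the Signature and Encryption steps above.
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SIG = NS["ds"] + "rsa-sha1"
DIGEST = NS["ds"] + "sha1"
KEY_ENC = NS["xenc"] + "rsa-oaep-mgf1p"
DATA_ENC = NS["xenc"] + "aes128-cbc"
CONTENT = NS["xenc"] + "Content"  # "Encode: Content" in the encryption Parts table

# Constructed sample request. Signature and cipher values are left out, so this
# exercises the structural checks only, not cryptographic verification.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
 xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
<soap:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:13Z</wsu:Created>
  <wsu:Expires>2012-03-16T21:52:18Z</wsu:Expires></wsu:Timestamp>
 <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{KEY_ENC}"/>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
 </xenc:EncryptedKey>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="{C14N}"/>
  <ds:SignatureMethod Algorithm="{SIG}"/>
  <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{DIGEST}"/></ds:Reference>
  <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{DIGEST}"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body-1"><xenc:EncryptedData Id="ED-1" Type="{CONTENT}">
 <xenc:EncryptionMethod Algorithm="{DATA_ENC}"/></xenc:EncryptedData></soap:Body>
</soap:Envelope>"""


def _alg(parent, path):
    """Algorithm attribute of parent/path, or None if either is absent."""
    node = parent.find(path, NS) if parent is not None else None
    return node.get("Algorithm") if node is not None else None


def check_envelope(xml_text):
    """Return a list of policy findings; an empty list means the message conforms."""
    env = ET.fromstring(xml_text)
    body = env.find("soap:Body", NS)
    sec = env.find("soap:Header/wsse:Security", NS)
    if body is None or sec is None:
        return ["missing soap:Body or wsse:Security header"]
    findings = []

    def require(ok, message):
        if not ok:
            findings.append(message)

    # Index wsu:Id values; a duplicated Id makes signature references ambiguous.
    by_id = {}
    for el in env.iter():
        if el.get(WSU_ID):
            by_id.setdefault(el.get(WSU_ID), []).append(el)
    for ident, els in by_id.items():
        require(len(els) == 1, "duplicate wsu:Id " + ident)

    # 1. Timestamp: present, with Expires later than Created.
    ts = sec.find("wsu:Timestamp", NS)
    try:
        created, expires = (
            datetime.strptime(ts.findtext("wsu:" + n, "", NS), "%Y-%m-%dT%H:%M:%SZ")
            for n in ("Created", "Expires"))
        require(expires > created, "Timestamp does not expire after its creation time")
    except (AttributeError, ValueError):
        findings.append("missing or unparsable wsu:Timestamp")

    # 2. Signature: expected algorithms, and both Body and Timestamp referenced.
    si = sec.find("ds:Signature/ds:SignedInfo", NS)
    require(si is not None, "no ds:Signature")
    require(_alg(si, "ds:CanonicalizationMethod") == C14N, "unexpected signature canonicalization")
    require(_alg(si, "ds:SignatureMethod") == SIG, "unexpected signature algorithm")
    signed = []
    for ref in (si.findall("ds:Reference", NS) if si is not None else []):
        require(_alg(ref, "ds:DigestMethod") == DIGEST, "unexpected digest algorithm")
        signed += by_id.get(ref.get("URI", "").lstrip("#"), [])
    for name, el in (("soap:Body", body), ("wsu:Timestamp", ts)):
        require(any(s is el for s in signed), name + " is not covered by the signature")

    # 3. Encryption: Body content replaced by EncryptedData tied to the EncryptedKey.
    kids = list(body)
    is_ed = len(kids) == 1 and kids[0].tag == "{%s}EncryptedData" % NS["xenc"]
    ed = kids[0] if is_ed else None
    require(ed is not None and ed.get("Type") == CONTENT, "soap:Body content is not encrypted")
    require(_alg(ed, "xenc:EncryptionMethod") == DATA_ENC, "unexpected data encryption algorithm")
    ek = sec.find("xenc:EncryptedKey", NS)
    require(_alg(ek, "xenc:EncryptionMethod") == KEY_ENC, "unexpected key encryption algorithm")
    refs = [] if ek is None else ek.findall("xenc:ReferenceList/xenc:DataReference", NS)
    require(ed is not None and any(r.get("URI") == "#" + ed.get("Id", "") for r in refs),
            "EncryptedKey does not reference the Body's EncryptedData")
    return findings
```

The signature reference is resolved to the element that is actually the Envelope's soap:Body, so a reference to some other element that merely carries a matching Id elsewhere in the message is reported as the Body not being covered.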
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub-tab and click on the "+" icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
b. Signature Keystore: Select "default-keystore.jks" from the drop down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation on the left-hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 50
ltMar 16 2012 95055 PM PDTgt ltInfogt ltManagementgt ltBEA-141107gt ltVersion WebLogic Server 10350 Fri Apr 1 202006 PDT 2011 1398638 gt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95057 PM PDTgt ltInfogt ltWorkManagergt ltBEA-002900gt ltInitializing self-tuning thread poolgt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170019gt ltThe server log file DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainserversDefaultServerlogsDefaultServerlog is opened All server side log events will be written to this filegt
ltMar 16 2012 95108 PM PDTgt ltNoticegt ltSecuritygt ltBEA-090082gt ltSecurity initializing using security realm myrealmgt
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 33
Create WS-Security Configurations
5 There are 3 sub-tabs under the ldquoWS-Security Configurationsrdquo tab in SOAP UI These are the ldquoOutgoing WS-Security
Configurationsrdquo tab ldquoIncoming WS-Security Configurationsrdquo tab and the ldquoKeystoreCertificatesrdquo tab We will first fill
out the KeystoresCertificates tab Click on the KeystoreCertificates tab as shown in Figure 32
Figure 32 Specify the KeystoreCertificates to be used by SOAP UI
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 34
Add KeystoreCertificates
6 Click on the ldquo+rdquo button to add a keystore as shown in Figure 33 This will launch a dialog to select the Key Material as
show in Figure 34 You will be prompted for the password to the default-keystorejks Enter ldquowelcome1rdquo as show in
Figure 35
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 35
Figure 35 Specify Password for the default-keystorejks
7 Figure 36 shows the result of adding the default-keystorejks to SOAP UI
Figure 36 Result of adding default-keystorejks
NOTE For purposes of simplicity ndash I have selected the same default-keystorejks file that was used by the HelloWorld Web Service in practice the client and service DO NOT share the same keystore instead you should use separate keystores and exchange the public certificates of the client and the service
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 36
Add Outgoing WS-Security Configurations
8 The next step is to add the ldquoOutgoing WS-Secure Configurationsrdquo to the project You can do this by click on the Outgoing S-Security Configurations tab and clicking on the ldquo+rdquo icon as shown in Figure 37
Figure 37 Initiate addition of Outgoing WS-Security Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 37
9 Enter the ldquoNamerdquo of the configuration as ldquowss10rdquo This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for ldquowss10rdquo Click on the ldquo+rdquo icon highlighted with a red circle in Figure 38 We need to add 3 entries in the following order
a Timestamp b Signature c Encryption
Upon clicking the ldquo+rdquo icon an ldquoAdd WSS Entryrdquo popup dialog will be presented which contains a single drop down list Select ldquoTimestamprdquo from the dialog as shown in Figure 39
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10 Configure the ldquoTimestamprdquo WSS Entry The two fields are shown in Figure 40
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 42
Add Incoming WS-Security Configurations
15 Click on the ldquoIncoming WS-Security Configurationsrdquo sub tab and click on the ldquo+rdquo icon as show in Figure 45 You will be prompted to enter a name for the incoming configuration specify ldquowss10rdquo as the name as shown in Figure 46
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 43
16 Click on the ldquowss10rdquo entry and select the following a Decrypt Keystore Select ldquodefault-keystorejksrdquo from the drop down b Signature Keystore Select ldquodefault-keystorejksrdquo from the drop down c Password ldquowelcome1rdquo
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation on the left-hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Add Keystore/Certificates
6. Click on the "+" button to add a keystore as shown in Figure 33. This will launch a dialog to select the Key Material as shown in Figure 34. You will be prompted for the password to the default-keystore.jks. Enter "welcome1" as shown in Figure 35.
Figure 33 Adding a Keystore
Figure 34 Select a JKS keystore from the file system
Figure 35 Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36 Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the "Outgoing WS-Security Configurations" to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the "+" icon as shown in Figure 37.
Figure 37 Initiate addition of Outgoing WS-Security Configuration
9. Enter the "Name" of the configuration as "wss10". This will create a panel on the lower half of the screen to add the relevant WS-Security Configuration for "wss10". Click on the "+" icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
a. Timestamp
b. Signature
c. Encryption
Upon clicking the "+" icon, an "Add WSS Entry" popup dialog will be presented which contains a single drop down list. Select "Timestamp" from the dialog as shown in Figure 39.
Figure 38 Adding WSS Configuration for wss10
Figure 39 Add Timestamp
10. Configure the "Timestamp" WSS Entry. The two fields are shown in Figure 40.
a. Time to Live: 5000
b. Leave the unit for "Time to Live" in milliseconds.
Figure 40 Specify Time to Live as part of Timestamp configuration
11. Add the "Signature" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Signature" from the "Add WSS Entry" drop down as shown in Figure 41.
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
i. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Element
Timestamp | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | Element
Figure 42 Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again as shown in Figure 38 and selecting "Encryption" from the "Add WSS Entry" drop down as shown in Figure 43.
Figure 43 Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
Name | Namespace | Encode
Body | http://schemas.xmlsoap.org/soap/envelope/ | Content
Figure 44 Encryption Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 42
Add Incoming WS-Security Configurations
15 Click on the ldquoIncoming WS-Security Configurationsrdquo sub tab and click on the ldquo+rdquo icon as show in Figure 45 You will be prompted to enter a name for the incoming configuration specify ldquowss10rdquo as the name as shown in Figure 46
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 43
16 Click on the ldquowss10rdquo entry and select the following a Decrypt Keystore Select ldquodefault-keystorejksrdquo from the drop down b Signature Keystore Select ldquodefault-keystorejksrdquo from the drop down c Password ldquowelcome1rdquo
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 44
17 Now that we have created all the necessary WS-Security Configurations we are ready to test the HelloWorld Service To do so click on the ldquohellordquo operation on the Left hand browse tree This will create a request as show in Figure 48 Click on the ldquoAutrdquo tab on the ldquoRequestrdquo panel on the RHS side of the screen The ldquoAutrdquo tab is in the bottom and has been highlighted in Figure 48 Select the following values
a Outgoing WSS Select ldquowss10rdquo from the drop down b Incoming WSS Select ldquowss10rdquo from the drop down
Figure 48 Select the previosuly created WSS Configuration to be used while testing
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 45
18 Enter ldquoprakashrdquo for arg0 and click on the green arrow button to send the request You will be prompted for password ndash enter ldquowelcome1rdquo Figure 49 and Figure 50 show the steps and the results of a successful test If there is a failure ndash you will see a SOAP response with a fault
Figure 49 Send request to the HelloWorld WS
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 48
To start WebLogic Server use a username and
password assigned to an admin-level user For
server administration use the WebLogic Server
console at httphostnameportconsole
starting weblogic with Java version
java version 160_24
Java(TM) SE Runtime Environment (build 160_24-b50)
Java HotSpot(TM) Client VM (build 191-b02 mixed mode)
Starting WLS with line
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 49
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090905gt ltDisabling CryptoJ JCE Provider self-integrity check for better startup performance To enable this check specify -DweblogicsecurityallowCryptoJDefaultJCEVerification=truegt
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090906gt ltChanging the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG To disable this change specify -DweblogicsecurityallowCryptoJDefaultPRNG=truegt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltWebLogicServergt ltBEA-000377gt ltStarting WebLogic Server with Java HotSpot(TM) Client VM Version 191-b02 from Sun Microsystems Incgt
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 50
ltMar 16 2012 95055 PM PDTgt ltInfogt ltManagementgt ltBEA-141107gt ltVersion WebLogic Server 10350 Fri Apr 1 202006 PDT 2011 1398638 gt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95057 PM PDTgt ltInfogt ltWorkManagergt ltBEA-002900gt ltInitializing self-tuning thread poolgt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170019gt ltThe server log file DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainserversDefaultServerlogsDefaultServerlog is opened All server side log events will be written to this filegt
ltMar 16 2012 95108 PM PDTgt ltNoticegt ltSecuritygt ltBEA-090082gt ltSecurity initializing using security realm myrealmgt
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
Figure 35: Specify Password for the default-keystore.jks
7. Figure 36 shows the result of adding the default-keystore.jks to SOAP UI.
Figure 36: Result of adding default-keystore.jks
NOTE: For purposes of simplicity, I have selected the same default-keystore.jks file that was used by the HelloWorld Web Service. In practice the client and service DO NOT share the same keystore; instead you should use separate keystores and exchange the public certificates of the client and the service.
Add Outgoing WS-Security Configurations
8. The next step is to add the “Outgoing WS-Security Configurations” to the project. You can do this by clicking on the Outgoing WS-Security Configurations tab and clicking on the “+” icon as shown in Figure 37.
Figure 37: Initiate addition of Outgoing WS-Security Configuration
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add the relevant WS-Security configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop-down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for “Time to Live” in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop-down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop-down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop-down
   e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop-down
   f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop-down
   g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop-down
   h. Use Single Certificate: Ensure “Use single certificate for signing” is checked
   i. Parts:
      Name       Namespace                                                                            Encode
      Body       http://schemas.xmlsoap.org/soap/envelope/                                            Element
      Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop-down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop-down (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop-down)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop-down
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop-down
   g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop-down
   h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop-down
   i. Create Encrypted Key: Ensure the checkbox is checked
   j. Parts:
      Name  Namespace                                   Encode
      Body  http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44: Encryption Configuration
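As an added illustration (not part of Oracle's guide and not SoapUI code), the Python check below confirms that a request carries what the “wss10” outgoing configuration of steps 9 to 14 asks for: a Timestamp with the 5000 ms lifetime, a signature over Body and Timestamp with the selected algorithms and a Binary Security Token key reference, and an encrypted Body. The function names, the element layout of the sample message and its dummy values are assumptions; the check inspects structure only and does not verify the signature or decrypt anything.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
EXPECTED = {  # values selected in steps 10, 12 and 14 of the guide
    "ttl_seconds": 5.0,  # Time to Live 5000 ms
    "ds:SignatureMethod": NS["ds"] + "rsa-sha1",
    "ds:CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "ds:DigestMethod": NS["ds"] + "sha1",
    "data": NS["xenc"] + "aes128-cbc",
    "key": NS["xenc"] + "rsa-oaep-mgf1p",
}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # assumed timestamp layout of the sample

def _alg(parent, path):  # Algorithm attribute of a child element, None if absent
    node = parent.find(path, NS)
    return None if node is None else node.get("Algorithm")

def _frag(element):  # same-document reference "#id" reduced to "id"
    return (element.get("URI") or "").lstrip("#")

def check_profile(envelope_xml):
    """Return deviations from the wss10 outgoing configuration; [] means it conforms."""
    root = ET.fromstring(envelope_xml)
    sec, body = root.find("s:Header/wsse:Security", NS), root.find("s:Body", NS)
    if sec is None or body is None:
        return ["missing wsse:Security header or SOAP Body"]
    out = []
    # Step 10: Timestamp entry with a 5000 ms lifetime.
    ts = sec.find("wsu:Timestamp", NS)
    try:
        created, expires = (datetime.strptime(ts.findtext(tag, "", NS).strip(), TIME_FORMAT)
                            for tag in ("wsu:Created", "wsu:Expires"))
        ttl = (expires - created).total_seconds()
    except (AttributeError, ValueError):  # Timestamp or one of its values is missing
        ttl = None
    if ttl != EXPECTED["ttl_seconds"]:
        out.append(f"timestamp lifetime is {ttl} s, expected {EXPECTED['ttl_seconds']} s")
    # Step 12: Signature entry (algorithms, signed parts, key identifier type).
    sig = sec.find("ds:Signature", NS)
    info = None if sig is None else sig.find("ds:SignedInfo", NS)
    if info is None:
        out.append("no ds:Signature/ds:SignedInfo")
    else:
        for tag in ("ds:SignatureMethod", "ds:CanonicalizationMethod"):
            if _alg(info, tag) != EXPECTED[tag]:
                out.append(f"{tag} is {_alg(info, tag)}")
        refs = info.findall("ds:Reference", NS)
        if any(_alg(r, "ds:DigestMethod") != EXPECTED["ds:DigestMethod"] for r in refs):
            out.append("a ds:Reference does not use the configured digest")
        signed = {_frag(r) for r in refs}
        for name, part in (("Body", body), ("Timestamp", ts)):
            if part is None or part.get(WSU_ID) not in signed:
                out.append(f"{name} is not covered by the signature")
        key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        tokens = {t.get(WSU_ID) for t in sec.findall("wsse:BinarySecurityToken", NS)}
        if key_ref is None or _frag(key_ref) not in tokens:
            out.append("signing key is not carried as a BinarySecurityToken")
    # Step 14: Encryption entry (encrypted key wrapping the Body content).
    key = sec.find("xenc:EncryptedKey", NS)
    data = body.find("xenc:EncryptedData", NS)
    if key is None or _alg(key, "xenc:EncryptionMethod") != EXPECTED["key"]:
        out.append("EncryptedKey missing or not rsa-oaep-mgf1p")
    if data is None or _alg(data, "xenc:EncryptionMethod") != EXPECTED["data"]:
        out.append("Body content missing EncryptedData or not aes128-cbc")
    wrapped = [] if key is None else key.findall("xenc:ReferenceList/xenc:DataReference", NS)
    if data is not None and data.get("Id") not in {_frag(d) for d in wrapped}:
        out.append("EncryptedData is not referenced by the EncryptedKey")
    return out

_XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
_B64 = "Q09OU1RSVUNURUQ="  # base64 of "CONSTRUCTED", stands in for real values
_REF = ('<ds:Reference URI="#{0}"><ds:DigestMethod Algorithm="' + EXPECTED["ds:DigestMethod"]
        + '"/><ds:DigestValue>' + _B64 + "</ds:DigestValue></ds:Reference>")

def sample_envelope(sig_alg="rsa-sha1", sign_timestamp=True, expires="2012-03-17T04:52:35.000Z"):
    """Constructed message in the shape steps 9-14 should produce; not captured traffic."""
    refs = _REF.format("Body-1") + (_REF.format("TS-1") if sign_timestamp else "")
    cipher = f"<xenc:CipherData><xenc:CipherValue>{_B64}</xenc:CipherValue></xenc:CipherData>"
    return f"""<s:Envelope {_XMLNS}><s:Header><wsse:Security>
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-17T04:52:30.000Z</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="BST-1">{_B64}</wsse:BinarySecurityToken>
<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{EXPECTED['key']}"/>{cipher}
 <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <ds:SignatureMethod Algorithm="{NS['ds']}{sig_alg}"/>{refs}</ds:SignedInfo><ds:SignatureValue>{_B64}</ds:SignatureValue>
 <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#BST-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></s:Header>
<s:Body wsu:Id="Body-1"><xenc:EncryptedData Id="ED-1" Type="{NS['xenc']}Content">
 <xenc:EncryptionMethod Algorithm="{EXPECTED['data']}"/>{cipher}</xenc:EncryptedData></s:Body></s:Envelope>"""
```

Calling `check_profile(sample_envelope())` returns an empty list; omitting the Timestamp from the signed parts, or choosing a different entry in one of the drop-downs, shows up as a named deviation.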
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
   a. Decrypt Keystore: Select “default-keystore.jks” from the drop-down
   b. Signature Keystore: Select “default-keystore.jks” from the drop-down
   c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation on the left-hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select “wss10” from the drop-down
   b. Incoming WSS: Select “wss10” from the drop-down
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http:\\hostname:port\console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
9. Enter the “Name” of the configuration as “wss10”. This will create a panel on the lower half of the screen to add relevant WS-Security Configuration for “wss10”. Click on the “+” icon highlighted with a red circle in Figure 38. We need to add 3 entries in the following order:
   a. Timestamp
   b. Signature
   c. Encryption
Upon clicking the “+” icon, an “Add WSS Entry” popup dialog will be presented, which contains a single drop down list. Select “Timestamp” from the dialog as shown in Figure 39.
Figure 38: Adding WSS Configuration for wss10
Figure 39: Add Timestamp
10. Configure the “Timestamp” WSS Entry. The two fields are shown in Figure 40.
   a. Time to Live: 5000
   b. Leave the unit for “Time to Live” in milliseconds
Figure 40: Specify Time to Live as part of Timestamp configuration
11. Add the “Signature” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Signature” from the “Add WSS Entry” drop down as shown in Figure 41.
Figure 41: Select Signature WSS Entry to Add to wss10 configuration
12. The “Signature” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop down.
   e. Signature Algorithm: Select “http://www.w3.org/2000/09/xmldsig#rsa-sha1” from the drop down.
   f. Signature Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
   g. Digest Algorithm: Select “http://www.w3.org/2000/09/xmldsig#sha1” from the drop down.
   h. Use Single Certificate: Ensure “Use single certificate for signing” is checked.
   i. Parts:
      Name       Namespace                                                                            Encode
      Body       http://schemas.xmlsoap.org/soap/envelope/                                            Element
      Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42: Providing Signature configuration
13. Add the “Encryption” WSS Entry by clicking on the “+” icon again as shown in Figure 38 and selecting “Encryption” from the “Add WSS Entry” drop down as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The “Encryption” configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
   a. Keystore: Select “default-keystore.jks” from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
   b. Alias: “orakey”. This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
   c. Password: “welcome1”. This is the password for the alias.
   d. Key Identifier Type: Select “Binary Security Token” from the drop down.
   e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
   f. Symmetric Encoding Algorithm: Select “http://www.w3.org/2001/04/xmlenc#aes128-cbc” from the drop down.
   g. Key Encryption Algorithm: Select “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p” from the drop down.
   h. Encryption Canonicalization: Select “http://www.w3.org/2001/10/xml-exc-c14n#” from the drop down.
   i. Create Encrypted Key: Ensure the checkbox is checked.
   j. Parts:
      Name  Namespace                                   Encode
      Body  http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44: Encryption Configuration
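A structural check of an outgoing message against the “wss10” settings from steps 10 to 14, useful when step 18 returns a SOAP fault. This is an added example, not part of the original guide: the envelope is a constructed, trimmed sample (no key material, cipher or signature values), the wsu:Id values and function names are assumptions, and the check inspects structure only without verifying the signature cryptographically.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/", "wsu": WSU,
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
WSU_ID = "{%s}Id" % WSU
# Values selected in steps 10, 12 and 14 of the guide.
TTL_MS = 5000
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
SIG_ALG, DIGEST_ALG = NS["ds"] + "rsa-sha1", NS["ds"] + "sha1"
DATA_ENC, KEY_ENC = NS["xenc"] + "aes128-cbc", NS["xenc"] + "rsa-oaep-mgf1p"

# Constructed sample: the shape of a message sent with the wss10 outgoing configuration.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <soapenv:Header><wsse:Security>
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
   <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:13.000Z</wsu:Created>
   <wsu:Expires>2012-03-16T21:52:18.000Z</wsu:Expires></wsu:Timestamp>
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/></xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>"""

def _alg(parent, path):
    node = parent.find(path, NS)
    return node.get("Algorithm") if node is not None else None

def _utc(text):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text.strip(), fmt)

def check_profile(envelope_xml):
    """Return a list of deviations from the wss10 profile (empty list = match)."""
    out = []
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    body = root.find("soapenv:Body", NS)
    if sec is None or body is None:
        return ["missing wsse:Security header or soapenv:Body"]
    def expect(label, actual, wanted):
        if actual != wanted:
            out.append("%s is %s, expected %s" % (label, actual, wanted))
    # Duplicate IDs let a signed copy sit beside the element that is actually processed.
    ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    if len(ids) != len(set(ids)):
        out.append("duplicate wsu:Id values")
    # Step 10: Timestamp with a 5000 ms lifetime.
    ts = sec.find("wsu:Timestamp", NS)
    created = ts.findtext("wsu:Created", namespaces=NS) if ts is not None else None
    expires = ts.findtext("wsu:Expires", namespaces=NS) if ts is not None else None
    if not (created and expires):
        out.append("no wsu:Timestamp with Created and Expires")
    else:
        ttl = (_utc(expires) - _utc(created)).total_seconds() * 1000
        expect("Timestamp lifetime", "%d ms" % ttl, "%d ms" % TTL_MS)
    # Step 12: signature algorithms, with Body and Timestamp both signed.
    info = sec.find("ds:Signature/ds:SignedInfo", NS)
    if info is None:
        out.append("no ds:Signature")
    else:
        expect("canonicalization", _alg(info, "ds:CanonicalizationMethod"), C14N)
        expect("signature algorithm", _alg(info, "ds:SignatureMethod"), SIG_ALG)
        signed = {r.get("URI", "").lstrip("#"): _alg(r, "ds:DigestMethod")
                  for r in info.findall("ds:Reference", NS)}
        for name, elem in (("Body", body), ("Timestamp", ts)):
            ident = elem.get(WSU_ID) if elem is not None else None
            if not ident or ident not in signed:
                out.append("%s is not covered by the signature" % name)
            else:
                expect("%s digest" % name, signed[ident], DIGEST_ALG)
    # Step 14: Body content encrypted under a key wrapped in EncryptedKey.
    key = sec.find("xenc:EncryptedKey", NS)
    data = body[0] if len(body) == 1 else None
    if key is None or data is None or data.tag != "{%s}EncryptedData" % NS["xenc"]:
        out.append("Body is not a single xenc:EncryptedData backed by an xenc:EncryptedKey")
    else:
        expect("key encryption", _alg(key, "xenc:EncryptionMethod"), KEY_ENC)
        expect("data encryption", _alg(data, "xenc:EncryptionMethod"), DATA_ENC)
        refs = [r.get("URI", "").lstrip("#")
                for r in key.findall("xenc:ReferenceList/xenc:DataReference", NS)]
        if data.get("Id") not in refs:
            out.append("EncryptedKey does not reference the Body's EncryptedData")
    return out
```

Paste a captured request in place of SAMPLE to see which setting differs from the profile; for messages from an untrusted source, parse with a hardened XML parser such as defusedxml instead.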
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
   a. Decrypt Keystore: Select “default-keystore.jks” from the drop down.
   b. Signature Keystore: Select “default-keystore.jks” from the drop down.
   c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select “wss10” from the drop down.
   b. Incoming WSS: Select “wss10” from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password – enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jdbc_11.1.1\ojdbc6dms.jar;D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sys_manifest_classpath\weblogic_patch.jar;D:\ORACLE~1\MIDDLE~1\JDK160~1\lib\tools.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic_sp.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.jar;D:\ORACLE~1\MIDDLE~1\modules\features\weblogic.server.modules_10.3.5.0.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\webservices.jar;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1/lib/ant-all.jar;D:\ORACLE~1\MIDDLE~1\modules\NETSFA~1.0_1/lib/ant-contrib.jar;D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrf.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\common\derby\lib\derbyclient.jar;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\xqrl.jar
PATH=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\native;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\native;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\bin;D:\ORACLE~1\MIDDLE~1\modules\ORGAPA~1.1\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\jre\bin;D:\ORACLE~1\MIDDLE~1\JDK160~1\bin;D:\oraclexe\app\oracle\product\10.2.0\server\bin;C:\Program Files\ThinkPad\Utilities;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\native\win\32\oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 49
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090905gt ltDisabling CryptoJ JCE Provider self-integrity check for better startup performance To enable this check specify -DweblogicsecurityallowCryptoJDefaultJCEVerification=truegt
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090906gt ltChanging the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG To disable this change specify -DweblogicsecurityallowCryptoJDefaultPRNG=truegt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltWebLogicServergt ltBEA-000377gt ltStarting WebLogic Server with Java HotSpot(TM) Client VM Version 191-b02 from Sun Microsystems Incgt
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 50
ltMar 16 2012 95055 PM PDTgt ltInfogt ltManagementgt ltBEA-141107gt ltVersion WebLogic Server 10350 Fri Apr 1 202006 PDT 2011 1398638 gt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95057 PM PDTgt ltInfogt ltWorkManagergt ltBEA-002900gt ltInitializing self-tuning thread poolgt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170019gt ltThe server log file DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainserversDefaultServerlogsDefaultServerlog is opened All server side log events will be written to this filegt
ltMar 16 2012 95108 PM PDTgt ltNoticegt ltSecuritygt ltBEA-090082gt ltSecurity initializing using security realm myrealmgt
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 38
a Time to Live 5000 b Leave the unit for ldquoTime to Liverdquo in milliseconds
Figure 40 Specify Time to Live as part of Timestamp configuration
11 Add the ldquoSignaturerdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoSignaturerdquo from
the ldquoAdd WSS Entryrdquo drop down as shown in Figure 41
Figure 41 Select Signature WSS Entry to Add to wss10 configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 39
12 The ldquoSignaturerdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 42 Here is a summary of the fields and values that need to be provided
a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the KeystoreCertificates tab will be displayed in this drop down)
b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have multiple keys and aliases
c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Signature Algorithm Select ldquohttpwwww3org200009xmldsigrsa-sha1rdquo from the drop down f Signature Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down g Digest Algorithm Select ldquohttpwwww3org200009xmldsigsha1rdquo from the drop down h Use Single Certificate Ensure ldquoUse single certificate for signingrdquo is checked i Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Element
Timestamp httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-10xsd
Element
Figure 42 Providing Signature configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 42
Add Incoming WS-Security Configurations
15 Click on the ldquoIncoming WS-Security Configurationsrdquo sub tab and click on the ldquo+rdquo icon as show in Figure 45 You will be prompted to enter a name for the incoming configuration specify ldquowss10rdquo as the name as shown in Figure 46
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 43
16 Click on the ldquowss10rdquo entry and select the following a Decrypt Keystore Select ldquodefault-keystorejksrdquo from the drop down b Signature Keystore Select ldquodefault-keystorejksrdquo from the drop down c Password ldquowelcome1rdquo
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 44
17 Now that we have created all the necessary WS-Security Configurations we are ready to test the HelloWorld Service To do so click on the ldquohellordquo operation on the Left hand browse tree This will create a request as show in Figure 48 Click on the ldquoAutrdquo tab on the ldquoRequestrdquo panel on the RHS side of the screen The ldquoAutrdquo tab is in the bottom and has been highlighted in Figure 48 Select the following values
a Outgoing WSS Select ldquowss10rdquo from the drop down b Incoming WSS Select ldquowss10rdquo from the drop down
Figure 48 Select the previosuly created WSS Configuration to be used while testing
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 45
18 Enter ldquoprakashrdquo for arg0 and click on the green arrow button to send the request You will be prompted for password ndash enter ldquowelcome1rdquo Figure 49 and Figure 50 show the steps and the results of a successful test If there is a failure ndash you will see a SOAP response with a fault
Figure 49 Send request to the HelloWorld WS
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 48
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
12. The "Signature" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 42. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Signature Algorithm: Select "http://www.w3.org/2000/09/xmldsig#rsa-sha1" from the drop down.
f. Signature Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
g. Digest Algorithm: Select "http://www.w3.org/2000/09/xmldsig#sha1" from the drop down.
h. Use Single Certificate: Ensure "Use single certificate for signing" is checked.
i. Parts:
   Name       Namespace                                                                            Encode
   Body       http://schemas.xmlsoap.org/soap/envelope/                                            Element
   Timestamp  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd   Element
Figure 42: Providing Signature configuration
13. Add the "Encryption" WSS Entry by clicking on the "+" icon again, as shown in Figure 38, and selecting "Encryption" from the "Add WSS Entry" drop down, as shown in Figure 43.
Figure 43: Adding Encryption WSS entry
14. The "Encryption" configuration is more involved and requires a lot more fields to be filled in, as shown in Figure 44. Here is a summary of the fields and values that need to be provided:
a. Keystore: Select "default-keystore.jks" from the drop down. (Note: Only keystores added in the Keystore/Certificates tab will be displayed in this drop down.)
b. Alias: "orakey". This particular keystore in the How-To has only a single alias. However, a keystore can have multiple keys and aliases.
c. Password: "welcome1". This is the password for the alias.
d. Key Identifier Type: Select "Binary Security Token" from the drop down.
e. Embedded Key Name and Embedded Key Password are not relevant and will be read-only fields, so skip these fields.
f. Symmetric Encoding Algorithm: Select "http://www.w3.org/2001/04/xmlenc#aes128-cbc" from the drop down.
g. Key Encryption Algorithm: Select "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" from the drop down.
h. Encryption Canonicalization: Select "http://www.w3.org/2001/10/xml-exc-c14n#" from the drop down.
i. Create Encrypted Key: Ensure the checkbox is checked.
j. Parts:
   Name  Namespace                                   Encode
   Body  http://schemas.xmlsoap.org/soap/envelope/   Content
Figure 44: Encryption Configuration
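The following is an added example, not part of the original guide and not Oracle or SoapUI code: a structural check that a request produced with the Signature and Encryption settings from steps 12 and 14 really has Body and Timestamp signed, Body content encrypted, and the selected algorithms in use. It verifies no cryptography; the `check_message` name, the sample message layout and its `wsu:Id` values are assumptions made for illustration.

```python
"""Structural check of a signed and encrypted SOAP request (no cryptography is verified)."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Algorithms selected in steps 12 and 14 of the how-to. The SHA-1 based ones are
# legacy choices; edit this table if your policy uses different algorithms.
EXPECTED = {
    "signature method": DS + "rsa-sha1",
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "key encryption": XENC + "rsa-oaep-mgf1p",
    "data encryption": XENC + "aes128-cbc",
}
DIGEST = DS + "sha1"


def _alg(parent, tag):
    """Algorithm attribute of the child `tag` of `parent`, or None if absent."""
    node = parent.find(tag)
    return node.get("Algorithm") if node is not None else None


def check_message(xml_text):
    """Return the deviations from the configured policy; an empty list means none."""
    root = ET.fromstring(xml_text)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return ["no wsse:Security header"]
    findings, actual = [], {}
    if sec.find(f"{{{WSSE}}}BinarySecurityToken") is None:
        findings.append("no BinarySecurityToken in the Security header")
    # Index every element by wsu:Id so that signature references can be resolved.
    by_id = {}
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id"):
            by_id.setdefault(el.get(f"{{{WSU}}}Id"), []).append(el)
    signed = []
    info = sec.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if info is None:
        findings.append("no ds:Signature/ds:SignedInfo")
    else:
        actual["signature method"] = _alg(info, f"{{{DS}}}SignatureMethod")
        actual["canonicalization"] = _alg(info, f"{{{DS}}}CanonicalizationMethod")
        for ref in info.findall(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            targets = by_id.get(uri[1:], []) if uri.startswith("#") else []
            if len(targets) != 1:  # an ambiguous or dangling reference protects nothing
                findings.append(f"Reference {uri!r} resolves to {len(targets)} elements")
                continue
            signed.append(targets[0])
            if _alg(ref, f"{{{DS}}}DigestMethod") != DIGEST:
                findings.append(f"Reference {uri!r} does not use digest {DIGEST}")
    # The signed parts must be the Body and Timestamp the receiver actually processes.
    body = root.find(f"{{{SOAP}}}Body")
    stamp = sec.find(f"{{{WSU}}}Timestamp")
    for name, part in (("Body", body), ("Timestamp", stamp)):
        if part is None or not any(el is part for el in signed):
            findings.append(f"{name} is not covered by the signature")
    # Encryption: an EncryptedKey in the header, Body *content* replaced by EncryptedData.
    key = sec.find(f"{{{XENC}}}EncryptedKey")
    if key is None:
        findings.append("no xenc:EncryptedKey in the Security header")
    else:
        actual["key encryption"] = _alg(key, f"{{{XENC}}}EncryptionMethod")
    children = list(body) if body is not None else []
    if (len(children) == 1 and children[0].tag == f"{{{XENC}}}EncryptedData"
            and children[0].get("Type") == XENC + "Content"):
        actual["data encryption"] = _alg(children[0], f"{{{XENC}}}EncryptionMethod")
    else:
        findings.append("Body content is not a single xenc:EncryptedData of Type Content")
    for name, got in actual.items():
        if got != EXPECTED[name]:
            findings.append(f"{name}: expected {EXPECTED[name]}, got {got}")
    return findings


# Constructed sample request (placeholder token value, no real key material or ciphertext).
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
 xmlns:ds="{DS}" xmlns:xenc="{XENC}"><soap:Header><wsse:Security>
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-03-16T21:52:13Z</wsu:Created></wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="X509-1">CONSTRUCTED</wsse:BinarySecurityToken>
<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/></xenc:EncryptedKey>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
<ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="{DS}sha1"/></ds:Reference>
<ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="{DS}sha1"/></ds:Reference>
</ds:SignedInfo></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body-1"><xenc:EncryptedData Type="{XENC}Content">
<xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/></xenc:EncryptedData></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(check_message(SAMPLE) or "message matches the configured policy")
```

A non-empty result lists each way the message differs from what steps 12 and 14 configure, which helps when a request is rejected with a SOAP fault.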
Add Incoming WS-Security Configurations
15. Click on the "Incoming WS-Security Configurations" sub tab and click on the "+" icon, as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify "wss10" as the name, as shown in Figure 46.
Figure 45: Add Incoming WS-Security Configuration
Figure 46: Provide a name for the Incoming WSS Configuration
16. Click on the "wss10" entry and select the following:
a. Decrypt Keystore: Select "default-keystore.jks" from the drop down.
b. Signature Keystore: Select "default-keystore.jks" from the drop down.
c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left-hand browse tree. This will create a request, as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select "wss10" from the drop down.
b. Incoming WSS: Select "wss10" from the drop down.
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 40
13 Add the ldquoEncryptionrdquo WSS Entry by clicking on the ldquo+rdquo icon again as shown in Figure 38 and selecting ldquoEncryptionrdquo from the ldquoAdd WSS Entryrdquo drop down as shown in Figure 43
Figure 43 Adding Encryption WSS entry
14 The ldquoEncryptionrdquo configuration is more involved and requires a lot more fields to be filled in as shown in Figure 44
Here is a summary of the fields and values that need to be provided a Keystore Select ldquodefault-keystorejksrdquo from the drop down (Note Only keystores added in the
KeystoreCertificates tab will be displayed in this drop down) b Alias ldquoorakeyrdquo This particular keystore in the How-To has only a single alias However a keystore can have
multiple keys and aliases c Password ldquowelcome1rdquo This is the password for the alias d Key Identifier Type Select ldquoBinary Security Tokenrdquo from the drop down e Embedded Key Name and Embedded Key Password are not relevant and will be readonly fields So skip
these fields f Symmetric Encoding Algorithm Select ldquohttpwwww3org200104xmlencaes128-cbcrdquo from the drop
down g Key Encryption Algorithm Select ldquohttpwwww3org200104xmlencrsa-oaep-mgf1prdquo from the drop
down h Encryption Canonicalization Select ldquohttpwwww3org200110xml-exc-c14nrdquo from the drop down i Create Encrypted Key Ensure the checkbox is checked j Parts
Name Namespace Encode
Body httpschemasxmlsoaporgsoapenvelope Content
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 41
Figure 44 Encryption Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 42
Add Incoming WS-Security Configurations
15 Click on the ldquoIncoming WS-Security Configurationsrdquo sub tab and click on the ldquo+rdquo icon as show in Figure 45 You will be prompted to enter a name for the incoming configuration specify ldquowss10rdquo as the name as shown in Figure 46
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 43
16 Click on the ldquowss10rdquo entry and select the following a Decrypt Keystore Select ldquodefault-keystorejksrdquo from the drop down b Signature Keystore Select ldquodefault-keystorejksrdquo from the drop down c Password ldquowelcome1rdquo
The final incoming security configuration is shown in Figure 47
Figure 47 Incoming WSS Configuration
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 44
17 Now that we have created all the necessary WS-Security Configurations we are ready to test the HelloWorld Service To do so click on the ldquohellordquo operation on the Left hand browse tree This will create a request as show in Figure 48 Click on the ldquoAutrdquo tab on the ldquoRequestrdquo panel on the RHS side of the screen The ldquoAutrdquo tab is in the bottom and has been highlighted in Figure 48 Select the following values
a Outgoing WSS Select ldquowss10rdquo from the drop down b Incoming WSS Select ldquowss10rdquo from the drop down
Figure 48 Select the previosuly created WSS Configuration to be used while testing
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 45
18 Enter ldquoprakashrdquo for arg0 and click on the green arrow button to send the request You will be prompted for password ndash enter ldquowelcome1rdquo Figure 49 and Figure 50 show the steps and the results of a successful test If there is a failure ndash you will see a SOAP response with a fault
Figure 49 Send request to the HelloWorld WS
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http:\\hostname:port\console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel Default is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
Figure 44 Encryption Configuration
Add Incoming WS-Security Configurations
15. Click on the “Incoming WS-Security Configurations” sub tab and click on the “+” icon as shown in Figure 45. You will be prompted to enter a name for the incoming configuration; specify “wss10” as the name, as shown in Figure 46.
Figure 45 Add Incoming WS-Security Configuration
Figure 46 Provide a name for the Incoming WSS Configuration
16. Click on the “wss10” entry and select the following:
a. Decrypt Keystore: Select “default-keystore.jks” from the drop down
b. Signature Keystore: Select “default-keystore.jks” from the drop down
c. Password: “welcome1”
The final incoming security configuration is shown in Figure 47.
Figure 47 Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the “hello” operation in the left-hand browse tree. This will create a request as shown in Figure 48. Click on the “Aut” tab on the “Request” panel on the right-hand side of the screen. The “Aut” tab is at the bottom and has been highlighted in Figure 48. Select the following values:
a. Outgoing WSS: Select “wss10” from the drop down
b. Incoming WSS: Select “wss10” from the drop down
Figure 48 Select the previously created WSS Configuration to be used while testing
18. Enter “prakash” for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter “welcome1”. Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49 Send request to the HelloWorld WS
Figure 50 Results of a successful test
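To confirm what the test in step 18 actually put on the wire, the following added example (not part of Oracle's guide) classifies a captured SOAP 1.1 request or response as a fault, as protected (security header with a signature and an encrypted key, plus an encrypted body), or as unprotected. It assumes the signature is not itself encrypted; `inspect_envelope`, the sample envelopes, the `helloResponse` element and the `http://example.test/helloworld` namespace are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from SOAP 1.1, WS-Security 1.0, XML Encryption, XML Signature.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"


def q(ns, local):
    """Return the '{namespace}local' form ElementTree uses for element names."""
    return "{%s}%s" % (ns, local)


def inspect_envelope(xml_text):
    """Classify a SOAP 1.1 message as 'fault', 'protected' or 'unprotected'."""
    # A SOAP message must not contain a DTD; rejecting one up front also keeps
    # entity-expansion input away from the parser.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(xml_text)
    if root.tag != q(SOAP, "Envelope"):
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(q(SOAP, "Body"))
    if body is None:
        raise ValueError("envelope has no Body")

    report = {"verdict": None, "fault": None, "missing": []}

    fault = body.find(q(SOAP, "Fault"))
    if fault is not None:
        # SOAP 1.1 faultcode and faultstring are unqualified children of Fault.
        report["verdict"] = "fault"
        report["fault"] = (fault.findtext("faultcode", "").strip(),
                           fault.findtext("faultstring", "").strip())
        return report

    header = root.find(q(SOAP, "Header"))
    security = header.find(q(WSSE, "Security")) if header is not None else None
    if security is None:
        report["missing"].append("wsse:Security header")
    else:
        if security.find(q(DS, "Signature")) is None:
            report["missing"].append("ds:Signature")
        if security.find(q(XENC, "EncryptedKey")) is None:
            report["missing"].append("xenc:EncryptedKey")

    # With the body encrypted, its only children are xenc:EncryptedData elements.
    children = list(body)
    if not children or any(c.tag != q(XENC, "EncryptedData") for c in children):
        report["missing"].append("encrypted Body")

    report["verdict"] = "unprotected" if report["missing"] else "protected"
    return report


# --- Constructed sample messages (not captured from a real server) ---
CIPHER = ("<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ="
          "</xenc:CipherValue></xenc:CipherData>")

PROTECTED = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}"
    xmlns:xenc="{XENC}" xmlns:ds="{DS}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1">
      <xenc:EncryptedKey Id="EK-1">{CIPHER}</xenc:EncryptedKey>
      <ds:Signature Id="SIG-1"/>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <xenc:EncryptedData Id="ED-1">{CIPHER}</xenc:EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>"""

PLAINTEXT = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Body>
    <ns:helloResponse xmlns:ns="http://example.test/helloworld">
      <return>Hello prakash</return>
    </ns:helloResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

FAULT = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>wsse:InvalidSecurity</faultcode>
      <faultstring>constructed fault text</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for name, msg in (("protected", PROTECTED), ("plaintext", PLAINTEXT),
                      ("fault", FAULT)):
        print(name, inspect_envelope(msg))
```

An "unprotected" verdict on a message sent to a service that is supposed to enforce the message protection policy means the policy attachment or the SoapUI outgoing configuration is not taking effect, even if the call itself returned a result.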
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
16. Click on the "wss10" entry and select the following:
   a. Decrypt Keystore: Select "default-keystore.jks" from the drop down
   b. Signature Keystore: Select "default-keystore.jks" from the drop down
   c. Password: "welcome1"
The final incoming security configuration is shown in Figure 47.
Figure 47: Incoming WSS Configuration
17. Now that we have created all the necessary WS-Security Configurations, we are ready to test the HelloWorld Service. To do so, click on the "hello" operation in the left-hand browse tree. This will create a request as shown in Figure 48. Click on the "Aut" tab on the "Request" panel on the right-hand side of the screen. The "Aut" tab is at the bottom and has been highlighted in Figure 48. Select the following values:
   a. Outgoing WSS: Select "wss10" from the drop down
   b. Incoming WSS: Select "wss10" from the drop down
Figure 48: Select the previously created WSS Configuration to be used while testing
18. Enter "prakash" for arg0 and click on the green arrow button to send the request. You will be prompted for a password; enter "welcome1". Figure 49 and Figure 50 show the steps and the results of a successful test. If there is a failure, you will see a SOAP response with a fault.
Figure 49: Send request to the HelloWorld WS
Figure 50: Results of a successful test
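When the test in step 18 is driven from a script instead of SoapUI, the same pass/fail judgement can be made on the raw response: a fault, a response whose Body is both signed and encrypted, or a response that came back without protection. The following is an added example, not part of the original guide; `classify_response` is a hypothetical helper, the three sample messages are constructed, and the check is structural only (it does not verify the signature or decrypt anything).

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"


def classify_response(xml_text):
    """Classify a SOAP response as fault, protected, partially-protected
    or unprotected, based on its structure only."""
    # SOAP messages must not carry a DTD; refusing one also keeps
    # entity-expansion payloads away from the parser.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(xml_text)
    soap = next((ns for ns in SOAP_NS if root.tag == "{%s}Envelope" % ns), None)
    if soap is None:
        raise ValueError("not a SOAP envelope")
    body = root.find("{%s}Body" % soap)
    if body is None:
        raise ValueError("SOAP envelope has no Body")

    fault = body.find("{%s}Fault" % soap)
    if fault is not None:
        if soap == SOAP_NS[0]:
            # SOAP 1.1 faults use unqualified child elements.
            code = fault.findtext("faultcode")
            reason = fault.findtext("faultstring")
        else:
            code = fault.findtext("{%s}Code/{%s}Value" % (soap, soap))
            reason = fault.findtext("{%s}Reason/{%s}Text" % (soap, soap))
        return {"status": "fault", "code": code, "reason": reason}

    # Collect the local ids that the signature in the Security header covers.
    security = root.find("{%s}Header/{%s}Security" % (soap, WSSE))
    signed_ids = set()
    if security is not None:
        for ref in security.iter("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                signed_ids.add(uri[1:])
    # The Body counts as signed only if a ds:Reference points at its wsu:Id.
    body_signed = body.get("{%s}Id" % WSU) in signed_ids
    # The Body counts as encrypted only if all of its content is EncryptedData.
    children = list(body)
    body_encrypted = bool(children) and all(
        c.tag == "{%s}EncryptedData" % XENC for c in children)

    if body_signed and body_encrypted:
        status = "protected"
    elif body_signed or body_encrypted:
        status = "partially-protected"
    else:
        status = "unprotected"
    return {"status": status, "signed": body_signed, "encrypted": body_encrypted}


# Constructed sample messages (not captured from a real server).
PROTECTED = f"""<S:Envelope xmlns:S="{SOAP_NS[0]}" xmlns:wsse="{WSSE}"
    xmlns:wsu="{WSU}" xmlns:ds="{DS}" xmlns:xenc="{XENC}">
  <S:Header><wsse:Security>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#Body-1"/>
    </ds:SignedInfo></ds:Signature>
  </wsse:Security></S:Header>
  <S:Body wsu:Id="Body-1">
    <xenc:EncryptedData><xenc:CipherData>
      <xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>
    </xenc:CipherData></xenc:EncryptedData>
  </S:Body>
</S:Envelope>"""

FAULT = f"""<S:Envelope xmlns:S="{SOAP_NS[0]}" xmlns:wsse="{WSSE}">
  <S:Body><S:Fault>
    <faultcode>wsse:InvalidSecurity</faultcode>
    <faultstring>constructed fault text</faultstring>
  </S:Fault></S:Body>
</S:Envelope>"""

PLAIN = f"""<S:Envelope xmlns:S="{SOAP_NS[0]}">
  <S:Body><helloResponse><return>Hello prakash</return></helloResponse></S:Body>
</S:Envelope>"""

if __name__ == "__main__":
    for name, msg in (("protected", PROTECTED), ("fault", FAULT), ("plain", PLAIN)):
        print(name, classify_response(msg))
```

A result of "unprotected" or "partially-protected" from a service that should enforce the message protection policy indicates the policy is not attached or not enforced on the response.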
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[09:47:56 PM] Creating Integrated Weblogic domain
[09:50:03 PM] Extending Integrated Weblogic domain
[09:50:51 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\bin\startWebLogic.cmd
[waiting for the server to complete its initialization]
JAVA Memory arguments: -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel Default is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 44
17 Now that we have created all the necessary WS-Security Configurations we are ready to test the HelloWorld Service To do so click on the ldquohellordquo operation on the Left hand browse tree This will create a request as show in Figure 48 Click on the ldquoAutrdquo tab on the ldquoRequestrdquo panel on the RHS side of the screen The ldquoAutrdquo tab is in the bottom and has been highlighted in Figure 48 Select the following values
a Outgoing WSS Select ldquowss10rdquo from the drop down b Incoming WSS Select ldquowss10rdquo from the drop down
Figure 48 Select the previosuly created WSS Configuration to be used while testing
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 45
18 Enter ldquoprakashrdquo for arg0 and click on the green arrow button to send the request You will be prompted for password ndash enter ldquowelcome1rdquo Figure 49 and Figure 50 show the steps and the results of a successful test If there is a failure ndash you will see a SOAP response with a fault
Figure 49 Send request to the HelloWorld WS
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 48
To start WebLogic Server use a username and
password assigned to an admin-level user For
server administration use the WebLogic Server
console at httphostnameportconsole
starting weblogic with Java version
java version 160_24
Java(TM) SE Runtime Environment (build 160_24-b50)
Java HotSpot(TM) Client VM (build 191-b02 mixed mode)
Starting WLS with line
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 49
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090905gt ltDisabling CryptoJ JCE Provider self-integrity check for better startup performance To enable this check specify -DweblogicsecurityallowCryptoJDefaultJCEVerification=truegt
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090906gt ltChanging the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG To disable this change specify -DweblogicsecurityallowCryptoJDefaultPRNG=truegt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltWebLogicServergt ltBEA-000377gt ltStarting WebLogic Server with Java HotSpot(TM) Client VM Version 191-b02 from Sun Microsystems Incgt
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 50
ltMar 16 2012 95055 PM PDTgt ltInfogt ltManagementgt ltBEA-141107gt ltVersion WebLogic Server 10350 Fri Apr 1 202006 PDT 2011 1398638 gt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95057 PM PDTgt ltInfogt ltWorkManagergt ltBEA-002900gt ltInitializing self-tuning thread poolgt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170019gt ltThe server log file DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainserversDefaultServerlogsDefaultServerlog is opened All server side log events will be written to this filegt
ltMar 16 2012 95108 PM PDTgt ltNoticegt ltSecuritygt ltBEA-090082gt ltSecurity initializing using security realm myrealmgt
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 45
18 Enter ldquoprakashrdquo for arg0 and click on the green arrow button to send the request You will be prompted for password ndash enter ldquowelcome1rdquo Figure 49 and Figure 50 show the steps and the results of a successful test If there is a failure ndash you will see a SOAP response with a fault
Figure 49 Send request to the HelloWorld WS
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 46
Figure 50 Results of a successful test
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 48
To start WebLogic Server use a username and
password assigned to an admin-level user For
server administration use the WebLogic Server
console at httphostnameportconsole
starting weblogic with Java version
java version 160_24
Java(TM) SE Runtime Environment (build 160_24-b50)
Java HotSpot(TM) Client VM (build 191-b02 mixed mode)
Starting WLS with line
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 49
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090905gt ltDisabling CryptoJ JCE Provider self-integrity check for better startup performance To enable this check specify -DweblogicsecurityallowCryptoJDefaultJCEVerification=truegt
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090906gt ltChanging the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG To disable this change specify -DweblogicsecurityallowCryptoJDefaultPRNG=truegt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltWebLogicServergt ltBEA-000377gt ltStarting WebLogic Server with Java HotSpot(TM) Client VM Version 191-b02 from Sun Microsystems Incgt
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 50
ltMar 16 2012 95055 PM PDTgt ltInfogt ltManagementgt ltBEA-141107gt ltVersion WebLogic Server 10350 Fri Apr 1 202006 PDT 2011 1398638 gt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95057 PM PDTgt ltInfogt ltWorkManagergt ltBEA-002900gt ltInitializing self-tuning thread poolgt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170019gt ltThe server log file DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainserversDefaultServerlogsDefaultServerlog is opened All server side log events will be written to this filegt
ltMar 16 2012 95108 PM PDTgt ltNoticegt ltSecuritygt ltBEA-090082gt ltSecurity initializing using security realm myrealmgt
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 47
Appendix
Log Generated the first time any app is run in Integrated WLS Server
[Waiting for the domain to finish building]
[094756 PM] Creating Integrated Weblogic domain
[095003 PM] Extending Integrated Weblogic domain
[095051 PM] Integrated Weblogic domain processing completed successfully
Using port 7101
DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainbinstartWebLogiccmd
[waiting for the server to complete its initialization]
JAVA Memory arguments -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m
WLS Start Mode=Development
CLASSPATH=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejdbc_1111ojdbc6dmsjarDORACLE~1MIDDLE~1patch_wls1035profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsys_manifest_classpathweblogic_patchjarDORACLE~1MIDDLE~1JDK160~1libtoolsjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogic_spjarDORACLE~1MIDDLE~1WLSERV~13serverlibweblogicjarDORACLE~1MIDDLE~1modulesfeaturesweblogicservermodules_10350jarDORACLE~1MIDDLE~1WLSERV~13serverlibwebservicesjarDORACLE~1MIDDLE~1modulesORGAPA~11libant-alljarDORACLE~1MIDDLE~1modulesNETSFA~10_1libant-contribjarDORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrfjarDORACLE~1MIDDLE~1WLSERV~13commonderbylibderbyclientjarDORACLE~1MIDDLE~1WLSERV~13serverlibxqrljar
PATH=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultnativeDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultnativeDORACLE~1MIDDLE~1WLSERV~13servernativewin32DORACLE~1MIDDLE~1WLSERV~13serverbinDORACLE~1MIDDLE~1modulesORGAPA~11binDORACLE~1MIDDLE~1JDK160~1jrebinDORACLE~1MIDDLE~1JDK160~1binDoraclexeapporacleproduct1020serverbinCProgram FilesThinkPadUtilitiesCWINDOWSsystem32CWINDOWSCWINDOWSSystem32WbemCWINDOWSsystem32WindowsPowerShellv10DORACLE~1MIDDLE~1WLSERV~13servernativewin32oci920_8
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 48
To start WebLogic Server use a username and
password assigned to an admin-level user For
server administration use the WebLogic Server
console at httphostnameportconsole
starting weblogic with Java version
java version 160_24
Java(TM) SE Runtime Environment (build 160_24-b50)
Java HotSpot(TM) Client VM (build 191-b02 mixed mode)
Starting WLS with line
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 49
DORACLE~1MIDDLE~1JDK160~1binjava -client -Xms256m -Xmx512m -XXCompileThreshold=8000 -XXPermSize=128m -XXMaxPermSize=512m -DweblogicName=DefaultServer -Djavasecuritypolicy=DORACLE~1MIDDLE~1WLSERV~13serverlibweblogicpolicy -DjavaxnetssltrustStore=DOracle11gMiddlewarewlserver_103serverlibDemoTrustjks -DweblogicnodemanagerServiceEnabled=true -Xverifynone -da -Dplatformhome=DORACLE~1MIDDLE~1WLSERV~13 -Dwlshome=DORACLE~1MIDDLE~1WLSERV~13server -Dweblogichome=DORACLE~1MIDDLE~1WLSERV~13server -Djpsappcredentialoverwriteallowed=true -Dcommoncomponentshome=DORACLE~1MIDDLE~1ORACLE~1 -Djrfversion=1111 -DorgapachecommonsloggingLog=orgapachecommonsloggingimplJdk14Logger -Ddomainhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1 -Djrockitoptfile=DORACLE~1MIDDLE~1ORACLE~1modulesoraclejrf_1111jrocket_optfiletxt -Doracleserverconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1serversDefaultServer -Doracledomainconfigdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1 -Digfarisidbeanscarmlloc=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1carml -Digfarisidstackhome=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configFMWCON~1arisidprovider -Doraclesecurityjpsconfig=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1configfmwconfigjps-configxml -Doracledeployedappdir=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1serversDefaultServertmp_WL_user -Doracledeployedappext=- -DweblogicalternateTypesDirectory=DORACLE~1MIDDLE~1ORACLE~1modulesoracleossoiap_1111DORACLE~1MIDDLE~1ORACLE~1modulesoracleoamprovider_1111 -Djavaprotocolhandlerpkgs=oraclemdsnetprotocol -DweblogicjdbcremoteEnabled=false -Dwsmrepositorypath=DORACLE~1MIDDLE~1JDEVEL~1SYSTEM~192DEFAUL~1oraclestoregmds -Dweblogicmanagementdiscover=true -DwlwiterativeDev= -DwlwtestConsole= -DwlwlogErrorsToConsole= -Dweblogicextdirs=DORACLE~1MIDDLE~1patch_wls1035profilesdefaultsysext_manifest_classpathDORACLE~1MIDDLE~1patch_jdev1111profilesdefaultsysext_manifest_classpath weblogicServer
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090905gt ltDisabling CryptoJ JCE Provider self-integrity check for better startup performance To enable this check specify -DweblogicsecurityallowCryptoJDefaultJCEVerification=truegt
ltMar 16 2012 95054 PM PDTgt ltInfogt ltSecuritygt ltBEA-090906gt ltChanging the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG To disable this change specify -DweblogicsecurityallowCryptoJDefaultPRNG=truegt
ltMar 16 2012 95055 PM PDTgt ltInfogt ltWebLogicServergt ltBEA-000377gt ltStarting WebLogic Server with Java HotSpot(TM) Client VM Version 191-b02 from Sun Microsystems Incgt
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 50
ltMar 16 2012 95055 PM PDTgt ltInfogt ltManagementgt ltBEA-141107gt ltVersion WebLogic Server 10350 Fri Apr 1 202006 PDT 2011 1398638 gt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95057 PM PDTgt ltInfogt ltWorkManagergt ltBEA-002900gt ltInitializing self-tuning thread poolgt
ltMar 16 2012 95057 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170019gt ltThe server log file DOracle11gMiddlewarejdevelopersystem11116386192DefaultDomainserversDefaultServerlogsDefaultServerlog is opened All server side log events will be written to this filegt
ltMar 16 2012 95108 PM PDTgt ltNoticegt ltSecuritygt ltBEA-090082gt ltSecurity initializing using security realm myrealmgt
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for Mapping config object reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification sent for AdaptersConfig MBean reloaded
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
INFO Notification event sent for activating changes
Mar 16 2012 95114 PM oracleodsvirtualizationengineutilVDELogger info
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 51
INFO Notification sent for Mapping config object reloaded
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STANDBYgt
ltMar 16 2012 95122 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to STARTINGgt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltLog Managementgt ltBEA-170027gt ltThe Server has established connection with the Domain level Diagnostic Service successfullygt
ltMar 16 2012 95204 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to ADMINgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RESUMINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltServergt ltBEA-002613gt ltChannel Default is now listening on 1270017101 for protocols iiop t3 ldap snmp httpgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000331gt ltStarted WebLogic Admin Server DefaultServer for domain DefaultDomain running in Development Modegt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000365gt ltServer state changed to RUNNINGgt
ltMar 16 2012 95205 PM PDTgt ltNoticegt ltWebLogicServergt ltBEA-000360gt ltServer started in RUNNING modegt
IntegratedWebLogicServer startup time 74437 ms
IntegratedWebLogicServer started
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[095206 PM] ---- Deployment started ----
[095206 PM] Target platform is (Weblogic 103)
[095208 PM] Retrieving existing application information
[095208 PM] Running dependency analysis
[095208 PM] Deploying 2 profiles
[095209 PM] Wrote Web Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWSHelloWorldWebAppwar
[095210 PM] Wrote Enterprise Application Module to DOracle11gMiddlewarejdevelopersystem11116386192oj2eedrsHelloWorldJaxWS
[095210 PM] Deploying Application
[095213 PM] Application Deployed Successfully
[095213 PM] The following URL context root(s) were defined and can be used as a starting point to test your application
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 52
[095213 PM] http1270017101HelloWorldJaxWS-HelloWorld-context-root
[095213 PM] Elapsed time for deployment 6 seconds
[095213 PM] ---- Deployment finished ----
Run startup time 6609 ms
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http1270017101HelloWorldJaxWS-HelloWorld-context-rootHelloWorldPort
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 53
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Message Protection Policy in WLS using Oracle Web Services Manager 11g
Oracle Corporation | Message Protection Policy | Version 10 48
To start WebLogic Server, use a username and
password assigned to an admin-level user. For
server administration, use the WebLogic Server
console at http://hostname:port/console
starting weblogic with Java version:
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b50)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode)
Starting WLS with line:
D:\ORACLE~1\MIDDLE~1\JDK160~1\bin\java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=DefaultServer -Djava.security.policy=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Djavax.net.ssl.trustStore=D:\Oracle11g\Middleware\wlserver_10.3\server\lib\DemoTrust.jks -Dweblogic.nodemanager.ServiceEnabled=true -Xverify:none -da -Dplatform.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3 -Dwls.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=D:\ORACLE~1\MIDDLE~1\WLSERV~1.3\server -Djps.app.credential.overwrite.allowed=true -Dcommon.components.home=D:\ORACLE~1\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1 -Djrockit.optfile=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\servers\DefaultServer -Doracle.domain.config.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\carml -Digf.arisidstack.home=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\servers\DefaultServer\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,D:\ORACLE~1\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -Dwsm.repository.path=D:\ORACLE~1\MIDDLE~1\JDEVEL~1\SYSTEM~1.92\DEFAUL~1\oracle\store\gmds -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=D:\ORACLE~1\MIDDLE~1\patch_wls1035\profiles\default\sysext_manifest_classpath;D:\ORACLE~1\MIDDLE~1\patch_jdev1111\profiles\default\sysext_manifest_classpath weblogic.Server
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
<Mar 16, 2012 9:50:54 PM PDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) Client VM Version 19.1-b02 from Sun Microsystems Inc.>
<Mar 16, 2012 9:50:55 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638 >
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:50:57 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 16, 2012 9:50:57 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\DefaultDomain\servers\DefaultServer\logs\DefaultServer.log is opened. All server side log events will be written to this file.>
<Mar 16, 2012 9:51:08 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for AdaptersConfig MBean reloaded
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: ConfigObjectReloaded for ServerConfig PreviousVersion -1 CurrentVersion 0
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification event sent for activating changes
Mar 16, 2012 9:51:14 PM oracle.ods.virtualization.engine.util.VDELogger info
INFO: Notification sent for Mapping config object reloaded
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Mar 16, 2012 9:51:22 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <Log Management> <BEA-170027> <The Server has established connection with the Domain level Diagnostic Service successfully.>
<Mar 16, 2012 9:52:04 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 127.0.0.1:7101 for protocols iiop, t3, ldap, snmp, http.>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "DefaultServer" for domain "DefaultDomain" running in Development Mode>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Mar 16, 2012 9:52:05 PM PDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
IntegratedWebLogicServer startup time: 74437 ms.
IntegratedWebLogicServer started.
[Running application HelloWorldJaxWS on Server Instance IntegratedWebLogicServer]
[09:52:06 PM] ---- Deployment started ----
[09:52:06 PM] Target platform is (Weblogic 10.3)
[09:52:08 PM] Retrieving existing application information
[09:52:08 PM] Running dependency analysis
[09:52:08 PM] Deploying 2 profiles
[09:52:09 PM] Wrote Web Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS\HelloWorldWebApp.war
[09:52:10 PM] Wrote Enterprise Application Module to D:\Oracle11g\Middleware\jdeveloper\system11.1.1.6.38.61.92\o.j2ee\drs\HelloWorldJaxWS
[09:52:10 PM] Deploying Application
[09:52:13 PM] Application Deployed Successfully
[09:52:13 PM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[09:52:13 PM] http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root
[09:52:13 PM] Elapsed time for deployment: 6 seconds
[09:52:13 PM] ---- Deployment finished ----
Run startup time: 6609 ms.
[Application HelloWorldJaxWS deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7101/HelloWorldJaxWS-HelloWorld-context-root/HelloWorldPort
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109