Tuesday, June 24, 2014

Weblogic OWSM Username/Token



http://cerebro.com.au/2012/11/05/osb-adding-owsm-wsse-username-policy-with-static-username-credential-keys/


Copying in case the original post is removed...

This assumes that you already have a project with a web service that you want to secure with a WSSE Username Token using a static username / password. This is generally the case when we are doing system-level integration and have a system user. We recommend that each system has a separate user created to enable meaningful auditing.
There is a concept of Service Accounts within OSB; these can be used for HTTP user access, but we are using an OWSM SOAP-based policy that does not use these accounts. The OWSM policy needs either to have a user supplied (forwarded via service calls) or to override the credentials with a credential key. If, for example, we are consuming from JMS or a database, we may not have a user identity, or we may have only a static system user, so we will use credential keys.
We will now run through how to set up a credential key and connect it up to a business service.

ENTERPRISE MANAGER CONFIGURATION

We start by logging into the EM (Enterprise Manager), and then open the Weblogic Domain and right click on the domain to show the context menu.
In the domain context menu we will select Security > Credentials.
The existing credentials are shown; we are using an OWSM policy (oracle/wss_username_token_client_policy) therefore we need to create an oracle.wsm.security credential key.
We then hit the ‘Create Key’ button.
This will open a pop-up window for creating new credential keys.
The map needs to be ‘oracle.wsm.security’; the key needs to be unique and should be something that explains its usage for operational support. The type is Password, the user is the system user ‘osbuser’, and the password is the actual system password set up in the system we are invoking. I also recommend entering a description of the key for later identification.
The server will show you a message for successful creation.

The key will now appear in the oracle.wsm.security group; the key must appear here, in the correct group, for the OWSM policy to use it. This is the end of the EM configuration; now we move over to the OSB console.

OSB CONFIGURATION

The first thing we need to do is to create an administration session (required to make modifications). Once we have a session we need to select the service to which we want to add the security policy; we have selected a project and then selected the outgoing business service BusinessService.
We need to go to the ‘Policies’ tab to see the applied policies.
We are using the OWSM Policy Store; therefore we select the radio button, which will enable the selection window.
The Add button will prompt you with a policy selection window. The policy that we want is ‘oracle/wss_username_token_client_policy’.
There are two pages; the username policy is on the second page.
We will select the policy and hit the submit button.
The policy will appear in the policies tab; this then needs to be applied via the ‘Update’ button.
This will then show the successful message in the information panel.
This update will enable an additional tab, Security.
The security tab shows the configuration options for the policies that have been applied to the OSB service.
The username token client policy will try to forward the caller's identity; we want to set a system username instead, so we will use the override value to set a static username/password.
We will return to the EM console to get the name of our ‘Credential Key’.
The credential key name is copied from the EM into the ‘Override Value’ of the security tab in the service.
Once we have entered the override value we will need to ‘Update’ the configuration to apply it.
The information panel will display the confirmation of the update.
These changes are not yet active; we need to activate the session to apply these changes to the OSB.

As always we should enter a description and submit it to take effect.

We can then test that we have configured the security correctly. We have created a SOAPUI mock service, set the endpoint of the business service to it and executed a call. We can now see the message the mock service received.
As you can see, the username token is now in the message and the username is the one we entered in the Enterprise Manager.
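To make the SOAPUI check above repeatable, here is an added Python script (not part of the original post, and not OSB or OWSM code) that parses a constructed sample of the request the mock service would receive and reports whether a wsse:UsernameToken is present, whether its Username is the expected system user (‘osbuser’ from the EM step), and which password Type the token carries. The sample envelopes, the placeholder body namespace and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

# Standard OASIS WS-Security namespace and password-type URIs.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "wsse": WSSE}
PASSWORD_TEXT = UTP + "#PasswordText"

# Constructed sample (assumption) of the request the SOAPUI mock service receives
# once the business service carries the username token policy with the override.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{NS['soap']}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsse:UsernameToken>
        <wsse:Username>osbuser</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">not-a-real-password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><ping xmlns="urn:example:placeholder"/></soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample of a request as sent before the policy was applied: no token.
SAMPLE_REQUEST_NO_TOKEN = f"""<soapenv:Envelope xmlns:soapenv="{NS['soap']}">
  <soapenv:Header/>
  <soapenv:Body><ping xmlns="urn:example:placeholder"/></soapenv:Body>
</soapenv:Envelope>"""


def check_username_token(envelope_xml, expected_user):
    """Report whether a wsse:UsernameToken is present, its Username, whether that
    matches expected_user, and whether the password is PasswordText (which only
    transport security such as SSL protects)."""
    root = ET.fromstring(envelope_xml)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    result = {"present": False, "username": None, "user_ok": False,
              "password_type": None, "plaintext_password": False}
    if token is None:
        return result
    user_el = token.find("wsse:Username", NS)
    pw_el = token.find("wsse:Password", NS)
    result["present"] = True
    result["username"] = user_el.text if user_el is not None else None
    result["user_ok"] = result["username"] == expected_user
    if pw_el is not None:
        # Per the Username Token Profile, a missing Type attribute means PasswordText.
        result["password_type"] = pw_el.get("Type", PASSWORD_TEXT)
        result["plaintext_password"] = result["password_type"] == PASSWORD_TEXT
    return result
```

Point the script at the raw request captured by the mock service and compare the reported username with the user stored in the credential key; a PasswordText result is the reminder that the business service endpoint should be reached over a protected transport.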
