
Oracle BPM 11g PS6 Workshop

12 Using OWSM To Secure Services

Table of Contents

12      Using OWSM To Secure Services ..................................... 1
12.1    Objective ......................................................... 1
12.2    Use Case Description .............................................. 1
12.2.1  Overview .......................................................... 1
12.2.2  Securing the Services ............................................. 2
12.2.3  Client Side Identity .............................................. 3
12.3    Lab Configuration ................................................. 3
12.3.1  Composite Configuration Plan ...................................... 3
12.3.2  Creating a Credential Mapper key with user/password ............... 4
12.3.3  Granting WSIdentityPermission to the calling composite ............ 4
12.4    Exercise Instructions ............................................. 5
12.4.1  First Pass ........................................................ 5
12.4.2  Second Pass ....................................................... 6
12.5    Running and Testing the application ............................... 8
12.6    Quick Build Instructions .......................................... 8

12.1 Objective

The objective of this exercise is to understand how to apply and configure Oracle Web Services Manager (OWSM) policies to secure SOA composite services and references. Specifically:

- Attaching the policies, both at design time (JDeveloper) and at runtime via Enterprise Manager (EM)
- Creating the additional configuration items the policies depend on (e.g. credential map entries and system policy grants)
- Understanding the relationship between policies and local optimization of message delivery

Oracle Confidential. For authorized use only. Do not distribute to third parties.

12.2 Use Case Description

12.2.1 Overview

The scenario uses a simple BPM process (SecuredProcess) exposed as a service with a single synchronous WhoAmI operation. The operation returns the current user from the perspective of the called process.

There is also a CallingProcess that records the local user and the result of the call to WhoAmI on the SecuredProcess.

12.2.2 Securing the Services

The SecuredProcess is exposed via two services. One must be secured via HTTP basic authentication, the second via SAML. The service names reflect the requirement.

Note: to avoid the complexity of setting up SSL, this lab uses wss10_saml_token_client_policy and wss10_saml_token_service_policy. These policies provide neither message encryption nor a signature: the SAML assertion, and likewise the user name and password carried by the HTTP token policies, travel in clear text, so anyone able to observe or modify the traffic can read or replace the asserted identity. Use them for demonstration purposes only; in a real deployment run them over SSL or use the message-protection variants of the policies.


12.2.3 Client Side Identity

Three forms of identity assertion/propagation must be supported. The CallingProcess includes a separate service reference for each:

Client Identity Assertion Method            Service Policy
Assert arbitrary identity                   wss10_saml_token_service_policy
Propagate caller's identity                 wss10_saml_token_service_policy
Use user/password from Credential Mapper    wss_http_token_service_policy

Note: The solution for this exercise can be found in ps6workshop\solutions\xxxx.zip
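To make the caveat in 12.2.2 and the table above concrete, the following Python script (an added example, not part of the workshop materials or of OWSM) builds the two kinds of token the lab's policies carry, an HTTP Basic Authorization header and a SOAP envelope whose WS-Security header holds an unsigned SAML 1.1 sender-vouches assertion, and shows what the receiving side can actually verify about each. The envelope is an illustration of the token shape, not a capture from OWSM; the issuer name www.oracle.com, the credentials and the "attacker" subject are constructed here, and the trusted-issuer list stands in for the service's configuration.

```python
"""Added example: what the lab's two token types look like on the wire and what an
unprotected receiver can and cannot check. All messages are constructed here."""
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def basic_auth_header(user, password):
    """Authorization header value for HTTP basic authentication. Base64 is an
    encoding, not encryption: without SSL the password is readable on the wire."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def user_from_basic_auth(header_value):
    """Receiver's view of the HTTP token: it gets the password itself and must
    check it against the identity store, so the user has to exist in the domain."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP basic authentication")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def saml_sender_vouches_envelope(subject, issuer="www.oracle.com"):
    """SOAP envelope carrying an unsigned SAML 1.1 sender-vouches assertion that
    names `subject`. Illustrative shape of the wss10 SAML token; issuer is assumed."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("wsse", WSSE_NS)
    ET.register_namespace("saml", SAML1_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    assertion = ET.SubElement(security, f"{{{SAML1_NS}}}Assertion",
                              MajorVersion="1", MinorVersion="1", Issuer=issuer)
    stmt = ET.SubElement(assertion, f"{{{SAML1_NS}}}AuthenticationStatement")
    subj = ET.SubElement(stmt, f"{{{SAML1_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML1_NS}}}NameIdentifier").text = subject
    conf = ET.SubElement(subj, f"{{{SAML1_NS}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML1_NS}}}ConfirmationMethod").text = SENDER_VOUCHES
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, "WhoAmI")  # the lab's single operation; no payload needed
    return ET.tostring(env, encoding="unicode")


def asserted_identity(envelope_xml, trusted_issuers=("www.oracle.com",)):
    """Receiver's view of the SAML token: (asserted user, confirmation method,
    signed?). With sender-vouches and no signature the receiver can only check
    structure and the issuer name; it has no proof of who built the assertion."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find(f".//{{{SAML1_NS}}}Assertion")
    if assertion is None:
        raise ValueError("no SAML assertion in WS-Security header")
    if assertion.get("Issuer") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    name = assertion.find(f".//{{{SAML1_NS}}}NameIdentifier").text
    method = assertion.find(f".//{{{SAML1_NS}}}ConfirmationMethod").text
    signed = assertion.find(f"{{{DSIG_NS}}}Signature") is not None
    return name, method, signed


def forge_subject(envelope_xml, new_subject):
    """The caveat from 12.2.2 in one step: anyone on the path can rewrite the
    NameIdentifier of an unsigned assertion and the receiver accepts it."""
    root = ET.fromstring(envelope_xml)
    root.find(f".//{{{SAML1_NS}}}NameIdentifier").text = new_subject
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    hdr = basic_auth_header("vhugo", "secret")  # constructed credential
    print(hdr, "->", user_from_basic_auth(hdr))
    env = saml_sender_vouches_envelope("weblogic")
    print(asserted_identity(env))
    print(asserted_identity(forge_subject(env, "attacker")))
```

The forged envelope is accepted with exactly the same checks as the genuine one, which is why the lab's policy choice is for demonstration only: in production the assertion must be signed (the message-protection policy variants) or the channel must authenticate the sender (SSL), so that "the issuer vouches for this subject" is backed by something the receiver can verify.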

12.3 Lab Configuration

There are several configuration activities for this lab:

12.3.1 Composite Configuration Plan

The configuration plan includes replacement values for:

- The host and port of the SecuredProcess
- The identity to use for SAML identity assertion (the plan uses weblogic)
- The name of the Credential Mapper key that contains the user and password for HTTP Basic Authentication (the plan uses basic.credentials.ps6Pilot)

Only the host and port must be changed. The remaining values may be left as they are, but they must match the deployment environment: the asserted identity must be a valid user in the domain, and the key must exist in the domain's credential store (see 12.3.2).


12.3.2 Creating a Credential Mapper key with user/password

The domain's credential store must contain an entry holding a valid user and password, which the HTTP token client policy sends as HTTP basic authentication. The solution project uses the user vhugo and the key name basic.credentials.ps6Pilot; you can use any user and key that are valid in the domain, as long as the key name matches the one in the configuration plan.

The following blog entry provides a good overview of creating the map and entry:
http://biemond.blogspot.com/2010/08/http-basic-authentication-with-soa.html

12.3.3 Granting WSIdentityPermission to the calling composite

Asserting an arbitrary identity via SAML requires a grant of oracle.wsm.security.WSIdentityPermission to the calling composite. This can be done via EM or WLST. See the documentation at:
http://docs.oracle.com/cd/E14571_01/web.1111/b32511/setup_config.htm#autoId30

See the specific section: Configuring SAML Web Service Clients for Identity Switching

Note that the documentation references the policy wss11_saml_token_identity_switch_with_message_protection_client_policy. The lab instead uses wss10_saml_token_client_policy and wss10_saml_token_service_policy to remove the need for managing certificates.
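The two configuration items from 12.3.2 and 12.3.3 can be created in one WLST session instead of clicking through EM. The script below is an added example, not part of the workshop or the solution project; it must be run with the WLST from oracle_common (oracle_common/common/bin/wlst.sh), which loads the OPSS credential-store and policy-store commands. The admin URL, the composite name CallingProcess as the permission resource and the OWSM agent jar used as the grant's codebase are assumptions to verify against the linked documentation page; oracle.wsm.security is the credential-store map OWSM resolves csf-key values against. The client-side override on the SAML-Impersonation reference that the linked section also describes (subject.precedence set to false so the identity comes from the credential store rather than the current Subject) is set on the reference, not by this script.

```jython
# Added example (WLST/Jython): create the credential-store entry for HTTP basic
# authentication and grant WSIdentityPermission to the calling composite.
# Run under oracle_common/common/bin/wlst.sh; not part of the workshop materials.
import getpass

ADMIN_URL = 't3://localhost:7001'          # assumption: adjust to your domain

CSF_MAP = 'oracle.wsm.security'            # map OWSM reads csf-key values from
CSF_KEY = 'basic.credentials.ps6Pilot'     # key name used by the configuration plan
CSF_USER = 'vhugo'                         # must exist in the domain identity store

# Codebase the WSIdentityPermission is granted to (assumption: the 11g OWSM agent
# jar named in the identity-switching documentation; verify the path locally).
WSM_AGENT_CODEBASE = ('file:${common.components.home}/modules/'
                      'oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar')
# Resource that may switch identities. Assumption: the composite name as the
# client application name; scoping it this narrowly keeps other composites from
# asserting arbitrary users.
IDENTITY_SWITCH_RESOURCE = 'resource=CallingProcess'


def create_basic_auth_credential():
    # Prompt for the password rather than embedding it in the script; WLST stores
    # it encrypted in the credential store and the client policy reads it at runtime.
    password = getpass.getpass('Password for %s: ' % CSF_USER)
    createCred(map=CSF_MAP, key=CSF_KEY, user=CSF_USER, password=password,
               desc='HTTP basic credentials for SecuredProcess (PS6 workshop)')
    # Read the entry back (the password is not displayed) to confirm the key resolves.
    listCred(map=CSF_MAP, key=CSF_KEY)


def grant_identity_switch():
    # Without this grant the SAML client policy refuses to assert an identity other
    # than the current Subject, so the "assert arbitrary identity" scenario fails.
    grantPermission(codeBaseURL=WSM_AGENT_CODEBASE,
                    permClass='oracle.wsm.security.WSIdentityPermission',
                    permTarget=IDENTITY_SWITCH_RESOURCE,
                    permActions='assert')


# connect() with no arguments prompts for user, password and URL; pass ADMIN_URL
# explicitly here and let it prompt for the credentials.
connect(url=ADMIN_URL)
create_basic_auth_credential()
grant_identity_switch()
disconnect()
```

Keep the permission target as narrow as the environment allows: WSIdentityPermission with the assert action lets its holder put any user name into the SAML token, so granting it to a broad codebase or resource turns every caller into an identity-switching client.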


12.4 Exercise Instructions

The lab is organized into two passes. The first is to apply and configure the policies on just the references and services of the CallingProcess and SecuredProcess. This enables invocation of the SecuredProcess in all of the scenarios except propagation of the caller's identity, since the CallingProcess itself has no identity yet.

The second pass secures the CallingProcess service with HTTP basic authentication so that a user is associated with the CallingProcess.

12.4.1 First Pass

The steps for the first pass:

- Attach OWSM policies to the SecuredProcess and CallingProcess
- Deploy the composites (be sure to include the configuration plan when deploying the CallingProcess project)
- Run the scenarios

The policy attachments should be as follows:

CallingProcess Ref      Reference Policy                  Service Policy
SAML-Propagation        wss10_saml_token_client_policy    wss10_saml_token_service_policy
SAML-Impersonation      wss10_saml_token_client_policy    wss10_saml_token_service_policy
Http-CredentialMapper   wss_http_token_client_policy      wss_http_token_service_policy

Note: the client policies need configuration overrides beyond the attachment itself, for example the credential-store key (csf-key) that wss_http_token_client_policy reads and the identity-switching settings on the SAML-Impersonation reference. Please review the documentation and the session slides.


12.4.2 Second Pass

The only change in this pass is to add wss_http_token_service_policy to the CallingProcess service. This results in a Subject being associated with the calling service and illustrates an important point about how policies and message optimization are related.

In the first pass, the policies were attached at design time using JDeveloper. It is also possible to attach policies at runtime using EM. In pass 2 you will use EM to attach the policy and then run the same set of scenarios again (without redeploying), this time with a user id provided via HTTP basic authentication.

In EM, go to the Policies tab for the CallingProcess composite. Note that the policies bound to the service references at design time are already listed. Use the Attach/Detach menu and select CallingProcess.service.

Select and attach wss_http_token_service_policy. Don't forget to click OK:


You should now see the new policy attached to the service.

Now run the scenarios again as a valid user, for example mwtain. You should see that user both as the local subject and as the subject returned in the service response.

Look carefully at the SAML identity assertion scenario. If it does not behave as expected, review the notes on policies and local optimization.


12.5 Running and Testing the application

Enterprise Manager (EM) is used to run the scenarios. The output is the local and remote representation of the user, taken from the oracle.fabric.security.identity.subject property.

12.6 Quick Build Instructions

There is no quick build for this lab. You can deploy the solution to see a completed configuration, but you will still need to create the credential map entry (12.3.2) and grant the WSIdentityPermission (12.3.3) before any scenario other than SAML identity propagation will work.
