The things you need to do for OWSM 11g policies

Edwin Biemond | Aug 21, 2010 05:55 +0000

In Fusion Middleware 11g it is not so difficult to protect your JAX-WS Web services or your Composite Services. You just need to add an Oracle Web Service Manager service policy to the Web service. That's all the work for the developer or release manager; now the work starts for the administrator. This person needs to be familiar with the Enterprise Manager, the WebLogic Console, OpenSSL and the keytool utility of the JDK. In this blog post I will show what you need to do when you choose a particular OWSM policy.


Let's start simple with one of the following policies
oracle/wss_http_token_service_policy
oracle/wss_username_token_service_policy

These policies can be used for HTTP Basic Authentication or for a Username Token in a SOAP message. The only thing you need to do for these policies is to add some users to the myrealm Security Realm in the WebLogic Console.
On the client side you need to do the following.
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
            new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss_username_token_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
    
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test" );
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1" );
       
Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);


The Message protection policies
oracle/wss10_message_protection_service_policy
oracle/wss11_message_protection_service_policy
When you choose one of these policies you need to generate a server certificate for encryption and put it in a Java keystore. For the client side you also need to make a keystore, but this contains only the public key of this server encryption certificate.

To add your server keystore to FMW, go to the Enterprise Manager and select your WebLogic domain. In the menu go to the Security / Security Provider Configuration page, where you can import your Java keystore. Before you start, copy your keystore to the config/fmwconfig folder of your domain.

In this example I used two certificates, one for the signature and one for the encryption. For Message protection Service policies you only need the encryption certificate.
On the client side you need to load the client keystore and the public key of the server encryption certificate.
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);

The above policies can also be combined, as in these policies:
oracle/wss10_username_token_with_message_protection_service_policy
oracle/wss11_username_token_with_message_protection_service_policy


For these policies you need to create a user in the WebLogic Console for the username token and generate a server and client keystore for the message protection part.
On the client side you need to do the following.
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_username_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "test" );
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1" );

reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);

In the last part of this blog post I will explain the following policies:
oracle/wss10_x509_token_with_message_protection_service_policy
oracle/wss11_x509_token_with_message_protection_service_policy

These policies will use the client certificate for the signature and the public key of the server encryption certificate for the encryption.
So we start by making some keystores with some certificates. I don't use self-signed certificates because then for every new client I need to update the server keystore and reboot the FMW server. Now I only have to import the CA public certificate in the server keystore. This is what my server keystore looks like:

It has a private certificate for the server signature and one for encryption. The CA public key is trusted.

For the client I have this keystore. ( Every customer / application can have its own client keystore )

The CA and Server encryption certificates are public certificates and are trusted.
Because the FMW server does not know this client certificate (it only knows the CA) you need to add a new user in the myrealm Security Realm in the WebLogic Console. The password of this user is not important; the only requirement is that the common name of this client certificate is the same as the WebLogic username.

And finally the client code, where we need to provide the client signature certificate details.
execute = new Execute();
SecurityPolicyFeature[] securityFeatures =
    new SecurityPolicyFeature[] { new SecurityPolicyFeature("oracle/wss11_x509_token_with_message_protection_client_policy") };
Request_Response_ptt request_Response_ptt = execute.getRequest_Response_pt(securityFeatures);
// Add your code to call the desired methods.
Map<String, Object> reqContext = ((BindingProvider) request_Response_ptt).getRequestContext();

reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "C:/client_keystore.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "welcome");

reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, "client1");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, "welcome");

reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, "server_encr");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, "welcome");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "server_encr");

Request req = new Request();
req.setName("edwin");
req.setMessage("hi");
Response resp = request_Response_ptt.requestResponse(req);
Next time I will try to describe the SAML policies.
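
A pre-flight check an administrator could run on a client keystore before handing it out, as an added example that is not part of the original post. It covers both the message protection and the x509 sections: `server_encr` must be a public certificate only, `client1` must be a key pair issued by the CA, and the certificate's common name must equal the WebLogic username. The class name, the `KS_PASS` environment variable and the command-line arguments are assumptions; the two aliases are the ones used in the client code above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (not from the original post): pre-flight check of a client keystore.
public class ClientKeystoreCheck {

    /** Returns the CN of the certificate subject, or null if the subject has none. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        }
        return null;
    }

    static void require(boolean ok, String message) {
        if (!ok) throw new IllegalStateException(message);
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <keystore.jks> <caAlias> <weblogicUser>. The store password is
        // read from the hypothetical KS_PASS environment variable instead of being hard-coded.
        require(args.length == 3 && System.getenv("KS_PASS") != null,
                "usage: KS_PASS=... java ClientKeystoreCheck <keystore.jks> <caAlias> <weblogicUser>");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, System.getenv("KS_PASS").toCharArray());
        }
        // Aliases as used in the post's client code.
        require(ks.isKeyEntry("client1"), "client1 must hold the client's private key");
        require(ks.isCertificateEntry("server_encr"),
                "server_encr must be a trusted certificate only: no server private key on the client");
        require(ks.isCertificateEntry(args[1]), "CA certificate missing or not a trusted entry");
        X509Certificate client = (X509Certificate) ks.getCertificate("client1");
        X509Certificate server = (X509Certificate) ks.getCertificate("server_encr");
        X509Certificate ca = (X509Certificate) ks.getCertificate(args[1]);
        // Each call throws if the certificate is expired or not yet valid.
        for (X509Certificate c : new X509Certificate[] {client, server, ca}) c.checkValidity();
        // Assumes the CA signs client certificates directly (no intermediate CA).
        client.verify(ca.getPublicKey());   // throws if client1 was not issued by this CA
        require(args[2].equals(commonName(client)),
                "certificate CN '" + commonName(client) + "' does not match WebLogic user " + args[2]);
        System.out.println("client keystore OK for user " + args[2]);
    }
}
```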

JavaOne Keynote: Larry Ellison and Thomas Kurian

Maybe you're interested in hearing about Java strategy and directions from Oracle CEO Larry Ellison and EVP Development Thomas Kurian?

More details here.

Hit the Schedule Builder Button! Oracle CEO Larry Ellison and EVP Product Development Thomas Kurian will deliver a "Java Strategy and Directions" keynote at JavaOne


"Java Strategy and Directions" Keynote Abstract for the JavaOne Keynote
Monday September 20th  | 5:45 p.m. - 7:15 p.m.


"Since its inception, Java has expanded relentlessly in bringing the power of secure, connected computing to the activities of everyday life. Java is the force behind applications and devices important to every aspect of both our professional and personal worlds--from desktops to mobile phones and handheld devices, to entertainment and navigation systems, to mission-critical enterprise software. In this opening JavaOne keynote, Larry Ellison, Oracle's CEO, and Thomas Kurian, Oracle's executive vice president, Product Development, share Oracle's vision for strengthened investment and innovation in Java and describe how Java will continue to grow as the most powerful, scalable, secure, and open platform for the global developer community."

We'd call this a must-see, wouldn't you? Register today!





Forms modernisation at OOW

nathalieroman | Aug 20, 2010 01:07 +0000

For the people, partners, customers attending Open World and interested in Forms and fusion technologies I’ve made a little resume of the interesting sessions you could attend:

  • S315945 : Oracle Forms in the Middle of Middleware with Oracle Product Management – Wednesday, September 22, 13:00 | Marriott Marquis, Salon 9
  • S317234 : Moving from Oracle Forms to Java and Oracle Application Development Framework – Tuesday, September 21, 09:30 | Hotel Nikko, Carmel
  • S313982 : Forms2Future: Journey into the Future for Organizations on the Oracle Platform – Tuesday, September 21, 13:00 | Hotel Nikko, Golden Gate
  • S313280 : PL/SQL Developer, Quiz Thyself! – Monday, September 20, 10:00 | Hotel Nikko, Bay View

Sessions regarding Fusion Middleware, Enterprise Architecture, Upgrading to 11g:

  • S313466 : Oracle Fusion Middleware as an Enabler for Transformation and Innovation – Monday, September 20, 15:30 | Moscone West L3, Rm 3018
  • S317629 : Best Practices in Enterprise Architecture: Case Studies – Tuesday, September 21, 17:00 | Moscone South, Rm 301
  • S316135 : From Oracle Forms to a Service-Oriented Architecture with Oracle SOA Suite 11g – Tuesday, September 21, 17:00 | Marriott Marquis, Salon 9
  • S317403 : Oracle Internet Application Server 10g to Oracle Fusion Middleware 11g R1 – Wednesday, September 22, 10:00 | Marriott Marquis, Salon 8
  • S315685 : Stay Away If You Are Technical: This Is Oracle Fusion Middleware for Business – Sunday, September 19, 16:30 | Moscone West L2, Rm 2010
  • S317474 : Oracle Fusion Middleware Application Server Roadmap – Monday, September 20, 11:00 | Marriott Marquis, Salon 9
  • S316409 : Oracle Fusion Middleware Architecture: Choices, Choices, Choices – Monday, September 20, 17:00 | Marriott Marquis, Golden Gate B
  • S316855 : Oracle Fusion Development Platform: Oracle JDeveloper and Oracle ADF Overview – Tuesday, September 21, 11:00 | Marriott Marquis, Salon 9
  • S316075 : Telenet: The SOA Challenge – Tuesday, September 21, 14:00 | Marriott Marquis, Salon 4
  • S316906 : Adding Web 2.0 Interfaces to Your Enterprise Applications: The Oracle Fusion Way – Thursday, September 23, 09:00 | Moscone West L3, Rm 3016
  • S316615 : Migrate: Oracle Application Server Containers for J2EE to Oracle WebLogic Server – Sunday, September 19, 15:30 | Moscone West L2, Rm 2010

If you’ve got other interesting sessions to add, please comment so no one misses out on interesting tips, tricks during Oracle Open World.

Of course besides these sessions there are enough things to see, do and visit in and around San Francisco such as the cable car, Fisherman’s Wharf, biking (preferably with a tandem … hilarious) on the Golden Gate Bridge, eat a delicious Cioppino, visit Sausalito, …

Hope to see you all there !


JavaOne and Oracle Develop Unconference

Brainstorm with experts! In addition to the power packed "official" sessions of JavaOne and Oracle Develop, there will be an unconference that runs in conjunction with the main conference from Monday-Thursday at the Parc 55 hotel.

What to expect at this unconference?
If you want to lead a session, you can register your session in the currently open three tracks at the unconference website and write an abstract to get others interested in your session. One track out of four is open during the conference and you will be able to register your session onsite.

You are expected to participate. Contribute to an open discussion, speak freely, share ideas and interact in an informal setting. You will discover how much you can learn from and share with your peers. You attend sessions as you like or (even better), lead an unconference session on a technical subject of your choice and get instant feedback and ideas from your peers.

What Are the Session Topics?
The unconference sessions can cover any subject related to Oracle technologies and the IT industry. Community members are planning on discussing cloud computing, databases, women in technology, and much more. For example, at 10:00am on Monday, Regina ten Bruggencate, a 15-year veteran Java developer, experienced Java user group leader and founder of the European website jduchess.org, will invite participants to discuss "the role of women in the Java community and IT".

Who can join?
All full conference registrants at JavaOne and Oracle Develop are welcome.

How to learn about unconference sessions?
Visit the unconference website for the schedule and write the abstracts to learn more about the sessions.

See you in September!

New Patch available for ApEx 4.0

ApEx 4.0.1 is available for download. If you are running ApEx 4.0 then I suggest you upgrade as soon as possible.

- If you are already running ApEx 4.0 then download the patch from Oracle support; look for patch nr 9976149.
- If you are still running an older version than 4.0 then download ApEx from apex.oracle.com.

The new version nr of APEX is 4.0.1.00.03.


Can you see the problem with this code?

Gerard Davison | Aug 19, 2010 03:28 +0000

Just a little code quiz, can you spot the design problem with this API? Bonus points for coming up with a plausible reason as to what the programmer was distracted with whilst working on this.

    /** Load an integer from system properties, validating in a range */
    public static int getProperty(String name, int defValue, int min, int max){
        try {
            int value = Integer.getInteger(name, defValue).intValue();
            return Math.max(min, Math.min(max, value));
        }
        catch(NumberFormatException e) {
            return defValue;
        }
    }
    /** Load a long from system properties, validating in a range */
    public static long getProperty(String name, long min, long max, long defValue){
        try {
            long value = Long.getLong(name, defValue).longValue();
            return Math.max(min, Math.min(max, value));
        }
        catch(NumberFormatException e) {
            return defValue;
        }
    }