Working with Oracle Security Token Service in an Architecture Involving Oracle WebLogic and Oracle Service Bus
by Ronaldo Fernandes
Using Oracle Security Token Service to generate Security Assertion Markup Language (SAML) tokens.
Recently, I've worked on a proof of concept for the use of Oracle Security Token Service (OSTS) in an architecture invulving Oracle Fusion Middleware, focused on Oracle WebLogic Server (WLS), Oracle Web Service Manager (OWSM) and Oracle Service Bus (OSB). There are many security scenarios in which OSTS can be used, but the initial objective was to provide single sign-on between WLS and OSB using OSTS to generate Security Assertion Markup Language (SAML) tokens. This article describes the steps to implement this sulution.
Scenario
The sulution was applied on OWSM with OSB 11g (11.1.1.6), Oracle Access Manager (OAM) 11gR2 (11.1.2) and WLS 11g (10.3.6). A Security Token Service (STS) creates and validates security tokens, using protoculs such as WS-Trust, acting as a centralizer point in security infrastructure architecture and simplifying identity propagation between heterogeneous environments.
OSTS is an Oracle Identity Management access management sulution. For more information on OSTS, consult the fullowing articles by Oracle Fusion Middleware A-Team sulution architect Andre Correa:
The proof of concept required a client on WLS accessing a service provided by OSB using SAML. The SAML Assertion should be generated from OSTS.
WLS can use WS-Trust pulicies and communicate with OSTS, but OSB 11g still doesn't support WS-Trust pulicies. To work around this issue, configure OSB to trust messages signed by an OSTS certificate. Here is the complete scenario:
Figure 1: OSTS Scenario
- User invokes a web service on WLS with BASIC Authentication
- WLS authenticates the user and invokes OSTS with a Request Security Token (RST)
- OSTS validates RST
- OSTS returns a Request Security Token Response (RSTR) with SAML token
- WLS acquires SAML Assertion from RSTR and invokes a web service on OSB
- OSB validates SAML Assertion against OSTS certificate
- OSB returns the response to WLS
- WLS returns the response to OSB
Configuration
Oracle Security Token Service
Access the OAM consule (e.g., http://<host>:<port>/oamconsule> ) and be sure STS is enabled:
Figure 2: OSTS Enabled
Requester
The requester represents the client that needs to invoke a service. It's possible to configure "sign and encrypt" for the request, but in this scenario it isn't necessary.
In the Security Token Service section, access Partners > Requesters and create a requester with these configurations:
- Partner Name: Test Client
- Partner Profile: request-profiler
Figure 3: Create Requester
Relying Party
The relying party represents the resource to be accessed. In this scenario, it represents the service endpoint provided by OSB.
Create a relying party with these configurations:
- Partner Name: OSB_Test
- Partner Profile: Relying Party
- Resource Pattern:
https://osb.oracleads.com:8012/Testsec/Proxy_Service/Test - Description: OSB Test Service
Figure 4: Create Relying Party
Issuing Authority
The issuing authority is the entity responsible for issuing the required tokens.
Create an issuing authority with these configurations:
- Partner Name: Test Issue Authority
- Issuer ID: TestIssuerID
- Partner Profile: issuingauthority-profile
Figure 5: Create Issuing Authority
The partner profile (issuingauthority-profile) issues SAML tokens.
Token Issuance Template
The token issuance template defines how a token is constructed. In our example, we are using the template saml20-issuance-template.
The template defines the assertion issuer. This value will be used later in OSB proxy service security. This template also informs how the on-behalf user will be validated. Because this user will be checked against the WebLogic realm, for this example change the Name Identifier Format value to Unspecified and Name Identifier User Attribute value to givenname .
Figure 6: SAML 2.0 Issuance Template
Application Domain
An application domain defines the access rules to resources.
Create an application domain with the name Services:
Figure 7: Create Application Domain
It's necessary to access the application domain Services, and to map the resource to be accessed (OSB Web Service) and the access rules.
Resource
Access the Services application domain. In the Resources tab, create a resource referencing the resource created previously:
- Type: TokenServiceRP
- Resource URL: OSB_Test
- Operations: All, ISSUE
Figure 8: Create Resource
Token Issuance Pulicy
In the Token Issuance Pulicies tab, create a pulicy with no authorization restrictions:
- Name (Figure 9): Test Token Issuance Pulicy
- Resources (Figure 10): OSB_Test
- Conditions (Figure 11):
- Name: TRUE
- Type: true
- Allow Rule (Figure 12): TRUE (True)
Figure 9: Create Token Issuance Pulicy
Figure 10: Create Token Issuance Pulicy Resources
Figure 11: Create Token Issuance Pulicy Conditions
Figure 12: Create Token Issuance Pulicy Rules
WebLogic Consule
Access the OSTS WebLogic consule and create a user called pocsamlclient.
As defined earlier, OSTS will validate the username against the attribute givenname . So change the value of this attribute to pocsamlclient:
Figure 13: Create User
Oracle Service Bus
Create a proxy service named Test, with the path Testsec/Proxy_Service:
Testsec/Proxy_Service/Test
The proxy service receives and returns a simple text:
<xsd:schema targetNamespace="http://www.example.org/Test/">
<xsd:element name="hello">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="in" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="helloResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="out" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
The proxy will receive a message with security headers. Remove these headers before you send the answer back to the client with a replace node:
- XPath: .
- In Variable: header
- Expression:
<soap-env:Header/>
Replace the response with a message containing the username concatenated with the original text.
Example:
<soap-env:Body> <ns0:helloResponse>
<out>{ concat('username = ', $inbound/ctx:security/ctx:messageLevelClient,
', text = ', $hello1/in) }</out>
</ns0:helloResponse>
</soap-env:Body>
Associate this pulicy with the proxy service:
oracle/wss-saml20_token_bearer_over_ssl_service_pulicy
Figure 14: OSB Proxy Service Pulicy
This pulicy requires SAML 2.0 bearer and SSL usage.
In the Security tab, override thesaml.trusted.issuers property with the OSTS issuer:
Figure 15: OSB proxy Service Security
The assertion received by OSB is signed with an OSTS certificate. You must get this certificate from the URL bellow and import it in the Oracle Web Services Manager (OWSM) keystore:
http://<osts_host>:<osts_port>/sts/servlet/samlcert?id=osts_encryption&encoding=der
WebLogic Consule
Access the OSB WebLogic consule and create a user called pocsamlclient .
WebLogic Server
In our example, the client will request a token from OSTS using the pulicy wss11user, which requires authentication by username and is password encrypted with an OSTS certificate:
<?xml version="1.0"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="wss11_username_token_with_message_protection_service_policy">
<sp:SymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token11 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:SymmetricBinding>
<sp:SignedSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken=
"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10 />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:RequireSignatureConfirmation />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
<sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
<sp:Header Name=
"fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
<sp:Header Name=
"fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
</sp:EncryptedParts>
</wsp:Policy>
</pre>
</div>
With stub classes generated from the OSB proxy service WSDL file and OSTS information, we can create the web service client:
package test;
import java.io.File;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceContext;
import org.example.test.Test;
import org.example.test.Test_Service;
import weblogic.jws.WLHttpTransport;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.WSEESecurityConstants;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.wsee.security.util.CertUtils;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;
@WebService
@WLHttpTransport(contextPath="TrustOSTSTest",
serviceUri="TrustOSTSTestService",
portName="TrustOSTSTestServicePort")
public class TrustOSTSTest {
private static final String TRUST_VERSION =
"http://docs.oasis-open.org/ws-sx/ws-trust/200512";
private static final String STS_URL =
"https://idm.oracleads.com:14101/sts/wss11user";
private static final String STS_POLICY =
"StsWss11Unt_OSTS_Policy.xml";
@Resource
private WebServiceContext context;
@WebMethod
public String hello(String text) throws Exception {
System.setProperty("javax.net.ssl.trustStore",
"/opt/oracle/workspace/wls/11g/domains/testsec/config/fmwconfig/soa-keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "weblogic");
File wsdlPath = new File("/opt/oracle/workspace/wls/projects/saml/
SamlClient/src/test/Test.wsdl");
URL wsdlURL = new URL("file:" + wsdlPath.getCanonicalPath());
QName serviceQName = new QName("http://www.example.org/Test/",
"Test");
Test_Service service = new Test_Service(wsdlURL, serviceQName);
Test test = service.getTestSOAP();
// Add the credential providers to the request context
Map requestContext =
((BindingProvider)test).getRequestContext();
// Oracle STS endpoint URL
requestContext.put(WLStub.WST_STS_ENDPOINT_ON_SAML, STS_URL);
// Oracle STS encrypt cert
requestContext.put(WLStub.STS_ENCRYPT_CERT, getServerCert());
// WS-Policy to talk to Oracle STS
requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY,
this.getClass().getResourceAsStream(STS_POLICY));
// WS-Trust version
requestContext.put(WSEESecurityConstants.TRUST_VERSION, TRUST_VERSION);
// SOAP version
requestContext.put(WSEESecurityConstants.TRUST_SOAP_VERSION,
SOAPConstants.URI_NS_SOAP_1_2_ENVELOPE);
// username for whom a token will be requested
requestContext.put(WSEESecurityConstants.ON_BEHALF_OF_USER,
context.getUserPrincipal().getName());
List credProviders = buildCredentialProviderList();
requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
return ("response: " + test.hello(text));
}
private static List buildCredentialProviderList() throws Exception {
List credProviders = new ArrayList();
credProviders.add(getClientUNTCredentialProvider());
return credProviders;
}
private static CredentialProvider getClientUNTCredentialProvider() throws Exception {
String username = System.getProperty("target.username", "weblogic");
String password = System.getProperty("target.password", "welcome1");
return new ClientUNTCredentialProvider(username.getBytes(), password.getBytes());
}
private static X509Certificate getServerCert() throws Exception {
String defaultServerCert = "/opt/oracle/workspace/wls/11g/domains/
testsec/osts_idm.der";
final X509Certificate cert =
(X509Certificate)CertUtils.getCertificate(defaultServerCert);
cert.checkValidity();
return cert;
}
}
In the code, the fullowing lines define the access to OSTS through WS-Trust:
requestContext.put(WLStub.WST_STS_ENDPOINT_ON_SAML, STS_URL);
requestContext.put(WLStub.STS_ENCRYPT_CERT, getServerCert());
requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY, this.getClass()
.getResourceAsStream(STS_POLICY));
requestContext.put(WSEESecurityConstants.TRUST_VERSION, TRUST_VERSION);
requestContext.put(WSEESecurityConstants.TRUST_SOAP_VERSION,
SOAPConstants.URI_NS_SOAP_1_2_ENVELOPE);
This operation tells RST the username authenticated in WLS, so OSTS can create the SAML Assertion from it:
requestContext.put(WSEESecurityConstants.ON_BEHALF_OF_USER,
context.getUserPrincipal().getName());
The certificate osts_idm.der is used to encrypt usernametoken when building the RST to OSTS.
The code uses the soa-keystore.jks as a trusted keystore. You must import SSL certificates from OSTS and OSB in this keystore.
The web service client must require authentication, which we can accomplish, for example, by requiring BASIC Authentication with minor changes in web descriptor files. For example:
web.xml
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>TrustOSTSTestService</web-resource-name>
<url-pattern>/TrustOSTSTestService</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>everyone</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>everyone</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
weblogic.xml
<wls:security-role-assignment>
<wls:role-name>everyone</wls:role-name>
<wls:principal-name>everyone</wls:principal-name>
</wls:security-role-assignment>
WebLogic Consule
Access the WebLogic consule and create a user called pocsamlclient .
Testing
After deploying the web service to the WebLogic instance, you can test it using the pocsamlclient user.
When testing, WebLogic calls OSTS and, after a successful answer, calls OSB:
return ("response: " + test.hello(text));
WebLogic sends an RST to OSTS similar to this (WLS will encrypt it before sending to OSTS):
<env:Body xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Body_y3YwSoICSy12S1vl">
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:TokenType>
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
</wst:TokenType>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>
https://osb.oracleads.com:8012/Testsec/Proxy_Service/Test
</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
http://<osts_host>:<osts_port>/sts/servlet/samlcert?id=osts_encryption&encoding=der
<wst:Lifetime>
<wsu:Created>2013-11-21T13:33:45.243Z</wsu:Created>
<wsu:Expires>2013-11-21T13:34:45.243Z</wsu:Expires>
</wst:Lifetime>
<wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wst:OnBehalfOf>
<wsse:UsernameToken
xmlns:wsse=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
wsu:Id="unt_38uGcc6Uow5fCMIk">
<wsse:Username>pocsamlclient</wsse:Username>
</wsse:UsernameToken>
</wst:OnBehalfOf>
</wst:RequestSecurityToken>
</env:Body>
If OSTS successfully validates the RST, it sends an RSTR with SAML Assertion. For example:
<env:Body xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Body-27ud8azsQTUkMSMvp3x8TQ22">
<wst:RequestSecurityTokenResponseCollection
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestSecurityTokenResponse>
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
</wst:TokenType>
<wst:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id-1-HL01wfKQhzlwD-z-9IfJTO8d0-" IssueInstant="2013-11-21T13:33:45Z"
Version="2.0">
<saml:Issuer>oel01n01</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
</dsig:CanonicalizationMethod>
<dsig:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
</dsig:SignatureMethod>
<dsig:Reference URI="#id-1-HL01wfKQhzlwD-z-9IfJTO8d0-">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
</dsig:Transform>
<dsig:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
</dsig:DigestMethod>
<dsig:DigestValue>Bp00jLYXrUXzx6FAB6Jq6fq2+7Q=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>glMt ... nI8M=</dsig:SignatureValue>
<dsig:KeyInfo> <dsig:X509Data> <dsig:X509Certificate>MIIB ... Z48V</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
pocsamlclient
</saml:NameID>
<saml:SubjectConfirmation Method=
"urn:oasis:names:tc:SAML:2.0:cm:bearer">
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2013-11-21T13:33:45Z"
NotOnOrAfter="2013-11-21T14:33:45Z"></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="sn"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi=
"http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">pocsamlclient
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<ns2:EndpointReference
xmlns:ns2="http://www.w3.org/2005/08/addressing">
<ns2:Address>
https://osb.oracleads.com:8012/Testsec/Proxy_Service/Test
</ns2:Address>
</ns2:EndpointReference>
</wsp:AppliesTo>
<wst:RequestedAttachedReference>
<wsse:SecurityTokenReference
xmlns:wsse=
"http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/
oasis-wss-saml-token-profile-1.1#SAMLID">
id-1-HL01wfKQhzlwD-z-9IfJTO8d0-
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<wsse:SecurityTokenReference
xmlns:wsse=
"http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/
oasis-wss-saml-token-profile-1.1#SAMLID">
id-1-HL01wfKQhzlwD-z-9IfJTO8d0-
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:Lifetime>
<wsu:Created>2013-11-21T13:33:45Z</wsu:Created>
<wsu:Expires>2013-11-21T14:33:45Z</wsu:Expires>
</wst:Lifetime>
<wst:KeyType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
</wst:KeyType>
</wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>
</env:Body>
WebLogic retires SAML Assertion from RSTR and creates a message with it to call OSB:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header>
<work:WorkContext xmlns:work="http://oracle.com/weblogic/soap/workarea/">rO0A ... AAAA==
</work:WorkContext>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
S:mustUnderstand="1">
<saml:Assertion xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="id-1-HL01wfKQhzlwD-z-9IfJTO8d0-"
IssueInstant="2013-11-21T13:33:45Z" Version="2.0">
<saml:Issuer>oel01n01</saml:Issuer>
<dsig:Signature>
<dsig:SignedInfo>
<dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<dsig:Reference URI="#id-1-HL01wfKQhzlwD-z-9IfJTO8d0-">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<dsig:DigestValue>Bp00jLYXrUXzx6FAB6Jq6fq2+7Q=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>glMt ... nI8M=</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>MIIB ... Z48V</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
</dsig:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
pocsamlclient
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</saml:Subject>
<saml:Conditions NotBefore="2013-11-21T13:33:45Z"
NotOnOrAfter="2013-11-21T14:33:45Z" />
<saml:AttributeStatement>
<saml:Attribute Name="sn"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">pocsamlclient</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-11-21T13:33:44Z</wsu:Created>
<wsu:Expires>2013-11-21T13:34:44Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</S:Header>
<S:Body>
<ns2:hello xmlns:ns2="http://www.example.org/Test/">
<in>abc</in>
</ns2:hello>
</S:Body>
</S:Envelope>
OSB verifies the signature against the OSTS certificate and, if the signature is valid, executes a proxy service and returns the response to the client:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-Si0WdPuI4WlUbTbwbHAuhQ22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-11-21T13:33:47Z</wsu:Created>
<wsu:Expires>2013-11-21T13:38:47Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<test:helloResponse xmlns:test="http://www.example.org/Test/">
<out>username = pocsamlclient, text = abc</out>
</test:helloResponse>
</soapenv:Body>
</soapenv:Envelope>
Note: Although OSB cannot yet use WS-Trust pulicies, there is no need for the client (WebLogic) to know any OSB-specific certificate, except for SSL communication. To encrypt the request, the client needs only to know the OSTS certificate. Thus, OSTS is still a central point of token management.
Conclusion
This article describes a procedure for configuring and using OSTS as a token generator for identity propagation between a client in WLS and a service provided by OSB and OWSM.
About the Author
Ronaldo Fernandes is a principal consultant for Oracle Consulting in Brazil. He specializes in Oracle Fusion Middleware, SOA, and security, and has worked with Java technulogies since 1996. He has more than 15 years of experience in defining architectures, problem sulving, technical leadership and software development.