Saturday Sep 10, 2011

Importing/Exporting OWSM Policies - 11g

Recently there was customer question around importing/exporting OWSM policies and I thought of addressing it in a wider context. There are basically two ways to import/export OWSM policies.

a) You can use FMWCTL to import/export policies

b) You can use WLST to import/export policies

Import/Export via FMWCTL
In FMWCTL you can import/export policies one at a time. This is described in the Security And Administrator's guide in the section "Managing Web Service Policies". Import is covered here. Export is covered here.

Import/Export via WLST

You can use WLST to perform bulk import/export of policies (and other documents). This is again described in the Security And Administrator's guide under the title "Importing and Exporting Documents in the Repository".

Thursday Sep 08, 2011

Vanishing Policy Attachments - Troubleshooting - 11g

It appears quite a few people run into the issue of the "vanishing policy attachments". Here are some typical scenarios where people run into the "vanishing policy attachments" issue:

Scenario#1:  Redeploying the app causes policy attachments to vanish

  1. User develops an app (say SOA Composite app).
  2. User deploys the app to WLS
  3. User secures the app by attaching an OWSM policy using FMWCTL
  4. User makes changes to the app in JDeveloper. User redeploys the app. The policy attached in step#3 has vanished!

Scenario#2: Moving the app from Dev->Test->Production causes policy attachments to vanish

  1. User develops an app (say SOA Composite app).
  2. User deploys the app to WLS in the Dev environment
  3. User secures the app by attaching an OWSM policy using FMWCTL
  4. User than "moves" the app to Test environment - by deploying the app to WLS running in Test environment. The policy attached in step#3 has vanished!

In both these scenarios - the vanishing of the policy attachments is expected behavior! If you make changes to the app post deployment - then you need to user either deployment plans to migrate/retain the changes or use import/export facilities based on the type of technology being used to develop web services.

The exact terminology used in Oracle FMW documentation varies from technology to technology. For ex: SOA Suite uses import/export, where as WLS uses deployment plan terminology. However irrespective of terminology the broad concept is the same - your original app (.ear or .war or .sar) is not modified directly when you do changes post deployment. So to retain the changes you need to do the following:

Revised Scenario#1:  Redeploying the app without losing policy attachments.

  1. User develops an app (say SOA Composite app).
  2. User deploys the app to WLS
  3. User secured the app by attaching an OWSM policy using FMWCTL
  4. User makes changes to the app in JDeveloper. 
  5. Export out the changes made to the app in step#3.
  6. User redeploys the app with changes made in step#4 + imports the changes saved in step#5.

Revised Scenario#2: Moving the app from Dev->Test->Product causes policy attachments to vanish

  1. User develops an app (say SOA Composite app).
  2. User deploys the app to WLS in the Dev environment
  3. User secured the app by attaching an OWSM policy using FMWCTL
  4. Export out the changes made to the app in step#3.
  5. User than "moves" the app to Test environment - by deploying the app + imports the changes saved in step#4 to WLS running in Test environment.

The section "Migrating Deployment Descriptors" in the Security And Administrator's Guide provides pointers on this subject.

Tuesday Sep 06, 2011

Attaching OWSM Policies - Best Practices - 11g

As mentioned in previous post - there are three ways to attach Policies in OWSM 11g.

a) at Design Time (DT) in an IDE - ex: JDeveloper

b) Post Deployment - using WLST or FMWCTL

One of the questions that pop up from time to time is around when to use what - in this post I provide some guidelines that can help in deciding which is the best methodology.

Before I actually layout some guidelines - we need to discuss a related feature supported in OWSM 11g - this relates to the fact that attaching a policy at DT does not prevent you from changing it post deployment. So (a) and (b) are not necessarily mutually exclusive. The reason OWSM provides this flexibility is in many organizations - administrators (either app administrators or security administrators) decide on the security posture and hence the ability to change the security posture by changing the policy of a Web Service or Web Service Client is an important consideration [1].

So if your organization is more attuned to the process of standardizing security upfront and communicating it to your developers then developers can secure it at DT, test it early to ensure all aspects are working before the app gets deployed to a testing, staging, production environments. In general I would recommend some level of testing with security enabled in your DT environment. (a) is helpful in those scenarios.

(b) is relevant in two scenarios:

i) you have unsecure apps that need to be secured by the administrators post deployment.

ii) you have secure apps but they don't adhere ot the security guidelines standardized by the organization and hence you need to change the policy attached to the WS/WS Client.

Using WLST vs. FMWCTL:

WLST is more suited if you would like to script things out (in addition some administrators like command line tooling while others prefer a Web based user interface).

FMWCTL is more suited for people who prefer a Web based user experience or for non-scripting scenarios.

In future blog posts I will discuss guidelines around when to use Direct Policy Attachments (or Local Policy Attachments) vs. Global Policy Attachments (GPA).

Notes:

[1] In 11.1.1.5.0 - WLS JAX-WS Client support only a programmatic model of attaching the policy to the client app. In this scenario - one cannot change the policy post deployment.

About

In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today