Tuesday Dec 17, 2013

How To - Videos!!

It has been quite some time since I have posted on the blog, but I thought I would share a How To video that we have created at Oracle to make it easier to use OWSM.

Here is a link to the YouTube video. The video demonstrates how to do global policy attachments for REST services (resources) using OWSM in Enterprise Manager Fusion Middleware Control!

This video supplements some of the blog entries here, here and here on the topic of Global Policy Attachments (GPA).

We hope to have more videos soon!

Happy viewing!!

Saturday Mar 17, 2012

Podcast on SOA Governance and OWSM - 11g

Anand Kothari, the Product Manager for OWSM, has a great podcast on SOA Governance and how OWSM and OEG help the SOA Governance story.


Wednesday Sep 14, 2011

Global Policy Attachments - Inheritance rules - Part#2 - 11g

In this blog post I briefly mentioned GPA vs. LPA and when to use GPA. As I mentioned, the key difference between GPA and LPA is granularity (the scope of the policy attachment). So what are inheritance rules? If we define a GPA that applies to, say, "all domains", another GPA for "domain1", another for "app1", and so on, then the inheritance rules determine which policy gets enforced for a particular web service.

Broadly speaking there are two types of inheritance rules:

  1. Overriding rule
  2. Additive rule.

So here is a simple scenario.

Scenario#1: We have a deployment with two WebLogic domains (Domain#1, Domain#2). We want to secure all web services (SOA, ADF, etc.) in this deployment with wss11_username_token_with_message_protection_service_policy, as shown in the figure below.

[Figure: GPA all domains]

Here are the WLST commands to set up GPA for the above scenario:

$>connect(...)
$>beginRepositorySession()
$>createPolicySet('all-domains-default-web-service-policies', 'ws-service', 'Domain("*")')
$>setPolicySetDescription('Default policies for web services in any domain')
$>attachPolicySetPolicy('oracle/wss11_username_token_with_message_protection_service_policy')
$>validatePolicySet()
$>commitRepositorySession()

See here for detailed description of these commands.

GPA Overriding rules

Scenario#2: Now consider a scenario where a particular app (let's say "GeneralLedger") needs to be secured with oracle/wss11_x509_token_with_message_protection_service_policy. For this we need to define a new GPA, as shown in the figure below:

[Figure: overriding rules]

Here is the set of commands to define the GPA for the GeneralLedger app to be secured with oracle/wss11_x509_token_with_message_protection_service_policy.

$>beginRepositorySession()
$>createPolicySet('generalledger-app-specific-web-service-policies', 'ws-service', 'Application("GeneralLedger")')
$>setPolicySetDescription('Policies for web services in General ledger app')
$>attachPolicySetPolicy('oracle/wss11_x509_token_with_message_protection_service_policy')
$>validatePolicySet()
$>commitRepositorySession()

In the scenario above, the policy oracle/wss11_x509_token_with_message_protection_service_policy will be applied to the Web Services in GeneralLedger. Thus the application-specific GPA overrides the deployment-wide GPA. So we have the first rule: the more specific GPA overrides the more generic GPA.

GPA Additive rules

Scenario#3: Now let's consider a scenario where an application with a single WS (say "Reliable & Secure WS", for lack of a better name!) wants security and WS-RM. We also want the security to be the same as the deployment-wide posture, i.e. the app needs to be secured with oracle/wss11_username_token_with_message_protection_service_policy. In this scenario, all you need to do is attach oracle/ws_reliable_messaging_policy via LPA to the "Reliable & Secure WS". OWSM recognizes that the "category" of the policy defined at the GPA level is "security" (specifically the "authentication" and "message protection" subcategories under security), while the locally attached policy is a WS-RM policy, so it adds the policies instead of overriding one with the other. The policies applied to "Reliable & Secure WS" are therefore both oracle/wss11_username_token_with_message_protection_service_policy and oracle/ws_reliable_messaging_policy.

This is depicted in the figure below:

[Figure: additive inheritance rules]

Since the inheritance rules change based on the "category" of the policy, it may not always be clear which policy is being applied to a particular web service. OWSM therefore provides what I call the "Effective Policy View", i.e. the set of policies that will be applied to a Web Service after applying the inheritance rules I just described above. You can view the "effective policies" either in EM or via WLST. See this section in the documentation for a description of "Effective Policies".

Note: As of 11gR1 PS4, GPA is not supported for WLS WS and OSB.
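The overriding and additive rules from Scenarios 1-3 can be modelled as a small Python function that computes an "effective policy" set per web service. This is an added example, not OWSM code or code from the original post; the scope ranking, the category labels and the names LedgerWS, OrderWS and ReliableApp are assumptions, and the model is a simplification of what OWSM does.

```python
# Simplified model of the inheritance rules in this post; not OWSM's own code.
# Scope ranks, category labels and service names are assumptions for illustration.
USERNAME = "oracle/wss11_username_token_with_message_protection_service_policy"
X509 = "oracle/wss11_x509_token_with_message_protection_service_policy"
WSRM = "oracle/ws_reliable_messaging_policy"
CATEGORY = {USERNAME: "security", X509: "security", WSRM: "reliable-messaging"}
SCOPE_RANK = {"all-domains": 0, "domain": 1, "application": 2, "local": 3}

# Constructed attachments mirroring Scenarios 1-3 (GPA, GPA, LPA).
ATTACHMENTS = [
    {"scope": "all-domains", "target": "*", "policy": USERNAME},
    {"scope": "application", "target": "GeneralLedger", "policy": X509},
    {"scope": "local", "target": "Reliable & Secure WS", "policy": WSRM},
]

def applies(att, service):
    """True if the attachment's scope covers this web service."""
    if att["scope"] == "all-domains":
        return True
    key = {"domain": "domain", "application": "application", "local": "name"}
    return service[key[att["scope"]]] == att["target"]

def effective_policies(attachments, service):
    """Return {category: policy}, keeping the most specific scope per category."""
    winners = {}  # category -> (scope rank, policy)
    for att in attachments:
        if not applies(att, service):
            continue
        rank, cat = SCOPE_RANK[att["scope"]], CATEGORY[att["policy"]]
        # Overriding rule: a more specific scope replaces a more generic one.
        # Additive rule: a different category never displaces this entry.
        if cat not in winners or rank > winners[cat][0]:
            winners[cat] = (rank, att["policy"])
    return {cat: policy for cat, (_, policy) in winners.items()}

def without_security(attachments, services):
    """Names of services whose effective set has no security policy."""
    return [s["name"] for s in services
            if "security" not in effective_policies(attachments, s)]

SERVICES = [  # constructed sample services
    {"name": "LedgerWS", "domain": "Domain#1", "application": "GeneralLedger"},
    {"name": "Reliable & Secure WS", "domain": "Domain#2", "application": "ReliableApp"},
    {"name": "OrderWS", "domain": "Domain#2", "application": "Orders"},
]

if __name__ == "__main__":
    for svc in SERVICES:
        print(svc["name"], effective_policies(ATTACHMENTS, svc))
```

Calling `without_security` with the deployment-wide attachment removed shows which services would be left with no security policy, which is the kind of gap the Effective Policy View helps to catch.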

About

In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).
