IB Out Bound Soap Messages with WS-Security
By Greg Kelly on May 31, 2009
This introduces one of an occasional series which will be created by the PeopleTools Development Team. (remember, if you have any comments on this or any post, click on the email link on the "About" panel)
WS-Security: Publishing outbound SOAP messages using WS-Security
This document is a set of setup steps for Integration Broker Outbound WSS message on PeopleTools 8.48 and 8.49 ONLY.
PeopleTools provides support for WS-Security standard enabling secure web services. It implements Oasis standard 1.0 WS-Security schema which conforms to Web Services Security Standard 1.0.
Within this framework, PeopleSoft implements:
• Username Token Profile 1.0
• X.509 Token profile 1.0
Peoplesoft use X.509 token profile in conjunction with Username Token Profile.
The PeopleSoft implementation of WS-Security :
A) Username Token Profile.
1. Username Token with Password as ClearText **.
2. Username Token without Password.
Both options above can be enabled with X.509 Token Profile.
B) X.509 Token Profile.
1. Digitally Signed.
3. Digitally Signed and Encrpytion.
Encryption only applies to SOAP header.
Digital Signature applies to both SOAP header and body.
If there is a concern on the password, one can use SSL over HTTP or Encryption from WS-Security.
We’ll discuss how to publish an outbound SOAP message for a service operation for WS-Security.
Steps detailed below assume you have already configured integration gateway and a service operation on your environment. For more details on setting up gateway and service operation refer to 8.49/8.48 Peoplebooks.
To enable Encryption and Digital signature, certificates in Java keystore must be correctly set up and configured. wss.properties file is used to list details about the keystore location and password to it. interop.jks is used as the default keystore file. If you need to use a different keystore you can edit wss.properties file accordingly. You should also ensure the password defined in wss.properties is in sync with the password set for your keystore.
Password in wss.properties can be stored encrypted using pscipher utility. For the default interop.jks keystore it is stored encrypted.
wss.properties file and interop.jks are located at ...\PSIGW.war\WEB-INF\classes on your webserver.
Set Up: For our example below we will use QE_PO_SYNC as our service operation that we will publish with WS-Security. Note: As mentioned at the beginning of the post these instructions only apply for outbound messages
1. To enable the digital signature for the outbound service operation.
a. Create keypair [public key and private key] value through java keytools utility.
b. Alias name for your keypair must match your Default Local node.
For example, if the default local node is defined as “qe_local”, we would generate keypair as below:
keytool -genkey -alias QE_LOCAL -keyalg RSA -keysize 1024 -dname "CN=QE_LOCAL, OU=PeopleTools, O=Oracle, L=Pleasanton, ST=California, C=US" -keypass interop -keystore interop.jks -storepass interop
c. Generate CSR for this public key and get it signed by CA.
d. Downloaded the signed public key cert and Root CA
e. Import Root CA and the signed public key cert.
f. Enable digital signature on the remote node. In our example we have defined QE_IBTGT as the remote node. Navigate to PeopleTools->Integration Broker->Integration Setup->Nodes. On WS-Security tab set authentication token type to ‘Username Token’ and enable ‘Digitally Signed'.
This process will ensure the soap message will be signed. It is signing the header and the body. This means the whole soap message.
2. To enable the encryption for the outbound service operation.
a. Import public key and Root CA of the third party application into your keystore. For our case here it will be interop.jks
b. Ensure third party’s public key with the Alias name must match with the Remote Node name. In our case that would be QE_IBTGT.
Import cert as below:
keytool -import -alias qe_ibtgt -file qe_ibtgt.cer -keypass interop -keystore interop.jks -storepass interop
Note: It is not required for cert file name to match cert alias name.
c. Enable encryption on the remote node, QE_IBTGT. Navigate to PeopleTools->Integration Broker->Integration Setup->Nodes. On WS-Security tab set authentication type to ‘Username Token’ and enable ‘Encrypted’ flag.
If you are signing the message in addition to encrypting it then you would have both the flags, for encryption and signature enabled
One of the common issues is that UserName token is not generated and you get an empty header. In those cases ensure
a. Remote node that tied with the service operation has WS-Security enabled. Navigate to
PeopleTools -> Integration Broker -> Integration Setup -> Nodes. Verify authentication token type is set to ‘Username Token’
b. IB supports various connector types. For Web Service Secruity you need to have HTTPTARGET connector enabled. Verify it accordingly on the Connectors tab.
c. In cases you need to investigate further and report issues to Global Support to help diagnose the problem, turn on the message log set to level 5 in intergrationGateway.properties file. It generates MsgLog.html and ErrorLog.html that provide useful information to support analyst to help identify the problem. It is located at: …\PSIGW.war\WEB-INF.