Monday Feb 27, 2012

Policy Authorization Example in SOA Suite 11g

Use Case:

We have a composite that we want to limit access to.  We will use HTTP basic authentication and an authorization policy to ensure that access is only granted to users who are members of a particular group.

We will use the WebLogic Server Console to create our users and group.  Authentication and Authorization for the composite will be entirely configured in Enterprise Manager with notes on how some steps can also be done in JDeveloper. Note that all screenshots were taken using 11.1.1.6 (PS5).


Configure the Users and Group

(No screenshots for this section but they will be used extensively in the following sections)
  1. Login to the WLS console ('http://<host>:<port>/console')
  2. In the left menu select 'Security Realms'
  3. Select the realm where you want to create the users and groups.  The default is 'myrealm'
  4. At the top select the 'Users and Groups' tab
  5. You'll start with 'Users', so click 'New' and enter your user name and password.  Create as many users as you want, but here we are using 'Bob1', 'Bill1' and 'jane'
  6. Go to the 'Groups' tab and create a new group.  Here we're using 'Group1'
  7. Go back to the users and select 'Bob1'
  8. Select the 'Groups' tab and add 'Group1'.  Do the same for 'Bill1'. We're going to intentionally leave 'jane' out of the group.

You've got your users and groups configured

If you haven't already done so, deploy your composite now.



Configuration in Enterprise Manager (EM)

The EM configuration is comprised of the following steps:
  1. Add a Domain Credential
  2. Add an Application Role
  3. Add an Application Policy that assigns the Application Role a specific permission
  4. Add 3 WS Policies to the project

Let's first add a domain Credential.  From the left menu expand the domains and right click on the domain name.

1.  Add Domain Credential


1.1) Login to EM

1.2) Select 'Security' -> 'Credentials'
1.3) Select 'Create Map'

1.4) Enter the map name as 'oracle.wsm.security'

1.5) Click 'OK'

1.6) Highlight the new Map and select 'Create Key'

1.7) Enter the key name as 'basic.credentials'

1.8) Enter the user name and password. We're using the admin user 'weblogic' here for simplicity; 'basic.credentials' in the 'oracle.wsm.security' map is the csf-key that the OWSM HTTP token client policy looks up by default when it has to send a user name and password, so in a real deployment store a dedicated, least-privileged account there rather than the domain administrator.

1.9) Click 'OK'. The 'oracle.wsm.security' map now contains the key 'basic.credentials'.

The next steps in our configuration are to configure the Application Role and Application Policy.  These will be used by the Authorization policy.

2.  Create the Application Role


2.1) In the left menu right click the domain name

2.2) Select 'Security' -> 'Application Roles'

2.3) Select 'soa-infra' in the 'Application Stripe' drop down

2.4) Select 'Create' as we are going to create a new Application Role

We're going to name our new role 'GroupOneRole'

2.5) Under Members click 'Add'

The Type should be 'Group'

2.6) Search and select Group1 which we created earlier

2.7) Click 'OK'

You should now have Group1 in your Members list.

3.  Create the Application Policy


3.1) Right click on the domain name again

3.2) Select 'Security' -> 'Application Policies'

The 'Application Stripe' is 'soa-infra'
The 'Principal Type' is 'Application Role'

3.3) Search

3.4) Click 'Create'

3.5) Under 'Permissions' click 'Add'

3.6) Immediately click the 'Continue' button to get to the custom entry form

Intuitively it seems that a selection from the list of pre-defined permissions is needed here, but it is not for what we want to do; the OWSM permission class is entered by hand on the next form.

3.7) For 'Permission Class' enter 'oracle.wsm.security.WSFunctionPermission'

3.8) We're going to cheat a bit and enter '*' for both Resource Name and Permission Actions.  This grants the role every operation on every web service in the stripe.  In an actual implementation you would specify the web service as the resource name and only the relevant operations as the actions, so that the grant is no wider than the use case requires.

3.9) Click 'Select' and here's what we have for Permissions:

3.10) Under 'Grantee' click 'Add'

3.11) Search with the defaults and select 'GroupOneRole'

3.12) Click 'OK'

Your 'Create Application Grant' screen now lists one permission (class 'oracle.wsm.security.WSFunctionPermission', resource name '*', actions '*') and one grantee ('GroupOneRole').

3.13) Click 'OK' at the top right and confirm that the 'GroupOneRole' Principal appears in the list

We're now ready to add the policies to the project.

4.  Add WS Policies to Project


4.1) Right click on the project name

4.2) Select 'Policies'

Here we see that the project has no policies associated with it.  We're going to add 3.

4.3) Select 'Attach To/Detach From'

Depending on the complexity of your project you will likely have more components than this.  Here we're going to select the web service that is the entry point for our composite, 'bpelprocess2_client_ep'.  The following window opens.

We're going to add 3 policies:

  • 'oracle/wss_http_token_service_policy' for authentication
  • 'oracle/log_policy' for logging the policy activities
  • 'oracle/binding_permission_authorization_policy' for authorization
All of these policies can be added to the web service in JDeveloper by right clicking on the service in the composite design view and selecting 'Configure WS Policies...'. The form is similar to what is shown here in EM.

4.4) Highlight the selections from the list and click 'Attach'.  When completed your 'Directly Attached Policies' should look like this:

4.5) Select 'Validate' and then 'OK'

The project's 'Policies' page now lists the three attached policies.

The configuration is complete.
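The console and EM steps above (users and group, credential, application role, application grant, policy attachment) can also be scripted so the setup is repeatable across environments. The following WLST script is an added example written for this post; it is not code from the original page or from Oracle. It performs the same steps through the DefaultAuthenticator MBean, the OPSS credential and policy store commands, and the OWSM policy attachment commands. The admin URL and password, the domain name 'soa_domain', the composite name 'BPELProcess2', partition 'default', revision '1.0' and port name 'BPELProcess2_pt' are assumptions, since the post only names the service 'bpelprocess2_client_ep'; replace them with your own values.

```python
# Added example (not from the original post): WLST automation of the console
# and EM steps above. The names connect, disconnect, serverConfig, cd, cmo,
# true, createCred, createAppRole, grantAppRole, grantPermission,
# attachWebServicePolicies and listWebServicePolicies are provided by the
# Fusion Middleware WLST shell, not by Python itself.

ADMIN_URL = 't3://localhost:7001'   # assumption: your AdminServer URL
ADMIN_USER = 'weblogic'
ADMIN_PASSWORD = 'welcome1'         # assumption; read it from a prompt or file in real use
DOMAIN = 'soa_domain'               # assumption: your domain name
REALM = 'myrealm'                   # the default realm used in the post

# Test users and group from the post; jane is deliberately not in Group1.
USERS = {'Bob1': 'weblogic1', 'Bill1': 'weblogic1', 'jane': 'weblogic1'}
GROUP = 'Group1'
GROUP_MEMBERS = ['Bob1', 'Bill1']

STRIPE = 'soa-infra'
APP_ROLE = 'GroupOneRole'
PERMISSION_CLASS = 'oracle.wsm.security.WSFunctionPermission'

# The three policies of section 4, in the order the post lists them.
POLICIES = [
    'oracle/wss_http_token_service_policy',            # authentication
    'oracle/log_policy',                               # message logging
    'oracle/binding_permission_authorization_policy',  # authorization
]


def composite_app_name(partition, composite, revision):
    """OWSM WLST addresses a deployed composite as '<partition>/<name>[<revision>]'."""
    return '%s/%s[%s]' % (partition, composite, revision)


def authenticator_path(domain, realm):
    """MBean path of the DefaultAuthenticator that holds embedded-LDAP users and groups."""
    return '/SecurityConfiguration/%s/Realms/%s/AuthenticationProviders/DefaultAuthenticator' % (domain, realm)


def create_users_and_group():
    """'Configure the Users and Group': console steps 1-8, made idempotent."""
    serverConfig()
    cd(authenticator_path(DOMAIN, REALM))
    for name, password in USERS.items():
        if not cmo.userExists(name):
            cmo.createUser(name, password, name)
    if not cmo.groupExists(GROUP):
        cmo.createGroup(GROUP, GROUP)
    for name in GROUP_MEMBERS:
        if not cmo.isMember(GROUP, name, true):
            cmo.addMemberToGroup(GROUP, name)


def create_credential():
    """Section 1: map 'oracle.wsm.security', key 'basic.credentials'."""
    createCred(map='oracle.wsm.security', key='basic.credentials',
               user=ADMIN_USER, password=ADMIN_PASSWORD,
               desc='HTTP basic credential for OWSM client policies')


def create_role_and_grant():
    """Sections 2 and 3: application role with Group1 as member, plus the permission grant."""
    createAppRole(appStripe=STRIPE, appRoleName=APP_ROLE)
    grantAppRole(appStripe=STRIPE, appRoleName=APP_ROLE,
                 principalClass='weblogic.security.principal.WLSGroupImpl',
                 principalName=GROUP)
    # '*'/'*' mirrors step 3.8 of the post; narrow the target and actions in production.
    grantPermission(appStripe=STRIPE,
                    principalClass='oracle.security.jps.service.policystore.ApplicationRole',
                    principalName=APP_ROLE,
                    permClass=PERMISSION_CLASS, permTarget='*', permActions='*')


def attach_policies(app, composite, service, port):
    """Section 4: attach the three policies to the composite's entry-point service."""
    attachWebServicePolicies(app, composite, 'soa', service, port, POLICIES)
    listWebServicePolicies(app, composite, 'soa', service, port)   # show what is now attached


def run():
    connect(ADMIN_USER, ADMIN_PASSWORD, ADMIN_URL)
    try:
        create_users_and_group()
        create_credential()
        create_role_and_grant()
        # Composite name, partition, revision and port name are assumptions;
        # the post only names the service 'bpelprocess2_client_ep'.
        attach_policies(composite_app_name('default', 'BPELProcess2', '1.0'),
                        'BPELProcess2', 'bpelprocess2_client_ep', 'BPELProcess2_pt')
    finally:
        disconnect()


if __name__ == '__main__':
    run()
```

Load it in a WLST session started from the wlst.sh under the SOA Oracle home's common/bin directory (the OPSS and OWSM commands are only present in the Fusion Middleware WLST, not in the plain WebLogic one), for example with execfile('soa_authz_setup.py') followed by run(). The script puts the admin password into the 'basic.credentials' key exactly as the post does; for anything beyond a sandbox use a dedicated account and do not keep the password in a constant.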

For testing we're using JMeter, submitting the request along with the HTTP Authorization header.

I won't get into the JMeter configuration but will provide the responses for two requests.  Let's first try our user 'Bob1'.

HTTP Authorization header value is 'Basic Qm9iMTp3ZWJsb2dpYzE='  (this is the Base64 encoding of 'Bob1:weblogic1').  Keep in mind that Base64 is an encoding, not encryption: anyone who can read the traffic can recover the password, so an endpoint secured this way should only be exposed over SSL/TLS.

Response from our server: the request is accepted, since Bob1 is a member of Group1.

Now let's try user 'jane', who exists in the domain but is not a member of Group1.

HTTP Authorization header value is 'Basic amFuZTp3ZWJsb2dpYzE='  (Base64 encoding of 'jane:weblogic1')

Response from the server:

Here we see the response code 403, which means the resource is forbidden to the authenticated requester: jane's credentials were accepted by the HTTP token policy, but the permission authorization policy found no grant for her.  (A 401 would instead mean the credentials themselves were rejected.)

In the server's standard output we see the following error message:

<Error> <oracle.wsm.resources.security> <WSM-00045> <HTTP authentication/authorization failure.>
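As an added example that is not part of the original post (which used JMeter for this step), here is a small Python 3 client that sends the same two requests. It builds the Basic Authorization header the same way JMeter does and maps the HTTP status code back to which of the two OWSM checks rejected the call. The endpoint URL, the SOAP namespace, the operation name 'process' and the payload are assumptions modelled on a default-project BPEL composite; the user names and password are the post's own test values.

```python
# Added example (not from the original post): HTTP Basic client for the secured composite.
import base64
import urllib.error
import urllib.request

# Assumption: the SOA server's default port and the default composite URL layout.
ENDPOINT = 'http://localhost:8001/soa-infra/services/default/BPELProcess2/bpelprocess2_client_ep'

# Constructed request body; the real namespace and element names come from the composite's WSDL.
SOAP_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns:process xmlns:ns="http://xmlns.oracle.com/Application1/Project1/BPELProcess2">
      <ns:input>hello</ns:input>
    </ns:process>
  </soap:Body>
</soap:Envelope>"""


def basic_auth_header(user, password):
    """RFC 7617 Basic credential: 'Basic ' + base64(user ':' password). Encoding only, no secrecy."""
    token = base64.b64encode(('%s:%s' % (user, password)).encode('utf-8')).decode('ascii')
    return 'Basic ' + token


def classify(status):
    """Map the HTTP status to the outcome of the authentication and authorization checks."""
    if status == 200:
        return 'allowed'
    if status == 401:
        return 'authentication failed'   # standard HTTP meaning: the credential itself was rejected
    if status == 403:
        return 'authorization failed'    # authenticated, but no matching permission grant (jane's case)
    return 'other (%d)' % status


def call(user, password, timeout=10):
    """POST the constructed SOAP request as the given user; return (status, body)."""
    req = urllib.request.Request(ENDPOINT, data=SOAP_BODY.encode('utf-8'), method='POST')
    req.add_header('Content-Type', 'text/xml; charset=utf-8')
    req.add_header('SOAPAction', 'process')   # assumption: operation name
    req.add_header('Authorization', basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode('utf-8', 'replace')
    except urllib.error.HTTPError as e:
        # OWSM rejections arrive as HTTP errors; keep the body for the fault text.
        return e.code, e.read().decode('utf-8', 'replace')


if __name__ == '__main__':
    # Bob1 and Bill1 are in Group1 and should be allowed; jane should get 403.
    for user in ('Bob1', 'Bill1', 'jane'):
        status, body = call(user, 'weblogic1')
        print('%-5s -> %d (%s)' % (user, status, classify(status)))
```

The two header values in the post fall out of basic_auth_header directly, which makes it a convenient way to double check the Base64 you paste into JMeter. When a call comes back as 403, correlate it with the WSM-00045 line in the server output shown above; a 401 or a SOAP fault points at the HTTP token policy or the transport rather than at the grant.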



I hope this post is helpful for anyone trying to enable authorization for their SOA 11g composite applications.  It's a very simple example but perhaps will serve as a good starting point.  In the future we may add the complexity in follow up posts.




Wednesday Feb 22, 2012

Introduction to SOA Information Centers

What is an Information Center (IC)?
Information Centers are meant to be your product landing page on My Oracle Support to see what's new, find useful links and hopefully avoid issues. They are specialized documents in our Knowledge Base that aggregate and organize the latest and most relevant information for a product or topic.  Each IC is made up of labeled subsections that display a list of content items.  Some of these subsections are dynamic, automatically picking up new content and dropping aged documents, while others are statically populated.  In either case we do our best to keep all of the content up to date.

Information Centers are product centric and grouped as such.  There will be an Overview IC for the product and a menu containing the associated ICs such as 'Troubleshoot' and 'Install and Configure'.  These documents are handled as a group and ultimately each product should have its own group of ICs.


What are the Available SOA Information Centers?
The SOA Information Centers are organized in a hierarchical fashion starting with 'Service Oriented Architecture' at the top.  We currently have only a subset of the products covered but will be publishing additional ICs soon.  We've tried to make the navigation between ICs intuitive and simple.

These SOA ICs are currently available:


As we work to make our Information Centers more useful we would appreciate any feedback you have on what works and what doesn't.  At the end of the day they exist to meet your needs and we are here to see that they do.


Monday Feb 13, 2012

Diagnose SOA Suite 11g Issues Using RDA (Remote Diagnostic Agent)

  • RDA is a common tool to collect diagnostic data for Oracle products. Administrators of the Oracle Database will already know it.
  • RDA is easy to install and use
  • Recent versions of RDA (>= 4.26) provide a comprehensive set of analysis data for SOA Suite 11g to analyze different types of issues.
  • Diagnostic data can be viewed in a browser and is also available in a zip file to be uploaded to a Service Request.
  • Use RDA to minimize resolution time for SRs and avoid upload requests for basic diagnostic and product information by uploading an RDA collection while creating your SR!

Thursday Feb 09, 2012

Welcome to the SOA Proactive Support Blog

Welcome to the SOA Proactive Support blog.  This is our first post and as such it is an opportunity to introduce ourselves and our mission.

Who We Are
We are a small team of support engineers based in both Europe and the United States.  Our expertise covers SOA products from OSB to BPEL to Human Workflow but we work for all products in the SOA stack. We've been in existence for about a year now but have been less visible than we would like to be.


Our Mission

  • Improve the customer experience
  • Enable customers to avoid / prevent issues when working with our products
  • Enable faster resolution of problems when they occur


Our Activities

  • Enhancement and maintenance of our knowledgebase
  • Improving product diagnostic capabilities
  • Improvements to the product documentation
  • Coordination with Product Management and Development
  • Outreach to improve awareness of new documents, tools, etc.
  • Maintain an open channel for feedback


Our hope is that this blog will serve as a two-way communication channel. Although we obviously want new resources to be utilized we are also very interested in feedback on what we can improve. Many suggestions we can act on immediately while others may take more time but all of them will be acknowledged and followed up on.

Although there are many specific activities that could be discussed here we will leave them for their own posts. Thank you for your time and we look forward to both informing and working with you.

About

This is the official blog of the SOA Proactive Support Team. Here we will provide information on our activities, publications, product related information and more. Additionally we look forward to your feedback to improve what we do.