Oracle Web Service Manager 11g Field level Encryption (in SOA WLS)
March 2012
Step-by-Step Instruction Guide
Author: Prakash Yamuna, Senior Development Manager
Oracle Corporation
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 1.0
Table of Contents
Use Case
    Description
    Objective
    Scenario
Software Requirements
    Prerequisites
    Verified Product Version
    Potentially Applies to Product Version(s)
    Download Main Page
    Product URLs
Step by Step Instructions
    Create Purchase Order WLS JAX-WS POJO Web Service
    Create Custom Policy for Field level Encryption
    Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
    Create Purchase Order Composite App
    Attach Custom Policy created previously to the Purchase Order Composite App Reference
    Create Keystore and Credentials in Credential Store
Use Case
Description
In this How-To I will demonstrate how to do field level encryption. By default, all the message protection related policies that ship out of the box with OWSM encrypt the entire body of the SOAP message. However, in many cases customers may want to encrypt only certain sensitive fields in the SOAP message rather than the entire body of the SOAP message.
Examples:
a) Customer wants to encrypt the SSN in the SOAP message.
b) Customer wants to encrypt the credit card number in the SOAP message.
For the purposes of this How-To we will build a SOA Composite app, which will act as a web service client, and a WLS JAX-WS service, which will act as the backend web service.
Objective
Show how to create OWSM custom policies that will encrypt certain fields in a SOAP message, and use these custom policies to secure a web service client and a web service.
Scenario
This How-To will demonstrate:
1. We will use a simple PurchaseOrder WLS POJO JAX-WS.
2. A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service.
3. Create field level encryption client and service policy.
4. Secure the PurchaseOrder WLS POJO JAX-WS with the OWSM field level encryption service policy.
5. Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy.
6. Set up the Keystore and Credential Store required for encryption.
[Architecture diagram. Labels: OWSM Policy Store; Policy Manager; CRUD; JDeveloper (Policy Attachment, Override Config, Find Matching Policy); Enterprise Manager (Policy Authoring, Versioning, Usage Tracking, Violation Metrics, Migration); Purchase Order SOA Composite App with OWSM Agent; SOAP/HTTP; Purchase Order WLS JAX-WS Service with OWSM Agent; sample/field_level_encryption_client_policy; sample/field_level_encryption_service_policy.]
Software Requirements
Prerequisites
    Product                                          Download URL
    1. Install SOA Suite 11.1.1.6 with JDeveloper
Verified Product Version
    Product          Release Version
    1. WebLogic      10.3.6
    2. SOA           11.1.1.6
    3. JDeveloper    11.1.1.6
Potentially Applies to Product Version(s)
    Product          Release Version
    1. WebLogic      10.3.3, 10.3.4, 10.3.5, 10.3.6
    2. SOA           11.1.1.4, 11.1.1.5, 11.1.1.6
Download Main Page
    http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html
Product URLs
    Product                      URL                                Login/Password
    EM Fusion Middle Control     http://admin_host:admin_port/em    User: weblogic, Password: welcome1
Step by Step Instructions
Create Purchase Order WLS JAX-WS POJO Web Service
POJO based WLS JAX-WS PurchaseOrder Web Service
    package sample.purchaseorder;

    import java.util.Date;
    import javax.jws.WebService;

    @WebService
    public class PurchaseOrder {
        public PurchaseOrder() {
            super();
        }

        // creditCardNumber is the sensitive field that the custom policy encrypts.
        public int createPurchaseOrder(String creditCardNumber, int orderQuantity, int orderPrice, String itemType) {
            // The discount depends on the item type.
            int discount = 5;
            if (itemType.startsWith("BOOK")) {
                discount = 10;
            }
            int purchaseAmount = orderPrice * orderQuantity;
            if (purchaseAmount < 0) {
                purchaseAmount = 0;
            }
            // Card numbers starting with 1111 are rejected by the sample.
            if (creditCardNumber.startsWith("1111")) {
                throw new RuntimeException("Illegal Credit Card Number");
            }
            return purchaseAmount;
        }
    }

The PurchaseOrder sample takes 4 parameters:
1. creditCardNumber – this is a sensitive field which we want to encrypt
2. orderQuantity
3. orderPrice
4. itemType
itemType is used to calculate discount. The createPurchaseOrder method basically returns the total amount of the purchased order.
Figure 1 shows the schema for the JAX-WS Web Service.
Figure 1: Schema for PurchaseOrder Sample
Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body xmlns:ns1="http://purchaseorder.sample/">
        <ns1:createPurchaseOrder>
          <arg0>1111-2345-4560</arg0>
          <arg1>100</arg1>
          <arg2>90</arg2>
          <arg3>BOOK</arg3>
        </ns1:createPurchaseOrder>
      </soap:Body>
    </soap:Envelope>

Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service
You can test the Web Service via the FMWCTL Test page, as shown in Figure 3.
Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS
Create Custom Policy for Field level Encryption
The next step is creating a policy in OWSM to handle field level encryption/decryption. For this sample we will start with the wss11_message_protection_[client|service]_policy.
First we will create a field level decryption policy from the wss11_message_protection_service_policy.
1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL, as shown in Figure 4.
Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2. Give the new policy a name – we will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.
Figure 5: New sample/field_level_decryption_service_policy
3. Turn off Body Signing and Body Encryption for Request, as shown in Figure 6.
Figure 6: Turn off Body Signing/Encryption for Request
4. Turn off Body Signing and Body Encryption for Response, as shown in Figure 7.
Figure 7: Turn off Body Signing/Encryption for Response
5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 8: Adding specific fields to be decrypted
6. Figure 9 shows the end result of adding the XML element to be decrypted.
Figure 9: Policy after adding XPath Expression for field level encryption
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.
Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy
8. Give the new policy a name – we will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.
Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy
9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.
Figure 12: Turn off Body Signing and Body Encryption for Request
10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 13: Add specific elements to encrypt
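The namespace and element name entered in steps 5 and 10 become an XPath predicate on namespace-uri() and local-name(), so the assertion covers only elements whose namespace matches exactly. The following Python check is an added example, not part of the original guide or of OWSM: it reads such a predicate from a constructed policy fragment and reports whether the targeted field in a constructed SOAP request is selected in clear text, not selected at all, or already replaced by xenc:EncryptedData. The punctuation of the namespace http://purchaseorder.sample/ and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
XENC = "http://www.w3.org/2001/04/xmlenc#"
APP_NS = "http://purchaseorder.sample/"  # assumed punctuation of the sample namespace

# Constructed policy fragment using the predicate form the service WSDL advertises.
POLICY = (
    '<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">'
    f'<sp:EncryptedElements xmlns:sp="{SP}"><sp:XPath>'
    f"descendant-or-self::*[namespace-uri()='{APP_NS}' and local-name()='arg0']"
    "</sp:XPath></sp:EncryptedElements></wsp:Policy>"
)


def envelope(fields_xml):
    """Wrap request fields in the createPurchaseOrder SOAP envelope (constructed)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body xmlns:ns1="{APP_NS}">'
        f"<ns1:createPurchaseOrder>{fields_xml}</ns1:createPurchaseOrder>"
        "</soap:Body></soap:Envelope>"
    )


REST = "<arg1>100</arg1><arg2>90</arg2><arg3>BOOK</arg3>"
# arg0 without a namespace, as the sample request prints it.
MSG_UNQUALIFIED = envelope("<arg0>1111-2345-4560</arg0>" + REST)
# Constructed variant: arg0 qualified with the service namespace.
MSG_QUALIFIED = envelope("<ns1:arg0>1111-2345-4560</ns1:arg0>" + REST)
# Constructed variant: arg0 replaced by EncryptedData (dummy cipher text).
MSG_ENCRYPTED = envelope(
    f'<xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">'
    "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
    "</xenc:EncryptedData>" + REST
)

# Matches the trailing [namespace-uri()='...' and local-name()='...'] predicate.
_PRED = re.compile(
    r"""\[\s*namespace-uri\(\)\s*=\s*(['"])(.*?)\1\s+and\s+"""
    r"""local-name\(\)\s*=\s*(['"])(.*?)\3\s*\]\s*$"""
)


def policy_targets(policy_xml):
    """Return (namespace, local-name) pairs named under sp:EncryptedElements."""
    targets = []
    for block in ET.fromstring(policy_xml).iter(f"{{{SP}}}EncryptedElements"):
        for xp in block.findall(f"{{{SP}}}XPath"):
            m = _PRED.search((xp.text or "").strip())
            if not m:
                raise ValueError(f"unsupported XPath form: {xp.text!r}")
            targets.append((m.group(2), m.group(4)))
    return targets


def split_tag(tag):
    """ElementTree spells qualified names '{ns}local'; unqualified names have no braces."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)


def audit(message_xml, policy_xml):
    """Count what the policy predicate selects, near misses, and EncryptedData in the Body."""
    body = ET.fromstring(message_xml).find(f"{{{SOAP}}}Body")
    targets = set(policy_targets(policy_xml))
    names = {local for _, local in targets}
    tags = [split_tag(el.tag) for el in body.iter()]
    return {
        # Elements the predicate selects and that are still readable.
        "selected_plain": sum(1 for t in tags if t in targets),
        # Same element name, different namespace: the predicate skips these.
        "name_only_match": sum(1 for t in tags if t[1] in names and t not in targets),
        "encrypted_data": sum(1 for _ in body.iter(f"{{{XENC}}}EncryptedData")),
    }


def verdict(message_xml, policy_xml):
    """Summarise an audit result for one captured message."""
    r = audit(message_xml, policy_xml)
    if r["selected_plain"]:
        return "cleartext"
    if r["name_only_match"]:
        return "not-selected"
    return "encrypted" if r["encrypted_data"] else "absent"


if __name__ == "__main__":
    for name, msg in [("unqualified", MSG_UNQUALIFIED),
                      ("qualified", MSG_QUALIFIED),
                      ("encrypted", MSG_ENCRYPTED)]:
        print(name, audit(msg, POLICY), verdict(msg, POLICY))
```

On a request captured after the client agent has run, a "cleartext" or "not-selected" verdict means the card number is still readable in the message.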
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.
Figure 14: Click on FieldLevelEncryption-Project1-context-root Application
Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu
Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service:

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The sp:EncryptedElements assertion (highlighted in bold in the original) indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23: Result of creating a BPEL Process using the "Base on a WSDL" option
Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store, either via EM or using WLST.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 2
Table of Contents Use Case 3
Description 3
Objective 3
Scenario 4
Software Requirements 5
Prerequisites 5
Verified Product Version 5
Potentially Applies to Product Version(s) 5
Download Main Page 5
Product URLs 5
Step by Step Instructions 6
Create Purchase Order WLS JAX-WS POJO Web Service 6
Create Custom Policy for Field level Encryption 11
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service 22
Create Purchase Order Composite App 28
Attach Custom Policy created previously to the Purchase Order Composite App Reference 41
Create Keystore and Credentials in Credential Store 47
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 3
Use Case
Description
In this How-To I will demonstrate how one can do field level encryption By default all the message protection
related policies that ship out of the box with OWSM encrypt the entire body of the SOAP message However in
many cases customerrsquos may want to encrypt only certain fields in the SOAP message that are sensitive rather
than the entire body of the SOAP message
Ex
a) Customer wants to encrypt the SSN in the SOAP message
b) Customer wants to encrypt the credit card number in the SOAP message
For the purposes of this How To we will build a SOA Composite app which will act as a web service client and
a WLS JAX-WS which will act as the backend web service
Objective
Show How to create OWSM custom policies in that will encrypt certain fields in a SOAP message and use these custom
policies to secure a web service client and web service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 4
Scenario
This How-To will demonstrate
1 We will use a simple PurcahseOrder WLS POJO JAX-WS 2 A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service 3 Create Field level encryption client and service policy
OWSM Policy Store
Purchase Order
SOA Composite App
JDeveloper
bull Policy Attachment
bull Override Config
bull Find Matching Policy
SOAP HTTP
Enterprise Manager
bull Policy Authoring
bull Versioning
bull Usage Tracking
bull Violation Metrics
bull Migration
CRUD
Purchase Order
WLS JAX-WS Service
OWSM Agent OWSM Agent
Policy Manager
samplefield_level_encryption_client_policy
samplefield_level_encryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 5
4 Secure the PurchaseOrder WLS POJO JAX-WS with OWSM field level encryption service policy 5 Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy 6 Set up the Keystore and Credential Store required for encryption
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
Verified Product Version
Product Release Version
1 WebLogic 1036
2 SOA 11116
3 JDeveloper 11116
Potentially Applies to Product Version(s)
Product Release Version
1 WebLogic 1033 1034 1035 1036
2 SOA 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Product URLs
Product URL LoginPassword
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 6
Step by Step Instructions
Create Purchase Order WLS JAX-WS POJO Web Service
POJO based WLS JAX-WS PurchaseOrder Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 7
The PurchaseOrder sample takes 4 parameters
1 creditCardNumber ndash this is a sensitive field which we want to encrypt
package samplepurchaseorder
import javautilDate
import javaxjwsWebService
WebService
public class PurchaseOrder
public PurchaseOrder()
super()
public int createPurchaseOrder(String creditCardNumber int orderQuantity int orderPrice String itemType)
int discount = 5
if (itemTypestartsWith(BOOK))
discount = 10
int purchaseAmount = orderPrice orderQuantity
if (purchaseAmount lt 0)
purchaseAmount = 0
if (creditCardNumberstartsWith(1111))
throw new RuntimeException(Illegal Credit Card Number)
return purchaseAmount
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 8
2 orderQuantity 3 orderPrice 4 itemType
itemType is used to calculate discount The createPurchaseOder method basically returns the total amount of the
purchased order
Figure 1 shows the Schema for the JAX-WS Web Service
Figure 1 Schema for PurchaseOrder Sample
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 9
Here is a sample message for testing with this Web Service
Figure 2 Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service
You can test the Web Service via the FMWCTL Test page as shown in Figure 3
ltsoapEnvelope xmlnssoap=httpschemasxmlsoaporgsoapenvelopegt
ltsoapBody xmlnsns1=httppurchaseordersamplegt
ltns1createPurchaseOrdergt
ltarg0gt1111-2345-4560ltarg0gt
ltarg1gt100ltarg1gt
ltarg2gt90ltarg2gt
ltarg3gtBOOKltarg3gt
ltns1createPurchaseOrdergt
ltsoapBodygt
ltsoapEnvelopegt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 10
Figure 3 Testing the POJO PurchaseOrder WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 11
Create Custom Policy for Field level Encryption
The next step is creating a Policy in OWSM to handle field level encryptiondecryption For this sample ndash we will start
with the wss11_message_protection_[client|service]_policy
First we will create a field level decryption policy from the wss11_message_protection_service_policy
1 Search for wss11_message_protection_service_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 4
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 12
Figure 4 Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2 Give the new policy a name ndash we will call it ldquosamplefield_level_decryption_service_policy as shown in Figure 5
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 13
Figure 5 New samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 14
3 Turn off Body Signing and Body Encryption for Request as show in Figure 6
Figure 6 Turn off Body SigningEncryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 15
4 Turn off Body Signing and Body Encryption for Response as show in Figure 7
Figure 7 Turn off Body SigningEncryption for Response
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 16
5 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 8 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shown Figure 8 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 8 Adding specific fields to be decrypted
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 17
6 Figure 9 Shows the end result of adding the XML Element to be decrypted
Figure 9 Policy after adding Xpath Expression for field level encryption
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 18
Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy
7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10
Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 19
8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11
Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created “sample/field_level_decryption_service_policy” to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.
Figure 14. Click on FieldLevelEncryption-Project1-context-root Application
Figure 15. Navigate to the Web Services in the Application via the Application Deployment Menu
Figure 16. Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17. Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18. Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19. The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

Figure 20. WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The part highlighted in bold indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with “sample/field_level_decryption_service_policy”.
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
Figure 21. Insert a BPEL Process into an Empty Composite App
Figure 22. Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23. Result of creating a BPEL Process using the Base on a WSDL option
Figure 24. In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25. Walk through the PartnerLink creation process
Figure 26. Completion of the Partner Link creation process
Figure 27. Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28. The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29. Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30. Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31. BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32. Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the “sample/field_level_encryption_client_policy” to the PurchaseOrderReference of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33. Click on the PurchaseOrderComposite App on the left hand side
Figure 34. Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35. On the PurchaseOrderReference, click on the Policies tab
Figure 36. Click on the Attach/Detach button
Figure 37. Attach the sample/field_level_encryption_client_policy
Figure 38. The Policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store either via EM or using WLST. This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39. View the Credential Store from the Weblogic Domain menu
Figure 40. Contents of the oracle.wsm.security Credential Map
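With both policies attached and the keystore in place, a captured request can be checked to confirm that the field named in the policy really left the client encrypted. The script below is an added example, not part of the original guide or of OWSM: it reports whether arg0 still appears in cleartext, whether an EncryptedData of type Element is present and referenced from the header, and which fields remain readable. Both messages are constructed samples based on Figure 2; the function names, the Id value and the header layout are assumptions.

```python
"""Check a captured SOAP request for field-level encryption of one element."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC_NS
DATA_REFERENCE = "{%s}DataReference" % XENC_NS
ELEMENT_TYPE = XENC_NS + "Element"  # whole element, tag included, is encrypted

# Target named by the EncryptedElements XPath of the policy in the guide.
TARGET_NS, TARGET_NAME = "http://purchaseorder.sample/", "arg0"

# Constructed sample: the cleartext request of Figure 2.
CLEARTEXT_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body xmlns:ns1="{TARGET_NS}">
    <ns1:createPurchaseOrder>
      <arg0>1111-2345-4560</arg0>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: the same request with arg0 replaced by EncryptedData.
# The Id, the cipher text and the header layout are placeholders.
ENCRYPTED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"
    xmlns:xenc="{XENC_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header>
    <wsse:Security>
      <xenc:EncryptedKey>
        <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#enc-arg0"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:ns1="{TARGET_NS}">
    <ns1:createPurchaseOrder>
      <xenc:EncryptedData Id="enc-arg0" Type="{ELEMENT_TYPE}">
        <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>"""


def scan(element, found):
    """Walk the Body: record encrypted blobs, target hits, readable leaves."""
    for child in element:
        if child.tag == ENCRYPTED_DATA:
            found["encrypted"].append(child)  # do not descend into cipher text
            continue
        tag = child.tag
        ns, _, local = tag[1:].rpartition("}") if tag[0] == "{" else ("", "", tag)
        # Wrapper children such as arg0 are unqualified in the sample request,
        # so the policy namespace OR no namespace counts as a hit (assumption).
        if local == TARGET_NAME and ns in ("", TARGET_NS):
            found["target"].append(child)
        if len(child) == 0 and (child.text or "").strip():
            found["leaves"].append(local)
        scan(child, found)


def check_field_encryption(xml_text):
    """Report whether the target field left the client encrypted."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("SOAP messages must not carry a DTD; not parsing")
    root = ET.fromstring(xml_text)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("no SOAP Body found")
    found = {"encrypted": [], "target": [], "leaves": []}
    scan(body, found)
    header = root.find("{%s}Header" % SOAP_NS)
    refs = set()
    if header is not None:  # Ids the Security header claims to have encrypted
        refs = {r.get("URI", "").lstrip("#") for r in header.iter(DATA_REFERENCE)}
    element_level = [e for e in found["encrypted"] if e.get("Type") == ELEMENT_TYPE]
    unreferenced = [e.get("Id") for e in element_level if e.get("Id") not in refs]
    return {
        "target_in_cleartext": bool(found["target"]),
        "encrypted_elements": len(element_level),
        "unreferenced": unreferenced,
        "cleartext_leaves": sorted(found["leaves"]),  # still readable on the wire
        "ok": not found["target"] and bool(element_level) and not unreferenced,
    }


if __name__ == "__main__":
    for name, msg in (("cleartext", CLEARTEXT_REQUEST), ("encrypted", ENCRYPTED_REQUEST)):
        print(name, check_field_encryption(msg))
```

In the encrypted sample arg1 to arg3 stay listed under cleartext_leaves: field-level protection hides only the element named in the policy, so any other sensitive field needs its own XPath entry.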
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Scenario
This How-To will demonstrate:
1. We will use a simple PurchaseOrder WLS POJO JAX-WS
2. A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service
3. Create Field level encryption client and service policy
4. Secure the PurchaseOrder WLS POJO JAX-WS with OWSM field level encryption service policy
5. Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy
6. Set up the Keystore and Credential Store required for encryption
[Architecture diagram. Labels: Purchase Order SOA Composite App; Purchase Order WLS JAX-WS Service; OWSM Agent (two); SOAP / HTTP; OWSM Policy Store; Policy Manager; CRUD; JDeveloper (Policy Attachment, Override Config, Find Matching Policy); Enterprise Manager (Policy Authoring, Versioning, Usage Tracking, Violation Metrics, Migration); sample/field_level_encryption_client_policy; sample/field_level_encryption_service_policy]
Software Requirements
Prerequisites
    Product                                        Download URL
    1. Install SOA Suite 11.1.1.6 with JDeveloper

Verified Product Version
    Product          Release Version
    1. WebLogic      10.3.6
    2. SOA           11.1.1.6
    3. JDeveloper    11.1.1.6

Potentially Applies to Product Version(s)
    Product          Release Version
    1. WebLogic      10.3.3, 10.3.4, 10.3.5, 10.3.6
    2. SOA           11.1.1.4, 11.1.1.5, 11.1.1.6

Download Main Page
http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

Product URLs
    Product                     URL                                Login/Password
    EM Fusion Middle Control    http://admin_host:admin_port/em    User: weblogic, Password: welcome1
Step by Step Instructions
Create Purchase Order WLS JAX-WS POJO Web Service
POJO based WLS JAX-WS PurchaseOrder Web Service:

    package sample.purchaseorder;

    import java.util.Date;
    import javax.jws.WebService;

    @WebService
    public class PurchaseOrder {
        public PurchaseOrder() {
            super();
        }

        public int createPurchaseOrder(String creditCardNumber, int orderQuantity,
                                       int orderPrice, String itemType) {
            // discount is computed here but not applied to the returned amount
            int discount = 5;
            if (itemType.startsWith("BOOK")) {
                discount = 10;
            }
            int purchaseAmount = orderPrice * orderQuantity;
            if (purchaseAmount < 0) {
                purchaseAmount = 0;
            }
            if (creditCardNumber.startsWith("1111")) {
                throw new RuntimeException("Illegal Credit Card Number");
            }
            return purchaseAmount;
        }
    }

The PurchaseOrder sample takes 4 parameters:
1. creditCardNumber – this is a sensitive field which we want to encrypt
2. orderQuantity
3. orderPrice
4. itemType
itemType is used to calculate the discount. The createPurchaseOrder method basically returns the total amount of the purchased order.
Figure 1 shows the Schema for the JAX-WS Web Service.
Figure 1. Schema for PurchaseOrder Sample
Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body xmlns:ns1="http://purchaseorder.sample/">
        <ns1:createPurchaseOrder>
          <arg0>1111-2345-4560</arg0>
          <arg1>100</arg1>
          <arg2>90</arg2>
          <arg3>BOOK</arg3>
        </ns1:createPurchaseOrder>
      </soap:Body>
    </soap:Envelope>

Figure 2. Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service
You can test the Web Service via the FMWCTL Test page as shown in Figure 3.
Figure 3. Testing the POJO PurchaseOrder WLS JAX-WS
Create Custom Policy for Field level Encryption
The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample – we will start with the wss11_message_protection_[client|service]_policy.
First we will create a field level decryption policy from the wss11_message_protection_service_policy.
1. Search for wss11_message_protection_service_policy and click on “Create Like” in FMWCTL as shown in Figure 4.
Figure 4. Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2. Give the new policy a name – we will call it “sample/field_level_decryption_service_policy” as shown in Figure 5.
Figure 5. New sample/field_level_decryption_service_policy
3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.
Figure 6. Turn off Body Signing/Encryption for Request
4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.
Figure 7. Turn off Body Signing/Encryption for Response
5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the “Add” button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number, which is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 8. Adding specific fields to be decrypted
6. Figure 9 shows the end result of adding the XML Element to be decrypted.
Figure 9. Policy after adding XPath Expression for field level encryption
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on “Create Like” in FMWCTL as shown in Figure 10.
Figure 10. Creating a Field level Encryption Policy from wss11_message_protection_client_policy
8. Give the new policy a name – we will call it “sample/field_level_encryption_client_policy” as shown in Figure 11.
Figure 11. Provide a name for the new policy: sample/field_level_encryption_client_policy
9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.
Figure 12. Turn off Body Signing and Body Encryption for Request
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 4
Scenario
This How-To will demonstrate
1 We will use a simple PurcahseOrder WLS POJO JAX-WS 2 A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service 3 Create Field level encryption client and service policy
OWSM Policy Store
Purchase Order
SOA Composite App
JDeveloper
bull Policy Attachment
bull Override Config
bull Find Matching Policy
SOAP HTTP
Enterprise Manager
bull Policy Authoring
bull Versioning
bull Usage Tracking
bull Violation Metrics
bull Migration
CRUD
Purchase Order
WLS JAX-WS Service
OWSM Agent OWSM Agent
Policy Manager
samplefield_level_encryption_client_policy
samplefield_level_encryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 5
4 Secure the PurchaseOrder WLS POJO JAX-WS with OWSM field level encryption service policy 5 Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy 6 Set up the Keystore and Credential Store required for encryption
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
Verified Product Version
Product Release Version
1 WebLogic 1036
2 SOA 11116
3 JDeveloper 11116
Potentially Applies to Product Version(s)
Product Release Version
1 WebLogic 1033 1034 1035 1036
2 SOA 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Product URLs
Product URL LoginPassword
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 6
Step by Step Instructions
Create Purchase Order WLS JAX-WS POJO Web Service
POJO based WLS JAX-WS PurchaseOrder Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 7
The PurchaseOrder sample takes 4 parameters
1 creditCardNumber ndash this is a sensitive field which we want to encrypt
package samplepurchaseorder
import javautilDate
import javaxjwsWebService
WebService
public class PurchaseOrder
public PurchaseOrder()
super()
public int createPurchaseOrder(String creditCardNumber int orderQuantity int orderPrice String itemType)
int discount = 5
if (itemTypestartsWith(BOOK))
discount = 10
int purchaseAmount = orderPrice orderQuantity
if (purchaseAmount lt 0)
purchaseAmount = 0
if (creditCardNumberstartsWith(1111))
throw new RuntimeException(Illegal Credit Card Number)
return purchaseAmount
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 8
2 orderQuantity 3 orderPrice 4 itemType
itemType is used to calculate discount The createPurchaseOder method basically returns the total amount of the
purchased order
Figure 1 shows the Schema for the JAX-WS Web Service.

Figure 1: Schema for PurchaseOrder Sample

Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
        <soap:Body xmlns:ns1="http://purchaseorder.sample/">
            <ns1:createPurchaseOrder>
                <arg0>1111-2345-4560</arg0>
                <arg1>100</arg1>
                <arg2>90</arg2>
                <arg3>BOOK</arg3>
            </ns1:createPurchaseOrder>
        </soap:Body>
    </soap:Envelope>

Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3.

Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS
Create Custom Policy for Field level Encryption

The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample – we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on “Create Like” in FMWCTL as shown in Figure 4.

Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name – we will call it “sample/field_level_decryption_service_policy” as shown in Figure 5.

Figure 5: New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload as shown in Figure 8. This is done by clicking on the “Add” button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document. See Figure 2.

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML Element to be decrypted.

Figure 9: Policy after adding XPath Expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on “Create Like” in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name – we will call it “sample/field_level_encryption_client_policy” as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be encrypted in the payload as shown in Figure 13. This is done by clicking on the “Add” button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the element name that needs to be encrypted. In this case we want to encrypt the credit card number. This is arg0 in the sample message posted earlier in this document. See Figure 2.

Figure 13: Add specific elements to encrypt
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created “sample/field_level_decryption_service_policy” to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on OWSM Policies tab. Click on Attach/Detach Button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service:

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="PurchaseOrderPort_Input_Policy">
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
            <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
            <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
        </sp:SignedParts>
        <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        </sp:EncryptedParts>
        <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and
                local-name()='arg0']</sp:XPath>
        </sp:EncryptedElements>
    </wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold (the sp:EncryptedElements XPath) indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with “sample/field_level_decryption_service_policy”.

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option

Figure 24: In the BPEL Process create a PartnerLink. Again provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the Partner Link creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the “sample/field_level_encryption_client_policy” to the “PurchaseOrderReference” of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference - click on the Policies tab

Figure 36: Click on the Attach/Detach Button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig

Add the following credentials into the credential store either via EM or using WLST. This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to map oracle.wsm.security with username as orakey and password as welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to map oracle.wsm.security with username as orakey and password as welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map
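With both policies attached and the keystore in place, the result can be checked on the wire. The Python check below is an added example, not part of the original guide or of OWSM: it classifies a captured request as leaking arg0, field-level encrypted, or whole-body encrypted. The cleartext message is the Figure 2 sample; the two encrypted messages are constructed for illustration (security header omitted), the function name audit_body is hypothetical, and matching is by local name only so arg0 is caught in any namespace.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC_NS

# Figure 2 request from this guide: arg0 (the card number) is readable.
CLEARTEXT_REQUEST = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      <arg0>1111-2345-4560</arg0>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>""".strip()

# Constructed: arg0 replaced by xenc:EncryptedData (placeholder cipher value).
FIELD_ENCRYPTED_REQUEST = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:CipherData>
          <xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>""".strip()

# Constructed: the whole Body content encrypted, as the stock policies do.
BODY_ENCRYPTED_REQUEST = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Body>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>""".strip()


def local_name(tag):
    """Strip ElementTree's '{namespace}' prefix from a tag."""
    return tag.rsplit("}", 1)[-1]


def audit_body(soap_xml, sensitive_names):
    """Classify how a captured SOAP request protects its payload.

    Returns a dict with: verdict (LEAK, FIELD_LEVEL, WHOLE_BODY or
    NO_ENCRYPTION), leaked [(name, text)], encrypted (count of
    xenc:EncryptedData blocks in the Body) and visible (readable leaf names).
    """
    # SOAP messages must not carry a DTD; refusing one also blocks entity tricks.
    if "<!DOCTYPE" in soap_xml:
        raise ValueError("DOCTYPE is not allowed in a SOAP message")
    body = ET.fromstring(soap_xml).find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("no SOAP Body element")

    leaked, visible, counts = [], [], {"encrypted": 0}

    def walk(element):
        for child in element:
            if child.tag == ENCRYPTED_DATA:
                counts["encrypted"] += 1   # opaque: do not descend into it
                continue
            name = local_name(child.tag)
            if name in sensitive_names:
                leaked.append((name, (child.text or "").strip()))
            elif len(child) == 0:
                visible.append(name)       # readable, non-sensitive leaf
            walk(child)

    walk(body)
    children = list(body)
    whole_body = bool(children) and all(c.tag == ENCRYPTED_DATA for c in children)
    if leaked:
        verdict = "LEAK"
    elif whole_body:
        verdict = "WHOLE_BODY"
    elif counts["encrypted"]:
        verdict = "FIELD_LEVEL"
    else:
        verdict = "NO_ENCRYPTION"
    return {"verdict": verdict, "leaked": leaked,
            "encrypted": counts["encrypted"], "visible": visible}


if __name__ == "__main__":
    for label, msg in [("figure 2", CLEARTEXT_REQUEST),
                       ("field level", FIELD_ENCRYPTED_REQUEST),
                       ("whole body", BODY_ENCRYPTED_REQUEST)]:
        print(label, audit_body(msg, {"arg0"}))
```

A FIELD_LEVEL verdict with arg1, arg2 and arg3 still listed as visible is the outcome this guide configures; LEAK means the client policy did not select the element.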
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 5
4 Secure the PurchaseOrder WLS POJO JAX-WS with OWSM field level encryption service policy 5 Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy 6 Set up the Keystore and Credential Store required for encryption
Software Requirements
Prerequisites
Product Download URL
1 Install SOA Suite 11116 with
JDeveloper
Verified Product Version
Product Release Version
1 WebLogic 1036
2 SOA 11116
3 JDeveloper 11116
Potentially Applies to Product Version(s)
Product Release Version
1 WebLogic 1033 1034 1035 1036
2 SOA 11114 11115 11116
Download Main Page
httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml
Product URLs
Product URL LoginPassword
EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic
Password welcome1
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 6
Step by Step Instructions
Create Purchase Order WLS JAX-WS POJO Web Service
POJO based WLS JAX-WS PurchaseOrder Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 7
The PurchaseOrder sample takes 4 parameters
1 creditCardNumber ndash this is a sensitive field which we want to encrypt
package samplepurchaseorder
import javautilDate
import javaxjwsWebService
WebService
public class PurchaseOrder
public PurchaseOrder()
super()
public int createPurchaseOrder(String creditCardNumber int orderQuantity int orderPrice String itemType)
int discount = 5
if (itemTypestartsWith(BOOK))
discount = 10
int purchaseAmount = orderPrice orderQuantity
if (purchaseAmount lt 0)
purchaseAmount = 0
if (creditCardNumberstartsWith(1111))
throw new RuntimeException(Illegal Credit Card Number)
return purchaseAmount
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 8
2 orderQuantity 3 orderPrice 4 itemType
itemType is used to calculate discount The createPurchaseOder method basically returns the total amount of the
purchased order
Figure 1 shows the Schema for the JAX-WS Web Service
Figure 1 Schema for PurchaseOrder Sample
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 9
Here is a sample message for testing with this Web Service
Figure 2 Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service
You can test the Web Service via the FMWCTL Test page as shown in Figure 3
ltsoapEnvelope xmlnssoap=httpschemasxmlsoaporgsoapenvelopegt
ltsoapBody xmlnsns1=httppurchaseordersamplegt
ltns1createPurchaseOrdergt
ltarg0gt1111-2345-4560ltarg0gt
ltarg1gt100ltarg1gt
ltarg2gt90ltarg2gt
ltarg3gtBOOKltarg3gt
ltns1createPurchaseOrdergt
ltsoapBodygt
ltsoapEnvelopegt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 10
Figure 3 Testing the POJO PurchaseOrder WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 11
Create Custom Policy for Field level Encryption
The next step is creating a Policy in OWSM to handle field level encryptiondecryption For this sample ndash we will start
with the wss11_message_protection_[client|service]_policy
First we will create a field level decryption policy from the wss11_message_protection_service_policy
1 Search for wss11_message_protection_service_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 4
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 12
Figure 4 Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2 Give the new policy a name ndash we will call it ldquosamplefield_level_decryption_service_policy as shown in Figure 5
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 13
Figure 5 New samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 14
3 Turn off Body Signing and Body Encryption for Request as show in Figure 6
Figure 6 Turn off Body SigningEncryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 15
4 Turn off Body Signing and Body Encryption for Response as show in Figure 7
Figure 7 Turn off Body SigningEncryption for Response
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 16
5 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 8 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shown Figure 8 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 8 Adding specific fields to be decrypted
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 17
6 Figure 9 Shows the end result of adding the XML Element to be decrypted
Figure 9 Policy after adding Xpath Expression for field level encryption
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 18
Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy
7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10
Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 19
8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11
Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Step by Step Instructions

Create Purchase Order WLS JAX-WS POJO Web Service

The PurchaseOrder sample takes 4 parameters:

1. creditCardNumber: this is a sensitive field which we want to encrypt
2. orderQuantity
3. orderPrice
4. itemType

itemType is used to calculate the discount. The createPurchaseOrder method basically returns the total amount of the purchased order.

POJO based WLS JAX-WS PurchaseOrder Web Service:

    package sample.purchaseorder;

    import java.util.Date;
    import javax.jws.WebService;

    @WebService
    public class PurchaseOrder {
        public PurchaseOrder() {
            super();
        }

        public int createPurchaseOrder(String creditCardNumber, int orderQuantity,
                                       int orderPrice, String itemType) {
            // Discount by item type; computed but not applied to the returned amount.
            int discount = 5;
            if (itemType.startsWith("BOOK")) {
                discount = 10;
            }
            int purchaseAmount = orderPrice * orderQuantity;
            if (purchaseAmount < 0) {
                purchaseAmount = 0;
            }
            // The sample rejects card numbers that begin with 1111.
            if (creditCardNumber.startsWith("1111")) {
                throw new RuntimeException("Illegal Credit Card Number");
            }
            return purchaseAmount;
        }
    }

Figure 1 shows the schema for the JAX-WS Web Service.

Figure 1: Schema for PurchaseOrder Sample

Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body xmlns:ns1="http://purchaseorder.sample/">
        <ns1:createPurchaseOrder>
          <arg0>1111-2345-4560</arg0>
          <arg1>100</arg1>
          <arg2>90</arg2>
          <arg3>BOOK</arg3>
        </ns1:createPurchaseOrder>
      </soap:Body>
    </soap:Envelope>

Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3.

Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS
Create Custom Policy for Field level Encryption

The next step is creating a policy in OWSM to handle field level encryption/decryption. For this sample we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL as shown in Figure 4.

Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name. We will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.

Figure 5: New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9: Policy after adding XPath Expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name. We will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13: Add specific elements to encrypt
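
One way to confirm on a captured request that the field named in the policy really left the client encrypted; this is an added example, not part of Oracle's guide. It reads the namespace and local name from an sp:EncryptedElements XPath of the form this guide shows in Figure 20, and it also reports an element with the right local name but a different namespace, since an XPath of this form would not select it. The function names, the namespace spelling and all three messages are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
PO = "http://purchaseorder.sample/"  # assumed spelling of the sample service namespace

# Constructed policy fragment in the shape of the WSDL policy in Figure 20.
POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements xmlns:sp="{SP}">
    <sp:XPath>descendant-or-self::*[namespace-uri()='{PO}' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>"""

_PREDICATE = re.compile(
    r"""namespace-uri\(\)\s*=\s*(['"])(.*?)\1\s+and\s+local-name\(\)\s*=\s*(['"])(.*?)\3""")


def encrypted_targets(policy_xml):
    """Return (namespace, local name) for every sp:EncryptedElements XPath."""
    targets = []
    for assertion in ET.fromstring(policy_xml).iter(f"{{{SP}}}EncryptedElements"):
        for xpath in assertion.findall(f"{{{SP}}}XPath"):
            match = _PREDICATE.search(xpath.text or "")
            if match is None:
                # Fail closed: an expression we cannot interpret is not "fine".
                raise ValueError(f"unsupported XPath: {xpath.text!r}")
            targets.append((match.group(2), match.group(4)))
    return targets


def _split(tag):
    """Split ElementTree's '{namespace}local' tag into its two parts."""
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
        return namespace, local
    return "", tag


def audit_request(soap_xml, targets):
    """Check one request against the (namespace, local name) targets."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no soap:Body in message")
    cleartext, uncovered = [], []
    for element in body.iter():
        namespace, local = _split(element.tag)
        for target_ns, target_local in targets:
            if local != target_local:
                continue
            if element.find(f"{{{XENC}}}EncryptedData") is not None:
                continue  # element kept, content encrypted in place
            # Same namespace: the policy selects it, yet it is readable.
            # Other namespace: the policy XPath never selects it at all.
            (cleartext if namespace == target_ns else uncovered).append(local)
    encrypted = sum(1 for _ in body.iter(f"{{{XENC}}}EncryptedData"))
    ok = not cleartext and not uncovered and encrypted >= len(targets)
    return {"ok": ok, "cleartext": cleartext, "uncovered": uncovered,
            "encrypted_data": encrypted}


def _request(field_xml):
    """Build a constructed createPurchaseOrder request around one field."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body xmlns:ns1="{PO}">'
            f'<ns1:createPurchaseOrder>{field_xml}<arg1>100</arg1><arg2>90</arg2>'
            f'<arg3>BOOK</arg3></ns1:createPurchaseOrder></soap:Body></soap:Envelope>')


# Constructed sample messages; the cipher value is a placeholder, not real output.
ENCRYPTED = _request(
    f'<xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">'
    '<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData>')
QUALIFIED_CLEAR = _request("<ns1:arg0>1111-2345-4560</ns1:arg0>")
UNQUALIFIED_CLEAR = _request("<arg0>1111-2345-4560</arg0>")

if __name__ == "__main__":
    targets = encrypted_targets(POLICY)
    for name, message in [("encrypted", ENCRYPTED),
                          ("qualified cleartext", QUALIFIED_CLEAR),
                          ("unqualified cleartext", UNQUALIFIED_CLEAR)]:
        print(name, audit_request(message, targets))
```
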

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service:

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The sp:EncryptedElements entry (highlighted in bold in the original) indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option

Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
2. orderQuantity
3. orderPrice
4. itemType
itemType is used to calculate discount. The createPurchaseOrder method basically returns the total amount of the purchased order.
Figure 1 shows the Schema for the JAX-WS Web Service.
Figure 1: Schema for PurchaseOrder Sample
Here is a sample message for testing with this Web Service:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body xmlns:ns1="httppurchaseordersample">
    <ns1:createPurchaseOrder>
      <arg0>1111-2345-4560</arg0>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>
Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service
You can test the Web Service via the FMWCTL Test page, as shown in Figure 3.
Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS
Create Custom Policy for Field level Encryption
The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample, we will start with the wss11_message_protection_[client|service]_policy.
First we will create a field level decryption policy from the wss11_message_protection_service_policy.
1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL, as shown in Figure 4.
Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2. Give the new policy a name; we will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.
Figure 5: New sample/field_level_decryption_service_policy
3. Turn off Body Signing and Body Encryption for Request, as shown in Figure 6.
Figure 6: Turn off Body Signing/Encryption for Request
4. Turn off Body Signing and Body Encryption for Response, as shown in Figure 7.
Figure 7: Turn off Body Signing/Encryption for Response
5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number, which is arg0 in the sample message shown earlier in this document (see Figure 2).
Figure 8: Adding specific fields to be decrypted
6. Figure 9 shows the end result of adding the XML element to be decrypted.
Figure 9: Policy after adding XPath Expression for field level encryption
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.
Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy
8. Give the new policy a name; we will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.
Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy
9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.
Figure 12: Turn off Body Signing and Body Encryption for Request
10. Specify the XPath expression in the Request tab for the field to be encrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be encrypted. In this case we want to encrypt the credit card number, which is arg0 in the sample message shown earlier in this document (see Figure 2).
Figure 13: Add specific elements to encrypt
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.
Figure 14: Click on FieldLevelEncryption-Project1-context-root Application
Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu
Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='httppurchaseordersample' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>
Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The part highlighted in bold indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23: Result of creating a BPEL Process using the "Base on a WSDL" option
Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The Policy is now attached to the PurchaseOrderReference
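With both policies attached, a captured request can be checked against the field that the service policy's sp:EncryptedElements XPath names. The following is an added example, not part of the original guide or of OWSM: it reads the target out of a policy shaped like Figure 20 and reports whether that field still appears in cleartext in a SOAP body. The namespace urn:example:purchaseorder and the EncryptedData message are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
APP_NS = "urn:example:purchaseorder"  # placeholder namespace (assumption)

# The XPath shape shown in Figure 20: a namespace-uri()/local-name() predicate.
TARGET_RE = re.compile(
    r"namespace-uri\(\)\s*=\s*'([^']*)'\s+and\s+local-name\(\)\s*=\s*'([^']*)'")

# Constructed policy fragment, reduced to the EncryptedElements assertion.
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements xmlns:sp="{sp}">
    <sp:XPath>descendant-or-self::*[namespace-uri()='{ns}' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>""".format(sp=SP, ns=APP_NS)


def sample_request(first_child):
    """Build a constructed request around the guide's arg1..arg3 values."""
    return """<soap:Envelope xmlns:soap="{soap}">
  <soap:Body xmlns:ns1="{ns}"><ns1:createPurchaseOrder>
    {child}<arg1>100</arg1><arg2>90</arg2><arg3>BOOK</arg3>
  </ns1:createPurchaseOrder></soap:Body>
</soap:Envelope>""".format(soap=SOAP, ns=APP_NS, child=first_child)


# Request as sent with no policy attached (values from the guide's Figure 2).
PLAIN = sample_request("<arg0>1111-2345-4560</arg0>")
# Constructed request in which arg0 was replaced by an XML Encryption element.
PROTECTED = sample_request(
    '<xenc:EncryptedData xmlns:xenc="{x}" Type="{x}Element">'
    "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData>".format(x=XENC))


def encrypted_targets(policy_xml):
    """Return the (namespace, local-name) pairs named by sp:EncryptedElements."""
    targets = []
    for block in ET.fromstring(policy_xml).iter("{%s}EncryptedElements" % SP):
        for xp in block.findall("{%s}XPath" % SP):
            m = TARGET_RE.search(xp.text or "")
            if m is None:
                raise ValueError("unsupported XPath form: %r" % xp.text)
            targets.append((m.group(1), m.group(2)))
    return targets


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_request(soap_xml, targets):
    """Report target fields still in cleartext and count EncryptedData elements.

    Matching is on local name only, so an unqualified <arg0> (as in the
    guide's sample message) is caught as well as a namespace-qualified one.
    """
    body = ET.fromstring(soap_xml).find("{%s}Body" % SOAP)
    if body is None:
        raise ValueError("no soap:Body in message")
    wanted = {name for _ns, name in targets}
    tags = [el.tag for el in body.iter() if isinstance(el.tag, str)]
    leaked = sorted({local_name(t) for t in tags if local_name(t) in wanted})
    encrypted = sum(1 for t in tags if t == "{%s}EncryptedData" % XENC)
    return {"leaked": leaked, "encrypted_data": encrypted}


if __name__ == "__main__":
    targets = encrypted_targets(POLICY)
    for label, msg in (("plain", PLAIN), ("protected", PROTECTED)):
        print(label, audit_request(msg, targets))
```

A non-empty "leaked" list on a request captured between the composite and the service means the field named in the policy went out unencrypted.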
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystore.jks using keytool:
$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store, either via EM or using WLST:
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
This assumes that the keystore password is welcome1.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
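The enc-csf-key and sign-csf-key entries only work if their user name (orakey) is an alias in default-keystore.jks and keystore-csf-key holds the right store password. The following added example (not from the guide or from Oracle tooling) parses the JKS container format directly to check both. The keystore bytes are constructed in the script with dummy key and certificate data, and the alias partnerca is hypothetical.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest


def _utf(buf, off):
    """Read a Java writeUTF string (2-byte length prefix); ASCII aliases assumed."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def _blob(buf, off):
    """Read a 4-byte length-prefixed byte string."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _skip_cert(buf, off, version):
    if version == 2:
        _type, off = _utf(buf, off)  # certificate type, e.g. "X.509"
    _der, off = _blob(buf, off)
    return off


def jks_aliases(data, storepass):
    """Verify the store password, then return {alias: entry kind}."""
    if len(data) < 32:
        raise ValueError("file too short to be a JKS keystore")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        # keytool on JDK 9+ writes PKCS12 by default, whatever the file suffix
        raise ValueError("not a JKS keystore")
    body, digest = data[:-20], data[-20:]
    expect = hashlib.sha1(storepass.encode("utf-16-be") + SALT + body).digest()
    if not hmac.compare_digest(expect, digest):
        raise ValueError("wrong store password or modified keystore")
    off, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, off)
        alias, off = _utf(data, off + 4)
        off += 8  # creation timestamp
        if tag == 1:  # private key plus certificate chain
            _key, off = _blob(data, off)
            (chain_len,) = struct.unpack_from(">I", data, off)
            off += 4
            for _c in range(chain_len):
                off = _skip_cert(data, off, version)
            entries[alias] = "PrivateKeyEntry"
        elif tag == 2:  # trusted certificate only
            off = _skip_cert(data, off, version)
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def missing_csf_aliases(data, storepass, csf_users):
    """Return CSF keys whose user name is not a key-pair alias in the keystore."""
    entries = jks_aliases(data, storepass)
    # JKS stores aliases lower-cased, so compare in lower case.
    return sorted(key for key, alias in csf_users.items()
                  if entries.get(alias.lower()) != "PrivateKeyEntry")


def build_sample_jks(storepass, entries):
    """Constructed test input: a version 2 JKS file holding dummy bytes."""
    def utf(s):
        return struct.pack(">H", len(s)) + s.encode("ascii")

    def blob(b):
        return struct.pack(">I", len(b)) + b

    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag in entries:
        cert = utf("X.509") + blob(b"dummy-cert")
        out += struct.pack(">I", tag) + utf(alias) + struct.pack(">q", 0)
        out += blob(b"dummy-key") + struct.pack(">I", 1) + cert if tag == 1 else cert
    return out + hashlib.sha1(storepass.encode("utf-16-be") + SALT + out).digest()


if __name__ == "__main__":
    sample = build_sample_jks("welcome1", [("orakey", 1), ("partnerca", 2)])
    csf = {"enc-csf-key": "orakey", "sign-csf-key": "orakey"}
    print(jks_aliases(sample, "welcome1"), missing_csf_aliases(sample, "welcome1", csf))
```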
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +16505067000
Fax: +16505067200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 9
Here is a sample message for testing with this Web Service
Figure 2 Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service
You can test the Web Service via the FMWCTL Test page as shown in Figure 3
ltsoapEnvelope xmlnssoap=httpschemasxmlsoaporgsoapenvelopegt
ltsoapBody xmlnsns1=httppurchaseordersamplegt
ltns1createPurchaseOrdergt
ltarg0gt1111-2345-4560ltarg0gt
ltarg1gt100ltarg1gt
ltarg2gt90ltarg2gt
ltarg3gtBOOKltarg3gt
ltns1createPurchaseOrdergt
ltsoapBodygt
ltsoapEnvelopegt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 10
Figure 3 Testing the POJO PurchaseOrder WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 11
Create Custom Policy for Field level Encryption
The next step is creating a Policy in OWSM to handle field level encryptiondecryption For this sample ndash we will start
with the wss11_message_protection_[client|service]_policy
First we will create a field level decryption policy from the wss11_message_protection_service_policy
1 Search for wss11_message_protection_service_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 4
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 12
Figure 4 Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2 Give the new policy a name ndash we will call it ldquosamplefield_level_decryption_service_policy as shown in Figure 5
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 13
Figure 5 New samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 14
3 Turn off Body Signing and Body Encryption for Request as show in Figure 6
Figure 6 Turn off Body SigningEncryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 15
4 Turn off Body Signing and Body Encryption for Response as show in Figure 7
Figure 7 Turn off Body SigningEncryption for Response
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 16
5 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 8 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shown Figure 8 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 8 Adding specific fields to be decrypted
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 17
6 Figure 9 Shows the end result of adding the XML Element to be decrypted
Figure 9 Policy after adding Xpath Expression for field level encryption
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 18
Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy
7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10
Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 19
8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11
Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:
$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands, please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig
Add the following credentials into the credential store, either via EM or using WLST:
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
This assumes that the keystore password is welcome1.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS
Create Custom Policy for Field level Encryption
The next step is creating a policy in OWSM to handle field level encryption/decryption. For this sample, we will start
with the wss11_message_protection_[client|service]_policy.
First we will create a field level decryption policy from the wss11_message_protection_service_policy.
1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL, as shown in Figure 4.
Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2. Give the new policy a name; we will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.
Figure 5: New sample/field_level_decryption_service_policy
3. Turn off Body Signing and Body Encryption for Request, as shown in Figure 6.
Figure 6: Turn off Body Signing/Encryption for Request
4. Turn off Body Signing and Body Encryption for Response, as shown in Figure 7.
Figure 7: Turn off Body Signing/Encryption for Response
5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 8: Adding specific fields to be decrypted
6. Figure 9 shows the end result of adding the XML element to be decrypted.
Figure 9: Policy after adding XPath expression for field level encryption
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.
Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy
8. Give the new policy a name; we will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.
Figure 11: Provide a name for the new policy: sample/field_level_encryption_client_policy
9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.
Figure 12: Turn off Body Signing and Body Encryption for Request
10. Specify the XPath expression in the Request tab for the field to be encrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the element name that needs to be encrypted. In this case we want to encrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 13: Add specific elements to encrypt
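A check for what steps 1-10 configure, as an added example (not part of the original guide and not OWSM code): it inspects a captured SOAP request and reports whether the protected field travels as xenc:EncryptedData while the rest of the Body stays readable. The namespace http://purchaseorder.sample/, the names submitOrder and arg1, and all three messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
TYPE_ELEMENT = XENC + "Element"   # EncryptedData standing in for a whole element
TYPE_CONTENT = XENC + "Content"   # EncryptedData standing in for element content

# Assumption: the namespace/element pair entered in the policy's "Add" pop-up.
PO_NS = "http://purchaseorder.sample/"
PROTECTED = [(PO_NS, "arg0")]


def audit_field_encryption(soap_xml, protected=PROTECTED):
    """Return a list of findings; an empty list means the message passes."""
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        return ["message has no SOAP Body"]
    findings = []

    # 1. A protected field must never appear in clear text in the Body.
    for ns, name in protected:
        if next(body.iter(f"{{{ns}}}{name}"), None) is not None:
            findings.append(f"{name} is present in clear text")

    # 2. Field-level protection leaves the Body readable and replaces only
    #    the selected element with xenc:EncryptedData.
    enc_tag = f"{{{XENC}}}EncryptedData"
    encrypted = list(body.iter(enc_tag))
    if not encrypted:
        findings.append("no EncryptedData in Body")
    children = list(body)
    if len(children) == 1 and children[0].tag == enc_tag:
        findings.append("entire Body is encrypted, not a single field")

    # 3. Each EncryptedData must be an encrypted element that the
    #    wsse:Security header points at through a xenc:DataReference.
    refs = set()
    header = root.find(f"{{{SOAP}}}Header")
    if header is not None:
        for sec in header.iter(f"{{{WSSE}}}Security"):
            for ref in sec.iter(f"{{{XENC}}}DataReference"):
                uri = ref.get("URI", "")
                refs.add(uri[1:] if uri.startswith("#") else uri)
    for data in encrypted:
        ident = data.get("Id")
        if data.get("Type") != TYPE_ELEMENT:
            findings.append(f"EncryptedData {ident} is not Type=Element")
        if ident not in refs:
            findings.append(f"EncryptedData {ident} has no DataReference")
    return findings


def _envelope(security, body):
    """Build a constructed SOAP 1.1 message for the demonstration."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" '
            f'xmlns:xenc="{XENC}" xmlns:po="{PO_NS}">'
            f'<soap:Header>{security}</soap:Header>'
            f'<soap:Body>{body}</soap:Body></soap:Envelope>')


def _security(ref_id):
    """Security header whose EncryptedKey references one EncryptedData."""
    return ('<wsse:Security><xenc:EncryptedKey><xenc:ReferenceList>'
            f'<xenc:DataReference URI="#{ref_id}"/>'
            '</xenc:ReferenceList></xenc:EncryptedKey></wsse:Security>')


def _encrypted_data(ident, enc_type):
    # CipherValue is a constructed placeholder, not real ciphertext.
    return (f'<xenc:EncryptedData Id="{ident}" Type="{enc_type}">'
            '<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ='
            '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>')


# Constructed messages; submitOrder and arg1 are hypothetical names.
CLEAR_TEXT = _envelope(
    "", "<po:submitOrder><po:arg0>4111111111111111</po:arg0>"
        "<po:arg1>2</po:arg1></po:submitOrder>")
FIELD_ENCRYPTED = _envelope(
    _security("ED-1"),
    "<po:submitOrder>" + _encrypted_data("ED-1", TYPE_ELEMENT)
    + "<po:arg1>2</po:arg1></po:submitOrder>")
WHOLE_BODY = _envelope(_security("ED-2"),
                       _encrypted_data("ED-2", TYPE_CONTENT))

if __name__ == "__main__":
    for label, msg in [("clear text", CLEAR_TEXT),
                       ("field encrypted", FIELD_ENCRYPTED),
                       ("whole body", WHOLE_BODY)]:
        print(label, "->", audit_field_encryption(msg) or "OK")
```

Run against traffic captured between the composite and the service, the same function separates a request protected by the custom policy from one still protected by the unmodified body-level policy.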
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web
Service. This is shown in Figure 14 - Figure 19.
Figure 14: Click on FieldLevelEncryption-Project1-context-root Application
Figure 15: Navigate to the Web Services in the Application via the Application Deployment menu
Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>
Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The part highlighted in bold (the sp:EncryptedElements assertion) indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the
PurchaseOrderComposite App.
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Figure 23: Result of creating a BPEL Process using the Base on a WSDL option
Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created
previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on
the receive to the input of the Invoke
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the PurchaseOrderReference of the
PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2. Give the new policy a name. We will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.
Figure 5: New sample/field_level_decryption_service_policy
3. Turn off Body Signing and Body Encryption for Request, as shown in Figure 6.
Figure 6: Turn off Body Signing/Encryption for Request
4. Turn off Body Signing and Body Encryption for Response, as shown in Figure 7.
Figure 7: Turn off Body Signing/Encryption for Response
5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 8: Adding specific fields to be decrypted
6. Figure 9 shows the end result of adding the XML element to be decrypted.
Figure 9: Policy after adding XPath Expression for field level encryption
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.
Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy
8. Give the new policy a name. We will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.
Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy
9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.
Figure 12: Turn off Body Signing and Body Encryption for Request
10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 13: Add specific elements to encrypt
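The policy built in steps 5 and 10 identifies the protected field by namespace and element name, and the service WSDL later in this guide (Figure 20) shows it as an sp:EncryptedElements XPath. The following is an added example, not part of the original guide or of OWSM: a Python check that reads that XPath and confirms a captured request never carries the field in cleartext. The operation name submitOrder, the arg1 element, the sample values and the spelling of the namespace URI http://purchaseorder.sample/ are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
XENC = "http://www.w3.org/2001/04/xmlenc#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PO = "http://purchaseorder.sample/"  # assumed spelling of the guide's namespace

# Predicate form used in the policy: namespace-uri()='NS' and local-name()='NAME'
FIELD_XPATH = re.compile(
    r"namespace-uri\(\)\s*=\s*(['\"])(?P<ns>[^'\"]*)\1\s+and\s+"
    r"local-name\(\)\s*=\s*(['\"])(?P<name>[^'\"]+)\3"
)

# Policy fragment in the shape shown in Figure 20 (field-level part only).
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements xmlns:sp="%s">
    <sp:XPath>descendant-or-self::*[namespace-uri()='%s' and
      local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>""" % (SP, PO)

# Constructed SOAP 1.1 request template; %%s is filled with the payload under test.
ENVELOPE = """<soapenv:Envelope xmlns:soapenv="%s" xmlns:po="%s">
  <soapenv:Body><po:submitOrder>%%s<po:arg1>2 widgets</po:arg1></po:submitOrder></soapenv:Body>
</soapenv:Envelope>""" % (SOAP, PO)

# 1) Field replaced by xenc:EncryptedData (what the client policy should produce).
ENCRYPTED = ENVELOPE % (
    '<xenc:EncryptedData xmlns:xenc="%s" Type="%sElement">'
    "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>"
    "</xenc:EncryptedData>" % (XENC, XENC)
)
# 2) Field sent in cleartext, e.g. the client policy was never attached.
CLEARTEXT = ENVELOPE % "<po:arg0>0000-0000-0000-0000</po:arg0>"
# 3) Same local name but no namespace: the policy XPath does not select it.
UNQUALIFIED = ENVELOPE % "<arg0>0000-0000-0000-0000</arg0>"


def protected_fields(policy_xml):
    """Return [(namespace, local_name)] for each sp:EncryptedElements XPath."""
    fields = []
    for block in ET.fromstring(policy_xml).iter("{%s}EncryptedElements" % SP):
        for xpath in block.findall("{%s}XPath" % SP):
            match = FIELD_XPATH.search(xpath.text or "")
            if match is None:
                # Fail closed: an XPath we cannot interpret is never reported as safe.
                raise ValueError("unsupported XPath, review by hand: %r" % xpath.text)
            fields.append((match.group("ns"), match.group("name")))
    return fields


def split_tag(tag):
    """Split ElementTree's '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def audit_message(policy_xml, soap_xml):
    """Compare a captured request against the fields the policy says are encrypted."""
    fields = protected_fields(policy_xml)
    envelope = ET.fromstring(soap_xml)
    body = envelope.find("{%s}Body" % SOAP)
    if body is None:
        raise ValueError("not a SOAP 1.1 envelope: no Body element")
    cleartext, not_selected = [], []
    for element in envelope.iter():
        ns, local = split_tag(element.tag)
        for field_ns, field_name in fields:
            if local != field_name:
                continue
            # Same name and namespace: the protected field is visible on the wire.
            # Same name, other namespace: the XPath predicate does not match it,
            # so the policy leaves this element unencrypted.
            (cleartext if ns == field_ns else not_selected).append(element.tag)
    encrypted = len(list(body.iter("{%s}EncryptedData" % XENC)))
    if cleartext:
        verdict = "cleartext-leak"
    elif not_selected:
        verdict = "not-selected"
    elif encrypted == 0:
        verdict = "nothing-encrypted"
    else:
        verdict = "protected"
    return {"verdict": verdict, "cleartext": cleartext,
            "not_selected": not_selected, "encrypted_data": encrypted}


if __name__ == "__main__":
    for label, message in (("encrypted", ENCRYPTED), ("cleartext", CLEARTEXT),
                           ("unqualified", UNQUALIFIED)):
        print(label, audit_message(POLICY, message)["verdict"])
```

Without the decryption key the check cannot tell which xenc:EncryptedData block corresponds to which field, so it establishes only that the named element never appears unencrypted.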
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.
Figure 14: Click on FieldLevelEncryption-Project1-context-root Application
Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu
Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service:
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and
            local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>
Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The part highlighted in bold (the sp:EncryptedElements XPath) indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23: Result of creating a BPEL Process using the Base on a WSDL option
Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The Policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:
    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands, please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store, either via EM or using WLST.
This assumes that the keystore password is welcome1.
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 14
3 Turn off Body Signing and Body Encryption for Request as show in Figure 6
Figure 6 Turn off Body SigningEncryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 15
4 Turn off Body Signing and Body Encryption for Response as show in Figure 7
Figure 7 Turn off Body SigningEncryption for Response
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 16
5 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 8 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shown Figure 8 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 8 Adding specific fields to be decrypted
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 17
6 Figure 9 Shows the end result of adding the XML Element to be decrypted
Figure 9 Policy after adding Xpath Expression for field level encryption
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 18
Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy
7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10
Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 19
8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11
Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.
Figure 14: Click on FieldLevelEncryption-Project1-context-root Application
Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu
Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service.
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self[namespace-uri()=httppurchaseordersample and local-name()=arg0]</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>
Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The part highlighted in bold, the sp:EncryptedElements XPath, indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23: Result of creating a BPEL Process using the Base on a WSDL option
Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The Policy is now attached to the PurchaseOrderReference
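With body encryption turned off in both policies, only the element selected by the policy XPath is protected, so it is worth confirming on a captured request how arg0 actually travels. The following check is an added example, not code from the original guide or from OWSM; SOAP 1.1, the namespace http://purchaseorder.sample/, the operation name submitOrder, the test card number and every sample message are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 (assumed)
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC_NS
TYPE_ELEMENT = XENC_NS + "Element"   # whole element replaced by ciphertext
TYPE_CONTENT = XENC_NS + "Content"   # tags kept, content replaced

TARGET_NS = "http://purchaseorder.sample/"   # assumed placeholder namespace
TARGET_NAME = "arg0"                          # field named in the policy XPath
CANARY = "4111111111111111"                   # constructed test card number


def select(root, ns, local_name):
    """Elements matching descendant-or-self::*[namespace-uri()=ns and local-name()=local_name]."""
    return [e for e in root.iter() if e.tag == "{%s}%s" % (ns, local_name)]


def check_field_encryption(envelope_xml, ns=TARGET_NS, local_name=TARGET_NAME, canary=None):
    """Classify how the policy's target field travels in one SOAP message."""
    if "<!DOCTYPE" in envelope_xml:          # SOAP messages must not carry a DTD
        raise ValueError("DTD rejected")
    root = ET.fromstring(envelope_xml)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("no SOAP Body")
    # A known test value readable anywhere in the message is a leak.
    if canary is not None and any(canary in text for text in root.itertext()):
        return "plaintext"
    children = list(body)
    if children and all(c.tag == ENCRYPTED_DATA for c in children):
        return "body-encrypted"              # whole body, not field level
    targets = select(body, ns, local_name)
    for target in targets:
        kids = list(target)
        wrapped = (len(kids) == 1 and kids[0].tag == ENCRYPTED_DATA
                   and kids[0].get("Type") == TYPE_CONTENT
                   and not (target.text or "").strip())
        if not wrapped:
            return "plaintext"
    if targets:
        return "content-encrypted"
    replaced = [e for e in body.iter(ENCRYPTED_DATA) if e.get("Type") == TYPE_ELEMENT]
    # "absent": the selector matched nothing and nothing was encrypted.
    return "element-encrypted" if replaced else "absent"


def envelope(body_inner):
    """Wrap constructed body content in a SOAP 1.1 envelope."""
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:po="%s" xmlns:xenc="%s">'
            '<soapenv:Body>%s</soapenv:Body></soapenv:Envelope>'
            % (SOAP_NS, TARGET_NS, XENC_NS, body_inner))


# Constructed ciphertext stand-in; the CipherValue is not real ciphertext.
CIPHER = ('<xenc:EncryptedData Type="%s"><xenc:CipherData>'
          '<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>'
          '</xenc:CipherData></xenc:EncryptedData>')

# Constructed sample requests.
PLAINTEXT = envelope('<po:submitOrder><po:arg0>%s</po:arg0>'
                     '<po:arg1>2</po:arg1></po:submitOrder>' % CANARY)
FIELD_ENCRYPTED = envelope('<po:submitOrder>' + CIPHER % TYPE_ELEMENT
                           + '<po:arg1>2</po:arg1></po:submitOrder>')
CONTENT_ENCRYPTED = envelope('<po:submitOrder><po:arg0>' + CIPHER % TYPE_CONTENT
                             + '</po:arg0><po:arg1>2</po:arg1></po:submitOrder>')
BODY_ENCRYPTED = envelope(CIPHER % TYPE_CONTENT)
# arg0 carries no namespace here, so the namespace-qualified selector misses it.
UNQUALIFIED = envelope('<po:submitOrder><arg0>%s</arg0>'
                       '<arg1>2</arg1></po:submitOrder>' % CANARY)

if __name__ == "__main__":
    samples = [("plaintext", PLAINTEXT), ("field", FIELD_ENCRYPTED),
               ("content", CONTENT_ENCRYPTED), ("body", BODY_ENCRYPTED),
               ("unqualified", UNQUALIFIED)]
    for name, message in samples:
        print(name, "->", check_field_encryption(message, canary=CANARY))
```

The unqualified sample is the case to watch for: without a canary the selector simply reports "absent", and only the known test value reveals that the card number went out readable.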
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:
$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
4. Turn off Body Signing and Body Encryption for Response, as shown in Figure 7.
Figure 7: Turn off Body Signing/Encryption for Response
5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches a pop-up as shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 8: Adding specific fields to be decrypted
6. Figure 9 shows the end result of adding the XML element to be decrypted.
Figure 9: Policy after adding XPath expression for field level encryption
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.
Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy
Oracle Corporation | Field level Encryption | Version 10 19
8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11
Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 16
5 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 8 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shown Figure 8 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 8 Adding specific fields to be decrypted
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 17
6 Figure 9 Shows the end result of adding the XML Element to be decrypted
Figure 9 Policy after adding Xpath Expression for field level encryption
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 18
Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy
7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10
Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 19
8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11
Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the PurchaseOrderReference of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:
$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig
Add the following credentials into the credential store, either via EM or using WLST.
This assumes that the keystore password is welcome1.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
The second command adds a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
The third command adds a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
6. Figure 9 shows the end result of adding the XML element to be decrypted.
Figure 9: Policy after adding XPath expression for field level encryption
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.
Figure 10: Creating a field level encryption policy from wss11_message_protection_client_policy
8. Give the new policy a name; we will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.
Figure 11: Provide a name for the new policy: sample/field_level_encryption_client_policy
9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.
Figure 12: Turn off Body Signing and Body Encryption for Request
10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches a pop-up as shown in Figure 13. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).
Figure 13: Add specific elements to encrypt
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.
Figure 14: Click on the FieldLevelEncryption-Project1-context-root Application
Figure 15: Navigate to the Web Services in the Application via the Application Deployment menu
Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>
Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The part highlighted in bold (the sp:EncryptedElements assertion) indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite App.
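The following check is an added example, not part of the original guide or of Oracle's code. It reads the sp:EncryptedElements XPath from the policy in Figure 20 and tests whether a captured SOAP request still carries the selected field in cleartext. The namespace URI http://purchaseorder.sample/ (as reconstructed from Figure 20), the operation name submitOrder, and all sample messages are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
PO_NS = "http://purchaseorder.sample/"  # assumption: namespace as read from Figure 20

# Only the assertion of interest from the Figure 20 policy.
POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements xmlns:sp="{SP}">
    <sp:XPath>descendant-or-self::*[namespace-uri()='{PO_NS}' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>"""

# The policy selects elements with a namespace-uri()/local-name() predicate.
PREDICATE = re.compile(
    r"namespace-uri\(\)\s*=\s*'([^']*)'\s+and\s+local-name\(\)\s*=\s*'([^']*)'")


def encrypted_targets(policy_xml):
    """Return (namespace, local name) pairs named by sp:EncryptedElements/sp:XPath."""
    targets = []
    for block in ET.fromstring(policy_xml).iter(f"{{{SP}}}EncryptedElements"):
        for xpath in block.findall(f"{{{SP}}}XPath"):
            match = PREDICATE.search(xpath.text or "")
            if match is None:
                raise ValueError(f"unsupported XPath form: {xpath.text!r}")
            targets.append((match.group(1), match.group(2)))
    return targets


def split_tag(tag):
    """Split ElementTree's '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def readable(element):
    """True if the element holds text or any child other than xenc:EncryptedData."""
    if (element.text or "").strip():
        return True
    return any(child.tag != f"{{{XENC}}}EncryptedData" for child in element)


def check_request(soap_xml, targets):
    """Classify each policy target in the SOAP Body.

    cleartext          - the element the XPath selects is present and readable
    namespace-mismatch - a readable element has the right local name but another
                         namespace, so the policy XPath does not select it
    encrypted          - no readable occurrence and the Body holds xenc:EncryptedData
    absent             - no readable occurrence and nothing encrypted in the Body
    Ciphertext is opaque, so "encrypted" proves only that no cleartext copy remains.
    """
    body = ET.fromstring(soap_xml).find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no soap:Body in message")
    has_cipher = next(body.iter(f"{{{XENC}}}EncryptedData"), None) is not None
    result = {}
    for ns, local in targets:
        status = "encrypted" if has_cipher else "absent"
        for element in body.iter():
            el_ns, el_local = split_tag(element.tag)
            if el_local != local or not readable(element):
                continue
            if el_ns == ns:
                status = "cleartext"
                break
            status = "namespace-mismatch"
        result[local] = status
    return result


def envelope(inner):
    """Wrap constructed body content in a SOAP envelope (submitOrder is hypothetical)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
            f'<po:submitOrder xmlns:po="{PO_NS}">{inner}</po:submitOrder>'
            "</soap:Body></soap:Envelope>")


# Constructed sample requests; 4111111111111111 is a well-known test card number.
CLEAR = envelope("<po:arg0>4111111111111111</po:arg0><po:arg1>2</po:arg1>")
UNQUALIFIED = envelope("<arg0>4111111111111111</arg0><po:arg1>2</po:arg1>")
PROTECTED = envelope(
    f'<xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">'
    "<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData><po:arg1>2</po:arg1>")

if __name__ == "__main__":
    targets = encrypted_targets(POLICY)
    for name, message in [("clear", CLEAR), ("unqualified", UNQUALIFIED),
                          ("protected", PROTECTED)]:
        print(name, check_request(message, targets))
```

The namespace-mismatch result is the case to watch when entering the namespace and element name in the policy pop-up: if they do not match the element as it appears on the wire, the XPath selects nothing for that field.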
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23: Result of creating a BPEL Process using the Base on a WSDL option
Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25: Walk through the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 19
8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11
Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
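A check that can be run against a captured request to confirm that the sp:EncryptedElements assertion of Figure 20 is actually honoured on the wire. This is an added example, not part of the original guide or of OWSM; the namespace spelling http://purchaseorder.sample/, the purchaseOrder wrapper element and the three sample messages are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

SP = "{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"
SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
PO_NS = "http://purchaseorder.sample/"  # assumed spelling of the sample namespace

# Constructed policy fragment modelled on Figure 20 (only the assertion needed here).
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements
      xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='%s' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>""" % PO_NS

# Predicate form used by the policy: namespace-uri()='..' and local-name()='..'
PREDICATE = re.compile(
    r"""namespace-uri\(\)\s*=\s*(['"])(?P<ns>.*?)\1\s+and\s+"""
    r"""local-name\(\)\s*=\s*(['"])(?P<name>.*?)\3""")


def protected_elements(policy_xml):
    """Return the (namespace, local-name) pairs named by sp:EncryptedElements."""
    targets = []
    for assertion in ET.fromstring(policy_xml).iter(SP + "EncryptedElements"):
        for xpath in assertion.findall(SP + "XPath"):
            m = PREDICATE.search(xpath.text or "")
            if m is None:
                # Fail closed: an expression we cannot interpret is not "compliant".
                raise ValueError("unsupported XPath: %r" % xpath.text)
            targets.append((m.group("ns"), m.group("name")))
    return targets


def check_request(policy_xml, soap_xml):
    """Return findings for one captured request; an empty list means compliant."""
    body = ET.fromstring(soap_xml).find(SOAP + "Body")
    if body is None:
        return ["message has no SOAP Body"]
    findings = []
    for ns, name in protected_elements(policy_xml):
        for el in body.iter():
            local = el.tag.rsplit("}", 1)[-1]
            el_ns = el.tag[1:].split("}")[0] if el.tag.startswith("{") else ""
            if local != name:
                continue
            if el_ns != ns:
                # The XPath predicate compares namespace-uri(), so this element
                # is not selected by the policy and would travel unencrypted.
                findings.append("%s is in namespace %r, so the policy XPath "
                                "does not select it" % (name, el_ns))
            elif el.find(XENC + "EncryptedData") is None:
                # Element encryption replaces the element; content encryption
                # leaves it with an EncryptedData child. Neither happened here.
                findings.append("%s is present in clear text" % name)
    if not findings and next(body.iter(XENC + "EncryptedData"), None) is None:
        findings.append("Body contains no xenc:EncryptedData")
    return findings


def _envelope(inner):
    """Build a constructed request; the purchaseOrder wrapper name is hypothetical."""
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><po:purchaseOrder xmlns:po="%s">%s</po:purchaseOrder>'
            '</soap:Body></soap:Envelope>' % (PO_NS, inner))


# Constructed sample messages (the card number is a dummy value).
CLEAR = _envelope("<po:arg0>4111111111111111</po:arg0>")
UNQUALIFIED = _envelope("<arg0>4111111111111111</arg0>")
ENCRYPTED = _envelope(
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
    'Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:CipherData>'
    '<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>'
    '</xenc:CipherData></xenc:EncryptedData>')

if __name__ == "__main__":
    for label, msg in (("clear", CLEAR), ("unqualified", UNQUALIFIED),
                       ("encrypted", ENCRYPTED)):
        print(label, check_request(POLICY, msg) or "OK")
```

The unqualified case is the one worth watching for: if the namespace entered in the Add pop-up does not match the element as it appears in the message, the XPath selects nothing and the field is sent as is.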
Figure 21 Insert a BPEL Process into an Empty Composite App
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Figure 24 In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25 Walk through the PartnerLink creation process
Figure 26 Completion of the Partner Link creation process
Figure 27 Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Figure 31 BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32 Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35 On the PurchaseOrderReference - click on the Policies tab
Figure 36 Click on the Attach/Detach Button
Figure 37 Attach the sample/field_level_encryption_client_policy
Figure 38 The Policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystore.jks using keytool:
    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands please refer to:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig
Add the following credentials into the credential store either via EM or using WLST.
This assumes that the keystore password is welcome1.
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39 View the Credential Store from the Weblogic Domain menu
Figure 40 Contents of the oraclewsmsecurity Credential Map
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 20
9 Turn off Body Signing and Body Encryption for Request as show in Figure 12
Figure 12 Turn off Body Signing and Body Encryption for Request
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 21
10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2
Figure 13 Add specific elements to encrypt
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web
Service This is shown in Figure 14 - Figure 19
Figure 14 Click on FieldLevelEncryption-Project1-context-root Application
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 23
Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 24
Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 22
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created “sample/field_level_decryption_service_policy” to the PurchaseOrder WLS JAX-WS Web
Service. This is shown in Figure 14 - Figure 19.
Figure 14: Click on FieldLevelEncryption-Project1-context-root Application
Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu
Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port
Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard
Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service
Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>
Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
The part highlighted in bold (the sp:EncryptedElements assertion) indicates that the service expects arg0 to be encrypted.
Now the Purchase Order POJO WLS JAX-WS is secured with “sample/field_level_decryption_service_policy”.
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the
PurchaseOrderComposite app.
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the “Base on a WSDL” option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 23: Result of creating a BPEL Process using the “Base on a WSDL” option
Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the “sample/field_level_encryption_client_policy” to the “PurchaseOrderReference” of the
PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left-hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The Policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:
$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands, please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store, either via EM or using WLST:
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
This assumes that the keystore password is welcome1.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password
welcome1. This alias should exist in your configured keystore.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password
welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
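Once both policies are attached, a captured request can be checked against the sp:EncryptedElements assertion shown in Figure 20. The script below is an added example, not part of the original guide: the two SOAP messages are constructed samples, and the wrapper element name "process" and the namespace http://purchaseorder.sample/ are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
ELEMENT_TYPE = XENC + "Element"  # xenc Type used when a whole element is encrypted

# Assumption: namespace and local name as they appear in the policy XPath.
FIELD_NS = "http://purchaseorder.sample/"
FIELD_NAME = "arg0"

# Constructed sample: request sent with no client policy attached.
CLEARTEXT_MSG = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:po="http://purchaseorder.sample/">
  <soap:Header/>
  <soap:Body>
    <po:process><po:arg0>123-45-6789</po:arg0></po:process>
  </soap:Body>
</soap:Envelope>
"""

# Constructed sample: arg0 replaced by EncryptedData, rest of the body readable.
ENCRYPTED_MSG = """
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:po="http://purchaseorder.sample/">
  <soap:Header>
    <wsse:Security>
      <xenc:EncryptedKey>
        <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <po:process>
      <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:CipherData><xenc:CipherValue>CONSTRUCTED</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedData>
    </po:process>
  </soap:Body>
</soap:Envelope>
"""


def check_field_encrypted(soap_xml, field_ns=FIELD_NS, field_name=FIELD_NAME):
    """Return a list of findings; an empty list means the message looks compliant.

    This is a structural check only. It cannot prove that the ciphertext holds
    the protected field, because that requires the service's private key.
    """
    # Captured messages from your own test run are assumed here; use a
    # hardened parser for XML from untrusted sources.
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        return ["no soap:Body element"]

    findings = []

    # 1. The protected element must not travel in cleartext.
    if any(True for _ in body.iter(f"{{{field_ns}}}{field_name}")):
        findings.append(f"{field_name} is present in cleartext in soap:Body")

    # 2. Something in the body must actually be encrypted.
    encrypted = list(body.iter(f"{{{XENC}}}EncryptedData"))
    if not encrypted:
        findings.append("no xenc:EncryptedData in soap:Body")

    # 3. Each EncryptedData must be element-level and referenced from the
    #    wsse:Security header, otherwise the receiver cannot locate its key.
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    referenced = set()
    if security is not None:
        referenced = {ref.get("URI", "").lstrip("#")
                      for ref in security.iter(f"{{{XENC}}}DataReference")}
    for data in encrypted:
        if data.get("Type") != ELEMENT_TYPE:
            findings.append(f"EncryptedData {data.get('Id')} is not Type=Element")
        if data.get("Id") not in referenced:
            findings.append(f"EncryptedData {data.get('Id')} is not referenced "
                            "from wsse:Security")
    return findings


if __name__ == "__main__":
    for name, msg in (("cleartext", CLEARTEXT_MSG), ("encrypted", ENCRYPTED_MSG)):
        print(name, check_field_encrypted(msg) or "OK")
```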
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 25
Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Figure 21: Insert a BPEL Process into an Empty Composite App
Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS.
Figure 23: Result of creating a BPEL Process using the Base on a WSDL option
Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL.
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke.
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the “sample/field_level_encryption_client_policy” to the “PurchaseOrderReference” of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left-hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The Policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 26
Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 27
Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment
Check the WSDL of the Service
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 28
The part highlighted in bold indicates that the service expects arg0 to be encrypted
Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the
PurchaseOderComposite app
ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy
xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-
10xsd wsuId=PurchaseOrderPort_Input_Policygt
ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspHeader Name= Namespace=httpwwww3org200508addressinggt
ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt
ltspSignedPartsgt
ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt
ltspEncryptedPartsgt
ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt
ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and
local-name()=arg0]ltspXPathgt
ltspEncryptedElementsgt
ltwspPolicygt
Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystore.jks using keytool.
$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store either via EM or using WLST.
This assumes that the keystore password is welcome1.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
This will add a key, namely enc-csf-key, to map oracle.wsm.security with username as orakey and password as
welcome1. This alias should exist in your configured keystore.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This will add a key, namely sign-csf-key, to map oracle.wsm.security with username as orakey and password as
welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39 View the Credential Store from the Weblogic Domain menu
Figure 40 Contents of the oracle.wsm.security Credential Map
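The requirement above, that the alias named by enc-csf-key and sign-csf-key exists in the configured keystore, can be checked before deploying the policy. The following is an added example, not part of the original guide or of Oracle's tooling; the function names, the sample `keytool -list` output (English locale assumed) and the credential-map dictionary are constructed for illustration.

```python
import re

# One entry line of non-verbose `keytool -list` output (English locale assumed):
#   <alias>, <Mon D, YYYY>, <entry type>,
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), [A-Za-z]{3} \d{1,2}, \d{4}, (?P<type>\w+),$"
)

# Keys the guide adds to the oracle.wsm.security map.
REQUIRED_KEYS = ("keystore-csf-key", "enc-csf-key", "sign-csf-key")
# Keys whose user name must be a keystore alias, as the guide states.
# The guide makes no such claim for keystore-csf-key, so it is not checked.
ALIAS_KEYS = ("enc-csf-key", "sign-csf-key")

# Constructed sample of `keytool -list -keystore default-keystore.jks`.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

orakey, Mar 5, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
partnerca, Mar 5, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
"""

# Constructed view of the credential map: CSF key -> user name.
# Passwords are deliberately left out; this check does not need them.
GUIDE_CRED_MAP = {
    "keystore-csf-key": "owsm",
    "enc-csf-key": "orakey",
    "sign-csf-key": "orakey",
}


def parse_keytool_list(text):
    """Return {alias: entry_type} parsed from `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            # JKS aliases are case-insensitive, so compare in lower case.
            entries[match.group("alias").lower()] = match.group("type")
    return entries


def check_credentials(cred_map, keystore_entries):
    """Return a list of findings; an empty list means the map is consistent."""
    findings = []
    for key in REQUIRED_KEYS:
        user = cred_map.get(key)
        if user is None:
            findings.append(f"{key}: missing from credential map")
            continue
        if key not in ALIAS_KEYS:
            continue
        entry_type = keystore_entries.get(user.lower())
        if entry_type is None:
            findings.append(f"{key}: alias '{user}' not found in keystore")
        elif entry_type != "PrivateKeyEntry":
            # Signing and decryption both need the private key.
            findings.append(
                f"{key}: alias '{user}' is a {entry_type}, not a PrivateKeyEntry"
            )
    return findings


if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_KEYTOOL_LIST)
    problems = check_credentials(GUIDE_CRED_MAP, entries)
    print("OK" if not problems else "\n".join(problems))
```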
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 29
Figure 21 Insert a BPEL Process into an Empty Composite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 30
Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder
POJO WLS JAX-WS
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 31
Figure 23 Result of creating a BPEL Process using the Base on a WSDL option
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 32
Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as
the WSDL URL
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 33
Figure 25 Walkthrough the PartnerLink creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Figure 25: Walk through the PartnerLink creation process
Figure 26: Completion of the PartnerLink creation process
Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously
Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference
Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke
Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput
Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities
Figure 32: Completed PurchaseOrderComposite App
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Figure 33: Click on the PurchaseOrderComposite App on the left-hand side
Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Figure 35: On the PurchaseOrderReference, click on the Policies tab
Figure 36: Click on the Attach/Detach button
Figure 37: Attach the sample/field_level_encryption_client_policy
Figure 38: The policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool:
    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands, please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.
Add the following credentials into the credential store, either via EM or using WLST.
This assumes that the keystore password is welcome1.
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39: View the Credential Store from the WebLogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
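The guide requires that the users stored under enc-csf-key and sign-csf-key match an alias in the configured keystore. The following added example (not part of the original guide) checks that against `keytool -list` output. The sample listing, the `partnerca` alias and the function names are constructed for illustration, and the check assumes both keys need a PrivateKeyEntry because signing and decryption use the private key.

```python
import re

# Constructed sample: the three entries the guide adds to the
# oracle.wsm.security map, as CSF key -> user name.
CSF_ENTRIES = {
    "keystore-csf-key": "owsm",   # keystore password entry; user is not an alias
    "enc-csf-key": "orakey",      # user must be a keystore alias
    "sign-csf-key": "orakey",     # user must be a keystore alias
}

# Constructed sample of `keytool -list -keystore default-keystore.jks` output.
# "partnerca" is a hypothetical certificate-only entry added for the negative case.
KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

orakey, Mar 5, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
partnerca, Mar 5, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
"""

# An entry line is "<alias>, <date>, <type>,". The date may itself contain a
# comma ("Mar 5, 2012"), so anchor on the trailing "<something>Entry,".
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s.*,\s*(?P<type>\w+Entry),\s*$")

# CSF keys whose user field names a keystore alias.
ALIAS_KEYS = ("enc-csf-key", "sign-csf-key")


def parse_keytool_list(text):
    """Return {alias: entry_type} from `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            # JKS keystores store aliases in lower case.
            entries[match.group("alias").strip().lower()] = match.group("type")
    return entries


def check_aliases(csf_entries, keystore_entries):
    """Return a list of (csf_key, problem) tuples; empty means consistent."""
    findings = []
    for key in ALIAS_KEYS:
        alias = csf_entries.get(key)
        if alias is None:
            findings.append((key, "missing from credential map"))
            continue
        entry_type = keystore_entries.get(alias.lower())
        if entry_type is None:
            findings.append((key, "alias %r not in keystore" % alias))
        elif entry_type != "PrivateKeyEntry":
            # Assumption: signing and decryption both need the private key.
            findings.append(
                (key, "alias %r is %s, no private key" % (alias, entry_type))
            )
    return findings


if __name__ == "__main__":
    keystore = parse_keytool_list(KEYTOOL_LIST)
    problems = check_aliases(CSF_ENTRIES, keystore)
    for key, problem in problems:
        print("%s: %s" % (key, problem))
    if not problems:
        print("credential map and keystore are consistent")
```

To run it against a real domain, replace KEYTOOL_LIST with the captured output of `keytool -list` for the keystore copied into $FMW_DOMAIN_HOME/config/fmwconfig.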
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 34
Figure 26 Completion of the Partner Link creation process
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 35
Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created
previously
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 36
Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 37
Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on
the receive to the input of the Invoke
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 38
Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystore.jks using keytool:
$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600
For complete details on keytool commands please refer to:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig
Add the following credentials into the credential store either via EM or using WLST.
This assumes that the keystore password is welcome1.
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
The second command adds a key named enc-csf-key to the map oracle.wsm.security, with username orakey and password
welcome1. This alias should exist in your configured keystore.
The third command adds a key named sign-csf-key to the map oracle.wsm.security, with username orakey and password
welcome1. This alias should exist in your configured keystore.
You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
Figure 39 View the Credential Store from the WebLogic Domain menu
Figure 40 Contents of the oracle.wsm.security Credential Map
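The guide notes that the user stored under enc-csf-key and sign-csf-key must be an alias that exists in the configured keystore. The following is an added example, not part of the original guide or Oracle's code: a Python check that cross-references createCred calls against keytool -list output. The keytool listing, the partnerca entry, the redacted passwords and the requirement that the alias be a PrivateKeyEntry are assumptions of this example.

```python
import re

MAP_NAME = "oracle.wsm.security"
# Per the guide, the user of these two keys must be a keystore alias.
# keystore-csf-key only carries the keystore password, so it is not checked.
ALIAS_KEYS = ("enc-csf-key", "sign-csf-key")

# createCred calls as in the guide; passwords replaced by a placeholder.
CREATE_CRED_LINES = '''
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="<redacted>", desc="Keystore key")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="<redacted>", desc="Encryption key")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="<redacted>", desc="Signing key")
'''

# Constructed sample of `keytool -list -keystore default-keystore.jks` output.
KEYTOOL_LIST = '''
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

orakey, Mar 5, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
partnerca, Mar 5, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
'''

# An entry line looks like "<alias>, <date>, <entry type>,".
ENTRY_RE = re.compile(
    r'^(?P<alias>[^,]+),.*\b'
    r'(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$'
)


def parse_create_cred(text):
    """Return one dict of keyword arguments per createCred(...) call."""
    creds = []
    for args in re.findall(r'createCred\((.*?)\)', text):
        creds.append(dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', args)))
    return creds


def parse_keytool_list(text):
    """Map each alias (lower-cased, as JKS stores it) to its entry type."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group("alias").strip().lower()] = match.group("type")
    return entries


def check_aliases(creds, entries):
    """Report enc/sign credentials whose user is not a usable keystore alias."""
    findings = []
    for cred in creds:
        if cred.get("map") != MAP_NAME or cred.get("key") not in ALIAS_KEYS:
            continue
        alias = cred.get("user", "").lower()
        entry_type = entries.get(alias)
        if entry_type is None:
            findings.append((cred["key"], alias, "alias missing from keystore"))
        elif entry_type != "PrivateKeyEntry":
            # Assumption of this example: signing and decryption need a private key.
            findings.append(
                (cred["key"], alias, "alias is %s, not PrivateKeyEntry" % entry_type)
            )
    return findings


if __name__ == "__main__":
    problems = check_aliases(
        parse_create_cred(CREATE_CRED_LINES), parse_keytool_list(KEYTOOL_LIST)
    )
    for key, alias, reason in problems:
        print("%s -> %s: %s" % (key, alias, reason))
    if not problems:
        print("enc-csf-key and sign-csf-key both resolve to keystore aliases")
```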
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for
information purposes only and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether
expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document. This document may
not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be
trademarks of their respective owners.
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 39
Figure 31 BPEL Process after adding the Assign Invoke Assign activities
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 40
Figure 32 Completed PurchaseOrderComposite App
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 41
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of
PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38
Figure 33 Click on the PurchaseOrderComposite App on the left hand side
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 42
Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 43
Figure 35 On the PurchaseOrderReferece - click on the Policies tab
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 44
Figure 36 Click on the AttachDetach Button
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 49
Figure 39 View the Credential Store from the Weblogic Domain menu
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 50
Figure 40 Contents of the oraclewsmsecurity Credential Map
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 51
Oracle Web Services Manager
March 2012
Author Prakash Yamuna
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores CA 94065
USA
Worldwide Inquiries
Phone +16505067000
Fax +16505067200
oraclecom
Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for
information purposes only and the contents hereof are subject to change without notice This
document is not warranted to be error-free nor subject to any other warranties or conditions whether
expressed orally or implied in law including implied warranties and conditions of merchantability or
fitness for a particular purpose We specifically disclaim any liability with respect to this document and
no contractual obligations are formed either directly or indirectly by this document This document may
not be reproduced or transmitted in any form or by any means electronic or mechanical for any
purpose without our prior written permission
Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be
trademarks of their respective owners
0109
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 45
Figure 37 Attach the samplefield_level_encryption_client_policy
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 46
Figure 38 The Policy is now attached to the PurchaseOrderReference
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 47
Create Keystore and Credentials in Credential Store
Create a Keystore called default-keystorejks using keytool
For complete details on keytool commands please refer to
httpjavasuncomj2se142docstooldocswindowskeytoolhtml
Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig
Add the following credentials into the credential store either via EM or using WLST
This assumes that the keystore password is welcome1
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm
password=welcome1 desc=Keystore key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey
password=welcome1 desc=Encryption key)
wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey
password=welcome1 desc=Signing key)
$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass
welcome1 -validity 3600
Field level Encryption in WLS SOA using Oracle Web Services Manager 11g
Oracle Corporation | Field level Encryption | Version 10 48
This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as
welcome1 This alias should exist in your configured keystore
You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40
Figure 39: View the Credential Store from the Weblogic Domain menu
Figure 40: Contents of the oracle.wsm.security Credential Map
Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.