Oracle Web Service Manager 11g: Field level Encryption (in SOA, WLS)

March, 2012

Step-by-Step Instruction Guide

Author: Prakash Yamuna, Senior Development Manager, Oracle Corporation


Post on 28-Jul-2020


Field level Encryption in WLS, SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 1.0

Table of Contents

Use Case
    Description
    Objective
    Scenario
Software Requirements
    Prerequisites
    Verified Product Version
    Potentially Applies to Product Version(s)
    Download Main Page
    Product URLs
Step by Step Instructions
    Create Purchase Order WLS JAX-WS POJO Web Service
    Create Custom Policy for Field level Encryption
    Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
    Create Purchase Order Composite App
    Attach Custom Policy created previously to the Purchase Order Composite App Reference
    Create Keystore and Credentials in Credential Store

Use Case

Description

In this How-To I will demonstrate how one can do field level encryption. By default, all the message protection related policies that ship out of the box with OWSM encrypt the entire body of the SOAP message. However, in many cases customers may want to encrypt only certain fields in the SOAP message that are sensitive, rather than the entire body of the SOAP message.

Examples:

a) Customer wants to encrypt the SSN in the SOAP message.

b) Customer wants to encrypt the credit card number in the SOAP message.

For the purposes of this How-To we will build a SOA Composite app, which will act as a web service client, and a WLS JAX-WS web service, which will act as the backend web service.

Objective

Show how to create OWSM custom policies that will encrypt certain fields in a SOAP message, and use these custom policies to secure a web service client and web service.

Scenario

This How-To will demonstrate the following:

1. We will use a simple PurchaseOrder WLS POJO JAX-WS Web Service.
2. A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service.
3. Create field level encryption client and service policies.
4. Secure the PurchaseOrder WLS POJO JAX-WS with the OWSM field level encryption service policy.
5. Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy.
6. Set up the Keystore and Credential Store required for encryption.

[Figure: architecture overview. Labels: OWSM Policy Store; Policy Manager; CRUD; JDeveloper (Policy Attachment, Override Config, Find Matching Policy); Enterprise Manager (Policy Authoring, Versioning, Usage Tracking, Violation Metrics, Migration); Purchase Order SOA Composite App with OWSM Agent; Purchase Order WLS JAX-WS Service with OWSM Agent; SOAP/HTTP; sample/field_level_encryption_client_policy; sample/field_level_encryption_service_policy]

Software Requirements

Prerequisites

Product                                          Download URL
1. Install SOA Suite 11.1.1.6 with JDeveloper

Verified Product Version

Product          Release Version
1. WebLogic      10.3.6
2. SOA           11.1.1.6
3. JDeveloper    11.1.1.6

Potentially Applies to Product Version(s)

Product          Release Version
1. WebLogic      10.3.3, 10.3.4, 10.3.5, 10.3.6
2. SOA           11.1.1.4, 11.1.1.5, 11.1.1.6

Download Main Page

http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

Product URLs

Product                         URL                                Login/Password
EM Fusion Middleware Control    http://admin_host:admin_port/em    User: weblogic, Password: welcome1

Step by Step Instructions

Create Purchase Order WLS JAX-WS POJO Web Service

POJO based WLS JAX-WS PurchaseOrder Web Service

Step by Step Instructions

Create Purchase Order WLS JAX-WS POJO Web Service

POJO based WLS JAX-WS PurchaseOrder Web Service

    package sample.purchaseorder;

    import java.util.Date;

    import javax.jws.WebService;

    @WebService
    public class PurchaseOrder {
        public PurchaseOrder() {
            super();
        }

        public int createPurchaseOrder(String creditCardNumber, int orderQuantity,
                                       int orderPrice, String itemType) {
            // Discount depends on the item type.
            int discount = 5;
            if (itemType.startsWith("BOOK")) {
                discount = 10;
            }
            int purchaseAmount = orderPrice * orderQuantity;
            if (purchaseAmount < 0) {
                purchaseAmount = 0;
            }
            // Sample validation: card numbers starting with 1111 are rejected.
            if (creditCardNumber.startsWith("1111")) {
                throw new RuntimeException("Illegal Credit Card Number");
            }
            return purchaseAmount;
        }
    }

The PurchaseOrder sample takes 4 parameters:

1. creditCardNumber - this is a sensitive field which we want to encrypt
2. orderQuantity
3. orderPrice
4. itemType

itemType is used to calculate the discount. The createPurchaseOrder method basically returns the total amount of the purchased order.

Figure 1 shows the Schema for the JAX-WS Web Service.

Figure 1: Schema for PurchaseOrder Sample

Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body xmlns:ns1="http://purchaseorder.sample/">
        <ns1:createPurchaseOrder>
          <arg0>1111-2345-4560</arg0>
          <arg1>100</arg1>
          <arg2>90</arg2>
          <arg3>BOOK</arg3>
        </ns1:createPurchaseOrder>
      </soap:Body>
    </soap:Envelope>

Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3.

Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS

Create Custom Policy for Field level Encryption

The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL as shown in Figure 4.

Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name - we will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.

Figure 5: New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9: Policy after adding XPath Expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name - we will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13: Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on OWSM Policies tab. Click on Attach/Detach Button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service:

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and
            local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold (the sp:EncryptedElements entry) indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option

Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach Button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to:

http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store either via EM or using WLST. This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map
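With both policies attached and the keystore in place, a captured request can be checked against the EncryptedElements rule from Figure 20. The following is an added example, not part of the original guide or of OWSM: the function and constant names are hypothetical, the three messages are constructed, and it assumes the protected field is replaced by a standard XML Encryption xenc:EncryptedData element. It reports an element with the right local name but a different namespace separately, because an XPath predicate on namespace-uri() does not select it.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
PO_NS = "http://purchaseorder.sample/"  # element namespace named in the policy XPath


def split_tag(tag):
    """Split ElementTree's '{uri}local' tag into (namespace-uri, local-name)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def audit_field_encryption(soap_xml, namespace, local_name):
    """Check one captured SOAP message against a rule of the form
    descendant-or-self::*[namespace-uri()=namespace and local-name()=local_name].

    Returns a verdict plus counts. Field values are never returned, so the
    report does not leak the data the policy is meant to protect.
    """
    # SOAP messages must not carry a DTD; refuse it before parsing.
    if "<!DOCTYPE" in soap_xml.upper():
        raise ValueError("DTD in SOAP message rejected")
    root = ET.fromstring(soap_xml)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("no soap:Body element")

    cleartext = not_selected = encrypted = 0
    for el in body.iter():
        uri, local = split_tag(el.tag)
        if (uri, local) == (XENC_NS, "EncryptedData"):
            encrypted += 1
        elif local == local_name and uri == namespace:
            cleartext += 1      # selected by the rule, yet still readable
        elif local == local_name:
            not_selected += 1   # same name, other namespace: rule skips it

    if cleartext:
        verdict = "CLEARTEXT"
    elif not_selected:
        verdict = "NOT_SELECTED"
    elif encrypted:
        verdict = "ENCRYPTED"
    else:
        verdict = "FIELD_ABSENT"
    return {"verdict": verdict, "cleartext": cleartext,
            "not_selected": not_selected, "encrypted": encrypted}


def build_message(field_xml):
    """Build a constructed createPurchaseOrder request around one field fragment."""
    return (
        '<soap:Envelope xmlns:soap="%s">'
        '<soap:Body xmlns:ns1="%s" xmlns:xenc="%s">'
        "<ns1:createPurchaseOrder>%s"
        "<arg1>100</arg1><arg2>90</arg2><arg3>BOOK</arg3>"
        "</ns1:createPurchaseOrder></soap:Body></soap:Envelope>"
    ) % (SOAP_NS, PO_NS, XENC_NS, field_xml)


# Constructed sample messages (not captured traffic).
CLEAR_QUALIFIED = build_message("<ns1:arg0>1111-2345-4560</ns1:arg0>")
CLEAR_UNQUALIFIED = build_message("<arg0>1111-2345-4560</arg0>")
ENCRYPTED = build_message(
    '<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
    "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData>"
)

if __name__ == "__main__":
    samples = [("qualified cleartext", CLEAR_QUALIFIED),
               ("unqualified cleartext", CLEAR_UNQUALIFIED),
               ("encrypted", ENCRYPTED)]
    for name, msg in samples:
        print(name, audit_field_encryption(msg, PO_NS, "arg0"))
```

Any verdict other than ENCRYPTED on a request that carries a card number means the field crossed the wire unprotected and the policy attachment or the XPath should be rechecked.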

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 2: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 2

Table of Contents Use Case 3

Description 3

Objective 3

Scenario 4

Software Requirements 5

Prerequisites 5

Verified Product Version 5

Potentially Applies to Product Version(s) 5

Download Main Page 5

Product URLs 5

Step by Step Instructions 6

Create Purchase Order WLS JAX-WS POJO Web Service 6

Create Custom Policy for Field level Encryption 11

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service 22

Create Purchase Order Composite App 28

Attach Custom Policy created previously to the Purchase Order Composite App Reference 41

Create Keystore and Credentials in Credential Store 47

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 3

Use Case

Description

In this How-To I will demonstrate how one can do field level encryption By default all the message protection

related policies that ship out of the box with OWSM encrypt the entire body of the SOAP message However in

many cases customerrsquos may want to encrypt only certain fields in the SOAP message that are sensitive rather

than the entire body of the SOAP message

Ex

a) Customer wants to encrypt the SSN in the SOAP message

b) Customer wants to encrypt the credit card number in the SOAP message

For the purposes of this How To we will build a SOA Composite app which will act as a web service client and

a WLS JAX-WS which will act as the backend web service

Objective

Show How to create OWSM custom policies in that will encrypt certain fields in a SOAP message and use these custom

policies to secure a web service client and web service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 4

Scenario

This How-To will demonstrate

1 We will use a simple PurcahseOrder WLS POJO JAX-WS 2 A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service 3 Create Field level encryption client and service policy

OWSM Policy Store

Purchase Order

SOA Composite App

JDeveloper

bull Policy Attachment

bull Override Config

bull Find Matching Policy

SOAP HTTP

Enterprise Manager

bull Policy Authoring

bull Versioning

bull Usage Tracking

bull Violation Metrics

bull Migration

CRUD

Purchase Order

WLS JAX-WS Service

OWSM Agent OWSM Agent

Policy Manager

samplefield_level_encryption_client_policy

samplefield_level_encryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 5

4 Secure the PurchaseOrder WLS POJO JAX-WS with OWSM field level encryption service policy 5 Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy 6 Set up the Keystore and Credential Store required for encryption

Software Requirements

Prerequisites

Product Download URL

1 Install SOA Suite 11116 with

JDeveloper

Verified Product Version

Product Release Version

1 WebLogic 1036

2 SOA 11116

3 JDeveloper 11116

Potentially Applies to Product Version(s)

Product Release Version

1 WebLogic 1033 1034 1035 1036

2 SOA 11114 11115 11116

Download Main Page

httpwwworaclecomtechnetworkmiddlewaresoasuitedownloadsindexhtml

Product URLs

Product URL LoginPassword

EM Fusion Middle Control httpadmin_hostadmin_portem User weblogic

Password welcome1

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 6

Step by Step Instructions

Create Purchase Order WLS JAX-WS POJO Web Service

POJO based WLS JAX-WS PurchaseOrder Web Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 7

The PurchaseOrder sample takes 4 parameters

1 creditCardNumber ndash this is a sensitive field which we want to encrypt

package samplepurchaseorder

import javautilDate

import javaxjwsWebService

WebService

public class PurchaseOrder

public PurchaseOrder()

super()

public int createPurchaseOrder(String creditCardNumber int orderQuantity int orderPrice String itemType)

int discount = 5

if (itemTypestartsWith(BOOK))

discount = 10

int purchaseAmount = orderPrice orderQuantity

if (purchaseAmount lt 0)

purchaseAmount = 0

if (creditCardNumberstartsWith(1111))

throw new RuntimeException(Illegal Credit Card Number)

return purchaseAmount

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 8

2 orderQuantity 3 orderPrice 4 itemType

itemType is used to calculate discount The createPurchaseOder method basically returns the total amount of the

purchased order

Figure 1 shows the Schema for the JAX-WS Web Service

Figure 1 Schema for PurchaseOrder Sample

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 9

Here is a sample message for testing with this Web Service

Figure 2 Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3

ltsoapEnvelope xmlnssoap=httpschemasxmlsoaporgsoapenvelopegt

ltsoapBody xmlnsns1=httppurchaseordersamplegt

ltns1createPurchaseOrdergt

ltarg0gt1111-2345-4560ltarg0gt

ltarg1gt100ltarg1gt

ltarg2gt90ltarg2gt

ltarg3gtBOOKltarg3gt

ltns1createPurchaseOrdergt

ltsoapBodygt

ltsoapEnvelopegt

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 10

Figure 3 Testing the POJO PurchaseOrder WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 11

Create Custom Policy for Field level Encryption

The next step is creating a Policy in OWSM to handle field level encryptiondecryption For this sample ndash we will start

with the wss11_message_protection_[client|service]_policy

First we will create a field level decryption policy from the wss11_message_protection_service_policy

1 Search for wss11_message_protection_service_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 4

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 12

Figure 4 Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2 Give the new policy a name ndash we will call it ldquosamplefield_level_decryption_service_policy as shown in Figure 5

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 13

Figure 5 New samplefield_level_decryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 14

3 Turn off Body Signing and Body Encryption for Request as show in Figure 6

Figure 6 Turn off Body SigningEncryption for Request

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 15

4 Turn off Body Signing and Body Encryption for Response as show in Figure 7

Figure 7 Turn off Body SigningEncryption for Response

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 16

5 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 8 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shown Figure 8 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2

Figure 8 Adding specific fields to be decrypted

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 17

6 Figure 9 Shows the end result of adding the XML Element to be decrypted

Figure 9 Policy after adding Xpath Expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name; we will call it "sample/field_level_encryption_client_policy" as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches a pop-up as shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13: Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on OWSM Policies tab. Click on Attach/Detach Button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and
      local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold (the sp:EncryptedElements entry) indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
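Referring back to the policy in Figure 20: the following added example (not part of the original guide, and not OWSM code) parses that policy to report what it asks to be signed and encrypted, then checks a captured request body against it. The two requests are constructed samples, the function names are hypothetical, and matching the protected field by local name only is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Policy from Figure 20, with its punctuation restored.
POLICY = """\
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and
      local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>"""

# Constructed request bodies built on the sample message of Figure 2.
# A real protected message also carries a wsse:Security header; omitted here.
ENVELOPE = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      %s
      <arg1>100</arg1><arg2>90</arg2><arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>"""
CLEAR_REQUEST = ENVELOPE % "<arg0>1111-2345-4560</arg0>"
PROTECTED_REQUEST = ENVELOPE % (
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"'
    ' Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:CipherData>'
    "<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData>")


def q(namespace, name):
    """Build the {namespace}name form ElementTree uses for qualified tags."""
    return "{%s}%s" % (namespace, name)


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def summarize_policy(policy_xml):
    """Report what the policy asks to be signed and encrypted."""
    root = ET.fromstring(policy_xml)

    def body_listed(assertion):
        return any(parts.find(q(SP, "Body")) is not None
                   for parts in root.iter(q(SP, assertion)))

    def xpaths(assertion):
        return [" ".join(xp.text.split())
                for el in root.iter(q(SP, assertion))
                for xp in el.findall(q(SP, "XPath")) if xp.text]

    return {
        "body_signed": body_listed("SignedParts"),
        "body_encrypted": body_listed("EncryptedParts"),
        "signed_xpaths": xpaths("SignedElements"),
        "encrypted_xpaths": xpaths("EncryptedElements"),
    }


def protected_local_names(xpaths):
    """Pull the element names out of local-name()='...' predicates."""
    names = []
    for xpath in xpaths:
        names += re.findall(r"local-name\(\)\s*=\s*'([^']+)'", xpath)
    return names


def audit_request(policy_xml, request_xml):
    """Return findings; an empty list means the body matches the policy."""
    summary = summarize_policy(policy_xml)
    names = set(protected_local_names(summary["encrypted_xpaths"]))
    body = ET.fromstring(request_xml).find(q(SOAP, "Body"))
    if body is None:
        return ["no soap:Body found"]
    encrypted_data = ".//" + q(XENC, "EncryptedData")
    findings = []
    for el in body.iter():
        # A protected element is acceptable only if it was replaced by, or
        # now wraps, an xenc:EncryptedData element.
        if local_name(el.tag) in names and el.find(encrypted_data) is None:
            findings.append("cleartext element '%s' in soap:Body" % local_name(el.tag))
    if names and body.find(encrypted_data) is None:
        findings.append("no xenc:EncryptedData in soap:Body")
    return findings


if __name__ == "__main__":
    print(summarize_policy(POLICY))
    print(audit_request(POLICY, CLEAR_REQUEST))
    print(audit_request(POLICY, PROTECTED_REQUEST))
```

For the Figure 20 policy the summary shows no sp:Body under SignedParts or EncryptedParts and an empty SignedElements, so the advertised policy asks for arg0 to be encrypted but not for it to be signed.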

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the "Base on a WSDL" option

Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walkthrough the PartnerLink creation process

Figure 26: Completion of the Partner Link creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the PurchaseOrderReference of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach Button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Use Case

Description

In this How-To I will demonstrate how one can do field level encryption. By default, all the message protection related policies that ship out of the box with OWSM encrypt the entire body of the SOAP message. However, in many cases customers may want to encrypt only certain fields in the SOAP message that are sensitive, rather than the entire body of the SOAP message.

Ex:

a) Customer wants to encrypt the SSN in the SOAP message

b) Customer wants to encrypt the credit card number in the SOAP message

For the purposes of this How-To we will build a SOA Composite app, which will act as a web service client, and a WLS JAX-WS, which will act as the backend web service.

Objective

Show how to create OWSM custom policies that will encrypt certain fields in a SOAP message, and use these custom policies to secure a web service client and web service.

Scenario

This How-To will demonstrate:

1. We will use a simple PurchaseOrder WLS POJO JAX-WS
2. A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service
3. Create Field level encryption client and service policy
4. Secure the PurchaseOrder WLS POJO JAX-WS with OWSM field level encryption service policy
5. Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy
6. Set up the Keystore and Credential Store required for encryption

[Architecture diagram. Labels: Purchase Order SOA Composite App (OWSM Agent); Purchase Order WLS JAX-WS Service (OWSM Agent); SOAP/HTTP; JDeveloper (Policy Attachment, Override Config, Find Matching Policy); Enterprise Manager (Policy Authoring, Versioning, Usage Tracking, Violation Metrics, Migration); Policy Manager; CRUD; OWSM Policy Store; sample/field_level_encryption_client_policy; sample/field_level_encryption_service_policy]

Software Requirements

Prerequisites

   Product                                      Download URL
1  Install SOA Suite 11.1.1.6 with JDeveloper

Verified Product Version

   Product     Release Version
1  WebLogic    10.3.6
2  SOA         11.1.1.6
3  JDeveloper  11.1.1.6

Potentially Applies to Product Version(s)

   Product   Release Version
1  WebLogic  10.3.3, 10.3.4, 10.3.5, 10.3.6
2  SOA       11.1.1.4, 11.1.1.5, 11.1.1.6

Download Main Page

http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

Product URLs

Product                   URL                              Login/Password
EM Fusion Middle Control  http://admin_host:admin_port/em  User: weblogic, Password: welcome1

Step by Step Instructions

Create Purchase Order WLS JAX-WS POJO Web Service

POJO based WLS JAX-WS PurchaseOrder Web Service:

package sample.purchaseorder;

import java.util.Date;

import javax.jws.WebService;

@WebService
public class PurchaseOrder {
    public PurchaseOrder() {
        super();
    }

    public int createPurchaseOrder(String creditCardNumber, int orderQuantity, int orderPrice, String itemType) {
        // The discount depends on the item type; this sample does not apply it to the returned amount.
        int discount = 5;
        if (itemType.startsWith("BOOK")) {
            discount = 10;
        }
        int purchaseAmount = orderPrice * orderQuantity;
        if (purchaseAmount < 0) {
            purchaseAmount = 0;
        }
        // Card numbers starting with 1111 are rejected.
        if (creditCardNumber.startsWith("1111")) {
            throw new RuntimeException("Illegal Credit Card Number");
        }
        return purchaseAmount;
    }
}

The PurchaseOrder sample takes 4 parameters:

1. creditCardNumber: this is a sensitive field which we want to encrypt
2. orderQuantity
3. orderPrice
4. itemType

itemType is used to calculate the discount. The createPurchaseOrder method basically returns the total amount of the purchased order.

Figure 1 shows the Schema for the JAX-WS Web Service.

Figure 1: Schema for PurchaseOrder Sample

Here is a sample message for testing with this Web Service:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      <arg0>1111-2345-4560</arg0>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>

Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3.

Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS

Create Custom Policy for Field level Encryption

The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL as shown in Figure 4.

Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name; we will call it "sample/field_level_decryption_service_policy" as shown in Figure 5.

Figure 5: New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches a pop-up as shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML Element to be decrypted.

Figure 9: Policy after adding XPath Expression for field level encryption

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 18

Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy

7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10

Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 19

8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11

Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 20

9 Turn off Body Signing and Body Encryption for Request as show in Figure 12

Figure 12 Turn off Body Signing and Body Encryption for Request

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 21

10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2

Figure 13 Add specific elements to encrypt

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 22

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web

Service This is shown in Figure 14 - Figure 19

Figure 14 Click on FieldLevelEncryption-Project1-context-root Application

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 23

Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 24

Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 25

Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 26

Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 27

Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 28

The part highlighted in bold indicates that the service expects arg0 to be encrypted

Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the

PurchaseOderComposite app

ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy

xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-

10xsd wsuId=PurchaseOrderPort_Input_Policygt

ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspHeader Name= Namespace=httpwwww3org200508addressinggt

ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt

ltspSignedPartsgt

ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspEncryptedPartsgt

ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and

local-name()=arg0]ltspXPathgt

ltspEncryptedElementsgt

ltwspPolicygt

Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 29

Figure 21 Insert a BPEL Process into an Empty Composite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 30

Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder

POJO WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 31

Figure 23 Result of creating a BPEL Process using the Base on a WSDL option

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 32

Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as

the WSDL URL

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 33

Figure 25 Walkthrough the PartnerLink creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 34

Figure 26 Completion of the Partner Link creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 35

Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created

previously

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 36

Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 37

Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on

the receive to the input of the Invoke

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 38

Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 4: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 4

Scenario

This How-To will demonstrate

1 We will use a simple PurcahseOrder WLS POJO JAX-WS 2 A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service 3 Create Field level encryption client and service policy

OWSM Policy Store

Purchase Order

SOA Composite App

JDeveloper

bull Policy Attachment

bull Override Config

bull Find Matching Policy

SOAP HTTP

Enterprise Manager

bull Policy Authoring

bull Versioning

bull Usage Tracking

bull Violation Metrics

bull Migration

CRUD

Purchase Order

WLS JAX-WS Service

OWSM Agent OWSM Agent

Policy Manager

samplefield_level_encryption_client_policy

samplefield_level_encryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 5

4 Secure the PurchaseOrder WLS POJO JAX-WS with OWSM field level encryption service policy 5 Secure the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy 6 Set up the Keystore and Credential Store required for encryption

Software Requirements

Prerequisites

        Product                                      Download URL
    1   Install SOA Suite 11.1.1.6 with JDeveloper

Verified Product Version

        Product      Release Version
    1   WebLogic     10.3.6
    2   SOA          11.1.1.6
    3   JDeveloper   11.1.1.6

Potentially Applies to Product Version(s)

        Product      Release Version
    1   WebLogic     10.3.3, 10.3.4, 10.3.5, 10.3.6
    2   SOA          11.1.1.4, 11.1.1.5, 11.1.1.6

Download Main Page

http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html

Product URLs

    Product                    URL                               Login/Password
    EM Fusion Middle Control   http://admin_host:admin_port/em   User: weblogic, Password: welcome1

Step by Step Instructions

Create Purchase Order WLS JAX-WS POJO Web Service

POJO based WLS JAX-WS PurchaseOrder Web Service:

    package sample.purchaseorder;

    import java.util.Date;

    import javax.jws.WebService;

    @WebService
    public class PurchaseOrder {
        public PurchaseOrder() {
            super();
        }

        public int createPurchaseOrder(String creditCardNumber, int orderQuantity, int orderPrice, String itemType) {
            // discount is derived from itemType; it is not applied to the returned amount
            int discount = 5;
            if (itemType.startsWith("BOOK")) {
                discount = 10;
            }
            int purchaseAmount = orderPrice * orderQuantity;
            if (purchaseAmount < 0) {
                purchaseAmount = 0;
            }
            if (creditCardNumber.startsWith("1111")) {
                throw new RuntimeException("Illegal Credit Card Number");
            }
            return purchaseAmount;
        }
    }

The PurchaseOrder sample takes 4 parameters:

1. creditCardNumber: this is a sensitive field which we want to encrypt
2. orderQuantity
3. orderPrice
4. itemType

itemType is used to calculate discount. The createPurchaseOrder method basically returns the total amount of the purchased order.

Figure 1 shows the Schema for the JAX-WS Web Service.

Figure 1: Schema for PurchaseOrder Sample

Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body xmlns:ns1="http://purchaseorder.sample/">
        <ns1:createPurchaseOrder>
          <arg0>1111-2345-4560</arg0>
          <arg1>100</arg1>
          <arg2>90</arg2>
          <arg3>BOOK</arg3>
        </ns1:createPurchaseOrder>
      </soap:Body>
    </soap:Envelope>

Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3.

Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS

Create Custom Policy for Field level Encryption

The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample, we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL as shown in Figure 4.

Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name. We will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.

Figure 5: New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button. This will launch a pop-up as shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document. See Figure 2.

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9: Policy after adding XPath Expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name. We will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be encrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button. This will launch a pop-up as shown in Figure 13. Enter the namespace for the element and the element name that needs to be encrypted. In this case we want to encrypt the credit card number. This is arg0 in the sample message posted earlier in this document. See Figure 2.

Figure 13: Add specific elements to encrypt
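The namespace and element name entered in steps 5 and 10 end up in an XPath that matches on both namespace-uri() and local-name(), so whether arg0 is selected depends on how the element is qualified in the actual request. The following audit of captured request XML is an added example, not part of Oracle's guide: the class FieldEncryptionAudit, its method names and the three messages are constructed for illustration, and the expression follows the shape of the sp:XPath shown in the service WSDL later in this guide.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example, not Oracle's code: audits a captured request against the
// field-level policy XPath. All messages below are constructed samples.
public class FieldEncryptionAudit {

    // CLEARTEXT:    the policy XPath selects a readable element in the message
    // ENCRYPTED:    nothing is selected and the Body holds xenc:EncryptedData
    // NOT_SELECTED: nothing is selected and nothing in the Body is encrypted
    enum Result { CLEARTEXT, ENCRYPTED, NOT_SELECTED }

    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String PO_NS = "http://purchaseorder.sample/"; // namespace entered in the policy

    // Same shape as the sp:XPath in the service WSDL. ns and local are trusted
    // constants here; they are concatenated into the expression unescaped.
    static String policyXPath(String ns, String local) {
        return "descendant-or-self::*[namespace-uri()='" + ns
             + "' and local-name()='" + local + "']";
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // namespace-uri() needs a namespace-aware DOM
        // Captured traffic is untrusted input: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static int count(Document doc, String expr) throws Exception {
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    static Result audit(String xml, String ns, String local) throws Exception {
        Document doc = parse(xml);
        if (count(doc, policyXPath(ns, local)) > 0) {
            return Result.CLEARTEXT; // target element is readable on the wire
        }
        String encrypted = policyXPath(SOAP, "Body")
                + "/descendant::*[namespace-uri()='" + XENC
                + "' and local-name()='EncryptedData']";
        return count(doc, encrypted) > 0 ? Result.ENCRYPTED : Result.NOT_SELECTED;
    }

    // Builds a constructed createPurchaseOrder request around the given first child.
    static String envelope(String firstChild) {
        return "<soap:Envelope xmlns:soap='" + SOAP + "'>"
             + "<soap:Body xmlns:ns1='" + PO_NS + "'><ns1:createPurchaseOrder>"
             + firstChild + "<arg1>100</arg1><arg2>90</arg2><arg3>BOOK</arg3>"
             + "</ns1:createPurchaseOrder></soap:Body></soap:Envelope>";
    }

    public static void main(String[] args) throws Exception {
        String qualified   = envelope("<ns1:arg0>1111-2345-4560</ns1:arg0>");
        String unqualified = envelope("<arg0>1111-2345-4560</arg0>");
        // Placeholder cipher value, not real ciphertext.
        String encrypted   = envelope(
              "<xenc:EncryptedData xmlns:xenc='" + XENC + "' Type='" + XENC + "Element'>"
            + "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
            + "</xenc:CipherData></xenc:EncryptedData>");

        System.out.println("qualified arg0, policy ns:      " + audit(qualified, PO_NS, "arg0"));
        System.out.println("unqualified arg0, policy ns:    " + audit(unqualified, PO_NS, "arg0"));
        System.out.println("unqualified arg0, empty ns:     " + audit(unqualified, "", "arg0"));
        System.out.println("EncryptedData in place of arg0: " + audit(encrypted, PO_NS, "arg0"));
    }
}
```

An unqualified arg0 has an empty namespace URI, so the XPath built with http://purchaseorder.sample/ does not select it; the namespace entered in the policy has to be the one the element actually carries in the request.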

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on OWSM Policies tab. Click on Attach/Detach Button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service:

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and
          local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold (the sp:EncryptedElements XPath) indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the "Base on a WSDL" option

Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the PurchaseOrderReference of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach Button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely enc-csf-key, to map oracle.wsm.security with username as orakey and password as welcome1. This alias should exist in your configured keystore.

This will add a key, namely sign-csf-key, to map oracle.wsm.security with username as orakey and password as welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map
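The credentials above only work if they agree with the keystore: the keystore-csf-key password must open default-keystore.jks, and the enc-csf-key / sign-csf-key entries must name an alias that exists there with a matching key password. The following check is an added example, not part of Oracle's guide; the class name KeystoreCheck is hypothetical, and it assumes the default-keystore.jks produced by the keytool step is in the working directory (or passed as the first argument).

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example, not Oracle's code: checks that a keystore alias is usable
// with the passwords that were stored under the csf keys.
public class KeystoreCheck {

    // Returns a list of problems; an empty list means the alias is usable.
    static List<String> check(String path, char[] storePass, String alias, char[] keyPass)
            throws Exception {
        List<String> problems = new ArrayList<>();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // fails if the keystore password is wrong
        } catch (IOException e) {
            problems.add("cannot open keystore: " + e.getMessage());
            return problems;
        }
        if (!ks.containsAlias(alias)) {
            problems.add("alias '" + alias + "' not found");
            return problems;
        }
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is a certificate-only entry, no private key");
            return problems;
        }
        try {
            Key key = ks.getKey(alias, keyPass);
            if (!(key instanceof PrivateKey)) {
                problems.add("entry '" + alias + "' is not a private key");
            } else if (!"RSA".equals(key.getAlgorithm())) {
                problems.add("key algorithm is " + key.getAlgorithm() + ", expected RSA");
            }
        } catch (UnrecoverableKeyException e) {
            problems.add("key password does not unlock alias '" + alias + "'");
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            try {
                ((X509Certificate) cert).checkValidity(); // expired or not yet valid
            } catch (CertificateException e) {
                problems.add("certificate not currently valid: " + e.getMessage());
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "default-keystore.jks";
        String alias = args.length > 1 ? args[1] : "orakey";
        Console con = System.console();
        if (con == null) {
            throw new IllegalStateException("run from a terminal so the passwords can be prompted");
        }
        // Prompted rather than passed as arguments, so they stay out of the process list.
        char[] storePass = con.readPassword("keystore password (keystore-csf-key): ");
        char[] keyPass = con.readPassword("key password for %s (enc-csf-key / sign-csf-key): ", alias);
        List<String> problems = check(path, storePass, alias, keyPass);
        if (problems.isEmpty()) {
            System.out.println("OK: alias '" + alias + "' is usable");
        } else {
            for (String p : problems) {
                System.out.println("PROBLEM: " + p);
            }
            System.exit(1);
        }
    }
}
```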

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109


This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109


Step by Step Instructions

Create Purchase Order WLS JAX-WS POJO Web Service

POJO based WLS JAX-WS PurchaseOrder Web Service

The PurchaseOrder sample takes 4 parameters:

1. creditCardNumber – this is a sensitive field which we want to encrypt
2. orderQuantity
3. orderPrice
4. itemType

    package sample.purchaseorder;

    import java.util.Date;

    import javax.jws.WebService;

    @WebService
    public class PurchaseOrder {
        public PurchaseOrder() {
            super();
        }

        public int createPurchaseOrder(String creditCardNumber, int orderQuantity, int orderPrice, String itemType) {
            // The discount is derived from the item type.
            int discount = 5;
            if (itemType.startsWith("BOOK")) {
                discount = 10;
            }
            // Total amount of the order; a negative total is clamped to 0.
            int purchaseAmount = orderPrice * orderQuantity;
            if (purchaseAmount < 0) {
                purchaseAmount = 0;
            }
            if (creditCardNumber.startsWith("1111")) {
                throw new RuntimeException("Illegal Credit Card Number");
            }
            return purchaseAmount;
        }
    }

itemType is used to calculate the discount. The createPurchaseOrder method basically returns the total amount of the purchased order.

Figure 1 shows the schema for the JAX-WS Web Service.

Figure 1: Schema for PurchaseOrder Sample

Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body xmlns:ns1="http://purchaseorder.sample/">
        <ns1:createPurchaseOrder>
          <arg0>1111-2345-4560</arg0>
          <arg1>100</arg1>
          <arg2>90</arg2>
          <arg3>BOOK</arg3>
        </ns1:createPurchaseOrder>
      </soap:Body>
    </soap:Envelope>

Figure 2: Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3.

Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS

Create Custom Policy for Field level Encryption

The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample – we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL as shown in Figure 4.

Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name – we will call it "sample/field_level_decryption_service_policy" as shown in Figure 5.

Figure 5: New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload as shown in Figure 8. This is done by clicking on the "Add" button. This will launch a pop-up as shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document. See Figure 2.

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9: Policy after adding XPath Expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name – we will call it "sample/field_level_encryption_client_policy" as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload as shown in Figure 13. This is done by clicking on the "Add" button. This will launch a pop-up as shown in Figure 13. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document. See Figure 2.

Figure 13: Add specific elements to encrypt
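A check for the field selection entered in steps 5 and 10, as an added example that is not part of the original guide: it reads the namespace and element name from an sp:EncryptedElements XPath and classifies a captured request as cleartext, encrypted, or not selected because the element's namespace on the wire differs from the one in the policy. The three requests are constructed for illustration and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# Predicate shape used for the protected field: namespace-uri() and local-name().
PREDICATE = re.compile(
    r"namespace-uri\(\)\s*=\s*(['\"])(.*?)\1\s+and\s+"
    r"local-name\(\)\s*=\s*(['\"])(.+?)\3"
)


def encrypted_element_targets(policy_xml):
    """Return [(namespace, local_name)] listed under sp:EncryptedElements."""
    targets = []
    for block in ET.fromstring(policy_xml).iter("{%s}EncryptedElements" % SP):
        for xpath in block.findall("{%s}XPath" % SP):
            match = PREDICATE.search(xpath.text or "")
            if match is None:
                raise ValueError("unsupported XPath form: %r" % xpath.text)
            targets.append((match.group(2), match.group(4)))
    return targets


def split_tag(tag):
    """Split ElementTree's '{ns}local' form; unqualified tags get namespace ''."""
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
        return namespace, local
    return "", tag


def check_request(soap_xml, targets):
    """Classify every policy target against one captured SOAP request.

    cleartext          the selected element is on the wire unencrypted
    namespace-mismatch an element with that local name is in clear, but in a
                       different namespace, so the XPath does not select it
    encrypted          no clear copy, and the Body carries xenc:EncryptedData
    absent             no clear copy and nothing encrypted in the Body
    """
    body = ET.fromstring(soap_xml).find("{%s}Body" % SOAP)
    if body is None:
        raise ValueError("not a SOAP 1.1 envelope")
    seen = [split_tag(element.tag) for element in body.iter()]
    has_ciphertext = (XENC, "EncryptedData") in seen
    report = {}
    for namespace, local in targets:
        if (namespace, local) in seen:
            report[(namespace, local)] = "cleartext"
        elif any(name == local for _, name in seen):
            report[(namespace, local)] = "namespace-mismatch"
        elif has_ciphertext:
            report[(namespace, local)] = "encrypted"
        else:
            report[(namespace, local)] = "absent"
    return report


# Policy fragment in the form the service WSDL advertises for arg0.
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>"""


def build_request(field_xml):
    """Constructed createPurchaseOrder request wrapped around one field."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        '<ns1:createPurchaseOrder xmlns:ns1="http://purchaseorder.sample/">'
        "%s<arg1>100</arg1><arg2>90</arg2><arg3>BOOK</arg3>"
        "</ns1:createPurchaseOrder></soap:Body></soap:Envelope>"
    ) % (SOAP, field_xml)


# Constructed samples: qualified clear field, unqualified clear field, and a
# field replaced by XML Encryption (cipher value is a placeholder).
QUALIFIED_CLEAR = build_request("<ns1:arg0>1111-2345-4560</ns1:arg0>")
UNQUALIFIED_CLEAR = build_request("<arg0>1111-2345-4560</arg0>")
ENCRYPTED = build_request(
    '<xenc:EncryptedData xmlns:xenc="%s" Type="%sElement">'
    "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData>" % (XENC, XENC)
)

if __name__ == "__main__":
    policy_targets = encrypted_element_targets(POLICY)
    for label, message in (("qualified", QUALIFIED_CLEAR),
                           ("unqualified", UNQUALIFIED_CLEAR),
                           ("encrypted", ENCRYPTED)):
        print(label, check_request(message, policy_targets))
```

Run it against a request captured between the composite and the service: anything other than "encrypted" for the credit card field means the policy is not protecting it on that hop.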


Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on OWSM Policies tab. Click on Attach/Detach Button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service.

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option

Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the Partner Link creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference - click on the Policies tab

Figure 36: Click on the Attach/Detach Button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store either via EM or using WLST. This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to map oracle.wsm.security with username as orakey and password as welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to map oracle.wsm.security with username as orakey and password as welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the Weblogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager

March 2012

Author: Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores, CA 94065

USA

Worldwide Inquiries:

Phone: +1.650.506.7000

Fax: +1.650.506.7200

oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109


The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

2. orderQuantity
3. orderPrice
4. itemType

itemType is used to calculate the discount. The createPurchaseOrder method returns the total amount of the purchased order.

Figure 1 shows the schema for the JAX-WS Web Service.

Figure 1. Schema for PurchaseOrder Sample

Here is a sample message for testing with this Web Service:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      <arg0>1111-2345-4560</arg0>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>

Figure 2. Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page, as shown in Figure 3.

Figure 3. Testing the POJO PurchaseOrder WLS JAX-WS

Create Custom Policy for Field level Encryption

The next step is creating a policy in OWSM to handle field level encryption/decryption. For this sample, we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL, as shown in Figure 4.

Figure 4. Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name. We will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.

Figure 5. New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request, as shown in Figure 6.

Figure 6. Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response, as shown in Figure 7.

Figure 7. Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8. Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9. Policy after adding XPath Expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.

Figure 10. Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name. We will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.

Figure 11. Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.

Figure 12. Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13. Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14. Click on FieldLevelEncryption-Project1-context-root Application

Figure 15. Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16. Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17. Click on OWSM Policies tab. Click on Attach/Detach Button to launch the OWSM Policy Attachment Wizard

Figure 18. Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19. The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20. WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21. Insert a BPEL Process into an Empty Composite App

Figure 22. Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23. Result of creating a BPEL Process using the "Base on a WSDL" option

Figure 24. In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25. Walk through the PartnerLink creation process

Figure 26. Completion of the PartnerLink creation process

Figure 27. Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28. The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29. Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30. Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31. BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32. Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33. Click on the PurchaseOrderComposite App on the left hand side

Figure 34. Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35. On the PurchaseOrderReference, click on the Policies tab

Figure 36. Click on the Attach/Detach Button

Figure 37. Attach the sample/field_level_encryption_client_policy

Figure 38. The Policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.

Figure 39. View the Credential Store from the WebLogic Domain menu

Figure 40. Contents of the oracle.wsm.security Credential Map
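Once both policies are attached and the keys are in place, a request captured between the composite and the service can be checked to confirm that arg0 travels as xenc:EncryptedData while arg1 to arg3 stay readable, which is what turning off body encryption and adding the XPath for arg0 should produce. The Python check below is an added example, not part of the original guide or of OWSM; the ns1 namespace URI, the audit_request helper and the two encrypted captures are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
ENCRYPTED_DATA = "{%s}EncryptedData" % XENC_NS

# Figure 2 request as it looks with no policy applied. The ns1 URI is an
# assumed reading of the guide's namespace; the check does not depend on it.
CLEARTEXT_REQUEST = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      <arg0>1111-2345-4560</arg0>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>"""

# Constructed capture: arg0 replaced by element-level EncryptedData.
# The cipher value is a placeholder, not real cipher text.
FIELD_ENCRYPTED_REQUEST = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:CipherData>
          <xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <arg1>100</arg1>
      <arg2>90</arg2>
      <arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>"""

# Constructed capture: the whole Body content encrypted, as the stock
# message protection policies do.
BODY_ENCRYPTED_REQUEST = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Body>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData>
        <xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def audit_request(soap_xml, sensitive_fields, canary_values=()):
    """Report which Body fields are readable and which are encrypted.

    Fields are matched on local name only, so a namespace mismatch cannot
    hide a cleartext copy. canary_values are known test values (such as the
    sample card number) that must not appear anywhere in the raw message.
    """
    root = ET.fromstring(soap_xml)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("not a SOAP 1.1 envelope: no Body element")
    report = {"leaked_fields": [], "cleartext_fields": [],
              "encrypted_elements": 0, "body_encrypted": False}

    def walk(parent):
        for child in parent:
            if child.tag == ENCRYPTED_DATA:
                if parent is body and child.get("Type", "").endswith("#Content"):
                    report["body_encrypted"] = True
                else:
                    report["encrypted_elements"] += 1
                continue  # never descend into cipher text
            if len(child) == 0 and (child.text or "").strip():
                name = local_name(child.tag)
                key = "leaked_fields" if name in sensitive_fields else "cleartext_fields"
                report[key].append(name)
            walk(child)

    walk(body)
    report["leaked_values"] = [v for v in canary_values if v in soap_xml]
    if report["leaked_fields"] or report["leaked_values"]:
        report["verdict"] = "LEAK"
    elif report["body_encrypted"]:
        report["verdict"] = "BODY_ENCRYPTED"
    elif report["encrypted_elements"]:
        report["verdict"] = "FIELD_ENCRYPTED"
    else:
        report["verdict"] = "NO_SENSITIVE_FIELD_SEEN"
    return report


if __name__ == "__main__":
    for label, msg in (("no policy", CLEARTEXT_REQUEST),
                       ("field level", FIELD_ENCRYPTED_REQUEST),
                       ("whole body", BODY_ENCRYPTED_REQUEST)):
        print(label, audit_request(msg, {"arg0"}, ["1111-2345-4560"]))
```

A LEAK verdict on a captured request means the card number left the client unencrypted; FIELD_ENCRYPTED also lists the fields that remain readable on the wire by design.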

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Page 9: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 9

Here is a sample message for testing with this Web Service

Figure 2 Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service

You can test the Web Service via the FMWCTL Test page as shown in Figure 3

ltsoapEnvelope xmlnssoap=httpschemasxmlsoaporgsoapenvelopegt

ltsoapBody xmlnsns1=httppurchaseordersamplegt

ltns1createPurchaseOrdergt

ltarg0gt1111-2345-4560ltarg0gt

ltarg1gt100ltarg1gt

ltarg2gt90ltarg2gt

ltarg3gtBOOKltarg3gt

ltns1createPurchaseOrdergt

ltsoapBodygt

ltsoapEnvelopegt

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 10

Figure 3 Testing the POJO PurchaseOrder WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 11

Create Custom Policy for Field level Encryption

The next step is creating a Policy in OWSM to handle field level encryptiondecryption For this sample ndash we will start

with the wss11_message_protection_[client|service]_policy

First we will create a field level decryption policy from the wss11_message_protection_service_policy

1 Search for wss11_message_protection_service_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 4

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 12

Figure 4 Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2 Give the new policy a name ndash we will call it ldquosamplefield_level_decryption_service_policy as shown in Figure 5

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 13

Figure 5 New samplefield_level_decryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 14

3 Turn off Body Signing and Body Encryption for Request as show in Figure 6

Figure 6 Turn off Body SigningEncryption for Request

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 15

4 Turn off Body Signing and Body Encryption for Response as show in Figure 7

Figure 7 Turn off Body SigningEncryption for Response

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 16

5 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 8 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shown Figure 8 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2

Figure 8 Adding specific fields to be decrypted

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 17

6 Figure 9 Shows the end result of adding the XML Element to be decrypted

Figure 9 Policy after adding Xpath Expression for field level encryption

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 18

Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy

7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10

Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 19

8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11

Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 20

9 Turn off Body Signing and Body Encryption for Request as show in Figure 12

Figure 12 Turn off Body Signing and Body Encryption for Request

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 21

10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2

Figure 13 Add specific elements to encrypt

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 22

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web

Service This is shown in Figure 14 - Figure 19

Figure 14 Click on FieldLevelEncryption-Project1-context-root Application

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 23

Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 24

Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 25

Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 26

Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 27

Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 28

The part highlighted in bold indicates that the service expects arg0 to be encrypted

Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the

PurchaseOderComposite app

ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy

xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-

10xsd wsuId=PurchaseOrderPort_Input_Policygt

ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspHeader Name= Namespace=httpwwww3org200508addressinggt

ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt

ltspSignedPartsgt

ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspEncryptedPartsgt

ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and

local-name()=arg0]ltspXPathgt

ltspEncryptedElementsgt

ltwspPolicygt

Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 29

Figure 21: Insert a BPEL Process into an empty Composite App

Figure 22: Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the "Base on a WSDL" option

Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left-hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map
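Once both policies are attached and the keys are in place, a request captured between the composite and the service can be audited to confirm that the protected field travels as ciphertext while the rest of the body stays readable. The script below is an added example, not part of the original guide or of Oracle's code: audit_field_encryption is a hypothetical helper, and the namespace urn:example:purchaseorder, the operation submitOrder, the arg1 field and the three sample messages are constructed assumptions.

```python
"""Audit a captured SOAP request against a field-level encryption policy."""
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")    # SOAP 1.2
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Assumption: placeholder values. Use the namespace and element name that were
# entered in the policy's "Add" pop-up for the field to protect.
FIELD_NS = "urn:example:purchaseorder"
FIELD_NAME = "arg0"


def _qname(ns, local):
    """ElementTree (Clark) notation; an empty ns means an unqualified element."""
    return "{%s}%s" % (ns, local) if ns else local


def _local(tag):
    return tag.rpartition("}")[2]


def audit_field_encryption(envelope, field_ns=FIELD_NS, field_name=FIELD_NAME):
    """Classify one SOAP request; the field's value is never returned or logged."""
    # SOAP forbids DTDs; refusing them also avoids entity-expansion input.
    if "<!DOCTYPE" in envelope.upper():
        raise ValueError("DTD found in SOAP message")
    root = ET.fromstring(envelope)
    body = None
    for ns in SOAP_NS:
        if root.tag == _qname(ns, "Envelope"):
            body = root.find(_qname(ns, "Body"))
    if body is None:
        raise ValueError("not a SOAP envelope with a Body")

    enc_tag = _qname(XENC_NS, "EncryptedData")
    # Same reach as the policy's descendant-or-self test: any depth below Body.
    plaintext = sum(1 for _ in body.iter(_qname(field_ns, field_name)))
    parents = {child: parent for parent in body.iter() for child in parent}
    encrypted = list(body.iter(enc_tag))
    children = list(body)

    if plaintext:
        verdict = "PLAINTEXT_FIELD"        # policy missing or not enforced
    elif not encrypted:
        verdict = "FIELD_NOT_PRESENT"      # nothing matched and nothing encrypted
    elif all(child.tag == enc_tag for child in children):
        verdict = "WHOLE_BODY_ENCRYPTED"   # body-level protection, not field-level
    else:
        # Ciphertext sits inside an otherwise readable body. Which element it
        # replaced cannot be proven without the decryption key.
        verdict = "FIELD_ENCRYPTED"
    return {
        "verdict": verdict,
        "plaintext_fields": plaintext,
        "encrypted_data": len(encrypted),
        "encrypted_under": [_local(parents[e].tag) for e in encrypted],
    }


# Constructed sample messages (not captured traffic).
_ENVELOPE = ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:po="%s" xmlns:xenc="%s">'
             '<soapenv:Body>%%s</soapenv:Body></soapenv:Envelope>'
             % (SOAP_NS[0], FIELD_NS, XENC_NS))
_CIPHER = ('<xenc:EncryptedData Type="%s%s"><xenc:CipherData>'
           '<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>'
           '</xenc:CipherData></xenc:EncryptedData>')

PLAINTEXT_REQUEST = _ENVELOPE % (
    '<po:submitOrder><po:arg0>0000-0000-0000-0000</po:arg0>'
    '<po:arg1>widget</po:arg1></po:submitOrder>')
FIELD_ENCRYPTED_REQUEST = _ENVELOPE % (
    '<po:submitOrder>' + _CIPHER % (XENC_NS, "Element")
    + '<po:arg1>widget</po:arg1></po:submitOrder>')
BODY_ENCRYPTED_REQUEST = _ENVELOPE % (_CIPHER % (XENC_NS, "Content"))

if __name__ == "__main__":
    for name, msg in (("plaintext", PLAINTEXT_REQUEST),
                      ("field-level", FIELD_ENCRYPTED_REQUEST),
                      ("whole body", BODY_ENCRYPTED_REQUEST)):
        print(name, audit_field_encryption(msg))
```

Pass field_ns="" when the protected element is unqualified in the payload.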

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109

Figure 3: Testing the POJO PurchaseOrder WLS JAX-WS

Create Custom Policy for Field level Encryption

The next step is creating a policy in OWSM to handle field level encryption/decryption. For this sample, we will start with the wss11_message_protection_[client|service]_policy.

First we will create a field level decryption policy from the wss11_message_protection_service_policy.

1. Search for wss11_message_protection_service_policy and click on "Create Like" in FMWCTL as shown in Figure 4.

Figure 4: Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name. We will call it "sample/field_level_decryption_service_policy" as shown in Figure 5.

Figure 5: New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches a pop-up as shown in Figure 8. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9: Policy after adding the XPath expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name. We will call it "sample/field_level_encryption_client_policy" as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches a pop-up as shown in Figure 13. Enter the namespace for the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13: Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on the FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service



Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Figure 4. Creating a Field level Decryption Policy from wss11_message_protection_service_policy

2. Give the new policy a name – we will call it "sample/field_level_decryption_service_policy", as shown in Figure 5.

Figure 5. New sample/field_level_decryption_service_policy

3. Turn off Body Signing and Body Encryption for Request, as shown in Figure 6.

Figure 6. Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response, as shown in Figure 7.

Figure 7. Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8. Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9. Policy after adding XPath expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.

Figure 10. Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name – we will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.

Figure 11. Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.

Figure 12. Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13. Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14. Click on FieldLevelEncryption-Project1-context-root Application

Figure 15. Navigate to the Web Services in the Application via the Application Deployment menu

Figure 16. Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17. Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard

Figure 18. Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19. The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='httppurchaseordersample' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20. WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The sp:EncryptedElements XPath (highlighted in bold in the original) indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
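A structural check for the sp:EncryptedElements requirement in the Figure 20 policy, as an added example (not part of the original guide and not OWSM code): it confirms that the element the policy names never travels in cleartext inside the SOAP Body and that an xenc:EncryptedData element carries ciphertext instead. It also accepts the content-encrypted form, which goes beyond the element-level case the guide configures. The namespace http://example.test/purchaseorder, the order and arg1 elements and all sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
PO_NS = "http://example.test/purchaseorder"  # constructed placeholder namespace
ENCRYPTED_DATA = f"{{{XENC_NS}}}EncryptedData"


def qname(el):
    """Split an ElementTree tag into (namespace-uri, local-name)."""
    tag = el.tag
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def has_ciphertext(enc):
    """True if an xenc:EncryptedData element carries a non-empty CipherValue."""
    value = enc.find(f"{{{XENC_NS}}}CipherData/{{{XENC_NS}}}CipherValue")
    return value is not None and bool((value.text or "").strip())


def check_request(xml_text, ns, local):
    """Return a list of findings. An empty list means the request satisfies
    'element (ns, local) must be encrypted'. Nothing is decrypted here."""
    if "<!DOCTYPE" in xml_text:
        # SOAP messages must not contain a DTD; refusing it also avoids
        # entity-expansion tricks against the XML parser.
        return ["DOCTYPE present: SOAP messages must not carry a DTD"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return ["no SOAP Body"]

    findings = []
    # Same selection as the policy XPath:
    # descendant-or-self::*[namespace-uri()=ns and local-name()=local]
    for el in body.iter():
        if qname(el) != (ns, local):
            continue
        children = list(el)
        content_encrypted = (
            len(children) == 1
            and children[0].tag == ENCRYPTED_DATA
            and not (el.text or "").strip()
            and has_ciphertext(children[0])
        )
        if not content_encrypted:
            findings.append(f"{local} is present in cleartext")

    encrypted = list(body.iter(ENCRYPTED_DATA))
    if not encrypted:
        findings.append("no xenc:EncryptedData in the Body")
    elif not all(has_ciphertext(e) for e in encrypted):
        findings.append("xenc:EncryptedData without a CipherValue")
    return findings


def envelope(body_inner):
    """Wrap constructed payload XML in a SOAP 1.1 envelope."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:po="{PO_NS}" '
        f'xmlns:xenc="{XENC_NS}"><soapenv:Body><po:order>{body_inner}'
        f"</po:order></soapenv:Body></soapenv:Envelope>"
    )


# Constructed sample messages; the CipherValue is a dummy, not real ciphertext.
ENC = (
    '<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
    "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData>"
)
CLEAR = envelope("<po:arg0>4111111111111111</po:arg0><po:arg1>2 widgets</po:arg1>")
FIELD_ENCRYPTED = envelope(ENC + "<po:arg1>2 widgets</po:arg1>")
MIXED = envelope(ENC + "<po:arg0>4111111111111111</po:arg0>")
CONTENT_ENCRYPTED = envelope(
    "<po:arg0>" + ENC.replace("#Element", "#Content") + "</po:arg0>"
    "<po:arg1>2 widgets</po:arg1>"
)

if __name__ == "__main__":
    for name, msg in [("clear", CLEAR), ("field-encrypted", FIELD_ENCRYPTED),
                      ("mixed", MIXED), ("content-encrypted", CONTENT_ENCRYPTED)]:
        print(name, check_request(msg, PO_NS, "arg0") or "OK")
```

Because the policy turns off whole-body protection, every field other than arg0 (arg1 in the samples) is expected to remain readable on the wire; the check only enforces the one element the XPath names.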

Figure 21. Insert a BPEL Process into an Empty Composite App

Figure 22. Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23. Result of creating a BPEL Process using the "Base on a WSDL" option

Figure 24. In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25. Walk through the PartnerLink creation process

Figure 26. Completion of the PartnerLink creation process

Figure 27. Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28. The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29. Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30. Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31. BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32. Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33. Click on the PurchaseOrderComposite App on the left-hand side

Figure 34. Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35. On the PurchaseOrderReference, click on the Policies tab

Figure 36. Click on the Attach/Detach button

Figure 37. Attach the sample/field_level_encryption_client_policy

Figure 38. The policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.

Figure 39. View the Credential Store from the WebLogic Domain menu

Figure 40. Contents of the oracle.wsm.security Credential Map
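A consistency check between the oracle.wsm.security entries and the keystore, as an added example (not part of the original guide and not an Oracle tool): it reads a JKS file, verifies that the store password held in keystore-csf-key matches the keystore's integrity digest, and confirms that the aliases named by enc-csf-key and sign-csf-key exist as private-key entries. CSF_MAP mirrors the createCred calls above; build_sample_jks produces a constructed keystore with dummy key and certificate bytes so the example runs offline.

```python
import hashlib
import struct

MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest

# Mirrors the createCred calls in the guide: csf key -> (user, password).
CSF_MAP = {
    "keystore-csf-key": ("owsm", "welcome1"),
    "enc-csf-key": ("orakey", "welcome1"),
    "sign-csf-key": ("orakey", "welcome1"),
}


def _utf(buf, pos):
    """Read a length-prefixed (2-byte) string, as written by DataOutputStream.writeUTF."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _blob(buf, pos):
    """Read a length-prefixed (4-byte) byte array."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _skip_cert(buf, pos, version):
    if version == 2:
        _, pos = _utf(buf, pos)  # certificate type, e.g. "X.509"
    _, pos = _blob(buf, pos)
    return pos


def read_jks(data, store_password):
    """Return {alias: 'private-key' | 'trusted-cert'} after verifying the
    integrity digest with store_password. Raises ValueError on failure."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != MAGIC or version not in (1, 2):
        # Recent keytool releases write PKCS12 by default, even to a .jks name.
        raise ValueError("not a JKS keystore (possibly PKCS12)")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _utf(data, pos + 4)
        pos += 8  # creation timestamp
        if tag == 1:  # private key entry: protected key + certificate chain
            _, pos = _blob(data, pos)
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                pos = _skip_cert(data, pos, version)
            entries[alias] = "private-key"
        elif tag == 2:  # trusted certificate entry
            pos = _skip_cert(data, pos, version)
            entries[alias] = "trusted-cert"
        else:
            raise ValueError(f"unknown entry tag {tag}")
    # Digest = SHA-1(password as UTF-16BE || WHITENER || all preceding bytes)
    expected = hashlib.sha1(
        store_password.encode("utf-16-be") + WHITENER + data[:pos]).digest()
    if expected != data[pos:pos + 20]:
        raise ValueError("store password does not match the keystore integrity digest")
    return entries


def check_csf_against_keystore(jks_bytes, csf_map):
    """Return findings; an empty list means the credential map and keystore agree.
    The per-key password (keypass) is not checked: that needs the key decrypted."""
    _, store_pw = csf_map["keystore-csf-key"]
    try:
        entries = read_jks(jks_bytes, store_pw)
    except (ValueError, struct.error) as exc:
        return [f"keystore-csf-key: {exc}"]
    findings = []
    for key in ("enc-csf-key", "sign-csf-key"):
        alias, _ = csf_map[key]
        kind = entries.get(alias.lower())  # JKS stores aliases in lower case
        if kind is None:
            findings.append(f"{key}: alias '{alias}' not found in keystore")
        elif kind != "private-key":
            findings.append(f"{key}: alias '{alias}' has no private key")
    return findings


def build_sample_jks(alias, store_password):
    """Constructed, minimal JKS v2 with one private-key entry (dummy bytes)."""
    def utf(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b

    def blob(b):
        return struct.pack(">I", len(b)) + b

    body = struct.pack(">III", MAGIC, 2, 1)
    body += struct.pack(">I", 1) + utf(alias) + struct.pack(">q", 0)
    body += blob(b"dummy-protected-key") + struct.pack(">I", 1)
    body += utf("X.509") + blob(b"dummy-certificate")
    digest = hashlib.sha1(store_password.encode("utf-16-be") + WHITENER + body).digest()
    return body + digest


if __name__ == "__main__":
    sample = build_sample_jks("orakey", "welcome1")
    print(check_csf_against_keystore(sample, CSF_MAP) or "credential map matches keystore")
```

To run it against a real file, pass the bytes of $FMW_DOMAIN_HOME/config/fmwconfig/default-keystore.jks and the values actually stored in the credential map.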

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.


Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 29

Figure 21 Insert a BPEL Process into an Empty Composite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 30

Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder

POJO WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 31

Figure 23 Result of creating a BPEL Process using the Base on a WSDL option

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 32

Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as

the WSDL URL

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 33

Figure 25 Walkthrough the PartnerLink creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 34

Figure 26 Completion of the Partner Link creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 35

Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created

previously

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 36

Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 37

Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on

the receive to the input of the Invoke

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 38

Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.


3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.

Figure 6: Turn off Body Signing/Encryption for Request

4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.

Figure 7: Turn off Body Signing/Encryption for Response

5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9: Policy after adding XPath expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.

Figure 10: Creating a Field level Encryption Policy from wss11_message_protection_client_policy

8. Give the new policy a name. We will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.

Figure 11: Provide a name for the new policy sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13: Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment Menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

The part highlighted in bold in Figure 20 indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='httppurchaseordersample' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
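The policy in Figure 20 can be checked mechanically. The following Python script is an added example, not part of the original guide or of OWSM: it reads the sp:EncryptedElements XPath predicates from a WS-SecurityPolicy block, confirms that whole-body encryption is off, and reports which policy fields still appear in cleartext in a SOAP message. The namespace http://example.test/purchaseorder, the order wrapper element and the sample messages are constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
APP_NS = "http://example.test/purchaseorder"  # constructed placeholder namespace

# Constructed policy with the same shape as the one shown in Figure 20.
POLICY = f"""
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="{SP}">
  <sp:EncryptedParts>
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements>
    <sp:XPath>descendant-or-self::*[namespace-uri()='{APP_NS}' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>
"""

# Matches the predicate form used in the policy:
#   namespace-uri()='<ns>' and local-name()='<name>'
PREDICATE = re.compile(
    r"namespace-uri\(\)\s*=\s*(['\"])(.*?)\1\s+and\s+local-name\(\)\s*=\s*(['\"])(.*?)\3"
)


def encrypted_fields(policy_xml):
    """Return [(namespace, local_name)] named under sp:EncryptedElements."""
    root = ET.fromstring(policy_xml)
    fields = []
    for block in root.iter(f"{{{SP}}}EncryptedElements"):
        for xpath in block.findall(f"{{{SP}}}XPath"):
            match = PREDICATE.search(xpath.text or "")
            if match is None:
                # Fail closed: an expression we cannot interpret is not "fine".
                raise ValueError(f"unsupported XPath in policy: {xpath.text!r}")
            fields.append((match.group(2), match.group(4)))
    return fields


def body_encryption_required(policy_xml):
    """True when sp:EncryptedParts lists sp:Body (whole-body encryption on)."""
    root = ET.fromstring(policy_xml)
    return any(
        parts.find(f"{{{SP}}}Body") is not None
        for parts in root.iter(f"{{{SP}}}EncryptedParts")
    )


def cleartext_fields(soap_xml, fields):
    """Return the names of policy fields that are readable in the SOAP Body.

    A field is treated as protected when the element is absent (it was
    replaced by xenc:EncryptedData) or when its only content is a single
    xenc:EncryptedData child (content encryption).
    """
    body = ET.fromstring(soap_xml).find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("message has no SOAP Body")
    leaked = []
    for ns, name in fields:
        tag = f"{{{ns}}}{name}" if ns else name
        for element in body.iter(tag):
            children = list(element)
            only_cipher = (
                len(children) == 1
                and children[0].tag == f"{{{XENC}}}EncryptedData"
                and not (element.text or "").strip()
            )
            if not only_cipher:
                leaked.append(name)
    return leaked


def _envelope(inner):
    """Wrap constructed body content in a SOAP envelope."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:po="{APP_NS}" xmlns:xenc="{XENC}">'
        f"<soap:Body><po:order>{inner}</po:order></soap:Body></soap:Envelope>"
    )


# Constructed sample messages; the card number and cipher text are placeholders.
CIPHER = (
    "<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ="
    "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>"
)
CLEARTEXT_MSG = _envelope("<po:arg0>0000-0000-0000-0000</po:arg0><po:arg1>2 widgets</po:arg1>")
ELEMENT_ENCRYPTED_MSG = _envelope(CIPHER + "<po:arg1>2 widgets</po:arg1>")
CONTENT_ENCRYPTED_MSG = _envelope(f"<po:arg0>{CIPHER}</po:arg0><po:arg1>2 widgets</po:arg1>")

if __name__ == "__main__":
    fields = encrypted_fields(POLICY)
    print("fields the policy expects encrypted:", fields)
    print("whole-body encryption required:", body_encryption_required(POLICY))
    for label, msg in [("cleartext", CLEARTEXT_MSG),
                       ("element-encrypted", ELEMENT_ENCRYPTED_MSG),
                       ("content-encrypted", CONTENT_ENCRYPTED_MSG)]:
        print(f"{label}: readable fields = {cleartext_fields(msg, fields)}")
```

The script only inspects message structure; it does not decrypt or validate the cipher text. ElementTree is used here on local, trusted samples; a WSDL fetched from an untrusted endpoint should go through a hardened XML parser.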

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option

Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side



5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace of the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 8: Adding specific fields to be decrypted

6. Figure 9 shows the end result of adding the XML element to be decrypted.

Figure 9: Policy after adding the XPath expression for field level encryption

Next we will create a field level encryption policy from the wss11_message_protection_client_policy.

7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL, as shown in Figure 10.

Figure 10: Creating a field level encryption policy from wss11_message_protection_client_policy

8. Give the new policy a name; we will call it "sample/field_level_encryption_client_policy", as shown in Figure 11.

Figure 11: Provide a name for the new policy: sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace of the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13: Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on the FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard

Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service.

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self[namespace-uri()=httppurchaseordersample and local-name()=arg0]</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21: Insert a BPEL Process into an empty Composite App

Figure 22: Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the "Base on a WSDL" option

Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left-hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference
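With the client policy encrypting arg0 and the service policy expecting it encrypted, a request captured between the composite and the service should carry an xenc:EncryptedData element in place of arg0 while the rest of the Body stays readable. The following is an added example, not part of the original guide or of OWSM, that checks a captured request for this; the namespace http://example.test/purchaseorder, the submitOrder operation and the sample messages are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Assumption: placeholder namespace. Use the namespace and element name
# that were entered in the policy's XPath dialog.
SENSITIVE = ("http://example.test/purchaseorder", "arg0")


def split_tag(el):
    """Turn ElementTree's '{namespace}local' tag into (namespace, local)."""
    if el.tag.startswith("{"):
        ns, local = el.tag[1:].split("}", 1)
        return ns, local
    return "", el.tag


def check_field_encryption(soap_xml, sensitive=SENSITIVE):
    """Return a list of findings; an empty list means the request matches
    a policy that encrypts only the `sensitive` element."""
    if "<!DOCTYPE" in soap_xml:
        # SOAP forbids DTDs; refusing them also avoids entity expansion.
        return ["message contains a DOCTYPE; not parsed"]
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        return ["no soap:Body element"]

    # Ids that the wsse:Security header lists as encrypted parts.
    referenced = set()
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is not None:
        for ref in security.iter(f"{{{XENC}}}DataReference"):
            referenced.add(ref.get("URI", "").lstrip("#"))

    findings = []
    # 1. The sensitive element must not be readable on the wire.
    #    Element encryption replaces it entirely; content encryption keeps
    #    the element but leaves only an EncryptedData child inside it.
    for el in body.iter():
        if split_tag(el) != sensitive:
            continue
        kids = list(el)
        content_encrypted = (
            len(kids) == 1
            and split_tag(kids[0]) == (XENC, "EncryptedData")
            and not (el.text or "").strip()
        )
        if not content_encrypted:
            findings.append(f"cleartext {sensitive[1]} in soap:Body")

    # 2. Something must be encrypted, and the header must account for it.
    encrypted = list(body.iter(f"{{{XENC}}}EncryptedData"))
    if not encrypted:
        findings.append("no xenc:EncryptedData in soap:Body")
    for data in encrypted:
        ident = data.get("Id")
        if ident not in referenced:
            findings.append(
                f"EncryptedData {ident!r} not referenced from wsse:Security")
        if data.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue") is None:
            findings.append(f"EncryptedData {ident!r} has no CipherValue")

    # 3. Field-level means the operation element itself stays readable.
    if any(split_tag(child) == (XENC, "EncryptedData") for child in body):
        findings.append("whole soap:Body content is encrypted, not one field")
    return findings


def cipher(ident):
    """Constructed EncryptedData element with a dummy CipherValue."""
    return (f'<xenc:EncryptedData Id="{ident}" Type="{XENC}Element">'
            "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ="
            "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>")


def sample_request(body_fields, refs=("ED-1",)):
    """Build a constructed request; submitOrder is a made-up operation."""
    ref_xml = "".join(f'<xenc:DataReference URI="#{r}"/>' for r in refs)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" '
        f'xmlns:xenc="{XENC}" xmlns:po="{SENSITIVE[0]}">'
        "<soap:Header><wsse:Security><xenc:EncryptedKey>"
        f"<xenc:ReferenceList>{ref_xml}</xenc:ReferenceList>"
        "</xenc:EncryptedKey></wsse:Security></soap:Header>"
        f"<soap:Body><po:submitOrder>{body_fields}"
        "<po:arg1>widget</po:arg1></po:submitOrder></soap:Body>"
        "</soap:Envelope>"
    )


# Constructed sample messages (not captured from a real system).
ENCRYPTED = sample_request(cipher("ED-1"))
LEAKED = sample_request("<po:arg0>4111111111111111</po:arg0>", refs=())
UNREFERENCED = sample_request(cipher("ED-9"))

if __name__ == "__main__":
    for name, msg in [("encrypted", ENCRYPTED), ("leaked", LEAKED),
                      ("unreferenced", UNREFERENCED)]:
        print(name, check_field_encryption(msg) or "OK")
```
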

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to

http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST.

This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109

Page 17: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 17

6 Figure 9 Shows the end result of adding the XML Element to be decrypted

Figure 9 Policy after adding Xpath Expression for field level encryption

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 18

Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy

7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10

Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 19

8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11

Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 20

9 Turn off Body Signing and Body Encryption for Request as show in Figure 12

Figure 12 Turn off Body Signing and Body Encryption for Request

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 21

10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2

Figure 13 Add specific elements to encrypt

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 22

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web

Service This is shown in Figure 14 - Figure 19

Figure 14 Click on FieldLevelEncryption-Project1-context-root Application

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 23

Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 24

Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 25

Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 26

Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 27

Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 28

The part highlighted in bold indicates that the service expects arg0 to be encrypted

Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the

PurchaseOderComposite app

ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy

xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-

10xsd wsuId=PurchaseOrderPort_Input_Policygt

ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspHeader Name= Namespace=httpwwww3org200508addressinggt

ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt

ltspSignedPartsgt

ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspEncryptedPartsgt

ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and

local-name()=arg0]ltspXPathgt

ltspEncryptedElementsgt

ltwspPolicygt

Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 29

Figure 21 Insert a BPEL Process into an Empty Composite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 30

Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder

POJO WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 31

Figure 23 Result of creating a BPEL Process using the Base on a WSDL option

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 32

Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as

the WSDL URL

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 33

Figure 25 Walkthrough the PartnerLink creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 34

Figure 26 Completion of the Partner Link creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 35

Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created

previously

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 36

Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 37

Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on

the receive to the input of the Invoke

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 38

Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 18: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 18

Next we will create create a field level encryption policy from the wss11_messsage_protection_client_policy

7 Search for wss11_message_protection_client_policy and Click on ldquoCreate Likerdquo in FMWCTL as shown in Figure 10

Figure 10 Creating a Field level Encryption Policy from wss11_message_protection_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 19

8 Give the new policy a name ndash we will call it ldquosamplefield_level_encryption_client_policy as shown in Figure 11

Figure 11 Provide a name for the new policy samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 20

9 Turn off Body Signing and Body Encryption for Request as show in Figure 12

Figure 12 Turn off Body Signing and Body Encryption for Request

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 21

10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2

Figure 13 Add specific elements to encrypt

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 22

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web

Service This is shown in Figure 14 - Figure 19

Figure 14 Click on FieldLevelEncryption-Project1-context-root Application

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 23

Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 24

Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 25

Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 26

Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 27

Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 28

The part highlighted in bold indicates that the service expects arg0 to be encrypted

Now the Purchase Order POJO WLS JAX-WS is secured with ldquosamplefield_level_decryption_service_policyrdquo

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App Figure 21 - Figure 32 shows the steps for creating the

PurchaseOderComposite app

ltwspPolicy xmlnswsp=httpschemasxmlsoaporgws200409policy

xmlnswsu=httpdocsoasis-openorgwss200401oasis-200401-wss-wssecurity-utility-

10xsd wsuId=PurchaseOrderPort_Input_Policygt

ltspSignedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspHeader Name= Namespace=httpwwww3org200508addressinggt

ltspHeader Name= Namespace=httpschemasxmlsoaporgws200408addressinggt

ltspSignedPartsgt

ltspSignedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspEncryptedParts xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspHeader Name=fmw-context Namespace=httpxmlnsoraclecomfmwcontext10gt

ltspEncryptedPartsgt

ltspEncryptedElements xmlnssp=httpschemasxmlsoaporgws200507securitypolicygt

ltspXPathgtdescendant-or-self[namespace-uri()=httppurchaseordersample and

local-name()=arg0]ltspXPathgt

ltspEncryptedElementsgt

ltwspPolicygt

Figure 20 WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the samplefield_level_decryption_service_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 29

Figure 21 Insert a BPEL Process into an Empty Composite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 30

Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder

POJO WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Figure 23: Result of creating a BPEL Process using the “Base on a WSDL” option

Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL.

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke.

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the “sample/field_level_encryption_client_policy” to the PurchaseOrderReference of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left-hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109


8. Give the new policy a name – we will call it “sample/field_level_encryption_client_policy”, as shown in Figure 11.

Figure 11: Provide a name for the new policy: sample/field_level_encryption_client_policy

9. Turn off Body Signing and Body Encryption for Request, as shown in Figure 12.

Figure 12: Turn off Body Signing and Body Encryption for Request

10. Specify the XPath expression in the Request tab for the field to be decrypted in the payload, as shown in Figure 13. This is done by clicking on the “Add” button, which launches a pop-up, as shown in Figure 13. Enter the namespace for the element and the name of the element that needs to be decrypted. In this case we want to decrypt the credit card number. This is arg0 in the sample message posted earlier in this document (see Figure 2).

Figure 13: Add specific elements to encrypt

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11. Attach the newly created “sample/field_level_decryption_service_policy” to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.

Figure 14: Click on the FieldLevelEncryption-Project1-context-root Application

Figure 15: Navigate to the Web Services in the Application via the Application Deployment menu

Figure 16: Click on PurchaseOrderPort to navigate to the Web Service Port

Figure 17: Click on the OWSM Policies tab. Click on the Attach/Detach button to launch the OWSM Policy Attachment Wizard.

Figure 18: Attach sample/field_level_decryption_service_policy to the PurchaseOrder POJO WLS JAX-WS Web Service

Figure 19: The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

In the WSDL shown in Figure 20, the part highlighted in bold indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with “sample/field_level_decryption_service_policy”.

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite App.

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='httppurchaseordersample' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
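The following Python check is an added example, not code from this guide or from OWSM: it reads the sp:EncryptedElements selector from a policy like the one in Figure 20 and audits captured SOAP requests for the targeted field still travelling in clear text. The namespace urn:example:purchaseorder, the placeOrder and arg1 names, and all sample messages are constructed placeholders, not the service's real values.

```python
import re
import xml.etree.ElementTree as ET

SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
XENC_ELEMENT = XENC_NS + "Element"   # Type value for whole-element encryption
APP_NS = "urn:example:purchaseorder"  # placeholder target namespace (assumption)

# Selector form used by the policy in Figure 20:
#   descendant-or-self::*[namespace-uri()='NS' and local-name()='NAME']
_SELECTOR = re.compile(
    r"namespace-uri\(\)\s*=\s*(['\"])(?P<ns>.*?)\1\s+and\s+"
    r"local-name\(\)\s*=\s*(['\"])(?P<name>.*?)\3"
)


def encrypted_element_targets(policy_xml):
    """Return the (namespace, local-name) pairs listed under sp:EncryptedElements."""
    root = ET.fromstring(policy_xml)
    targets = []
    for enc in root.iter("{%s}EncryptedElements" % SP_NS):
        for xpath in enc.findall("{%s}XPath" % SP_NS):
            m = _SELECTOR.search(xpath.text or "")
            if m is None:
                raise ValueError("unsupported selector: %r" % xpath.text)
            targets.append((m.group("ns"), m.group("name")))
    return targets


def _split(tag):
    """Split ElementTree's '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_request(soap_xml, targets):
    """Audit one SOAP request against the field-level encryption targets.

    cleartext  : targeted elements still present unencrypted
    lookalikes : same local name, different namespace; the selector does NOT
                 match these, so the policy would leave them unencrypted
    The audit cannot prove which element an EncryptedData replaced; it only
    checks that no target is left in clear and that ciphertext is present.
    """
    body = ET.fromstring(soap_xml).find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("no SOAP Body")
    names = {name for _, name in targets}
    report = {"cleartext": [], "lookalikes": [], "encrypted_elements": 0}
    for el in body.iter():
        ns, local = _split(el.tag)
        if (ns, local) in targets:
            report["cleartext"].append(local)
        elif local in names:
            report["lookalikes"].append((ns, local))
        elif (ns, local) == (XENC_NS, "EncryptedData") and el.get("Type") == XENC_ELEMENT:
            report["encrypted_elements"] += 1
    report["compliant"] = (not report["cleartext"] and not report["lookalikes"]
                           and report["encrypted_elements"] > 0)
    return report


# --- constructed sample data -------------------------------------------------
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='urn:example:purchaseorder' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>"""


def _envelope(first_child):
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:po="%s"><soapenv:Body>'
            '<po:placeOrder>%s<po:arg1>widget</po:arg1></po:placeOrder>'
            '</soapenv:Body></soapenv:Envelope>' % (SOAP_NS, APP_NS, first_child))


# Card number below is a constructed test value.
CLEAR = _envelope('<po:arg0>4111111111111111</po:arg0>')
ENCRYPTED = _envelope(
    '<xenc:EncryptedData xmlns:xenc="%s" Type="%s"><xenc:CipherData>'
    '<xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData>' % (XENC_NS, XENC_ELEMENT))
UNQUALIFIED = _envelope('<arg0>4111111111111111</arg0>')  # no namespace on arg0

if __name__ == "__main__":
    t = encrypted_element_targets(POLICY)
    for label, msg in (("clear", CLEAR), ("encrypted", ENCRYPTED),
                       ("unqualified", UNQUALIFIED)):
        print(label, audit_request(msg, t))
```

The unqualified case is the one to watch when writing the selector: an arg0 element emitted without the expected namespace is not matched by the XPath, so it would pass through the policy unencrypted.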

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the “Base on a WSDL” option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS.



Page 21: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 21

10 Specify the Xpath expression in Request tab for the field to be decrypted in the payload as shown in Figure 13 This is done by clicking on the ldquoAddrdquo Button This will launch a pop-up as shownFigure 13 Enter the namespace for the element and the element name that needs to be decrypted In this case we want to decrypt the credit card number This is arg0 in the sample message posted earlier in this document See Figure 2

Figure 13 Add specific elements to encrypt

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 22

Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service

11 Attach the new created ldquosamplefield_level_decryption_service_policyrdquo to the PurchaseOder WLS JAX-WS Web

Service This is shown in Figure 14 - Figure 19

Figure 14 Click on FieldLevelEncryption-Project1-context-root Application

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 23

Figure 15 Navigate to the Web Services in the Application via the Application Deployment Menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 24

Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 25

Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 26

Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 27

Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service:

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy

The part highlighted in bold (the sp:EncryptedElements assertion, whose XPath selects arg0) indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS

Figure 23: Result of creating a BPEL Process using the "Base on a WSDL" option

Figure 24: In the BPEL Process create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the PurchaseOrderReference of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach Button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference
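With the client policy on the reference and the service policy on the port, a request on the wire should carry arg0 as xenc:EncryptedData while the rest of the Body stays readable. The following is an added example, not part of the original guide or of OWSM, that classifies a captured SOAP request against the XPath from Figure 20. The namespace URI http://purchaseorder.sample/ is the assumed punctuated form of the value in that XPath; the processOrder wrapper, the cardNumber and quantity elements and all sample messages are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"
FIELD_NS = "http://purchaseorder.sample/"   # namespace-uri() in the Figure 20 XPath (assumed form)
FIELD_LOCAL = "arg0"                        # local-name() in the Figure 20 XPath


def split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (namespace-uri, local-name)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def classify_request(envelope_xml):
    """Classify a SOAP 1.1 request against the field-level encryption policy.

    PLAINTEXT_FIELD  the element the XPath selects is readable in the Body
    FIELD_ENCRYPTED  element-level EncryptedData sits inside the payload
    BODY_ENCRYPTED   EncryptedData replaces the Body content as a whole
    NOT_PROTECTED    neither the selected element nor ciphertext was found
    REJECTED         carries a DTD, is not well-formed, or has no SOAP Body
    """
    if "<!DOCTYPE" in envelope_xml:           # SOAP messages must not carry a DTD
        return "REJECTED"
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return "REJECTED"
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        return "REJECTED"

    # Same selection as descendant-or-self::*[namespace-uri()=... and local-name()=...]
    for el in body.iter():
        if split_tag(el.tag) == (FIELD_NS, FIELD_LOCAL):
            return "PLAINTEXT_FIELD"

    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: p for p in body.iter() for child in p}
    x = "{%s}" % XENC_NS
    verdict = "NOT_PROTECTED"
    for enc in body.iter(x + "EncryptedData"):
        value = enc.find(x + "CipherData/" + x + "CipherValue")
        if value is None or not (value.text or "").strip():
            continue                          # empty shell without ciphertext
        if parent.get(enc) is body:
            verdict = "BODY_ENCRYPTED"        # whole-body message protection
        elif enc.get("Type") == XENC_NS + "Element":
            return "FIELD_ENCRYPTED"          # one element replaced in place
    return verdict


def envelope(inner):
    """Wrap constructed payload XML in a SOAP 1.1 envelope."""
    return ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>%s'
            '</soapenv:Body></soapenv:Envelope>' % (SOAP_NS, inner))


def encrypted_data(kind):
    """Constructed xenc:EncryptedData; the CipherValue is a placeholder."""
    return ('<xenc:EncryptedData xmlns:xenc="%s" Type="%s%s"><xenc:CipherData>'
            '<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>'
            '</xenc:CipherData></xenc:EncryptedData>' % (XENC_NS, XENC_NS, kind))


# Constructed sample requests (not captured from a real system).
PLAINTEXT_REQUEST = envelope(
    '<po:processOrder xmlns:po="%s"><po:arg0><cardNumber>0000-CONSTRUCTED'
    '</cardNumber></po:arg0><quantity>3</quantity></po:processOrder>' % FIELD_NS)
FIELD_ENCRYPTED_REQUEST = envelope(
    '<po:processOrder xmlns:po="%s">%s<quantity>3</quantity>'
    '</po:processOrder>' % (FIELD_NS, encrypted_data("Element")))
BODY_ENCRYPTED_REQUEST = envelope(encrypted_data("Content"))
# arg0 without a namespace: the policy XPath does not select it, so nothing
# in this message is covered by the EncryptedElements assertion.
UNQUALIFIED_REQUEST = envelope(
    '<po:processOrder xmlns:po="%s"><arg0><cardNumber>0000-CONSTRUCTED'
    '</cardNumber></arg0></po:processOrder>' % FIELD_NS)

if __name__ == "__main__":
    for name in ("PLAINTEXT_REQUEST", "FIELD_ENCRYPTED_REQUEST",
                 "BODY_ENCRYPTED_REQUEST", "UNQUALIFIED_REQUEST"):
        print(name, "->", classify_request(globals()[name]))
```

The check cannot prove that the ciphertext is arg0 without the decryption key; it establishes that the selected element is not readable and that element-level ciphertext is present in the payload.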


Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109



Page 24: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 24

Figure 16 Click on PurchaseOrderPort to navigate to the Web Service Port

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 25

Figure 17 Click on OWSM Policies tab Click on AttachDetach Button to launch the OWSM Policy Attachment Wizard

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 26

Figure 18 Attach samplefield_level_decryption_service_policy to PurchaseOrder POJO WLS JAX-WS Web Service

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 27

Figure 19 The PurchaseOrderPort after completion of the OWSM Policy Attachment

Check the WSDL of the Service

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='httppurchaseordersample' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy.

The sp:EncryptedElements assertion, highlighted in bold, indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.

Figure 21: Insert a BPEL Process into an Empty Composite App.

Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS.

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option.

Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL.

Figure 25: Walk through the PartnerLink creation process.

Figure 26: Completion of the PartnerLink creation process.

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously.

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference.

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke.

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput.

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities.

Figure 32: Completed PurchaseOrderComposite App.

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left hand side.

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite.

Figure 35: On the PurchaseOrderReference, click on the Policies tab.

Figure 36: Click on the Attach/Detach button.

Figure 37: Attach the sample/field_level_encryption_client_policy.

Figure 38: The Policy is now attached to the PurchaseOrderReference.
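Added example, not part of the original guide: a Python check that reads the sp:EncryptedElements XPath from a policy shaped like the one in Figure 20 and audits a SOAP message for the protected field travelling in cleartext. The namespace http://example.test/purchaseorder, the submit and card element names and the three messages are constructed for illustration; only the namespace-uri()/local-name() predicate form used in the guide's policy is parsed.

```python
import re
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
PO_NS = "http://example.test/purchaseorder"  # constructed; use your service's targetNamespace

# Constructed policy fragment in the shape of the WSDL policy in Figure 20.
POLICY = f"""<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <sp:EncryptedElements xmlns:sp="{SP}">
    <sp:XPath>descendant-or-self::*[namespace-uri()='{PO_NS}' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>"""


def envelope(payload):
    """Wrap a payload in a SOAP 1.1 envelope (hypothetical 'submit' operation)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:po="{PO_NS}" xmlns:xenc="{XENC}">'
            f"<soap:Body><po:submit>{payload}</po:submit></soap:Body></soap:Envelope>")


# Constructed sample messages.
CLEAR_MSG = envelope("<po:arg0><po:card>CONSTRUCTED-0000</po:card></po:arg0>")
ENCRYPTED_MSG = envelope(
    f'<xenc:EncryptedData Type="{XENC}Element"><xenc:CipherData>'
    "<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
    "</xenc:CipherData></xenc:EncryptedData>")
UNQUALIFIED_MSG = envelope("<arg0><card>CONSTRUCTED-0000</card></arg0>")

PRED = re.compile(r"""(namespace-uri|local-name)\(\)\s*=\s*(['"])(.*?)\2""")


def encrypted_targets(policy_xml):
    """Return [(namespace, local-name)] for each sp:EncryptedElements XPath."""
    targets = []
    for assertion in ET.fromstring(policy_xml).iter(f"{{{SP}}}EncryptedElements"):
        for xpath in assertion.findall(f"{{{SP}}}XPath"):
            parts = {name: value for name, _, value in PRED.findall(xpath.text or "")}
            if "local-name" not in parts:
                raise ValueError(f"unsupported XPath form: {xpath.text!r}")
            targets.append((parts.get("namespace-uri", ""), parts["local-name"]))
    return targets


def split_tag(tag):
    """Split an ElementTree tag into (namespace, local-name)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_message(soap_xml, targets):
    """Report protected elements left in cleartext inside the SOAP Body."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no SOAP 1.1 Body found")
    report = {"cleartext": [], "near_miss": [], "encrypted_data": 0}
    wanted_locals = {local for _, local in targets}
    for el in body.iter():
        ns, local = split_tag(el.tag)
        if (ns, local) == (XENC, "EncryptedData"):
            # Whole-element encryption replaces the element with EncryptedData.
            if el.get("Type") == XENC + "Element":
                report["encrypted_data"] += 1
        elif (ns, local) in targets:
            report["cleartext"].append(el.tag)   # selected by the policy, not encrypted
        elif local in wanted_locals:
            report["near_miss"].append(el.tag)   # same name, namespace the XPath does not match
    return report


def conforms(report):
    """True when no protected (or look-alike) element is visible in cleartext."""
    return not report["cleartext"] and not report["near_miss"]


if __name__ == "__main__":
    targets = encrypted_targets(POLICY)
    for name, msg in [("clear", CLEAR_MSG), ("encrypted", ENCRYPTED_MSG),
                      ("unqualified", UNQUALIFIED_MSG)]:
        print(name, audit_message(msg, targets))
```

A near_miss result means an element with the protected local name sits in a different (or no) namespace, so the policy's XPath does not select it and it would be sent unencrypted.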

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu.

Figure 40: Contents of the oracle.wsm.security Credential Map.
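Added example, not part of the original guide: a Python check that the alias named by enc-csf-key and sign-csf-key exists as a private-key entry in a JKS keystore, and that the keystore-csf-key password passes the store's integrity check. The keystore bytes are constructed in the script with placeholder key and certificate data; pass the bytes of your own default-keystore.jks to read_jks_aliases to use it.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
# CSF entries from the guide: for enc/sign keys the user name is the keystore alias.
CSF_ALIASES = {"enc-csf-key": "orakey", "sign-csf-key": "orakey"}


class Reader:
    """Big-endian cursor over the keystore bytes."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def utf(self):  # Java writeUTF: 2-byte length, then the bytes
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")

    def blob(self):  # 4-byte length, then the bytes
        return self.take(self.u32())


def store_digest(body, storepass):
    """JKS integrity hash: SHA-1 over UTF-16BE password, a fixed string, and the store body."""
    return hashlib.sha1(storepass.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


def read_jks_aliases(data, storepass):
    """Return {alias: entry type} after verifying the store password."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        # JDK 9+ keytool writes PKCS12 unless -storetype JKS is given.
        raise ValueError("not a JKS keystore")
    body, digest = data[:-20], data[-20:]
    if store_digest(body, storepass) != digest:
        raise ValueError("integrity check failed: wrong store password or modified keystore")
    r = Reader(body)
    r.take(4)  # magic, already checked
    version, count = r.u32(), r.u32()

    def skip_cert():
        if version == 2:
            r.utf()  # certificate type, e.g. "X.509"
        r.blob()

    aliases = {}
    for _ in range(count):
        tag, alias = r.u32(), r.utf()
        r.take(8)  # creation timestamp
        if tag == 1:
            r.blob()  # encrypted private key
            for _ in range(r.u32()):
                skip_cert()
            aliases[alias] = "PrivateKeyEntry"
        elif tag == 2:
            skip_cert()
            aliases[alias] = "trustedCertEntry"
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return aliases


def missing_aliases(aliases, csf_aliases):
    """Return {csf_key: alias} for CSF entries with no matching private-key entry."""
    # JKS aliases are case-insensitive and stored in lower case.
    return {k: a for k, a in csf_aliases.items()
            if aliases.get(a.lower()) != "PrivateKeyEntry"}


def build_sample_jks(storepass, private_aliases):
    """Constructed JKS (version 2) with placeholder key and certificate bytes, for this demo only."""
    def utf(s):
        return struct.pack(">H", len(s.encode())) + s.encode()

    def blob(b):
        return struct.pack(">I", len(b)) + b

    body = struct.pack(">III", JKS_MAGIC, 2, len(private_aliases))
    for alias in private_aliases:
        body += struct.pack(">I", 1) + utf(alias) + struct.pack(">q", 0)
        body += blob(b"CONSTRUCTED-KEY") + struct.pack(">I", 1)
        body += utf("X.509") + blob(b"CONSTRUCTED-CERT")
    return body + store_digest(body, storepass)


if __name__ == "__main__":
    store = build_sample_jks("welcome1", ["orakey"])
    found = read_jks_aliases(store, "welcome1")
    print("aliases:", found, "missing:", missing_aliases(found, CSF_ALIASES))
```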

Oracle Web Services Manager
March 2012
Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.


Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109


The part highlighted in bold indicates that the service expects arg0 to be encrypted.

Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".

Create Purchase Order Composite App

Now we will create the PurchaseOrderComposite App. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite App.

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:XPath>descendant-or-self::*[namespace-uri()='httppurchaseordersample' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>

Figure 20: WSDL of the PurchaseOrder POJO WLS JAX-WS after attaching the sample/field_level_decryption_service_policy
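
The following check is an added example, not part of the original guide or of OWSM: it applies the sp:EncryptedElements rule from Figure 20 to captured SOAP messages and reports whether arg0 travels in cleartext, is encrypted as a single field, or is hidden by whole-body encryption, together with the fields that remain readable. The payload namespace PO_NS, the submitOrder wrapper, the arg1 field and the three sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# Assumed placeholder: replace with the targetNamespace published in your WSDL.
PO_NS = "http://purchaseorder.example/"


def protection_of(message, ns=PO_NS, local="arg0"):
    """Classify how the policy-protected element travels in one SOAP message.

    'cleartext' : the element is present and readable (policy violated)
    'field'     : the element is gone and xenc:EncryptedData sits among other
                  cleartext content (field-level encryption)
    'body'      : the Body's only child is xenc:EncryptedData (whole-body encryption)
    'absent'    : neither the element nor any xenc:EncryptedData is in the Body
    """
    root = ET.fromstring(message)
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("message has no SOAP Body")
    # Same selection as descendant-or-self::*[namespace-uri()=ns and local-name()=local]
    if next(root.iter(f"{{{ns}}}{local}"), None) is not None:
        return "cleartext"
    if next(body.iter(f"{{{XENC}}}EncryptedData"), None) is None:
        return "absent"
    children = list(body)
    if len(children) == 1 and children[0].tag == f"{{{XENC}}}EncryptedData":
        return "body"
    return "field"


def visible_fields(message):
    """Return {local-name: text} for leaf elements of the Body that are still readable."""
    body = ET.fromstring(message).find(f"{{{SOAP}}}Body")
    readable = {}
    for el in body.iter():
        # Skip containers and everything that belongs to the XML Encryption structure.
        if len(el) or el.tag.startswith(f"{{{XENC}}}"):
            continue
        readable[el.tag.split("}", 1)[-1]] = (el.text or "").strip()
    return readable


def violations(messages):
    """Names of captured messages in which the protected element is readable."""
    return [name for name, msg in messages.items() if protection_of(msg) == "cleartext"]


# ---- constructed sample messages (not captured from a real system) ----
def envelope(body_inner):
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:po="{PO_NS}" xmlns:xenc="{XENC}">'
            f"<soap:Header/><soap:Body>{body_inner}</soap:Body></soap:Envelope>")


def enc(kind):
    # kind is "Element" (one element replaced) or "Content" (children of Body replaced)
    return (f'<xenc:EncryptedData Type="{XENC}{kind}"><xenc:CipherData>'
            "<xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
            "</xenc:CipherData></xenc:EncryptedData>")


SAMPLES = {
    "plain": envelope("<po:submitOrder><po:arg0>4111-CONSTRUCTED</po:arg0>"
                      "<po:arg1>2 widgets</po:arg1></po:submitOrder>"),
    "field": envelope(f"<po:submitOrder>{enc('Element')}"
                      "<po:arg1>2 widgets</po:arg1></po:submitOrder>"),
    "body": envelope(enc("Content")),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:6} {protection_of(msg):10} readable={visible_fields(msg)}")
    print("policy violations:", violations(SAMPLES))
```

With field-level encryption, arg1 stays readable on the wire while arg0 does not, so every field that needs confidentiality must be named by its own XPath in the policy.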

Figure 21: Insert a BPEL Process into an Empty Composite App

Figure 22: Create the BPEL Process by choosing the Base on a WSDL option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS.

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option

Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL.

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke.

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left-hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The Policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystore.jks using keytool:

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST:

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map

Oracle Web Services Manager

March 2012

Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200

oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109

Page 29: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 29

Figure 21 Insert a BPEL Process into an Empty Composite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 30

Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder

POJO WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 31

Figure 23 Result of creating a BPEL Process using the Base on a WSDL option

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 32

Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as

the WSDL URL

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 33

Figure 25 Walkthrough the PartnerLink creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 34

Figure 26 Completion of the Partner Link creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 35

Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created

previously

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 36

Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 37

Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on

the receive to the input of the Invoke

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 38

Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 30: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 30

Figure 22 Create the BPEL Process by choosing the Base on a WSDL option Provide the WSDL of the PurchaseOrder

POJO WLS JAX-WS

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 31

Figure 23 Result of creating a BPEL Process using the Base on a WSDL option

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 32

Figure 24 In the BPEL Process create a PartnerLink Again Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as

the WSDL URL

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 33

Figure 25 Walkthrough the PartnerLink creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 34

Figure 26 Completion of the Partner Link creation process

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 35

Figure 27 Add an Invoke activity in the BPEL Process and wite it to the PurchaseOrderRefrence PartnerLink created

previously

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 36

Figure 28 The Invoke is now wired to the PartnerLink PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 37

Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on

the receive to the input of the Invoke

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 38

Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 31: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 31

Figure 23: Result of creating a BPEL Process using the Base on a WSDL option

Figure 24: In the BPEL Process, create a PartnerLink. Again, provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL

Figure 25: Walk through the PartnerLink creation process

Figure 26: Completion of the PartnerLink creation process

Figure 27: Add an Invoke activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities

Figure 32: Completed PurchaseOrderComposite App

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left-hand side

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Figure 35: On the PurchaseOrderReference, click on the Policies tab

Figure 36: Click on the Attach/Detach button

Figure 37: Attach the sample/field_level_encryption_client_policy

Figure 38: The policy is now attached to the PurchaseOrderReference

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security with the username orakey and the password welcome1. This alias should exist in your configured keystore.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely sign-csf-key, to the map oracle.wsm.security with the username orakey and the password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL, as shown in Figure 39 and Figure 40.

Figure 39: View the Credential Store from the WebLogic Domain menu

Figure 40: Contents of the oracle.wsm.security Credential Map
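
The guide notes that the orakey user stored under enc-csf-key and sign-csf-key must exist as an alias in the configured keystore. The following is an added example, not part of the original guide or of Oracle's tooling: plain Python that cross-checks the credential map entries against `keytool -list -v` output. The sample listing is constructed, the "Entry type" wording is assumed to be that of Java 6 or later, and requiring a PrivateKeyEntry is an added assumption based on orakey being generated with -genkeypair.

```python
import re

# Constructed sample of `keytool -list -v -keystore default-keystore.jks`
# output, trimmed to the fields this check reads (not captured from a real system).
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: orakey
Creation date: Mar 5, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: partnerca
Creation date: Mar 5, 2012
Entry type: trustedCertEntry
"""

# Credential map entries as created by the guide's createCred calls:
# CSF key -> user name. Passwords are deliberately not modelled here.
CSF_ENTRIES = {
    "keystore-csf-key": "owsm",
    "enc-csf-key": "orakey",
    "sign-csf-key": "orakey",
}

# For these CSF keys the user name is a keystore alias. Assumption of this
# example: the alias must hold a private key, as the guide's orakey does.
ALIAS_BACKED_KEYS = ("enc-csf-key", "sign-csf-key")


def parse_keystore_entries(listing):
    """Return {alias: entry_type} parsed from `keytool -list -v` text."""
    entries = {}
    alias = None
    for line in listing.splitlines():
        m = re.match(r"\s*Alias name:\s*(.+?)\s*$", line)
        if m:
            alias = m.group(1).lower()  # JKS treats aliases case-insensitively
            entries[alias] = "unknown"
            continue
        m = re.match(r"\s*Entry type:\s*(\S+)", line)
        if m and alias is not None:
            entries[alias] = m.group(1)
    return entries


def check_csf_against_keystore(csf_entries, keystore_entries):
    """Return a list of problems; an empty list means the aliases line up."""
    problems = []
    if "keystore-csf-key" not in csf_entries:
        problems.append("keystore-csf-key: missing from credential map")
    for csf_key in ALIAS_BACKED_KEYS:
        alias = csf_entries.get(csf_key)
        if alias is None:
            problems.append(f"{csf_key}: missing from credential map")
            continue
        entry_type = keystore_entries.get(alias.lower())
        if entry_type is None:
            problems.append(f"{csf_key}: alias '{alias}' not found in keystore")
        elif entry_type != "PrivateKeyEntry":
            problems.append(
                f"{csf_key}: alias '{alias}' is a {entry_type}, not a PrivateKeyEntry"
            )
    return problems


if __name__ == "__main__":
    keystore = parse_keystore_entries(SAMPLE_KEYTOOL_OUTPUT)
    for line in check_csf_against_keystore(CSF_ENTRIES, keystore) or ["OK"]:
        print(line)
```

In practice, replace the constructed listing with the real keytool output for the keystore copied into the domain and fill CSF_ENTRIES from the credential map shown in Figure 40.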


Oracle Web Services Manager

March 2012

Author: Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores, CA 94065

USA

Worldwide Inquiries:

Phone: +1.650.506.7000

Fax: +1.650.506.7200

oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Page 36: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 36

Figure 28: The Invoke is now wired to the PartnerLink PurchaseOrderReference.

Figure 29: Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input on the receive to the input of the Invoke.

Figure 30: Add another Assign activity after the Invoke to copy the output of the Invoke to the output of the replyOutput.

Figure 31: BPEL Process after adding the Assign, Invoke, Assign activities.

Figure 32: Completed PurchaseOrderComposite App.

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to attach the "sample/field_level_encryption_client_policy" to the "PurchaseOrderReference" of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.

Figure 33: Click on the PurchaseOrderComposite App on the left-hand side.

Figure 34: Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite.

Figure 35: On the PurchaseOrderReference, click on the Policies tab.

Figure 36: Click on the Attach/Detach button.

Figure 37: Attach the sample/field_level_encryption_client_policy.

Figure 38: The Policy is now attached to the PurchaseOrderReference.

Create Keystore and Credentials in Credential Store

Create a keystore called default-keystore.jks using keytool:

$> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands, please refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Copy the keystore created into $FMW_DOMAIN_HOME/config/fmwconfig.

Add the following credentials into the credential store, either via EM or using WLST. This assumes that the keystore password is welcome1.

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")

wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

This will add a key, namely enc-csf-key, to the map oracle.wsm.security, with username orakey and password welcome1. This alias should exist in your configured keystore.

This will add a key, namely sign-csf-key, to the map oracle.wsm.security, with username orakey and password welcome1. This alias should exist in your configured keystore.

You can verify the contents of the credential store in FMWCTL as shown in Figure 39 and Figure 40.
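The requirement that the enc-csf-key and sign-csf-key usernames exist as aliases in the keystore can be checked before deployment. The script below is an added example, not part of the original guide: it parses `keytool -list` output and compares it with the credentials created above. The sample listing, the alias partnercert and the rule that the alias must be a PrivateKeyEntry are assumptions of this example.

```python
import re

# Constructed sample of `keytool -list -keystore default-keystore.jks` output.
# orakey is the key pair generated in this guide; partnercert and the
# fingerprint values are placeholders added for the example.
KEYTOOL_LIST_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

orakey, Mar 1, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): <placeholder>
partnercert, Mar 1, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
"""

# csf key -> username, as created by the three createCred calls in this guide.
CSF_ENTRIES = {
    "keystore-csf-key": "owsm",
    "enc-csf-key": "orakey",
    "sign-csf-key": "orakey",
}

# The guide states that the usernames of these two keys are keystore aliases.
ALIAS_KEYS = ("enc-csf-key", "sign-csf-key")

# One entry line looks like: "<alias>, <date>, <entry type>,"
# The date itself contains a comma, so it is matched loosely.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), .+, "
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$"
)


def parse_keytool_list(text):
    """Return {alias: entry type} parsed from `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            # JKS aliases are case-insensitive, so normalise to lower case.
            entries[match.group("alias").strip().lower()] = match.group("kind")
    return entries


def check_csf_aliases(csf_entries, keystore_entries):
    """Return [(csf_key, problem)] for credentials that cannot be resolved."""
    problems = []
    for csf_key in ALIAS_KEYS:
        user = csf_entries.get(csf_key)
        if user is None:
            problems.append((csf_key, "credential missing from map"))
            continue
        kind = keystore_entries.get(user.lower())
        if kind is None:
            problems.append((csf_key, "alias %r not in keystore" % user))
        elif kind != "PrivateKeyEntry":
            # Assumption of this example: a certificate-only entry has no
            # private key, so it cannot serve for signing or decryption.
            problems.append(
                (csf_key, "alias %r is a %s, no private key" % (user, kind))
            )
    return problems


if __name__ == "__main__":
    keystore = parse_keytool_list(KEYTOOL_LIST_OUTPUT)
    findings = check_csf_aliases(CSF_ENTRIES, keystore)
    if not findings:
        print("enc-csf-key and sign-csf-key resolve to private key aliases")
    for csf_key, problem in findings:
        print("%s: %s" % (csf_key, problem))
```
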

Figure 39: View the Credential Store from the WebLogic Domain menu.

Figure 40: Contents of the oracle.wsm.security Credential Map.

Oracle Web Services Manager

March 2012

Author: Prakash Yamuna

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
USA

Worldwide Inquiries:
Phone: +16505067000
Fax: +16505067200
oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

0109

Page 37: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 37

Figure 29 Add an Assign activity after the receiveInput and before the Invoke activity Wire the variables to copy the input on

the receive to the input of the Invoke

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 38

Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 38: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 38

Figure 30 Add another assign activity after the Invoke to copy the output of the invoke to the output of the replyOutput

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 39: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 39

Figure 31 BPEL Process after adding the Assign Invoke Assign activities

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 40: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 40

Figure 32 Completed PurchaseOrderComposite App

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 50

Figure 40 Contents of the oraclewsmsecurity Credential Map

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 51

Oracle Web Services Manager

March 2012

Author Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores CA 94065

USA

Worldwide Inquiries

Phone +16505067000

Fax +16505067200

oraclecom

Copyright copy 2011 Oracle andor its affiliates All rights reserved This document is provided for

information purposes only and the contents hereof are subject to change without notice This

document is not warranted to be error-free nor subject to any other warranties or conditions whether

expressed orally or implied in law including implied warranties and conditions of merchantability or

fitness for a particular purpose We specifically disclaim any liability with respect to this document and

no contractual obligations are formed either directly or indirectly by this document This document may

not be reproduced or transmitted in any form or by any means electronic or mechanical for any

purpose without our prior written permission

Oracle is a registered trademark of Oracle Corporation andor its affiliates Other names may be

trademarks of their respective owners

0109

Page 41: Oracle Web Service Manager 11...sample/field_level_encryption_client_policy sample/field_level_encryption_service_policy Field level Encryption in WLS, SOA using Oracle Web Services

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 41

Attach Custom Policy created previously to the Purchase Order Composite App Reference

The next step is to now attach the ldquosamplefield_level_encryption_client_policyrdquo to the PurchaseOrderReferencerdquo of

PurchaseOrderComposite App These steps are shown in Figure 33 - Figure 38

Figure 33 Click on the PurchaseOrderComposite App on the left hand side

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 42

Figure 34 Click on the PurchaseOrderReference shown in the Dashboard of the PurchaseOrderComposite

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 43

Figure 35 On the PurchaseOrderReferece - click on the Policies tab

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 44

Figure 36 Click on the AttachDetach Button

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 45

Figure 37 Attach the samplefield_level_encryption_client_policy

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 46

Figure 38 The Policy is now attached to the PurchaseOrderReference

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 47

Create Keystore and Credentials in Credential Store

Create a Keystore called default-keystorejks using keytool

For complete details on keytool commands please refer to

httpjavasuncomj2se142docstooldocswindowskeytoolhtml

Copy the keystore created into $FMW_DOMAIN_HOMEconfigfmwconfig

Add the following credentials into the credential store either via EM or using WLST

This assumes that the keystore password is welcome1

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=keystore-csf-key user=owsm

password=welcome1 desc=Keystore key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=enc-csf-key user=orakey

password=welcome1 desc=Encryption key)

wlsDefaultDomainserverConfiggt createCred(map=oraclewsmsecurity key=sign-csf-key user=orakey

password=welcome1 desc=Signing key)

$gtkeytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystorejks -storepass

welcome1 -validity 3600

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 48

This will add a key namely enc-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

This will add a key namely sign-csf-key to map oraclewsmsecurity with username as orakey and password as

welcome1 This alias should exist in your configured keystore

You can verify the contents of the credential store in FMWCTL as show in Figure 39 and Figure 40

Field level Encryption in WLS SOA using Oracle Web Services Manager 11g

Oracle Corporation | Field level Encryption | Version 10 49

Figure 39 View the Credential Store from the Weblogic Domain menu


Figure 40 Contents of the oracle.wsm.security Credential Map
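The enc-csf-key and sign-csf-key entries above both name the alias orakey, and that alias has to be present in the keystore as a key pair, not only as a certificate. The following check is an added example, not part of the original guide: it reads `keytool -list` output and reports any required alias that is missing or is not a PrivateKeyEntry. The function names, the KEYSTORE variable and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that the aliases the
# credential store points at exist in the keystore as private-key entries.

# Reads `keytool -list` output on stdin. Each argument is an alias to check.
# Prints one line per failing alias; returns 0 only if every alias passes.
check_key_aliases() {
    listing=$(cat)
    rc=0
    for alias in "$@"; do
        # keytool stores JKS aliases in lower case, so compare case-insensitively.
        want=$(printf '%s' "$alias" | tr '[:upper:]' '[:lower:]')
        # Entry lines look like: "alias, Mar 5, 2012, PrivateKeyEntry, "
        # The date itself contains a comma, so scan the fields for the one
        # that ends in "Entry" instead of relying on a fixed position.
        kind=$(printf '%s\n' "$listing" | awk -F', *' -v a="$want" '
            NF >= 3 && tolower($1) == a {
                for (i = 2; i <= NF; i++)
                    if ($i ~ /Entry$/) { print $i; exit }
            }')
        case "$kind" in
            PrivateKeyEntry) ;;
            "") echo "$alias: missing"; rc=1 ;;
            *)  echo "$alias: $kind (no private key)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `keytool -list` output (English locale): one key pair
# and one certificate-only entry. The fingerprints are placeholders.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

orakey, Mar 5, 2012, PrivateKeyEntry, 
Certificate fingerprint (SHA1): <constructed placeholder>
democa, Mar 5, 2012, trustedCertEntry, 
Certificate fingerprint (SHA1): <constructed placeholder>
EOF
}

# Real use: set KEYSTORE to the copied keystore, for example
#   KEYSTORE=$FMW_DOMAIN_HOME/config/fmwconfig/default-keystore.jks
# keytool prompts for the store password, which keeps it out of the
# process list and the shell history.
if [ -n "${KEYSTORE:-}" ]; then
    keytool -list -keystore "$KEYSTORE" | check_key_aliases orakey
fi
```

A certificate-only entry under the expected alias is reported separately from a missing alias, since signing and decryption both need the private key.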


Oracle Web Services Manager

March 2012

Author: Prakash Yamuna

Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores, CA 94065

USA

Worldwide Inquiries:

Phone: +1.650.506.7000

Fax: +1.650.506.7200

oracle.com

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
