web service secure

Upload: messara

Post on 30-May-2018


    Tutorial: Security for Web Services

    This tutorial describes how to make Web Services secure using the Public Key Infrastructure (PKI), Secure Sockets Layer (SSL), and other features provided by Oracle9i Application Server (Oracle9iAS).

    Contents

    1. Concepts

    2. Design

    3. Required Software

    4. Setup

    5. Implementation

    6. Resources

    7. Feedback


    Concepts

    Effective Internet security requires secure information exchange mechanisms that are scalable and that support the security of distributed systems. Public Key Infrastructure (PKI) meets these requirements with minimal inconvenience.

    Oracle9i Application Server (Oracle9iAS) can use elements of PKI to provide a secure, resilient environment for deploying electronic commerce. This reliable environment supports building systems to handle virtually any type of electronic interaction, from corporate intranets to e-business applications designed for deployment on the Internet.

    Strong system security starts with the physical security of systems and the trustworthiness of personnel. With these in place, PKI enhances secure electronic commerce and Internet communications by supporting the following processes:

    • Authentication. Verifying the identity of users and machines becomes crucial when an organization opens its doors to the Internet. Strong authentication mechanisms, of which PKI is one, verify identities without allowing transmission or storage of reusable passwords. They ensure that persons and machines are the entities they claim to be. This is typically done by a trusted third-party authentication or certification service using conventional cryptography. Proper use of PKI makes impersonation virtually impossible and supports mechanisms enabling systems and applications to trust each other's connections and transmissions.

    • Encryption. Encryption and integrity algorithms are used to secure communications and ensure the privacy of data sent from one computer to another. They ensure that data remains confidential, that it cannot be modified, and that lost packets can be detected.

    • Non-repudiation. Non-repudiation means that senders of digitally signed transactions or email cannot claim they did not do so. Digital signatures using PKI can provide reliable proof that the person signing the electronic transmission really is that person, since no one else can create their unique digital signature. This feature also prevents impersonation, because the impostor cannot create that person's digital signature. A PKI digital signature proves that a specific user performed certain operations.

    For public-key cryptography, entities that want to communicate in a secure manner must possess certain security credentials. This collection of security credentials is stored in a wallet. Security credentials consist of:

    • Public and private keys. This form of cryptography uses a secret private key and a mathematically-related public key. Only the public key can be used to encrypt information, and only the corresponding private key can be used to decrypt that information. Only the owner of the key pair knows the private key; the public key can be distributed widely and remains associated with its owner. A message encrypted with the public key can only be decrypted by the owner who knows the associated private key. Such keys are also used in digital signatures to prevent Internet impersonation and repudiation of valid messages. In the process of setting up this sample application, you will obtain and install certificates for the client and server.

    • Digital certificates. Certificates are digital identities, issued by trusted third parties, that identify users and machines. Certificates are issued when that third party receives trusted information proving to its satisfaction the validity of those identities. The certificates can then be securely stored in wallets or in directories and used to prove the claimed identity to anyone on the Internet who trusts that third party.

    • Certificate Authority (CA). A CA is a third party that acts as a trusted, independent provider of digital certificates.

    Use of a cryptographic key pair to set up a secure, encrypted channel ensures the privacy of a message and can validate the authenticity of the sender of the message. Wide distribution of the public key on a server, or in a central directory, does not jeopardize security because the private key is never shared. The public key for an entity is published by a certificate authority in a user certificate. Entities that want to send secure information can encrypt the information with the recipient entity's public key. An entity that receives a communication encrypted by this method can use its own private key to decrypt the message. (In some cases, the sender might need to reassure the recipient regarding who sent the message. Encrypting the coded message again using his own public key would do the trick. The recipient could decrypt the doubly-encoded message using his private key, and then decrypt the resulting coded message using the sender's public key. If the original message was not encoded using both public keys, the result of decrypting will be unreadable.)
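An added example, not part of the original tutorial, of the sender-authentication case in the parenthetical above, written against the standard Java JCA API (Java 17 assumed). The sender proves origin with a signature made by its private key, which the recipient checks with the sender's public key, and the signed message is then encrypted to the recipient's public key. The class, key and message names are constructed for illustration, and AES-GCM with an RSA-OAEP-wrapped key is used because RSA alone cannot carry a message of arbitrary length.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SignThenEncrypt {
    /** What travels on the wire: the wrapped AES key, the GCM nonce, and the ciphertext. */
    record Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {}

    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    static Envelope seal(byte[] msg, PrivateKey senderPriv, PublicKey recipientPub)
            throws GeneralSecurityException {
        // 1. The sender signs with its PRIVATE key: only the key owner can produce this value.
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(senderPriv);
        signer.update(msg);
        byte[] sig = signer.sign();
        byte[] signed = ByteBuffer.allocate(sig.length + msg.length).put(sig).put(msg).array();

        // 2. A fresh AES key encrypts signature + message (confidentiality and integrity).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal(signed);

        // 3. The AES key is wrapped with the recipient's PUBLIC key: only the recipient can unwrap it.
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.ENCRYPT_MODE, recipientPub);
        return new Envelope(rsa.doFinal(aes.getEncoded()), iv, ct);
    }

    static byte[] open(Envelope e, PrivateKey recipientPriv, PublicKey senderPub)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(WRAP);
        rsa.init(Cipher.DECRYPT_MODE, recipientPriv);
        SecretKey aes = new SecretKeySpec(rsa.doFinal(e.wrappedKey()), "AES");
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, e.iv()));
        byte[] signed = gcm.doFinal(e.ciphertext()); // throws if the ciphertext was modified

        // An RSA signature is exactly as long as the signer's modulus.
        int sigLen = (((RSAPublicKey) senderPub).getModulus().bitLength() + 7) / 8;
        if (signed.length < sigLen) throw new SignatureException("truncated payload");
        byte[] sig = Arrays.copyOfRange(signed, 0, sigLen);
        byte[] msg = Arrays.copyOfRange(signed, sigLen, signed.length);

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(senderPub);
        verifier.update(msg);
        if (!verifier.verify(sig)) throw new SignatureException("not signed by the claimed sender");
        return msg;
    }

    static String attempt(Envelope e, PrivateKey recipientPriv, PublicKey senderPub) {
        try {
            return "accepted: " + new String(open(e, recipientPriv, senderPub), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException ex) {
            return "rejected: " + ex.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair store = kpg.generateKeyPair();       // sender (constructed key pair)
        KeyPair cardService = kpg.generateKeyPair(); // recipient (constructed key pair)
        KeyPair impostor = kpg.generateKeyPair();    // signs while claiming to be the store
        byte[] msg = "constructed sample: authorize order 42".getBytes(StandardCharsets.UTF_8);

        Envelope genuine = seal(msg, store.getPrivate(), cardService.getPublic());
        System.out.println("genuine  -> " + attempt(genuine, cardService.getPrivate(), store.getPublic()));

        Envelope forged = seal(msg, impostor.getPrivate(), cardService.getPublic());
        System.out.println("forged   -> " + attempt(forged, cardService.getPrivate(), store.getPublic()));

        genuine.ciphertext()[0] ^= 1; // one flipped bit in transit
        System.out.println("tampered -> " + attempt(genuine, cardService.getPrivate(), store.getPublic()));
    }
}
```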


    Design

    The Online Product Store demonstrates an e-Business application that uses Web Services to handle credit card-based transactions. There are two ways to ensure security with Web Services:

    • Security at XML level. Options include XML Encryption, XML Digital signature A…, XKMS (XML Key Management Specification), and SAML (Security Assertion Markup Language).

    • Security at the transport level. Implementing security at the transport level means securing the network protocol a Web Service uses for communication. SSL is the industry-accepted standard protocol for secured encrypted communications over TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a Web Service. The client then sends and receives SOAP messages over this secured socket using HTTPS. The SSL implementation takes care of ensuring privacy by encrypting all the network traffic on the socket. SSL can also authenticate the Web Service to the client using the PKI infrastructure.

    Because the standards for enabling security at XML level are in their infancy, OTN developers opted for security at the transport level using SSL and the PKI infrastructure.

    Oracle9iAS provides a solid framework for building and deploying Web applications using the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository, Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.

    This sample application requires a user ID and a password for login. Three users are created by running SQL scripts given in the Install.html file. Following is the information for accessing this application.


    User ID   Password   Credit Card Number
    C101      welc0me    1234567887654321
    C102      otn        1234567887654322
    C103      welcome    1234567887654323

    By providing credentials, a user gains access to a catalog of products from which they can add items to their shopping cart. To buy products, a user checks out and enters a credit card number, and this application contacts the Credit Card Web Service via SSL, thereby demonstrating how to access a Web Service securely.
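An added example, not part of the original tutorial or its sample code, of the transport-level model described above: a client that posts a SOAP request over HTTPS with standard JSSE, trusting only the CAs in its own trust store and presenting a client certificate. The endpoint, the PKCS#12 file arguments, the environment variable names, and the validateCard operation with its namespace are assumptions; Java 11 or later is assumed.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SecureSoapClient {

    // Hypothetical request: the operation name and namespace are placeholders, not the
    // tutorial's WSDL. The card number is the sample value listed for user C101.
    static final String REQUEST =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body><validateCard xmlns=\"urn:example:creditcard\">"
      + "<cardNumber>1234567887654321</cardNumber>"
      + "</validateCard></soap:Body></soap:Envelope>";

    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Client certificate to authenticate to the service, CA certificates to authenticate it. */
    static SSLContext context(KeyStore identity, char[] keyPassword, KeyStore trustedCas)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustedCas); // only these CAs are accepted, not the JVM-wide default set
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static String post(URL endpoint, SSLContext ctx, String soap) throws Exception {
        if (!"https".equals(endpoint.getProtocol())) {
            throw new IllegalArgumentException("refusing to send card data over " + endpoint.getProtocol());
        }
        HttpsURLConnection con = (HttpsURLConnection) endpoint.openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        // No custom HostnameVerifier: the default rejects a certificate issued for another host.
        con.setConnectTimeout(5_000);
        con.setReadTimeout(10_000);
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        con.setRequestProperty("SOAPAction", "\"\"");
        try (OutputStream out = con.getOutputStream()) {
            out.write(soap.getBytes(StandardCharsets.UTF_8));
        }
        int status = con.getResponseCode(); // handshake and certificate checks are complete here
        X509Certificate server = (X509Certificate) con.getServerCertificates()[0];
        System.out.println("server certificate: " + server.getSubjectX500Principal().getName());
        System.out.println("cipher suite:       " + con.getCipherSuite());
        try (InputStream in = status < 400 ? con.getInputStream() : con.getErrorStream()) {
            String body = in == null ? "" : new String(in.readAllBytes(), StandardCharsets.UTF_8);
            return status + "\n" + body;
        }
    }

    /** Store passwords come from the environment so they never appear in source or arguments. */
    static char[] secret(String name) {
        String value = System.getenv(name);
        if (value == null) throw new IllegalStateException("set " + name);
        return value.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SecureSoapClient <https-endpoint> <client.p12> <trusted-cas.p12>");
            System.exit(2);
        }
        char[] clientPw = secret("CLIENT_P12_PASSWORD");
        char[] trustPw = secret("TRUST_P12_PASSWORD");
        SSLContext ctx = context(load(Path.of(args[1]), clientPw), clientPw,
                                 load(Path.of(args[2]), trustPw));
        System.out.println(post(URI.create(args[0]).toURL(), ctx, REQUEST));
    }
}
```

A handshake failure here (untrusted issuer, expired certificate, or host name mismatch) surfaces as an SSLHandshakeException before any SOAP data is sent.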

    The directory structure of the sample code is as shown below (Xxx represents the top level directory).

    Directory               Files                             Description
    Xxx\docs                Readme.html                       Gives an overview of the application.
    Xxx\docs                Install.html, InstallContd.html   These files describe how to install and deploy the application.
    Xxx\sql                 Security.sql                      Sets up the data required by the Online Product Store which will be created in the "security" user schema.
    Xxx\sql                 Creditdb.sql                      Sets up the data required by the Credit Card Web Service which will be created in the "creditdb" user schema.
    Xxx\CreditCardService   *.java                            Directory containing the source of the Credit Card Web Service and the supporting files
    Xxx\JSPApplication      *.java                            Directory containing the source code and supporting files for the Online Product Store.


    Required Software

    You can download the sample application source code (35 KB) from:

    • http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar

    The following software is required to build and run this tutorial. OTN members can download developer-license versions of these products for free.

    • Oracle9i Database Server Version 9.2.0 or higher.

    • Oracle9iAS Release 2 - Installation must include Oracle HTTP Server and OC4J.

    • Oracle9i JDeveloper - Version 9.0.2 or higher.

    See the Setup section for information about installing and running the tutorial.


    Setup

    This section lists the steps to install and configure the tutorial. It assumes that you have installed and configured the software described in the Required Software section.

    1. Extract the Sample

    2. Get a Server Certificate

    3. Get a Client Certificate

    4. Set up Oracle9iAS to use this Certificate

    5. Database Setup

    6. Oracle Java SSL libraries

    7. Compile the Web Service

    8. Deploy the Web Service to Oracle9iAS through Enterprise Manager

    9. Prepare the Online Store application

    10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager


    Implementation

    This sample application achieves security by deployment to Oracle9i Application Server (Oracle9iAS). There is nothing unusual about the code that implements the Web Service. The key is to follow the steps presented in the Setup section of this tutorial. The steps involve a slight modification of the Web Service source code, as explained in the Prepare the Online Store application section.

    Oracle9iAS security starts from the well-tested and highly configurable Web security services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-on services, and extends them further with centralized user provisioning that is available in Oracle Internet Directory, an LDAP, version 3-compliant directory service. In addition, Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication Services (JAAS) for J2EE application security, and extensive portal authorization and application integration mechanisms. Oracle9iAS also supports secure access to Oracle database systems using Oracle Advanced Security.

    Oracle9i Application Server Implementation of Public Key Infrastructure (PKI)

    The Oracle9i Application Server PKI implementation provides a variety of security services, in compliance with industry-standard specifications. It incorporates a whole suite of products and features, including the following:

    Secure Sockets Layer

    The Secure Sockets Layer (SSL) is an application layer protocol that can be employed for certificate-based authentication. All of the major components of Oracle9iAS support SSL.

    Oracle Wallets

    An Oracle wallet is a container in which certificates and trusted certificates are stored and managed. These data structures securely store a user private key, a user certificate, and a set of trusted certificates (the list of root certificates which the user trusts).

    Oracle Wallet Manager

    This is a Java-based application that security administrators use to manage public-key security credentials on both Oracle clients and servers. It creates an Oracle wallet. Oracle Wallet Manager creates a public-private key pair and manages credentials for a user. It issues PKCS#10 certificate requests to the certificate authority, and installs the certificate in the wallet. It ships with trusted certificates from VeriSign, RSA, and Baltimore CyberTrust, and can use a site's own in-house certificate authority.

    Oracle Internet Directory

    Oracle Internet Directory, an LDAP V3-compliant directory built on the Oracle9i database, helps to enable PKI-based single sign-on. It enables you to securely manage the user and system configuration environment, including security attributes and privileges, for users authenticated using X.509 certificates. Oracle Internet Directory enforces attribute-level access control, enabling the directory to restrict read, write, or update privileges on specific attributes to specific named users (for example, a security administrator). It also supports protection and authentication of directory queries and responses through SSL encryption.


    Resources

    Following are links to resources that can help you understand and apply the concepts and techniques presented in this tutorial. See the Required Software section to obtain the tutorial source code and re…es.

    Resource                                                 URL
    Oracle9i Application Server Security Guide               http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm
    OTN Web Services Technology Center                       http://otn.oracle.com/tech/webservices/content.html
    Oracle by Example: Build a Secure Internet Data Center   http://otn.oracle.com/products/oracle9i/htdocs/9iober2/obe9ir2/player_otn.htm


    Feedback

    If you have questions or comments about this tutorial, you can:

    • Post a message in the OTN Sample Code discussion forum. OTN developers and other experts monitor the forum.

    • Send email to the author. mailto:[email protected]

    If you have suggestions or ideas for future tutorials, please send email to:

    • mailto:[email protected]


    Design

    The Online Product Store demonstrates an e-Business application that uses Web Services to handle credit card-based transactions. There are two ways to ensure security with Web Services:

    • Security at the XML level. Options include XML Encryption, XML Digital Signature API, XKMS (XML Key Management Specification), and SAML (Security Assertion Markup Language).

    • Security at the transport level. Implementing security at the transport level means securing the network protocol a Web Service uses for communication. SSL is the industry-accepted standard protocol for secured encrypted communications over TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a Web Service. The client then sends and receives SOAP messages over this secured socket using HTTPS. The SSL implementation takes care of ensuring privacy by encrypting all the network traffic on the socket. SSL can also authenticate the Web Service to the client using the PKI infrastructure.

    Because the standards for enabling security at the XML level are in their infancy, OTN developers opted for security at the transport level using SSL and the PKI infrastructure.

    Oracle9iAS provides a solid framework for building and deploying Web applications using the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository, Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.

    This sample application requires a user ID and a password for login. Three users are created by running SQL scripts given in the Install.html file. Following is the information for accessing this application.


    User ID   Password   Credit Card Number
    C101      welc0me    1234567887654321
    C102      otn        1234567887654322
    C103      welcome    1234567887654323

    By providing credentials, a user gains access to a catalog of products from which they can add items to their shopping cart. To buy products, a user checks out and enters a credit card number, and this application contacts the Credit Card Web Service via SSL, thereby demonstrating how to access a Web Service securely.

    The directory structure of the sample code is as shown below (Xxx represents the top-level directory).

    Directory               Files                             Description
    Xxx\docs                Readme.html                       Gives an overview of the application.
    Xxx\docs                Install.html, InstallContd.html   These files describe how to install and deploy the application.
    Xxx\sql                 Security.sql                      Sets up the data required by the Online Product Store which will be created in the "security" user schema.
    Xxx\sql                 Creditdb.sql                      Sets up the data required by the Credit Card Web Service which will be created in the "creditdb" user schema.
    Xxx\CreditCardService   *.java                            Directory containing the source of the Credit Card Web Service and the supporting files.
    Xxx\JSPApplication      *.java                            Directory containing the source code and supporting files for the Online Product Store.


    Required Software

    You can download the sample application source code (35 KB) from:

    • http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar

    The following software is required to build and run this tutorial. OTN members can download developer-license versions of these products for free.

    • Oracle9i Database Server Version 9.2.0 or higher.

    • Oracle9iAS Release 2 - Installation must include Oracle HTTP Server and OC4J.

    • Oracle9i JDeveloper - Version 9.0.2 or higher.

    See the Setup section for information about installing and running the tutorial.


    Setup

    This section lists the steps to install and configure the tutorial. It assumes that you have installed and configured the software described in the Required Software section.

    1. Extract the Sample

    2. Get a Server Certificate

    3. Get a Client Certificate

    4. Set up Oracle9iAS to use this Certificate

    5. Database Setup

    6. Oracle Java SSL libraries

    7. Compile the Web Service

    8. Deploy the Web Service to Oracle9iAS through Enterprise Manager

    9. Prepare the Online Store application

    10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager


    Implementation

    This sample application achieves security by deployment to Oracle9i Application Server (Oracle9iAS). There is nothing unusual about the code that implements the Web Service. The key is to follow the steps presented in the Setup section of this tutorial. The steps involve a slight modification of the Web Service source code, as explained in the Prepare the Online Store application section.

    Oracle9iAS security starts from the well-tested and highly configurable Web security services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-on services, and extends them further with centralized user provisioning that is available in Oracle Internet Directory, an LDAP, version 3-compliant directory service. In addition, Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication Services (JAAS) for J2EE application security, and extensive portal authorization and application integration mechanisms. Oracle9iAS also supports secure access to Oracle database systems using Oracle Advanced Security.

    Oracle9i Application Server Implementation of Public Key Infrastructure (PKI)

    The Oracle9i Application Server PKI implementation provides a variety of security services, in compliance with industry-standard specifications. It incorporates a whole suite of products and features, including the following:

    Secure Sockets Layer: The Secure Sockets Layer (SSL) is an application layer protocol that can be employed for certificate-based authentication. All of the major components of Oracle9iAS support SSL.


    Oracle Wallets: An Oracle wallet is a container in which certificates and trusted certificates are stored and managed. These data structures securely store a user private key, a user certificate, and a set of trusted certificates (the list of root certificates which the user trusts).

    Oracle Wallet Manager: This is a Java-based application that security administrators use to manage public-key security credentials on both Oracle clients and servers. It creates an Oracle wallet. Oracle Wallet Manager creates a public-private key pair and manages credentials for a user. It issues PKCS#10 certificate requests to the certificate authority, and installs the certificate in the wallet. It ships with trusted certificates from VeriSign, RSA, and Baltimore CyberTrust, and can use a site's own in-house certificate authority.

    Oracle Internet Directory: Oracle Internet Directory, an LDAP V3-compliant directory built on the Oracle9i database, helps to enable PKI-based single sign-on. It enables you to securely manage the user and system configuration environment, including security attributes and privileges, for users authenticated using X.509 certificates. Oracle Internet Directory enforces attribute-level access control, enabling the directory to restrict read, write, or update privileges on specific attributes to specific named users (for example, a security administrator). It also supports protection and authentication of directory queries and responses through SSL encryption.


    Resources

    Following are links to resources that can help you understand and apply the concepts and techniques presented in this tutorial. See the Required Software section to obtain the tutorial source code and re[...] files.

    Resource                                                 URL
    Oracle9i Application Server Security Guide               http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm
    OTN Web Services Technology Center                       http://otn.oracle.com/tech/webservices/content.html
    Oracle by Example: Build a Secure Internet Data Center   http://otn.oracle.com/products/oracle9i/htdocs/9iober2/obe9ir2/player_otn.htm


    Feedback

    If you have questions or comments about this tutorial, you can:

    • Post a message in the OTN Sample Code discussion forum. OTN developers and other experts monitor the forum.

    • Send email to the author. mailto:[email protected]

    If you have suggestions or ideas for future tutorials, please send email to:

    • mailto:[email protected]


    Web Services Security Sample Install document

    Web Services Security Sample Installation

    Database Setup

    Log into SQLPlus as system/manager.

    Create two users "security" and "creditdb" as follows:

    SQL> create user security identified by security;
    SQL> grant all privileges to security;
    SQL> create user creditdb identified by creditdb;
    SQL> grant all privileges to creditdb;

    Log into SQLPlus as security/security. Run the file Security.sql which creates the tables needed by this application and populates the tables with data.

    SQL> @d:\\sql\Security.sql

    where is the directory where you have extracted this sample.

    Log into SQLPlus as creditdb/creditdb. Run the file Creditdb.sql which creates the tables needed by this application and populates the tables with data.

    SQL> @d:\\sql\Creditdb.sql

    where is the directory where you have extracted this sample.

    Oracle Java SSL libraries

    The files jcert.jar, jsse.jar and jssl-1_2.jar are needed for running this sample. They are available in the following directories:

    jsse.jar - /lib
    jcert.jar - /jdk/jre/lib/ext
    jssl-1_2.jar - /jlib

    Copy them to /jdk/jre/lib/ext directory so that these classes are loaded by the system class loader.


    Note: If this step is not followed, the application will throw a ClassNotFoundException.

    Compile the Web Service

    From the command prompt, traverse to the CreditCardService\src directory.

    Edit the file ConnectionParams.java and substitute the variable values with your settings. Make sure to have the username and password as "creditdb" and "creditdb".

    Make sure to have classes12.jar (JDBC library) in the CLASSPATH. This library is available in the IAS_HOME/jdbc/lib directory.

    Compile the source files as follows:

    javac *.java

    Copy the created class files into the WEB-INF\classes directory.

    Go to the parent directory CreditCardService and create a WAR file as follows:

    jar -Mcvf CreditCardValidator.war WEB-INF\*

    This creates a WAR file in the CreditCardService directory.

    Deploy the Web Service to Oracle9iAS through Enterprise Manager

    Access the Enterprise Manager Web Site as follows: http://:1810

    Provide the admin user name and password as per your settings. Default username is ias_admin and the password should be the one given during Oracle9iAS installation.

    Go to the OC4J_home component by clicking on the link.

    Click on the "Deploy WAR file" button in the OC4J_home page.

    In the Deploy Web Application page, click on the "Browse" button and select the CreditCardValidator.war file from the CreditCardService directory. Please note that this WAR file was created during the execution of step f in the previous section.


    Mention the name of the application as "CreditCardService".

    Provide "/CreditCardValidator" as the value to the Map to URL attribute.

    Click Deploy.

    The above steps complete the deployment of the Credit Card Web Service to Oracle9iAS.

    Prepare the Online Store application

    Open the workspace "WS_Security.jws" from the JSPApplication directory.

    Edit the file ConnectionParams.java and substitute the variable values with your settings. Make sure to have the username and password as "security" and "security".

    This application needs a proxy stub for accessing the Web Service. This stub can be acquired by accessing the Web Service as follows:

    http://:/CreditCardValidator/CreditCardValidator?proxy_source

    where is the machine on which Oracle9iAS is running and is Oracle HTTP Server port.

    Save the zip file in any convenient directory and extract the file CreditCardValidatorInterfaceProxy.java in /JSPApplication/src/oracle/otnsamples/webservices/security directory.

    Note: is the directory where you had initially extracted this application.

    Click on the project WS_Security.jpr and add the file CreditCardValidatorInterfaceProxy.java to this project.

    Walk through the source to understand this file. Add the following lines in the method validateCard():

    // Use Oracle's SSL socket factories and the HTTPClient handler for https URLs.
    System.setProperty("ssl.SocketFactory.provider", "oracle.security.ssl.OracleSSLSocketFactoryImpl");
    System.setProperty("ssl.ServerSocketFactory.provider", "oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
    System.setProperty("java.protocol.handler.pkgs", "HTTPClient");
    // Location and password of the client wallet that was exported in text format.
    System.setProperty("oracle.wallet.location", "/home1/otn9i/ClientCert/wallet.txt");
    System.setProperty("oracle.wallet.password", "client12");

    Note: The parameters oracle.wallet.location and oracle.wallet.password should be changed as per your settings. Remember, we exported the client certificate in text format. The value for oracle.wallet.location should be the complete path to this text file. Ensure to specify client12 as the value to the oracle.wallet.password parameter as this was mentioned while creating the client wallet.

    Edit the file CreditCardValidatorInterfaceProxy.java. Change the value of the m_soapURL variable to https and the port to the https port.

    For example,

    private String m_soapURL = "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator";

    should be changed to

    private String m_soapURL = "https://insn104a.idc.oracle.com:4443/CreditCardValidator/CreditCardValidator";

    Note: This is the port with which we have set up Oracle HTTP Server to use SSL.

    Now we have to compile this application. For compiling this, we need to have the Oracle Java SSL libraries in the CLASSPATH. The libraries jsse.jar, jcert.jar and jssl-1_2.jar can be added to the project classpath as follows:

    Right click on WS_Security.jpr -> Project Settings -> Development -> Libraries -> New. Provide a name to this library and click on Edit to add the jar files. Click OK to dismiss this dialog box. Make sure to have this library in the "Selected Libraries" list.

    Right click on WS_Security.jpr -> Build Project. The project should compile without any errors.

    Right click on webapp2.deploy and choose to deploy to an EAR file. This step creates an EAR file in the JSPApplication directory.

    The above steps prepare the application, which can now be deployed.
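    The transport-level model from the Design section and the proxy changes above, as an added example that is not part of the Oracle sample: a local stand-in for the Credit Card Web Service is served over HTTPS, and the client call is refused until the service certificate is present among the client's trust anchors, which is the role the trusted certificates in the wallet play. It uses standard JSSE and the JDK's keytool (Java 11 or later) rather than the oracle.security.ssl classes; the class name, alias, password and SOAP bodies are constructed for the demo.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import static java.nio.charset.StandardCharsets.UTF_8;

public class SoapOverTlsDemo {
    // Constructed throwaway password for the demo key store; never hardcode a real one.
    static final char[] PASS = "demo-only-pass".toCharArray();
    // Constructed SOAP bodies; the element names are hypothetical.
    static final String REQUEST = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body>"
            + "<validateCard><cardNumber>1234567887654321</cardNumber></validateCard></s:Body></s:Envelope>";
    static final String RESPONSE = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body>"
            + "<validateCardResponse>true</validateCardResponse></s:Body></s:Envelope>";

    /** Generates a self-signed service certificate with keytool (stands in for the CA-issued one). */
    static KeyStore newServiceKeyStore() throws Exception {
        Path p12 = Files.createTempDirectory("wspki-demo").resolve("service.p12");
        String keytool = Path.of(System.getProperty("java.home"), "bin", "keytool").toString();
        Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", "service",
                "-keyalg", "RSA", "-keysize", "2048", "-validity", "1", "-dname", "CN=localhost",
                "-ext", "SAN=dns:localhost,ip:127.0.0.1", "-storetype", "PKCS12",
                "-keystore", p12.toString(), "-storepass", new String(PASS), "-keypass", new String(PASS))
                .inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p12)) { ks.load(in, PASS); }
        Files.delete(p12);
        Files.delete(p12.getParent());
        return ks;
    }

    /** Stand-in for the Credit Card Web Service: answers requests over HTTPS on a free local port. */
    static HttpsServer startService(KeyStore keys) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, PASS);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        HttpsServer server = HttpsServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx));
        server.createContext("/CreditCardValidator/CreditCardValidator", exchange -> {
            exchange.getRequestBody().readAllBytes();   // drain the SOAP request
            byte[] body = RESPONSE.getBytes(UTF_8);
            exchange.getResponseHeaders().set("Content-Type", "text/xml; charset=utf-8");
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) { out.write(body); }
        });
        server.start();
        return server;
    }

    /** Posts the SOAP request; the TLS handshake must validate the service against trustAnchors. */
    static String callService(URL url, KeyStore trustAnchors) throws Exception {
        if (!"https".equals(url.getProtocol()))
            throw new IllegalArgumentException("refusing to send card data over " + url.getProtocol());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustAnchors);   // null selects the JRE's default CA bundle
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        try (OutputStream out = con.getOutputStream()) { out.write(REQUEST.getBytes(UTF_8)); }
        try (InputStream in = con.getInputStream()) { return new String(in.readAllBytes(), UTF_8); }
    }

    public static void main(String[] args) throws Exception {
        KeyStore serviceKeys = newServiceKeyStore();
        HttpsServer server = startService(serviceKeys);
        try {
            URL url = URI.create("https://127.0.0.1:" + server.getAddress().getPort()
                    + "/CreditCardValidator/CreditCardValidator").toURL();
            try {   // 1. The certificate chains to no default CA, so the client must refuse it.
                callService(url, null);
                System.out.println("default trust store: accepted (unexpected)");
            } catch (SSLException e) {
                System.out.println("default trust store: rejected, " + e.getClass().getSimpleName());
            }
            // 2. Import the service certificate as a trust anchor, like a wallet's trusted certificate.
            KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
            anchors.load(null, null);
            anchors.setCertificateEntry("service", serviceKeys.getCertificate("service"));
            System.out.println("imported trust anchor: " + callService(url, anchors));
        } finally { server.stop(0); }
    }
}
```

    With Java 11 or later it runs as a single file: java SoapOverTlsDemo.java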

    Deploy the Online Store application to Oracle9iAS

    Access the Enterprise Manager Web Site as follows: http://:1810

    Provide the admin user name and password as per your settings. Default username is ias_admin and the password should be the one given during Oracle9iAS installation.

    Go to the OC4J_home component by clicking on the link.


    Click on the "Deploy EAR file" button in the OC4J_home page.

    Skip Step 1 of 8. In Step 2, click on the "Browse" button and choose the file OTNStore.ear from the JSPApplication directory. This EAR file was created as part of preparing this application. Mention the name of the application as OTNStore. Click Next.

    In Step 3, make sure that the value for URL Binding is /WS_Security. Click Next.

    Skip Steps 4, 5, 6 and 7. In Step 8, click on the "Deploy" button.

    The application will now be deployed as an Enterprise application to Oracle9iAS. The application can now be accessed as shown here.


    Web Services Security with PKI

    Online Product Store

    Implementing security with Web Services through PKI

    Table Of Contents

    • Overview of the sample application

    • Installation and Configuration

    • Description of Sample files

    • Running the sample on Oracle9iAS

    Overview of the sample application

    This Sample demonstrates an e-Business Application which implements security with Web services using PKI. As we are aware, Web Services is gaining momentum in the Industry and companies have started accepting it as a new way to conduct business over the Web. Web Services currently revolves around three important protocols: SOAP, WSDL and UDDI. These protocols have reached a stage of maturity and the focus now is on security with Web Services. There are two ways with which we can ensure security with Web Services. They are:

    • Security at Transport level

    • Security at XML level

    Security at Transport level

    Implementing security at the transport level means securing the network protocol a Web Service uses for communication. SSL is the Industry accepted standard protocol for secured encrypted communications over TCP/IP. In this model, a Web Service client will use SSL to open a secure socket to a Web Service. The client then sends and receives SOAP messages over this secured socket using HTTP. The SSL implementation takes care of ensuring privacy by encrypting all the network traffic on the socket. SSL can also authenticate the Web Service to the client using a digital certificate issued by a Certificate authority.

    Security at XML level

    There are some standards available for securing Web Services at XML level. They are:

    • XML Encryption

    • XML Digital Signature API

    • XKMS (XML Key Management Specification)

    • SAML (Security Assertion Markup Language)

    Since the standards for enabling security at XML level are in their infancy, this sample aims at securing Web Services at the transport level using the PKI infrastructure.

    Application users are created as part of running the SQL scripts as given in the Install.html file. Following is the information for accessing this application:

    User Id   Password   Credit Card Number
    C101      welc0me    1234567887654321
    C102      otn        1234567887654322
    C103      welcome    1234567887654323

    This sample application requires a User Id and a password for login. Once the sample users provide the above mentioned credentials, they can access the functionality provided by this application. Once the users successfully log in to this application, they will be shown a catalog of products from which they can add items to their shopping cart. Once they decide to purchase the items, they can choose to buy the products, where this application mandates the users to enter their credit card numbers. Once the users enter the credit card number shown above depending upon the User Id they have used, this application will contact the Credit Card Web Service via SSL, thereby demonstrating how to access a Web Service securely.


    Installation and Configuration

    Refer to Install.html for step-by-step instructions on extracting files, installing and configuring any other systems to successfully run this sample application.

    Description of Sample Files

    The sample is provided as a jar file. This jar file contains all the files required for the sample.

    Filename                      Description
    Readme.html                   This file
    Install.html                  Instructions for setting up this sample application on Oracle9iAS
    InstallContd.html             Continuation of the instructions for setting up this sample
    sql\Security.sql              SQL script required for setting up the data required by the Online store which will be created in the "security" user schema
    sql\Creditdb.sql              SQL script required for setting up the data required by the Credit Card Web Service which will be created in the "creditdb" user schema
    CreditCardService directory   Directory containing the source of the Credit Card Web Service and the supporting files
    JSPApplication directory      Directory containing the source of the Online Product store and the supporting files

    Running the sample using Oracle9iAS

    1. Install the sample application on Oracle9iAS using the instructions given in the Install.html file.


    2. Access the application using the following URL

    http://:/WS_Security/Login.jsp,

    where is the machine on which your Oracle9iAS is running and is the port at which your Oracle HTTP Server is running.

    Example: http://incq210a.idc.oracle.com:7777/WS_Security/Login.jsp

    Please enter your comments about this sample in the OTN Sample Code discussion forum.


    Web Services Security Sample Installation

    This document presents the following topics:

    • Required software

    • Installation steps

    Required Software

    • Oracle Database Server Version 9.2.0 or higher

    • Oracle9iAS Release 2 - Installation should contain Oracle HTTP Server and OC4J

    • Oracle9i JDeveloper

    You may download this software from the OTN site.

    Installation Steps

    1. Extract the Sample

    2. Get a Server Certificate

    3. Get a Client Certificate

    4. Set up Oracle9iAS to use this Certificate

    5. Database Setup

    6. Oracle Java SSL libraries

    7. Compile the Web Service

    8. Deploy the Web Service to Oracle9iAS through Enterprise Manager

    9. Prepare the Online Store application

    10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager

    Extract the Sample

    This sample is provided as a jar file. Extract WS_Security.jar in any of your favorite directories. The jar can be extracted as follows:

    jar xvf WS_Security.jar


    Get a Server Certificate

    For setting up PKI infrastructure, this sample needs digital certificates which can be acquired from any one of the CAs. For this sample, we will get a test certificate from Verisign.

    Create a directory called ServerCert on the machine where Oracle9iAS is installed.

    Start Oracle Wallet Manager by running the following command from the IAS_HOME/bin directory:

    ./owm

    Click on the Wallet/New option to create a new Wallet. This step asks for a wallet password. Enter "client12" as the wallet password. Enter "client12" to confirm the wallet password. Then click on Yes to create a new certification request.

    Enter the following information:

    Common Name : OTN_SAMPLE
    Organization Unit : Your Group Name e.g. 'OTN'
    Organization : Your company Name e.g. 'Oracle'
    Locality\City : Your City Name e.g. 'Bangalore'
    State/Province : Your State Name e.g. 'Karnataka'
    Country : Choose Appropriate Country Name

    Choose key size as 1024 bits. Click OK, OK. This generates a Certificate Request which you can send to any Certificate Authority.

    Click on the menu 'Certificate:[Requested]'. This displays a window in which the Certificate Request is displayed. Note that the Certificate Request starts with

    ----- BEGIN NEW CERTIFICATE REQUEST -----

    and ends with

    ----- END NEW CERTIFICATE REQUEST -----


    Click on 'Operations/Export Certificate Request' to export the Certificate Request to a local file. Enter the file name as 'client.cer.req'. Save this file in the ServerCert directory created as part of step 2.

    Minimize Oracle Wallet Manager. Note: Do not close OWM but just minimize.

    Generating Test certificates:

    Using your favorite editor, open the file 'client.cer.req' created in Step 6. Open your favorite browser. Go to the location: http://www.verisign.com

    Follow the steps as given below.

    Click on the Free SSL trial ID link on the right hand side.

    In the resulting page, enter your personal information as applicable.

    Read the instructions and click Continue.

    In Step 1, click Continue.

    In Step 2, copy and paste the CSR from the client.cer.req file in the textbox shown and click Continue.

    In Step 3, provide your information. Make sure you provide a valid email address. Click Accept.

    You will get the certificate at the mail address you specified in Step 3. Copy and paste your certificate to a local file named 'client.cer' in the ServerCert directory.

    Note: Please copy and paste the lines from and including the line -----BEGIN CERTIFICATE----- till the line -----END CERTIFICATE-----.

    The mail also contains links to the Root Certificate using whose key your certificate was signed. Follow the link and click Accept. This installs the root certificate in your browser. (Use Internet Explorer.)

    10. Then open IE, choose Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certificate Authorities. Search for "For VeriSign authorized testing only. No assurances." and click on Export. Choose "Base64 encoded X.509 (.CER)" format and click Next. Save the file as verisignroot.cer in the ServerCert directory. You will be importing this verisignroot.cer file into the Oracle Wallet.

    1.Now, open (maximize) your Oracle Wallet Manager. Click on 'Trusted

    ertificates'. Using 'Operations/Import Trusted Certificate',

    mport the root certificate as follows. Check the option 'Select a file that contains

    rusted Certificate'. Click OK. Choose the file

    erisignroot.cer' from the ServerCert directory.

    2.Now import the user certificate obtained earlier into this wallet. Select

    Operations/Import User Certificate' . Check the option 'Select a

    le that contains the Certificate'. Click OK. Choose the file 'client.cer' from the

    erverCert directory.

    3.Using 'Wallet/Close' option, close the Wallet. Using 'Wallet/Exit' option, exit

    e OWM.

    his completes the steps for preparing a Wallet for PKI Credential Management.
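The copy-and-paste steps above (the CSR into the CA's form, the mailed certificate into 'client.cer') break when a line is dropped or a mail client alters the text, and the wallet import then fails without saying why. The check below is an added example, not part of the Oracle sample: it extracts one PEM block from pasted text, validates the base64 and the DER length, and returns a normalised block. The function names and the sample mail are constructed for illustration.

```python
import base64
import binascii
import re

# Accepts both "-----BEGIN X-----" and the spaced form "----- BEGIN X -----".
PEM_BLOCK = re.compile(
    r"-{5} ?BEGIN (?P<label>[A-Z ]+?) ?-{5}(?P<body>.*?)-{5} ?END (?P=label) ?-{5}",
    re.DOTALL,
)


def der_outer_length(der: bytes) -> int:
    """Return the total size the outer DER SEQUENCE claims, header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_pem(text: str, label: str = "CERTIFICATE") -> str:
    """Pull one PEM block with the given label out of pasted text."""
    for m in PEM_BLOCK.finditer(text.replace("\r\n", "\n")):
        if m.group("label") != label:
            continue
        body = "".join(m.group("body").split())    # drop line breaks, stray spaces
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"body is not clean base64: {exc}") from None
        claimed = der_outer_length(der)
        if claimed != len(der):
            raise ValueError(
                f"truncated or padded: DER claims {claimed} bytes, got {len(der)}")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        return "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"
    raise ValueError(f"no complete BEGIN/END {label} block found")


def build_sample_mail() -> str:
    """Constructed input: a dummy DER SEQUENCE (not a real certificate) in mail text."""
    der = b"\x30\x82\x01\x00" + bytes(256)
    b64 = base64.b64encode(der).decode()
    body = " \r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("Dear customer,\r\nyour trial certificate:\r\n\r\n"
            "-----BEGIN CERTIFICATE-----\r\n" + body +
            "\r\n-----END CERTIFICATE-----\r\n\r\nRegards\r\n")


if __name__ == "__main__":
    print(extract_pem(build_sample_mail()), end="")
```

Pass "NEW CERTIFICATE REQUEST" as the label to check the request exported from Oracle Wallet Manager before pasting it into the CA's form.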

    Get a Client Certificate

    Follow the steps c through m in the "Get a Server Certificate" section. Give "client12" as the password for this wallet. While providing information for creating the Certificate Signing Request, give wss as the value for the Common Name attribute. Save the generated certificate in the ClientCert directory as client.cer and root.cer. Save the wallet in the ClientCert directory. The remaining steps will be the same.

    One more additional step is needed. Click on the Operations -> Export Wallet option. Save the file as wallet.txt in the ClientCert directory.

    Setup Oracle9iAS to use this Certificate

    Open the file httpd.conf available in the IAS_HOME/Apache/Apache/conf directory.

    Search for a parameter called "SSLWallet" and provide the directory where you have saved the first wallet.

    E.g. ServerCert

    SSLWallet file:/home1/otn9i/ServerCert

    Search for a parameter called "SSLWalletPassword" and provide "server12" as the value. This was given by us while creating the wallet.

    SSLWalletPassword server12

    Restart Oracle HTTP Server. Restarting Oracle HTTP Server with the new settings will enable Oracle9iAS to use the newly acquired certificate for SSL. You can check this by accessing the URL

    https://:4443/

    where is the host on which Oracle9iAS is running and 4443 is the https port. The server will present the certificate issued by Verisign, thereby allowing you to ensure that your setup is proper.
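With the two directives above, the wallet password sits in httpd.conf in clear text, so read access to that file and to the wallet directory is what protects the server's private key. The audit below is an added example, not Oracle tooling: `audit_wallet_config` and `run_on_constructed_sample` are hypothetical names, the configuration it builds is constructed, and it assumes a POSIX file system.

```python
import os
import re
import stat
import tempfile

# Sample passwords printed in this tutorial; they should not survive into a real deployment.
TUTORIAL_PASSWORDS = {"server12", "client12"}
DIRECTIVE = re.compile(r"^\s*(SSLWalletPassword|SSLWallet)\s+(\S+)", re.IGNORECASE)


def loosely_permitted(path):
    """Return the octal mode string if group or other have any access, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return format(mode, "o") if mode & (stat.S_IRWXG | stat.S_IRWXO) else None


def audit_wallet_config(conf_path):
    """Return a list of findings for the SSLWallet settings in an httpd.conf file."""
    findings, wallet_dir = [], None
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = DIRECTIVE.match(line)      # commented-out lines start with '#' and never match
            if not m:
                continue
            name, value = m.group(1).lower(), m.group(2).strip('"')
            if name == "sslwallet":
                wallet_dir = value[len("file:"):] if value.startswith("file:") else value
                continue
            findings.append(
                f"line {lineno}: wallet password is stored in {os.path.basename(conf_path)}")
            if value in TUTORIAL_PASSWORDS:
                findings.append(f"line {lineno}: password is a sample value from the tutorial")
    if wallet_dir is None:
        findings.append("no SSLWallet directive found")
    for label, path in (("config file", conf_path), ("wallet directory", wallet_dir)):
        if path and os.path.exists(path):
            mode = loosely_permitted(path)
            if mode:
                findings.append(f"{label} is accessible to group/other (mode {mode})")
    return findings


def run_on_constructed_sample():
    """Build a constructed httpd.conf plus wallet directory in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    wallet = os.path.join(root, "ServerCert")
    os.mkdir(wallet)
    os.chmod(wallet, 0o700)
    conf = os.path.join(root, "httpd.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\n"
                 "#SSLWalletPassword old\n"
                 f"SSLWallet file:{wallet}\n"
                 "SSLWalletPassword server12\n")
    os.chmod(conf, 0o644)
    return audit_wallet_config(conf)


if __name__ == "__main__":
    for finding in run_on_constructed_sample():
        print(finding)
```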


    Design

    The Online Product Store demonstrates an e-Business application that uses Web Services to handle credit card-based transactions. There are two ways to ensure security with Web Services:

    - Security at XML level. Options include XML Encryption, XML Digital signature A XKMS (XML Key Management Specification), and SAML (Security Assertion Markup Language).
    - Security at the transport level. Implementing security at the transport level means securing the network protocol a Web Service uses for communication. SSL is the industry-accepted standard protocol for secured encrypted communications over TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a Web Service. The client then sends and receives SOAP messages over this secured socket using HTTPS. The SSL implementation takes care of ensuring privacy by encrypting all the network traffic on the socket. SSL can also authenticate the Web Service to the client using the PKI infrastructure.

    Because the standards for enabling security at XML level are in their infancy, OTN developers opted for security at the transport level using SSL and the PKI infrastructure.

    Oracle9iAS provides a solid framework for building and deploying Web applications using the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository, Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.

    This sample application requires a user ID and a password for login. Three users are created by running SQL scripts given in the Install.html file. Following is the information for accessing this application.


    User ID   Password   Credit Card Number
    C101      welc0me    1234567887654321
    C102      otn        1234567887654322
    C103      welcome    1234567887654323

    By providing credentials, a user gains access to a catalog of products from which they can add items to their shopping cart. To buy products, a user checks out and enters a credit card number, and this application contacts the Credit Card Web Service via SSL, thereby demonstrating how to access a Web Service securely.

    The directory structure of the sample code is as shown below (Xxx represents the top-level directory).

    Directory               Files                             Description
    Xxx\docs                Readme.html                       Gives an overview of the application.
                            Install.html, InstallContd.html   These files describe how to install and deploy the application.
    Xxx\sql                 Security.sql                      Sets up the data required by the Online Product Store which will be created in the "security" user schema.
                            Creditdb.sql                      Sets up the data required by the Credit Card Web Service which will be created in the "creditdb" user schema.
    Xxx\CreditCardService   *.java                            Directory containing the source of the Credit Card Web Service and the supporting files.
    Xxx\JSPApplication      *.java                            Directory containing the source code and supporting files for the Online Product Store.


    Required Software

    You can download the sample application source code (35 KB) from:

    - http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar

    The following software is required to build and run this tutorial. OTN members can download developer-license versions of these products for free.

    - Oracle9i Database Server Version 9.2.0 or higher.
    - Oracle9iAS Release 2 - Installation must include Oracle HTTP Server and OC4J.
    - Oracle9i JDeveloper - Version 9.0.2 or higher.

    See the Setup section for information about installing and running the tutorial.


    Setup

    This section lists the steps to install and configure the tutorial. It assumes that you have installed and configured the software described in the Required Software section.

    1. Extract the Sample
    2. Get a Server Certificate
    3. Get a Client Certificate
    4. Set up Oracle9iAS to use this Certificate
    5. Database Setup
    6. Oracle Java SSL libraries
    7. Compile the Web Service
    8. Deploy the Web Service to Oracle9iAS through Enterprise Manager
    9. Prepare the Online Store application
    10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager


    Implementation

    This sample application achieves security by deployment to Oracle9i Application Server (Oracle9iAS). There is nothing unusual about the code that implements the Web Service. The key is to follow the steps presented in the Setup section of this tutorial. The steps involve a slight modification of the Web Service source code, as explained in the Prepare the Online Store application section.

    Oracle9iAS security starts from the well-tested and highly configurable Web security services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-on services, and extends them further with centralized user provisioning that is available in Oracle Internet Directory, an LDAP, version 3-compliant directory service. In addition, Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication Services (JAAS) for J2EE application security, and extensive portal authorization and application integration mechanisms. Oracle9iAS also supports secure access to Oracle database systems using Oracle Advanced Security.

    Oracle9i Application Server Implementation of Public Key Infrastructure (PKI)

    The Oracle9i Application Server PKI implementation provides a variety of security services, in compliance with industry-standard specifications. It incorporates a whole suite of products and features, including the following:

    Secure Sockets Layer: The Secure Sockets Layer (SSL) is an application layer protocol that can be employed for certificate-based authentication. All of the major components of Oracle9iAS support SSL.

    Oracle Wallets: An Oracle wallet is a container in which certificates and trusted certificates are stored and managed. These data structures securely store a user private key, a user certificate, and a set of trusted certificates (the list of root certificates which the user trusts).

    Oracle Wallet Manager: This is a Java-based application that security administrators use to manage public-key security credentials on both Oracle clients and servers. It creates an Oracle wallet. Oracle Wallet Manager creates a public-private key pair and manages credentials for a user. It issues PKCS#10 certificate requests to the certificate authority, and installs the certificate in the wallet. It ships with trusted certificates from VeriSign, RSA, and Baltimore CyberTrust, and can use a site's own in-house certificate authority.

    Oracle Internet Directory: Oracle Internet Directory, an LDAP V3-compliant directory built on the Oracle9i database, helps to enable PKI-based single sign-on. It enables you to securely manage the user and system configuration environment, including security attributes and privileges, for users authenticated using X.509 certificates. Oracle Internet Directory enforces attribute-level access control, enabling the directory to restrict read, write, or update privileges on specific attributes to specific named users (for example, a security administrator). It also supports protection and authentication of directory queries and responses through SSL encryption.


    Web Services Security Sample Installation

    This document presents the following topics:

    - Required software
    - Installation steps

    Required Software

    - Oracle Database Server Version 9.2.0 or higher
    - Oracle9iAS Release 2 - Installation should contain Oracle HTTP Server and OC4J
    - Oracle9i JDeveloper

    You may download this software from the OTN site.

    Installation Steps

    1. Extract the Sample
    2. Get a Server Certificate
    3. Get a Client Certificate
    4. Set up Oracle9iAS to use this Certificate
    5. Database Setup
    6. Oracle Java SSL libraries
    7. Compile the Web Service
    8. Deploy the Web Service to Oracle9iAS through Enterprise Manager
    9. Prepare the Online Store application
    10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager

    Extract the Sample

    This sample is provided as a jar file. Extract WS_Security.jar in any of your favorite directories. The jar can be extracted as follows:

    jar xvf WS_Security.jar


    Get a Server Certificate

    For setting up PKI infrastructure, this sample needs digital certificates, which can be acquired from any one of the CAs. For this sample, we will get a test certificate from Verisign.

    1. Create a directory called ServerCert on the machine where Oracle9iAS is installed.

    2. Start Oracle Wallet Manager by running the following command from the IAS_HOME/bin directory:

    ./owm

    3. Click on the Wallet/New option to create a new Wallet. This step asks for a wallet password. Enter "client12" as the wallet password. Enter "client12" to confirm the wallet password. Then click on Yes to create a new certification request.

    4. Enter the following information:

    Common Name: OTN_SAMPLE
    Organization Unit: Your Group Name, e.g. 'OTN'
    Organization: Your Company Name, e.g. 'Oracle'
    Locality\City: Your City Name, e.g. 'Bangalore'
    State/Province: Your State Name, e.g. 'Karnataka'
    Country: Choose Appropriate Country Name

    Choose key size as 1024 bits. Click OK, OK. This generates a Certificate Request which you can send to any Certificate Authority.

    5. Click on the menu 'Certificate:[Requested]'. This displays a window in which the Certificate Request is displayed. Note that the Certificate Request starts with

    ----- BEGIN NEW CERTIFICATE REQUEST -----

    and ends with

    ----- END NEW CERTIFICATE REQUEST -----


    Database Setup

    Log into SQLPlus as system/manager.

    Create two users "security" and "creditdb" as follows:

    SQL> create user security identified by security;
    SQL> grant all privileges to security;
    SQL> create user creditdb identified by creditdb;
    SQL> grant all privileges to creditdb;

    Log into SQLPlus as security/security. Run the file Security.sql, which creates the tables needed by this application and populates the tables with data.

    SQL> @d:\\sql\Security.sql

    where is the directory where you have extracted this sample.

    Log into SQLPlus as creditdb/creditdb. Run the file Creditdb.sql, which creates the tables needed by this application and populates the tables with data.

    SQL> @d:\\sql\Creditdb.sql

    where is the directory where you have extracted this sample.

    Oracle Java SSL libraries

    The files jcert.jar, jsse.jar and jssl-1_2.jar are needed for running this sample. They are available in the following directories:

    jsse.jar - /lib
    jcert.jar - /jdk/jre/lib/ext
    jssl-1_2.jar - /jlib

    Copy them to /jdk/jre/lib/ext directory so that these classes are loaded by the system class loader.


    Note: If this step is not followed, the application will throw a ClassNotFoundException.

    Compile the Web Service

    From the command prompt, traverse to the CreditCardService\src directory.

    Edit the file ConnectionParams.java and substitute the variable values with your settings. Make sure to have the username and password as "creditdb" and "creditdb".

    Make sure to have classes12.jar (JDBC library) in the CLASSPATH. This library is available in the IAS_HOME/jdbc/lib directory.

    Compile the source files as follows:

    javac *.java

    Copy the created class files into the WEB-INF\classes directory.

    Go to the parent directory CreditCardService and create a WAR file as follows:

    jar -Mcvf CreditCardValida