4 Replies Latest reply: Jan 21, 2013 9:46 PM by minsoo.jo

How to manage security on Fusion Applications webclient

firsttris Newbie
Hello,

I have built a Fusion Applications web client based on a Java proxy generated from WSDL. I have successfully deployed this project, and it is running, on my local WebLogic server.

The project provides an additional custom use case (to extend the functionality of Fusion Applications).

In the future we would prefer to deploy such "Fusion-Extensions" on the "Oracle Public Cloud".


In order to authenticate to Fusion, the server side public certificate must be acquired and added as a trusted cert entry to a keystore used by the client.
This keystore stores a reference to the Fusion public certificate and uses the alias "orakey". The Fusion public certificate is obtained from any Fusion Application object WSDL.
The certificate is sent by the server and is part of the WSDL:
    <dsig:X509Certificate>MIICCzC...</dsig:X509Certificate>



If I want to call the service from a simple Java class, my "main" method looks like this:

    import java.util.List;
    import java.util.UUID;
    import javax.xml.ws.BindingProvider;
    import com.sun.xml.ws.api.addressing.AddressingVersion;
    import com.sun.xml.ws.api.addressing.WSEndpointReference;
    import com.sun.xml.ws.developer.WSBindingProvider;
    import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;
    import oracle.wsm.security.util.SecurityConstants.ClientConstants;
    // SalesPartyService_Service, SalesPartyService, FindCriteria and SalesParty come from the
    // JAX-WS proxy generated from the WSDL (package not shown in the post).

    public class SalesPartyClient {
        private static final AddressingVersion WS_ADDR_VER = AddressingVersion.W3C;
        private static SalesPartyService_Service salesPartyService_Service;

        public static void main(String[] args) {
            // OWSM client policy: username token with message protection (relies on the "orakey" trusted cert)
            SecurityPolicyFeature[] securityFeature = new SecurityPolicyFeature[] {
                new SecurityPolicyFeature("oracle/wss11_username_token_with_message_protection_client_policy") };
            salesPartyService_Service = new SalesPartyService_Service();
            SalesPartyService salesPartyService =
                salesPartyService_Service.getSalesPartyServiceSoapHttpPort(securityFeature);
            // Get the request context to set the outgoing addressing properties
            WSBindingProvider wsbp = (WSBindingProvider) salesPartyService;
            WSEndpointReference replyTo = new WSEndpointReference(
                "https://xxxxxxxx.oracleoutsourcing.com:443/crmCommonSalesParties/SalesPartyService", WS_ADDR_VER);
            String uuid = "uuid:" + UUID.randomUUID();

            BindingProvider bp = (BindingProvider) salesPartyService;
            bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                "https://xxxxxxxxx.oracleoutsourcing.com:443/crmCommonSalesParties/SalesPartyService");
            //wsbp.setOutboundHeaders( new StringHeader(WS_ADDR_VER.messageIDTag, uuid), replyTo.createHeader(WS_ADDR_VER.replyToTag));

            // Add Security Headers below if any Authentication is required.
            wsbp.getRequestContext().put(WSBindingProvider.USERNAME_PROPERTY, "login");
            wsbp.getRequestContext().put(WSBindingProvider.PASSWORD_PROPERTY, "password");

            // Provide the location of your keystore (.jks file) holding the "orakey" trusted cert entry
            wsbp.getRequestContext().put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "c:/keystore.jks");
            wsbp.getRequestContext().put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
            wsbp.getRequestContext().put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");

            // Add your code to call the desired methods.
            FindCriteria findCriteria = new FindCriteria();
            findCriteria.setFetchSize(10);
            findCriteria.setFetchStart(0);
            try {
                List<SalesParty> sl = salesPartyService.findSalesParty(findCriteria, null);
                System.out.println("salesparty number:" + sl.get(0).getPartyId());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }


Q: My first question is how to reference the keystore if the project is deployed in the Oracle Public Cloud:

    // Provide the location of your keystore (.jks file)
    wsbp.getRequestContext().put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "c:/keystore.jks");
    wsbp.getRequestContext().put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, "password");
    wsbp.getRequestContext().put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");


Furthermore, I had to set up security on my WebLogic server:

Go to “C:\Users\tr_te\AppData\Roaming\JDeveloper\system11.1.1.6.38.62.29\DefaultDomain\bin”

Open setDomainEnv.cmd in a text editor.

Add the following lines to the JVM Properties:

set EXTRA_JAVA_PROPERTIES=-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.allowSmallRSAExponent=true %EXTRA_JAVA_PROPERTIES%

set EXTRA_JAVA_PROPERTIES=-Djavax.net.ssl.trustStore=C:\owsm_test.jks -Djavax.net.ssl.trustStorePassword=welcome1 %EXTRA_JAVA_PROPERTIES%

Configuration explained in more detail:
-Dweblogic.security.SSL.allowSmallRSAExponent => because the certificates used by Fusion are lower than 2048
-Dweblogic.security.SSL.ignoreHostnameVerification => because of the subdomain before oracleoutsourcing.com (https://subdomain.oracleoutsourcing.com)
-Djavax.net.ssl.trustStore => to set up the same keystore in the WebLogic server

Q: How to deal with this challenge in the Oracle Public Cloud?


I tried to deploy the project, but it "failed" every time.
Here are some deployment logs:
https://dl.dropbox.com/u/13344648/log/Deploy%20Application_146483_deploy.txt
https://dl.dropbox.com/u/13344648/log/Deploy%20Application_146483_virus-scan.txt
https://dl.dropbox.com/u/13344648/log/Deploy%20Application_146483_whitelist.txt

regards

Tristan
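The step the post describes, taking the <dsig:X509Certificate> value out of the Fusion WSDL and adding it to a JKS keystore as the trusted entry "orakey", as an added example that is not the poster's code. It assumes the WSDL has been saved to a file (path given as the first argument), Java 8 or later, and a hypothetical class name OrakeyImport; it also reports the RSA key size and public exponent so the reason for the relaxed WebLogic settings can be confirmed before they are set.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Hypothetical helper: pulls the <dsig:X509Certificate> out of a saved Fusion WSDL and stores it
// as the "orakey" trusted entry of a JKS keystore (Java 8+ for java.util.Base64).
public class OrakeyImport {
    private static final Pattern CERT_TAG = Pattern.compile(
        "<(?:\\w+:)?X509Certificate>\\s*([A-Za-z0-9+/=\\s]+?)\\s*</(?:\\w+:)?X509Certificate>");
    static X509Certificate certificateFromWsdl(String wsdl) throws Exception {
        Matcher m = CERT_TAG.matcher(wsdl);
        if (!m.find()) throw new IllegalArgumentException("no X509Certificate element in WSDL");
        byte[] der = Base64.getMimeDecoder().decode(m.group(1)); // MIME decoder tolerates line breaks
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
    static void storeAsOrakey(X509Certificate cert, File jks, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (jks.exists()) { try (InputStream in = new FileInputStream(jks)) { ks.load(in, password); } }
        else ks.load(null, password); // create an empty keystore
        ks.setCertificateEntry("orakey", cert); // trusted cert entry under the alias the client expects
        try (FileOutputStream out = new FileOutputStream(jks)) { ks.store(out, password); }
    }

    public static void main(String[] args) throws Exception { // args: wsdl-file keystore.jks password
        String wsdl = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8);
        X509Certificate cert = certificateFromWsdl(wsdl);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            RSAPublicKey rsa = (RSAPublicKey) cert.getPublicKey();
            // Key size and exponent: the values the post's allowSmallRSAExponent setting relates to
            System.out.println("RSA modulus bits: " + rsa.getModulus().bitLength()
                + ", public exponent: " + rsa.getPublicExponent());
        }
        storeAsOrakey(cert, new File(args[1]), args[2].toCharArray());
    }
}
```

Run it as `java OrakeyImport SalesPartyService.wsdl keystore.jks password`; the resulting keystore path and password are what the WSSEC_KEYSTORE_* properties in the post point at.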
  • 1. Re: How to manage security on Fusion Applications webclient
    firsttris Newbie
    Okay, progress :)

    It's deployed successfully!

    I think it was some technical issue with the cloud...


    Q1: My first question is how to reference the keystore if the project is deployed in the Oracle Public Cloud?

    Q2: How to deal with the WebLogic security setup in the Oracle Public Cloud?


    Link to my deployment: https://java-trialabbr.java.us1.oraclecloudapps.com/WebCloutTest-web-context-root/faces/index.jspx

    ERROR: "oracle/wsm/agent/WSMAgent"



    Set the init-param debug_mode to "true" to see the complete exception message.

    Where can I set this init-param?

    Edited by: user11168034 on 17.01.2013 04:16

    Edited by: user11168034 on 17.01.2013 04:19
  • 2. Re: How to manage security on Fusion Applications webclient
    firsttris Newbie
    Even the approach of a relative path was unfortunately not successful:

    wsbp.getRequestContext().put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "/owsm_test.jks");

    Edited by: user11168034 on 17.01.2013 01:47
  • 3. Re: How to manage security on Fusion Applications webclient
    firsttris Newbie
    Hello,

    I also tried another policy without success.

    As described here: http://docs.oracle.com/cloud/CSJSU/dev_app.htm#CSJSU7106 I should use: "oracle/wss_username_token_over_ssl_client_policy"

    which works for me in my local environment (WebLogic), but not in the Oracle Public Cloud.

    I can't find any information on how to set up the Java keystore....
  • 4. Re: How to manage security on Fusion Applications webclient
    minsoo.jo Newbie
    I have met the same problem and I made an SR; support said that there is no support for a trial cloud account.
    I think Oracle Public Cloud is not yet ready to dive into the market.

    Anyway, I would like to explain something I've found.

    1. Any Java web services proxy generated by JDeveloper will fail to get the WSDL, because the service client uses "new File(".").toURL();" but the Public Cloud does not allow any file system access.
    2. I would like to see the WebLogic diagnostics log as well as the server log, but Support said that when I would like to see the diagnostics log, I should register an SR. How to develop an application using the cloud?
    3. The Oracle Fusion Middleware Security Guide said that Oracle WebLogic Server only uses jps-config.xml in <DOMAIN_HOME>/config/fmwconfig, and the jps-config.xml said that it uses default-keystore.jks in the same directory by default. And the jps-config.xml is not application specific but common to the WebLogic server. We cannot override that.
    So, I think even though you set -Djavax.security.ssl.keystore and trustedKeystore, that does not have an effect in WebLogic. WebLogic uses jps-config.xml.

    The Security Guide said that we can import a server certificate or chained certificate using the EM console, but Oracle Public Cloud does not open this menu, including EM.
