Pages

Monday, September 12, 2011

Calling an OWSM protected service with Axis 1.4 and WSS4J

Not the whole world uses Fusion Middleware so sometimes it is necessary to call an Oracle Web Service Manager protected Web Service from a different java framework like Apache Axis 1.4 combined with WSS4J 1.5. In this blogpost I will show you the steps how to do this.

First you can't use every OWSM policy with Axis. Oracle made an interoperability documentation page what is possible with Axis 1.4 and OWSM 11g, please check this first.

In this post I will use the oracle/wss10_username_token_with_message_protection_service_policy OWSM server policy on a protected OSB proxy service and will call this from axis / wss4j and these frameworks will use the following policies UsernameToken, Timestamp, Signature and Encrypt.

In this demo I will used self signed keys and these are generated by the keytool of java 1.6. Basically I create two keystores and exchange the public keys. The server keystore is imported in the OWSM configuration page and the client keystore will be used in Axis.

keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=server, C=US" -keypass welcome -keystore c:\temp\server.jks -storepass welcome -validity 3650

keytool -genkey -alias clientKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=client, C=US" -keypass welcome -keystore c:\temp\client_2.jks -storepass welcome -validity 3650 

keytool -exportcert -alias serverKey -storepass welcome -keystore c:\temp\server.jks -file c:\temp\server.cer

keytool -exportcert -alias clientKey -storepass welcome -keystore c:\temp\client_2.jks -file c:\temp\client.cer

keytool -import -alias serverKey -file c:\temp\server.cer -storepass welcome -keystore c:\temp\client_2.jks keytool -import -alias clientKey -file c:\temp\client.cer -storepass welcome -keystore c:\temp\server.jks 

keytool -list -storepass welcome -keystore c:\temp\client_2.jks
keytool -list -storepass welcome -keystore c:\temp\server.jks

For this policy we also need to create a user called osbbook and with password weblogic1 in the myrealm security realm of WebLogic.

The next step is to check if all is fine by creating an OWSM client in Jdeveloper 11g and using the oracle/wss10_username_token_with_message_protection_client_policy OWSM client policy . First generate a web service client and use the following code to check if it works.


If all is fine we can go to the Axis and WSS4J part.
We need to download the following software frameworks from Apache.

Download the WSDL and it's XML Schemas of the remote service and fix the schema imports of the WSDL. Put these files in your project folder.

The first step is to generate a Web Service Proxy client based on this WSDL, for this we don't use JAX-WS but we will use the AXIS libraries.
Here is the ANT build file to generate the Java classes from WSDL with Axis 1.4,  I put the build.xml in my project folder of JDeveloper.

Add the following libraries to the project. Wss4j-1.5.12.jar, Axis.jar, Jaxrpc.jar, Saaj.jar, Wsdl4j-1.5.1.jar, Commons-discovery-0.2.jar, Commons-logging-1.0.4.jar, Log4j-1.2.8.jar, Javax.activation_1.1.0.0_1-1.jar, Javax.mail_1.1.0.0_1-4-1.jar ,Xmlsec-1.4.5.jar, Xml-apis-1.3.03.jar, Serializer-2.7.1.jar, Xalan-2.7.1.jar, XercesImpl-2.9.1.jar

We also need to create a security property file called crypto.properties and put this in the src folder. This file contains the keystore path with its keystore password.

Create a Password callback class for all the password used in this ws client ( the password of the usernametoken and the keystore passwords )
We also need an Axis deployment file WSDD with the WSS4J configuration, put this file called client_deployment.wsdd in your project folder.

For the response I need to do the following policies Signature, Timestamp and then Encrypt , this is wrong in the documentation

Use the log4j.properties to see all the messages, else you won't see the debug information of WSS4J and Axis 1.4.
Put this file in the src folder.

And at last the Axis test client where we load the client_deployment.wsdd file.

8 comments:

  1. Use the Apache Rampart module in Axis, which implements WS Security. Works like a charm with OWSM.

    ReplyDelete
  2. Hi ,

    I know but show me how Laurens. Make some nice blog at WH.

    Axis2 with Rampert which uses wss4j 1.6 is much better and which OWSM policies can you use.

    Thanks

    ReplyDelete
  3. Hello Edwin,
    Can you plz let me know How to Invoke OWSSE enabled webservice from Oracle SOA 11.1.1.4.

    I have downloaded the Certificates(.cer) of third party webservice and would like to know the further steps.

    Got to know that we need to configure the Keystore in order to access the service, I did try to config the keystore, but solution didn't work.

    I was wondering if you could help me on this..

    Thanks,
    AB

    ReplyDelete
  4. Hi,

    what do you know of the remote ws, like technology etc. what are the security policies in the wsdl.

    what did you get from them ( keys )

    thanks

    ReplyDelete
  5. Hi Edwin,

    I am facing problem while implementing owsm policies async service.Please guide me with policies and the way to implement them as i am new to this system.

    Thank you.

    ReplyDelete
  6. Hi,

    Async can be hard because you cant wait in your tool for the response , like I described here http://biemond.blogspot.com/2011/02/building-asynchronous-web-service-with.html

    What is your client tool and maybe you need to use soapUI and create a mock service to receive the response.

    thanks

    ReplyDelete
  7. Hi Edwin,

    I am having trouble calling the proxy jar created within my another application. Basically I am having Swing application and when I import the proxy jar created and run it throws exceptions . It runs fine when I call the operation from the proxy project (i.e) standalone project works fine but when I create the proxy jar and include it in my other projects and call the operations via the proxy client jar it does not work . Kind of confusing.. Can you please guide.

    EVERE: WSM-00016 The username/password credentials or certificates null are missing.
    SEVERE: WSM-00005 Error in sending the request.
    SEVERE: WSM-07607 Failure in execution of assertion {http://schemas.oracle.com/ws/2006/01/securitypolicy}wss11-username-with-certificates executor class oracle.wsm.security.policy.scenario.executor.Wss11UsernameWithCertsScenarioExecutor.
    SEVERE: WSM-07602 Failure in WS-Policy Execution due to exception.
    SEVERE: WSM-07501 Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=null, composite=null, modelObj=CalculatorWSService, policy=oracle/wss11_username_token_with_message_protection_client_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss11-username-with-certificates.
    oracle.wsm.common.sdk.WSMException: WSM-00015 : The user name is missing.
    at oracle.wsm.security.policy.scenario.executor.Wss11UsernameWithCertsScenarioExecutor.sendRequest(Wss11UsernameWithCertsScenarioExecutor.java:244)
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:611)
    at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)

    ReplyDelete
    Replies
    1. Hi,

      Do you set the username or retrieve it somehow and maybe you got a classloading problem or a sandbox problem ( java web start).

      thanks

      Delete