6 Securing SOA Composite Applications

This chapter describes security procedures unique to SOA composite applications.

This chapter includes the following topics:

Section 6.1, "Introduction to Securing SOA Composite Applications"
Section 6.2, "Configuring SOA Composite Applications for Two-Way SSL Communication"
Section 6.3, "Configuring Oracle SOA Suite and Oracle HTTP Server for SSL Communication"
Section 6.4, "Automatically Authenticating Oracle BPM Worklist Users in SAML SSO Environments"
Section 6.5, "Automatically Authenticating Oracle BPM Worklist Users in Windows Native Authentication Environments"
Section 6.6, "Listing Oracle Internet Directory as the First Authentication Provider"
Section 6.7, "Switching from Non-SSL to SSL Configurations with Oracle BPM Worklist"
Section 6.8, "Configuring Security for Human Workflow WSDL Files"
Section 6.9, "Configuring SSL Between SOA Composite Application Instances and Oracle WebCache"

Note:

See the following sections for information on attaching and detaching policies:

6.1 Introduction to Securing SOA Composite Applications

This chapter describes security procedures unique to SOA composite applications. Most SOA composite application security procedures do not require SOA-unique steps and can be performed by following the documentation listed in Table 6-1.

Table 6-1 Security Documentation

For Information On...	See The Following Guide...
Securing Oracle Fusion Middleware	Oracle Fusion Middleware Security Guide
Securing and administering Web services	Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Understanding Oracle WebLogic Server security	Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server
Securing an Oracle WebLogic Server production environment	Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server
Securing Oracle WebLogic Server	Oracle Fusion Middleware Securing Oracle WebLogic Server
Developing new security providers for use with Oracle WebLogic Serverr	Oracle Fusion Middleware Developing Security Providers for Oracle WebLogic Server
Securing Web service for Oracle WebLogic Server	Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
Programming security for Oracle WebLogic Server	Oracle Fusion Middleware Programming Security for Oracle WebLogic Server

6.2 Configuring SOA Composite Applications for Two-Way SSL Communication

Oracle SOA Suite uses both the Oracle WebLogic Server and Sun secure socket layer (SSL) stacks for two-way SSL configurations.

For the inbound Web service bindings, Oracle SOA Suite uses the Oracle WebLogic Server infrastructure and, therefore, the Oracle WebLogic Server libraries for SSL.
For the outbound Web service bindings, Oracle SOA Suite uses JRF HttpClient and, therefore, the Sun JDK libraries for SSL.

Due to this difference, start Oracle WebLogic Server with the following JVM option.

Open the following file:
- On UNIX operating systems, open $MIDDLEWARE_HOME\user_projects\domains\domain_name\bin\setDomainEnv.sh.
- On Window operating systems, open MIDDLEWARE_HOME/user_projects/domains/domain_name/bin/setDomainEnv.bat.
Add the following lines in the JAVA_OPTIONS section, if the server is enabled for one-way SSL (server authorization only):
```
-Djavax.net.ssl.trustStore=your_truststore_location
```
For two-way SSL, the keystore information (location and password) is required.

6.3 Configuring Oracle SOA Suite and Oracle HTTP Server for SSL Communication

Follow these steps to configure SSL communication between Oracle SOA Suite and Oracle HTTP Server.

6.3.1 Configuring Oracle HTTP Server for SSL Communication

Update mod_ssl.conf with the <Location /integration/services> location directive.

LoadModule weblogic_module   ${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so

<IfModule mod_weblogic.c>
      WebLogicHost host.domain.com
      WLLogFile <logdir>/ohs_ssl.log
      Debug ALL
      DebugConfigInfo ON
      SecureProxy ON
      MatchExpression *.jsp
      WlSSLWallet <OHS_
HOME>/instances/instance1/config/OHS/ohs1/keystores/default
</IfModule>

<Location /soa-infra>
      WebLogicPort 8002
      SetHandler weblogic-handler
      ErrorPage http://host.domain.com:port/error.html
</Location>

<Location /b2b>
      WebLogicPort 8002
      SetHandler weblogic-handler
      ErrorPage http://host.domain.com:port/error.html
</Location>

<Location /integration/worklistapp>
      WebLogicPort 8002
      SetHandler weblogic-handler
      ErrorPage http://host.domain.com:port/error.html
</Location>

<Location /integration/services>
      WebLogicPort 8002
      SetHandler weblogic-handler
      ErrorPage http://host.domain.com:port/error.html
</Location>

<Location /DefaultToDoTaskFlow>
      WebLogicPort 8002
      SetHandler weblogic-handler
      ErrorPage http://host.domain.com:port/error.html
</Location>

<Location /OracleBAM>
      WebLogicPort 9002
      SetHandler weblogic-handler
      ErrorPage http://host.domain.com:port/error.html
</Location>

<Location /OracleBAMWS>
>       WebLogicPort 9002>       SetHandler weblogic-handler
>       ErrorPage  http://host.domain.com:port/error.html
> </Location>

Start the Oracle WebLogic Servers as described in Section 6.2, "Configuring SOA Composite Applications for Two-Way SSL Communication."

6.3.2 Configuring Certificates for Oracle Client, Oracle HTTP Server, Oracle WebLogic Server

Export the user certificate from the Oracle HTTP Server wallet.

orapki wallet export -wallet . -cert cert.txt  -dn 'CN=\"Self-Signed Certificate for ohs1 \",OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US'

Import the above certificate into the Oracle WebLogic Server truststore as a trusted certificate.
```
keytool -file cert.txt -importcert -trustcacerts -keystore DemoTrust.jks
```

Export the certificate from the Oracle WebLogic Server truststore.

keytool -keystore DemoTrust.jks -exportcert -alias wlscertgencab -rfc -file
certgencab.crt

Import the above certificate to the Oracle HTTP Server wallet as a trusted certificate.
```
orapki wallet add -wallet . -trusted_cert -cert certgencab.crt -auto_login_only
```
Restart Oracle HTTP Server.
Restart the Oracle WebLogic Servers as described in Section 6.2, "Configuring SOA Composite Applications for Two-Way SSL Communication."

6.4 Automatically Authenticating Oracle BPM Worklist Users in SAML SSO Environments

In order to be automatically authenticated when accessing a second Oracle BPM Worklist from a first Oracle BPM Worklist in Security Assertion Markup Language (SAML) SSO environments, you must perform the following steps. Otherwise, you are prompted to log in again when you access the second Oracle BPM Worklist. In these environments, the first Oracle BPM Worklist is configured as the SAML identity provider and the second Oracle BPM Worklist that you are attempting to access is configured as the SAML service provider.

Add /integration/worklistapp/* as the redirect URL for worklistapp to the SAML service provider site's SAML2IdentityAsserter configuration as follows.
1. In the Oracle WebLogic Server Administration Console, select Security Realms.
2. Click the realms for the service providers.
3. Select the Providers tab, and then the Authentication subtab.
4. From the provider list, select the provider with the description SAML 2.0 Identity Assertion Provider.
  
  If you do not see the SAML identity assertion provider configuration, follow the instructions in Oracle Fusion Middleware Securing Oracle WebLogic Server.
5. Select the Management tab.
6. Under the Management tab, you can see a list of identity provider partners. These are hosts that have been configured as the SAML identity provider partners for this SAML identity service provider site. Remember that this configuration step is performed on the identity service provider site on which the worklist application is hosted.
7. Select the identity provider site where you want the user to perform the initial login.
8. Scroll down the page until you see the field Redirect URIs.
9. Add /integration/worklistapp/* to the list.
After performing this step, you can log in to Oracle BPM Worklist at the SAML identity provider site though the regular URL of/integration/worklistapp. If necessary, you can then navigate to the URL /integration/worklistapp/ssologin at the SAML service provider site, where you gain access to Oracle BPM Worklist and are automatically authenticated.

For more information on SAML2IdentityAsserter and configuring SSO with Web browsers and HTTP clients, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

6.5 Automatically Authenticating Oracle BPM Worklist Users in Windows Native Authentication Environments

For Windows native authentication through Kerberos to work with Oracle BPM Worklist, you must use the /integration/worklistapp/ssologin protected URL. For example, after configuring Windows native authentication, you access Oracle BPM Worklist as follows:

http://host_name.domain_name:8001/integration/worklistapp/ssologin

For information on configuring SSO with Microsoft clients, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

6.6 Listing Oracle Internet Directory as the First Authentication Provider

The Oracle BPM Worklist and workflow services use Java Platform Security (JPS) and the User and Role API. For this reason, the Oracle Internet Directory authenticator must be the first provider listed when workflow is used with Oracle Internet Directory. If Oracle Internet Directory is not listed first (for example, it is listed below DefaultAuthenticator), login authentication fails.

For information about changing the order of authentication providers, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

6.7 Switching from Non-SSL to SSL Configurations with Oracle BPM Worklist

Switching from non-SSL to SSL configurations with Oracle BPM Worklist requires the Frontend Host and Frontend HTTPS Port fields to be set in Oracle WebLogic Server Administration Console. Not doing so results in exception errors when you attempt to create to-do tasks.

Log in to Oracle WebLogic Server Administration Console.
In the Environment section, select Servers.
Select the name of the managed server (for example, soa_server1).
Select Protocols, then select HTTP.
In the Frontend Host field, enter the host name on which Oracle BPM Worklist is located.
In the Frontend HTTPS Port field, enter the SSL listener port.
Click Save.

6.8 Configuring Security for Human Workflow WSDL Files

If the WSDL files for human workflow services are not exposed to external consumers, then set the flag that exposes the WSDL to false for each of the services:

<expose-wsdl>false</expose-wsdl>

For more information, see Oracle Fusion Middleware Developer's Guide for Oracle Web Services.

6.9 Configuring SSL Between SOA Composite Application Instances and Oracle WebCache

The Test Web Service page, in an Oracle WebCache and Oracle HTTP Server environment, may need to communicate back through Oracle WebCache. Therefore, SSL must be configured between the SOA composite application instance and Oracle WebCache (that is, export the user certificate from the Oracle WebCache wallet and import it as a trusted certificate in the Oracle WebLogic Server truststore).