Oracle® Fusion Middleware Developer's Guide for Content Server
11g Release 1 (11.1.1)

Part Number E10807-01

7.4 Security

The following topics cover security configuration for Oracle UCM Web services.

7.4.1 Configuring WS-Security through WS-Policy

Web service security (WS-Security) is configured through Web service policies (WS-Policy). Security policies can be attached to Web services to define their security protocol. In particular, the Oracle UCM Web services support OWSM policies.

Two general classes of policies are supported: username token and SAML. The following is a list of supported OWSM policies:

  • oracle/wss11_saml_token_with_message_protection_service_policy

  • oracle/wss11_username_token_with_message_protection_service_policy

To set WS-Policy

  1. Access the Oracle WebLogic Server administration console.

  2. Select Deployments from the side panel, then expand either the Oracle UCM native Web services or the Oracle UCM generic Web services.

  3. Click IdcWebLogicService or GenericSoapService, then select the Configuration tab, then the WS-Policy tab.

  4. Click the main service. From here you can choose which OWSM policies to add.

  5. When you have finished adding OWSM policies, you must update the Oracle UCM native Web services or the Oracle UCM generic Web services.

7.4.2 Configuring SAML Support

To provide SAML support so that the client can act as the identity provider (that is, assert credentials), additional steps must be taken: configure a keystore, configure a JPS provider to use the keystore, create a client credential store (CSF), and configure a Java client to use the keystore and CSF.

7.4.2.1 Configuring a Keystore

Both the server and the client need a copy of a keystore. The server uses the keystore to authenticate the credentials passed by the client. A self-signed certificate can work for this situation, because the keystore is used only as a shared secret. You can use keytool to generate a self-signed certificate. Note: many of the values used in the following example are the defaults for the domain's config/fmwconfig/jps-config.xml (explained in the next section):

$ keytool -genkey -alias orakey -keyalg RSA -keystore default-keystore.jks -keypass welcome -storepass welcome

Any values can be entered at the keytool prompts; the specifics do not matter except for the keystore and certificate passwords, which the client uses.

7.4.2.2 Configuring Server JPS to Use the Keystore

Configuring the keystore on the Oracle WebLogic Server domain involves editing the $domain/config/fmwconfig/jps-config.xml file. A provider must be defined in <serviceProviders>. A provider should be defined by default.

<serviceProvider type="KEY_STORE" name="keystore.provider"
    class="oracle.security.jps.internal.keystore.KeyStoreProvider">
    <description>PKI Based Keystore Provider</description>
    <property name="provider.property.name" value="owsm"/>
</serviceProvider>

When you have verified the provider, or created or modified a provider, a keystore instance must be defined in <serviceInstances>. A keystore instance should be defined by default.

<serviceInstance name="keystore" provider="keystore.provider"
    location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.type" value="JKS"/>
    <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="sign-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>

The location of the keystore instance must be set to the same location as when you created the keystore. Additionally, the keystore must be added to the <jpsContexts>. This setting should be in the jps-config.xml file by default.

<jpsContext name="default">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="audit"/>
    <serviceInstanceRef ref="idstore.ldap"/>
</jpsContext>

7.4.2.3 Creating a Client CSF

On the client, there must be a credential store that holds the keys used to unlock the keystore. A Credential Store Framework (CSF) store can be created in a variety of ways, but one way is to use the Oracle WebLogic Server Scripting Tool (WLST). You must use the wlst command from the EM interface. In order to use WLST to create a credential, you must be connected to the Oracle WebLogic Server domain. Note that the resulting wallet can only be used on the client.

$ ./wlst.sh

$ connect()

$ createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
$ createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
$ createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")

The preceding example creates a CSF wallet at $domain/config/fmwconfig/cwallet.sso that must be given to the client. You need to change the values from the example to match the alias and passwords from the keystore you created.

7.4.2.4 Configuring a Java Client to Use the Keystore and CSF

In order to configure a Java client to use the keystore and CSF, there are two requirements:

  • The Java client must have a copy of both the keystore and the CSF wallet.

  • There must be a client version of the jps-config.xml file. This file must contain entries for locating the keystore as well as the CSF wallet. To configure security, the Java system property "oracle.security.jps.config" must point to the jps-config.xml file. This can be set during execution in the client:

    System.setProperty("oracle.security.jps.config", "jps-config.xml");

The following example shows a jps-config.xml file for clients based on the configuration provided in previous examples.

<jpsConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="jps-config.xsd">
    <serviceProviders>
        <serviceProvider name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
            <description>SecretStore-based CSF Provider</description>
        </serviceProvider>
        <serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
            <description>PKI Based Keystore Provider</description>
            <property name="provider.property.name" value="owsm"/>
        </serviceProvider>
    </serviceProviders>
    <serviceInstances>
        <serviceInstance name="credstore" provider="credstoressp" location="./">
            <description>File Based Credential Store Service Instance</description>
        </serviceInstance>
        <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
            <description>Default JPS Keystore Service</description>
            <property name="keystore.type" value="JKS"/>
            <property name="keystore.csf.map" value="oracle.wsm.security"/>
            <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
            <property name="keystore.sig.csf.key" value="sign-csf-key"/>
            <property name="keystore.enc.csf.key" value="enc-csf-key"/>
        </serviceInstance>
    </serviceInstances>
    <jpsContexts default="default">
        <jpsContext name="default">
            <serviceInstanceRef ref="credstore"/>
            <serviceInstanceRef ref="keystore"/>
        </jpsContext>
    </jpsContexts>
</jpsConfig>
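As an added example (not from this guide or Oracle's tooling), the following Python script parses a client jps-config.xml like the one above and checks that it is consistent with the keystore and WLST credentials created in the preceding sections: the keystore instance's provider is defined, each keystore.*.csf.key names a credential that exists in the configured CSF map, the keystore file is present at the configured location, and the default jpsContext references both credstore and keystore. The sample XML and the set of created credentials are constructed inline from the values in this section.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the client jps-config.xml shown in this section.
SAMPLE_JPS_CONFIG = """<jpsConfig>
 <serviceProviders>
  <serviceProvider name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"/>
  <serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider"/>
 </serviceProviders>
 <serviceInstances>
  <serviceInstance name="credstore" provider="credstoressp" location="./"/>
  <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
   <property name="keystore.csf.map" value="oracle.wsm.security"/>
   <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
   <property name="keystore.sig.csf.key" value="sign-csf-key"/>
   <property name="keystore.enc.csf.key" value="enc-csf-key"/>
  </serviceInstance>
 </serviceInstances>
 <jpsContexts default="default">
  <jpsContext name="default"><serviceInstanceRef ref="credstore"/><serviceInstanceRef ref="keystore"/></jpsContext>
 </jpsContexts>
</jpsConfig>"""

# Constructed: the (map, key) pairs that the three WLST createCred calls in this section store in the wallet.
CREATED_CREDS = {("oracle.wsm.security", k) for k in ("keystore-csf-key", "sign-csf-key", "enc-csf-key")}

def check_jps_config(xml_text, created_creds, file_exists=os.path.exists):
    """Return a list of problems found in a client jps-config.xml; an empty list means it is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    providers = {p.get("name") for p in root.iter("serviceProvider")}
    instances = {i.get("name"): i for i in root.iter("serviceInstance")}
    ks = instances.get("keystore")
    if ks is None:
        return ["no serviceInstance named 'keystore'"]
    if ks.get("provider") not in providers:
        problems.append("keystore provider %r is not defined in serviceProviders" % ks.get("provider"))
    # Every CSF key the keystore instance names must have been created in the wallet under the same map.
    props = {p.get("name"): p.get("value") for p in ks.findall("property")}
    csf_map = props.get("keystore.csf.map")
    for prop in ("keystore.pass.csf.key", "keystore.sig.csf.key", "keystore.enc.csf.key"):
        if (csf_map, props.get(prop)) not in created_creds:
            problems.append("%s=%r has no credential in CSF map %r" % (prop, props.get(prop), csf_map))
    if not file_exists(ks.get("location", "")):
        problems.append("keystore file %r not found" % ks.get("location"))
    # The default jpsContext must reference both the credential store and the keystore.
    default = root.find("jpsContexts").get("default")
    ctx = next((c for c in root.iter("jpsContext") if c.get("name") == default), None)
    refs = {r.get("ref") for r in ctx.findall("serviceInstanceRef")} if ctx is not None else set()
    problems += ["default jpsContext lacks %r" % n for n in ("credstore", "keystore") if n not in refs]
    return problems
```

Run it from the client's working directory (where default-keystore.jks and cwallet.sso sit) so that the relative keystore location resolves the same way it does for the Java client.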