8 Interoperability with Oracle GlassFish Enterprise Server Release 3.0.1

This chapter contains the following sections:

Overview of Interoperability With Oracle GlassFish Security Environments
Username Token with Message Protection (WS-Security 1.1)

8.1 Overview of Interoperability With Oracle GlassFish Security Environments

Oracle GlassFish Enterprise Server Release 3.0.1 is an open source application server for the Java EE platform. Metro is an open-source Web service stack that is a part of Oracle GlassFish Enterprise Server.

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

For more information about:

Configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configuring Oracle GlassFish, see http://docs.sun.com/app/docs/coll/1343.9.
Configuring Metro Web services, see https://metro.dev.java.net/guide/

8.2 Username Token with Message Protection (WS-Security 1.1)

This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:

"Configuring GlassFish Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and GlassFish Web Service"

8.2.1 Configuring GlassFish Client and Oracle WSM 11g Web Service

To configure GlassFish client and Oracle WSM 11g Web service, perform the steps described in the following sections:

8.2.1.1 Configuration Prerequisites for Interoperability

Perform the following prerequisite steps:

Create a default-keystore.jks file with the following command:

$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA
 -dname "CN=orakey, O=oracle C=us" -keystore default-keystore.jks -storepass
 welcome

Copy default-keystore.jks to the domain's fmwconfig directory.
Create a file user in GlassFish with the following command:
```
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user
```
For more information, see http://docs.sun.com/app/docs/doc/820-4495/6nfv4mkkl?a=view.

Import orakey from default-keystore.jks into GlassFish keystore and truststore. These are located in the directory <domain-dir>/config

$JAVA_HOME/bin/keytool -importkeystore -srckeystore
 <path-to>/default-keystore.jks -destkeystore
 <path-to-gf-domain>/config/cacerts.jks -srcalias  orakey -destalias orakey
 -srckeypass welcome -destkeypass changeit

Copy jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.

8.2.1.2 Configuring Oracle WSM 11g Web Service

Create a Web service.
Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.

For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

8.2.1.3 Configuring GlassFish/Metro Client

Using NetBeans, create a Metro client by selecting New Project > Java > Java Application.Provide a project name and location and select Finish.
Right click on the project. Select New > Web service Client. Follow the wizard and provide WSDL URL for service deployed in WebLogic.
Select Edit Web Services Attributes.
Check Use Development Defaults to include Metro libraries into the project.
Uncheck Use Development Defaults. Provide username subject and password.
For a Metro SE client:
1. Edit the truststore configuration. Select the same default-keystore.jks created in "Configuration Prerequisites for Interoperability".
2. Drag and drop the Web service operation into main class, main method.
3. Right click on the project and choose run to execute the project.
For a Metro Java EE client:
1. Drag and drop the Web service operation into EJB or Servlet to invoke.
2. Deploy the application into GlassFish and invoke the Web service.

8.2.2 Configuring Oracle WSM 11g Client and GlassFish Web Service

To configure Oracle WSM 11g client and GlassFish Web service, perform the steps described in the following sections:

8.2.2.1 Configuration Prerequisites for Interoperability

Perform the following prerequisite steps:

Create a default-keystore.jks file with the following command:

$JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA
 -dname "CN=orakey, O=oracle C=us" -keystore default-keystore.jks -storepass
 welcome

Copy default-keystore.jks to the domain's fmwconfig directory.

Save the credentials in credential store using WLST commands. For example:

$<ORACLE_HOME>/common/bin/wlst.sh
> connect()
> createCred(map="oracle.wsm.security", key="keystore-csf-key",
 user="keystore", password="welcome")
> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey",
 password="welcome")
> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey",
 password="welcome")
>createCred(map="oracle.wsm.security", key="glassfish.credentials" ,
 user="wlsUser" , password="welcome1" , description="Glassfish user
 credentials");

A file cwallet.sso is created in the directory DOMAIN_HOME/config/fmwconfig

Create a file user in GlassFish with the following command:
```
$<GLASSFISHV3_HOME>/glassfish/bin/asadmin create-file-user
```
For more information, see http://docs.sun.com/app/docs/doc/820-4495/6nfv4mkkl?a=view.

Import orakey from default-keystore.jks into GlassFish keystore and truststore. These are located in the directory <domain-dir>/config

$JAVA_HOME/bin/keytool -importkeystore -srckeystore
 <path-to>/default-keystore.jks -destkeystore
 <path-to-gf-domain>/config/keystore.jks -srcalias  orakey -destalias orakey
 -srckeypass welcome -destkeypass changeit

Copy cwallet.sso, jps-config.xml and default-keystore.jks from the domain's fmwconfig directory into a local folder.

8.2.2.2 Configuring GlassFish/Metro Web Service

Create a Metro Web service. For more information, see https://metro.dev.java.net/guide/Developing_with_NetBeans.html.
Configure the appropriate security mechanism. For more information, see https://metro.dev.java.net/guide/Security_Mechanisms.html.

8.2.2.3 Configuring Oracle WSM 11g Client

Using JDeveloper, create a Web service proxy for the GlassFish service. Select the policy oracle/wss11_username_token_with_message_protection_client_policy in the wizard.
Set the csf-key to glassfish.credentials in the Override Properties option for the Web service proxy.
In the Web service proxy main class, set the system property of oracle.security.jps.config to jps-config.xml from Step 6 of "Configuration Prerequisites for Interoperability".
Invoke the Web service.

Note:

If you are using

Oracle Service Bus business service, set the property overrides to glassfish.credentials in the Security page. For more information, see "Policy Overrides" in Oracle Fusion Middleware Developer's Guide for Oracle Service Bus at http://download.oracle.com/docs/html/E15866_01/owsm.htm.
SOA Web service reference, set the property overrides to glassfish.credentials in the Security page. For more information, see Section 37.2.2 "How to Override Policy Configuration Property Values" in Developer's Guide for SOA Suite at http://download.oracle.com/docs/cd/E15523_01/integration.1111/e10224/sca_policy.htm#CDDEIAFA.