Oracle Web Service Manager 11g
Field level Encryption (in SOA, WLS)
March, 2012
Step-by-Step Instruction Guide
Author: Prakash Yamuna
Senior Development Manager
Oracle Corporation
Oracle Corporation | Field level Encryption | Version 1.0 2
Table of Contents
Use Case ... 3
  Description ... 3
  Objective ... 3
  Scenario ... 4
Software Requirements ... 5
  Prerequisites ... 5
  Verified Product Version ... 5
  Potentially Applies to Product Version(s) ... 5
  Download Main Page ... 5
  Product URLs ... 5
Step by Step Instructions ... 6
  Create Purchase Order WLS JAX-WS POJO Web Service ... 6
  Create Custom Policy for Field level Encryption ... 11
  Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service ... 22
  Create Purchase Order Composite App ... 28
  Attach Custom Policy created previously to the Purchase Order Composite App Reference ... 41
  Create Keystore and Credentials in Credential Store ... 47
Use Case
Description
In this How-To I will demonstrate how one can do field level encryption. By default all the message protection
related policies that ship out of the box with OWSM encrypt the entire body of the SOAP message. However in
many cases customers may want to encrypt only the sensitive fields in the SOAP message rather than the entire
body.
For example:
a) A customer wants to encrypt the SSN in the SOAP message.
b) A customer wants to encrypt the credit card number in the SOAP message.
For the purposes of this How-To we will build a SOA Composite app which will act as the web service client and
a WLS JAX-WS web service which will act as the backend web service.
Objective
Show how to create OWSM custom policies that encrypt certain fields in a SOAP message, and use these custom policies to secure a web service client and a web service.
Scenario
This How-To will demonstrate:
1. A simple PurchaseOrder WLS POJO JAX-WS web service.
2. A PurchaseOrder SOA Composite calling the PurchaseOrder WLS JAX-WS Web Service.
3. Creating the field level encryption client and service policies.
4. Securing the PurchaseOrder WLS POJO JAX-WS with the OWSM field level encryption service policy.
5. Securing the PurchaseOrder SOA Composite Reference with the OWSM field level encryption client policy.
6. Setting up the Keystore and Credential Store required for encryption.

[Figure: scenario overview. The Purchase Order SOA Composite App (built in JDeveloper, which provides Policy Attachment, Override Config and Find Matching Policy) calls the Purchase Order WLS JAX-WS Service over SOAP/HTTP. An OWSM Agent on each side enforces the attached policy (sample/field_level_encryption_client_policy on the composite reference), obtaining it from the Policy Manager, which performs CRUD on the OWSM Policy Store. Enterprise Manager provides Policy Authoring, Versioning, Usage Tracking, Violation Metrics and Migration.]
Software Requirements
Prerequisites
1. Install SOA Suite 11.1.1.6 with JDeveloper (download from the Download Main Page below)
Verified Product Version
1. WebLogic 10.3.6
2. SOA 11.1.1.6
3. JDeveloper 11.1.1.6
Potentially Applies to Product Version(s)
1. WebLogic 10.3.3, 10.3.4, 10.3.5, 10.3.6
2. SOA 11.1.1.4, 11.1.1.5, 11.1.1.6
Download Main Page
http://www.oracle.com/technetwork/middleware/soasuite/downloads/index.html
Product URLs
Enterprise Manager Fusion Middleware Control (FMWCTL): http://admin_host:admin_port/em
Login: User weblogic, Password welcome1 (the sample credentials used throughout this guide; replace them with your own).
Step by Step Instructions
Create Purchase Order WLS JAX-WS POJO Web Service
The PurchaseOrder sample takes 4 parameters:
1. creditCardNumber: this is the sensitive field which we want to encrypt.
2. orderQuantity
3. orderPrice
4. itemType: used to calculate the discount.

    package sample.purchaseorder;

    import javax.jws.WebService;

    @WebService
    public class PurchaseOrder {
        public PurchaseOrder() {
            super();
        }

        public int createPurchaseOrder(String creditCardNumber, int orderQuantity,
                                       int orderPrice, String itemType) {
            // The discount depends on the item type; it is computed but not
            // applied to the returned amount in this sample.
            int discount = 5;
            if (itemType.startsWith("BOOK")) {
                discount = 10;
            }
            int purchaseAmount = orderPrice * orderQuantity;
            if (purchaseAmount < 0) {
                purchaseAmount = 0;
            }
            // Sample-only validation: only card numbers starting with "1111" are accepted.
            if (!creditCardNumber.startsWith("1111")) {
                throw new RuntimeException("Illegal Credit Card Number");
            }
            return purchaseAmount;
        }
    }

The createPurchaseOrder method returns the total amount of the purchase order (orderPrice multiplied by orderQuantity); the discount derived from itemType is computed but not applied in this sample.
Figure 1 shows the Schema for the JAX-WS Web Service.
Here is a sample message for testing with this Web Service:

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body xmlns:ns1="http://purchaseorder.sample/">
        <ns1:createPurchaseOrder>
          <arg0>1111-2345-4560</arg0>
          <arg1>100</arg1>
          <arg2>90</arg2>
          <arg3>BOOK</arg3>
        </ns1:createPurchaseOrder>
      </soap:Body>
    </soap:Envelope>

Figure 2. Sample Request Message for PurchaseOrder POJO WLS JAX-WS Web Service
You can test the Web Service via the FMWCTL Test page as shown in Figure 3.
Create Custom Policy for Field level Encryption
The next step is creating a Policy in OWSM to handle field level encryption/decryption. For this sample – we will start with the wss11_message_protection_[client|service]_policy.
First we will create a field level decryption policy from the wss11_message_protection_service_policy.
1. Search for wss11_message_protection_service_policy in FMWCTL and click on "Create Like" as shown in Figure 4.
Figure 4. Creating a Field level Decryption Policy from wss11_message_protection_service_policy
2. Give the new policy a name; we will call it "sample/field_level_decryption_service_policy".
3. Turn off Body Signing and Body Encryption for Request as shown in Figure 6.
4. Turn off Body Signing and Body Encryption for Response as shown in Figure 7.
5. Specify the XPath expression in the Request tab for the field to be decrypted in the payload as shown in Figure 8. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 8. Enter the namespace of the element and the element name that needs to be decrypted. In this case we want to decrypt the credit card number, which is arg0 in the sample message posted earlier in this document (see Figure 2).
6. Figure 9 shows the end result of adding the XML element to be decrypted.
Next we will create a field level encryption policy from the wss11_message_protection_client_policy.
7. Search for wss11_message_protection_client_policy and click on "Create Like" in FMWCTL as shown in Figure 10.
8. Give the new policy a name; we will call it "sample/field_level_encryption_client_policy" as shown in Figure 11.
9. Turn off Body Signing and Body Encryption for Request as shown in Figure 12.
10. Specify the XPath expression in the Request tab for the field to be encrypted in the payload as shown in Figure 13. This is done by clicking on the "Add" button, which launches the pop-up shown in Figure 13. Enter the namespace of the element and the element name that needs to be encrypted: the same namespace and element name (arg0, the credit card number of Figure 2) entered in step 5, so that the client encrypts exactly the element the service expects to decrypt.
Attach Custom Policy created previously to the Purchase Order WLS JAX-WS Web Service
11. Attach the newly created "sample/field_level_decryption_service_policy" to the PurchaseOrder WLS JAX-WS Web Service. This is shown in Figure 14 - Figure 19.
Figure 19. The PurchaseOrderPort after completion of the OWSM Policy Attachment
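The effective input policy that OWSM now advertises for PurchaseOrderPort is listed next. Before reading it, here is an added example in Python, not part of Oracle's guide or of OWSM, that answers the question a reviewer asks of any field-level policy: which parameters of the request does it actually encrypt, which does it sign, and which leave in the clear? It reproduces that policy listing and the Figure 2 request inline, and adds two constructed inputs: a variant of the request whose parameters are qualified in the service namespace, and a sketch of a whole-body policy (what the out-of-box wss11_message_protection policies assert). It understands only the selector shape OWSM emits (descendant-or-self::*[namespace-uri()='...' and local-name()='...']) and refuses anything else.

```python
"""Added example: what an OWSM field-level policy covers in a SOAP request.

Parses the wsp:Policy OWSM generated for PurchaseOrderPort (reproduced from
the guide) plus a request, and reports for each parameter under soap:Body
whether the policy encrypts it and whether anything signs it.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
}

# OWSM emits element selectors in exactly this XPath shape; anything else is
# rejected rather than guessed at.
SELECTOR_RE = re.compile(
    r"descendant-or-self::\*\[namespace-uri\(\)='([^']*)'"
    r" and local-name\(\)='([^']*)'\]")

SP = 'xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"'

# The effective input policy on PurchaseOrderPort, as listed in the guide.
FIELD_LEVEL_POLICY = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="PurchaseOrderPort_Input_Policy">
  <sp:SignedParts {SP}>
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
    <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
    <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
  </sp:SignedParts>
  <sp:SignedElements {SP}/>
  <sp:EncryptedParts {SP}>
    <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
  </sp:EncryptedParts>
  <sp:EncryptedElements {SP}>
    <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
  </sp:EncryptedElements>
</wsp:Policy>"""

# Constructed sketch of what the out-of-box policy asserts instead: the whole body.
WHOLE_BODY_POLICY = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}">
  <sp:SignedParts {SP}><sp:Body/></sp:SignedParts>
  <sp:EncryptedParts {SP}><sp:Body/></sp:EncryptedParts>
</wsp:Policy>"""

# Figure 2 as printed in the guide: arg0..arg3 carry no namespace of their own.
REQUEST_AS_PRINTED = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Body xmlns:ns1="http://purchaseorder.sample/">
    <ns1:createPurchaseOrder>
      <arg0>1111-2345-4560</arg0><arg1>100</arg1><arg2>90</arg2><arg3>BOOK</arg3>
    </ns1:createPurchaseOrder>
  </soap:Body>
</soap:Envelope>"""

# Constructed variant: parameters qualified in the service namespace, which is
# what the selector's namespace-uri() test requires.
REQUEST_QUALIFIED = REQUEST_AS_PRINTED.replace(
    "<ns1:createPurchaseOrder>",
    '<ns1:createPurchaseOrder xmlns="http://purchaseorder.sample/">')


def _qname(elem):
    """ElementTree tag '{uri}local' -> (uri, local); ('', local) if unqualified."""
    if elem.tag.startswith("{"):
        uri, local = elem.tag[1:].split("}", 1)
        return uri, local
    return "", elem.tag


def parse_policy(policy_xml):
    """Pull body-level parts and element selectors out of a wsp:Policy."""
    root = ET.fromstring(policy_xml)

    def whole_body(parts):
        node = root.find("sp:" + parts, NS)
        return node is not None and node.find("sp:Body", NS) is not None

    def selectors(elements):
        node = root.find("sp:" + elements, NS)
        found = set()
        for xp in ([] if node is None else node.findall("sp:XPath", NS)):
            m = SELECTOR_RE.fullmatch((xp.text or "").strip())
            if m is None:
                raise ValueError("unsupported selector: %r" % xp.text)
            found.add((m.group(1), m.group(2)))
        return found

    return {"body_encrypted": whole_body("EncryptedParts"),
            "body_signed": whole_body("SignedParts"),
            "encrypted": selectors("EncryptedElements"),
            "signed": selectors("SignedElements")}


def coverage(policy_xml, request_xml):
    """{parameter local-name: {'encrypted': bool, 'signed': bool}}."""
    pol = parse_policy(policy_xml)
    body = ET.fromstring(request_xml).find("soap:Body", NS)
    report = {}
    for wrapper in body:            # the operation element, e.g. createPurchaseOrder
        wrap_enc = _qname(wrapper) in pol["encrypted"]   # a matched ancestor covers its children
        wrap_sig = _qname(wrapper) in pol["signed"]
        for field in wrapper:
            q = _qname(field)
            report[q[1]] = {
                "encrypted": pol["body_encrypted"] or wrap_enc or q in pol["encrypted"],
                "signed": pol["body_signed"] or wrap_sig or q in pol["signed"]}
    return report


def unprotected(policy_xml, request_xml):
    """Parameters that leave in the clear and can be altered without detection."""
    return sorted(n for n, s in coverage(policy_xml, request_xml).items()
                  if not (s["encrypted"] or s["signed"]))


if __name__ == "__main__":
    for label, req in (("as printed", REQUEST_AS_PRINTED), ("qualified", REQUEST_QUALIFIED)):
        print(label, coverage(FIELD_LEVEL_POLICY, req))
    print("whole body, unprotected:", unprotected(WHOLE_BODY_POLICY, REQUEST_QUALIFIED))
```

Two things the report makes visible. First, with Body Signing off, arg1, arg2 and arg3 are neither encrypted nor signed, whereas the whole-body sketch leaves nothing unprotected. Second, the selector tests namespace-uri() exactly: against the Figure 2 request as printed, where arg0 is unqualified, a literal evaluation of the selector matches nothing, and a selector that matches nothing is vacuously satisfied on the client side, so the request would leave with arg0 in the clear. Whether the parameters are qualified on the wire is decided by the schema generated for the service (Figure 1), so check the selector against a message captured from your own deployment rather than against a hand-written sample.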
After the attachment, the effective input policy that OWSM advertises for PurchaseOrderPort is:

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="PurchaseOrderPort_Input_Policy">
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
        <sp:Header Name="" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="" Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
      </sp:SignedParts>
      <sp:SignedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Header Name="fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </sp:EncryptedParts>
      <sp:EncryptedElements xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:XPath>descendant-or-self::*[namespace-uri()='http://purchaseorder.sample/' and local-name()='arg0']</sp:XPath>
      </sp:EncryptedElements>
    </wsp:Policy>

The sp:EncryptedElements XPath indicates that the service expects arg0, the credit card number, to be encrypted. Note what the rest of the policy says: with Body Signing and Body Encryption turned off, sp:SignedParts lists only the fmw-context and WS-Addressing headers and sp:SignedElements is empty, so the other parameters (orderQuantity, orderPrice, itemType) travel neither encrypted nor signed and can be altered in transit without detection. If their integrity matters, add them as signed elements in the same way, or leave Body Signing on and turn off only Body Encryption. Also make sure the namespace entered in steps 5 and 10 is the one the parameter elements actually carry on the wire, which the schema of Figure 1 determines; the XPath tests namespace-uri() exactly, and a selector that matches nothing protects nothing.
Now the Purchase Order POJO WLS JAX-WS is secured with "sample/field_level_decryption_service_policy".
Create Purchase Order Composite App
Now we will create the PurchaseOrderComposite app. Figure 21 - Figure 32 show the steps for creating the PurchaseOrderComposite app.
Figure 22. Create the BPEL Process by choosing the "Base on a WSDL" option. Provide the WSDL of the PurchaseOrder POJO WLS JAX-WS
Figure 24. In the BPEL Process create a PartnerLink. Again provide the WSDL of the PurchaseOrder POJO WLS JAX-WS as the WSDL URL.
Figure 27. Add an "Invoke" activity in the BPEL Process and wire it to the PurchaseOrderReference PartnerLink created previously.
Figure 29. Add an Assign activity after the receiveInput and before the Invoke activity. Wire the variables to copy the input of the Receive to the input of the Invoke.
Attach Custom Policy created previously to the Purchase Order Composite App Reference
The next step is to attach the "sample/field_level_encryption_client_policy" to the PurchaseOrderReference of the PurchaseOrderComposite App. These steps are shown in Figure 33 - Figure 38.
Create Keystore and Credentials in Credential Store
Create a keystore called default-keystore.jks using keytool, with one RSA key pair stored under the alias orakey (the alias the credential store entries below refer to). keytool prompts for the distinguished name of the self-signed certificate; -validity is given in days.

    $> keytool -genkeypair -keyalg RSA -alias orakey -keypass welcome1 -keystore default-keystore.jks -storepass welcome1 -validity 3600

For complete details on keytool commands please refer to
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
Copy the keystore created into: $FMW_DOMAIN_HOME/config/fmwconfig/
Add the following credentials into the credential store either via EM or using WLST.
This assumes that the keystore password is welcome1.

    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
    wls:/DefaultDomain/serverConfig> createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")

The first command adds the key keystore-csf-key to the map oracle.wsm.security. OWSM uses its password (welcome1) as the keystore password to open default-keystore.jks; the user name is not significant for this key.
The second adds the key enc-csf-key to the map oracle.wsm.security with user name orakey and password welcome1. The user name is the alias of the encryption key and the password is that key's password (the -keypass given to keytool above), so this alias must exist in your configured keystore.
The third adds the key sign-csf-key to the map oracle.wsm.security with user name orakey and password welcome1. This alias too must exist in your configured keystore.
This walk-through deploys the composite (the client) and the WLS service into one domain with one keystore, so a single self-signed key pair serves both sides for both signing and encryption. When client and service live in different domains, each side needs its own private key in its own keystore and the other side's public certificate imported as a trusted entry, because the client encrypts to the service's public key and the service verifies the client's signature with the client's certificate.
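The requirement that the aliases named by enc-csf-key and sign-csf-key "exist in your configured keystore", and that keystore-csf-key carries the store password, is easy to get wrong when the three createCred calls are typed by hand. The following Python script is an added example, not part of Oracle's guide or of OWSM, that checks this consistency from the JKS file alone: it reads the file the way keytool -list does (the 0xFEEDFEED magic, the version-2 entry layout, and the trailing SHA-1 integrity digest keyed by the store password) and compares the aliases it finds with a dictionary mirroring the oracle.wsm.security map. The store it operates on is constructed in memory with placeholder key and certificate bytes; the csf dictionary and the build_jks helper are part of the example, not of OWSM.

```python
"""Added example: check the credential-store entries against the keystore.

Reads a JKS file the way keytool -list does (0xFEEDFEED magic, version-2
entry layout, trailing SHA-1 integrity digest keyed by the store password),
then verifies that the password behind keystore-csf-key opens the store and
that the aliases named by enc-csf-key and sign-csf-key are private-key
entries.  The store built below is constructed in memory with placeholder
key and certificate bytes; a real default-keystore.jks is read the same way.
"""
import hashlib
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY, TRUSTED_CERT = 1, 2


def _keyed_sha1(store_password):
    """JKS integrity digest: SHA-1 over password (UTF-16BE), 'Mighty Aphrodite', data."""
    md = hashlib.sha1()
    md.update(store_password.encode("utf-16-be"))
    md.update(b"Mighty Aphrodite")
    return md


def jks_aliases(blob, store_password):
    """{alias: 'PrivateKeyEntry' | 'trustedCertEntry'}; ValueError on bad password/format."""
    body, digest = blob[:-20], blob[-20:]
    md = _keyed_sha1(store_password)
    md.update(body)
    if md.digest() != digest:
        raise ValueError("keystore was tampered with, or password was incorrect")
    pos = 0

    def take(fmt):
        nonlocal pos
        (value,) = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return value

    def take_bytes(length):
        nonlocal pos
        chunk = body[pos:pos + length]
        pos += length
        return chunk

    if take(">I") != JKS_MAGIC or take(">i") != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    entries = {}
    for _ in range(take(">i")):
        tag = take(">i")
        alias = take_bytes(take(">H")).decode("utf-8")  # keytool stores aliases lower-cased
        take(">q")                                      # creation time, not needed here
        if tag == PRIVATE_KEY:
            take_bytes(take(">i"))                      # protected key (EncryptedPrivateKeyInfo)
            for _ in range(take(">i")):                 # certificate chain
                take_bytes(take(">H"))                  # certificate type, e.g. "X.509"
                take_bytes(take(">i"))                  # DER certificate
            entries[alias] = "PrivateKeyEntry"
        elif tag == TRUSTED_CERT:
            take_bytes(take(">H"))
            take_bytes(take(">i"))
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def build_jks(store_password, private_aliases, trusted_aliases=()):
    """Constructed test store: real JKS framing and digest, placeholder key/cert bytes."""
    utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()
    blob = lambda b: struct.pack(">i", len(b)) + b
    now = struct.pack(">q", int(time.time() * 1000))
    out = bytearray(struct.pack(">Iii", JKS_MAGIC, JKS_VERSION,
                                len(private_aliases) + len(trusted_aliases)))
    for alias in private_aliases:
        out += struct.pack(">i", PRIVATE_KEY) + utf(alias.lower()) + now
        out += blob(b"\x30\x00") + struct.pack(">i", 1) + utf("X.509") + blob(b"\x30\x00")
    for alias in trusted_aliases:
        out += struct.pack(">i", TRUSTED_CERT) + utf(alias.lower()) + now
        out += utf("X.509") + blob(b"\x30\x00")
    md = _keyed_sha1(store_password)
    md.update(out)
    return bytes(out) + md.digest()


def check_csf_keys(blob, csf):
    """csf mirrors the oracle.wsm.security map: {csf key: (user, password)}.
    Returns a list of problems; an empty list means the entries are consistent."""
    try:  # keystore-csf-key: only its password matters, and it must open the store
        aliases = jks_aliases(blob, csf["keystore-csf-key"][1])
    except ValueError as err:
        return ["keystore-csf-key: %s" % err]
    problems = []
    for key in ("enc-csf-key", "sign-csf-key"):
        user = csf[key][0]
        if aliases.get(user.lower()) != "PrivateKeyEntry":
            problems.append("%s: no private-key entry for alias %r" % (key, user))
    return problems


if __name__ == "__main__":
    store = build_jks("welcome1", ["orakey"], ["partner-ca"])
    csf = {"keystore-csf-key": ("owsm", "welcome1"),
           "enc-csf-key": ("orakey", "welcome1"),
           "sign-csf-key": ("orakey", "welcome1")}
    print(jks_aliases(store, "welcome1"), check_csf_keys(store, csf))
```

On a real file, read default-keystore.jks into bytes and pass it as blob. A trusted-certificate entry is reported as such and is rejected for enc-csf-key and sign-csf-key, since those need a private key; a partner's certificate belongs in the store only as a trusted entry. The script does not verify the per-key password (-keypass), which would require decrypting the protected key; keytool -list -v with the key password, or OWSM's own startup errors, cover that case.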
Oracle Web Services Manager March 2012
Author: Prakash Yamuna Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.