Securing a proxy service by protecting the message

Apart from requiring the user to authenticate themselves to the proxy service, we can also enforce that a message be encrypted and signed using the message protection policies. In this recipe, we will enable the message protection to guarantee message integrity through digital signature and message confidentiality through XML encryption.

For this to work, we need to have the public key of the server certificate.

Getting ready

For this we will use the same simple OSB project as in the previous Securing a proxy service using Username Token authentication recipe.

Import the getting-ready project into Eclipse from chapter-11\getting-ready\securing-a-proxy-service-with-message-protection.

How to do it...

The steps to execute in this recipe are the same as in the previous Securing a proxy service using Username Token Authentication recipe, only another policy needs to be selected. In the Eclipse OEPE, perform the following steps:

  1. Open the CustomerManagement.proxy in the proxy folder of the securing-a-proxy-service-with-message-protection project.
  2. Navigate to the Policy tab.
  3. Enable From OWSM Policy Store.
  4. Click Service Level Policies, which will enable the Add button.
  5. Click Add and the OWSM Policy Configuration window will open.
  6. Click Browse.
  7. In the Select OWSM Policy window, we need to choose a security or management policy.
  8. Enter *message_protection_service* in the Name field and click Search.
  9. Select the oracle/wss11_message_protection_service_policy from the list of policies.
  10. Click OK.
  11. The message protection policy will be displayed in the Policy tab of the proxy service.
  12. Save the project and deploy it to the OSB server.

    Instead of oracle/wss11_message_protection_service_policy, we could also use oracle/wss10_message_protection_service_policy on this proxy service.

    In the Service Bus console, perform the following steps for testing the service:

  13. Navigate to the CustomerManagement proxy service (in Project Explorer, click on the securing-a-proxy-service-with-message-protection project and then on the proxy folder) and click on the Launch Test Console icon (the bug).
  14. Click on Execute (the value passed in the ID does not have an effect; the answer of the proxy service is hardcoded).
  15. We may get an error because we have not defined a certificate.
  16. Click Back to specify the username and password.
  17. In the test console, scroll down until the Security area is visible.
  18. Enter serverkey into the Override Value field for the property keystore.recipient.alias.
  19. Enter enc-csf-key into the Override Value field for the property keystore.enc.csf.key.
  20. Click Execute.
  21. The test should now work and a valid response should be returned by the proxy service. The test console also shows the SOAP headers passed in the request message with the encrypted key.

How it works...

With the message protection policy, the public key of the server is used to encrypt the SOAP body. OWSM will use the private key of the server to decrypt the SOAP body.
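The hybrid scheme behind this policy, as an added example that is not part of the recipe: a fresh symmetric key encrypts the SOAP Body, the server's public key wraps that key (this is the encrypted key the test console shows in the Security header), and only the holder of the private key can unwrap it. The key pair, the alias serverkey and the sample Body are constructed here with the openssl CLI; real WS-Security wraps these values in xenc:EncryptedKey and xenc:EncryptedData elements, which this script does not reproduce.

```shell
#!/bin/sh
# Added example (not from the recipe): message protection as hybrid encryption.
# Everything below is constructed; "serverkey" mirrors the alias used in the
# test console, and the SOAP Body is a made-up CustomerManagement request.
set -e
WORK=$(mktemp -d)

# Server side: the key pair the OSB keystore holds under alias serverkey.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/serverkey.pem" 2>/dev/null
# Only this public half is handed to clients (the server certificate).
openssl pkey -in "$WORK/serverkey.pem" -pubout -out "$WORK/serverkey.pub.pem"

# Constructed plaintext SOAP Body.
printf '%s\n' '<soap:Body><findCustomer><id>42</id></findCustomer></soap:Body>' \
  > "$WORK/body.xml"

# Client side: needs nothing but the server's public key.
encrypt_body() {
  # 1. random 256-bit session key and IV (the key carried in xenc:EncryptedKey)
  openssl rand -hex 32 > "$WORK/aes.key"
  openssl rand -hex 16 > "$WORK/aes.iv"
  # 2. encrypt the Body with the session key (the xenc:EncryptedData payload)
  openssl enc -aes-256-cbc -K "$(cat "$WORK/aes.key")" -iv "$(cat "$WORK/aes.iv")" \
    -in "$WORK/body.xml" -out "$WORK/body.enc"
  # 3. wrap the session key with the server's RSA public key (RSA-OAEP)
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/serverkey.pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/aes.key" -out "$WORK/aes.key.enc"
}

# Server side (what OWSM does): unwrap the session key, then decrypt the Body.
decrypt_body() {
  openssl pkeyutl -decrypt -inkey "$WORK/serverkey.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/aes.key.enc" -out "$WORK/aes.key.dec"
  openssl enc -d -aes-256-cbc -K "$(cat "$WORK/aes.key.dec")" -iv "$(cat "$WORK/aes.iv")" \
    -in "$WORK/body.enc" -out "$WORK/body.dec.xml"
  cat "$WORK/body.dec.xml"
}

encrypt_body
decrypt_body
```

Without the private key (serverkey.pem) the wrapped session key cannot be recovered, so the ciphertext in body.enc stays opaque to intermediaries.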

The CSF keys used in the Service Bus test console match the entries we have seen when setting up the credential store (WebLogic Domain | Security | Credentials).


There's more...

Policies can also be directly manipulated on the OSB server through the OSB console.

To remove the old policy and add the new one for the message protection used in this recipe, perform the following steps in the Service Bus console:

  1. Click on the Project Explorer.
  2. Click on the securing-a-proxy-service-with-username-token project.
  3. Click on the proxy folder.
  4. Click on Create in the Change Center in the upper-left corner, to start a new change session.
  5. Click on the CustomerManagement proxy service.
  6. Navigate to the Policies tab.
  7. Click on the garbage bin icon to delete the oracle/wss_username_token_policy service-level policies.
  8. Click Add.
  9. The Select OWSM Policy window is shown.
  10. Enter *message_protection_service* into the Name field of the Search section and click Search.
  11. Select oracle/wss11_message_protection_service_policy and click Submit.
  12. Click Update.
  13. Click Activate in the Change Center section to apply the changes.
  14. Enter Replaced wss_username_token_policy by message_protection_service_policy into the Description field to document the change and click Submit.