Friday, February 4, 2011

Setting up Worklist Service using SAML Token With Message Protection Client Policy at Design Time

Using Oracle WebCenter framework you can create a custom application with desired Webcenter Components and Services. Worklist Service enables you to display BPEL Worklist items assigned to the currently authenticated user. This blog covers the steps required to set up Worklist service using SAML Token with Message Protection Client Policy in a custom application at design time using JDeveloper.

Environment: WebCenter and SOA 11gR1 PS2 running in an Oracle VirtualBox VM, and JDeveloper on a Windows 7 platform (depending on your OS, your JDeveloper user directory may differ). SOA and WebCenter are configured under a single “webcenter” domain.

SAML Token with Message Protection Client Policy requires a key store set up at both ends, in the Integrated WebLogic domain and in the SOA domain. We will take the following steps to set up and configure the key stores:
  1. Generate a key store for Integrated WebLogic domain
  2. Generate a key store for SOA domain
  3. Import public key of Integrated WebLogic key store into SOA key store
  4. Import public key of SOA key store into Integrated WebLogic key store
Before we start: if you need more details on the parameters used in the key store set-up commands, refer to the “Configuring WS-Security for WebCenter Applications and Components” section in the WebCenter Administrator’s Guide.

Create a Key Store for Integrated WebLogic

1) The key store for the Integrated WebLogic domain can be created by running the keytool command from the <jdeveloper_home>/<jdk>/bin directory. In my case it is C:\Oracle\Middleware\jdk160_18\bin.
2) Run the following commands
  • To generate a key pair
    keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias jdev -keypass welcome1 -keystore jdev.jks -storepass welcome1 -validity 1064
  • To export the public key certificate of the Integrated WebLogic key store
    keytool -exportcert -v -alias jdev -keystore jdev.jks -storepass welcome1 -rfc -file jdev_public.cer

3) Copy the jdev_public.cer file to your <SOA Middleware Home>/<jdk>/bin directory. We will need it to import the public key into the SOA domain’s key store.

Create and configure Key Store for SOA Domain

1) The key store for the SOA domain can be configured by running keytool from the <MW_HOME>/<JDK>/bin directory. In my case this is /u01/app/oracle/product/fmwhome/jdk160_18/bin.
2) In my environment SOA is configured under a webcenter domain, so I named the key store webcenter.jks. You can name it as you like.
3) Run the following commands
  • Generate key pair
    ./keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias orakey -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064
  • Export certificates for public key
    ./keytool -exportcert -v -alias orakey -keystore webcenter.jks -storepass welcome1 -rfc -file orakey.cer
  • Import the certificate back into keystore
    ./keytool -importcert -alias webcenter_spaces_ws -file orakey.cer -keystore webcenter.jks -storepass welcome1
  • Import the Integrated WebLogic Domain public key into the keystore.
    ./keytool -importcert -alias jdev -file jdev_public.cer -keystore webcenter.jks -storepass welcome1
4) Copy webcenter.jks to <SOA_DOMAIN_HOME>/config/fmwconfig directory.
5) Go to the <SOA_DOMAIN_HOME>/config/fmwconfig directory and open the file jps-config.xml in an editor.
6) Locate the node for the keystore.provider provider.
7) Specify the location as ./webcenter.jks instead of ./default-keystore.jks.
8) Configure the credential store by running the following WLST commands
  • createCred(map="", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
  • createCred(map="", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
  • createCred(map="", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
9) Configure SOA so that its service policy matches the client policy, using the following three steps.
10) Find oracle-webservices.xml by running this command from <SOA_DOMAIN_HOME>
find . | grep webservices.xml | xargs grep TaskQueryServicePortSAML | grep provider-name
11) The result should contain
<policy-reference uri="oracle/wss10_saml_token_service_policy" category="security" enabled="true"/>
12) Back up the file and modify that entry to
<policy-reference uri="oracle/wss10_saml_token_with_message_protection_service_policy" category="security" enabled="true"/>
13) Copy orakey.cer to your <JDEV_HOME>/<JDK>/bin directory. We will import this public key into the Integrated WebLogic domain key store.

Configure Integrated WebLogic Domain Key Store

1) Import the public key of the SOA domain into your Integrated WebLogic domain key store using the command
keytool -importcert -alias orakey -file orakey.cer -keystore jdev.jks -storepass welcome1
2) Copy the jdev.jks file to the <JDEV_USER_HOME>\system11.\DefaultDomain\config\fmwconfig directory.
  • The JDEV_USER_HOME value can be determined from the Help menu: Help -> About -> Properties. The value of ide.user.dir drives JDEV_USER_HOME (on my Windows 7 machine the user directory defaulted to C:\Users\Tarun\AppData\Roaming\JDeveloper).
  • Be aware that this property can be changed in the jdev boot file \jdeveloper\jdev\bin\jdev.boot or through a command line argument to jdev.exe.
3) Modify jps-config.xml to use the newly created jdev.jks key store. Go to the <JDEV_USER_HOME>\system11.\DefaultDomain\config\fmwconfig directory and modify the following section in jps-config.xml
  • <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <description>Default JPS Keystore Service</description>
      <property name="keystore.type" value="JKS"/>
      <property name="" value=""/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  • Modify ./default-keystore.jks to ./jdev.jks
4) Set credentials in the local credential store using WLST commands.
5) Go to your <JDEV_HOME>\oracle_common\common\bin (in my case C:\Oracle\middleware\oracle_common\common\bin) and run the following WLST commands
  • connect('weblogic','weblogic1','t3://')
  • createCred(map="", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
  • createCred(map="", key="enc-csf-key", user="jdev", password="welcome1", desc="Encryption key")
  • createCred(map="", key="sign-csf-key", user="jdev", password="welcome1", desc="Signing key")
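Once both stores are in place it is worth confirming that each side really holds its own private key and a trusted copy of the peer's current certificate, because a stale or mis-aliased import fails only later with an opaque signature or decryption error. The following script is an added example (not part of the original post or of Oracle's tooling): it parses `keytool -list` output and checks the cross-trust in one direction; the listings and fingerprints embedded below are constructed sample data, not values from a real store.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of "keytool -list -keystore jdev.jks" and
# "keytool -list -keystore webcenter.jks"; the fingerprints are made-up
# placeholders, not values from any real store.
JDEV_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

jdev, Feb 4, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
orakey, Feb 4, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
"""
SOA_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

orakey, Feb 4, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
webcenter_spaces_ws, Feb 4, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB:BB
jdev, Feb 4, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
"""

# One "alias, date, entry type," line followed by its fingerprint line.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), .*?, (?P<kind>PrivateKeyEntry|trustedCertEntry),\s*"
    r"Certificate fingerprint \(\w+\): (?P<fp>[0-9A-Fa-f:]+)", re.MULTILINE)

def parse_listing(text: str) -> Dict[str, Tuple[str, str]]:
    """Map alias -> (entry type, fingerprint) from keytool -list output."""
    return {m["alias"]: (m["kind"], m["fp"].upper()) for m in ENTRY_RE.finditer(text)}

def check_cross_trust(local: Dict[str, Tuple[str, str]], local_alias: str,
                      peer: Dict[str, Tuple[str, str]], peer_alias: str) -> List[str]:
    """Return the problems found; an empty list means local correctly trusts peer."""
    problems = []
    if local.get(local_alias, ("", ""))[0] != "PrivateKeyEntry":
        problems.append(f"local store has no private key under alias {local_alias!r}")
    peer_key = peer.get(peer_alias)
    if peer_key is None or peer_key[0] != "PrivateKeyEntry":
        problems.append(f"peer store has no private key under alias {peer_alias!r}")
    trusted = local.get(peer_alias)
    if trusted is None or trusted[0] != "trustedCertEntry":
        problems.append(f"local store does not trust a certificate under alias {peer_alias!r}")
    elif peer_key is not None and trusted[1] != peer_key[1]:
        # A stale .cer was imported: the trusted cert is not the peer's current key.
        problems.append(f"fingerprint of trusted {peer_alias!r} differs from the peer's own key")
    return problems
```

Run the check in both directions (jdev.jks trusting orakey, webcenter.jks trusting jdev) after step 5; any non-empty result points at the exact keytool step that needs repeating.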

That completes key store configuration. Now create a connection from your JDeveloper to BPEL server.

Setting up the Worklist service from JDeveloper

1) Create a connection to the BPEL server with the following information.
Name - Anything
URL - <host>:<port>
2) SAML Token Policy URL – oracle/wss10_saml_token_with_message_protection_client_policy
3) Drag and drop the Worklist service task flow onto your page.
4) Make sure the page you drop the Worklist service on is secured using ADF Security. The Worklist service throws an exception when placed on an unsecured page.
5) Make sure the users created using ADF Security exist on the SOA domain as well.

Restart all the managed servers of the SOA domain and the Integrated WebLogic Server, then test your changes.

Note: If your SOA installation is on a remote machine or inside a virtual machine, make sure the date, time and time zone of the SOA machine match those of your JDeveloper machine. If the clocks differ by more than 5 minutes you will get timestamp errors. The 5 minute tolerance is configurable through the “agent.clock.skew” property in /config/fmwconfig/policy-accessor-config.xml.
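To see why a clock difference turns into a timestamp error, the following added example (not code from the original post or from Oracle Web Services Manager) applies the same kind of tolerance to the wsu:Timestamp header that a message-protection policy carries: the sender's Created must not be further ahead of the receiver's clock than the allowed skew, and Expires must not lie further in the past than that skew. The header and times below are constructed for the example, and the 5-minute default mirrors the note above.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed WS-Security header fragment of the kind a client sends under a
# message-protection policy; the times are made up for this example.
SAMPLE_HEADER = f"""<Timestamp xmlns="{WSU}" Id="Timestamp-1">
  <Created>2011-02-04T10:00:00.123Z</Created>
  <Expires>2011-02-04T10:05:00Z</Expires>
</Timestamp>"""

DEFAULT_SKEW = timedelta(minutes=5)   # the 5-minute tolerance mentioned in the note

def parse_wsu_time(text: str) -> datetime:
    """Parse the UTC xsd:dateTime form used in wsu:Created/wsu:Expires (optional fraction)."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("timestamp must be in UTC ('Z')")
    base = text[:-1].split(".")[0]          # drop the fractional seconds
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_timestamp(header_xml: str, receiver_now: datetime,
                    skew: timedelta = DEFAULT_SKEW) -> Tuple[bool, str]:
    """Accept the header only if Created/Expires agree with the receiver's clock within skew."""
    root = ET.fromstring(header_xml)
    created = parse_wsu_time(root.findtext(f"{{{WSU}}}Created"))
    expires_text = root.findtext(f"{{{WSU}}}Expires")
    if created - receiver_now > skew:
        # Receiver clock is behind the sender: the message appears to come from the future.
        return False, f"Created is {created - receiver_now} ahead of the receiver clock"
    if expires_text is not None:
        expires = parse_wsu_time(expires_text)
        if receiver_now - expires > skew:
            # Receiver clock is ahead of the sender: the message already looks expired.
            return False, f"message expired {receiver_now - expires} ago"
    return True, "timestamp within the allowed clock skew"
```

Passing a larger `skew` corresponds to raising agent.clock.skew; fixing the clocks is the better remedy because every replay window grows with the tolerance.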
