Friday, February 4, 2011

Setting up Worklist Service using SAML Token With Message Protection Client Policy at Design Time

Using the Oracle WebCenter framework you can create a custom application with the WebCenter components and services you need. The Worklist service displays the BPEL Worklist items assigned to the currently authenticated user. This post covers the steps required to set up the Worklist service with the SAML Token with Message Protection client policy in a custom application at design time, using JDeveloper.

Environment: WebCenter and SOA 11gR1 PS2 (running in an Oracle VirtualBox VM) and JDeveloper on a Windows 7 platform. (Depending on your OS, your JDeveloper user directory may differ.) SOA and WebCenter are configured under a single “webcenter” domain.

The SAML Token with Message Protection client policy requires a key store at both ends, in the Integrated WebLogic domain and in the SOA domain. We will take the following steps to set up and configure the key stores:
  1. Generate a key store for Integrated WebLogic domain
  2. Generate a key store for SOA domain
  3. Import public key of Integrated WebLogic key store into SOA key store
  4. Import public key of SOA key store into Integrated WebLogic key store
Before we start: if you need more details on the parameters used in the key store set-up commands, refer to the “Configuring WS-Security for WebCenter Applications and Components” section in the WebCenter Administrator’s Guide.

Create a Key Store for Integrated WebLogic

  1. The key store for the Integrated WebLogic domain is created by running the keytool command from the <jdeveloper_home>/<jdk>/bin directory. In my case it is C:\Oracle\Middleware\jdk160_18\bin.
  2. Run the following commands:
  • To generate a key pair
    keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias jdev -keypass welcome1 -keystore jdev.jks -storepass welcome1 -validity 1064
  • To export the public key certificate of the Integrated WebLogic key store
    keytool -exportcert -v -alias jdev -keystore jdev.jks -storepass welcome1 -rfc -file jdev_public.cer

  3. Copy the jdev_public.cer file to your <SOA Middleware Home>/<jdk>/bin directory. We will need it to import the public key into the SOA domain’s key store.

Create and configure Key Store for SOA Domain

1) The key store for the SOA domain is configured by running keytool from the <MW_HOME>/<JDK>/bin directory. In my case this is /u01/app/oracle/product/fmwhome/jdk160_18/bin.
2) In my environment SOA is configured under a webcenter domain, so I named the key store webcenter.jks. You can name it as you like.
3) Run the following commands:
  • Generate a key pair
    ./keytool -genkeypair -keyalg RSA -dname "cn=spaces,dc=example,dc=com" -alias orakey -keypass welcome1 -keystore webcenter.jks -storepass welcome1 -validity 1064
  • Export the public key certificate
    ./keytool -exportcert -v -alias orakey -keystore webcenter.jks -storepass welcome1 -rfc -file orakey.cer
  • Import the certificate back into the key store
    ./keytool -importcert -alias webcenter_spaces_ws -file orakey.cer -keystore webcenter.jks -storepass welcome1
  • Import the Integrated WebLogic domain public key into the key store
    ./keytool -importcert -alias jdev -file jdev_public.cer -keystore webcenter.jks -storepass welcome1
4) Copy webcenter.jks to <SOA_DOMAIN_HOME>/config/fmwconfig directory.
5) Go to the <SOA_DOMAIN_HOME>/config/fmwconfig directory and open the file jps-config.xml in an editor.
6) Locate the serviceInstance node that uses the keystore.provider provider.
7) Change its location from ./default-keystore.jks to ./webcenter.jks.
8) Configure the credential store by running the following WLST commands. The credentials must be created in the oracle.wsm.security map, which is the map OWSM reads the key store and key passwords from:
  • createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
  • createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome1", desc="Encryption key")
  • createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome1", desc="Signing key")
9) Configure SOA so that the service-side SAML policy matches the client policy, using the following three steps.
10) Find the oracle-webservices.xml that holds the TaskQueryServicePortSAML policy reference by running this command from <SOA_DOMAIN_HOME>:
find . | grep webservices.xml | xargs grep TaskQueryServicePortSAML | grep provider-name
11) The output lists each matching line prefixed with the path of the file that contains it.
12) Back up that file and replace the existing policy reference
<policy-reference uri="oracle/wss10_saml_token_service_policy" category="security" enabled="true"/>
with
<policy-reference uri="oracle/wss10_saml_token_with_message_protection_service_policy" category="security" enabled="true"/>
13) Copy orakey.cer to your <JDEV_HOME>/<JDK>/bin directory. We will import this public key into the Integrated WebLogic domain key store.
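An added example (not from the original post) that scripts steps 10 to 12: it backs up the located oracle-webservices.xml, rewrites the policy reference, and verifies the result before you restart anything. The sample XML written by write_sample is constructed for illustration; the element layout around policy-reference in a real file may differ.

```shell
#!/bin/sh
# Added example, not part of the original post: switch the SAML policy reference
# to the message-protection variant with a backup and a post-edit check.
set -e

OLD_URI="oracle/wss10_saml_token_service_policy"
NEW_URI="oracle/wss10_saml_token_with_message_protection_service_policy"

# switch_policy <oracle-webservices.xml>: back up, rewrite the reference, verify.
# Returns non-zero if the old reference is absent or the rewrite did not take.
switch_policy() {
  f="$1"
  grep -q "uri=\"$OLD_URI\"" "$f" || { echo "no $OLD_URI reference in $f" >&2; return 1; }
  cp "$f" "$f.bak"                                      # keep the original (step 12)
  sed "s#uri=\"$OLD_URI\"#uri=\"$NEW_URI\"#" "$f.bak" > "$f"
  # verify: the new policy is referenced and the old one is gone
  grep -q "uri=\"$NEW_URI\"" "$f" && ! grep -q "uri=\"$OLD_URI\"" "$f"
}

# write_sample <path>: constructed sample of the fragment the find/grep command locates
write_sample() {
  cat > "$1" <<'EOF'
<oracle-webservices>
  <webservice-description name="TaskQueryService">
    <port-component name="TaskQueryServicePortSAML">
      <policy-reference uri="oracle/wss10_saml_token_service_policy" category="security" enabled="true"/>
    </port-component>
  </webservice-description>
</oracle-webservices>
EOF
}
```

The sed rewrites every occurrence of the old URI in the file, not only the TaskQueryServicePortSAML port, so review `diff "$f.bak" "$f"` before restarting the SOA servers.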

Configure Integrated WebLogic Domain Key Store

1) Import the public key certificate of the SOA domain into your Integrated WebLogic domain key store with the command
keytool -importcert -alias orakey -file orakey.cer -keystore jdev.jks -storepass welcome1
2) Copy the jdev.jks file to the <JDEV_USER_HOME>\system11.\DefaultDomain\config\fmwconfig directory.
  • JDEV_USER_HOME can be determined from the Help menu: Help -> About -> Properties. The value of ide.user.dir drives JDEV_USER_HOME (on my Windows 7 machine the user directory defaulted to C:\Users\Tarun\AppData\Roaming\JDeveloper).
  • Be aware that this property can be changed in the jdev boot file \jdeveloper\jdev\bin\jdev.boot or through a command line argument to jdev.exe.
3) Modify jps-config.xml to use the newly created jdev.jks key store. Go to the <JDEV_USER_HOME>\system11.\DefaultDomain\config\fmwconfig directory and modify the following section in jps-config.xml:
  • <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <description>Default JPS Keystore Service</description>
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  • Change ./default-keystore.jks to ./jdev.jks in the location attribute. The keystore.csf.map property names the credential store map that the three csf keys below it are looked up in.
4) Set the credentials in the local credential store using WLST commands.
5) Go to your <JDEV_HOME>\oracle_common\common\bin (in my case C:\Oracle\middleware\oracle_common\common\bin) and run the following WLST commands against the running Integrated WebLogic Server. The map must be oracle.wsm.security, matching the keystore.csf.map property above:
  • connect('weblogic','weblogic1','t3://')
  • createCred(map="oracle.wsm.security", key="keystore-csf-key", user="owsm", password="welcome1", desc="Keystore key")
  • createCred(map="oracle.wsm.security", key="enc-csf-key", user="jdev", password="welcome1", desc="Encryption key")
  • createCred(map="oracle.wsm.security", key="sign-csf-key", user="jdev", password="welcome1", desc="Signing key")
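An added example (not from the original post) that scripts the key store exchange from the two sections above end to end: it creates both key stores, exports the certificates, cross-imports them, and then checks that each store holds its own private key and trusts the other side's certificate. It assumes keytool is on the PATH and reuses the aliases, DN and passwords from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: build jdev.jks and webcenter.jks,
# exchange public certificates, and verify the trust relationship in both directions.
set -e

STOREPASS=welcome1
DN="cn=spaces,dc=example,dc=com"

# make_keystore <keystore> <alias>: create an RSA key pair and export its certificate
make_keystore() {
  keytool -genkeypair -keyalg RSA -dname "$DN" -alias "$2" -keypass "$STOREPASS" \
    -keystore "$1" -storepass "$STOREPASS" -validity 1064
  keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass "$STOREPASS" -file "$2.cer"
}

# trust_peer <keystore> <peer alias>: import the peer's certificate as a trusted entry
# (-noprompt replaces the interactive "Trust this certificate?" question)
trust_peer() {
  keytool -importcert -noprompt -alias "$2" -file "$2.cer" -keystore "$1" -storepass "$STOREPASS"
}

# has_entry <keystore> <alias> <entry type>: succeeds if the alias exists with that type
has_entry() {
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null | grep -q "$3"
}

# setup_and_verify <workdir>: run the whole exchange in <workdir> and verify it.
# Runs in a subshell so the cd does not leak into the caller.
setup_and_verify() (
  mkdir -p "$1" && cd "$1"
  make_keystore jdev.jks jdev            # Integrated WebLogic side
  make_keystore webcenter.jks orakey     # SOA side
  trust_peer webcenter.jks jdev          # SOA trusts the JDeveloper signer
  trust_peer jdev.jks orakey             # JDeveloper trusts the SOA signer
  has_entry jdev.jks jdev PrivateKeyEntry &&
  has_entry jdev.jks orakey trustedCertEntry &&
  has_entry webcenter.jks orakey PrivateKeyEntry &&
  has_entry webcenter.jks jdev trustedCertEntry
)
```

If the final checks fail, the SAML assertion from one side cannot be verified by the other, which shows up later as a signature or trust error rather than as a key store error.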

That completes the key store configuration. Now create a connection from JDeveloper to the BPEL server.

Setting up the Worklist service from JDeveloper

1.) Create a connection to the BPEL server with the following information:
Name - Anything
URL - <host>:<port>
2.) SAML Token Policy URL – oracle/wss10_saml_token_with_message_protection_client_policy
3.) Drag and drop the Worklist service task flow onto your page.
4.) Make sure the page you drop the Worklist service on is secured using ADF Security. The Worklist service throws an exception when placed on an unsecured page.
5.) Make sure the users created with ADF Security exist on the SOA domain as well.

Restart all managed servers of the SOA domain and the Integrated WebLogic Server, then test your changes.

Note: If your SOA installation is on a remote machine or inside a virtual machine, make sure the date, time and time zone of the SOA machine match those of your JDeveloper machine. If the clocks differ by more than 5 minutes you will get timestamp errors. The 5 minute tolerance is configurable through the “agent.clock.skew” property in /config/fmwconfig/policy-accessor-config.xml.