Wednesday, January 23, 2008

Invoking Secured Services (https) from Oracle BPEL

Security is one of the main concerns for IT from its initial stages. Nowadays IT is more matured and more aligned with business so securing IT is securing the overall business. When we think about SOA we can apply security at various levels. This is the first post in SOA security series; in this post I would share my experience on invoking Web Services using SSL from Oracle BPEL.

The Web Services are deployed on Axis2. Follow these steps to enable SSL in tomcat:

  • Create a certificate keystore using the following commands:
    • On Windows:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

    • On Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

  • Provide the required details and set the password to "changeit".

  • Uncomment the "SSL HTTP/1.1 Connector" entry in <TOMCAT_HOME>/conf/server.xml and make changes if necessary.

These configurations are well enough for enabling SSL using JKS, see the following for more information on adding third party certificates:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Oracle BPEL Process Manager has problems to consume a web service when the WSDL has two bindings one for http over soap and the other for https over soap, so you need to expose the web service on Axis2 for https over soap only.

Open <AXIS_HOME>\samples\quickstart \resources\META-INF\services.xml and add the following xml fragment inside <service > tag to expose the web service on https transport only:

<transports>

<transport>https</transport>

</transports>

Generate a web service for <AXIS_HOME>\ samples\quickstart from the Axis2 distributable by executing the ant script given in <AXIS_HOME>\samples\quickstart folder. The generated web service would go inside the <AXIS_HOME>\samples\quickstart\build folder as “StockQuoteService.aar”.

Deploy the generated web service to Axis2 either manually copying to the <TOMCAT_HOME>\webapps\axis2\WEB-INF\services folder or using the axis2 admin console.

Now service is available on HTTPS so we can move forward to create an Oracle BPEL process project to invoke the service using SSL.

To invoke the service exposed on HTTPS you need to import the server certificate in Oracle BPEL Process Manager and Oracle JDeveloper. Follow these steps to import the SSL certificate in Oracle BPEL Process Manager and Oracle JDeveloper:

  • Open the endpoint URL of the service to invoke in internet explorer After connecting to the server, a pop-up window displays the security alert and asks whether you trust this certificate or not?
  • Click on “yes” to accept the certificate.
  • Wait for the page to load completely. Once the page gets loaded double click on the lock displays in the status bar in the bottom right corner of the browser window.
  • A new popup window titled “Certificate” would be displayed click on the details tab and press “copy the file” button to save the certificate in a file.
  • When you press the “Copy to File” button a wizard would guide to save the certificate. Select “Base-64 encoded X.509(.cer)” for certificate format.
  • Give the file location and file name to store the certificate e.g. Cert.cer. Click on next and finish the wizard by pressing the “Finish” button
  • Use the saved file to import the server certificate to the trust store of Oracle BPEL Process Manager and Oracle JDeveloper.
  • Copy the server certificate into the following folders:
    • <ORACLE_SOA_HOME>\jdk\jre\lib\security folder
    • <JDEVELOPER_JRE_HOME>\jdk\jre\lib\security

Note: To know the JRE home for JDeveloper go to “Tools” menu and select “Project Properties” a new window would be opened. Click on Libraries to see the JRE home.

  • Use the following command to import the certificate into Oracle BPEL Process Manager :

<ORACLE_SOA_HOME>\jdk\bin\keytool -import -v –file <CERTIFICATE_LOCATION>\Cert.cer -keypass <KEYSTORE_PASSWORD> -keystore <ORACLE_SOA_HOME>\jdk\jre\lib\security\cacerts -alias <Any Alias>

  • You need to import the same certificate in the JRE of the JDEveloper. Use the following command to import the certificate into the JRE used by the Oracle JDeveloper:  

<JDEVELOPER_JRE_HOME>\jdk\bin\keytool -import -v -file <CERTIFICATE_LOCATION>\Cert.cer -keypass <KEYSTORE_PASSWORD> -keystore <JDEVELOPER_JRE_HOME>\jdk\jre\lib\security\cacerts -alias <Any Alias>

  • Restart Oracle SOA Suite and Oracle JDeveloper.

Now you are ready to create a BPEL process in JDeveloper. Follow the given steps to create a BPEL Process:

  • Create a new BPEL process project named “InvokeServiceOnHTTPS“ with the Synchronous BPEL Process.

  • Click on next and accept all the defaults and finish the wizard.
  • Right click on the services area and choose “Create Partner Link” from the context menu.
  • Name this partner link “SecuredServicePL”.
  • Browse the WSDL file from the file system. JDeveloper would ask to make a local copy of the external WSDL file and ask to add partner link in the WSDL. Click on “Yes” on both the dialog boxes.

  • Select Partner Link Type and Partner Role and click on “OK” button.

  • Add “invoke” activity named “InvokeSecuredWS” and link it with the partner link. Select the operation “getPrice” and create input and output variables.

  • Add 2 assign activities to assign the input and out variables. Final BPEL process will look like the following image:

  • To deploy the BPEL process project on Oracle BPEL Process manager right click on the BPEL Process Project. From the context menu select “Deploy”, choose the appropriate integration server connection from the Deploy menu and select the appropriate domain.

  • Test the BPEL process from the BPEL Console or from any client.

Now you are able to invoke web services exposed over https from Oracle BPEL Process Manager. In next post I would throw some light on how to invoke WS-Security-Compliant Web Services from Oracle BPEL Process Manager.

11 comments:

IanH said...

Hi,

Firstly just wanted to say that i found the article very clear and helpful. Secondly, I have a quick question:

I was wondering if you had any info on invoking an axis2 web service from BPEL without the https?

Ive been trying for a while and Im told that the endpoint cant be found. (binding fault)

Im wondering if this has something to do with the fact you mentioned BPEL has problems with multiple transports. Ive added:

<transports>
  <transport>http</transport>
</transports>

to my services.xml but to no avail. Have you got a small working example perhaps?

Any help would be greatly appreciated.

Ian Harrigan
(ianharrigan@hotmail.com)

forevermoon said...

Hi,

Your article is really good.

I am trying to use JDeveloper to invoke HTTPS webservice deployed on printable.com. My question is whether I should get server certificate from printable.com. Since I access their wsdl file, I did not have popup window to ask me to accept certificate.

I am looking forward to getting any advice from you.

Thank you very much

forevermoon said...

Hello,

I got server certificate and import it step by step to Jdeveloper 10.1.2. Then I close JDeveloper and started again. I use webservice stub/skeleton to generater wrapper class and I still get the same error: WSDL document location is invalid while I can browse this WSDL.

Please help.

Thanks.

Juan

Antonio Terracina said...

I got server certificate and import it step by step to Jdeve10.1.3.3 and to the trust store of Oracle BPEL Process Manager. I have deployed my BPEL process with a secured partner link, when it calls the service (over ssl) I lost the process instance... I can't audit it, I don't understand what happens because I can't debug it! I obtain the following message: ORABPEL-02152.
Please can you help me?
Thanks!

Sam said...

Goto BPEL Admin console and set logging level to "ALL" for
collaxa.cube.servicess. Then execute your flow once again and check the logs. It will give you more detailed information.

zaloa said...

I have the same question as Ian. I have a BPEL process that invokes an axis2 web service and I'm getting the binding fault all the time. This is the exact error: com.collaxa.cube.ws.wsif.providers.http.WSIFOperation_HTTP@16b16f2 : Could not find binding output for operation insertOrUpdate

I have been looking for the solution to this error for a while and I don't find any hints.

Does anybody know how to solve this issue? Thanks in advance.
Zaloa

srihari said...

well i followed the steps you mentioned but i got the soap transport error saying 401 unauthorized.

please help me

Charlie said...

Wow it seems this security tool BPEL is very useful, I hope the updates are not so complicated to get. This looks kind of complicated as the chemical structure of generic viagra. generic viagra kamagra

John Anderson said...

Great stuff Buy Aldara Cream . The information and the detail were just perfect. Order Biltricide 600mg think that your perspective is deep, its just well thought out and really fantastic to see someone who knows how to put these thoughts down so well. Great job on this.

jake george said...

BPEL Admin Online Training, ONLINE TRAINING – IT SUPPORT – CORPORATE TRAINING http://www.21cssindia.com/courses/bpel-admin-online-training-65.html The 21st Century Software Solutions of India offers one of the Largest conglomerations of Software Training, IT Support, Corporate Training institute in India - +919000444287 - +917386622889 - Visakhapatnam,Hyderabad BPEL Admin Online Training, BPEL Admin Training, BPEL Admin, BPEL Admin Online Training| BPEL Admin Training| BPEL Admin| "Courses at 21st Century Software Solutions
Talend Online Training -Hyperion Online Training - IBM Unica Online Training - Siteminder Online Training - SharePoint Online Training - Informatica Online Training - SalesForce Online Training - Many more… | Call Us +917386622889 - +919000444287 - contact@21cssindia.com
Visit: http://www.21cssindia.com/courses.html"

Prologic Corporation said...

This is a good article & good site.Thank you for sharing this article. It is help us following categorize:
healthcare, e commerce, programming, multi platform,inventory management, cloud-based solutions, it consulting, retail, manufacturing, CRM, technology means, digital supply chain management, Delivering high-quality service for your business applications,
Solutions for all Industries,
Getting your applications talking is the key to better business processes,
Rapid web services solutions for real business problems,
Web-based Corporate Document Management System,
Outsourcing Solution,
Financial and Operations Business Intelligence Solution,

Our address:
2002 Timberloch Place, Suite 200
The Woodlands, TX 77380
281-364-1799

prologic-corp