Wednesday, January 23, 2008

Invoking Secured Services (https) from Oracle BPEL

Security has been one of the main concerns of IT since its early days. IT is now more mature and more closely aligned with the business, so securing IT means securing the business as a whole. In SOA, security can be applied at several levels. This is the first post in a series on SOA security; here I share my experience of invoking web services over SSL from Oracle BPEL.

The web services are deployed on Axis2 running in Tomcat. Follow these steps to enable SSL in Tomcat:

  • Create a certificate keystore using the following commands:
    • On Windows:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

    • On Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

  • Provide the required details and set the password to "changeit".

  • Uncomment the "SSL HTTP/1.1 Connector" entry in <TOMCAT_HOME>/conf/server.xml and make changes if necessary.

This configuration is sufficient to enable SSL with a JKS keystore; see the following page for more information, including how to add third-party certificates:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Oracle BPEL Process Manager has trouble consuming a web service whose WSDL contains two bindings, one for SOAP over HTTP and another for SOAP over HTTPS, so you need to expose the web service on Axis2 over HTTPS only.

Open <AXIS_HOME>\samples\quickstart\resources\META-INF\services.xml and add the following XML fragment inside the <service> tag to expose the web service on the HTTPS transport only:

<transports>
  <transport>https</transport>
</transports>

Generate the web service for the <AXIS_HOME>\samples\quickstart sample from the Axis2 distribution by running the Ant script in the <AXIS_HOME>\samples\quickstart folder. The generated service archive is written to the <AXIS_HOME>\samples\quickstart\build folder as “StockQuoteService.aar”.

Deploy the generated web service to Axis2, either by copying the archive manually to the <TOMCAT_HOME>\webapps\axis2\WEB-INF\services folder or by using the Axis2 admin console.

The service is now available over HTTPS, so we can move on to creating an Oracle BPEL process project that invokes it over SSL.

To invoke a service exposed over HTTPS you need to import the server certificate into the trust stores used by Oracle BPEL Process Manager and Oracle JDeveloper. Follow these steps to import the SSL certificate into both:

  • Open the endpoint URL of the service in Internet Explorer. After connecting to the server, a pop-up window displays a security alert and asks whether you trust the certificate.
  • Click “Yes” to accept the certificate.
  • Wait for the page to load completely, then double-click the lock icon in the status bar at the bottom right of the browser window.
  • A new pop-up window titled “Certificate” is displayed. Click the “Details” tab and press the “Copy to File” button to save the certificate to a file.
  • Pressing “Copy to File” starts a wizard that guides you through saving the certificate. Select “Base-64 encoded X.509 (.CER)” as the certificate format.
  • Give the file location and file name for the certificate, e.g. Cert.cer. Click “Next” and finish the wizard by pressing the “Finish” button.
  • Use the saved file to import the server certificate into the trust stores of Oracle BPEL Process Manager and Oracle JDeveloper.
  • Copy the server certificate into the following folders:
    • <ORACLE_SOA_HOME>\jdk\jre\lib\security
    • <JDEVELOPER_JRE_HOME>\jdk\jre\lib\security

Note: To find the JRE home used by JDeveloper, go to the “Tools” menu and select “Project Properties”; in the window that opens, click “Libraries” to see the JRE home.

  • Use the following command to import the certificate into the trust store of Oracle BPEL Process Manager (the keystore password is passed with -storepass):

<ORACLE_SOA_HOME>\jdk\bin\keytool -import -v -file <CERTIFICATE_LOCATION>\Cert.cer -storepass <KEYSTORE_PASSWORD> -keystore <ORACLE_SOA_HOME>\jdk\jre\lib\security\cacerts -alias <Any Alias>

  • You need to import the same certificate into the JRE used by JDeveloper. Use the following command to import the certificate into that JRE's trust store:

<JDEVELOPER_JRE_HOME>\jdk\bin\keytool -import -v -file <CERTIFICATE_LOCATION>\Cert.cer -storepass <KEYSTORE_PASSWORD> -keystore <JDEVELOPER_JRE_HOME>\jdk\jre\lib\security\cacerts -alias <Any Alias>

  • Restart Oracle SOA Suite and Oracle JDeveloper.
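The certificate export, import and verification steps above as a POSIX shell script, added here as an example and not code from the original post. It assumes openssl and the JDK keytool are on the PATH; the host, port, keystore paths, password and alias are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl and the
# JDK keytool are on PATH; host, port, file paths, password and alias are
# placeholders supplied by the caller.
set -eu

# Fetch the certificate the server actually presents (the scripted
# equivalent of the Internet Explorer click-through) as Base-64 X.509.
export_server_cert() {   # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# SHA-256 fingerprint of a PEM certificate file, colon-separated hex.
cert_fingerprint() {     # certfile
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import a trusted certificate into a JKS/PKCS12 trust store (created if
# missing). -storepass carries the keystore password; -keypass does not.
import_cert() {          # keystore storepass alias certfile
    keytool -importcert -noprompt -file "$4" -alias "$3" \
        -keystore "$1" -storepass "$2" >/dev/null
}

# Check that the alias exists and that its fingerprint matches the file we
# exported, so a wrong or swapped certificate is not silently trusted.
trusted_fingerprint_matches() {   # keystore storepass alias certfile
    expected=$(cert_fingerprint "$4")
    actual=$(keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep ' SHA256:' | sed 's/^.*SHA256: *//')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Typical use against the Axis2 service from the post (placeholder values):
#   export_server_cert soa-host.example 8443 Cert.cer
#   import_cert bpel-trust.jks changeit securedws Cert.cer
#   trusted_fingerprint_matches bpel-trust.jks changeit securedws Cert.cer
```

Importing into a dedicated trust store and pointing the JVM at it with -Djavax.net.ssl.trustStore=<path> keeps the change out of the shared cacerts file. Compare the fingerprint with one obtained out of band from the server's administrator before trusting the exported certificate.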

Now you are ready to create a BPEL process in JDeveloper. Follow these steps to create the BPEL process:

  • Create a new BPEL process project named “InvokeServiceOnHTTPS” using the Synchronous BPEL Process template.

  • Click “Next”, accept all the defaults and finish the wizard.
  • Right-click the Services area and choose “Create Partner Link” from the context menu.
  • Name this partner link “SecuredServicePL”.
  • Browse to the WSDL file on the file system. JDeveloper asks whether to make a local copy of the external WSDL file and whether to add a partner link to the WSDL; click “Yes” in both dialog boxes.

  • Select the Partner Link Type and Partner Role and click the “OK” button.

  • Add an “Invoke” activity named “InvokeSecuredWS” and link it to the partner link. Select the “getPrice” operation and create the input and output variables.

  • Add two Assign activities to populate the input and output variables. The finished BPEL process looks like the following image:

  • To deploy the BPEL process project to Oracle BPEL Process Manager, right-click the project and select “Deploy” from the context menu, then choose the appropriate integration server connection from the Deploy menu and select the appropriate domain.

  • Test the BPEL process from the BPEL Console or from any client.

You can now invoke web services exposed over HTTPS from Oracle BPEL Process Manager. In the next post I will show how to invoke WS-Security-compliant web services from Oracle BPEL Process Manager.