Security in OSB - 1 Way SSL Inbound/Outbound

Lets secure our proxy service with 1 way ssl(Inbound)

• Just follow the below steps will explain why we need to do this later section
• Create private public key pair using keytool command

cd [JDK_HOME]\bin

keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname CN=server, C=US" -keypass welcome -keystore DOMAIN_HOME\config\fmwconfig\server.jks -storepass welcome

Note : For dev purposes we can use the self signed certificates but for production purposes we need to get the certificates signed by the trusted certificate authority.

• Click on  server
• Navigate to the Configuration | Keystores tab.
• Click Change and change the value to Custom Identity and Custom Trust for the Keystores field.
• Enter ./config/fmwconfig/server.jks into the Custom Identity Keystore field.
• Enter JKS into the Custom Identity Keystore Type field.
• Enter welcome into the Custom Identity Keystore Passphrase field.
• Enter welcome into the Confirm Custom Identity Keystore Passphrase field.
• Enter ./config/fmwconfig/server.jks into the Custom Trust Keystore field.
• Enter JKS into the Custom Trust Keystore Type field.
• Enter welcome into the Custom Trust Keystore Passphrase field.
• Enter welcome into the Confirm Custom Trust Keystore Passphrase field.

• Navigate to the Configuration | SSL tab.
• Enter serverKey into the Private Key Alias field.
• Enter welcome into the Private Key Passphrase field.
• Enter welcome into the Confirm Private Key Passphrase field and click Save.
• Click on the Advanced link.
• Select None for Hostname Verification.
• Select "Client Certs Not Requested" (For 1 Way SSL)
• Select "Use JSSE SSL"

• Navigate to the Configuration | General tab.
• Check the option SSL Listen Port Enabled.
• Leave the SSL Listen Port on the default of 7002.

We are all set now , we just have to select "HTTPS Required" in proxy service transport configuration

Check the option SSL Listen Port Enabled.eave the SSL Listen Port on the default of 7002.

We are all set now , we just have to select "HTTPS Required" in proxy service transport configuration 

We need to share the Public key with the clients so that they can access our proxy service secured over 1 way ssl ,to generate the public key from the keystore

keytool -exportcert –alias serverKey -storepass welcome –keystore
DOMAIN_HOME\config\fmwconfig\server.jks –file serverPublic.cer

To access the proxyService from the browser simply import the serverPublic.cer in browser

To access the proxyService from another weblogic domain, import the serverPublic.cer in the truststore of the client weblogic domain.

keytool -import -file serverPublic.cer -alias serverKey -keystore
client.jks -storepass welcome -keypass welcome

1 Way SSL

• In one way ssl client requests the resource from server over https
• Server sends public certificate
• Client verifies the signature of the received public certificate against the list of public certificates in its trust-store(client.jks)
• If it matches then communication between client and server is encrypted 
• Client encrypts data using the server's public key in its truststore
• Server decrypt's the data using private key in its identity store
• As the communication is now encrypted no middleman can snoop and tamper the data

Note : Weblogic has 2 keystores TrustStore and IdentityStore, normally PrivateKeys are stored in IdentityStore and PublicKeys/RootCACerts/IntermediateCACerts are stored in TrustStores, but here in this example, we have used the same keystore for both Trust and Identity

Invoke web service secured with 1 way SSL(Outbound)

• Get the public certificate from the targetSystem, (you can get the Public Certificate of google from Mozilla, follow the steps)
• Goto https://www.google.com in Mozilla
• Click on the green lock and export the public certificate as shown below

• Import the public certificate(google.crt) into the TrustStore(either in DemoTrust or in CustomTrust, if you are using CustomTrust you should configure the same in Server |Configuration | Keystores)

keytool -import -file google.crt -alias googlePublickey -keystore client.jks -storepass welcome 

• Navigate to the Configuration | SSL tab.
• Select "Use JSSE SSL"
• Invoke the target system service via Business Service
• Set the Enpoint URI as https://www.google.com/#q=osb 
• Select the HTTP Method as "GET"
• Now the communication between OSB and google search query is encrypted

Debugging

• set -Djavax.net.debug=ssl in setDomainEnv to debug and understand SSL Errors

• Weblogic sometimes doesnt recognize CustomtrustStore and IdentityTrustStore configured in weblogic console, in that case set the below in setDomainEnv

                -Djavax.net.ssl.keyStore=[location of the identityStore] 

                -Djavax.net.ssl.keyStorePassword=[identitystore password]

                -Djavax.net.ssl.trustStore=[location of the keyStore] 

                -Djavax.net.ssl.trustStorePassword=[keystore password]

• In server logs you should see similar to the below to confirm weblogic has recognized and loaded the trust certificates

 <trustStore is: C:\Oracle\Middleware\user_projects\domains\osb_domain\config\fmwconfig\client.jks>
 <trustStore type is : jks>
 <trustStore provider is :>
 <init truststore>
 <adding as trusted cert:>
 <Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
 <Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
 <Algorithm: RSA; Serial number: 0x23456>
 <Valid from Tue May 21 06:00:00 CEST 2002 until Sat May 21 06:00:00 CEST 2022>
 <adding as trusted cert:>

Attachment handling in OSB(InBound)

          There might be few scenarios wherein we might have to transfer image files/pdf files or any type of file as attachment between different components,lets see how can we achieve this in OSB. 
         We can process attachments by 3 ways in OSB

• Inline attachments-- Encode the file/binary conent in base64 and place the contents inside XML elements(we cant place the binary content in XML it will break the XML structure,so it is essential to convert binary to base64)
• this works well but the problem is base64 conversion makes the message very huge and it makes handling difficult, probably for smaller size attachments this might be an good option
• Sample XML with Inline base64 contents

<Envelope>
<Body>
<Request>
<filename>loanapprovalform.pdf</filename>
<image>ZHNkc2Rhc2Rhc2Q=[base64 contents]</image>
</Request>
</Body>
</Envelope> 

• SwA -- SOAP with Attachments it is basically a MIME message, try sending a request to OSB ProxyService from SOAPUI, you can see the soap message and attachment will be mime messages, 
• In OSB, to process SwA(MIME) you have to parse $attachments/ctx:attachments/ctx:attachment/ctx:body/ctx:binary-content/
• Note that there are 2 attachments in this request ,  jar file is sent as binary content we can't see the content as only reference to that binary content will be there , we have to pass the reference($attachments/ctx:attachments/ctx:attachment/ctx:body/ctx:binary-content/) to java method to process the same

                        

• the problem with this approach is it breaks the SOAP message format and we can't apply ws policies 
•  inter-operability is a concern

• MTOM/XOP
• SOAP Message Transmission Optimization Mechanism/XML-binary Optimized Packaging (MTOM/XOP) defines a method for optimizing the transmission of XML data of type xs:base64Binary or xs:hexBinary in SOAP messages. When the transport protocol is HTTP, MIME attachments are used to carry that data while at the same time allowing both the sender and the receiver direct access to the XML data in the SOAP message without having to be aware that any MIME artifacts were used to marshal the base64Binary or hexBinary data. The binary data optimization process involves the following steps:
• encode the binary data,
• remove the binary data from the SOAP envelope
• compress the binary data, 
• attach the binary data to the MIME package, and
• add references to the MIME package in the SOAP envelope.
• Enable MTOM/XOP in OSB 
• Oracle Service Bus supports parsing inbound messages & sending outbound messages in MTOM/XOP format. This capability is available for any XML based (or) WSDL based services.
• Include Binary data by Reference - can be used for pass through scenarios where in we don't really need to parse the attachment (or) to pass the attachment directly to MFL or Java callout. The attachment will be available as part of $body/ctx:binary-content variable.
• Include Binary data by Value - can be used when you want to validate the xml schema (or) scenarios where the outbound service doesn't support MTOM. In this case, the xop:include will be replaced with the actual base64 binary content.
• Sample MTOM XML ,cid:973517623829 points to the binary reference in the MIME 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<Request>
<file>
<xop:Include href="cid:973517623829" xmlns:xop="http://www.w3.org/2004/08/xop/include"/>
</file>
</Request>
</soapenv:Body>
</soapenv:Envelope>
• $attachments variable will not be generated for MTOM/XOP

Oracle Service Bus. What , Why ?

What ?

Oracle Service Bus is a lightweight , scalable , stateless integration platform  implemented to achieve 

• Service Virtualization
• Loose Coupling
• Message Transformation
• Protocol transformation
• Rapid Service Enablement
• Dynamic Routing
• Parallel processing
• Security
• High Availability and scalability
• Service Pooling
• Traffic Shaping
• Service Result Caching
• Service Enablement

Why ?

   Let me take an example of e-commerce payment integration process to explain how best we can use capabilities of OSB. 

                                 

  techkart.com want's to integrate its payment functionality with bunch of banks creditcard service, one way we can do this is write separate java service client's to consume each of the bank's service as mentioned in the above diagram, that would work but there are problem's with this design, lets review

• payment service is tightly coupled with creditcard service of the banks
• any protocol/scheme change in the creditcard service impacts the whole core payment service logic
• addition of new creditcard service impacts the whole core payment service logic
• any change in the service takes effort and time
• note the protocol and message format is different for each creditcard service and has different security requirements.
• application developers should concentrate on the core business/application logic rather than the subtleties of the transport protocol/schema design changes/security frameworks, not in this case obviously
• maintaining different versions of CCServiceClients becomes difficult and ugly over time

now we know the drawbacks of this design , lets go back and redesign our implementation, lets introduce service bus to the rescue

                            

Application developer just has to write a simple pojo(CCServiceClient) with cc-no, name, cvv, expiry-date, bank-name attributes ,expose this as web-service and share the WSDL with the Service Bus/middleware guys, service bus guys takes a look at this CCServiceClient wsdl , message formats and transport protocols of creditcard services.

He quickly writes routing and transformation rules based on the bank name and implements in Service Bus, now the CCServiceClient is effectively decoupled from CreditCard services

• We can add new credit card services without any changes to the core application logic--  Service Virtualization,Service Enablement
• Uniform , clean service exposure to service bus
• Any protocol/schema changes in the creditcard services can be accommodated without any impact to the CCServiceClient--  Location transparency, Message transformation, protocol switching, routing
• We can attach and enforce OWSM client/server policies
• Service pooling(in-case multiple endpoints provided by any of the CC services)
• Content based routing(routing based on the bank name in this case)
• Throttling

Note : This is a just a simple example/use case i tried to explain.

How ?

     Will try my level best to explain OSB how to do's in upcoming posts....Stay tuned  :-)   !!!

Security In OSB Part 1

Attachment handling in osb