Securing Services Using the AquaLogic Service Bus

ALSB Secure Proxy Service Creation

Now that ALSB and the underlying WebLogic Server have the keystores properly configured, the proxy service and associated security policy can be created in ALSB.

1. From a browser, run the ALSB Admin Console (for example, http://localhost:7001/sbconsole), and create a new project (for example, called "demo").

2. Using the ALSB Admin Console, create a new proxy service provider (for example, called "SecureProxyServiceProvider") for securing proxy services, similar to the screenshot shown in Figure 6:

Figure 6. Proxy service provider definition

3. Using the ALSB Admin Console, create a new security configuration credential of resource type "Proxy Service Provider," which defines the alias of the key pair that was set up in the WebLogic Server identity keystore earlier. This keystore resource can subsequently be used by any ALSB proxy services that need to encrypt or sign SOAP responses back to client applications (not the case in this specific example). Select the resource type as Figure 7 shows:

Figure 7. Proxy service provider configuration, part 1

Specify the provider purpose as Figure 8 shows:

Figure 8. Proxy service provider configuration, part 2

Specify the provider type as Figure 9 shows:

Figure 9. Proxy service provider configuration, part 3

Check the provider settings and press Finish as displayed in Figure 10:

Figure 10. Proxy service provider configuration, part 4

4. Using the ALSB Admin Console, add the following example custom WS-Policy file (SigningPolicy.xml). The policy file specifies that a message's body, WLS-specific headers, and timestamp header should be signed by the sender of the message. The policy also states that a timestamp header should be included by the client in the message with expiration set to 300 seconds:

<?xml version="1.0"?>

<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
  wsu:Id="signMessage">

  <wssp:Integrity>
    <wssp:SignatureAlgorithm
      URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm
      URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>

    <!-- The WebLogic Server system headers must be signed -->
    <wssp:Target>
      <wssp:DigestAlgorithm
        URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts
        Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target>

    <!-- The wsu:Timestamp inside the WS-Security header must be signed -->
    <wssp:Target>
      <wssp:DigestAlgorithm
        URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts
        Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SecurityHeader(wsu:Timestamp)
      </wssp:MessageParts>
    </wssp:Target>

    <!-- The SOAP body must be signed -->
    <wssp:Target>
      <wssp:DigestAlgorithm
        URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>

  <!-- The client must include a timestamp; messages older than 300 seconds are rejected -->
  <wssp:MessageAge Age="300"/>
</wsp:Policy>

This policy file is the single artifact in which a Web service security policy is defined and made ready to apply to one or more proxy services. It is perfectly acceptable to define several different policy files when different sets of security constraints must be supported for the same services; where one security policy should apply uniformly to all services, a single definition such as this one is sufficient. The policy could also include encryption and authentication enforcement elements, if required.
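As an added example (not part of the original article and not ALSB or WebLogic code), the following Python script reads the signing policy above, extracts what it demands, and checks a constructed SOAP request against those demands: are the Body and the wsu:Timestamp covered by ds:Reference entries, and is the timestamp within the 300-second MessageAge window. The sample request, its timestamp values, and the treatment of wls:SystemHeaders() (every SOAP header other than wsse:Security is assumed to be a system header) are assumptions made for the example. The check is purely structural; it never verifies the XML signature cryptographically, which remains the job of the WebLogic WS-Security runtime.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "wssp": "http://www.bea.com/wls90/security/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
}

# Condensed copy of the article's SigningPolicy.xml: same three targets, same MessageAge.
POLICY_XML = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:wssp="http://www.bea.com/wls90/security/policy"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 wsu:Id="signMessage">
 <wssp:Integrity>
  <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <wssp:Target><wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts></wssp:Target>
  <wssp:Target><wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts></wssp:Target>
  <wssp:Target><wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts></wssp:Target>
 </wssp:Integrity>
 <wssp:MessageAge Age="300"/>
</wsp:Policy>"""

# Constructed request that satisfies the policy. The signature value is a placeholder:
# this check is structural and never verifies the cryptographic signature itself.
GOOD_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2024-05-01T12:00:00Z</wsu:Created></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#Timestamp-1"/><ds:Reference URI="#Body-1"/>
   </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><in0 xmlns="http://MyNamespace">hello</in0></soap:Body>
</soap:Envelope>"""


def parse_policy(policy_xml):
    """Return the parts the policy requires to be signed and its MessageAge (seconds)."""
    root = ET.fromstring(policy_xml)
    parts = [mp.text.strip() for mp in
             root.iterfind("wssp:Integrity/wssp:Target/wssp:MessageParts", NS)]
    age = root.find("wssp:MessageAge", NS)
    return {"signed_parts": parts,
            "max_age": int(age.get("Age")) if age is not None else None}


def _utc(text):
    """Parse a WS-Security UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def check_request(envelope_xml, policy, now):
    """Return the violations found in a SOAP request (empty list = compliant). Structural
    only: presence and ds:Reference coverage of the required parts plus the MessageAge
    window; the WS-Security runtime still has to verify the signature cryptographically."""
    env = ET.fromstring(envelope_xml)
    header, body = env.find("soap:Header", NS), env.find("soap:Body", NS)
    security = header.find("wsse:Security", NS) if header is not None else None
    signature = security.find("ds:Signature", NS) if security is not None else None
    if signature is None:
        return ["no ds:Signature inside a wsse:Security header"]
    # Resolve each ds:Reference URI="#id" to the element carrying that wsu:Id; a
    # reference that resolves to nothing is recorded as dangling.
    wsu_id = "{%s}Id" % NS["wsu"]
    by_id = {el.get(wsu_id): el for el in env.iter() if el.get(wsu_id)}
    refs = [r.get("URI", "") for r in signature.iterfind("ds:SignedInfo/ds:Reference", NS)]
    problems = ["dangling ds:Reference %r" % u for u in refs if u[1:] not in by_id]
    covered = {by_id[u[1:]] for u in refs if u[1:] in by_id}
    timestamp = security.find("wsu:Timestamp", NS)
    for part in policy["signed_parts"]:
        if part == "wsp:Body()" and body not in covered:
            problems.append("soap:Body is not signed")
        elif part == "wls:SecurityHeader(wsu:Timestamp)" and timestamp not in covered:
            problems.append("wsu:Timestamp is missing or not signed")
        elif part == "wls:SystemHeaders()":
            # Assumption: any SOAP header other than wsse:Security is a system header
            # (e.g. WS-Addressing) and must be covered by the signature when present.
            problems += ["system header %s is not signed" % c.tag
                         for c in header if c is not security and c not in covered]
    if policy["max_age"] is not None and timestamp is not None:
        created = _utc(timestamp.findtext("wsu:Created", "", NS))
        if now - created > timedelta(seconds=policy["max_age"]):
            problems.append("message older than MessageAge of %d s" % policy["max_age"])
    return problems


def demo():
    """Constructed request as sent, replayed 10 minutes later, and with its Body unsigned."""
    policy = parse_policy(POLICY_XML)
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    return {"good": check_request(GOOD_REQUEST, policy, now),
            "stale": check_request(GOOD_REQUEST, policy, now + timedelta(minutes=10)),
            "unsigned_body": check_request(
                GOOD_REQUEST.replace('<ds:Reference URI="#Body-1"/>', ""), policy, now)}
```

Running demo() returns an empty list for the compliant request, a single MessageAge violation for the replayed copy, and "soap:Body is not signed" for the request whose signature no longer references the Body. The same parse_policy/check_request pair can be pointed at captured requests when a client's signing configuration does not line up with what the proxy's policy expects.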

5. Using the ALSB Admin Console, add the following example WSDL file (EchoServiceSecure.wsdl) for a fictitious "Echo" Web service and, after saving it, choose to Edit References for the WSDL and link up its policy file dependency to the policy file added in the previous step. The WSDL file defines an Echo Web service and states that the WS-Policy file should be applied on the service input message only:

<?xml version="1.0" encoding="UTF-8"?>

<wsdl:definitions targetNamespace="http://MyNamespace"
  xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:impl="http://MyNamespace"
  xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

  <!-- Clients must understand and honour the attached WS-Policy -->
  <wsp:UsingPolicy wsdl:Required="true"
                   xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"/>

  <wsdl:message name="EchoRequest">
    <wsdl:part name="in0" type="xsd:string"/>
  </wsdl:message>

  <wsdl:message name="EchoResponse">
    <wsdl:part name="out0" type="xsd:string"/>
  </wsdl:message>

  <wsdl:portType name="Echo">
    <wsdl:operation name="DoEcho" parameterOrder="in0">
      <wsdl:input name="EchoRequest" message="impl:EchoRequest"/>
      <wsdl:output name="EchoResponse" message="impl:EchoResponse"/>
    </wsdl:operation>
  </wsdl:portType>

  <wsdl:binding name="EchoSoapBinding" type="impl:Echo">
    <wsdlsoap:binding style="document"
                      transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="DoEcho">
      <wsdlsoap:operation soapAction=""/>
      <!-- The signing policy applies to the request message only -->
      <wsdl:input name="EchoRequest">
        <wsp:Policy>
          <wsp:PolicyReference URI="file://SigningPolicy.xml"/>
        </wsp:Policy>
        <wsdlsoap:body use="literal"
                       namespace="http://MyNamespace"/>
      </wsdl:input>
      <wsdl:output name="EchoResponse">
        <wsdlsoap:body use="literal"
                       namespace="http://MyNamespace"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  <wsdl:service name="EchoService">
    <wsdl:port name="Echo" binding="impl:EchoSoapBinding">
      <wsdlsoap:address
        location="http://localhost/services/MyEchoService"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>

Note: When the proxy service is used to route to a real business service, this WSDL file will normally be derived from the business service's own WSDL, from which the proxy service's interface is generated.

6. Using the ALSB Admin Console, create a proxy service (for example, EchoProxyService) based on the WSDL port of the added WSDL file, and reference the previously created proxy service provider. Ensure that the Process WS-Security Header checkbox is selected as Figure 11 shows:

Figure 11. Proxy WS-Security header configuration

Leave the default Echo pipeline for this proxy intact so that the service simply echoes back a response copied directly from the request. Figure 12 displays the summary settings for an example of the proxy service:

Figure 12. Proxy settings summary

Note: For this particular proxy, a proxy service provider does not strictly need to be defined, because the server does not sign or encrypt the response messages it sends back to the client application (the WS-Policy file constrains the request only). To validate that a signed Web service request is trusted, ALSB consults only WebLogic Server's trust keystore, configured in an earlier step.

7. From a browser, enter the URL of the new ALSB proxy service's WSDL file (for example, http://localhost:7001/EchoProxyService?WSDL) to ensure the WSDL file includes the WS-Policy settings to indicate to client applications that the SOAP request must be signed.
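The check in step 7 can be automated. The following Python script is an added example (not from the article or the ALSB product): it parses a WSDL and reports whether a WS-Policy is attached to each binding operation's input, whether wsp:UsingPolicy is marked wsdl:Required, and whether any "#id" PolicyReference actually resolves to an inline wsp:Policy carrying that wsu:Id. The embedded WSDL is a condensed copy of EchoServiceSecure.wsdl constructed for the example; fetch_wsdl() and the audit() findings text are the example's own, and the URL mentioned in its comment is the article's example address.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.request import urlopen

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed WSDL condensed from the article's EchoServiceSecure.wsdl: binding only,
# with the policy reference on the DoEcho input and none on the output.
SAMPLE_WSDL = """<wsdl:definitions targetNamespace="http://MyNamespace"
 xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:impl="http://MyNamespace"
 xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
 <wsp:UsingPolicy wsdl:Required="true"/>
 <wsdl:binding name="EchoSoapBinding" type="impl:Echo">
  <wsdlsoap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  <wsdl:operation name="DoEcho">
   <wsdl:input name="EchoRequest">
    <wsp:Policy><wsp:PolicyReference URI="file://SigningPolicy.xml"/></wsp:Policy>
    <wsdlsoap:body use="literal" namespace="http://MyNamespace"/>
   </wsdl:input>
   <wsdl:output name="EchoResponse">
    <wsdlsoap:body use="literal" namespace="http://MyNamespace"/>
   </wsdl:output>
  </wsdl:operation>
 </wsdl:binding>
</wsdl:definitions>"""


def fetch_wsdl(url):
    """Download the WSDL a proxy publishes, e.g. http://localhost:7001/EchoProxyService?WSDL."""
    with urlopen(url) as resp:
        return resp.read().decode("utf-8")


def policy_map(wsdl_xml):
    """Summarise the WS-Policy attachments in a WSDL: whether wsp:UsingPolicy is marked
    wsdl:Required, the wsu:Ids of inline policies, and the PolicyReference URIs attached
    to each binding operation's input and output."""
    root = ET.fromstring(wsdl_xml)
    required_attr, wsu_id = "{%s}Required" % NS["wsdl"], "{%s}Id" % NS["wsu"]
    refs = {}
    for binding in root.iterfind("wsdl:binding", NS):
        for op in binding.iterfind("wsdl:operation", NS):
            for direction in ("input", "output"):
                msg = op.find("wsdl:" + direction, NS)
                if msg is not None:
                    key = "%s/%s/%s" % (binding.get("name"), op.get("name"), direction)
                    refs[key] = [r.get("URI") for r in msg.iterfind(".//wsp:PolicyReference", NS)]
    return {
        "required": any(u.get(required_attr) == "true" for u in root.iterfind("wsp:UsingPolicy", NS)),
        "inline_ids": {p.get(wsu_id) for p in root.iter("{%s}Policy" % NS["wsp"]) if p.get(wsu_id)},
        "references": refs,
    }


def audit(wsdl_xml):
    """Findings for a WSDL whose requests are supposed to be signed (empty list = OK)."""
    info = policy_map(wsdl_xml)
    findings = []
    if not info["required"]:
        findings.append('wsp:UsingPolicy wsdl:Required="true" is absent; clients may ignore the policy')
    for key, uris in info["references"].items():
        if key.endswith("/input") and not uris:
            findings.append("%s has no WS-Policy attached; requests are not required to be signed" % key)
        for uri in uris:
            if uri.startswith("#") and uri[1:] not in info["inline_ids"]:
                findings.append("%s references %s but no inline wsp:Policy carries that wsu:Id" % (key, uri))
    return findings


if __name__ == "__main__":
    # Pass the proxy's WSDL URL as the first argument, or run against the embedded sample.
    print(audit(fetch_wsdl(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WSDL))
```

An empty findings list means every operation input advertises a policy and clients are told the policy is mandatory; an input without an attachment is the case to look for after editing the WSDL references, since a proxy whose published WSDL lacks the policy will quietly accept unsigned requests from clients that build their security handling from that WSDL.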
