
Implementing Single Sign-On Between Oracle and SAP Using Security Assertion Markup Language

By Ronaldo Fernandes

Implementing Security Assertion Markup Language (SAML) to provide identity propagation from Oracle Web Services Manager (OWSM) in Oracle Service Bus (OSB) to SAP Enterprise Central Component (ECC)

July 2013

Downloads
Oracle Service Bus
Oracle SOA Suite

When enterprise resource planning (ERP) applications are used to access and update data and processes, tracking user activity is important. Because critical data, such as financial and sales data, can be exposed through web services, you need to provide a secure environment in which user identity is propagated between the different systems.

This article describes how to implement Security Assertion Markup Language (SAML) to provide identity propagation through web services from Oracle Web Services Manager (OWSM) in Oracle Service Bus (OSB) to SAP Enterprise Central Component (ECC). It covers the necessary configuration and provides a sample Oracle environment.

Scenario

This solution applies to customers with an environment of Oracle Service Bus 11g (11.1.1.6) with integrated Oracle Web Services Manager and SAP ECC 6.06 SP2. Each application authenticates users against a different store. SAP ERP was formerly known as R/3.

In this scenario, Oracle Service Bus (acting as the identity provider) uses SAML 1.1 sender-vouches, as published on SAP ECC (acting as the service provider), to access a web service. SAML 1.1 is used rather than SAML 2.0 because the customer plans to change the architecture.

Figure 1: Oracle Service Bus/ECC environment

The user accesses the proxy with his credentials; Oracle Service Bus authenticates him, executes the flow, and calls the business service.

The Oracle Web Services Manager policy applied to the business service needs to generate a SAML assertion. Oracle Web Services Manager generates a message that carries the security information (including the assertion) and has a signed body, and then calls ECC.

ECC validates the security information using the SAML assertion and verifies that the user exists in its user store. If the message is validated, ECC returns a response to Oracle Service Bus.

The service published on ECC receives only one text parameter and returns it together with the user name (authenticated via SAML). This is a very simple test, but it is enough to verify identity propagation between the platforms.

Configuration


WebLogic Server

Create a user in Oracle WebLogic (for example: testsamlclient).

In our test, this user authenticates the client in the proxy service. The same user, or a corresponding one, must exist in ECC.

Oracle Web Services Manager


Configure the keystore used by Oracle Web Services Manager and import the certificates used in the communication: the Oracle Web Services Manager private key, the ECC public key, and the CA. This scenario uses certificates generated by the customer, so the issuing authority is the company CA.

Access the Enterprise Manager console:

http://<host>:<port>/em


Go to the keystore configuration screen and set the keystore and certificate values. In our test, the signing key signs both the SAML assertion and the SOAP request body.

Click <FARM>/Weblogic Domain/<domain_name>, go to the menu WebLogic Domain > Security > Security Provider Configuration, and select Configure Keystore.

Figure 2: Oracle Web Services Manager keystore configuration

Restart the server.

Access the EM console again to configure a new security policy.

Click <FARM>/Weblogic Domain/<domain_name>, go to the menu WebLogic Domain > Web Services > Policies.

In the Web Service Policies screen, search for the policies that apply to service clients.

Select oracle/wss10_saml_token_with_message_integrity_client_policy.

Click Create Like:

Figure 3: Creating a web service policy

Rename the policy (example: oracle/wss10_saml_token_with_message_integrity_client_policy_sap).

Figure 4: Renaming the policy

Because the ECC SAML web service requires a message with a signed timestamp, select the Include Timestamp option in the Settings tab:

Figure 5: Include Timestamp

As a result, Oracle Web Services Manager adds a signed timestamp to the request and also expects a signed timestamp in the response. However, ECC sends an unsigned timestamp in the response, and the following error appears in Oracle Service Bus:

oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00036 : 
The signed message elements or parts do not comply with the policy. The following 
headers/elements (<name space: local name>) or attachments (<attachment ID: 
attachment type>) must be signed:-
< http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd: Timestamp >


To resolve this, go to the Configurations tab, add the property ignore.timestamp.in.response, and set its value to true. With this configuration, Oracle Web Services Manager no longer validates the timestamp in the response.

Figure 6: Adding a property

The saml.issuer.name field defines the issuer of the SAML assertion; by default it is www.oracle.com. You can change this value, but the issuer must then be configured in SAP ECC so that it accepts SAML assertions from Oracle Service Bus.

The csf-key property is defined with basic.credentials as its default value. Click <FARM>/Weblogic Domain/<domain_name> and go to the menu WebLogic Domain > Security > Credentials. Under oracle.wsm.security, create a new key named basic.credentials that holds the testsamlclient user:

Figure 7: Creating the key

You can also define a new credential key and then change the value of the csf-key property.

Implementation

Open Oracle Enterprise Pack for Eclipse (OEPE) and create a business service from the ECC WSDL, giving it a name (for example: TestSamlClient).

This is an example of the ECC WSDL:

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions targetNamespace="urn:sap-com:document:sap:soap:functions:mc-style"
     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"	 
	 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
	 xmlns:wsoap12="http://schemas.xmlsoap.org/wsdl/soap12/"
	 xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
     xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
     xmlns:tns="urn:sap-com:document:sap:soap:functions:mc-style"
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     xmlns:n1="urn:sap-com:document:sap:rfc:functions">
     <wsdl:documentation>
     <sidl:sidl xmlns:sidl="http://www.sap.com/2007/03/sidl" />
     </wsdl:documentation>
     <wsp:UsingPolicy wsdl:required="true" />
     <wsp:Policy wsu:Id="BN_BN_YS_SAMLTEST">
          <saptrnbnd:OptimizedXMLTransfer 
uri="http://xml.sap.com/2006/11/esi/esp/binxml"
xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"
wsp:Optional="true" />
          <saptrnbnd:OptimizedMimeSerialization
xmlns:saptrnbnd="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"
               wsp:Optional="true" />
          <wsp:ExactlyOne xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
               <wsp:All>
                    <sp:AsymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
               <wsp:Policy>
                 <sp:InitiatorSignatureToken>
               <wsp:Policy>
                 <sp:X509Token
                   sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
               <wsp:Policy>
                 <sp:WssX509V3Token10 />
               </wsp:Policy>
                 </sp:X509Token>
               </wsp:Policy>
                </sp:InitiatorSignatureToken>
                <sp:AlgorithmSuite>
               <wsp:Policy>
                <sp:Basic128Rsa15 />
               </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
               <wsp:Policy>
                <sp:Strict />
               </wsp:Policy>
                </sp:Layout>
                 <sp:IncludeTimestamp />
                 <sp:OnlySignEntireHeadersAndBody />
               </wsp:Policy>
                 </sp:AsymmetricBinding>
                 <sp:Wss10
                  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                  xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
		  xmlns:wsa="http://www.w3.org/2005/08/addressing"
		  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                  xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                  xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
                <wsp:Policy>
                  <sp:MustSupportRefKeyIdentifier />
                  <sp:MustSupportRefIssuerSerial />
                </wsp:Policy>
                   </sp:Wss10>
                   <sp:SignedParts
                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                    xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
                    xmlns:wsa="http://www.w3.org/2005/08/addressing"
		    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
                   <sp:Body />
                   <sp:Header Name="Trace"
                    Namespace="http://www.sap.com/webas/630/soap/features/runtime/tracing/" />
                   <sp:Header Name="messageId"
                    Namespace="http://www.sap.com/webas/640/soap/features/messageId/" />
                   <sp:Header Name="CallerInformation"
                    Namespace="http://www.sap.com/webas/712/soap/features/runtime/metering/" />
                   <sp:Header Name="Session"
                    Namespace="http://www.sap.com/webas/630/soap/features/session/" />
                   <sp:Header Name="To"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="From"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="FaultTo"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="ReplyTo"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="MessageID"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="RelatesTo"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="Action"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="ReferenceParameters" 
                    Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="Sequence"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="SequenceAcknowledgement"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="AckRequested"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="SequenceFault"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="Sequence"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="AckRequested"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="SequenceAcknowledgement"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="SequenceFault"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="UsesSequenceSTR"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="UsesSequenceSSL"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   </sp:SignedParts>
                   <sp:SignedSupportingTokens
                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                    xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
                    xmlns:wsa="http://www.w3.org/2005/08/addressing" 
                    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
                  <wsp:Policy>
                   <sp:SamlToken
                    sp:IncludeToken=
 "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                   <sp:WssSamlV11Token10 />
                  </wsp:Policy>
                  </sp:SamlToken>
                  </wsp:Policy>
                  </sp:SignedSupportingTokens>
               </wsp:All>
          </wsp:ExactlyOne>
          <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
               wsp:Optional="true" />
     </wsp:Policy>
     <wsp:Policy wsu:Id="BN_BN_YS_SAMLTEST_SOAP12">
          <saptrnbnd:OptimizedXMLTransfer
            uri="http://xml.sap.com/2006/11/esi/esp/binxml"
xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"
               wsp:Optional="true" />
          <saptrnbnd:OptimizedMimeSerialization
xmlns:saptrnbnd="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"
               wsp:Optional="true" />
          <wsp:ExactlyOne xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
               <wsp:All>
                 <sp:AsymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing" 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
        <wsp:Policy>
         <sp:InitiatorSignatureToken>
        <wsp:Policy>
         <sp:X509Token
          sp:IncludeToken=
 "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
         <sp:WssX509V3Token10 />
        </wsp:Policy>
        </sp:X509Token>
        </wsp:Policy>
        </sp:InitiatorSignatureToken>
        <sp:AlgorithmSuite>
        <wsp:Policy>
        <sp:Basic128Rsa15 />
        </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
        <wsp:Policy>
         <sp:Strict />
        </wsp:Policy>
         </sp:Layout>
         <sp:IncludeTimestamp />
         <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
         </sp:AsymmetricBinding>
          <sp:Wss10
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
        <wsp:Policy>
         <sp:MustSupportRefKeyIdentifier />
         <sp:MustSupportRefIssuerSerial />
       </wsp:Policy>
       </sp:Wss10>
      <sp:SignedParts
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
 xmlns:wsa="http://www.w3.org/2005/08/addressing" 
 xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
 xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
 xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
      <sp:Body />
      <sp:Header Name="Trace"
        Namespace="http://www.sap.com/webas/630/soap/features/runtime/tracing/" />
      <sp:Header Name="messageId"
        Namespace="http://www.sap.com/webas/640/soap/features/messageId/" />
      <sp:Header Name="CallerInformation"
        Namespace="http://www.sap.com/webas/712/soap/features/runtime/metering/" />
      <sp:Header Name="Session"
        Namespace="http://www.sap.com/webas/630/soap/features/session/" />
      <sp:Header Name="To"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="From"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="FaultTo"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="ReplyTo"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="MessageID"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="RelatesTo"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="Action"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="ReferenceParameters" 
        Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="Sequence"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="SequenceAcknowledgement"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="AckRequested"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="SequenceFault"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="Sequence"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="AckRequested"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="SequenceAcknowledgement"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="SequenceFault"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="UsesSequenceSTR"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="UsesSequenceSSL"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      </sp:SignedParts>
      <sp:SignedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing" 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
     <wsp:Policy>
      <sp:SamlToken
       sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
     <wsp:Policy>
       <sp:WssSamlV11Token10 />
     </wsp:Policy>
       </sp:SamlToken>
     </wsp:Policy>
     </sp:SignedSupportingTokens>
     </wsp:All>
     </wsp:ExactlyOne>
     <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
       wsp:Optional="true" />
     </wsp:Policy>
     <wsp:Policy wsu:Id="IF_IF_YS_SAMLTEST">
     <sapsession:Session
xmlns:sapsession="http://www.sap.com/webas/630/soap/features/session/">
       <sapsession:enableSession>false</sapsession:enableSession>
     </sapsession:Session>
       <sapcentraladmin:CentralAdministration
xmlns:sapcentraladmin="http://www.sap.com/webas/700/soap/features/CentralAdministration/"
        wsp:Optional="true">
       <sapcentraladmin:BusinessApplicationID>4FF6C4A0570F00E9E10000000A1D140F
       </sapcentraladmin:BusinessApplicationID>
       </sapcentraladmin:CentralAdministration>
     </wsp:Policy>
     <wsp:Policy wsu:Id="OP_IF_OP_YsSamltest">
       <sapcomhnd:enableCommit
xmlns:sapcomhnd="http://www.sap.com/NW05/soap/features/commit/">false</sapcomhnd:enableCommit>
       <sapblock:enableBlocking
xmlns:sapblock="http://www.sap.com/NW05/soap/features/blocking/">true</sapblock:enableBlocking>
       <saptrhnw05:required
xmlns:saptrhnw05="http://www.sap.com/NW05/soap/features/transaction/">no</saptrhnw05:required>
       <saprmnw05:enableWSRM xmlns:saprmnw05="http://www.sap.com/NW05/soap/features/wsrm/">false
     </saprmnw05:enableWSRM>
     </wsp:Policy>
     <wsdl:types>
   <xsd:schema attributeFormDefault="qualified"
      targetNamespace="urn:sap-com:document:sap:rfc:functions">
   <xsd:simpleType name="char10">
   <xsd:restriction base="xsd:string">
   <xsd:maxLength value="10" />
   </xsd:restriction>
   </xsd:simpleType>
   <xsd:simpleType name="char40">
   <xsd:restriction base="xsd:string">
     <xsd:maxLength value="40" />
   </xsd:restriction>
   </xsd:simpleType>
   </xsd:schema>
   <xsd:schema attributeFormDefault="qualified"
     targetNamespace="urn:sap-com:document:sap:soap:functions:mc-style"
xmlns:n0="urn:sap-com:document:sap:rfc:functions">
   <xsd:import namespace="urn:sap-com:document:sap:rfc:functions" />
   <xsd:element name="YsSamltest">
   <xsd:complexType>
   <xsd:sequence>
     <xsd:element name="Text" type="n0:char10" minOccurs="0" />
   </xsd:sequence>
   </xsd:complexType>
     </xsd:element>
      <xsd:element name="YsSamltestResponse">
      <xsd:complexType>
    <xsd:sequence>
    <xsd:element name="Result" type="n0:char40" />
   </xsd:sequence>
   </xsd:complexType>
   </xsd:element>
   </xsd:schema>
   </wsdl:types>
   <wsdl:message name="YsSamltest">
   <wsdl:part name="parameters" element="tns:YsSamltest" />
   </wsdl:message>
   <wsdl:message name="YsSamltestResponse">
   <wsdl:part name="parameter" element="tns:YsSamltestResponse" />
   </wsdl:message>
   <wsdl:portType name="YS_SAMLTEST">
   <wsp:Policy>
    <wsp:PolicyReference URI="#IF_IF_YS_SAMLTEST" />
   </wsp:Policy>
   <wsdl:operation name="YsSamltest">
    <wsp:Policy>
    <wsp:PolicyReference URI="#OP_IF_OP_YsSamltest" />
   </wsp:Policy>
   <wsdl:input message="tns:YsSamltest" />
   <wsdl:output message="tns:YsSamltestResponse" />
   </wsdl:operation>
   </wsdl:portType>
   <wsdl:binding name="YS_SAMLTEST" type="tns:YS_SAMLTEST">
         <wsp:Policy>
           <wsp:PolicyReference URI="#BN_BN_YS_SAMLTEST" />
          </wsp:Policy>
          <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
               style="document" />
          <wsdl:operation name="YsSamltest">
               <soap:operation style="document" />
               <wsdl:input>
                    <soap:body use="literal" />
               </wsdl:input>
               <wsdl:output>
                    <soap:body use="literal" />
               </wsdl:output>
          </wsdl:operation>
     </wsdl:binding>
     <wsdl:binding name="YS_SAMLTEST_SOAP12" type="tns:YS_SAMLTEST">
          <wsp:Policy>
               <wsp:PolicyReference URI="#BN_BN_YS_SAMLTEST_SOAP12" />
          </wsp:Policy>
          <wsoap12:binding transport="http://schemas.xmlsoap.org/soap/http"
               style="document" />
          <wsdl:operation name="YsSamltest">
               <wsoap12:operation style="document" />
               <wsdl:input>
                    <wsoap12:body use="literal" />
               </wsdl:input>
               <wsdl:output>
                    <wsoap12:body use="literal" />
               </wsdl:output>
          </wsdl:operation>
     </wsdl:binding>
     <wsdl:service name="YS_SAMLTEST">
          <wsdl:port name="YS_SAMLTEST" binding="tns:YS_SAMLTEST">
            <soap:address
 location="http://poc-sap:8021/sap/bc/srt/rfc/sap/ys_samltest/200/ys_samltest/ys_samltest" />
          </wsdl:port>
          <wsdl:port name="YS_SAMLTEST_SOAP12" binding="tns:YS_SAMLTEST_SOAP12">
             <wsoap12:address
 location="http://poc-sap:8021/sap/bc/srt/rfc/sap/ys_samltest/200/ys_samltest/ys_samltest" />
          </wsdl:port>
     </wsdl:service>
</wsdl:definitions>


After creating the business service, you will see this error:

"[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy." (see Figure 8)

Figure 8: Policy error

This error occurs because Oracle WebLogic, unlike Oracle Web Services Manager, does not support the policies in the ECC WSDL. For now, to avoid the error, change the service policy configuration to From OWSM Policy Store. We can set this policy only through the Oracle Service Bus console. If the Oracle Service Bus server is running, the Oracle Web Service Manager policy can be added through OEPE.

Create a proxy service from the business service. You will see the same policy error. In the Policy tab, change Service Policy Configuration to From Pre-defined Policy or WS-Policy Resource. In Figure 9, the proxy service does not need any policy.

Figure 9: Creating the proxy service

In the HTTP Transport tab, change Authentication to Basic. This is required because, in the business service, Oracle Web Services Manager uses the name of the authenticated user in the SAML assertion it generates.

Export the Oracle Service Bus configuration JAR.

Oracle Service Bus Configuration


Access the Oracle Service Bus console and import the OSB configuration JAR into the server.

Configure the business service, adding the custom policy created in Oracle Web Services Manager:

Figure 10: Service Policy Configuration

After applying the policy, you can change the value of any property in the Security tab:

Figure 11: Policy Overrides

Note: If you want different behavior from the business service (for example, a different signing certificate), you can change any property of the policy here.

Before Testing


There are a few things to verify before testing.

Verify that the clocks of the Oracle and SAP machines are synchronized, and configure an appropriate clock skew in ECC. If Oracle Service Bus sends a request with a time in the future, or with a time difference greater than the configured skew, ECC rejects the call. In ECC, the user included in the SAML assertion must map to an existing user in its user store. User names in ECC are case-sensitive.

Verify that ECC is configured to accept the SAML issuer used by Oracle Web Services Manager.

Verify that all required certificates have been imported into the Oracle Web Services Manager keystore and into the ECC environment.
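The checks just listed (clock skew, accepted issuer, existing user) and the earlier WSM-00036 situation (a timestamp present in the response but not covered by a signature) can be exercised on sample messages. The following Python is an added example, not code from the article or from Oracle or SAP; it runs against constructed, condensed copies of the article's signed request and ECC response, and the 120-second skew, the idp.example issuer, and all element IDs are assumptions.

```python
# Added example (not Oracle or SAP code): the checks a SAML 1.1 sender-vouches relying
# party such as ECC applies to the signed request, plus the signed-parts check OWSM
# applies to the response (the WSM-00036 condition). Sample messages are constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

def parse_utc(text):
    # Timestamps in the article look like 2013-04-15T20:04:41Z
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_timestamp(root, now, skew):
    """Reject a wsu:Timestamp created in the future (beyond the skew) or already expired."""
    ts = root.find(".//wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return ["timestamp missing"]
    created = parse_utc(ts.findtext("wsu:Created", namespaces=NS))
    expires = parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
    return [msg for ok, msg in ((created <= now + skew, "timestamp created in the future"),
                                (expires > now - skew, "timestamp expired")) if not ok]

def check_assertion(root, now, skew, accepted_issuers, known_users):
    """Issuer, validity window, confirmation method and subject existence (case-sensitive)."""
    a = root.find(".//wsse:Security/saml:Assertion", NS)
    if a is None:
        return ["assertion missing"]
    cond = a.find("saml:Conditions", NS)
    method = (a.findtext(".//saml:SubjectConfirmation/saml:ConfirmationMethod", namespaces=NS) or "").strip()
    name = (a.findtext(".//saml:Subject/saml:NameIdentifier", namespaces=NS) or "").strip()
    checks = [
        (a.get("Issuer") in accepted_issuers, "issuer not accepted: %s" % a.get("Issuer")),
        (cond is not None, "conditions missing"),
        (cond is None or parse_utc(cond.get("NotBefore")) <= now + skew, "assertion not yet valid"),
        (cond is None or parse_utc(cond.get("NotOnOrAfter")) > now - skew, "assertion expired"),
        (method == SENDER_VOUCHES, "unexpected confirmation method"),
        (name in known_users, "unknown user: %r" % name),  # exact match, as in the ECC user store
    ]
    return [msg for ok, msg in checks if not ok]

def unsigned_parts(xml, required):
    """Return the required parts (local names) that no dsig:Reference covers. A Reference to a
    SecurityTokenReference (the STR-Transform case) is resolved to the SAML assertion it names."""
    root = ET.fromstring(xml)
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    assertions = {el.get("AssertionID") for el in root.iter("{%s}Assertion" % NS["saml"])}
    covered = set()
    for ref in root.iterfind(".//dsig:Signature/dsig:SignedInfo/dsig:Reference", NS):
        el = by_id.get(ref.get("URI", "").lstrip("#"))
        if el is None:
            continue
        local = el.tag.rsplit("}", 1)[-1]
        if local == "SecurityTokenReference":
            kid = (el.findtext("wsse:KeyIdentifier", namespaces=NS) or "").strip()
            local = "Assertion" if kid in assertions else local
        covered.add(local)
    return sorted(set(required) - covered)

def validate_request(xml, now_utc, skew_seconds=120, issuers=("www.oracle.com",),
                     users=("testsamlclient",)):
    """All findings for one request; an empty list means the relying party would accept it."""
    root, now, skew = ET.fromstring(xml), parse_utc(now_utc), timedelta(seconds=skew_seconds)
    return (check_timestamp(root, now, skew)
            + check_assertion(root, now, skew, set(issuers), set(users))
            + ["unsigned part: " + p for p in unsigned_parts(xml, ["Body", "Timestamp", "Assertion"])])

# Constructed sample: the OWSM-signed request from the article, condensed (signature value omitted).
REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:saml="%(saml)s" xmlns:dsig="%(dsig)s">
<soapenv:Header><wsse:Security>
<wsse:SecurityTokenReference wsu:Id="STR-1"><wsse:KeyIdentifier>SAML-1</wsse:KeyIdentifier></wsse:SecurityTokenReference>
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2013-04-15T20:04:41Z</wsu:Created><wsu:Expires>2013-04-15T20:09:41Z</wsu:Expires></wsu:Timestamp>
<wsse:BinarySecurityToken wsu:Id="BST-1">(certificate omitted)</wsse:BinarySecurityToken>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SAML-1" Issuer="www.oracle.com">
<saml:Conditions NotBefore="2013-04-15T20:04:41Z" NotOnOrAfter="2013-04-15T20:09:41Z"/>
<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>testsamlclient</saml:NameIdentifier>
<saml:SubjectConfirmation><saml:ConfirmationMethod>%(cm)s</saml:ConfirmationMethod></saml:SubjectConfirmation>
</saml:Subject></saml:AuthenticationStatement></saml:Assertion>
<dsig:Signature><dsig:SignedInfo><dsig:Reference URI="#BST-1"/><dsig:Reference URI="#TS-1"/>
<dsig:Reference URI="#STR-1"/><dsig:Reference URI="#Body-1"/></dsig:SignedInfo>
<dsig:SignatureValue>(omitted)</dsig:SignatureValue></dsig:Signature>
</wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="Body-1"><Text>test</Text></soapenv:Body></soapenv:Envelope>""" % dict(NS, cm=SENDER_VOUCHES)

# Constructed sample: the ECC response, whose timestamp is present but not signed.
RESPONSE = """<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s">
<soap-env:Header><wsse:Security><wsu:Timestamp wsu:Id="ts-1">
<wsu:Created>2013-04-15T20:04:41Z</wsu:Created><wsu:Expires>2013-04-15T20:06:11Z</wsu:Expires>
</wsu:Timestamp></wsse:Security></soap-env:Header>
<soap-env:Body><Result>Hello testsamlclient - PARAM: test</Result></soap-env:Body></soap-env:Envelope>""" % NS
```

Running validate_request(REQUEST, "2013-04-15T20:05:00Z") returns an empty list, while unsigned_parts(RESPONSE, ["Timestamp"]) reports the unsigned response timestamp that triggers WSM-00036 unless ignore.timestamp.in.response is set.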

Testing


Obtain the proxy service WSDL URL and test the service. For example:

http://<host>:<port>/TestSecSap/ProxyServices/TestSamlClient?WSDL


Any web service client tool (such as SoapUI) can be used to test the service.

Remember to set the credentials to the user created in WebLogic.

Here is a sample request:

<soapenv:Envelope
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">    
  <soapenv:Header/>
   <soapenv:Body>
      <urn:YsSamltest>
         <Text>test</Text>
      </urn:YsSamltest>
   </soapenv:Body>
</soapenv:Envelope>


After Oracle Web Services Manager applies the policy, the request sent to ECC becomes:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">
<soapenv:Header>
 <wsse:Security soapenv:mustUnderstand="1"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <wsse:SecurityTokenReference wsu:Id="STR-SAML-bCgQ6C7G7d3xvJEZ0Ap9Ag22"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsse:KeyIdentifier
  ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
  SAML-l0sKvVtSFWBxVSfO8DOYOQ22</wsse:KeyIdentifier>
 </wsse:SecurityTokenReference>
 <wsu:Timestamp wsu:Id="Timestamp-B8oMUcneIEM0FBP1WSzqiw22"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Created>2013-04-15T20:04:41Z</wsu:Created>
  <wsu:Expires>2013-04-15T20:09:41Z</wsu:Expires>
 </wsu:Timestamp>
  <wsse:BinarySecurityToken
   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   wsu:Id="BST-umEAXBVw2Neuu90Yk43M6A22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   MIIG1jCCBb6gAwI...CreDzVTHZz/xXtD2Vl8JsTN/QaKkZ1n88=</wsse:BinarySecurityToken>
  <saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="SAML-l0sKvVtSFWBxVSfO8DOYOQ22" IssueInstant="2013-04-15T20:04:41Z"
    Issuer="www.oracle.com" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2013-04-15T20:04:41Z"
    NotOnOrAfter="2013-04-15T20:09:41Z" />
  <saml:AuthenticationStatement
    AuthenticationInstant="2013-04-15T20:04:41Z" 
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml:Subject>
  <saml:NameIdentifier
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    testsamlclient</saml:NameIdentifier>
  <saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
  </saml:ConfirmationMethod>
  </saml:SubjectConfirmation>
  </saml:Subject>
  </saml:AuthenticationStatement>
  </saml:Assertion>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <dsig:Reference URI="#BST-umEAXBVw2Neuu90Yk43M6A22">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>buSz7W4V5OQ4FTBZKf8YBIpBC1Y=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#Timestamp-B8oMUcneIEM0FBP1WSzqiw22">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>psj9Sjk+bPTxUbqu1h8xUahVkrA=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#STR-SAML-bCgQ6C7G7d3xvJEZ0Ap9Ag22">
      <dsig:Transforms>
        <dsig:Transform
          Algorithm=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
	   <wsse:TransformationParameters>
	   <dsig:CanonicalizationMethod
	   Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
	   </wsse:TransformationParameters>
        </dsig:Transform>
       </dsig:Transforms>
       <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
       <dsig:DigestValue>gMV488pINPLCAhWMzF6YGmBXySc=</dsig:DigestValue>
      </dsig:Reference>
      <dsig:Reference URI="#Body-qp7LuhCcRiNgYpIFe3OIyA22">
        <dsig:Transforms>
	 <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
	</dsig:Transforms>
	<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
	<dsig:DigestValue>n6fRqeZ5AOg7GUSST0Y23bIftSg=</dsig:DigestValue>
      </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>
f6TPUUzWLbpPCnpbBBNeIhmy8vp+03V7YWLxCPcSbbPeN1AcUBijFPsH35V90IBmhgbPX366S9Ouu52lYiKNTgWn8UPIEVe
KHYKp742dHBSlqyxxVagJ7ddHjHgNbNn5QFuu/re6gcDAOVYwcGRDwpNPg+RnywQKkOfpgxtSdkLWz5ok7TjQcfApnur5gC
QvmRsBJwuQcaI3WTuFfWLg5gCj+yazOgUkwb+l7Vbssl8LdTQ1WiQdBKmoAbWci2GL+VFfkaq0dGcYd2/oJLJtrehPiTW6GY
/o7TmWY9L8cJOCJo86YPbKjfjn8WHuANe/AQRMAMkKnymUd424xS+C8g==
      </dsig:SignatureValue>
      <dsig:KeyInfo Id="KeyInfo-KYpO2OdhC7Q6fmBL1fonww22">
        <wsse:SecurityTokenReference>
	<wsse:Reference URI="#BST-umEAXBVw2Neuu90Yk43M6A22"
	  ValueType=
       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
	</wsse:SecurityTokenReference>
       </dsig:KeyInfo>
      </dsig:Signature>
     </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="Body-qp7LuhCcRiNgYpIFe3OIyA22"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<urn:YsSamltest>
	  <!--Optional: -->
	  <Text>test</Text>
	</urn:YsSamltest>
     </soapenv:Body>
</soapenv:Envelope>


ECC validates the request and then sends a response to Oracle Service Bus:

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Header
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsu:Timestamp wsu:Id="ts-516B5F24AE9D1010E10080000A1D123D">
     <wsu:Created>2013-04-15T20:04:41Z</wsu:Created>
     <wsu:Expires>2013-04-15T20:06:11Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
    </soap-env:Header>
    <soap-env:Body>
       <n0:YsSamltestResponse
	  xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
	  <Result>Hello testsamlclient - PARAM: test</Result>
       </n0:YsSamltestResponse>
	</soap-env:Body>
</soap-env:Envelope>


Oracle Service Bus sends the response to the client:

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
   <soap-env:Header 
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
   <soap-env:Body>       
      <n0:YsSamltestResponse 
         xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">          
   <Result>Hello testsamlclient - PARAM: test</Result>
      </n0:YsSamltestResponse>
   </soap-env:Body>
</soap-env:Envelope>


Conclusion


Identity propagation is very important in secure integration, but how to apply a technology such as SAML to solve this problem is not always clear. I hope this article helps people in similar situations.


About the Author

Ronaldo Fernandes is a Principal Consultant at Oracle Consulting in Brazil. He specializes in Oracle Fusion Middleware, SOA, and security, and has worked with Java technology since 1996. He has more than 15 years of experience in architecture definition, problem solving, technical leadership, and software development.