Web Service Secure
Contents
1. Concepts
2. Design
3. Required Software
4. Setup
5. Implementation
6. Resources
7. Feedback
Concepts
Effective Internet security requires secure information exchange mechanisms that are
scalable and that support the security of distributed systems. Public Key Infrastructure
(PKI) meets these requirements with minimal inconvenience.
Oracle9i Application Server (Oracle9iAS) can use elements of PKI to provide a secure,
resilient environment for deploying electronic commerce. This reliable environment
supports building systems to handle virtually any type of electronic interaction, from
corporate intranets to e-business applications designed for deployment on the Internet.
Strong system security starts with the physical security of systems and the
trustworthiness of personnel. With these in place, PKI enhances secure electronic
commerce and Internet communications by supporting the following processes:
● Digital signature. A PKI digital signature proves that a specific user performed
certain operations.
For public-key cryptography, entities that want to communicate in a secure manner must
possess certain security credentials. This collection of security credentials is stored in a
wallet. Security credentials consist of:
● Public and private keys. This form of cryptography uses a secret private key and
a mathematically-related public key. Only the public key can be used to encrypt
information, and only the corresponding private key can be used to decrypt that
information. Only the owner of the key pair knows the private key; the public key
can be distributed widely and remains associated with its owner. A message
encrypted with the public key can only be decrypted by the owner who knows the
associated private key. Such keys are also used in digital signatures to prevent
Internet impersonation and repudiation of valid messages. In the process of
setting up this sample application, you will obtain and install certificates for the
client and server.
● Digital certificates. Certificates are digital identities, issued by trusted third
parties, that identify users and machines. Certificates are issued when that third
party receives trusted information proving to its satisfaction the validity of those
identities. The certificates can then be securely stored in wallets or in directories
and used to prove the claimed identity to anyone on the Internet who trusts that
third party.
● Certificate Authority (CA). A CA is a third party that acts as a trusted,
independent provider of digital certificates.
Use of a cryptographic key pair to set up a secure, encrypted channel ensures the
privacy of a message and can validate the authenticity of the sender of the message.
Wide distribution of the public key on a server, or in a central directory, does not
jeopardize security because the private key is never shared. The public key for an entity
is published by a certificate authority in a user certificate. Entities that want to send
secure information can encrypt the information with the recipient entity's public key. An
entity that receives a communication encrypted by this method can use its own private
key to decrypt the message. (In some cases, the sender might need to reassure the
recipient regarding who sent the message. Encrypting the coded message again using
its own public key would do the trick. The recipient could decrypt the doubly-encoded
message using his private key, and then decrypt the resulting coded message using the
sender's public key. If the original message was not encoded using both public keys, the
result of decrypting will be unreadable.)
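To make the key roles described above concrete, here is an added example (not code from the OTN sample) that uses only the JDK's own RSA classes; in the JDK API the sender's assurance is a signature made with the sender's private key and checked with the sender's public key, and the sample user and card number are the constructed payload.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

/*
 * Added example, not part of the OTN sample: the two uses of a key pair that
 * the Concepts section describes, using only the JDK's built-in RSA support.
 * Confidentiality: encrypt with the recipient's public key, decrypt with the
 * recipient's private key. Sender assurance: the sender signs with its own
 * private key and the recipient verifies with the sender's public key (the
 * key a CA publishes in the sender's certificate).
 */
public class PkiConceptsExample {

    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /* Raw RSA encrypts one short block only; real systems wrap a symmetric key. */
    static byte[] encryptForRecipient(PublicKey recipientPub, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.ENCRYPT_MODE, recipientPub);
        return c.doFinal(plaintext);
    }

    static byte[] decryptAsRecipient(PrivateKey recipientPriv, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, recipientPriv);
        return c.doFinal(ciphertext);
    }

    static byte[] signAsSender(PrivateKey senderPriv, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(senderPriv);
        s.update(data);
        return s.sign();
    }

    static boolean verifyFromSender(PublicKey senderPub, byte[] data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(senderPub);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair store = gen.generateKeyPair();    // sender: the Online Product Store
        KeyPair service = gen.generateKeyPair();  // recipient: the Credit Card Web Service

        // Constructed sample payload; the user and card number are from the tutorial's user table.
        byte[] msg = "user=C101;card=1234567887654321".getBytes(StandardCharsets.UTF_8);

        // Sender side: sign with own private key, then encrypt for the recipient.
        byte[] sig = signAsSender(store.getPrivate(), msg);
        byte[] box = encryptForRecipient(service.getPublic(), msg);

        // Recipient side: decrypt with own private key, verify with the sender's public key.
        byte[] opened = decryptAsRecipient(service.getPrivate(), box);
        boolean authentic = verifyFromSender(store.getPublic(), opened, sig);
        System.out.println("decrypted matches: " + Arrays.equals(opened, msg));
        System.out.println("signature verifies: " + authentic);

        // A message altered in transit, or checked against the wrong key, fails verification.
        byte[] tampered = opened.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("tampered verifies: " + verifyFromSender(store.getPublic(), tampered, sig));
        System.out.println("other key verifies: " + verifyFromSender(service.getPublic(), opened, sig));
    }
}
```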
Design
The Online Product Store demonstrates an e-Business application that uses Web
Services to handle credit card-based transactions. There are two ways to ensure security
with Web Services:
● Security at XML level. Options include XML Encryption, XML Digital signature API,
XKMS (XML Key Management Specification), and SAML (Security Assertion
Markup Language).
● Security at the transport level. Implementing security at the transport level means
securing the network protocol a Web Service uses for communication. SSL is the
industry-accepted standard protocol for secured encrypted communications over
TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a
Web Service. The client then sends and receives SOAP messages over this
secured socket using HTTPS. The SSL implementation takes care of ensuring
privacy by encrypting all the network traffic on the socket. SSL can also
authenticate the Web Service to the client using the PKI infrastructure.
Because the standards for enabling security at XML level are in their infancy, OTN
developers opted for security at the transport level using SSL and the PKI infrastructure.
Oracle9iAS provides a solid framework for building and deploying Web applications using
the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and
Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS
Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository,
Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.
This sample application requires a user ID and a password for login. Three users are
created by running the SQL scripts given in the Install.html file. Following is the information
for accessing this application.
User ID   Password   Credit Card Number
C101      welc0me    1234567887654321
C102      otn        1234567887654322
C103      welcome    1234567887654323
By providing credentials, a user gains access to a catalog of products from which they
can add items to their shopping cart. To buy products, a user checks out and enters a
credit card number, and this application contacts the Credit Card Web Service via SSL,
thereby demonstrating how to access a Web Service securely.
The directory structure of the sample code is as shown below (Xxx represents the top-level directory).
Xxx\docs                Install.html, InstallContd.html   These files describe how to install and deploy the application.
Xxx\CreditCardService   *.java                            Directory containing the source of the Credit Card Web Service and the supporting files.
Xxx\JSPApplication      *.java                            Directory containing the source code and supporting files for the Online Product Store.
Required Software
You can download the sample application source code (35 KB) from:
● http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar
The following software is required to build and run this tutorial. OTN members can
download developer-license versions of these products for free.
See the Setup section for information about installing and running the tutorial.
Setup
This section lists the steps to install and configure the tutorial. It assumes that you have
installed and configured the software described in the Required Software section.
Implementation
Oracle9iAS security starts from the well-tested and highly configurable Web security
services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-
on services, and extends them further with centralized user provisioning that is available
in Oracle Internet Directory, an LDAP, version 3-compliant directory service. In addition,
Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication
Services (JAAS) for J2EE application security, and extensive portal authorization and
application integration mechanisms. Oracle9iAS also supports secure access to Oracle
database systems using Oracle Advanced Security.
Secure Sockets Layer: The Secure Sockets Layer (SSL) is an application layer protocol that can be
employed for certificate-based authentication. All of the major components of Oracle9iAS support SSL.
Resources
Following are links to resources that can help you understand and apply the concepts and techniques
presented in this tutorial. See the Required Software section to obtain the tutorial source code and related
files.
Resource                                                  URL
Oracle9i Application Server Security Guide                http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm
OTN Web Services Technology Center                        http://otn.oracle.com/tech/webservices/content.html
Oracle by Example: Build a Secure Internet Data Center    http://otn.oracle.com/products/oracle9i/htdocs/9iober2/obe9ir2/player_otn.htm
Feedback
● Post a message in the OTN Sample Code discussion forum. OTN developers and
other experts monitor the forum.
If you have suggestions or ideas for future tutorials, please send email to:
● mailto:[email protected]
c. Log into SQL*Plus as security/security. Run the file Security.sql, which creates the tables
needed by this application and populates them with data.
   SQL> @d:\<temp>\sql\Security.sql
   where <temp> is the directory where you have extracted this sample.
d. Log into SQL*Plus as creditdb/creditdb. Run the file Creditdb.sql, which creates the tables
needed by this application and populates them with data.
   SQL> @d:\<temp>\sql\Creditdb.sql
   where <temp> is the directory where you have extracted this sample.
The files jcert.jar, jsse.jar and jssl-1_2.jar are needed for running this sample. They are available
in the following directories:
   jsse.jar     - <IAS_HOME>/lib
   jcert.jar    - <IAS_HOME>/jdk/jre/lib/ext
   jssl-1_2.jar - <IAS_HOME>/jlib
Copy them to the <IAS_HOME>/jdk/jre/lib/ext directory so that these classes are loaded by the
system class loader.
Note: If this step is not followed, the application will throw a ClassNotFoundException.
b. Edit the file ConnectionParams.java and substitute the variable values with your settings. Make
sure to have the username and password as "creditdb" and "creditdb".
c. Make sure to have classes12.jar (the JDBC library) in the CLASSPATH. This library is available in
the <IAS_HOME>/jdbc/lib directory.
   javac *.java
d. In the Deploy Web Application page, click on the "Browse" button and select the
CreditCardValidator.war file from the CreditCardService directory. Please note that this WAR file
was created during the execution of step f in the previous section.
g. Click Deploy.
The above steps complete the deployment of the Credit Card Web Service to Oracle9iAS.
b. Edit the file ConnectionParams.java and substitute the variable values with your settings.
Make sure to have the username and password as "security" and "security".
c. This application needs a proxy stub for accessing the Web Service. This stub can be acquired
by accessing the Web Service as follows:
   http://<hostname>:<port>/CreditCardValidator/CreditCardValidator?proxy_source
   where <hostname> is the machine on which Oracle9iAS is running and <port> is the Oracle HTTP
   Server port.
d. Save the zip file in any convenient directory and extract the file
CreditCardValidatorInterfaceProxy.java into the
<temp>/JSPApplication/src/oracle/otnsamples/webservices/security directory.
   Note: <temp> is the directory where you had initially extracted this application.
f. Walk through the source to understand this file. Add the following lines in the method
validateCard():
   System.setProperty("ssl.SocketFactory.provider","oracle.security.ssl.OracleSSLSocketFactoryImpl");
   System.setProperty("ssl.ServerSocketFactory.provider","oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
   System.setProperty("java.protocol.handler.pkgs","HTTPClient");
   System.setProperty("oracle.wallet.location","/home1/otn9i/ClientCert/wallet.txt");
   System.setProperty("oracle.wallet.password","client12");
oracle.wallet.location should be the complete path to the exported wallet text file. Be sure to
specify client12 as the value of the oracle.wallet.password parameter, as this is the password that
was given when creating the client wallet.
For example,
   private String m_soapURL = "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator";
should be changed to
   private String m_soapURL = "https://insn104a.idc.oracle.com:4443/CreditCardValidator/CreditCardValidator";
Note: 4443 is the port on which we have set up Oracle HTTP Server to use SSL.
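As an added example (not code from the OTN sample), a helper that validateCard() could call before building the proxy stub: it sets the same Oracle Java SSL properties listed above but takes the wallet location and password from the environment (the variable names WS_WALLET_LOCATION and WS_WALLET_PASSWORD are assumptions) rather than hard-coding "client12" in source, rewrites the SOAP URL to HTTPS on port 4443, and refuses to send card data over plain HTTP.

```java
import java.net.URI;
import java.net.URISyntaxException;

/*
 * Added example, not code from the OTN sample. Sets the Oracle Java SSL
 * properties the tutorial lists, with the wallet location and password taken
 * from environment variables (WS_WALLET_LOCATION / WS_WALLET_PASSWORD are
 * assumed names) instead of being hard-coded, and guards the SOAP endpoint.
 */
public class SecureClientConfig {

    /* Port on which the tutorial configured Oracle HTTP Server for SSL. */
    static final int HTTPS_PORT = 4443;

    static void configureOracleSsl(String walletLocation, String walletPassword) {
        if (walletLocation == null || walletLocation.isEmpty()
                || walletPassword == null || walletPassword.isEmpty()) {
            throw new IllegalStateException("wallet location and password must be configured");
        }
        System.setProperty("ssl.SocketFactory.provider",
                "oracle.security.ssl.OracleSSLSocketFactoryImpl");
        System.setProperty("ssl.ServerSocketFactory.provider",
                "oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
        System.setProperty("java.protocol.handler.pkgs", "HTTPClient");
        System.setProperty("oracle.wallet.location", walletLocation);
        System.setProperty("oracle.wallet.password", walletPassword);
    }

    /* Rewrites the plain-HTTP SOAP endpoint to HTTPS on the SSL port; HTTPS input is left alone. */
    static String toSecureEndpoint(String soapUrl) throws URISyntaxException {
        URI u = new URI(soapUrl);
        if ("https".equalsIgnoreCase(u.getScheme())) {
            return soapUrl;
        }
        if (!"http".equalsIgnoreCase(u.getScheme()) || u.getHost() == null) {
            throw new IllegalArgumentException("not an http(s) URL: " + soapUrl);
        }
        return new URI("https", null, u.getHost(), HTTPS_PORT,
                u.getPath(), u.getQuery(), null).toString();
    }

    /* Call right before the SOAP request carrying the card number is sent. */
    static void requireHttps(String endpoint) {
        if (!endpoint.regionMatches(true, 0, "https://", 0, 8)) {
            throw new SecurityException("refusing to send card data over " + endpoint);
        }
    }

    public static void main(String[] args) throws Exception {
        configureOracleSsl(System.getenv("WS_WALLET_LOCATION"),
                System.getenv("WS_WALLET_PASSWORD"));

        // The tutorial's original plain-HTTP endpoint, rewritten to its HTTPS counterpart.
        String plain = "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator";
        String secure = toSecureEndpoint(plain);
        requireHttps(secure);
        System.out.println("SOAP endpoint: " + secure);

        // The guard rejects the unrewritten endpoint.
        try {
            requireHttps(plain);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```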
h. Now we have to compile this application. For compiling it, we need to have the Oracle Java
SSL libraries in the CLASSPATH. The libraries jsse.jar, jcert.jar and jssl-1_2.jar can be added to
the project's classpath as follows:
   Right click on WS_Security.jpr -> Project Settings -> Development -> Libraries -> New. Provide
   a name for this library and click on Edit to add the jar files. Click OK to dismiss this dialog box.
   Make sure to have this library in the "Selected Libraries" list.
i. Right click on WS_Security.jpr -> Build Project. The project should compile without any errors.
j. Right click on webapp2.deploy and choose to deploy to an EAR file. This step creates an EAR
in the JSPApplication directory.
The above steps prepare the application, which can now be deployed.
d. Skip Step 1 of 8. In Step 2, click on the "Browse" button and choose the file OTNStore.ear from
the JSPApplication directory. This EAR file was created as part of preparing this application.
Give the name of the application as OTNStore. Click Next.
e. In Step 3, make sure that the value for URL Binding is /WS_Security. Click Next.
The application will now be deployed as an Enterprise application to Oracle9iAS. The application
can now be accessed as shown here.
Table Of Contents
● Overview of the sample application
● Installation and Configuration
● Description of Sample files
● Running the sample on Oracle9iAS
messages over this secured socket using HTTP. The SSL implementation
takes care of ensuring privacy by encrypting all the network traffic on the
socket. SSL can also authenticate the Web Service to the client using a
digital certificate issued by a Certificate authority.
There are some standards available for securing Web Services at the XML
level. They are:
● XML Encryption
● XML Digital Signature API
● XKMS (XML Key Management Specification)
● SAML (Security Assertion Markup Language)
Since the standards for enabling security at the XML level are in their infancy, this
sample aims at securing Web Services at the transport level using the PKI
infrastructure.
Three application users are created as part of running the SQL scripts as given
in the Install.html file. Following is the information for accessing this
application.
This sample application requires a user ID and a password for login. Once
the sample users provide the above-mentioned credentials, they can
access the functionality provided by this application. Once the users
successfully log in to this application, they are shown a catalog of
products from which they can add items to their shopping cart. Once they
decide to purchase the items, they can choose to buy the products, at which point
this application requires the users to enter their credit card numbers.
Once the users enter the credit card number shown above for the
User ID they have used, this application will contact the Credit Card
Web Service via SSL, thereby demonstrating how to access a Web Service
securely.
Filename                      Description
Readme.html                   This file
Install.html                  Instructions for setting up this sample application on Oracle9iAS
InstallContd.html             Continuation of the instructions for setting up this sample
sql\Security.sql              SQL script required for setting up the data required by the Online store, which will be created in the "security" user schema
sql\Creditdb.sql              SQL script required for setting up the data required by the Credit Card Web Service, which will be created in the "creditdb" user schema
CreditCardService directory   Directory containing the source of the Credit Card Web Service and the supporting files
JSPApplication directory      Directory containing the source of the Online Product store and the supporting files
http://<hostname>:<port>/WS_Security/Login.jsp,
Example: http://incq210a.idc.oracle.com:7777/WS_Security/Login.jsp
Please enter your comments about this sample in the OTN Sample
code discussion forum.
● Required software
● Installation steps
Required Software
Installation Steps
For setting up the PKI infrastructure, this sample needs digital certificates, which can
be acquired from any one of the CAs. For this sample, we will get a test certificate
from VeriSign.
   $ ./owm
3. Click on the Wallet/New option to create a new Wallet. This step asks for a wallet
password. Enter "client12" to confirm the wallet password. Then click on Yes to create a new
certificate request.
Choose the key size as 1024 bits. Click OK, OK. This generates a Certificate Request
which you can send to any Certificate Authority.
7. Minimize Oracle Wallet Manager. Note: Do not close OWM; just minimize it.
Using your favorite editor, open the file 'client.cer.req' created in Step 6.
   http://www.verisign.com
Follow the steps as given below.
a. Click on the Free SSL trial ID link on the right-hand side.
b. In the resulting page, enter your personal information as applicable.
c. Read the instructions and click Continue.
d. In Step 1, click Continue.
f. In Step 2, copy and paste the CSR from the client.cer.req file into the textbox shown
and click Continue.
g. In Step 3, provide your information. Make sure you provide a valid email
address. Click Accept.
You will get the certificate at the mail address you specified in Step 3.
Copy and paste your certificate into a local file named 'client.cer' in the ServerCert
directory.
Note: Please copy and paste the lines from and including the line -----BEGIN CERTIFICATE-----
up to and including the line -----END CERTIFICATE-----.
9. The mail also contains links to the Root Certificate with whose key your
certificate was signed. Follow the link and click Accept. This installs the root
certificate in your browser (use Internet Explorer).
10. Then open IE, choose Tools -> Internet Options -> Content -> Certificates ->
Trusted Root Certificate Authorities.
Search for "For VeriSign authorized testing only. No assurances." and click on
Export. Choose the "Base64 encoded X.509 (.CER)" format
and click Next. Save the file as verisignroot.cer in the ServerCert directory. You
12. Now import the user certificate obtained earlier into this wallet. Select
'Operations/Import User Certificate'. Check the option 'Select a
file that contains the Certificate'. Click OK. Choose the file 'client.cer' from the
ServerCert directory.
13. Using the 'Wallet/Close' option, close the Wallet. Using the 'Wallet/Exit' option, exit
the OWM.
This completes the steps for preparing a Wallet for PKI Credential Management.
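Before importing a certificate into a wallet, it pays to confirm that the file you pasted really chains to the root you exported and carries the Common Name you requested; this added example (not code from the OTN sample) does that check with the JDK's PKIX validator, assuming the tutorial's ClientCert layout (client.cer, root.cer) and the Common Name wss as defaults.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/*
 * Added example, not part of the OTN sample. A certificate issued under a
 * different root imports into the wallet without complaint but fails the SSL
 * handshake later, where the error is far harder to diagnose, so check the
 * chain and the subject before importing.
 */
public class CheckCertificateChain {

    /* Reads one PEM (Base64 X.509 with BEGIN/END lines) or DER certificate file. */
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /* True when userCert was issued under rootCert and is valid at the given time. */
    static boolean chainsToRoot(X509Certificate userCert, X509Certificate rootCert, Date when)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(userCert));
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(rootCert, null)));
        params.setRevocationEnabled(false); // the test CA's CRL is not reachable offline
        params.setDate(when);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("chain check failed: " + e.getMessage());
            return false;
        }
    }

    /* True when the subject DN carries CN=expected (e.g. the "wss" requested in the CSR). */
    static boolean hasCommonName(X509Certificate cert, String expected) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())
                    && expected.equals(String.valueOf(rdn.getValue()))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Defaults follow the tutorial's ClientCert layout; override on the command line.
        String userPath = args.length > 0 ? args[0] : "ClientCert/client.cer";
        String rootPath = args.length > 1 ? args[1] : "ClientCert/root.cer";
        String cn = args.length > 2 ? args[2] : "wss";

        X509Certificate user = readCert(userPath);
        X509Certificate root = readCert(rootPath);
        System.out.println("subject : " + user.getSubjectX500Principal());
        System.out.println("issuer  : " + user.getIssuerX500Principal());
        System.out.println("valid   : " + user.getNotBefore() + " to " + user.getNotAfter());

        boolean ok = chainsToRoot(user, root, new Date()) && hasCommonName(user, cn);
        System.out.println(ok ? "OK to import into the wallet" : "do NOT import: check failed");
        System.exit(ok ? 0 : 1);
    }
}
```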
a. Follow steps c through m in the "Get a Server Certificate" section. Give
"client12" as the password for this wallet. While providing information for creating
a Certificate Signing Request, give wss as the value for the Common Name
attribute. Save the generated certificate and the root certificate in the ClientCert directory
as client.cer and root.cer. Save the wallet in the ClientCert directory. The remaining steps
will be the same.
b. One more additional step is needed. Click on the Operations -> Export Wallet
option. Save the file as wallet.txt in the ClientCert directory.
   SSLWallet file:/home1/otn9i/ServerCert
   SSLWalletPassword server12
d. Restart Oracle HTTP Server. Restarting Oracle HTTP Server with the new
settings will enable Oracle9iAS to use the newly acquired certificate for SSL. You can
check this by accessing the URL
   https://<yourhostname>:4443/
Design
The Online Product Store demonstrates an e-Business application that uses Web
Services to handle credit card-based transactions.There are two ways to ensure security
with Web Services:
● Security at XML level. Options include XML Encryption, XML Digital signature API,
XKMS (XML Key Management Specification), and SAML (Security Assertion
Markup Language).
● Security at the transport level. Implementing security at the transport level means
securing the network protocol a Web Service uses for communication. SSL is the
industry-accepted standard protocol for secured encrypted communications over
TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a
Web Service. The client then sends and receives SOAP messages over this
secured socket using HTTPS. The SSL implementation takes care of ensuring
privacy by encrypting all the network traffic on the socket. SSL can also
authenticate the Web Service to the client using the PKI infrastructure.
Because the standards for enabling security at XML level are in their infancy, OTN
developers opted for security at the transport level using SSL and the PKI infrastructure.
Oracle9iAS provides a solid framework for building and deploying Web applications using
the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and
Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS
Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository,
Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.
This sample application requires a user ID and a password for login. Three users are
created by running SQL scripts given in the Install.html file. Following is the information
for accessing this application.
User ID   Password   Credit Card Number
C101      welc0me    1234567887654321
C102      otn        1234567887654322
C103      welcome    1234567887654323
By providing credentials, a user gains access to a catalog of products from which they
can add items to their shopping cart. To buy products, a user checks out and enters a
credit card number, and this application contacts the Credit Card Web Service via SSL,
thereby demonstrating how to access a Web Service securely.
The directory structure of the sample code is as shown below (Xxx represents the
top-level directory).
Directory              Files                            Description
Xxx\docs               Install.html, InstallContd.html  These files describe how to install and deploy the application.
Xxx\CreditCardService  *.java                           Directory containing the source of the Credit Card Web Service and the supporting files.
Xxx\JSPApplication     *.java                           Directory containing the source code and supporting files for the Online Product Store.
Required Software
You can download the sample application source code (35 KB) from:
● http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar
The following software is required to build and run this tutorial. OTN members can
download developer-license versions of these products for free.
See the Setup section for information about installing and running the tutorial.
Setup
This section lists the steps to install and configure the tutorial. It assumes that you have
installed and configured the software described in the Required Software section.
Implementation
Oracle9iAS security starts from the well-tested and highly configurable Web security
services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-
on services, and extends them further with centralized user provisioning that is available
in Oracle Internet Directory, an LDAP, version 3-compliant directory service. In addition,
Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication
Services (JAAS) for J2EE application security, and extensive portal authorization and
application integration mechanisms. Oracle9iAS also supports secure access to Oracle
database systems using Oracle Advanced Security.
Secure Sockets Layer: The Secure Sockets Layer (SSL) is an application layer
protocol that can be employed for certificate-based authentication. All of the
major components of Oracle9iAS support SSL.
Installation Steps
For setting up the PKI infrastructure, this sample needs digital certificates, which
can be acquired from any Certificate Authority (CA). For this sample, we will get a
test certificate from Verisign.
$ ./owm
3. Click on the Wallet/New option to create a new Wallet. This step asks for a wallet
password.
Enter "client12" to confirm the wallet password. Then click Yes to create a new
certificate request.
Choose a key size of 1024 bits. Click OK, OK. This generates a Certificate Request
which you can send to any Certificate Authority.
7. Minimize Oracle Wallet Manager. Note: do not close OWM, just minimize it.
Using your favorite editor, open the file 'client.cer.req' created in Step 6.
http://www.verisign.com
Follow the steps given below.
a. Click the Free SSL trial ID link on the right-hand side.
b. In the resulting page, enter your personal information as applicable.
c. Read the instructions and click Continue.
d. In Step 1, click Continue.
f. In Step 2, copy and paste the CSR from the client.cer.req file into the textbox
shown and click Continue.
g. In Step 3, provide your information. Make sure you provide a valid email
address. Click Accept.
You will get the certificate at the mail address you specified in Step 3.
Copy and paste your certificate into a local file named 'client.cer' in the ServerCert
directory.
Note: copy and paste the lines from and including the line -----BEGIN CERTIFICATE-----
through the line -----END CERTIFICATE-----.
9. The mail also contains links to the Root Certificate with whose key your
certificate was signed. Follow the link and click Accept. This installs the root
certificate in your browser (use Internet Explorer).
10. Then open IE and choose Tools -> Internet Options -> Content -> Certificates ->
Trusted Root Certificate Authorities.
Search for 'For VeriSign authorized testing only. No assurances.' and click
Export. Choose the "Base64 encoded X.509 (.CER)" format
and click Next. Save the file as verisignroot.cer in the ServerCert directory. You
12. Now import the user certificate obtained earlier into this wallet. Select
'Operations/Import User Certificate'. Check the option 'Select a
file that contains the Certificate'. Click OK. Choose the file 'client.cer' from the
ServerCert directory.
13. Using the 'Wallet/Close' option, close the Wallet. Using the 'Wallet/Exit' option,
exit OWM.
This completes the steps for preparing a Wallet for PKI Credential Management.
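As an added illustration of the step above that saves the mailed certificate as client.cer (this is not code from the original tutorial), the following Java program cuts the certificate block out of the saved CA mail, confirms that it parses as an X.509 certificate and is currently valid, and only then writes it to the target file. The input and output file names are command-line arguments and a current JDK is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Extracts the PEM block from the CA's mail and checks it before it is saved as client.cer. */
public class PemExtractor {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Returns the first PEM certificate block in text, BEGIN and END lines included, or null if absent. */
    public static String extractPem(String text) {
        int start = text.indexOf(BEGIN);
        if (start < 0) return null;
        int end = text.indexOf(END, start);
        if (end < 0) return null;
        String block = text.substring(start, end + END.length());
        // Mail clients add trailing spaces and CRLF line ends; normalise so the parser accepts it.
        StringBuilder sb = new StringBuilder();
        for (String line : block.split("\\r?\\n")) sb.append(line.trim()).append('\n');
        return sb.toString();
    }

    /** Parses PEM text as an X.509 certificate; throws CertificateException on malformed input. */
    public static X509Certificate parse(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Usage: java PemExtractor saved-mail.txt ServerCert/client.cer */
    public static void main(String[] args) throws IOException, CertificateException {
        String mail = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8);
        String pem = extractPem(mail);
        if (pem == null) throw new IllegalStateException("no certificate block found in " + args[0]);
        X509Certificate cert = parse(pem);   // fail here rather than later inside Oracle Wallet Manager
        cert.checkValidity();                // a test certificate is short-lived; catch expiry early
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("Expires: " + cert.getNotAfter());
        Files.write(Paths.get(args[1]), pem.getBytes(StandardCharsets.US_ASCII));
    }
}
```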
a. Follow steps c through m in the "Get a Server Certificate" section. Give
"client12" as the password for this wallet. While providing information for creating
a Certificate Signing Request, give wss as the value for the Common Name
attribute. Save the generated certificate in the ClientCert directory as client.cer and
root.cer. Save the wallet in the ClientCert directory. The remaining steps are
the same.
b. One additional step is needed. Click on the Operations -> Export Wallet
option. Save the file as wallet.txt in the ClientCert directory.
SSLWallet file:/home1/otn9i/ServerCert
SSLWalletPassword server12
d. Restart Oracle HTTP Server. Restarting Oracle HTTP Server with the new
settings enables Oracle9iAS to use the newly acquired certificate for SSL. You can
check this by accessing the URL
https://<yourhostname>:4443/
c. Log into SQL*Plus as security/security. Run the file Security.sql, which creates the
tables needed by this application and populates them with data.
SQL> @d:\<temp>\sql\Security.sql
where <temp> is the directory where you have extracted this sample.
d. Log into SQL*Plus as creditdb/creditdb. Run the file Creditdb.sql, which creates the
tables needed by this application and populates them with data.
SQL> @d:\<temp>\sql\Creditdb.sql
where <temp> is the directory where you have extracted this sample.
The files jcert.jar, jsse.jar and jssl-1_2.jar are needed for running this sample. They
are available in the following directories:
jsse.jar - <IAS_HOME>/lib
jcert.jar - <IAS_HOME>/jdk/jre/lib/ext
jssl-1_2.jar - <IAS_HOME>/jlib
Copy them to the <IAS_HOME>/jdk/jre/lib/ext directory so that these classes are loaded
by the system class loader.
Note: if this step is not followed, the application will throw a ClassNotFoundException.
b. Edit the file ConnectionParams.java and substitute the variable values with your
settings. Make sure the username and password are "creditdb" and "creditdb".
c. Make sure classes12.jar (the JDBC library) is in the CLASSPATH. This library is
available in the IAS_HOME/jdbc/lib directory.
javac *.java
d. In the Deploy Web Application page, click the "Browse" button and select the
CreditCardValidator.war file from the CreditCardService directory. Note that this WAR
file was created during the execution of step f in the previous section.
g. Click Deploy.
The above steps complete the deployment of the Credit Card Web Service to Oracle9iAS.
b. Edit the file ConnectionParams.java and substitute the variable values with your
settings. Make sure the username and password are "security" and "security".
c. This application needs a proxy stub for accessing the Web Service. This stub can be
acquired by accessing the Web Service as follows:
http://<hostname>:<port>/CreditCardValidator/CreditCardValidator?proxy_source
where <hostname> is the machine on which Oracle9iAS is running and <port> is the
Oracle HTTP Server port.
d. Save the zip file in any convenient directory and extract the file
CreditCardValidatorInterfaceProxy.java into the
<temp>/JSPApplication/src/oracle/otnsamples/webservices/security directory.
Note: <temp> is the directory where you initially extracted this application.
f. Walk through the source to understand this file. Add the following lines in the
method validateCard():
System.setProperty("ssl.SocketFactory.provider","oracle.security.ssl.OracleSSLSocketFactoryImpl");
System.setProperty("ssl.ServerSocketFactory.provider","oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
System.setProperty("java.protocol.handler.pkgs","HTTPClient");
System.setProperty("oracle.wallet.location","/home1/otn9i/ClientCert/wallet.txt");
System.setProperty("oracle.wallet.password","client12");
oracle.wallet.location should be the complete path to this text file. Be sure to specify
client12 as the value of the oracle.wallet.password parameter, as this was the password
given when creating the client wallet.
For example,
private String m_soapURL = "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator";
should be changed to
private String m_soapURL = "https://insn104a.idc.oracle.com:4443/CreditCardValidator/CreditCardValidator";
Note: 4443 is the port on which we set up Oracle HTTP Server to use SSL.
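An added helper (not from the tutorial source) that applies the property settings and the URL change described above in one place: it sets the five system properties listed above, rejects a wallet file that does not exist, rewrites the generated http://host:7777 endpoint to https on port 4443, and guards against ever posting card data over plain HTTP. Reading the wallet password from a WALLET_PASSWORD environment variable is an assumption; the tutorial sets it inline in validateCard().

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;

/** Added helper: points the generated proxy stub at the SSL port and wires up the client wallet. */
public class SecureSoapSetup {
    /** Port on which Oracle HTTP Server was configured for SSL in the setup steps. */
    public static final int SSL_PORT = 4443;

    /** Rewrites http://host:7777/path to https://host:4443/path; host, path and query are kept. */
    public static String toSecureURL(String soapURL) throws MalformedURLException {
        URL u = new URL(soapURL);
        if ("https".equals(u.getProtocol()) && u.getPort() == SSL_PORT) return soapURL;
        return new URL("https", u.getHost(), SSL_PORT, u.getFile()).toString();
    }

    /** Sets the system properties the tutorial adds to validateCard(); rejects an unreadable wallet. */
    public static void configureOracleSSL(String walletPath, String walletPassword) {
        File wallet = new File(walletPath);
        if (!wallet.isFile() || !wallet.canRead()) {
            throw new IllegalArgumentException("exported wallet not readable: " + walletPath);
        }
        if (walletPassword == null || walletPassword.isEmpty()) {
            throw new IllegalArgumentException("wallet password not provided");
        }
        System.setProperty("ssl.SocketFactory.provider", "oracle.security.ssl.OracleSSLSocketFactoryImpl");
        System.setProperty("ssl.ServerSocketFactory.provider", "oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
        System.setProperty("java.protocol.handler.pkgs", "HTTPClient");
        System.setProperty("oracle.wallet.location", wallet.getAbsolutePath());
        System.setProperty("oracle.wallet.password", walletPassword);
    }

    /** Guard to call before the SOAP request: card numbers never leave over plain HTTP. */
    public static void requireHttps(String soapURL) throws MalformedURLException {
        if (!"https".equals(new URL(soapURL).getProtocol())) {
            throw new IllegalStateException("refusing to send card data over " + soapURL);
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        // Assumption: the wallet password comes from the environment rather than the source file.
        configureOracleSSL("/home1/otn9i/ClientCert/wallet.txt", System.getenv("WALLET_PASSWORD"));
        String url = toSecureURL("http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator");
        requireHttps(url);
        System.out.println("SOAP endpoint: " + url);
    }
}
```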
h. Now we have to compile this application. For this, the Oracle Java SSL libraries
must be in the CLASSPATH. The libraries jsse.jar, jcert.jar and jssl-1_2.jar can be
added to the project's classpath as follows:
Right-click on WS_Security.jpr -> Project Settings -> Development -> Libraries -> New.
Provide a name for this library and click Edit to add the jar files. Click OK to dismiss
the dialog box. Make sure this library is in the "Selected Libraries" list.
i. Right-click on WS_Security.jpr -> Build Project. The project should compile without
any errors.
j. Right-click on webapp2.deploy and choose to deploy to an EAR file. This step creates
an EAR in the JSPApplication directory.
The above steps prepare the application, which can now be deployed.
d. Skip Step 1 of 8. In Step 2, click the "Browse" button and choose the file OTNStore.ear
from the JSPApplication directory. This EAR file was created as part of preparing this
application. Give the application the name OTNStore. Click Next.
e. In Step 3, make sure that the value for URL Binding is /WS_Security. Click Next.
The application will now be deployed as an Enterprise application to Oracle9iAS. The
application can now be accessed as shown here.
Resources
Following are links to resources that can help you understand and apply the concepts and techniques
presented in this tutorial. See the Required Software section to obtain the tutorial source code and related
files.
Resource                                                URL
Oracle9i Application Server Security Guide              http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm
OTN Web Services Technology Center                      http://otn.oracle.com/tech/webservices/content.html
Oracle by Example: Build a Secure Internet Data Center  http://otn.oracle.com/products/oracle9i/htdocs/9iober2/obe9ir2/player_otn.htm
Feedback
● Post a message in the OTN Sample Code discussion forum. OTN developers and
other experts monitor the forum.
If you have suggestions or ideas for future tutorials, please send email to:
● mailto:[email protected]
Table Of Contents
● Overview of the sample application
● Installation and Configuration
● Description of Sample files
● Running the sample on Oracle9iAS
messages over this secured socket using HTTP. The SSL implementation
takes care of ensuring privacy by encrypting all the network traffic on the
socket. SSL can also authenticate the Web Service to the client using a
digital certificate issued by a Certificate authority.
There are some standards available for securing Web Services at XML
level. They are:
● XML Encryption
● XML Digital Signature API
● XKMS (XML Key Management Specification)
● SAML (Security Assertion Markup Language)
Since the standards for enabling security at the XML level are in their infancy, this
sample aims at securing Web Services at the transport level using the PKI
infrastructure.
Three application users are created as part of running the SQL scripts given in
the Install.html file. Following is the information for accessing this
application.
This sample application requires a User ID and a password for login. Once
the sample users provide the above-mentioned credentials, they can
access the functionality provided by this application. Once the users
successfully log in to this application, they are shown a catalog of
products from which they can add items to their shopping cart. Once they
decide to purchase the items, they can choose to buy the products, at which
point this application requires the users to enter their credit card numbers.
Once the users enter the credit card number shown above for the User ID they
have used, this application contacts the Credit Card Web Service via SSL,
thereby demonstrating how to access a Web Service securely.
Filename                     Description
Readme.html                  This file
Install.html                 Instructions for setting up this sample application on Oracle9iAS
InstallContd.html            Continuation of the instructions for setting up this sample
sql\Security.sql             SQL script required for setting up the data required by the Online store, which will be created in the "security" user schema
sql\Creditdb.sql             SQL script required for setting up the data required by the Credit Card Web Service, which will be created in the "creditdb" user schema
CreditCardService directory  Directory containing the source of the Credit Card Web Service and the supporting files
JSPApplication directory     Directory containing the source of the Online Product store and the supporting files
http://<hostname>:<port>/WS_Security/Login.jsp,
Example: http://incq210a.idc.oracle.com:7777/WS_Security/Login.jsp
Please enter your comments about this sample in the OTN Sample
code discussion forum.