
AMIS Technology blog: Oracle Public Cloud Invoking ICS endpoints from SOA CS ...


As part of the Soaring through the Clouds demo of 17 Oracle Public Cloud services, I had to integrate SOA CS with both ACCS (Application Container Cloud) and ICS (Integration Cloud Service).



Calls from Service Bus and SOA Composites running in SOA Suite 12c on SOA CS to endpoints on ACCS (Node.js Express applications) and ICS (REST connector endpoint) were required in this demo. These calls are over SSL (to https endpoints) and for ICS also require basic authentication (at present, ICS endpoints cannot be invoked anonymously).

This article shows the steps for taking care of these two aspects:

- ensure that the JVM under SOA Suite on SOA CS knows and trusts the SSL certificate for ACCS or ICS
- ensure that the call from SOA CS to ICS carries basic authentication details

The starting point is a SOA Composite that corresponds with the preceding figure with external references to DBaaS (through Database Adapter), ICS (to call an integration that talks to Twitter) and ACCS (to invoke a REST API on NodeJS that calls out to the Spotify API):


Configure SSL Certificate on JVM under SOA Suite on SOA CS

I have tried to deploy the SOA composite (successful) and invoke the TweetServiceSOAP endpoint (that invokes ICS) (not successful). The first error I run into is:

env:Server
javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
oracle.sysman.emInternalSDK.webservices.util.SoapTestException: Client received SOAP Fault from server : javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



This may sound a little cryptic, but it is actually quite simple: the endpoint for the ICS service I am trying to invoke is https://ics4emeapartner-partnercloud17.integration.us2.oraclecloud.com/integration/flowapi/rest/ACEDEM_RESTME_… The essential part is right at the beginning: https. The communication with the endpoint is secure, over SSL. This requires the certificate of the ICS server to be known to and trusted by SOA CS (in particular, by the JVM under WebLogic running SOA Suite on the SOA CS instance). For this to happen, the certificate needs to be configured with the JVM as a trusted certificate.

With WebLogic 12c it has become a lot easier to register certificates with the server going through the Enterprise Manager Fusion Middleware Control. These are the steps:

1. Paste the endpoint for the ICS service in the browser’s location bar and try to access it; this will not result in a meaningful response. It will, however, initiate an SSL connection between browser and server, as you can tell from the padlock icon displayed to the left of the location bar.



2. Click on the padlock icon, to open the details for the SSL certificate



Open the Security tab and click on View Certificate



3. Open the Details tab and Export the Certificate



Save the certificate to a file:



4. Open the Enterprise Manager Fusion Middleware Control for the WebLogic Domain under the SOA CS instance. Navigate to Security | Keystore:



5. Select Stripe system | trust and click on the Manage button



6. Click on Import to import a new certificate:



Select Trusted Certificate as the Certificate Type. Provide an alias to identify the certificate.

Click browse and select the file that was saved when exporting the certificate in step 3:



Click OK.

The Certificate is imported and added to the keystore:



7. Restart the WebLogic Domain (admin server and all managed servers)

Unfortunately, for the new certificate to become truly available, a restart is (still) required (or at least, that is my understanding; perhaps you can try without, because it seems like a very heavy step).

This blog by Adam DesJardin from our REAL partner AVIO Consulting provided much of the answer: http://www.avioconsulting.com/blog/soa-suite-12c-and-opss-keystore-service
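
Before the import in step 6, it is worth confirming that the file exported in step 3 is the certificate you mean to trust, because the trust keystore decides which servers the JVM will accept. The following Python check is an added example, not part of the original post; the function names and the sample bytes are constructed for illustration, and the expected fingerprint is assumed to come from a channel other than the browser session used for the export.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert_bytes: bytes) -> bytes:
    """Browser exports are PEM (Base64 text) or raw DER; normalise to DER."""
    match = PEM_BLOCK.search(cert_bytes)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return cert_bytes

def sha256_fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 over the DER encoding, in the colon-separated form browsers show."""
    digest = hashlib.sha256(to_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the certificate the endpoint presents now (needs network).
    The fetch is unauthenticated, so use it to spot drift, not as proof."""
    pem = ssl.get_server_certificate((host, port))
    return sha256_fingerprint(pem.encode("ascii"))

def safe_to_import(exported: bytes, expected_fingerprint: str) -> bool:
    """True only if the exported file matches a fingerprint obtained
    through a channel other than the connection it was exported from."""
    def normalise(fp: str) -> str:
        return re.sub(r"[^0-9A-F]", "", fp.upper())
    return normalise(sha256_fingerprint(exported)) == normalise(expected_fingerprint)

# Constructed sample: arbitrary bytes standing in for a certificate's DER
# encoding, plus the same bytes wrapped as PEM the way a text export would be.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
    print(safe_to_import(SAMPLE_DER, sha256_fingerprint(SAMPLE_PEM)))
```

Importing the server's own certificate pins that one certificate, so the same PKIX error returns when the endpoint's certificate is renewed; comparing `served_fingerprint` against the imported file on a schedule gives early notice of that.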

Add basic authentication to the call from SOA CS to ICS

When I again tested my call to the TweetServiceSOAP endpoint (that invokes ICS), I was again not successful. This time, a different exception occurred:

env:Server
Authorization Required
oracle.sysman.emInternalSDK.webservices.util.SoapTestException: Client received SOAP Fault from server : Authorization Required

This is not really a surprise: all calls to ICS endpoints require basic authentication (because at present, ICS endpoints cannot be invoked anonymously). These are the steps to make this successful:

1. Create an Oracle Public Cloud user account, johndoe, with a single permission: calling ICS services.

Now we need to create a credential for johndoe in a credential map in the credential store in WebLogic, and refer to that credential in an OWSM Security Policy that we add to the Reference in the SOA Composite that makes the call to ICS.

2. Open the Enterprise Manager Fusion Middleware Control for the WebLogic Domain under the SOA CS instance. Navigate to Security | Credentials:



3. If the map oracle.wsm.security does not yet exist, click on Create Map. Enter the name oracle.wsm.security in the Map Name field and click on OK.



4. Select the map oracle.wsm.security and click on Create Key



Set the Key for this credential; the key is used to refer to the credential in the security policy. Here I use ICSJohnDoe.



Set the type to Password and set the username and password to the correct values for the ICS user. Click on OK to create the credential.



5. Add a security policy to the Reference in the SOA Composite.

In JDeveloper open the SOA Composite. Right click on the Reference. Select Configure SOA WS Policies from the context menu.



Click on the plus icon in the category Security. Select oracle/http_basic_auth_over_ssl_client_policy.



Set the value of property csf-key to the Key value defined for the credential in step 4, in my case ICSJohnDoe.

Click on OK.

6. Redeploy the SOA Composite to SOA CS.
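
What the policy in step 5 amounts to on the wire, as an added Python example rather than OWSM's own code: the credential is looked up by its csf-key and sent as an HTTP Basic Authorization header, which is only Base64-encoded and therefore depends on the SSL connection for confidentiality. The dictionary standing in for the credential store, the password, the URL and all function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed stand-in for the WebLogic credential store: map -> key -> (user, password).
CREDENTIAL_STORE = {
    "oracle.wsm.security": {"ICSJohnDoe": ("johndoe", "constructed-password")},
}

def resolve_csf_key(csf_key, map_name="oracle.wsm.security", store=CREDENTIAL_STORE):
    """Look the credential up by key, so the composite never carries the password."""
    try:
        return store[map_name][csf_key]
    except KeyError:
        raise LookupError(f"no credential {csf_key!r} in map {map_name!r}") from None

def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic: 'Basic ' + Base64(user:password). Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_auth(header: str):
    """Anyone who can read the header can do this, hence the SSL requirement."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def build_ics_request(url: str, csf_key: str) -> Request:
    """Attach the credential only when the target URL is https."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-SSL URL")
    user, password = resolve_csf_key(csf_key)
    request = Request(url, method="GET")
    request.add_header("Authorization", basic_auth_header(user, password))
    return request

if __name__ == "__main__":
    # Constructed URL; nothing is sent, the request object is only inspected.
    req = build_ics_request("https://ics.example.invalid/integration/flowapi/rest/EXAMPLE", "ICSJohnDoe")
    print(req.get_header("Authorization"))
    print(decode_basic_auth(req.get_header("Authorization")))
```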

This time when I invoke the Web Service, my Tweet gets published:



The flow trace for the SOA Composite:


Resources

A-Team article on adding a certificate to JCS and invoking JCS from ICS: http://www.ateam-oracle.com/configuring-https-between-integration-cloud-service-and-java-cloud-service/

