Securing an ESB Service using OWSM

Recently I was organizing a seminar regarding Oracle Soa Suite and the focus lied on Securing web services and integration.

In my demo I wanted to show the different features of BPEL, ESB and OWSM and of course the ease of integration of these different technologies.

The ame was to secure as well existing web services as the ESB services itself which are called inside my bpel processes.

In this way I can call stand-alone BPEL processes, ESB services and web services or integrate these technologies with eachother when required.

The difficulty of this exercise lies in calling secured soap services inside an ESB Service. Using a gateway we can secure the ESB Services and BPEL Processes used throughout the organization. The external webservices we need to integrate with are secured as well, and these security requirements need to be met by the calling service, which in our case is an existing BPEL Process or an ESB Service.

First lets have a look on how to call a secured external webservice, a partnerlink, in a bpel process. The webservice expects user-credentials to be able to call the webservice, these credentials can be added to the secured webservice using by editing the partnerlink.

Go to the partnerlink and click ‘edit’, go to the 3d tab which is the ‘Property’ tab and add the needed parameters to your webservice call. These parameters will define that credentials are added to the header of the web service call and the username and password which are required in this header. The properties you need to add are shown in the printscreen, for each property you need to define the proper values.
Such as for the wsseHeaders property, you need to define ‘credentials’ to state that the header will contain user credentials. This is standard web service security we’re using.

To be able to add these same credentials to the external web service, which is invoked from an ESB Service now, we need to come up with another solution. In the demo the same integration exercise is defined, once integration of external web service with BPEL and once through integration of ESB Routing Service with a SOAP Service. The only difficulty in the ESB Service is, that we can’t add these properties in a declarative way to the ESB Service. Instead we need to work with transformations to be able to add the credentials to the SOAP Service call.
How can we accomplish this, by adding parameters to the xsl-stylesheet which is used to transform the call that’s being made to the SOAP Service.

Have a look at the screenshot below to have a clear view on the needed parameters to add to the SOAP Service using an xsl-stylesheet in the transformation-property of our ESB Routing Service.

About these ads

6 thoughts on “Securing an ESB Service using OWSM

  1. Hi I want to know how do i secure my bpel service that i have created. How would OWSM be used in case it has to be ?Thanks-Pradip

  2. Hi Pradip,You can secure a bpel process in different ways:- using basic authentication defined on container level using JAZN- using owsm to define policy rules (encryption, saml, authentication) by pointing to the endpoint url of your bpel process- using ws-security headers for your deployed bpel process– using httpsMost straight-forward approach is by using basic authentication or owsm.

  3. Hi Nathalie,
    Let’s say there is an external secured web service, which is handling the security using Security Certificates (so unlike your blog post, it is not expecting user credentials).
    If we need to invoke that web service from ESB, how can we indicate the service certificate details in ESB? Adding the credentials to the SOAP Service Call using the ESB Transformations might not help in this regard.
    Any thoughts?
    Thanks
    Kaushik

    • Hi,

      If you call a secured external webservice you need to propagate the security credentials to the webservice, in other words you need to give the parameters to the webservice via properties defined in the ESB.
      You can find a lot of information regarding calling secured webservices:
      http://soa-howto.blogspot.com/2008/09/how-to-pass-security-credentials-from.html
      – have a look on otn at ‘Calling secured services from ESB’ and how you can add the credentials in your transformation

      Kind regards,
      Nathalie

  4. Hi
    Can you plz give me the exact code that you have included in the xsl transformation. Can’t read it from the snapshot. Need to use it as-it-is.

    Thanks
    Pulkit

    • Hi Pulkit,

      I’m not able to send you the code, if you have a specific question regarding ESB, XSL or OWSM I will try to help you from there.

      Kind regards,
      Nathalie

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s