How to secure Web Services exposed by OAAM Server (oaam_server)

In the end it turned out to be very simple, but I had spent a long time configuring security (authentication and authorization) for the Web Services exposed by OAAM 11gR2, so I thought about writing a blog post on it.

For native integration, OAAM Server (oaam_server) exposes Web Services. For an enterprise deployment, securing these Web Services is mandatory. This post covers the following aspects of securing OAAM Web Services:

  • Authentication
  • Authorization

Starting with OAAM 11gR2 (11.1.2.0.0), the default mechanism for securing the Web Services is OWSM policies. This post covers the configuration of OWSM policies for authentication (HTTP Basic authentication, with username and password sent in the request) and authorization (the user’s membership in a configured group of users).

Authentication

According to the Developer’s Guide, OAAM Web Services (exposed by oaam_server.ear) can be protected by OWSM using the policy “oracle/wss_http_token_service_policy”. With this OWSM policy, SOAP requests are authenticated (HTTP Basic Auth) against the configured realm (for now, users in the WLS embedded user store).

Refer to the documentation for viewing, attaching and detaching the policies associated with Web Services.

To get the list of Web Service endpoints exposed by OAAM Server in EM, go to EM -> Identity and Access -> OAAM [Expand +] -> oaam_server(11.1.2.0.0) [Right click] -> Web Services.


Authorization

With the authentication configuration above, OAAM Web Services can be accessed by any valid username/password present in the configured realm, i.e. every credential that passes authentication can call the OAAM Web Services. On top of authentication, it is desirable to authorize the call against the user’s membership in a group (for now, users/groups in the WLS embedded user store).

Using the OWSM policy “oracle/binding_authorization_permitall_policy”, authorization can be configured for OAAM Web Services with the following steps.

1. Create a Group

Using the WebLogic console, create a group in the configured realm…


2. Create a User and associate the user with the group created in step 1.

Using the WebLogic console, create a user in the configured realm…


Update the user for group membership…


3. Configure OWSM Policy

a) Log in to Oracle Enterprise Manager Fusion Middleware Control using the URL http://weblogic-admin-hostname:port/em.

b) Expand WebLogic Domain.

c) Right click on the domain hosting OAAM Server -> Web Services -> Policies

d) Select “oracle/binding_authorization_permitall_policy”

e) Click on Edit -> Settings Tab

f) Select “Selected Roles” under “Authorization Setting”

g) Click “+ Add” -> move the group (created in step 1) to the “Roles Selected To Add” list -> click OK

h) Click Save (to save policy)


To make sure that the above policy configuration is enforced as expected, set the property “active.protocol” to “remote”. The value of the property can be checked by navigating to the domain (hosting OAAM Server) -> (right click) -> Web Services -> Platform Policy Configuration -> Policy Accessor Properties.


4. Attach Authorization policy to Web Service Endpoints

a) Log in to Oracle Enterprise Manager Fusion Middleware Control using the URL http://weblogic-admin-hostname:port/em.

b) Under weblogic_domain, select the domain, select oaam_server_server1, right-click and select the Web Services option.

c) Click Attach Policies.

d) Select all the rows corresponding to OAAM Web Services and click the Next button.

e) Select the row oracle/binding_authorization_permitall_policy.

f) Click the Next button.

g) Click the Attach button in the next page.

h) Restart OAAM Server if required.
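Once both policies are attached, the configuration should be verified negatively as well as positively: a wrong password must be refused by the HTTP token policy, and a valid realm user who is not in the selected group must be refused by the authorization policy. The following Python client is an added example written for this post, not part of OAAM or OWSM; the endpoint URL, the port, the user names and passwords are placeholders, and it sends an empty SOAP envelope because only the HTTP status returned by the policy chain matters for the check.

```python
import base64
import urllib.error
import urllib.request

# Placeholder endpoint (assumption); use one listed in EM under OAAM -> oaam_server -> Web Services.
ENDPOINT = "http://oaam-host:14300/oaam_server/PLACEHOLDER_ENDPOINT"

# Empty SOAP 1.1 envelope: the check needs only the HTTP status returned by the
# OWSM policy chain, not a real OAAM operation.
SOAP_BODY = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soapenv:Body/></soapenv:Envelope>')

# Constructed identities: "ws_user" is in the group selected in the policy,
# "other_user" is a valid realm user outside it. (label, user, password, expected)
CASES = [
    ("group member, good password", "ws_user", "correct-password", "accepted"),
    ("valid user outside group", "other_user", "correct-password", "authorization rejected"),
    ("group member, bad password", "ws_user", "wrong-password", "authentication rejected"),
]

def basic_auth_header(user, password):
    """HTTP Basic credential as checked by oracle/wss_http_token_service_policy."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def classify(status):
    """Map the HTTP status to the policy layer that decided the request."""
    if status == 401:
        return "authentication rejected"  # HTTP token policy refused the credential
    if status == 403:
        return "authorization rejected"   # authenticated, but not in a selected role
    if 200 <= status < 300:
        return "accepted"
    return f"unexpected status {status}"

def call(user, password, url=ENDPOINT):
    """POST the envelope with Basic auth; return the HTTP status, error codes included."""
    req = urllib.request.Request(url, data=SOAP_BODY.encode(), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_checks(call_fn=call):
    """Return [(label, passed)]; any False means a policy layer is not enforcing."""
    return [(label, classify(call_fn(user, pw)) == expected)
            for label, user, pw, expected in CASES]
```

Calling `run_checks()` against the real server should return True for every case; a True result for the user outside the group means the authorization policy is not attached or “Selected Roles” was not applied.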


For ease of configuration and to get authentication/authorization working quickly, an external LDAP store is not mentioned or configured in the discussion above.
