Introduction
The objective of this blog is to demonstrate how to invoke secured RestFul web services from Fusion Cloud using Oracle Service Oriented Architecture (SOA) as an Integration hub for real time integration with other clouds and on-premise applications. SOA could be on-premise or in the cloud (PAAS). The SOA composites deployed in on-premise SOA can be migrated to SOA in the cloud.
What is REST?
REST stands for Representational State Transfer. It ignores the details of implementation and applies a set of interaction constraints. The web service APIs that adhere to the REST Architectural constraints are called RestFul. The HTTP based RESTFul APIs are defined with the following aspects:
- Exactly one entry point - For example: http://example.com/resources/
- Support of media type data - JavaScript Object Notation (JSON) and XML are common
- Standard HTTP Verbs (GET, PUT, POST, PATCH or DELETE)
- Hypertext links to reference state
- Hypertext links to reference related resources
Resources & Collections
The Resources can be grouped into collections. Each collection is homogeneous and contains only one type of resource. For example:
| URI | Description | Example |
| /api/ | API Entry Point | /fusionApi/resources |
| /api/:coll/ | Top Level Collection :coll | /fusionApi/resources/department |
| /api/:coll/:id | Resource ID inside Collection | /fusionApi/resources/department/10 |
| /api/:coll/:id/:subcoll | Sub-collection | /fusionApi/resources/department/10/employees |
| /api/:coll/:id/:subcoll/:subid | Sub Resource ID | /fusionApi/resources/department/10/employees/1001 |
Invoking Secured RestFul Service using Service Oriented Architecture (SOA)
SOA 12c supports REST Adapter and it can be configured as a service binding component in a SOA Composite application. For more information, please refer to this link. In order to invoke a secured RestFul service, Fusion security requirements must be met. The following are the requirements:
Fusion Applications Security
All external URLs in the Oracle Fusion Cloud, for RESTful Services, are secured using Oracle Web Security Manager (OWSM). The server policy is "oracle/http_jwt_token_client_policy." It allows the following client authentication types:
- HTTP Basic Authentication over Secure Socket Layer (SSL)
- Oracle Access Manager(OAM) Token-service
- Simple and Protected GSS-API Negotiate Mechanism (SPNEGO)
- SAML token
JSON Web Token (JWT) is a light-weight implementation for web services authentication. A client having a valid JWT token is allowed to call the REST service until it expires. The OWSM existing policy "oracle/wss11_saml_or_username_token_with_message_protection_service_policy” has the JWT over SSL assertion. For more information, please refer to this.
The client must provide one of the above policies in the security headers of the invocation call for authentication. In SOA, a client policy may be attached from Enterprise Manager (EM) to decouple it from the design time.
Fusion Security Roles
The user must have appropriate Fusion Roles including respective data security roles to view or change resources in Fusion Cloud. Each product pillar has respective roles. For example in HCM, a user must have any role that inherits the following roles:
- HCM REST Services Duty - Example: "Human Capital Management Integration Specialist"
- Data security Roles that inherit "Person Management Duty" - Example: "Human Resource Specialist - View All"
Design SOA Code using JDeveloper
In your SOA composite editor, right-click the Exposed Services swimlane and select Insert > REST. This action adds REST support as a service binding component to interact with the appropriate service component.
This sample uses SOA Composite with REST Adapter using Mediator component (you can also use BPEL):
These are the following screens on how to configure RestFul Adapter as an external reference:
REST Adapter Binding
REST Operation Binding
REST Adapter converts JSON response to XML using Native Format Builder (NXSD). For more information on configuring NXSD from JSON to XML, please refer to this link.
Attaching Oracle Web Service Manager (OWSM) Policy
Once the SOA composite is deployed to your SOA server, the HTTP Basic Authentication OWSM policy is attached as follows:
Navigate to your composite from EM and click on policies tab as follows:
Identity Propagation
Once the OWSM policy is attached to your REST reference, the HTTP token can be passed using the Credential Store. Please create credential store as follows:
1. Right-Click on SOA Domain and select Security/Credentials.
2. Please see the following screen to create a key under oracle.wsm.security map:
Note: If oracle.wsm.security map is missing, then create this map before creating a key.
By default, OWSM policy uses basic.crendial key. To use newly created key from above, the default key is override using the following instructions:
1. Navigate to REST reference binding as follows:
Replace basic.credentials with your new key value.
Secure Socket Layer (SSL) Configuration
In Oracle Fusion Applications, the OWSM policy mandates HTTPs protocol. For introduction to SSL and detailed configuration, please refer to this link.
The cloud server certificate must be imported in two locations as follows:
1. keytool -import -alias slc08ykt -file /media/sf_C_DRIVE/JDeveloper/mywork/MyRestProject/facert.cer -keystore /oracle/xehome/app/soa12c/wlserver/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
This is the output:
Owner: CN=*.us.mycompany.com, DC=us, DC=mycompany, DC=com
Issuer: CN=*.us.mycompany.com, DC=us, DC=mycompany, DC=com
Serial number: 7
Valid from: Mon Apr 25 09:08:55 PDT 2011 until: Thu Apr 22 09:08:55 PDT 2021
Certificate fingerprints:
MD5: 30:0E:B4:91:F3:A4:A7:EE:67:6F:73:D3:E1:1B:A6:82
SHA1: 67:93:15:14:3E:64:74:27:32:32:26:43:FF:B8:B9:E6:05:A8:DE:49
SHA256: 01:0E:2A:8A:D3:A9:3B:A4:AE:58:4F:AD:2C:E7:BD:45:B7:97:6F:A0:C4:FA:96:A5:29:DD:77:85:3A:05:B1:B8
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
2. keytool -import -alias <name> -file /media/sf_C_DRIVE/JDeveloper/mywork/MyRestPorject/facert.cer -trustcacerts -keystore /oracle/xehome/app/jdk1.7.0_55/jre/lib/security/cacerts
This is the output:
Enter keystore password:
Owner: CN=*.us.mycompany.com, DC=us, DC=mycompany, DC=com
Issuer: CN=*.us.mycompany.com, DC=us, DC=oracle, DC=com
Serial number: 7
Valid from: Mon Apr 25 09:08:55 PDT 2011 until: Thu Apr 22 09:08:55 PDT 2021
Certificate fingerprints:
MD5: 30:0E:B4:91:F3:A4:A7:EE:67:6F:73:D3:E1:1B:A6:82
SHA1: 67:93:15:14:3E:64:74:27:32:32:26:43:FF:B8:B9:E6:05:A8:DE:49
SHA256: 01:0E:2A:8A:D3:A9:3B:A4:AE:58:4F:AD:2C:E7:BD:45:B7:97:6F:A0:C4:FA:96:A5:29:DD:77:85:3A:05:B1:B8
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
You must restart Admin and SOA Servers.
Testing
Deploy the above composite in your SOA server. The SOA composite can be invoked from EM or using tools like SOAPUI. Please see the following link to test REST adapter using HTTP Analyzer.
Conclusion
This blog demonstrates how to invoke secured REST services from Fusion Applications cloud using SOA. It provides detailed configuration on importing cloud keystores and attaching OWSM policies. This sample supports multiple patterns such as cloud-to-cloud, cloud-to-OnPremise, cloud-to-BPO, etc.
Jack Desai
A product strategist and “solution and enterprise” integration architect to innovate and automate complex integration patterns with Oracle SaaS applications.
Previous Post
An ODI Journalizing Knowledge Module for GoldenGate Integrated Replicat
Next Post