Sunday, July 27, 2014

Credential Store Access from BPEL

Sometimes we need to pass restricted information such as credentials in a web service request payload to endpoint systems. In that case we have to manage the credentials in the source system and pass them at run time. As a best practice, we can store this information in the Credential Key Store or in a database (encrypted). Here I will share the steps to manage it in the Credential Key Store.

Create Credential Map and Key in Key Store:
1. Log in to WebLogic EM. Go to WLS domain --> Security --> Credentials.
2. Click Create Map. Provide a map name.
For Ex: kakarla_map
3. Select the newly created map and click Create Key. Provide the key name and the credential info (user name and password).
For Ex: Key --> kakarla_key
4. Click OK to save the changes.

Add jps-manifest.jar file path to BpelClassPath:
1. Log in to WebLogic EM. Go to soa-infra --> SOA Administration --> BPEL Engine Properties --> More BPEL Configuration Properties.
2. Add the jps-manifest.jar file path to the BpelClassPath attribute. Typically the jps-manifest.jar file is located at $WLS_HOME/oracle_common/modules/oracle.jps_11.1.1/jps-manifest.jar
3. Click Apply to save the changes.

Update system-jazn-data.xml (in case the OPSS store refers to the file system):
1. Log in to the host machine and go to the domain home.
2. Change to $DOMAIN_HOME/config/fmwconfig. Edit system-jazn-data.xml.
3. Add the following permission to the <jazn-policy> grant section.
Note: To restrict access to a specific map and key, replace * with the map/key name. The example below already restricts the map to kakarla_map and leaves the key as a wildcard.
    <permission>
        <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
        <name>context=SYSTEM,mapName=kakarla_map,keyName=*</name>
        <actions>read</actions>
    </permission>
4. Reboot the WebLogic admin and managed servers.
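A quick way to review what a domain's policy file actually exposes is to parse the CredentialAccessPermission grants and flag wildcard map or key names and actions beyond read. This is an added example, not part of the original post; it runs against a constructed system-jazn-data.xml fragment with a hypothetical codesource URL, and the second grant is deliberately over-broad so the check has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a system-jazn-data.xml <jazn-policy> section (hypothetical
# codesource, not copied from a real domain); the second grant is deliberately over-broad.
SAMPLE_JAZN = """<jazn-data xmlns="http://xmlns.oracle.com/oracleas/schema/11/jazn-data-11_0.xsd">
  <jazn-policy><grant>
    <grantee><codesource><url>file:${soa.oracle.home}/soa/modules/-</url></codesource></grantee>
    <permissions>
      <permission>
        <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
        <name>context=SYSTEM,mapName=kakarla_map,keyName=*</name>
        <actions>read</actions>
      </permission>
      <permission>
        <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
        <name>context=SYSTEM,mapName=*,keyName=*</name>
        <actions>read,write</actions>
      </permission>
    </permissions>
  </grant></jazn-policy>
</jazn-data>"""

CRED_PERM = "oracle.security.jps.service.credstore.CredentialAccessPermission"

def parse_target(name):
    """Split 'context=SYSTEM,mapName=m,keyName=k' into a dict."""
    return dict(part.strip().split("=", 1) for part in name.split(","))

def audit_credential_grants(xml_text):
    """Return one finding per CredentialAccessPermission grant, with any weaknesses listed."""
    findings = []
    # '{*}' matches any namespace; system-jazn-data.xml declares a default one
    for grant in ET.fromstring(xml_text).iterfind(".//{*}grant"):
        url = grant.findtext("{*}grantee/{*}codesource/{*}url") or "<no codesource>"
        for perm in grant.iterfind(".//{*}permission"):
            if (perm.findtext("{*}class") or "").strip() != CRED_PERM:
                continue
            target = parse_target(perm.findtext("{*}name"))
            actions = {a.strip() for a in (perm.findtext("{*}actions") or "").split(",")}
            issues = []
            if target.get("mapName") == "*":
                issues.append("wildcard map")
            if target.get("keyName") == "*":
                issues.append("wildcard key")
            if actions - {"read"}:
                issues.append("grants more than read")
            findings.append({"codesource": url, "map": target.get("mapName"),
                             "key": target.get("keyName"), "issues": issues})
    return findings
```

Run it against $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml after the edit in step 3; a grant whose only issue is "wildcard key" matches the permission shown above.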

Add Java Embedded activity to BPEL process to retrieve CSF key:
1. Add the jps-manifest.jar file from the JDeveloper installation to the SOA project.
2. Add the following imports to the BPEL component.
    <bpelx:exec import="oracle.security.jps.service.credstore.*"/>
    <bpelx:exec import="oracle.security.jps.*"/>
    <bpelx:exec import="java.security.PrivilegedAction"/>
    <bpelx:exec import="java.security.AccessController"/>
3. Add the following code snippet to the Java Embedded activity to access the key store.
Note: The CSF map and key created in the previous steps are hard coded here for the example.
try {
    String csfUserName = "";
    String csfPassword = "";
    // Look up the OPSS credential store service for the current JPS context
    JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
    final CredentialStore cs = (CredentialStore) ctx.getServiceInstance(CredentialStore.class);
    // Read the key inside a privileged block so the CredentialAccessPermission
    // granted in system-jazn-data.xml applies regardless of callers up the stack
    Credential cred = AccessController.doPrivileged(new PrivilegedAction<Credential>() {
        public Credential run() {
            try {
                CredentialMap cmap = cs.getCredentialMap("kakarla_map");
                return cmap.getCredential("kakarla_key");
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    });
    if (cred instanceof PasswordCredential) {
        PasswordCredential pcred = (PasswordCredential) cred;
        char[] p = pcred.getPassword();
        csfUserName = pcred.getName();
        csfPassword = new String(p);
        // Audit only the user name; the password must never be written to the audit trail
        addAuditTrailEntry("Retrieved CSF credential for user: " + csfUserName);
    }
} catch (Exception e) {
    addAuditTrailEntry("CSF lookup failed: " + e.getMessage());
}
4. Use the setVariableData and getVariableData methods in the Java Embedded activity to set and get values in BPEL variables.
5. Deploy the BPEL process to the SOA server and test.
6. If you get any BPEL compilation errors, check the BpelClassPath value set in the previous steps.
