Signature Verification by Oracle WSM
Oracle Web Services Manager (Oracle WSM) can validate the signature on the incoming (request) SOAP message. By using Oracle WSM to validate the signature, organizations can centralize both policy enforcement and public key management. As organizations deploy more web services that are consumed by other divisions and business partners, managing the signature verification process becomes tedious, because certificate information has to be maintained for each new consumer. Oracle WSM addresses this by centralizing those operations. In this section I describe how to configure an Oracle WSM policy to validate the signature of the SOAP request message.
To view the policy, you can click on Policy Management and then Manage Policies. This will bring you to the screen with the gateway information and a hyperlink for policies (see the following screen capture).
You can then click Policies to list all the policies, including the VerifyAndSign policy that is created by default.
A default policy is attached to the service. We can now click Edit to edit the policy. When you click Edit, you will see the policy steps as shown in the following screenshot.
In this section, we want to configure the Request pipeline to validate the signature of the incoming SOAP message. To validate the signature, click Add Step Below to add the Verify Signature policy step as shown in the following screenshot.
Once you click OK, the Verify Signature policy step is added, but it still has to be configured. Clicking the Configure button on the Verify Signature policy step takes you to the screen where you can configure the verify signature policy information, as shown in the following screen capture. In the previous screenshot, I configured the Verify Signature policy step with:
- Location of the key store
- Key store type as PKCS12
- Password of the key store
- Public key alias in the key store
- Remove Signatures set to true, so that the digital signature is removed from the message after it has been validated
- Enforce Signing set to true, to require that incoming requests be signed
Note: To generate a PKCS12 key store from a certificate that is already installed in Microsoft Certificate Services, first export the certificate (with or without the private key), import it into Firefox (under the Advanced options), and then export it back as PKCS12.
Once the Verify Signature policy step has been configured and saved (Commit Policy), the policy enforces that any request for the time service with that particular service ID is digitally signed.
Signature Generation by Oracle WSM
In the last section, I discussed how to digitally sign a web service request from a Microsoft .NET application and how to validate the signature with Oracle WSM. In this section, I discuss how to digitally sign the web service response message. Earlier, we registered the service and attached the Verify Signature policy step to the request pipeline. To digitally sign the response message, the response pipeline of the policy has to be modified to include the Sign Message policy step. The policy, with the request pipeline already configured to verify the signature, looks like this:
Now we have to add a step to the Response pipeline to sign the response message. To add the policy step, click Add Step Below and then select the Sign Message policy step. Once the Sign Message policy step is added, it can be configured, as shown in the following screenshot, with the location of the key store that holds the key used to digitally sign the message.
In the previous figure, the location of the key store that holds the private key is specified, along with the key store password, the alias, and the part of the message to be signed.
Once the policy is created, it looks like this:
In the previous screenshot, the Response pipeline has two log steps: one that logs the message before it is digitally signed and one that logs it afterwards. In this sample, we are using the same WSEQuickStartServer certificate to sign the message.
Once the policy is saved, the response message will be digitally signed. The client application (Microsoft .NET) can be configured to validate the signature.
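The Verify Signature step configured in the previous section and the Sign Message step configured here come down to the same key operations, so the following added example models both. It is written in Go for this article and is not Oracle WSM code. The names KeyStore, SignMessage and VerifyPolicy are invented here; the PKCS12 file, its password and location are replaced by an RSA key pair generated in memory under the page's WSEQuickStartServer alias; the messages use a simplified SOAP shape without namespaces, and the signature is a plain RSA signature over the raw Body bytes rather than a canonicalized WS-Security XML-DSig structure. What it shows is the policy semantics: a request under Enforce Signing is faulted when unsigned, when its Body was altered after signing, or when it was signed under an alias other than the one the policy trusts, and Remove Signatures strips the signature before the message continues down the pipeline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample request in a simplified SOAP shape (no namespaces).
const SampleRequest = `<Envelope><Header></Header><Body><getTime/></Body></Envelope>`

// KeyStore stands in for the PKCS12 key store named in the policy steps; the real
// store is a file on disk, here one RSA key pair is generated under a single alias.
type KeyStore struct {
	pub  map[string]*rsa.PublicKey
	priv map[string]*rsa.PrivateKey
}

func NewKeyStore(alias string) (*KeyStore, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyStore{map[string]*rsa.PublicKey{alias: &key.PublicKey}, map[string]*rsa.PrivateKey{alias: key}}, nil
}

var bodyRe = regexp.MustCompile(`(?s)<Body>.*</Body>`)
var sigRe = regexp.MustCompile(`<Signature alias="([^"]*)">([^<]*)</Signature>`)

// SignMessage mirrors the Sign Message step: the <Body> element (the part of the
// message to be signed) is hashed, signed with the private key under alias, and the
// signature travels in a header. Real WS-Security signs a canonicalised XML-DSig
// structure; signing the raw Body bytes keeps this example short.
func SignMessage(store *KeyStore, alias, msg string) (string, error) {
	priv, ok := store.priv[alias]
	body := bodyRe.FindString(msg)
	if !ok || body == "" || !strings.Contains(msg, "<Header>") {
		return "", fmt.Errorf("cannot sign with alias %q: missing key, <Header> or <Body>", alias)
	}
	digest := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	hdr := fmt.Sprintf(`<Signature alias="%s">%s</Signature>`, alias, base64.StdEncoding.EncodeToString(sig))
	return strings.Replace(msg, "<Header>", "<Header>"+hdr, 1), nil
}

// VerifyPolicy carries the settings made on the Verify Signature step.
type VerifyPolicy struct {
	Store            *KeyStore
	Alias            string // public key alias in the key store
	EnforceSigning   bool   // reject requests that carry no signature
	RemoveSignatures bool   // strip the signature after successful validation
}

// Verify applies the policy to an incoming request and returns the message that
// continues down the pipeline, or an error that should fault the request.
func (p VerifyPolicy) Verify(msg string) (string, error) {
	m := sigRe.FindStringSubmatch(msg)
	if m == nil {
		if p.EnforceSigning {
			return "", errors.New("policy violation: request is not signed")
		}
		return msg, nil // signing is optional: pass the request through unchanged
	}
	// Only the key under the policy's alias is trusted; any other signer is rejected.
	pub, ok := p.Store.pub[m[1]]
	if !ok || m[1] != p.Alias {
		return "", fmt.Errorf("signer alias %q is not the trusted alias %q", m[1], p.Alias)
	}
	sig, err := base64.StdEncoding.DecodeString(m[2])
	digest := sha256.Sum256([]byte(bodyRe.FindString(msg)))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature verification failed: malformed, body altered or wrong key")
	}
	if p.RemoveSignatures {
		msg = strings.Replace(msg, m[0], "", 1)
	}
	return msg, nil
}

func main() {
	store, _ := NewKeyStore("WSEQuickStartServer")
	policy := VerifyPolicy{Store: store, Alias: "WSEQuickStartServer", EnforceSigning: true, RemoveSignatures: true}
	signed, _ := SignMessage(store, "WSEQuickStartServer", SampleRequest)
	tampered := strings.Replace(signed, "<getTime/>", `<getTime tz="UTC"/>`, 1)
	for _, c := range []struct{ name, req string }{{"signed", signed}, {"unsigned", SampleRequest}, {"tampered", tampered}} {
		out, err := policy.Verify(c.req)
		fmt.Printf("%-8s -> out=%q err=%v\n", c.name, out, err)
	}
}
```

Running `go run` on the file prints the signed request passing with its signature header stripped, and the unsigned and tampered requests faulted. The same VerifyPolicy with EnforceSigning set to false lets the unsigned request through untouched, which is the trade-off behind that checkbox: a consumer that cannot sign can still call the service, but the gateway no longer proves who sent the request.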
Oracle WSM Test Page as Client Application
Oracle WSM comes with its own test page where you can test the web service and the security policy associated with the web service. In this example, I show how to test the web service policy that was just deployed and which digitally signs the response message.
You get the test page from the Tools menu.
In the WSDL URL text box, enter the WSDL URL and then click Submit Query. A window then appears where you can enter any credentials (username and password) and specify whether they should be sent in the HTTP header or as part of the SOAP message. It also has an option to save the test, as shown in the following screen capture.
You can give the test a name and a description and then click Invoke. When you click the Invoke button, the web service is invoked and the test is also saved. In our example, once the web service is invoked, the security policy is applied and the response message is digitally signed, as shown in the next screenshot.
In the next example, you will see how to create a client application in Microsoft .NET to perform the signature generation and validation.