Tutorial: Security for Web Services

This tutorial describes how to make Web Services secure using the Public Key
Infrastructure (PKI), Secure Sockets Layer (SSL), and other features provided by
Oracle9i Application Server (Oracle9iAS).

Contents

1. Concepts
2. Design
3. Required Software
4. Setup
5. Implementation
6. Resources
7. Feedback

file:///D|/otnDocs/sample_code/tutorials/wspki/toc.htm [01/29/2003 12:12:41 PM]


Concepts

Effective Internet security requires secure information exchange mechanisms that are
scalable and that support the security of distributed systems. Public Key Infrastructure
(PKI) meets these requirements with minimal inconvenience.

Oracle9i Application Server (Oracle9iAS) can use elements of PKI to provide a secure,
resilient environment for deploying electronic commerce. This reliable environment
supports building systems to handle virtually any type of electronic interaction, from
corporate intranets to e-business applications designed for deployment on the Internet.

Strong system security starts with the physical security of systems and the
trustworthiness of personnel. With these in place, PKI enhances secure electronic
commerce and Internet communications by supporting the following processes:

● Authentication. Verifying the identity of users and machines becomes crucial
when an organization opens its doors to the Internet. Strong authentication
mechanisms, of which PKI is one, verify identities without allowing transmission or
storage of reusable passwords. They ensure that persons and machines are the
entities they claim to be. This is typically done by a trusted third-party
authentication or certification service using conventional cryptography. Proper use
of PKI makes impersonation virtually impossible and supports mechanisms
enabling systems and applications to trust each other's connections and
transmissions.
● Encryption. Encryption and integrity algorithms are used to secure
communications and ensure the privacy of data sent from one computer to
another. They ensure that data remains confidential, that it cannot be modified, and
that lost packets can be detected.
● Non-repudiation. Non-repudiation means that senders of digitally signed
transactions or email cannot claim they did not do so. Digital signatures using PKI
can provide reliable proof that the person signing the electronic transmission really
is that person, since no one else can create their unique digital signature. This fact
also prevents impersonation, because the impostor cannot create that person's
digital signature. A PKI digital signature proves that a specific user performed
certain operations.

For public-key cryptography, entities that want to communicate in a secure manner must
possess certain security credentials. This collection of security credentials is stored in a
wallet. Security credentials consist of:

● Public and private keys. This form of cryptography uses a secret private key and
a mathematically-related public key. Only the public key can be used to encrypt
information, and only the corresponding private key can be used to decrypt that
information. Only the owner of the key pair knows the private key; the public key
can be distributed widely and remains associated with its owner. A message
encrypted with the public key can only be decrypted by the owner who knows the
associated private key. Such keys are also used in digital signatures to prevent
Internet impersonation and repudiation of valid messages. In the process of
setting up this sample application, you will obtain and install certificates for the
client and server.
● Digital certificates. Certificates are digital identities, issued by trusted third
parties, that identify users and machines. Certificates are issued when that third
party receives trusted information proving to its satisfaction the validity of those
identities. The certificates can then be securely stored in wallets or in directories
and used to prove the claimed identity to anyone on the Internet who trusts that
third party.
● Certificate Authority (CA). A CA is a third party that acts as a trusted,
independent provider of digital certificates.

Use of a cryptographic key pair to set up a secure, encrypted channel ensures the
privacy of a message and can validate the authenticity of the sender of the message.
Wide distribution of the public key on a server, or in a central directory, does not
jeopardize security because the private key is never shared. The public key for an entity
is published by a certificate authority in a user certificate. Entities that want to send
secure information can encrypt the information with the recipient entity's public key. An
entity that receives a communication encrypted by this method can use its own private
key to decrypt the message. (In some cases, the sender might need to reassure the
recipient regarding who sent the message. Encrypting the coded message again using
its own public key would do the trick. The recipient could decrypt the doubly-encoded
message using his private key, and then decrypt the resulting coded message using the
sender's public key. If the original message was not encoded using both public keys, the
result of decrypting will be unreadable.)
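The key-pair exchange above, as an added example in Go rather than the tutorial's Java (the store, credit-card service and impostor parties and the message are constructed, not from the tutorial). The reassurance step in the parenthetical is done the standard way for a digital signature: the sender signs with its own private key and the recipient verifies with the sender's public key, so a forged signature or the wrong private key is rejected as an error rather than yielding unreadable output.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one communicating entity. The private key never leaves its owner;
// the public key may be published widely (in practice inside a certificate).
type Party struct {
	Name string
	Priv *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Priv: priv}, nil
}

// Public returns the key that can be handed out or published by a CA.
func (p *Party) Public() *rsa.PublicKey { return &p.Priv.PublicKey }

// Seal encrypts msg with the recipient's public key (RSA-OAEP) so that only the
// holder of the matching private key can read it, then signs the ciphertext
// with the sender's private key (RSA-PSS) so the recipient can check who sent it.
func Seal(sender *Party, recipient *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, sender.Priv, crypto.SHA256, digest[:], nil)
	return ct, sig, err
}

// Open verifies the signature with the claimed sender's public key before
// spending any effort on decryption, then decrypts with the recipient's private
// key. A forged signature or a message meant for someone else is an error, not
// unreadable output.
func Open(recipient *Party, sender *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Priv, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	return pt, nil
}

func main() {
	store, _ := NewParty("online-store")
	ccsvc, _ := NewParty("credit-card-service")
	impostor, _ := NewParty("impostor")

	msg := []byte("order 17, amount 42.00") // constructed sample message

	ct, sig, err := Seal(store, ccsvc.Public(), msg)
	if err != nil {
		panic(err)
	}
	pt, err := Open(ccsvc, store.Public(), ct, sig)
	fmt.Printf("genuine message: %q (err=%v)\n", pt, err)

	// The impostor cannot produce the store's signature: verification fails.
	ct2, sig2, _ := Seal(impostor, ccsvc.Public(), msg)
	_, err = Open(ccsvc, store.Public(), ct2, sig2)
	fmt.Println("impostor:", err)

	// Without the matching private key the ciphertext cannot be opened.
	_, err = Open(impostor, store.Public(), ct, sig)
	fmt.Println("wrong recipient:", err)
}
```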


Design

The Online Product Store demonstrates an e-Business application that uses Web
Services to handle credit card-based transactions. There are two ways to ensure security
with Web Services:

● Security at XML level. Options include XML Encryption, XML Digital signature API,
XKMS (XML Key Management Specification), and SAML (Security Assertion
Markup Language).
● Security at the transport level. Implementing security at the transport level means
securing the network protocol a Web Service uses for communication. SSL is the
industry-accepted standard protocol for secured encrypted communications over
TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a
Web Service. The client then sends and receives SOAP messages over this
secured socket using HTTPS. The SSL implementation takes care of ensuring
privacy by encrypting all the network traffic on the socket. SSL can also
authenticate the Web Service to the client using the PKI infrastructure.

Because the standards for enabling security at XML level are in their infancy, OTN
developers opted for security at the transport level using SSL and the PKI infrastructure.
Oracle9iAS provides a solid framework for building and deploying Web applications using
the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and
Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS
Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository,
Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.

This sample application requires a user ID and a password for login. Three users are
created by running SQL scripts given in the Install.html file. Following is the information
for accessing this application.

User ID   Password   Credit Card Number
C101      welc0me    1234567887654321
C102      otn        1234567887654322
C103      welcome    1234567887654323

By providing credentials, a user gains access to a catalog of products from which they
can add items to their shopping cart. To buy products, a user checks out and enters a
credit card number, and this application contacts the Credit Card Web Service via SSL,
thereby demonstrating how to access a Web Service securely.

The directory structure of the sample code is as shown below (Xxx represents the top-
level directory).

Directory              Files              Description
Xxx\docs               Readme.html        Gives an overview of the application.
                       Install.html,      These files describe how to install and
                       InstallContd.html  deploy the application.
Xxx\sql                Security.sql       Sets up the data required by the Online
                                          Product Store, which will be created in
                                          the "security" user schema.
                       Creditdb.sql       Sets up the data required by the Credit
                                          Card Web Service, which will be created
                                          in the "creditdb" user schema.
Xxx\CreditCardService  *.java             Directory containing the source of the
                                          Credit Card Web Service and the
                                          supporting files.
Xxx\JSPApplication     *.java             Directory containing the source code and
                                          supporting files for the Online Product
                                          Store.

Required Software

You can download the sample application source code (35 KB) from:

● http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar

The following software is required to build and run this tutorial. OTN members can
download developer-license versions of these products for free.

● Oracle9i Database Server Version 9.2.0 or higher.
● Oracle9iAS Release 2 - Installation must include Oracle HTTP Server and OC4J.
● Oracle9i JDeveloper - Version 9.0.2 or higher.

See the Setup section for information about installing and running the tutorial.

Setup

This section lists the steps to install and configure the tutorial. It assumes that you have
installed and configured the software described in the Required Software section.

1. Extract the Sample
2. Get a Server Certificate
3. Get a Client Certificate
4. Set up Oracle9iAS to use this Certificate
5. Database Setup
6. Oracle Java SSL libraries
7. Compile the Web Service
8. Deploy the Web Service to Oracle9iAS through Enterprise Manager
9. Prepare the Online Store application
10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager

Implementation

This sample application achieves security by deployment to Oracle9i Application Server
(Oracle9iAS). There is nothing unusual about the code that implements the Web Service.
The key is to follow the steps presented in the Setup section of this tutorial. The steps
involve a slight modification of the Web Service source code, as explained in the Prepare
the Online Store application section.

Oracle9iAS security starts from the well-tested and highly configurable Web security
services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-
on services, and extends them further with centralized user provisioning that is available
in Oracle Internet Directory, an LDAP version 3-compliant directory service. In addition,
Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication
Services (JAAS) for J2EE application security, and extensive portal authorization and
application integration mechanisms. Oracle9iAS also supports secure access to Oracle
database systems using Oracle Advanced Security.

Oracle9i Application Server Implementation of Public Key Infrastructure (PKI)

The Oracle9i Application Server PKI implementation provides a variety of security
services, in compliance with industry-standard specifications. It incorporates a whole
suite of products and features, including the following:

● Secure Sockets Layer. The Secure Sockets Layer (SSL) is an application layer
protocol that can be employed for certificate-based authentication. All of the
major components of Oracle9iAS support SSL.
● Oracle Wallets. An Oracle wallet is a container in which certificates and trusted
certificates are stored and managed. These data structures securely store a user
private key, a user certificate, and a set of trusted certificates (the list of root
certificates which the user trusts).
● Oracle Wallet Manager. This is a Java-based application that security
administrators use to manage public-key security credentials on both Oracle
clients and servers. It creates an Oracle wallet. Oracle Wallet Manager creates a
public-private key pair and manages credentials for a user. It issues PKCS#10
certificate requests to the certificate authority, and installs the certificate in the
wallet. It ships with trusted certificates from VeriSign, RSA, and Baltimore
CyberTrust, and can use a site's own in-house certificate authority.
● Oracle Internet Directory. Oracle Internet Directory, an LDAP V3-compliant
directory built on the Oracle9i database, helps to enable PKI-based single
sign-on. It enables you to securely manage the user and system configuration
environment, including security attributes and privileges, for users authenticated
using X.509 certificates. Oracle Internet Directory enforces attribute-level access
control, enabling the directory to restrict read, write, or update privileges on
specific attributes to specific named users (for example, a security administrator).
It also supports protection and authentication of directory queries and responses
through SSL encryption.
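The transport-level model from the Design section (the client opens an SSL socket, posts SOAP over HTTPS, and authenticates the Web Service through PKI) and the wallet workflow described above (a PKCS#10 request to a CA, the issued certificate, and a list of trusted root certificates) as one added example in Go; this is not code from the tutorial or from Oracle's products. The in-house CA, the CreditCardService subject, the creditcard.example host name and the SOAP envelope are all constructed, and Go's x509.CertPool stands in for the wallet's trusted-certificate list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// must panics on setup errors (key generation, encoding); the checks that matter here return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a hypothetical in-house certificate authority: a self-signed root and its key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// TrustStore plays the wallet's trusted-certificate list: a client using it trusts only this CA.
func (ca *CA) TrustStore() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return pool
}

// Issue takes a PKCS#10 request (what Wallet Manager sends to a CA), checks that the
// requester really holds the key in it, and returns a CA-signed server certificate (DER).
func (ca *CA) Issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: []string{"creditcard.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// StartService fills the Web Service's wallet (private key plus CA-issued certificate)
// and serves a hypothetical credit-card endpoint over HTTPS on loopback.
func StartService(ca *CA) *httptest.Server {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "CreditCardService"}}
	certDER := must(ca.Issue(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "<ack>%d bytes</ack>", r.ContentLength) // no real charging: just acknowledge
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{certDER}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// CallService is the client side: it verifies the server certificate against roots (nil means the
// system store, which does not know an in-house CA) and the expected host name, then posts SOAP.
func CallService(url string, roots *x509.CertPool, envelope string) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: "creditcard.example"}, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Post(url, "text/xml", strings.NewReader(envelope))
	if err != nil {
		return "", err // for example "certificate signed by unknown authority"
	}
	resp.Body.Close()
	return resp.Status, nil
}

func main() {
	ca := NewCA("OTN In-House CA")
	srv := StartService(ca)
	env := `<soap:Envelope><soap:Body/></soap:Envelope>` // constructed, not the tutorial's message
	fmt.Println(CallService(srv.URL, ca.TrustStore(), env))                  // 200 OK
	fmt.Println(CallService(srv.URL, NewCA("Another CA").TrustStore(), env)) // unknown authority
}
```

A client whose trust store lacks the issuing CA, or that is pointed at the system store, never gets past the handshake, which is the check the wallet's trusted-certificate list exists to make.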

Resources

Following are links to resources that can help you understand and apply the concepts and techniques
presented in this tutorial. See the Required Software section to obtain the tutorial source code and related
files.

● Oracle9i Application Server Security Guide:
  http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm
● OTN Web Services Technology Center:
  http://otn.oracle.com/tech/webservices/content.html
● Oracle by Example: Build a Secure Internet Data Center:
  http://otn.oracle.com/products/oracle9i/htdocs/9iober2/obe9ir2/player_otn.htm

Feedback

If you have questions or comments about this tutorial, you can:

● Post a message in the OTN Sample Code discussion forum. OTN developers and
other experts monitor the forum.

● Send email to the author. mailto:Robert.Hall@oracle.com

If you have suggestions or ideas for future tutorials, please send email to:

● mailto:Raghavan.Sarathy@oracle.com

file:///D|/otnDocs/sample_code/tutorials/wspki/fdbk.htm [12/04/2002 3:38:01 PM]


Design

Design

The Online Product Store demonstrates an e-Business application that uses Web
Services to handle credit card-based transactions.There are two ways to ensure security
with Web Services:

● Security at XML level. Options include XML Encryption, XML Digital signature API,
XKMS (XML Key Management Specification), and SAML (Security Assertion
Markup Language).
● Security at the transport level. Implementing security at the transport level means
securing the network protocol a Web Service uses for communication. SSL is the
industry-accepted standard protocol for secured encrypted communications over
TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a
Web Service. The client then sends and receives SOAP messages over this
secured socket using HTTPS. The SSL implementation takes care of ensuring
privacy by encrypting all the network traffic on the socket. SSL can also
authenticate the Web Service to the client using the PKI infrastructure.

Because the standards for enabling security at XML level are in their infancy, OTN
developers opted for security at the transport level using SSL and the PKI infrastructure.
Oracle9iAS provides a solid framework for building and deploying Web applications using
the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and
Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS
Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository,
Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.

This sample application requires a user ID and a password for login. Three users are
created by running SQL scripts given in the Install.html file. Following is the information
for accessing this application.

file:///D|/otnDocs/sample_code/tutorials/wspki/design.htm (1 of 3) [01/29/2003 12:06:39 PM]


Design

Credit Card
User ID Password
Number
C101 welc0me 1234567887654321
C102 otn 1234567887654322
C103 welcome 1234567887654323

By providing credentials, a user gains access to a catalog of products from which they
can add items to their shopping cart. To buy products, a user checks out and enters a
credit card number, and this application contacts the Credit Card Web Service via SSL,
thereby demonstrating how to access a Web Service securely.

The directory structure of the sample code is as shown below (Xxx represents the top-
level directory).

Directory Files Description


Gives an overview of
Readme.html
the application.

Xxx\docs Install.html,
These files describe
how to install and
InstallContd.html
deploy the application.

Sets up the data


required by the Online
Product Store which
Security.sql
will be created in the
"security" user
schema.
Xxx\sql
Sets up up the data
required by the Credit
Card Web Service
Creditdb.sql
which will be created
in the "creditdb" user
schema.

file:///D|/otnDocs/sample_code/tutorials/wspki/design.htm (2 of 3) [01/29/2003 12:06:39 PM]


Design

Directory containing
the source of the
Xxx\CreditCardService *.java Credit Card Web
Service and the
supporting files
Directory containing
the source code and
Xxx\JSPApplication *.java
supporting files for the
Online Product Store.

file:///D|/otnDocs/sample_code/tutorials/wspki/design.htm (3 of 3) [01/29/2003 12:06:39 PM]


Required Software

Required Software

You can download the sample application source code (35 KB) from:

● http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar

The following software is required to build and run this tutorial. OTN members can
download developer-license versions of these products for free.

● Oracle9i Database Server Version 9.2.0 or higher .


● Oracle9iAS Release 2 - Installation must include Oracle HTTP Server and OC4J.
● Oracle9i JDeveloper - Version 9.0.2 or higher.

See the Setup section for information about installing and running the tutorial.

file:///D|/otnDocs/sample_code/tutorials/wspki/reqsw.htm [01/29/2003 12:06:54 PM]


Setup

Setup

This section lists the steps to install and configure the tutorial. It assumes that you have
installed and configured the software described in the Required Software section.

1. Extract the Sample


2. Get a Server Certificate
3. Get a Client Certificate
4. Set up Oracle9iAS to use this Certificate
5. Database Setup
6. Oracle Java SSL libraries
7. Compile the Web Service
8. Deploy the Web Service to Oracle9iAS through Enterprise Manager
9. Prepare the Online Store application
10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager

file:///D|/otnDocs/sample_code/tutorials/wspki/setup.htm [01/29/2003 12:06:54 PM]


Implementation

Implementation

This sample application achieves security by deployment to Oracle9i Application Server


(Oracle9iAS). There is nothing unusual about the code that implements the Web Service.
The key is to follow the steps presented in the Setup section of this tutorial. The steps
involve a slight modification of the Web Service source code, as explained in the Prepare
the Online Store application section.

Oracle9iAS security starts from the well-tested and highly configurable Web security
services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-
on services, and extends them further with centralized user provisioning that is available
in Oracle Internet Directory, an LDAP, version 3-compliant directory service. In addition,
Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication
Services (JAAS) for J2EE application security, and extensive portal authorization and
application integration mechanisms. Oracle9iAS also supports secure access to Oracle
database systems using Oracle Advanced Security.

Oracle9i Application Server Implementation of Public Key Infrastructure (PKI)

The Oracle9i Application Server PKI implementation provides a variety of security services, in compliance with industry-standard specifications. It incorporates a whole suite of products and features, including the following:

● Secure Sockets Layer. The Secure Sockets Layer (SSL) is a protocol layered between TCP and application protocols such as HTTP; it provides encryption and integrity protection for the connection and can be employed for certificate-based authentication of the server and, optionally, of the client. All of the major components of Oracle9iAS support SSL.


● Oracle Wallets. An Oracle wallet is a container in which certificates and trusted certificates are stored and managed. These data structures securely store a user private key, a user certificate, and a set of trusted certificates (the list of root certificates which the user trusts).

● Oracle Wallet Manager. This is a Java-based application that security administrators use to manage public-key security credentials on both Oracle clients and servers. It creates an Oracle wallet. Oracle Wallet Manager creates a public-private key pair and manages credentials for a user. It issues PKCS#10 certificate requests to the certificate authority, and installs the certificate in the wallet. It ships with trusted certificates from VeriSign, RSA, and Baltimore CyberTrust, and can use a site's own in-house certificate authority.

● Oracle Internet Directory. Oracle Internet Directory, an LDAP V3-compliant directory built on the Oracle9i database, helps to enable PKI-based single sign-on. It enables you to securely manage the user and system configuration environment, including security attributes and privileges, for users authenticated using X.509 certificates. Oracle Internet Directory enforces attribute-level access control, enabling the directory to restrict read, write, or update privileges on specific attributes to specific named users (for example, a security administrator). It also supports protection and authentication of directory queries and responses through SSL encryption.

Resources

Following are links to resources that can help you understand and apply the concepts and techniques presented in this tutorial. See the Required Software section to obtain the tutorial source code and related files.

Resource: Oracle9i Application Server Security Guide
URL: http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm

Resource: OTN Web Services Technology Center
URL: http://otn.oracle.com/tech/webservices/content.html

Resource: Oracle by Example: Build a Secure Internet Data Center
URL: http://otn.oracle.com/products/oracle9i/htdocs/9iober2/obe9ir2/player_otn.htm

Feedback

If you have questions or comments about this tutorial, you can:

● Post a message in the OTN Sample Code discussion forum. OTN developers and
other experts monitor the forum.

● Send email to the author. mailto:Robert.Hall@oracle.com

If you have suggestions or ideas for future tutorials, please send email to:

● mailto:Raghavan.Sarathy@oracle.com

Web Services Security Sample Install document

Web Services Security Sample Installation


Database Setup

a. Log into SQL*Plus as system/manager (the sample assumes the default SYSTEM password; substitute your own).

b. Create two users, "security" and "creditdb", as follows:

SQL> create user security identified by security;
SQL> grant all privileges to security;
SQL> create user creditdb identified by creditdb;
SQL> grant all privileges to creditdb;

Note: GRANT ALL PRIVILEGES is far more than the sample needs and must not be used outside a throwaway test database. The two schemas only require CREATE SESSION, CREATE TABLE and a quota on their default tablespace, and in any real deployment the passwords should not equal the user names.

c. Log into SQL*Plus as security/security. Run the file Security.sql, which creates the tables needed by the Online Store and populates them with data.

SQL> @d:\<temp>\sql\Security.sql

where <temp> is the directory where you extracted this sample.

d. Log into SQL*Plus as creditdb/creditdb. Run the file Creditdb.sql, which creates the tables needed by the Credit Card Web Service and populates them with data.

SQL> @d:\<temp>\sql\Creditdb.sql

where <temp> is the directory where you extracted this sample.

Oracle Java SSL libraries

The files jcert.jar, jsse.jar and jssl-1_2.jar are needed for running this sample. They are available in the following directories:

jsse.jar - <IAS_HOME>/lib
jcert.jar - <IAS_HOME>/jdk/jre/lib/ext
jssl-1_2.jar - <IAS_HOME>/jlib

Copy them to the <IAS_HOME>/jdk/jre/lib/ext directory so that these classes are loaded by the JVM's extension class loader and are therefore visible to every application running in that JVM, including the deployed Web application.

Note: If this step is not followed, the application will throw a ClassNotFoundException.

Compile the Web Service

a. From the command prompt, change to the CreditCardService\src directory.

b. Edit the file ConnectionParams.java and substitute the variable values with your settings. Make sure to use "creditdb" and "creditdb" as the username and password. (This puts database credentials in source; acceptable for the sample, but a deployed service should read them from a protected configuration file or a container-managed data source.)

c. Make sure classes12.jar (the JDBC library) is in the CLASSPATH. This library is available in the IAS_HOME/jdbc/lib directory.

d. Compile the source files as follows:

javac *.java

e. Copy the created class files into the WEB-INF\classes directory.

f. Go to the parent directory CreditCardService and create a WAR file as follows:

jar -Mcvf CreditCardValidator.war WEB-INF\*

This creates a WAR file in the CreditCardService directory.

Deploy the Web Service to Oracle9iAS through Enterprise Manager

a. Access the Enterprise Manager Web site at http://<hostname>:1810

Provide the admin user name and password as per your settings. The default username is ias_admin and the password is the one given during Oracle9iAS installation.

b. Go to the OC4J_home component by clicking on the link.

c. Click on the "Deploy WAR file" button in the OC4J_home page.

d. In the Deploy Web Application page, click on the "Browse" button and select the CreditCardValidator.war file from the CreditCardService directory. Note that this WAR file was created during step f in the previous section.

e. Enter the name of the application as "CreditCardService".

f. Provide "/CreditCardValidator" as the value of the Map to URL attribute.

g. Click Deploy.

The above steps complete the deployment of the Credit Card Web Service to Oracle9iAS.

Prepare the Online Store application

a. Open the workspace "WS_Security.jws" from the JSPApplication directory.

b. Edit the file ConnectionParams.java and substitute the variable values with your settings. Make sure to use "security" and "security" as the username and password.

c. This application needs a proxy stub for accessing the Web Service. This stub can be acquired by accessing the Web Service as follows:
http://<hostname>:<port>/CreditCardValidator/CreditCardValidator?proxy_source
where <hostname> is the machine on which Oracle9iAS is running and <port> is the Oracle HTTP Server port.

d. Save the zip file in any convenient directory and extract the file CreditCardValidatorInterfaceProxy.java into the <temp>/JSPApplication/src/oracle/otnsamples/webservices/security directory.
Note: <temp> is the directory where you initially extracted this application.

e. Click on the project WS_Security.jpr and add the file CreditCardValidatorInterfaceProxy.java to this project.

f. Walk through the source to understand this file. Add the following lines to the method validateCard():

System.setProperty("ssl.SocketFactory.provider","oracle.security.ssl.OracleSSLSocketFactoryImpl");
System.setProperty("ssl.ServerSocketFactory.provider","oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
System.setProperty("java.protocol.handler.pkgs","HTTPClient");
System.setProperty("oracle.wallet.location","/home1/otn9i/ClientCert/wallet.txt");
System.setProperty("oracle.wallet.password","client12");

Note: The parameters oracle.wallet.location and oracle.wallet.password should be changed as per your settings. Remember, we exported the client certificate in text format. The value for oracle.wallet.location should be the complete path to this text file. Specify client12 as the value of the oracle.wallet.password parameter, as this was the password given while creating the client wallet. Two things to keep in mind beyond the sample: these are JVM-wide system properties, so they need to be set only once rather than on every call, and hard-coding the wallet password in source means anyone with a copy of the EAR has it; read it from a file that only the Oracle9iAS account can read instead.

g. Edit the file CreditCardValidatorInterfaceProxy.java. Change the value of the m_soapURL variable to use https and the https port.

For example,
private String m_soapURL = "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator";
should be changed to
private String m_soapURL = "https://insn104a.idc.oracle.com:4443/CreditCardValidator/CreditCardValidator";

Note: 4443 is the port on which we set up Oracle HTTP Server to use SSL. If this change is skipped, the store still works but sends the card number to the Web Service in clear text, so it is worth verifying the scheme before deploying.

h. Now we have to compile this application. For compiling it, we need to have the Oracle Java SSL libraries in the CLASSPATH. The libraries jsse.jar, jcert.jar and jssl-1_2.jar can be added to the project's classpath as follows:

Right click on WS_Security.jpr -> Project Settings -> Development -> Libraries -> New. Provide a name for this library and click on Edit to add the jar files. Click OK to dismiss this dialog box. Make sure this library is in the "Selected Libraries" list.

i. Right click on WS_Security.jpr -> Build Project. The project should compile without any errors.

j. Right click on webapp2.deploy and choose to deploy to an EAR file. This step creates an EAR in the JSPApplication directory.

The above steps prepare the application, which can now be deployed.
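Steps f and g above leave the wallet password in the application source and repeat the System.setProperty calls on every call to validateCard(). The class below is an added example written for this tutorial, not code from the sample jar or from Oracle. It reads the wallet location and password from a properties file kept outside the deployed application (the file name wallet.properties, the class name and the startup-hook placement are assumptions), sets the same five system properties once per JVM, rewrites the generated proxy's m_soapURL to the HTTPS port, and refuses to proceed if the endpoint is not https. Only the property names given on this page and the standard Java library are used.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Properties;

/** Client-side SSL setup for the Online Store's calls to the Credit Card Web Service.
 *  Added example: the Oracle property names come from the tutorial; file names, class
 *  name and layout are assumptions. */
public final class OracleSslClientSetup {

    private static boolean configured = false;

    /** Reads oracle.wallet.location and oracle.wallet.password from a file that is kept
     *  outside the WAR/EAR and readable only by the account running OC4J
     *  (assumed path, e.g. /home1/otn9i/ClientCert/wallet.properties). */
    static Properties loadWalletSettings(File settingsFile) throws IOException {
        Properties p = new Properties();
        FileInputStream in = new FileInputStream(settingsFile);
        try {
            p.load(in);
        } finally {
            in.close();
        }
        String location = p.getProperty("oracle.wallet.location");
        String password = p.getProperty("oracle.wallet.password");
        if (location == null || password == null) {
            throw new IOException("wallet.properties must set oracle.wallet.location and oracle.wallet.password");
        }
        File wallet = new File(location);
        if (!wallet.isFile() || !wallet.canRead()) {
            // Fail at startup rather than with an obscure SSL error on the first purchase.
            throw new IOException("exported wallet is not readable: " + wallet.getAbsolutePath());
        }
        return p;
    }

    /** Applies the five properties the tutorial adds to validateCard(), but only once per JVM.
     *  System properties are JVM-global, so this belongs in a startup hook (for example a
     *  ServletContextListener), not in the per-request path. */
    static synchronized void configure(Properties walletSettings) {
        if (configured) {
            return;
        }
        System.setProperty("ssl.SocketFactory.provider",
                           "oracle.security.ssl.OracleSSLSocketFactoryImpl");
        System.setProperty("ssl.ServerSocketFactory.provider",
                           "oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
        System.setProperty("java.protocol.handler.pkgs", "HTTPClient");
        System.setProperty("oracle.wallet.location",
                           walletSettings.getProperty("oracle.wallet.location"));
        System.setProperty("oracle.wallet.password",
                           walletSettings.getProperty("oracle.wallet.password"));
        configured = true;
    }

    /** Rewrites the endpoint the proxy generator emitted (plain HTTP on the Oracle HTTP
     *  Server port) to the SSL port, keeping host, path and query unchanged. */
    static String toHttps(String soapUrl, int httpsPort) throws MalformedURLException {
        if (soapUrl.toLowerCase().startsWith("https://")) {
            return soapUrl;                       // already on SSL, leave it alone
        }
        URL u = new URL(soapUrl);                 // http:// parses without any extra handler
        if (!"http".equalsIgnoreCase(u.getProtocol())) {
            throw new MalformedURLException("expected an http endpoint: " + soapUrl);
        }
        return "https://" + u.getHost() + ":" + httpsPort + u.getFile();
    }

    /** Guard to call before sending card data: never fall back to clear-text HTTP. */
    static void requireHttps(String soapUrl) throws MalformedURLException {
        if (!soapUrl.toLowerCase().startsWith("https://")) {
            throw new MalformedURLException("refusing to send card data over plain HTTP: " + soapUrl);
        }
    }

    public static void main(String[] args) throws Exception {
        String endpoint = toHttps(
            "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator", 4443);
        requireHttps(endpoint);
        System.out.println("SOAP endpoint: " + endpoint);
        if (args.length == 1) {
            // Optional: java OracleSslClientSetup /home1/otn9i/ClientCert/wallet.properties
            configure(loadWalletSettings(new File(args[0])));
            System.out.println("Oracle SSL client properties set from " + args[0]);
        }
    }
}
```

Call configure() once when the Web application starts and keep validateCard() free of property handling. The generated proxy's m_soapURL is a private field, so either edit it as step g describes or hand the proxy the value returned by toHttps(); in both cases run requireHttps() on whatever URL the proxy will actually use, since a forgotten edit silently downgrades the call to clear-text HTTP.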

Deploy the Online Store application to Oracle9iAS

a. Access the Enterprise Manager Web site at http://<hostname>:1810

Provide the admin user name and password as per your settings. The default username is ias_admin and the password is the one given during Oracle9iAS installation.

b. Go to the OC4J_home component by clicking on the link.

c. Click on the "Deploy EAR file" button in the OC4J_home page.

d. Skip Step 1 of 8. In Step 2, click on the "Browse" button and choose the file OTNStore.ear from the JSPApplication directory. This EAR file was created as part of preparing this application. Enter the name of the application as OTNStore. Click Next.

e. In Step 3, make sure that the value for URL Binding is /WS_Security. Click Next.

f. Skip Steps 4, 5, 6 and 7. In Step 8, click on the "Deploy" button.

The application is now deployed as an Enterprise application to Oracle9iAS and can be accessed as described in the "Running the sample on Oracle9iAS" section of the Readme.

Web Services Security with PKI

Online Product Store: implementing security with Web Services through PKI

Table Of Contents
● Overview of the sample application
● Installation and Configuration
● Description of Sample files
● Running the sample on Oracle9iAS

Overview of the sample application

This sample demonstrates an e-business application that secures its use of a Web Service with PKI. Web Services are gaining momentum in the industry, and companies have started accepting them as a new way to conduct business over the Web. Web Services currently revolve around three specifications: SOAP, WSDL and UDDI. These have reached a stage of maturity, and the focus now is on security for Web Services. There are two levels at which Web Services can be secured:

● Security at the transport level
● Security at the XML (message) level

Security at Transport level

Implementing security at the transport level means securing the network protocol a Web Service uses for communication. SSL is the industry-accepted standard protocol for encrypted communication over TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a Web Service and then sends and receives SOAP messages over this socket using HTTP (that is, HTTPS). The SSL implementation ensures privacy and integrity by encrypting and authenticating all the network traffic on the socket. SSL can also authenticate the Web Service to the client using a digital certificate issued by a Certificate Authority, provided the client checks that the certificate chains to a CA it trusts and was issued to the host it is connecting to.

Security at XML level

Some standards are available for securing Web Services at the XML level:

● XML Encryption
● XML Digital Signature
● XKMS (XML Key Management Specification)
● SAML (Security Assertion Markup Language)

Because the standards for security at the XML level are in their infancy, this sample secures the Web Service at the transport level using the PKI infrastructure.

Three application users are created when you run the SQL scripts as described in the Install.html file. Use the following credentials to access this application (the card numbers are test data):

User Id   Password   Credit Card Number
C101      welc0me    1234567887654321
C102      otn        1234567887654322
C103      welcome    1234567887654323

This sample application requires a user ID and a password for login. After logging in with the credentials above, a user is shown a catalog of products from which items can be added to a shopping cart. When the user decides to purchase the items, the application asks for a credit card number. Once the user enters the credit card number listed above for the user ID in use, the application contacts the Credit Card Web Service via SSL, thereby demonstrating how to access a Web Service securely.

Installation and Configuration

Refer to Install.html for step-by-step instructions on extracting files, installing and configuring any other systems to successfully run this sample application.

Description of Sample Files

The sample is provided as a jar file. This jar file contains all the files required for the sample.

Filename                     Description
Readme.html                  This file
Install.html                 Instructions for setting up this sample application on Oracle9iAS
InstallContd.html            Continuation of the instructions for setting up this sample
sql\Security.sql             SQL script that sets up the data required by the Online Store; the tables are created in the "security" user schema
sql\Creditdb.sql             SQL script that sets up the data required by the Credit Card Web Service; the tables are created in the "creditdb" user schema
CreditCardService directory  Source of the Credit Card Web Service and the supporting files
JSPApplication directory     Source of the Online Product Store and the supporting files

Running the sample using Oracle9iAS

1. Install the sample application on Oracle9iAS using the instructions given in the Install.html file.

2. Access the application using the following URL

http://<hostname>:<port>/WS_Security/Login.jsp

where <hostname> is the machine on which your Oracle9iAS is running and <port> is the port at which your Oracle HTTP Server is running.

Example: http://incq210a.idc.oracle.com:7777/WS_Security/Login.jsp

Note that this URL uses plain HTTP, so the user's password and credit card number travel unencrypted between the browser and the Online Store; only the hop from the Online Store to the Credit Card Web Service is protected by SSL. With the default Oracle9iAS configuration the same application is also reachable on the SSL port set up in Install.html, so use https://<hostname>:4443/WS_Security/Login.jsp if that leg needs protecting as well.

Please enter your comments about this sample in the OTN Sample
code discussion forum.

Web Services Security Sample Install document

Web Services Security Sample Installation

This document presents the following topics:

● Required software
● Installation steps

Required Software

● Oracle Database Server Version 9.2.0 or higher
● Oracle9iAS Release 2 - Installation should contain Oracle HTTP Server and OC4J
● Oracle9i JDeveloper

You may download this software from the OTN site.

Installation Steps

1. Extract the Sample
2. Get a Server Certificate
3. Get a Client Certificate
4. Set up Oracle9iAS to use this Certificate
5. Database Setup
6. Oracle Java SSL libraries
7. Compile the Web Service
8. Deploy the Web Service to Oracle9iAS through Enterprise Manager
9. Prepare the Online Store application
10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager

Extract the Sample

This sample is provided as a jar file. Extract WS_Security.jar into a directory of your choice as follows:

jar xvf WS_Security.jar

Get a Server Certificate

For setting up the PKI infrastructure, this sample needs digital certificates, which can be acquired from any CA. For this sample, we will get a test certificate from VeriSign. A test certificate is signed by a test root that no browser or client trusts by default, so it is suitable only for this exercise.

1. Create a directory called ServerCert on the machine where Oracle9iAS is installed.

2. Start Oracle Wallet Manager by running the following command from the IAS_HOME/bin directory:

$ ./owm

3. Click on Wallet/New to create a new Wallet. This step asks for a wallet password.

Enter "server12" as the wallet password. This is the value that the SSLWalletPassword directive in httpd.conf will have to match later; the client wallet created in the next section uses "client12".

Enter "server12" to confirm the wallet password. Then click on Yes to create a new certificate request.

4. Enter the following information:

Common Name : OTN_SAMPLE
Organization Unit : Your Group Name e.g. 'OTN'
Organization : Your company Name e.g. 'Oracle'
Locality\City : Your City Name e.g. 'Bangalore'
State/Province : Your State Name e.g. 'Karnataka'
Country : Choose Appropriate Country Name

Note: for a server certificate the Common Name should normally be the fully qualified host name that clients use to reach the server, because browsers and most SSL clients compare the two. OTN_SAMPLE is kept here to follow the sample as published; expect browsers to warn about the name mismatch when you verify the setup later.

Choose a key size of 1024 bits, as the sample does; note that 1024-bit RSA is no longer considered adequate, and 2048 bits or more should be used for any real deployment. Click OK, OK. This generates a Certificate Request which you can send to any Certificate Authority.

5. Click on the menu 'Certificate:[Requested]'. This displays a window in which the Certificate Request is shown. Note that the Certificate Request starts with

-----BEGIN NEW CERTIFICATE REQUEST-----

and ends with

-----END NEW CERTIFICATE REQUEST-----

6. Click on 'Operations/Export Certificate Request' to export the Certificate Request to a local file. Enter the file name as 'client.cer.req'. Save this file in the ServerCert directory created in step 1.

7. Minimize Oracle Wallet Manager. Note: Do not close OWM; just minimize it.

8. Generating test certificates:

Using your favorite editor, open the file 'client.cer.req' created in step 6.

Open your favorite browser and go to http://www.verisign.com, then follow the steps given below.

a. Click on the Free SSL trial ID link on the right hand side.
b. In the resulting page, enter your personal information as applicable.
c. Read the instructions and click Continue.
d. In Step 1, click Continue.
e. In Step 2, copy and paste the CSR from the client.cer.req file into the text box shown and click Continue.
f. In Step 3, provide your information. Make sure you provide a valid email address. Click Accept.

You will receive the certificate at the mail address you specified in Step 3.

Copy and paste your certificate into a local file named 'client.cer' in the ServerCert directory.

Note: Copy the lines from and including the line
-----BEGIN CERTIFICATE-----
up to and including the line
-----END CERTIFICATE-----

9. The mail also contains links to the Root Certificate with whose key your certificate was signed. Follow the link and click Accept. This installs the root certificate in your browser (use Internet Explorer).

10. Then open IE and choose Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities. Search for "For VeriSign authorized testing only. No assurances." and click on Export. Choose the "Base64 encoded X.509 (.CER)" format and click Next. Save the file as verisignroot.cer in the ServerCert directory. You will be importing this verisignroot.cer file into the Oracle Wallet.

11. Now open (maximize) your Oracle Wallet Manager. Click on 'Trusted Certificates'. Using 'Operations/Import Trusted Certificate', import the root certificate as follows. Check the option 'Select a file that contains the Trusted Certificate'. Click OK. Choose the file 'verisignroot.cer' from the ServerCert directory.

12. Now import the user certificate obtained earlier into this wallet. Select 'Operations/Import User Certificate'. Check the option 'Select a file that contains the Certificate'. Click OK. Choose the file 'client.cer' from the ServerCert directory.

13. Save the wallet (Wallet/Save As) in the ServerCert directory, since httpd.conf will later point at that directory. Then close the wallet using 'Wallet/Close' and exit OWM using 'Wallet/Exit'.

This completes the steps for preparing a Wallet for PKI Credential Management.

Get a Client Certificate

a. Create a directory called ClientCert, then follow steps 2 through 13 of the "Get a Server Certificate" section again for the client wallet. Give "client12" as the password for this wallet. While providing information for creating a Certificate Signing Request, give wss as the value for the Common Name attribute. Save the generated certificate and the root certificate in the ClientCert directory as client.cer and root.cer. Save the wallet in the ClientCert directory. The remaining steps are the same.

b. One more step is needed. Click on Operations -> Export Wallet. Save the file as wallet.txt in the ClientCert directory. This exported file holds the wallet's private key as well as its certificates, and the Online Store will open it with the password from step a, so make it readable only by the account that runs Oracle9iAS.

Setup Oracle9iAS to use this Certificate

a. Open the file httpd.conf available in the IAS_HOME/Apache/Apache/conf directory.

b. Search for the parameter "SSLWallet" and provide the directory where you saved the first (server) wallet, e.g. ServerCert:

SSLWallet file:/home1/otn9i/ServerCert

c. Search for the parameter "SSLWalletPassword" and provide "server12" as the value. This is the password we gave while creating the server wallet:

SSLWalletPassword server12

Because the wallet password now sits in clear text in httpd.conf, make sure that file and the ServerCert directory are readable only by the account that runs Oracle HTTP Server.

d. Restart Oracle HTTP Server. Restarting Oracle HTTP Server with the new settings enables Oracle9iAS to use the newly acquired certificate for SSL. You can check this by accessing the URL

https://<yourhostname>:4443/

where <yourhostname> is the host on which Oracle9iAS is running and 4443 is the https port. The server presents the certificate issued by VeriSign, allowing you to confirm that your setup is correct. Expect the browser to warn that the certificate's name (OTN_SAMPLE) does not match the host name and, on any machine other than the one where you imported the test root in step 9, that the issuer is not trusted; open the certificate details and confirm that the subject and issuer are the ones you requested.
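Step d checks the server certificate by eye in a browser. The class below is an added example, not part of the tutorial's sample code, that performs the same check programmatically using the standard Java JSSE API rather than the Oracle Java SSL libraries the sample uses at runtime. It trusts only the test root exported in step 10 (verisignroot.cer), refuses the connection if the server's chain does not lead to it, and then compares the certificate's Common Name with the host name it dialled, which is the check browsers perform and which the OTN_SAMPLE Common Name from step 4 fails. It also illustrates the "SSL can authenticate the Web Service to the client" point made in the Readme and Design sections. Host, port and root-certificate path are command-line arguments; the class name is the only other assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Connects to the SSL port of Oracle HTTP Server and reports what the server certificate
 *  proves. Added example using standard JSSE (JDK 1.4 or later); not part of the sample. */
public class CheckServerCert {

    /** Builds an SSLContext whose only trust anchor is the CA certificate in rootCerPath
     *  (the Base64 .CER file exported from the browser in step 10). */
    static SSLContext contextTrustingOnly(String rootCerPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(rootCerPath);
        X509Certificate root;
        try {
            root = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                        // empty in-memory trust store
        trust.setCertificateEntry("test-root", root);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client key: server auth only
        return ctx;
    }

    /** Extracts the CN attribute from an RFC 2253 subject such as
     *  "CN=OTN_SAMPLE,OU=OTN,O=Oracle,L=Bangalore,ST=Karnataka,C=IN".
     *  Adequate for the names this tutorial produces; escaped commas are not handled. */
    static String commonName(X509Certificate cert) {
        String[] parts = cert.getSubjectX500Principal().getName().split(",");
        for (int i = 0; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.startsWith("CN=")) {
                return p.substring(3);
            }
        }
        return null;
    }

    /** Performs the handshake and returns true only if the chain validates to the test root
     *  AND the certificate was issued to the host name we dialled. */
    static boolean serverIsWhoWeDialled(String host, int port, String rootCerPath) throws Exception {
        SSLSocket sock = (SSLSocket) contextTrustingOnly(rootCerPath)
                .getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();   // throws SSLHandshakeException if the chain is not trusted
            X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            leaf.checkValidity();    // throws if the test certificate has already expired
            String cn = commonName(leaf);
            System.out.println("subject : " + leaf.getSubjectX500Principal().getName());
            System.out.println("issuer  : " + leaf.getIssuerX500Principal().getName());
            System.out.println("expires : " + leaf.getNotAfter());
            boolean nameMatches = cn != null && cn.equalsIgnoreCase(host);
            if (!nameMatches) {
                System.out.println("WARNING: certificate CN '" + cn + "' is not the host '" + host
                        + "'; browsers and hostname-verifying clients will reject this server.");
            }
            return nameMatches;
        } finally {
            sock.close();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CheckServerCert <host> <https-port> <verisignroot.cer>");
            System.exit(2);
        }
        boolean ok = serverIsWhoWeDialled(args[0], Integer.parseInt(args[1]), args[2]);
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as java CheckServerCert <yourhostname> 4443 /home1/otn9i/ServerCert/verisignroot.cer. With the certificate requested in step 4 the chain check passes but the name check fails and the program exits with status 1, because the Common Name is OTN_SAMPLE rather than the host name; if any client other than this sample will ever connect, reissue the server certificate with the fully qualified host name as its Common Name.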

Design

The Online Product Store demonstrates an e-Business application that uses Web Services to handle credit card-based transactions. There are two ways to ensure security with Web Services:

● Security at XML level. Options include XML Encryption, XML Digital Signature, XKMS (XML Key Management Specification), and SAML (Security Assertion Markup Language). These protect the SOAP message itself, so the protection survives intermediaries and persists after the message has left the wire.
● Security at the transport level. Implementing security at the transport level means securing the network protocol a Web Service uses for communication. SSL is the industry-accepted standard protocol for secured, encrypted communication over TCP/IP. In this model, a Web Service client uses SSL to open a secure socket to a Web Service. The client then sends and receives SOAP messages over this secured socket using HTTPS. The SSL implementation takes care of ensuring privacy and integrity by encrypting and authenticating all the network traffic on the socket. SSL can also authenticate the Web Service to the client using the PKI infrastructure. Note that this protects the message only between the two SSL endpoints; once decrypted at the server it is an ordinary SOAP message, and any proxy or intermediary that terminates SSL can read it.

Because the standards for enabling security at XML level are in their infancy, OTN
developers opted for security at the transport level using SSL and the PKI infrastructure.
Oracle9iAS provides a solid framework for building and deploying Web applications using
the Apache-based Oracle HTTP Server, Oracle9iAS Containers for J2EE, and
Oracle9iAS Portal, which use the advanced security functionality provided by Oracle9iAS
Infrastructure. Oracle9iAS Infrastructure consists of Oracle9iAS Metadata Repository,
Oracle Internet Directory, Oracle9iAS Single Sign-On, and Oracle Management Server.

This sample application requires a user ID and a password for login. Three users are
created by running SQL scripts given in the Install.html file. Following is the information
for accessing this application.

User ID   Password   Credit Card Number
C101      welc0me    1234567887654321
C102      otn        1234567887654322
C103      welcome    1234567887654323

By providing credentials, a user gains access to a catalog of products from which they
can add items to their shopping cart. To buy products, a user checks out and enters a
credit card number, and this application contacts the Credit Card Web Service via SSL,
thereby demonstrating how to access a Web Service securely.

The directory structure of the sample code is as shown below (Xxx represents the top-level directory).

Directory              Files                            Description
Xxx\docs               Readme.html                      Gives an overview of the application.
Xxx\docs               Install.html, InstallContd.html  These files describe how to install and deploy the application.
Xxx\sql                Security.sql                     Sets up the data required by the Online Product Store; the tables are created in the "security" user schema.
Xxx\sql                Creditdb.sql                     Sets up the data required by the Credit Card Web Service; the tables are created in the "creditdb" user schema.
Xxx\CreditCardService  *.java                           Source of the Credit Card Web Service and the supporting files.
Xxx\JSPApplication     *.java                           Source code and supporting files for the Online Product Store.

Required Software

You can download the sample application source code (35 KB) from:

● http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar

The following software is required to build and run this tutorial. OTN members can
download developer-license versions of these products for free.

● Oracle9i Database Server Version 9.2.0 or higher.
● Oracle9iAS Release 2 - Installation must include Oracle HTTP Server and OC4J.
● Oracle9i JDeveloper - Version 9.0.2 or higher.

See the Setup section for information about installing and running the tutorial.

file:///D|/otnDocs/sample_code/tutorials/wspki/reqsw.htm [01/29/2003 12:12:46 PM]


Setup

Setup

This section lists the steps to install and configure the tutorial. It assumes that you have
installed and configured the software described in the Required Software section.

1. Extract the Sample


2. Get a Server Certificate
3. Get a Client Certificate
4. Set up Oracle9iAS to use this Certificate
5. Database Setup
6. Oracle Java SSL libraries
7. Compile the Web Service
8. Deploy the Web Service to Oracle9iAS through Enterprise Manager
9. Prepare the Online Store application
10. Deploy the Online Store application to Oracle9iAS through Enterprise Manager

file:///D|/otnDocs/sample_code/tutorials/wspki/setup.htm [01/29/2003 12:12:47 PM]


Implementation

Implementation

This sample application achieves security by deployment to Oracle9i Application Server


(Oracle9iAS). There is nothing unusual about the code that implements the Web Service.
The key is to follow the steps presented in the Setup section of this tutorial. The steps
involve a slight modification of the Web Service source code, as explained in the Prepare
the Online Store application section.

Oracle9iAS security starts from the well-tested and highly configurable Web security
services provided by Oracle HTTP Server, adds a comprehensive set of Web single sign-
on services, and extends them further with centralized user provisioning that is available
in Oracle Internet Directory, an LDAP, version 3-compliant directory service. In addition,
Oracle9iAS provides the Oracle implementation of Java Authorization and Authentication
Services (JAAS) for J2EE application security, and extensive portal authorization and
application integration mechanisms. Oracle9iAS also supports secure access to Oracle
database systems using Oracle Advanced Security.

Oracle9i Application Server Implementation of Public Key


Infrastructure (PKI)

The Oracle9i Application Server PKI implementation provides a variety of security


services, in compliance with industry-standard specifications. It incorporates a whole
suite of products and features, including the following:

Secure Sockets Layer The Secure Sockets Layer (SSL) is an application layer
protocol that can be employed for certificate-based
authentication. All of the major components of Oracle9iAS
support SSL.

file:///D|/otnDocs/sample_code/tutorials/wspki/impl.htm (1 of 2) [01/29/2003 12:12:48 PM]


Implementation

Oracle Wallets An Oracle wallet is a container in which certificates and


trusted certificates are stored and managed. These data
structures securely store a user private key, a user
certificate, and a set of trusted certificates (the list of root
certificates which the user trusts).

Oracle Wallet Manager This is a Java-based application that security administrators


use to manage public-key security credentials on both
Oracle clients and servers. It creates an Oracle wallet.
Oracle Wallet Manager creates a public-private key pair and
manages credentials for a user. It issues PKCS#10
certificate requests to the certificate authority, and installs
the certificate in the wallet. It ships with trusted certificates
from VeriSign, RSA, and Baltimore CyberTrust, and can use
a site's own in-house certificate authority.

Oracle Internet Oracle Internet Directory, an LDAP V3-compliant directory


Directory built on the Oracle9i database, helps to enable PKI-based
single sign-on. It enables you to securely manage the user
and system configuration environment, including security
attributes and privileges, for users authenticated using X.509
certificates. Oracle Internet Directory enforces attribute-level
access control, enabling the directory to restrict read, write,
or update privileges on specific attributes to specific named
users (for example, a security administrator). It also supports
protection and authentication of directory queries and
responses through SSL encryption.

file:///D|/otnDocs/sample_code/tutorials/wspki/impl.htm (2 of 2) [01/29/2003 12:12:48 PM]


Web Services Security Sample Install document

Web Services Security Sample Installation

This document presents following topics:

● Required software
● Installation steps

Required Software

● Oracle Database Server Version 9.2.0 or higher


● Oracle9iAS Release 2 - Installation should contain Oracle HTTP Server and
OC4J
● Oracle9i JDeveloper

You may download this software from OTN site.

Installation Steps

1. Extract the Sample


2. Get a Server Certificate
3. Get a Client Certificate
4. Set up Oracle9iAS to use this Certificate
5. Database Setup
6. Oracle Java SSL libraries
7. Compile the Web Service
8. Deploy the Web Service to Oracle9iAS through Enterprise Manager
9. Prepare the Online Store application
10. Deploy the Online Store application to Oracle9iAS through Enterprise
Manager

Extract the Sample

This sample is provided as a jar file. Extract WS_Security.jar in any directory of your
choice. The jar can be extracted as follows:

jar xvf WS_Security.jar


Get a Server Certificate

To set up the PKI infrastructure, this sample needs digital certificates, which can
be acquired from any CA. For this sample, we will get a test certificate from Verisign.

1. Create a directory called ServerCert on the machine where Oracle9iAS is installed.

2. Start Oracle Wallet Manager by running the following command from the
IAS_HOME/bin directory:

$ ./owm

3. Click on Wallet/New Option, to create a new Wallet. This step asks for a wallet
password.

Enter "client12" as the wallet password.

Enter "client12" to confirm the wallet password. Then click on Yes to create a new
certification request.

4. Enter the following information:

Common Name : OTN_SAMPLE
Organization Unit : Your Group Name e.g. 'OTN'
Organization : Your company Name e.g. 'Oracle'
Locality\City : Your City Name e.g. 'Bangalore'
State/Province : Your State Name e.g. 'Karnataka'
Country : Choose Appropriate Country Name

Choose key size as 1024 bits. Click OK, OK. This generates a Certificate Request
which you can send to any Certificate Authority.

5. Click on the menu 'Certificate:[Requested]'. This displays a window in which the
Certificate Request is displayed. Note that the Certificate Request starts with

------- BEGIN NEW CERTIFICATE REQUEST -----

and ends with

------- END NEW CERTIFICATE REQUEST -----


6. Click on 'Operations/Export Certificate Request' to export the Certificate
Request to a local file. Enter the file name as 'client.cer.req'. Save this file in the
ServerCert directory created in step 1.

7. Minimize Oracle Wallet Manager. Note: Do not close OWM; just minimize it.

8. Generating test certificates:

Using your favorite editor, open the file 'client.cer.req' created in Step 6.

Open your favorite browser and go to the location:

http://www.verisign.com

Follow the steps given below.
a. Click on the Free SSL trial ID link on the right-hand side.
b. In the resulting page, enter your personal information as applicable.
c. Read the instructions and click Continue.
d. In Step 1, click Continue.
e. In Step 2, copy and paste the CSR from the client.cer.req file into the textbox shown
and click Continue.
f. In Step 3, provide your information. Make sure you provide a valid email
address. Click Accept.

You will get the certificate at the mail address you specified in Step 3.

Copy and paste your certificate into a local file named 'client.cer' in the ServerCert
directory.

Note: Copy and paste the lines from and including the line -----BEGIN CERTIFICATE-----
up to and including the line -----END CERTIFICATE-----.
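The note above asks for exactly the lines from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. A mail client adds greetings and signatures around the block, sometimes re-wraps its lines, and a paste that drops a line is only discovered later when the wallet import fails. The following Python script is an added example, not part of the sample or of Oracle Wallet Manager: it pulls the block out of the saved mail text, checks that the body is valid base64 and that it decodes to one complete DER SEQUENCE (the outer structure of every X.509 certificate and PKCS#10 request), and rewrites it as a clean PEM file. SAMPLE_MAIL and its base64 body are constructed placeholders, not a real certificate. As a generalization of the note, the label parameter also handles the NEW CERTIFICATE REQUEST block shown in step 5.

```python
import base64
import re

# Constructed sample of what a mail client might show. The base64 body is a
# placeholder DER SEQUENCE (INTEGER 1), not a real certificate.
SAMPLE_MAIL = """Dear customer,

Your trial certificate is below. Install it on your server.

-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----

Regards,
The CA
"""


def check_der_sequence(der, label="CERTIFICATE"):
    """Check that `der` is exactly one complete DER SEQUENCE (tag 0x30).

    A truncated paste, or trailing junk, shows up here as a mismatch between
    the encoded length and the number of bytes actually present. Returns the
    total length on success.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError(f"{label} does not start with an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:                 # short form: one length byte
        header, length = 2, first
    else:                            # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError(f"{label} has a malformed DER length")
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    if header + length != len(der):
        raise ValueError(
            f"{label} is truncated or has trailing data: "
            f"expected {header + length} bytes, got {len(der)}")
    return len(der)


def der_to_pem(der, label="CERTIFICATE"):
    """Encode DER as PEM with the standard 64-character body lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def extract_pem_block(text, label="CERTIFICATE"):
    """Return the first PEM block with `label` from `text`, normalized.

    Raises ValueError if the block is missing, its body is not valid base64,
    or the decoded bytes are not one complete DER SEQUENCE.
    """
    pattern = re.compile(
        r"-----BEGIN " + re.escape(label) + r"-----(.*?)-----END "
        + re.escape(label) + r"-----", re.S)
    match = pattern.search(text)
    if not match:
        raise ValueError(f"no {label} block found")
    body = "".join(match.group(1).split())     # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:                   # binascii.Error is a ValueError
        raise ValueError(f"{label} body is not valid base64: {exc}") from None
    check_der_sequence(der, label)
    return der_to_pem(der, label)


def is_well_formed(text, label="CERTIFICATE"):
    """True if `text` contains a usable PEM block with the given label."""
    try:
        extract_pem_block(text, label)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python pem_check.py saved_mail.txt   (writes client.cer)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MAIL
    with open("client.cer", "w", encoding="utf-8") as out:
        out.write(extract_pem_block(source))
    print("wrote client.cer")
```

Run it against the saved mail before importing into the wallet; a ValueError names the problem (missing markers, bad base64, truncated structure) instead of an opaque import failure later.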

9. The mail also contains links to the Root Certificate with whose key your
certificate was signed. Follow the link and click Accept. This installs the root
certificate in your browser. (Use Internet Explorer.)

10. Then open IE, choose Tools -> Internet Options -> Content -> Certificates ->
Trusted Root Certificate Authorities. Search for "For VeriSign authorized testing
only. No assurances." and click on Export. Choose "Base64 encoded X.509 (.CER)"
format and click Next. Save the file as verisignroot.cer in the ServerCert directory.
You will be importing this verisignroot.cer file into the Oracle Wallet.

11. Now, open (maximize) your Oracle Wallet Manager. Click on 'Trusted
Certificates'. Using 'Operations/Import Trusted Certificate', import the root
certificate as follows. Check the option 'Select a file that contains Trusted
Certificate'. Click OK. Choose the file 'verisignroot.cer' from the ServerCert
directory.

12. Now import the user certificate obtained earlier into this wallet. Select
'Operations/Import User Certificate'. Check the option 'Select a file that contains
the Certificate'. Click OK. Choose the file 'client.cer' from the ServerCert
directory.

13. Using the 'Wallet/Close' option, close the Wallet. Using the 'Wallet/Exit' option,
exit the OWM.

This completes the steps for preparing a Wallet for PKI Credential Management.

Get a Client Certificate

a. Follow steps c through m in the "Get a Server Certificate" section. Give
"client12" as the password for this wallet. While providing information for creating
a Certificate Signing Request, give wss as the value for the Common Name
attribute. Save the generated certificate in the ClientCert directory as client.cer and
root.cer. Save the wallet in the ClientCert directory. The remaining steps are
the same.

b. One additional step is needed. Click on the Operations -> Export Wallet
option. Save the file as wallet.txt in the ClientCert directory.

Set up Oracle9iAS to use this Certificate

a. Open the file httpd.conf available in the IAS_HOME/Apache/Apache/conf
directory.

b. Search for a parameter called "SSLWallet" and provide the directory where you
have saved the first wallet, e.g. ServerCert:

SSLWallet file:/home1/otn9i/ServerCert

c. Search for a parameter called "SSLWalletPassword" and provide "server12" as
the value. This is the password that was given while creating the wallet:

SSLWalletPassword server12

d. Restart Oracle HTTP Server. Restarting Oracle HTTP Server with the new
settings enables Oracle9iAS to use the newly acquired certificate for SSL. You can
check this by accessing the URL

https://<yourhostname>:4443/

where <yourhostname> is the host on which Oracle9iAS is running and 4443 is
the https port. The server will present the certificate issued by Verisign, allowing
you to confirm that your setup is correct.
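Step d checks the server certificate by eye in a browser. The script below is an added example, not part of the sample, that does the same check from the command line: it trusts only the verisignroot.cer exported in step 10 (the file path and the host name on the command line are assumptions), requires the chain to validate, and then checks the subject CN, the issuer and the validity dates itself. Host-name matching is switched off because the certificate was requested for the Common Name OTN_SAMPLE rather than for the host name; a browser reports that as a name mismatch, and the explicit CN check stands in for it here. SAMPLE_CERT is a constructed dictionary in the shape that getpeercert() returns, so the checking function can be exercised without a running server.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns after a
# successful handshake. Names and dates are placeholders, not a real
# VeriSign test certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "IN"),),
        (("organizationName", "Oracle"),),
        (("organizationalUnitName", "OTN"),),
        (("commonName", "OTN_SAMPLE"),),
    ),
    "issuer": ((("commonName", "Example Test Root CA"),),),
    "notBefore": "Jan 15 00:00:00 2003 GMT",
    "notAfter": "Jan 29 23:59:59 2003 GMT",
}


def rdn_to_dict(rdns):
    """Flatten the subject/issuer tuple-of-tuples from getpeercert() to a dict."""
    flat = {}
    for rdn in rdns:
        for key, value in rdn:
            flat[key] = value
    return flat


def cert_seconds(cert_time):
    """Parse a getpeercert() timestamp such as 'Jan 29 23:59:59 2003 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def check_peer_cert(cert, expected_cn, expected_issuer_cn=None, now=None):
    """Return a list of problems with the presented certificate (empty = OK).

    The chain is already validated against the trust store by the SSL
    context; this covers what the context does not: the subject CN we asked
    the CA for (OTN_SAMPLE, not the host name), the expected issuer, and that
    the validity window contains `now` (time.time() unless pinned by a test).
    """
    problems = []
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    if subject.get("commonName") != expected_cn:
        problems.append(
            f"subject CN is {subject.get('commonName')!r}, expected {expected_cn!r}")
    if expected_issuer_cn and issuer.get("commonName") != expected_issuer_cn:
        problems.append(
            f"issuer CN is {issuer.get('commonName')!r}, expected {expected_issuer_cn!r}")
    now = time.time() if now is None else now
    if "notBefore" in cert and cert_seconds(cert["notBefore"]) > now:
        problems.append(f"certificate not valid before {cert['notBefore']}")
    if "notAfter" in cert and cert_seconds(cert["notAfter"]) < now:
        problems.append(f"certificate expired on {cert['notAfter']}")
    return problems


def fetch_peer_cert(host, port=4443, cafile="ServerCert/verisignroot.cer"):
    """Connect over TLS and return the server certificate as a dict.

    Only the exported test root (assumed path) is trusted, so a certificate
    from any other CA fails the handshake. Host-name matching is disabled
    because the CN is OTN_SAMPLE; check_peer_cert() checks the CN instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED     # chain validation stays on
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # Usage: python check_server_cert.py <yourhostname>
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    presented = fetch_peer_cert(target)
    for line in check_peer_cert(presented, "OTN_SAMPLE") or ["certificate OK"]:
        print(line)
```

A server of this vintage negotiates SSLv3 or TLS 1.0 at best; a current OpenSSL build refuses those by default, so reaching it may require lowering the context's minimum_version where the build still permits that. The check logic is independent of how the certificate was obtained.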



Database Setup

a. Log into SQL*Plus as system/manager.

b. Create two users "security" and "creditdb" as follows:

SQL> create user security identified by security;
SQL> grant all privileges to security;
SQL> create user creditdb identified by creditdb;
SQL> grant all privileges to creditdb;

c. Log into SQL*Plus as security/security. Run the file Security.sql, which creates the tables
needed by this application and populates the tables with data.

SQL> @d:\<temp>\sql\Security.sql

where <temp> is the directory where you have extracted this sample.

d. Log into SQL*Plus as creditdb/creditdb. Run the file Creditdb.sql, which creates the tables
needed by this application and populates the tables with data.

SQL> @d:\<temp>\sql\Creditdb.sql

where <temp> is the directory where you have extracted this sample.

Oracle Java SSL libraries

The files jcert.jar, jsse.jar and jssl-1_2.jar are needed for running this sample. They are available
in the following directories:

jsse.jar - <IAS_HOME>/lib
jcert.jar - <IAS_HOME>/jdk/jre/lib/ext
jssl-1_2.jar - <IAS_HOME>/jlib

Copy them to <IAS_HOME>/jdk/jre/lib/ext directory so that these classes are loaded by the
System class loader.


Note: If this step is not followed, the application will throw a ClassNotFoundException.

Compile the Web Service

a. From the command prompt, traverse to the CreditCardService\src directory.

b. Edit the file ConnectionParams.java and substitute the variable values with your settings. Make
sure to have the username and password as "creditdb" and "creditdb".

c. Make sure to have classes12.jar (JDBC library) in the CLASSPATH. This library is available in
IAS_HOME/jdbc/lib directory.

d. Compile the source files as follows

javac *.java

e. Copy the created class files into WEB-INF\classes directory.

f. Go to the parent directory CreditCardService and create a WAR file as follows

jar -Mcvf CreditCardValidator.war WEB-INF\*

This creates a WAR file in the CreditCardService directory.

Deploy the Web Service to Oracle9iAS through Enterprise Manager

a. Access the Enterprise Manager Web Site at http://<hostname>:1810. Provide the admin user
name and password as per your settings. The default username is ias_admin and the password is
the one given during Oracle9iAS installation.

b. Go to the OC4J_home component by clicking on the link.

c. Click on the "Deploy WAR file" button in the OC4J_home page.

d. In the Deploy Web Application page, click on the "Browse" button and select the
CreditCardValidator.war file from the CreditCardService directory. Please note that this WAR file
was created during the execution of step f in the previous section.


e. Mention the name of the application as "CreditCardService".

f. Provide "/CreditCardValidator" as the value to the Map to URL attribute.

g. Click Deploy.

The above steps complete the deployment of the Credit Card Web Service to Oracle9iAS.

Prepare the Online Store application

a. Open the workspace "WS_Security.jws" from the JSPApplication directory.

b. Edit the file ConnectionParams.java and substitute the variable values with your settings.
Make sure to have the username and password as "security" and "security".

c. This application needs a proxy stub for accessing the Web Service. This stub can be acquired
by accessing the Web Service as follows:
http://<hostname>:<port>/CreditCardValidator/CreditCardValidator?proxy_source
where <hostname> is the machine on which Oracle9iAS is running and <port> is the Oracle HTTP
Server port.

d. Save the zip file in any convenient directory and extract the file
CreditCardValidatorInterfaceProxy.java into the
<temp>/JSPApplication/src/oracle/otnsamples/webservices/security directory.
Note: <temp> is the directory where you initially extracted this application.

e. Click on the project WS_Security.jpr and add the file CreditCardValidatorInterfaceProxy.java to
this project.

f. Walk through the source to understand this file. Add the following lines in the method
validateCard():

System.setProperty("ssl.SocketFactory.provider","oracle.security.ssl.OracleSSLSocketFactoryImpl");
System.setProperty("ssl.ServerSocketFactory.provider","oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
System.setProperty("java.protocol.handler.pkgs","HTTPClient");
System.setProperty("oracle.wallet.location","/home1/otn9i/ClientCert/wallet.txt");
System.setProperty("oracle.wallet.password","client12");

Note: The parameters oracle.wallet.location and oracle.wallet.password should be changed as
per your settings. Remember, we exported the client certificate in text format. The value for
oracle.wallet.location should be the complete path to this text file. Ensure that you specify
client12 as the value of the oracle.wallet.password parameter, as this was the password given
while creating the client wallet.

g. Edit the file CreditCardValidatorInterfaceProxy.java. Change the value of the m_soapURL
variable to use https and the https port.

For example,
private String m_soapURL = "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator";
should be changed to
private String m_soapURL = "https://insn104a.idc.oracle.com:4443/CreditCardValidator/CreditCardValidator";

Note: This is the port on which we have set up Oracle HTTP Server to use SSL.
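Steps f and g configure the Java client through process-wide system properties, with the wallet location and its password written into the source. The Python script below is an added example, not the sample's code and not Oracle's HTTPClient, of the same client-side setup for a tool that calls the service from outside the JVM: the service URL is rewritten to https on port 4443 exactly as step g does, the TLS context trusts only the exported test root, presents the client certificate, and takes the key password from the environment rather than from the source. The PEM file paths under ClientCert, the CLIENT_KEY_PASSWORD variable and the validateCard operation element are assumptions: Python cannot read the Oracle wallet, so the certificate and key are assumed to be available as PEM files, and the real operation name and parameters come from the service's WSDL, which the page does not reproduce.

```python
import os
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HTTPS_PORT = 4443  # the SSL port configured for Oracle HTTP Server in this sample


def to_https_url(url, https_port=HTTPS_PORT):
    """Rewrite the plain-HTTP service URL to https:// on the SSL port (step g).

    Only the scheme and port change; the path is kept so the same endpoint
    is reached, now through the encrypted listener.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return urlunsplit(("https", f"{parts.hostname}:{https_port}",
                       parts.path, parts.query, parts.fragment))


def build_client_context(cafile, certfile=None, keyfile=None, key_password=None):
    """TLS context for calling the service.

    cafile is the exported test root, so only certificates chaining to it are
    accepted. certfile/keyfile are the client certificate and private key in
    PEM form (assumed to have been exported from the wallet). The key
    password is passed in by the caller, never written into the source.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False              # server CN is OTN_SAMPLE, not the host
    ctx.verify_mode = ssl.CERT_REQUIRED     # chain validation stays on
    if certfile:
        ctx.load_cert_chain(certfile, keyfile, password=key_password)
    return ctx


def soap_envelope(body_xml):
    """Wrap an operation element in a SOAP 1.1 envelope."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        f"<SOAP-ENV:Body>{body_xml}</SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def call_service(service_url, body_xml, ctx, soap_action=""):
    """POST a SOAP request to the service using the context's TLS settings."""
    request = urllib.request.Request(
        to_https_url(service_url),
        data=soap_envelope(body_xml).encode("utf-8"),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{soap_action}"'},
        method="POST",
    )
    with urllib.request.urlopen(request, context=ctx, timeout=15) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Hypothetical operation element; take the real name and parameters
    # from the service's WSDL.
    body = "<validateCard><cardNumber>1234567887654321</cardNumber></validateCard>"
    context = build_client_context(
        cafile="ClientCert/root.cer",                 # assumed PEM paths
        certfile="ClientCert/client.cer",
        keyfile="ClientCert/client.key",
        key_password=os.environ.get("CLIENT_KEY_PASSWORD"),
    )
    print(call_service(
        "http://insn104a.idc.oracle.com:7777/CreditCardValidator/CreditCardValidator",
        body, context))
```

Keeping the trust anchor explicit (cafile) matters with a test root: it is not in any default trust store, and adding it to the system store would make every certificate that root ever signed trusted by every program on the machine, not just this client.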

h. Now we have to compile this application. For compiling it, we need to have the Oracle Java
SSL libraries in the CLASSPATH. The libraries jsse.jar, jcert.jar and jssl-1_2.jar can be added to
the project's classpath as follows:

Right click on WS_Security.jpr -> Project Settings -> Development -> Libraries -> New. Provide
a name for this library and click on Edit to add the jar files. Click OK to dismiss this dialog box.
Make sure to have this library in the "Selected Libraries" list.

i. Right click on WS_Security.jpr -> Build Project. The project should compile without any errors.

j. Right click on webapp2.deploy and choose to deploy to an EAR file. This step creates an EAR
file in the JSPApplication directory.

The above steps prepare the application, which can now be deployed.

Deploy the Online Store application to Oracle9iAS

a. Access the Enterprise Manager Web Site at http://<hostname>:1810. Provide the admin user
name and password as per your settings. The default username is ias_admin and the password is
the one given during Oracle9iAS installation.

b. Go to the OC4J_home component by clicking on the link.


c. Click on the "Deploy EAR file" button in the OC4J_home page.

d. Skip Step 1 of 8. In Step 2, click on the "Browse" button and choose the file OTNStore.ear from
the JSPApplication directory. This EAR file was created as part of preparing this application.
Mention the name of the application as OTNStore. Click Next.

e. In Step 3, make sure that the value for URL Binding is /WS_Security. Click Next.

f. Skip Steps 4, 5, 6 and 7. In Step 8, Click on the "Deploy" button.

The application will now be deployed as an Enterprise application to Oracle9iAS. The application
can now be accessed as shown here.


Resources

Following are links to resources that can help you understand and apply the concepts and techniques
presented in this tutorial. See the Required Software section to obtain the tutorial source code and related
files.

Resource                                                URL
Oracle9i Application Server Security Guide              http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm
OTN Web Services Technology Center                      http://otn.oracle.com/tech/webservices/content.html
Oracle by Example: Build a Secure Internet Data Center  http://otn.oracle.com/products/oracle9i/htdocs/9iober2/obe9ir2/player_otn.htm


Feedback

If you have questions or comments about this tutorial, you can:

● Post a message in the OTN Sample Code discussion forum. OTN developers and
other experts monitor the forum.

● Send email to the author. mailto:Robert.Hall@oracle.com

If you have suggestions or ideas for future tutorials, please send email to:

● mailto:Raghavan.Sarathy@oracle.com



Web Services Security with PKI

Online Product Store implementing security with Web Services through PKI

Table Of Contents
● Overview of the sample application
● Installation and Configuration
● Description of Sample files
● Running the sample on Oracle9iAS

Overview of the sample application


This sample demonstrates an e-Business application which implements
security with Web services using PKI. Web Services are gaining momentum in
the industry, and companies have started accepting them as a new way to
conduct business over the Web. Web Services currently revolve around three
important protocols: SOAP, WSDL and UDDI. These protocols have reached a
stage of maturity, and the focus now is on security with Web Services. There
are two ways in which we can ensure security with Web Services. They are:

● Security at Transport level
● Security at XML level

Security at Transport level

Implementing security at the transport level means securing the network
protocol that a Web Service uses for communication. SSL is the industry-accepted
standard protocol for secure, encrypted communications over TCP/IP. In this
model, a Web Service client uses SSL to open a secure socket to a Web Service.
The client then sends and receives SOAP messages over this secured socket
using HTTP. The SSL implementation ensures privacy by encrypting all the
network traffic on the socket. SSL can also authenticate the Web Service to the
client using a digital certificate issued by a Certificate Authority.

Security at XML level

There are some standards available for securing Web Services at XML
level. They are:

● XML Encryption
● XML Digital Signature API
● XKMS (XML Key Management Specification)
● SAML (Security Assertion Markup Language)

Since the standards for enabling security at the XML level are in their infancy,
this sample aims at securing Web Services at the transport level using the PKI
infrastructure.

3 application users are created as part of running the SQL scripts as given
in the Install.html file. Following is the information for accessing this
application:

User Id   Password   Credit Card Number
C101      welc0me    1234567887654321
C102      otn        1234567887654322
C103      welcome    1234567887654323

This sample application requires a User Id and a password for login. Once the
sample users provide the above-mentioned credentials, they can access the
functionality provided by this application. After logging in successfully, users
are shown a catalog of products from which they can add items to their shopping
cart. When they decide to purchase the items, they can choose to buy the
products, at which point this application requires the users to enter their credit
card numbers. Once the users enter the credit card number shown above for the
User Id they have used, this application contacts the Credit Card Web Service via
SSL, thereby demonstrating how to access a Web Service securely.


Installation and Configuration


Refer to Install.html for step-by-step instructions on extracting files,
installing and configuring any other systems to successfully run this sample
application.

Description of Sample Files


The sample is provided as a jar file. This jar file contains all the files
required for the sample.

Filename                     Description
Readme.html                  This file
Install.html                 Instructions for setting up this sample application on Oracle9iAS
InstallContd.html            Continuation of the instructions for setting up this sample
sql\Security.sql             SQL script required for setting up the data required by the Online
                             store, which will be created in the "security" user schema
sql\Creditdb.sql             SQL script required for setting up the data required by the Credit
                             Card Web Service, which will be created in the "creditdb" user schema
CreditCardService directory  Directory containing the source of the Credit Card Web Service and
                             the supporting files
JSPApplication directory     Directory containing the source of the Online Product store and the
                             supporting files

Running the sample using Oracle9iAS


1. Install the sample application on Oracle9iAS using the instructions
given in the Install.html file.


2. Access the application using the following URL

http://<hostname>:<port>/WS_Security/Login.jsp,

where <hostname> is the machine on which your Oracle9iAS is running and <port>
is the port at which your Oracle HTTP Server is running.

Example: http://incq210a.idc.oracle.com:7777/WS_Security/Login.jsp

Please enter your comments about this sample in the OTN Sample
code discussion forum.
