Usage of Evaluate WSS Username Token Action

1. INTRODUCTION

This tutorial explains the configuration and usage of the runtime action "Evaluate WSS Username Token" using CentraSite and wM Mediator.

The Evaluate WSS Username Token runtime policy enforcement helps to

  • Identify the consumer application making the request for the virtual service by the WSS Username Token carried in the request, when the identify option is turned on

  • Validate that WSS Username Token against the set of global or pre-registered consumer applications deployed in wM Mediator

Refer to the introduction page for general information on consumer identification in wM Mediator.

2. PRE-REQUISITE

  1. Knowledge of the basics of the wM Mediator runtime.
  2. Keystore & Truststore configured in Integration Server and Mediator: refer to " Configuration of Certificates in Integration Server and wM Mediator " in the Overview of WS-Security documentation here.

3. SUMMARY

Steps involved when using the Evaluate WSS Username Token action in CentraSite and wM Mediator:

  1. Create a Consumer Application (eg. MyConsumers) with an identification token and deploy it to wM Mediator, so that it can be matched during the virtual service invocation.
  2. Create a virtual alias (eg. VS_EchoWS_WSSUsername) in the CentraSite BusinessUI with the Evaluate WSS Username Token action.
  3. Deploy the virtual alias to the wM Mediator target.
  4. Invoke the virtual alias deployed in Mediator from SoapUI with one of the consumers of the previously created Consumer Application.
  5. Validate and troubleshoot.

4. CONFIGURATIONS

4.1. Create a Consumer Application with Identification token

  1. Login to the CentraSite Control UI and create a Consumer Application asset with one or more values in the “Identification Token” attribute, eg. Administrator, Developers, … Each value is a WSS Username that the action will match to this consumer application at runtime.

  2. Navigate to Operations → Deployment and open the " Deploy Consumers " tab. Select " Pending Changes " and invoke “Synchronize…” to deploy the Consumer Application to wM Mediator.

  3. Validate that the deployed consumer application carries the expected attribute in wM Mediator:

Open the wM Mediator page, http://<mediator_host>:5555/WmMediator, and click the “Consumers” link.

Verify that the deployed Consumer Application is listed, as in the example below.

4.2. Create a virtual alias in BusinessUI with Evaluate WSS Username Token action

Perform the following steps to create a virtual alias with the Evaluate WSS Username Token action:

  1. Login to the BusinessUI and open a service details page.
  • Click the “Virtualize” action to get the Virtualization wizard screen.
  • Provide the alias name in the “Create a New Virtual Alias” input box (eg. VS_EchoWS_WSSUsername).
  • Select an endpoint from the list of “Endpoints to Virtualize” and click “Next”.

4.3. Configure WSS Username token policy

  1. Navigate to the “Policy Enforcement” heading → " Security " and drag & drop the " Evaluate WSS Username Token " action into the “Enforce” message flow.
  2. Click the configure icon, which appears on mouse hover over the “Evaluate WSS Username Token” text in the message flow.
  3. Select one of the following options to identify the consumer(s):
  • " Global Consumers " (relax) - wM Mediator verifies the client’s WSS Username against the list of all global consumers available in wM Mediator.
  • " Registered Consumers " (strict) - wM Mediator verifies the client’s WSS Username against only those consumer applications which are registered as consumers of this specific API.
  • " Do not identify " - the consumer is not identified, but the UsernameToken present in the header is still evaluated, and the request is then sent to the native service.

In all three modes the policy fails if the expected UsernameToken value(s) are not present in the request header; "Do not identify" relaxes the consumer lookup, not the requirement that a token be supplied.

  4. Invoke " Virtualize " to complete the virtualization.

Optional step: apply the Log Invocation policy to the virtual service and select CentraSite as the destination of the log data. This is only required to generate the runtime events used for validation in section 6.

  5. The native service asset details page is displayed on successful completion of the virtualization.

5. DEPLOY AND VALIDATE THE DEPLOYMENT

Open the native service (eg. EchoWS) asset details and invoke the "Publish" action.
Choose the alias (eg. VS_EchoWS_WSSUsername) in the "Virtual Alias" list of the Publish wizard.
Select one or more Target(s) by ticking the check box(es) and trigger "Publish".

  • When the Publish is initiated, a progress window is shown until the publish process completes.
    To verify the deployed service(s) in the wM Mediator page:
  1. Open http://<mediator_host>:5555/WmMediator in a web browser and provide credentials to access the page.
  2. Click the “Services” link to list the services deployed in wM Mediator and find the virtual service named VS_EchoWS_WSSUsername.
  • After a successful deployment the VSD (virtual service definition) of the service contains a SupportingTokens policy and the matching enforcement-actions entry, as follows.
    Policy node entries

<policy id="WSSecurityPolicy">
      <!-- Namespace URIs, dropped in the page's copy of this fragment, are restored here to the
           standard WS-Policy / WS-SecurityPolicy / Rampart values (newer builds may emit the
           ws-sx/ws-securitypolicy/200702 namespace with the matching IncludeToken URI).
           The keystore path and password are installation-specific. -->
      <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="WSSecurityPolicy">
        <wsp:ExactlyOne>
          <wsp:All>
            <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
              <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
              </wsp:Policy>
            </sp:SupportingTokens>
            <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
                <!-- username of UsernameToken to be used -->
                <ramp:user />
                <!-- alias of the key to be used to sign -->
                <ramp:userCertAlias>policygateway</ramp:userCertAlias>
                <ramp:passwordCallbackClass>com.softwareag.pg.security.ISPGPWCallback</ramp:passwordCallbackClass>
                <ramp:policyValidatorCbClass>com.wm.app.b2b.server.wss.ISPolicyValidatorCallback</ramp:policyValidatorCbClass>
                <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
                <ramp:signatureCrypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\SoftwareAG\IntegrationServer\instances\default\packages\WmMediator\config\resources\security\pgkeystore.jks</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">********</ramp:property>
                    </ramp:crypto>
                </ramp:signatureCrypto>
                <ramp:encryptionCrypto>
                    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.file">C:\SoftwareAG\IntegrationServer\instances\default\packages\WmMediator\config\resources\security\pgkeystore.jks</ramp:property>
                        <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">********</ramp:property>
                    </ramp:crypto>
                </ramp:encryptionCrypto>
            </ramp:RampartConfig>
          </wsp:All>
        </wsp:ExactlyOne>
      </wsp:Policy>
</policy>

Enforcement

The identify attribute carries the option chosen in section 4.3: relax for Global Consumers, strict for Registered Consumers. allow-anon="false" indicates that anonymous (unidentified) requests are not allowed.

<enforcement-actions allow-anon="false">
        <expressions>
          <expression>
            <params identify="relax" type="wssecUsernameToken" />
          </expression>
        </expressions>
</enforcement-actions>
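The decision that these two VSD entries configure, as an added example (Python, not Mediator code): it reads the wsse:UsernameToken from a SOAP request and resolves the Username to a consumer application under the identify mode relax, strict or none. The consumer registry, the per-API registration list and the sample envelope are constructed for illustration; the namespace URIs are the standard SOAP 1.1 and WS-Security 1.0 ones. What "Do not identify" evaluates beyond the token's presence is not described on this page, so only presence is modelled there.

```python
"""Model of the Evaluate WSS Username Token decision for the three identify modes
(relax = Global Consumers, strict = Registered Consumers, none = Do not identify).

Added example, not Mediator code. The consumer registry, the per-API registration
and the sample envelope are constructed; the namespace URIs are the standard
SOAP 1.1 / WS-Security 1.0 ones.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed: consumer application -> its "Identification Token" values (section 4.1).
GLOBAL_CONSUMERS: Dict[str, Set[str]] = {
    "MyConsumers": {"Administrator", "Developers"},
    "PartnerApp": {"partner"},
}
# Constructed: consumer applications registered as consumers of a specific virtual service.
REGISTERED_FOR_API: Dict[str, Set[str]] = {"VS_EchoWS_WSSUsername": {"MyConsumers"}}


class PolicyViolation(Exception):
    """The action rejects the request (Mediator answers with a SOAP fault instead of proxying)."""


def extract_username(envelope_xml: str) -> str:
    """Return wsse:Username from the first UsernameToken in the wsse:Security header.

    A missing header, token or username is a violation in every mode, including
    'Do not identify', which still requires the token to be present.
    """
    root = ET.fromstring(envelope_xml)
    token = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        raise PolicyViolation("wsse:UsernameToken not present in request header")
    username = (token.findtext("wsse:Username", default="", namespaces=NS) or "").strip()
    if not username:
        raise PolicyViolation("wsse:Username is empty")
    return username


def evaluate(envelope_xml: str, identify: str, api: str) -> Optional[str]:
    """Return the identified consumer application, or None in 'none' mode."""
    username = extract_username(envelope_xml)
    if identify == "none":
        return None
    if identify == "relax":
        candidates = GLOBAL_CONSUMERS
    elif identify == "strict":
        allowed = REGISTERED_FOR_API.get(api, set())
        candidates = {n: t for n, t in GLOBAL_CONSUMERS.items() if n in allowed}
    else:
        raise ValueError(f"unknown identify mode: {identify!r}")
    for consumer, tokens in candidates.items():
        if username in tokens:
            return consumer
    raise PolicyViolation(f"{identify}: no consumer carries identification token {username!r}")


def sample_envelope(username: Optional[str]) -> str:
    """Constructed request in the shape of section 6; username=None omits the Security header."""
    header = ""
    if username is not None:
        header = (
            f'<wsse:Security xmlns:wsse="{NS["wsse"]}" soapenv:mustUnderstand="1">'
            f'<wsse:UsernameToken xmlns:wsu="{NS["wsu"]}" wsu:Id="UsernameToken-7">'
            f"<wsse:Username>{username}</wsse:Username>"
            "<wsse:Password>password</wsse:Password>"
            "</wsse:UsernameToken></wsse:Security>"
        )
    return (
        f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}">'
        f"<soapenv:Header>{header}</soapenv:Header>"
        "<soapenv:Body><sayHello><name>Software AG!</name></sayHello></soapenv:Body>"
        "</soapenv:Envelope>"
    )


if __name__ == "__main__":
    req = sample_envelope("Administrator")
    for mode in ("relax", "strict", "none"):
        print(mode, "->", evaluate(req, mode, "VS_EchoWS_WSSUsername"))
```

With the registry above, "Administrator" resolves to MyConsumers in both relax and strict mode, "partner" resolves to PartnerApp in relax mode only (PartnerApp is not registered for the API), and a request without the Security header is rejected even in none mode.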

6. EXECUTION AND VERIFICATION OF VIRTUAL SERVICE RUNTIME INVOCATION

  1. Find the Consumer Service WSDL URL in the Consumer Overview profile of the native service (eg. EchoWS), as shown below.
  2. Invoke the service from a SOAP client (eg. SoapUI) with a WSS Username Token in the SOAP request header.

The service request looks like the following.
Service Request


<!-- WS-Security namespace URIs are the standard ones; the EchoWS service namespace
     (prefix axis) comes from the service WSDL and is not reproduced here. -->
<soapenv:Envelope xmlns:axis="..." xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>Administrator</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Ls/qfj5IonWmZlQwLtZpWg==</wsse:Nonce>
            <wsu:Created>2014-06-11T08:37:49.130Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <axis:sayHello>
         <axis:name>Software AG!</axis:name>
      </axis:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

Sample response (the EchoWS response namespace, prefix ns, again comes from the service WSDL):

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Body>
      <ns:sayHelloResponse xmlns:ns="...">
         <ns:return>Hello Software AG!</ns:return>
      </ns:sayHelloResponse>
   </soapenv:Body>
</soapenv:Envelope>

Note that a UsernameToken of type PasswordText carries the password in clear text in the SOAP header, so the virtual service endpoint should be exposed over HTTPS only.

Verifying the result

  1. Open the virtual service (eg. VS_EchoWS_WSSUsername).
  2. Navigate to Runtime Events under Advanced Information.
  3. Select the desired target or all targets and refine the search criteria.
  4. Invoke the “Refine” button.
  5. Select the desired view, Graphical or Tabular.

[Graphical view of the runtime events]

Tabular view: verify the consumers column. In this example the consumer is identified as " MyConsumers ", the consumer application whose identification token matched the WSS Username "Administrator".

7. TROUBLESHOOTING WITH EVALUATE WSS USERNAME TOKEN ACTION

1 Exception
Failed to publish the following targets

Message
VirtualServiceDeployer.convertToService - caught this: type(com.softwareag.pg.exceptions.PGException) message(Exception Required configuration information to enable WS-Security processing is missing. Unable to process service: VS_EchoWS_WSSUsername.

Please ensure Keystore/Truststore information is configured for PGService: VS_EchoWS_WSSUsername)

Possible Solution
Configure the Keystore/Truststore information in Mediator and Integration Server (pre-requisite 2) before deploying the virtual service; without it the WS-Security processing cannot be enabled and deployment fails with this exception.

2 Exception
Fault code: wsse:InvalidSecurity

Message
Fault String:

Nonce value : Ls/qfj5IonWmZlQwLtZpWg==, already seen before for user name : Administrator. Possibly this could be a replay attack.

Possible Solution
This is the replay check working as intended: a SOAP client (SoapUI included) that re-sends a previously sent request reuses the same Nonce, and the second copy is rejected. Generate a new request with a fresh Nonce and Created value and try again.

Alternatively, if the Nonce is not wanted, remove the following line from the request. Doing so switches off the nonce-based replay detection for that request, so it is appropriate for testing only and not for an endpoint exposed beyond a test environment.

<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Ls/qfj5IonWmZlQwLtZpWg==</wsse:Nonce>
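Why the second copy of a request fails, and how a client avoids it, as an added example (Python, not SoapUI or Mediator code): it builds a UsernameToken with a fresh random Nonce and Created timestamp for every request, and models the server-side nonce cache that produces the fault above. PasswordText is emitted exactly as in the page's request; PasswordDigest is shown as the UsernameToken Profile 1.0 alternative, and whether the target accepts it is an Integration Server configuration matter not covered on this page. The cache has no expiry, which is a simplification assumed here.

```python
"""Client side: build a WSS UsernameToken with a fresh Nonce/Created per request.
Server side: a simplified model of the nonce cache behind the
"Nonce value ... already seen before for user name ..." fault.

Added example, not SoapUI or Mediator code. PasswordDigest follows the
UsernameToken Profile 1.0 rule Base64(SHA-1(nonce + created + password));
NonceCache has no expiry, which is an assumption for illustration only.
"""
import base64
import hashlib
import os
from datetime import datetime, timezone
from typing import Optional, Set, Tuple
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
SMS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"


def fresh_nonce() -> bytes:
    """16 random bytes; a new value per request is what keeps the replay check quiet."""
    return os.urandom(16)


def nonce_b64(nonce: bytes) -> str:
    """Nonce as it travels in <wsse:Nonce> (EncodingType ...#Base64Binary)."""
    return base64.b64encode(nonce).decode("ascii")


def created_now() -> str:
    """wsu:Created in the UTC form of the page's request, e.g. 2014-06-11T08:37:49.130Z."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def username_token(username: str, password: str, digest: bool = False,
                   nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Return the wsse:Security header element for one request.

    digest=False sends PasswordText exactly as the page's SoapUI request does (the
    password travels in clear, so use HTTPS); digest=True sends PasswordDigest instead.
    """
    nonce = fresh_nonce() if nonce is None else nonce
    created = created_now() if created is None else created
    if digest:
        pw_type, pw_value = UTP + "#PasswordDigest", password_digest(nonce, created, password)
    else:
        pw_type, pw_value = UTP + "#PasswordText", escape(password)
    return (
        f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">'
        f'<wsse:UsernameToken xmlns:wsu="{WSU}" wsu:Id="UsernameToken-1">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{pw_type}">{pw_value}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{SMS}#Base64Binary">{nonce_b64(nonce)}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
    )


class NonceCache:
    """Server-side model: a (username, nonce) pair is accepted once only."""

    def __init__(self) -> None:
        self._seen: Set[Tuple[str, str]] = set()

    def accept(self, username: str, nonce_b64_value: str) -> bool:
        key = (username, nonce_b64_value)
        if key in self._seen:
            # Mediator answers wsse:InvalidSecurity: "Nonce value ... already seen
            # before for user name ... Possibly this could be a replay attack."
            return False
        self._seen.add(key)
        return True


def verify_digest(nonce_b64_value: str, created: str, digest: str, password: str) -> bool:
    """What a server holding the clear-text password does with a PasswordDigest token."""
    expected = password_digest(base64.b64decode(nonce_b64_value), created, password)
    return expected == digest


if __name__ == "__main__":
    cache = NonceCache()
    n, c = fresh_nonce(), created_now()
    print(username_token("Administrator", "password", nonce=n, created=c))
    print("first send accepted:", cache.accept("Administrator", nonce_b64(n)))
    print("replayed send accepted:", cache.accept("Administrator", nonce_b64(n)))
```

Sending the same header twice prints True and then False, which is the behaviour behind the fault; a client that calls username_token() afresh for every request never hits it.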

3 Exception
Fault Code:

wsse:InvalidSecurity

Message
Fault String:

JAAS login with message level credentials has failed due to invalid credentials.

Login failure cause: ‘Login Failure: all modules ignored’

Possible Solution
The username/password in the UsernameToken did not authenticate against Integration Server's JAAS login modules. Make sure the SOAP request header carries the correct credentials of an existing Integration Server user and try again.