fred's integration blog

Matter faced during integration project

Wednesday, March 30, 2011

enable LDAP over SSL (LDAPS) in OC4J

To enable LDAP over SSL in OC4J, the certificate used by the LDAP server must be imported on the LDAP client side. More specifically, it is imported into the default keystore used by the JVM. The steps to do that are:

1. Upload the certificate (mycert.cer) to your server.

2. Connect to your server and go to the directory:
PATH_TO_ORACLE_INSTALL/ias/product/asmt_10131/jdk/jre/lib/security

3. Import the certificate: keytool -import -keystore cacerts -alias myAlias -file /home/j_smith/sgsroot.cer

4. By default the password for the keystore is changeit

5. Accept the import and that is it: the certificate has been added to the keystore.

6. Then in OC4J you need to set LDAPS instead of LDAP and probably specify the correct port.
At this point do not try to press the "Test LDAP Authorization" button as it will not work.
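
Since the "Test LDAP Authorization" button cannot confirm the result, the import can be checked outside OC4J. The following is an added example, not code from the original post: it opens a TLS connection to the LDAPS port using the JVM's trust store and reports whether the server certificate is accepted. The class name and the host and port arguments are assumptions.

```java
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example: does this JVM's trust store accept the LDAPS server certificate?
public class LdapsTrustCheck {
    // SHA-256 fingerprint to compare with the value supplied by the LDAP administrator
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java LdapsTrustCheck <ldap-host> <ldaps-port>");
            System.exit(2);
        }
        // Default factory = this JVM's trust store (cacerts or -Djavax.net.ssl.trustStore)
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]));
        try {
            // Require the certificate to match the host name as well (Java 7+)
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws if chain or host name is not accepted
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject: " + x.getSubjectX500Principal());
                System.out.println("  expires: " + x.getNotAfter());
                System.out.println("  SHA-256: " + fingerprint(x));
            }
            System.out.println("OK: certificate accepted by this JVM");
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
            System.exit(1);
        } finally {
            socket.close();
        }
    }
}
```

Run it with a Java 7 or later JDK and pass -Djavax.net.ssl.trustStore pointing at the cacerts file from step 2, so that the check uses the keystore OC4J will use.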

Thursday, February 17, 2011

Using AD authentication with OC4J within Oracle Enterprise Manager

Here are the steps to authenticate a WAR application using AD.

1. Set up your file WEB-INF/web.xml in your web application with settings similar to above:


2. As I set the group name in web.xml to be the one in Active Directory, I don't need to edit or add the file META-INF/orion-application.xml. If you need to, do it with settings similar to above:


3. Deploy your application to your Oracle Enterprise Manager

4. Log on to your Oracle Enterprise Manager, select the application you want to secure, select Administration, select Security Provider, click Change Security Provider and select "Oracle Security Provider for 3rd Party LDAP Server".
The settings I used are the following:


Note that we used LDAPS, that is, LDAP over SSL. If you use this option too, you need to add the certificate used to secure your LDAP server to your JVM keystore.
Also note that you will not be able to test your connection through the "Test LDAP Authorization" button. It will always respond false.

5. You would then need to restart your application.

Sunday, September 12, 2010

Connecting to Ariba with a Java API

To connect to Ariba, you use the Ariba Integration Toolkit. It consists of Java libraries and batch scripts.
Using the batch scripts was awkward for us, as it meant we had to schedule 2 jobs: one to retrieve the files from Ariba and another to process them.

A much easier solution was to call the Ariba Java library directly from our Java code. To do that we had to dig into the batch file and decompile the Java code.
Then, to call the Ariba Java API, you simply add the Ariba libraries to your classpath and call the following code:

public class CallAriba {

    public static void main(String[] args) {
        // Build the same argument list the toolkit's batch script would pass
        String[] s = buildArg();
        // Call the toolkit's entry point directly (Ariba libraries on the classpath)
        ariba.filetransferclient.Main.main(s);
    }

    private static String[] buildArg() {
        String[] arguments = {
            "get",
            "-url", "https://s1.ariba.com/Buyer/filedownload?realm=myCompanyRealm",
            // Placeholder value: read the real shared secret from protected
            // configuration instead of compiling it into the class
            "-sharedSecret", "myCompanySharedSecret",
            "-downloadDir", "C:/temp/ariba",
            "-timestampFile", "C:/temp/ariba/time.txt",
            "-filePrefix", "OK2Pay",
            "-logFile", "C:/temp/ariba/logs/log-test.log",
            "-proxyHost", "10.0.225.201",
            "-proxyPort", "8080",
            "-unzipDirs", "false",
            "--",
            "-event", "Export Payment Requests"};
        return arguments;
    }
}

Wednesday, March 3, 2010

Sending SOAP request with JDK library



import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

// The post showed only the method; the wrapper class name is arbitrary.
public class SoapSender {

    private static synchronized String sendSOAPRequest(String soapMsg, String webserviceMethod, String soap_Endpoint) throws Exception {
        try {
            URL url = new URL(soap_Endpoint);
            // set up the HTTP connection to the service
            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
            connection.setRequestMethod("POST");
            connection.setDoOutput(true);
            connection.setDoInput(true);

            // create SOAP request
            connection.setUseCaches(false);
            connection.setRequestProperty("Content-type", "text/xml; charset=iso-8859-1");
            connection.setRequestProperty("SOAPAction", webserviceMethod);
            System.out.println("SOAP-Endpoint: " + url);
            System.out.println("SOAP-Action: " + webserviceMethod);

            // send SOAP request, encoded with the charset declared in the Content-type header
            byte[] bytes = soapMsg.getBytes("ISO-8859-1");
            connection.setRequestProperty("Content-length", String.valueOf(bytes.length));
            OutputStream out = connection.getOutputStream();
            out.write(bytes);
            out.close();

            // read SOAP response; a SOAP fault arrives as HTTP 500 on the error stream
            BufferedReader in;
            try {
                in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
            } catch (IOException e) {
                if (connection.getResponseCode() == 500)
                    in = new BufferedReader(new InputStreamReader(connection.getErrorStream()));
                else
                    throw e;
            }
            // handle the SOAP response (line breaks are dropped)
            StringBuilder in_buffer = new StringBuilder(8192);
            String temp;
            while ((temp = in.readLine()) != null) {
                in_buffer.append(temp);
            }
            in.close();
            return in_buffer.toString();
        } catch (Exception e) {
            System.out.println("!!! Exception: " + e);
            throw e;
        }
    }
}

Tuesday, February 16, 2010

BPEL and Oracle Siebel CRM On Demand

When integrating OCOD (aka Oracle Siebel CRM On Demand) using BPEL and a Java application,
issues arise with:
1. keeping the credentials session open with Oracle CRM On Demand, because OCOD accepts only 10 concurrent sessions and it is faster to re-use an existing session
2. OCOD refusing 2 requests made without 50 ms between them
3. the session needing to be reset if the OCOD server restarts

An option is to add the session id to the end point of the partner link in the BPEL process.
Another option is to use Java embedded code in BPEL to log in to and log off from OCOD.

Those 2 options did not really fit our requirements: too slow, not scalable, dodgy to maintain, etc.

Our approach has been to use a proxy between our BPEL engine and OCOD.
All partner links to OCOD from our BPEL process use this proxy as their end point. Thus all calls from our application to OCOD go through this proxy.

It consists of a Java web application deployed as a WAR file (11Kb). It manages:
- sessions
- authentication (so no password in clear text inside our BPEL process)
- the 50 ms wait that must exist between each request to OCOD

The code for this proxy is located here:

You can check it out like this:

# Non-members may check out a read-only working copy anonymously over HTTP.
svn checkout http://ocod-proxy.googlecode.com/svn/trunk/ ocod-proxy-read-only
The idea is to make it public so that anybody can use it and report any issues they meet.
Tell me if you want to modify and enhance it; I would provide access to the SVN repository.
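
The three responsibilities of such a proxy (session reuse, credentials kept on the proxy side, 50 ms spacing) can be sketched as follows. This is an added example, not the ocod-proxy code from the repository above; every name in it is hypothetical, and the login and the request are stand-ins for the real OCOD calls.

```java
import java.util.concurrent.Callable;

// Added example with hypothetical names: one shared session, calls spaced 50 ms apart.
public class OcodGate {
    public interface Request<T> { T send(String sessionId) throws Exception; }
    // Thrown by a Request when OCOD rejects the session, e.g. after a server restart.
    public static class SessionRejected extends Exception { }

    private static final long MIN_GAP_MS = 50;
    private final Callable<String> login; // logs in with credentials only the proxy holds
    private String sessionId;             // reused across calls, never returned to callers
    private long lastCallMs;

    public OcodGate(Callable<String> login) { this.login = login; }

    private void pause() throws InterruptedException {
        long wait = lastCallMs + MIN_GAP_MS - System.currentTimeMillis();
        if (wait > 0) Thread.sleep(wait);
    }

    // synchronized: one request at a time, so a single session serves every caller
    public synchronized <T> T call(Request<T> request) throws Exception {
        for (int attempt = 1; ; attempt++) {
            if (sessionId == null) {
                pause();                       // the login is itself a request to OCOD
                sessionId = login.call();
                lastCallMs = System.currentTimeMillis();
            }
            pause();
            try {
                return request.send(sessionId);
            } catch (SessionRejected e) {
                sessionId = null;              // force a fresh login on the next pass
                if (attempt == 2) throw e;     // the new session was rejected too
            } finally {
                lastCallMs = System.currentTimeMillis();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        OcodGate gate = new OcodGate(new Callable<String>() {
            public String call() { return "constructed-session-id"; } // stand-in login
        });
        for (int i = 0; i < 3; i++) {
            System.out.println(gate.call(new Request<String>() {
                public String send(String sid) { return "sent with " + sid; }
            }));
        }
    }
}
```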



Wednesday, November 25, 2009

Using OWSM and BPEL PM behind a proxy

We use OWSM and BPEL PM to consume services outside our network.
Nothing too fancy so far; we had to modify the JVM settings and add the following parameters:

-Dhttp.proxySet=true
-Dhttp.proxyHost=proxy_server
-Dhttp.proxyPort=listen_port
-Dhttp.nonProxyHosts=*localhost|*domain.com

In our case this was:
-Dhttp.proxySet=true
-Dhttp.proxyHost=www-proxy.outsourcing.com
-Dhttp.proxyPort=80
-Dhttp.nonProxyHosts=*outsourcing.com

Do not forget to add your localhost as non-proxy.
The JVM settings can be accessed through the OC4J console or by editing the file

ORACLE_HOME/opmn/conf/opmn.xml

Then we had to consume an HTTPS service and added the settings:
-Dhttps.proxySet=true
-Dhttps.proxyHost=www-proxy.outsourcing.com
-Dhttps.proxyPort=80
-Dhttps.nonProxyHosts=*outsourcing.com

The case has to be exactly that, and restarting only the OC4J instance is not enough: you have to restart the JVM.
Also note that this cannot be changed without a restart.

Tuesday, October 20, 2009

Consuming Web Services with Jakarta Commons HttpClient

Consuming web services with Jakarta Commons HttpClient can be useful because it lets you reuse all the APIs provided by HttpClient.
The example below queries a web service that requires HTTP authentication. We could also use that mechanism for NTLM or proxy authentication.
More generally, for all authentication done in the HTTP layer rather than the SOAP layer, HttpClient is a good candidate.

To run this code you need the HttpClient and HttpCore libraries. I used versions 4.0 and 4.0.1.

You also need Commons Codec: I used version 1.4.

To consume Web Services protected with NTLM (sic), you can refer to this page: http://www.luigidragone.com/networking/ntlm.html

So here's the code:


package org.apache.http.examples.client;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicHeader;
import org.apache.http.util.EntityUtils;

/**
 * A simple example that uses HttpClient to execute an HTTP request against a
 * target site that requires user authentication.
 */
public class ClientAuthentication {

    private static final String XML_DATA =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> "
        + "<soap:Body xmlns:ns1=\"http://xmlns.oracle.com/SensorBPEL\">" + "<ns1:SensorBPELProcessRequest><ns1:input>toto</ns1:input></ns1:SensorBPELProcessRequest>"
        + "</soap:Body></soap:Envelope>";

    public static void main(String[] args) throws Exception {
        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            // The AuthScope limits these credentials to this host and port.
            // They are hard-coded for the demo and travel over plain HTTP here.
            httpclient.getCredentialsProvider().setCredentials(new AuthScope("ch0016188", 8888), new UsernamePasswordCredentials("frederic_agneray", "pass"));

            HttpPost httpPost = new HttpPost("http://ch0016188:8888/gateway/services/SID0003006");
            httpPost.setHeader(new BasicHeader("Content-Type", "text/xml;charset=UTF-8"));
            httpPost.setHeader(new BasicHeader("SOAPAction", "process"));
            StringEntity s = new StringEntity(XML_DATA, "UTF-8");
            httpPost.setEntity(s);

            System.out.println("executing request " + httpPost.getRequestLine());
            HttpResponse response = httpclient.execute(httpPost);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            if (entity != null) {
                System.out.println("Response content length: " + entity.getContentLength());
                System.out.println(EntityUtils.toString(entity));
                entity.consumeContent();
            }
        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }
    }
}