While using Oracle BPM APIs in a project, most of us quite often come across the requirement of storing the BPM Administrator user's credentials, which are needed to create the BPMContext. One of the most commonly used techniques is to store the username and password in a properties file. For security reasons, the password is encrypted before it is stored in the properties file. This serves the purpose in most cases.
In some of my recent engagements I faced a challenge with this approach, as the SOA Infrastructure Team (managed by the client) said that they would not hand over the BPM Administrator user's credentials to the Application Team to store on the application side. They also change the password of the BPM Administrator user frequently, which would require much more coordination if it were stored on the application side (for example, in a properties file).
The solution for this scenario was to use the WebLogic Credential Store. We created a credential map through Enterprise Manager, into which the SOA Infrastructure Team keys in the BPM Administrator user name and password. Whenever they change the user's password, it is up to them to log in to EM and update the password in the Credential Store. We programmatically read the username and password from this Credential Store.
Step 1 - Create Credential Store
a. Log on to Enterprise Manager.
b. Go to Weblogic Domain >> Security >> Credentials
c. Create a map and a key within the map.
Remember the map and the key name. In the code we will refer to this map and key to retrieve the username and password.
Step 2 - Edit system-jazn-data.xml file
Open <MW_HOME>\user_projects\domains\<DOMAIN NAME>\config\fmwconfig\system-jazn-data.xml
Scroll to the end of the file and add the following block within <jazn-policy></jazn-policy>:
<grant>
    <permissions>
        <permission>
            <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
            <name>context=SYSTEM,mapName={mapName},keyName={keyname}</name>
            <actions>read</actions>
        </permission>
    </permissions>
    <permission-set-refs>
    </permission-set-refs>
</grant>
Replace {mapName} and {keyname} with the map and key names that you configured in the Credential Store.
Step 3 - Set BpelcClasspath property
a. Log in to Enterprise Manager.
b. Go to SOA Infrastructure > SOA Administrator > BPMN properties
c. Go to "More BPMN Configuration Properties..."
d. Set the BpelcClasspath property value to <MW_HOME>/oracle_common/modules/oracle.jps/jps-manifest.jar
Step 4 - Edit WebLogic.policy file
a. Open /wlserver/server/lib/weblogic.policy and add the following grant:
grant codeBase "file:/user_projects/domains//servers/-" {
    permission oracle.security.jps.service.credstore.CredentialAccessPermission
        "context=SYSTEM,mapName={mapName},keyName={keyName}", "read";
};
Step 5 - Restart the server (admin and managed servers)
Create a Java project and add the "BC4J Securities library" to the class path.
Create a class CredentialStorePoc as follows:
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.JpsServiceLocator;
import oracle.security.jps.service.ServiceLocator;
import oracle.security.jps.service.credstore.PasswordCredential;
import oracle.security.jps.service.credstore.CredentialStore;

public class CredentialStorePoc {
    public CredentialStorePoc() {
        super();
    }

    // Looks up the OPSS CredentialStore service and reads the credential stored under map/key.
    private static PasswordCredential _getCredentials(String map, String key) throws JpsException {
        ServiceLocator locator = JpsServiceLocator.getServiceLocator();
        CredentialStore credentialStore = locator.lookup(CredentialStore.class);
        return (PasswordCredential) credentialStore.getCredential(map, key);
    }

    // The store is read inside doPrivileged so that the CredentialAccessPermission
    // granted in system-jazn-data.xml / weblogic.policy applies to this code.
    public static String getCredentials(final String map, final String key) {
        PasswordCredential credentials;
        PrivilegedExceptionAction<PasswordCredential> action = new PrivilegedExceptionAction<PasswordCredential>() {
            public PasswordCredential run() throws JpsException {
                return _getCredentials(map, key);
            }
        };
        try {
            credentials = AccessController.doPrivileged(action);
        } catch (PrivilegedActionException e) {
            throw new RuntimeException(e);
        }
        // Proof-of-concept output only: getPassword() returns a char[], so it has to be
        // converted to print the actual value. Never log the password outside a test.
        System.out.println(credentials.getName());
        System.out.println(new String(credentials.getPassword()));
        return credentials.getName();
    }
}
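As an added example (not code from the original post), the following hardened variant of the same lookup handles the failure modes the proof of concept leaves open: a missing or non-password credential under the map/key (the cast above would otherwise fail on null), a missing CredentialAccessPermission grant (surfaces as an AccessControlException out of doPrivileged), and the password lingering in memory. The class name, the CredentialUser interface and the error messages are my own, not part of OPSS.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.JpsServiceLocator;
import oracle.security.jps.service.credstore.Credential;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

public final class CredentialStoreAccess {

    /** Hypothetical callback: receives the credential; the password copy is wiped after it returns. */
    public interface CredentialUser<T> {
        T use(String userName, char[] password) throws Exception;
    }

    private CredentialStoreAccess() {}

    // Read the store inside doPrivileged, as the CredentialAccessPermission grant requires.
    private static PasswordCredential lookup(final String map, final String key) throws PrivilegedActionException {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<PasswordCredential>() {
            public PasswordCredential run() throws JpsException {
                CredentialStore store = JpsServiceLocator.getServiceLocator().lookup(CredentialStore.class);
                Credential cred = store.getCredential(map, key);
                if (!(cred instanceof PasswordCredential)) { // also covers null (nothing stored)
                    throw new IllegalStateException("no PasswordCredential at map=" + map + " key=" + key);
                }
                return (PasswordCredential) cred;
            }
        });
    }

    // Hands username/password to the caller's code without ever turning the password into a String.
    public static <T> T withCredential(String map, String key, CredentialUser<T> user) throws Exception {
        PasswordCredential cred;
        try {
            cred = lookup(map, key);
        } catch (AccessControlException e) { // unchecked, so not wrapped in PrivilegedActionException
            throw new IllegalStateException("read grant for context=SYSTEM,mapName=" + map
                    + ",keyName=" + key + " is missing from system-jazn-data.xml / weblogic.policy", e);
        }
        char[] password = cred.getPassword().clone(); // wipe our own copy, not the store's object
        try {
            return user.use(cred.getName(), password);
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

A caller passes the map and key from Step 1 and uses the credentials inside the callback, for example to build the BPMContext; the password array is zeroed as soon as the callback returns.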