1. Use Cases for Securing Web Services Using Oracle Web Services Manager
  2. Securing Services for Multiple Tenants

4 Securing Services for Multiple Tenants

OWSM supports policy enforcement for multi tenant systems. OWSM can work with multiple tenant specific data-sources. OWSM enforces tenant specific security with GPA.

This chapter contains the following sections:

4.1 Use Case: Secure RESTful Web Services for Multiple Tenants

You can develop a RESTful web services and secure them for multiple tenants through tenant provisioning and enforcing tenant specific GPA.

Use Case

Secure RESTful Web Services for Multiple Tenants.

Implementation Summary

Develop a RESTful web service and secure it for two tenants (tenant1 and tenant2) through tenant provisioning and enforcing tenant specific GPA.

Components

  • Oracle WebLogic Server

  • Oracle Fusion Middleware

  • Oracle Web Services Manager (OWSM)

Required Documentation

To complete this use case, see the following documentation resources:

This use case includes the following steps:

  • Create Weblogic domain and install templates.

  • Provision tenants: Create database schema and data sources for tenants.

  • Create GPA for tenants.

  • Enforce policies for specific tenants at run time.

4.2 Implementing Web Services for Multiple Tenants - Prerequisites

Before implementing Web Services for multiple tenants, download and install product components, configure WebLogic domain, start the Remote Server, and get the access to Oracle Enterprise Manager Fusion Middleware Control and Oracle WebLogic Server Remote Console.

Before you begin, ensure the following:

  • Download and install Oracle Fusion Middleware—includes OWSM.

For more information, see "Preparing for Oracle Fusion Middleware Installation" in Planning an Installation of Oracle Fusion Middleware.

For more information about locating and downloading Oracle Fusion Middleware products, see the Oracle Fusion Middleware Download, Installation, and Configuration Readme Files on OTN.

4.3 Creating Weblogic Domain and Installing Templates

Create Weblogic domain using the following OWSM templates: oracle.wsmpm_cloud_template.jar or oracle.wsmpm_cloud_file_template.jar.

  • oracle.wsmpm_cloud_template.jar: This template require the MDS db schema during domain creation.

  • oracle.wsmpm_cloud_file_template.jar: This is a file based template, and it doesn't require the MDS db schema during domain creation. It creates OWSM seed documents inside domain home. This is the preferred template.

For the complete procedure, see "Creating a WebLogic Domain" in Creating WebLogic Domains Using the Configuration Wizard.

To know the procedure to create the above domain templates, see Creating and Using a Domain Template (Offline) in Understanding the WebLogic Scripting Tool

4.4 Provisioning Tenants

Install MDS schema in db/pdb's for a particular tenant. Then, create a tenant specific data source into the weblogic domain for the MDS schema created.

This chapter contains the following sections:

4.4.1 Creating Database Schemas using RCU

Create database schemas using RCU. RCU is available only on Linux and Windows platforms. Use Linux RCU to install for UNIX supported databases and Windows RCU for supported Windows databases.

Note:

See Using the -silent Command in the Creating Schemas with the Repository Creation Utility to run RCU with —silent mode from the command line to have minimal interactions.

Use the following procedure to create database schemas for tenant1 and tenant2.

To create database schema for a tenant, for example tenant1:

  1. Navigate to the directory into which RCU is installed. For example:

    UNIX: $rcuHome/bin/rcu

    Windows: <rcuHome>\BIN

  2. Start the application.

    UNIX: ./rcu

    Windows: rcu.bat

    The Repository Creation Utility welcome screen appears.

  3. Click Next. The Create Repository page appears.
  4. Make sure Create Repository is selected, then click Next. The Database Connection Details page appears. For simplicity, many users use their sys name here. Enter database details in the fields provided (Database Type, Host Name, Port, Service Name, Username, Password, Role).
    Database Type
    Select the database type as Oracle Database.
    Host Name
    Specify the name of the server where your database is running in the following format: host.example.com.
    Port
    Specify the port number for your database.
    Service Name
    Specify the service name for the database. For example, rdbms.host.example.com.
    Username
    Enter the user name for your database. The default user name is SYS.
    Password
    Enter the password for your database user.
    Role
    Select the database user's role from the drop-down list: Normal or SYSDBA.
  5. Click Next. The Installer checks the prerequisites. When the prerequisite checks are complete, click OK. Click Next. The Components screen appears.
  6. Click the Create a new prefix option and choose a schema prefix (for example: tenant1).
  7. Select the accompanying components Metadata Services and Oracle Platform Security Services, in addition to the components selected by default. Click OK.
  8. Click Next. The Schema Passwords page appears.
  9. Select Use same passwords for all schemas.
  10. Enter your password in the field provided and confirm it.
  11. Click Next. The Map Tablespaces page appears. Click Manage Tablespaces, if you want to modify existing tablespaces.
  12. For this installation, click Next. A Repository Creation notification appears. Click OK. Tablespaces are created, and the progress will be displayed in a pop-up notification. When the operation is completed, click OK. The Summary page appears.
  13. Click Create. The schema is created. A Completion Summary screen appears.
  14. Click Close.
It creates database schema for tenant1. Repeat the above procedure to create database schema for tenant2.

4.4.2 Creating Data Source for Tenants

Use the Oracle WebLogic Server Remote Console to set up a JDBC data source in the WebLogic Server instance for your applications.

Use the following procedure to create data sources for two tenants: tenant1 and tenant2

To configure data source for a particular tenant, tenant1 for example:

  1. Log in to the Oracle WebLogic Server Remote Console.
  2. In the WebLogic Server Remote Console page, select JDBC > Data Sources. Click New.
  3. In the JDBC Data Source Properties page:
    • In the Name field, enter the name of the unique JDBC data source. For example, mds-owsm-tenant1.
    • In the JNDI field, enter the name of the connection. For example, mds/owsm/tenant1.
    • For the Database Type, select Oracle.
    • For the Database Driver, select Oracle Driver (thin)
  4. Click Next.
  5. In the Transactions Options page, accept the default options and click Next.
  6. In the Connection Properties page:
    • For Database Name, enter the Oracle SID. For example, rdbms.example.com.
    • For Host Name, enter the machine name of the database. For example, host.example.com
    • Enter the port number used to access the database.
    • Enter the user name as the Schema name created earlier, for example TENANT1_MDS. Enter the schema password for the database. Click Next.
  7. In the Test Database Connection page, click Test Configuration to test the connection.
  8. In the Select Targets page, select the server for which the JDBC data source is to be deployed.
  9. Click Finish.
It creates data source for tenant1. Repeat the above procedure to create a data source for tenant2. Once the data source has been created in Oracle WebLogic Server, it can be used by an application module.

4.4.3 Setting up Data Sources for Tenants

Generic data sources are data sources that manage the actual database connections, with its underlying connection pool. As part of service instance provisioning, when a new service instance is created in a POD, generic data sources are created. Once all generic data sources are created, update the Switching properties of the proxy datasource.

The switching properties use the following format:

serviceInstanceId1=datasourceJNDIName1;serviceInstanceId2=datasourceJNDIName2;

Example: serviceInstance1=mds/owsm/tenant1;serviceInstance2=mds/owsm/tenant2;

Update Switching properties for Weblogic Server

Generic data sources can be created using WLST scripting shell or JMX. Once the data sources are created, follow the steps below to update proxy data source switching properties using WLST:

  1. Add a new script UpdateSwitchingPropertiesProxyDatasource.py to your local service instance provisioning.

  2. Copy the script provided in the code block below and make the following changes: 

    • Update weblogic admin server credentials, replacing username/password with your weblogic server credentials: connect("weblogic","password","t3://"+example+":7001").

    • Update switching properties of a proxy datasource, changing updateProps provided the service instance Id and the underlying data source JNDI name.

      updatedProps = switchingProps + ';serviceInstance1=jdbc/instancejndi'

    """
Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
This script updates Switching Properties of a Proxy JDBC Datasource.
"""
 
import sys, socket
import os
hostname = socket.gethostname()
connect("weblogic","password","t3://"+hostname+":7001")
edit()
startEdit()
cd ('/JDBCSystemResources/ProxyDS')
jdbcResource = cmo.getJDBCResource()
jdbcDataSourceParams = jdbcResource.getJDBCDataSourceParams()
switchingProps = jdbcDataSourceParams.getProxySwitchingProperties()
if (switchingProps != None):
        updatedProps = switchingProps + ';serviceInstance1=jdbc/instancejndi'
else:
        updatedProps = 'serviceInstance1=jdbc/instancejndi'
jdbcDataSourceParams.setProxySwitchingProperties(updatedProps)
save()
activate()

  3. Execute the following command:

    java weblogic.WLST -i UpdateSwitchingPropertiesProxyDatasource .py

Update Switching properties for JavaSE application

Once the data sources are created, follow the steps below to update proxy data source switching properties:

  • Edit the application server corresponding to context.xml and update switchingProperties value adding ';serviceInstanceId=jdbc/instancejndi' to the existing value.

    Example: switchingProperties="1e8b59b2=jdbc/mds/owsm/tenant1;2efba34c=jdbc/mds/owsm/tenant2"

4.5 Creating OWSM Security Artifacts

You can create OWSM security artifacts by using either online WLST commands or REST API.

See the following sections:

4.5.1 Creating OWSM Security Artifacts by using WLST

You can create OWSM security artifacts by using online WLST commands.

Create security artifacts for tenant1 and tenant2.

To create security artifacts for tenant1 with the oracle/multi_token_rest_service_policy policy, run the following WLST commands in sequence: 

connectWSMRest('weblogic','password','example.com:22001')
startWSMTenantContext('tenant1')
beginWSMSession()
createWSMPolicySet('myPolicySet','rest-resource','Domain("*")')
attachWSMPolicy("oracle/multi_token_rest_service_policy")
commitWSMSession()
listWSMPolicySets()
endWSMTenantContext()

Note:

If you want to create any OWSM security artifacts like Global Policy Set, Token Issuer Trust, Configuration Customization, etc., then at first, run the connectWSMRest() command, and then wrap the corresponding OWSM commands between the startWSMTenantContext() and endWSMTenantContext() commands.

Note:

To see details about the commands see Web Services Custom WLST Commands in WLST Command Reference for Infrastructure Components.

To create security artifacts for tenant2 with the oracle/http_jwt_token_service_policy policy, run the following WLST commands in sequence: 

connectWSMRest('weblogic','password','example.com:22001')
startWSMTenantContext('tenant2')
beginWSMSession()
createWSMPolicySet('myPolicySet','rest-resource','Domain("*")')
attachWSMPolicy("oracle/http_jwt_token_service_policy")
commitWSMSession()
listWSMPolicySets()
endWSMTenantContext()

4.5.2 Creating OWSM Security Artifacts by using REST API

While running REST Commands for creating OWSM artifacts, pass the tenant id value in the X-RESOURCE-IDENTITY-SERVICE-GUID header.

REST API to create OWSM policy set for tenant1:

curl -i -H "X-RESOURCE-IDENTITY-SERVICE-GUID:tenant1" -H "Content-Type:application/json" -u username:password -X POST -d @- http://example.com:22001/wsm-pmrest/v2/policyset
[{
  "name": "myPolicySet",
  "type": "rest-resource",
  "scope": "Domain('*')",
  "policyReferences":[{
                     "uri":"oracle/multi_token_rest_service_policy",
                      "status":"enabled"
                      }
                      ] 
}]

REST API to create OWSM policy set for tenant2:

curl -i -H "X-RESOURCE-IDENTITY-SERVICE-GUID:tenant2" -H "Content-Type:application/json" -u username:password -X POST -d @- http://example.com:22001/wsm-pmrest/v2/policyset
[{
  "name": "myPolicySet",
  "type": "rest-resource",
  "scope": "Domain('*')",
  "policyReferences":[{
                        "uri":"oracle/http_jwt_token_service_policy",
                        "status":"enabled"
                        }
                        ] 
}]

4.6 Enforcing Tenant Specific Policies at Runtime

Enforce tenant specific security policies during runtime by using the tenant id in the http header.

During runtime, OWSM enforces policy for a particular tenant, by reading the tenant id value received through http header (i.e. X-RESOURCE-IDENTITY-SERVICE-GUID).