Understanding Oracle RightNow Adapter Security Management

4.4 Understanding Oracle RightNow Adapter Security Management

The Oracle RightNow adapter uses the Credentials Store Framework to store credentials captured during the configuration of connections within the Oracle RightNow adapter configuration wizard. This ensures that the credentials captured during configuration are stored in secured form and are not stored with the SOA Composite or Oracle Service Bus flow.

At runtime, the adapter automatically retrieves the credentials from the Credentials Store Framework based on the CSF_KEY that was specified during design time. These credentials are injected into the SOAP header of the document that is sent to the RightNow Cx Server for authentication.

4.4.1 Authenticating on the Oracle RightNow Cx Server with Account Passwords

The following section provides information about authenticating on the Oracle RightNow Cx Server with account passwords. This section includes:

4.4.1.1 Understanding Access Control on the Oracle RightNow CX Server

When the Oracle Cloud Connect Web Services for SOAP API receives a request, a series of access control measures are enforced:

The site configuration is checked to ensure the API has been enabled at a site level.
The user credentials supplied in the request are validated.
The profile for the supplied account is checked to ensure the correct profile bit is enabled. The profile is the mechanism for controlling access to administrative functions and for assigning staff members specific permissions, default workspaces, a default navigation set, and report access.

Note:

Server-side access control is enforced on all core API calls made by Oracle Cloud Connect Web Services for SOAP. The current permissions map to read, edit, delete, and move check boxes on the Profile Permissions editor in Oracle RightNow. Although server-side access is enabled by default on new May 2013 sites and later, it is disabled on upgraded sites before the May 2013 release. If you are an existing Oracle RightNow customer and plan to upgrade your site to a May 2013 or later build, contact customer care to have this security-enhancing functionality enabled.

If you already have server-side access control enabled on your site, be careful of changes you make to Profile permissions. If an Oracle RightNow administrator changes the permissions on a profile for an Oracle Cloud Connect Web Services for SOAP integration, they might break that integration.

4.4.2 Oracle Cloud Connect Web Services for SOAP Site Configuration

Access to the Oracle Cloud Connect Web Services for SOAP is available only on those sites that have it enabled. If Oracle Cloud Connect Web Services for SOAP is not enabled, contact your Oracle account manager, as the API will not function and a request error will be returned.

Request errors are generated any time there is a validation failure or a data related error of the inbound request. The exception code will be ACCESS_DENIED and the message will be the message base string for SOAP_SERVER_DISABLED.

For complete information on request errors and exception codes, see Oracle Connect Web Services for SOAP.

Before staff accounts can be authenticated through Oracle RightNow Cx, their profile(s) must be updated on the Profile Permissions editor in Oracle RightNow Cx. The permissions check boxes are located at Staff Management > Profiles > Permissions.

Figure 4-5 Location of Permissions Checkboxes

Description of "Figure 4-5 Location of Permissions Checkboxes "

In addition, RightNow Cx administrators can restrict access to Oracle Cloud Connect Web Services for SOAP integrations by IP address using the configuration settings in the Oracle RightNow Cx platform. The following setting is located at Site Configuration > Configuration Setting.

SEC_PAPI_INTEG_HOSTS_SOAP: Defines which hosts are allowed to access the SOAP interface. Valid entries include a comma-separated list of domain names with wild cards, specific IP addresses, or IP subnet masks (for example, *.rightnow.com,1.2.3.4, 10.11.12.0/255.255.255.0).

Only users logging in from hosts matching entries in this list are allowed access to the SOAP interface. The default is blank.

4.4.2.1 Configuring Restricted Access Permissions on RightNow Cx

To configure restricted access permissions:

Install the Oracle RightNow Cx client.
Log in to the Oracle RightNow Cx client installed on your workstation. You can immediately begin configuring and customizing the application.

To access the same site in the future, you can launch the client by selecting Start menu > All Programs > RightNow > RightNow (<site_name>). The client application is site-based, meaning that a separate client must be deployed for each site you access.

However, a single client application can be used to access all interfaces on a single site. Interfaces are added to the client in the same way the client is deployed.

Access the interface's Launch page and click the Install Oracle RightNow CX Cloud Service button (as described in the Oracle RightNow Cx User's Guide), and the deployment tool adds the interface to the Interface drop-down menu on the client's Login window.
Configure the SEC_PAPI_INTEG_HOSTS_SOAP setting. Refer to the Oracle RightNow Cx User's Guide.

4.4.3 Validating Account Credentials

When a request is sent to the API and the site configuration has been validated, the next step is to validate the account credentials. If the credentials do not verify, a request error is returned. The exception code will be INVALID_LOGIN, and the message will be the message base string LOGIN_ID_PASSWD_COMBINATION_INV_MSG.

4.4.4 Profile Configuration

The profile for the staff account which is used in the security header must have the Public SOAP API profile bit enabled. If this bit is not enabled, a request error is returned. The exception code will be ACCESS_DENIED, and the message will be the message base string PROFILE_NO_SOAP_ACCESS_MSG.

4.4.5 Password-based Authentication

Oracle Cloud Connect Web Service for SOAP utilizes Web Services Policy 1.2 is defined by http://specs.xmlsoap.org/ws/2004/09/policy/ws-policy.pdf for client authentication.

The supporting XSD for the security policy is located at http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd.

To authenticate with single sign-on, refer to Authenticating with SAML 2.0.

The WS-Security specification calls for a Security tag in the SOAP Header with a namespace of

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd.

Inside the Security tag is a UsernameToken tag (part of the WS-Security UsernameToken Profile 1.0 specification). The UsernameToken tag contains elements for Username, Password, Nonce, and Created. The Password element has a Type attribute which specifies if the content of the Password element is PasswordText. Oracle Cloud Connect Web Services for SOAP does not support PasswordDigest.

The Nonce and Created elements are not supported. If a request is received that contains the PasswordDigest type or the Created/Nonce elements, the server rejects the request as a malformed request.

The following is an example SOAP request with username and password credentials:

Example 4-1 Example SOAP Request with Username and Password Credentials

 soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004
             /01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   soapenv:mustUnderstand="1">
            <wsse:UsernameToken
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
                  oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                      wsu:Id="UsernameToken-3902281">
                <wsse:Username>comland</wsse:Username>
                <wsse:Password Type=
                     "http://docs.oasis-open.org/wss/2004
                      /01/oasis-200401-wss-username-token-profile-1.0
                       #PasswordText">Connect1</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
</soapenv:Envelope>