Using Fusion Middleware Enterprise Manager to Test UCM Web Service GenericSoapService (GenericSoapPort) (Doc ID 1334114.1)

Last updated on MAY 01, 2017

Applies to:

Oracle WebCenter Content - Version 11.1.1.3.0 and later
Information in this document applies to any platform.

Goal

Web services in UCM 11g differ from the web services model in UCM 10g. In 10g, the WSDLGenerator component was used. In 11g, several significant improvements have replaced the 10g model:

10.154.59.38 - - [07/Jul/2011:13:36:55 -0500] "POST /idc/idcplg HTTP/1.1" 401 591 "-" "Jakarta Commons-HttpClient/3.1"
10.154.59.38 - sysadmin [07/Jul/2011:13:36:55 -0500] "POST /idc/idcplg HTTP/1.1" 200 489 "-" "Jakarta Commons-HttpClient/3.1"
  
Note: Currently, WebCenter Content 11g supports the SOAP 1.1 specification. The SOAP 1.2 specification will be addressed in a future release. See Enhancement Bug 21669658.
 
In 11g, when the same UPDATE_DOCINFO service is called while using the policy oracle/wss11_username_token_with_message_protection_client_policy for web service security, only a single request is made to GenericSoapPort. The authorization information is inside the SOAP message, so a single request covers both authentication and running the service. Thus, using WS-Policy to apply security to web services in 11g can halve the load on the web server.

10.154.59.38 - - [07/Jul/2011:13:56:40 -0500] "POST /idcws/GenericSoapPort HTTP/1.1" 200 19793

GenericSoapService

Oracle UCM 11g provides a general (generic) JAX-WS based Web service called "GenericSoapService".

This service uses a generic format similar to HDA for its SOAP format. It is almost identical to the generic SOAP calls that you can make to the Oracle UCM Content Server when you set IsSoap=1. Details of the format can be found in the published WSDL at /idcws/GenericSoapPort?WSDL.

http://host:ucmport/idcws/GenericSoapPort?WSDL

Example: http://localhost:16200/idcws/GenericSoapPort?WSDL

You can apply WS-Security to GenericSoapService through WS-Policy, which will be expanded upon in this note. The Content Server supports Oracle Web Services Manager (OWSM) policies for Security Assertion Markup Language (SAML) and username-token.

As a result of allowing WS-Security policies to be applied to this service, streaming Message Transmission Optimization Mechanism (MTOM) is not available for use with this service. Very large files (greater than the memory of the client or the server) cannot be uploaded or downloaded.

Customers that wish to use the UCM GenericSoapService (GenericSoapPort) web service with UCM can verify that their SOAP envelope and security settings are valid using Fusion Middleware Enterprise Manager. Details on testing this way follow an introduction about security options for use with GenericSoapService.

WS-Security options with GenericSoapService

Initially there is no policy on the service GenericSoapService, which means all requests act as anonymous. This is suitable for some customers, but others may require WSS security headers, SAML policies, or another policy. Adding a policy adds security to the web service. The following is from the UCM Developer's guide, Section 7.3:

"The Oracle UCM Web services are installed and ready to use by default with the Oracle UCM EAR. However, unless you configure WS-Security on any of the Oracle UCM Web services, all connections to the Oracle UCM content server will use the anonymous user. Additional configuration is required to enable authentication." 

Link to the developer's guide portion on Web Services: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e10807/web_services.htm#CHDDIJJB

 

To use any policy, OWSM (Oracle Web Services Manager) must be installed in the domain where UCM is located. Without OWSM, no policies will be available, and GenericSoapService can only be used with anonymous or guest access. To enable OWSM, create or extend the domain according to the instructions in the following note. This must be done before proceeding to apply WS-Security to GenericSoapPort for UCM.

<Note.1332250.1> - Creating a UCM Domain With OWSM Enabled


An overview of supported policies in UCM 11g:

No policy (default)

All connections to the Oracle UCM content server will use the anonymous user.  If any service is called that doesn't allow anonymous, errors will be returned from UCM with the following StatusMessage: "System needs login authentication credentials."

The default of no policy is very limited in what services can be used. It is essentially only for calling services as a guest or public user of UCM.

oracle/no_mtom_policy

In 11.1.1.6, an additional policy must be added, otherwise the GenericSoapService will fail. This policy is only needed if running 11.1.1.6 or later. When attaching policies, always add the policy "oracle/no_mtom_policy" as well. This is because in 11.1.1.6 the oracle/wsmtom_policy policy is applied automatically, so no_mtom_policy is needed to remove that default. If the no_mtom_policy is not applied to GenericSoapService, a "java.lang.RuntimeException: OWS-12015" error can occur when invoking the service. In addition, the error "java.io.IOException: File has already been opened in streaming mode" will occur. Bug 14137878 was opened regarding the need to add the no_mtom_policy.

oracle/wss_username_token_service_policy

This is the simplest policy to apply. It allows a SOAP client to use WSS Username Tokens in the header of the SOAP request. This option requires no keystore to be created. This option is most like the 10g variety of UCM web services.

Policy Description: This policy uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users. Only plain text mechanism is supported. The credentials are authenticated against the configured identity store. This policy can be attached to any SOAP-based endpoint.
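The following is an added example, not Oracle's code or part of the original note. It builds the kind of SOAP 1.1 request described above, with the credentials carried inside the message as a plain-text WSS UsernameToken, and flags the case where that token would travel over a non-TLS endpoint. Assumptions: the UCM namespace, the GenericRequest/Service/Document/Field element names and the webKey value should be confirmed against the published WSDL; the helper names, user name, password and field values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PW_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0#PasswordText")
UCM = "http://www.oracle.com/UCM"  # assumption: confirm against ?WSDL

for prefix, uri in (("soapenv", SOAP11), ("wsse", WSSE), ("ucm", UCM)):
    ET.register_namespace(prefix, uri)


def build_request(idc_service, fields, username=None, password=None):
    """Return a SOAP 1.1 envelope (bytes) for GenericSoapPort.

    With no username the header stays empty, which is the anonymous
    case described under "No policy (default)".
    """
    env = ET.Element(f"{{{SOAP11}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP11}}}Header")
    if username is not None:
        sec = ET.SubElement(header, f"{{{WSSE}}}Security")
        sec.set(f"{{{SOAP11}}}mustUnderstand", "1")
        tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
        ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
        # The policy supports only the plain-text password mechanism.
        pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PW_TEXT)
        pw.text = password
    body = ET.SubElement(env, f"{{{SOAP11}}}Body")
    # webKey="cs" is an assumed value for the content server web key.
    req = ET.SubElement(body, f"{{{UCM}}}GenericRequest", webKey="cs")
    svc = ET.SubElement(req, f"{{{UCM}}}Service", IdcService=idc_service)
    doc = ET.SubElement(svc, f"{{{UCM}}}Document")
    for name, value in fields.items():
        ET.SubElement(doc, f"{{{UCM}}}Field", name=name).text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def token_exposed_in_transit(endpoint_url, envelope):
    """True if a PasswordText token would be sent over non-TLS HTTP."""
    root = ET.fromstring(envelope)
    has_plain = any(p.get("Type") == PW_TEXT
                    for p in root.iter(f"{{{WSSE}}}Password"))
    return has_plain and urlparse(endpoint_url).scheme != "https"
```

Because the username-token policy carries the password in clear text inside the envelope, a True result from token_exposed_in_transit for the endpoint in use means transport protection (or the message-protection policy) is needed before the request is sent.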

oracle/wss11_username_token_with_message_protection_client_policy

If OWSM is installed in the domain, this policy can be applied to GenericSoapPort as described in the following note.

<Note.1332300.1> - Setting up GenericSoapService in UCM 11g to use WS-Security

For this policy, a keystore is needed. See the following note for steps on creating a keystore for use with UCM 11g and web services.

<Note.1334029.1> - Configuring a Keystore in UCM 11g for Use With Web Services

 

Policy Description: This policy provides message-level protection and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. Credentials are included in the WS-Security UsernameToken header of outbound SOAP request messages. Only plain text mechanism is supported. Credentials are provided either programmatically through the current Java Authentication and Authorization Service (JAAS) subject or by a reference in the policy to the configured credential store. This policy can be attached to any SOAP-based client.

An example of using a JAX-WS client to call GenericSoapPort with this policy applied can be seen in the following note:

<Note.1332308.1> - Calling GenericSoapService with WS-Security settings in JDeveloper using a Web Service Proxy

Solution
