Applying the WS-RM and WS-Security specifications to web services in WebSphere Application Server and WebSphere Message Broker: Part 2

The Web Services Reliable Messaging (WS-RM) and Web Services Security (WS-Security) specifications describe protocols that enable encrypted messages to be delivered reliably between distributed applications, even when there are software component, system, or network failures. This two-part article series shows you how to implement a web services application with WS-RM and WS-Security enabled on WebSphere Application Server V8 and WebSphere Message Broker V8.


Shelly Gupta (shellgup@in.ibm.com), Software Engineer, WebSphere Message Broker Development Team, IBM

Shelly Gupta is a Software Engineer on the WebSphere Message Broker Development Team in India. She is a post-graduate from Banasthali Vidhyapeeth in Jaipur, India, and has been working for IBM for five years. You can contact Shelly at shellgup@in.ibm.com.



23 January 2013

Integrating a Web Service Client on WebSphere Message Broker with a web service on WebSphere Application Server

Import a web service into WebSphere Application Server

The first step is to import a server application into Rational Application Developer V8 that you can use to deploy and run your web service server. The server must be set up to let you configure applications directly in the administrative console.

  1. Download the WSRM_WSS.zip file at the bottom of this article and extract the RAD_BankServer.zip file.
  2. Start Rational Application Developer V8.
  3. Import the project by selecting File => Import. In the Import window, select Other => Project Interchange and then select Next.
  4. Browse to the RAD project file that you downloaded, select All, and then select Finish.
  5. After importing the project, you may get a Java build path error, so make sure that all JAR files are added in the build path to eliminate those errors. You should see the project structures as shown below:
    Figure 1. BankClient and BankServer project structure in Rational Application Developer
  6. To deploy BankServerEAR on WebSphere Application Server, right-click on the WebSphere Application Server V8 runtime and click Add and Remove Projects, as shown below:
    Figure 2. Open Add and Remove Projects
  7. Under Available projects, select BankServerEAR and then click Add. After it is added under Configured projects, click Finish, as shown below:
    Figure 3. Deploy BankServerEAR on WebSphere Application Server

If you want to create your own server application, import the RAD_WSDL.zip file provided with this article.

Import Web Service Client in WebSphere Message Broker

The next step is to import the Consumer/Client flow in WebSphere Message Broker V8 so that you can use it to deploy and run your web service and web service client.

  1. Start WebSphere Message Broker V8 Toolkit.
  2. WMB_BankApplication_PI.zip has already been imported. You should see the project structures as shown in Figure 1.
  3. In the BankMessageFlowProject, double-click on WSRM_ConsumerFlow.msgflow. You should see the flow shown below:
    Figure 4. WSRM_ConsumerFlow message flow

    This flow behaves like a web service client. The SOAPRequest nodes in this flow can send SOAP requests to provider applications.

    1. The WSRMINPUTQ (MQInput) node receives the message. The Compute node after the MQInput node gets the operation name and sets it into the local environment variable to route the message.
    2. The RoutetoLable node routes the message to the appropriate Label node. The message sent to the Label node will be in XMLNSC format and therefore must be converted into a SOAP message. For that purpose, a Compute node is included after every Label node.
    3. The CreateAccount Label receives CreateAccount requests and propagates them to the ComputeCreateAccount node. Then the CreateAccount SOAPRequest node sends the SOAP request to the service application and waits for a response. After a response is received, it is propagated to the CreateResponse Compute node. If a fault message is received, it is propagated to the CreateFaultResponse Compute node.
    4. The CreditRequest Label receives the CreditRequest requests and propagates them to the ComputeCreditRequest node. Then the CreditRequest SOAPRequest node sends the request to the service application. No response is sent back to the SOAPRequest node because it is a one-way operation. The DebitRequest Label receives DebitRequest requests and propagates them to the ComputeDebitRequest node. Then the SOAPRequest node sends the request to the service application. No response is sent back to the SOAPRequest node as it is a one-way operation.
    5. The CheckBalance Label receives CheckBalance requests and propagates them to the ComputeCheckBalance node. Then the SOAPRequest node sends the request to the service application and waits for a response. After the response is received, it is propagated to the CreateResponse Compute node. If a fault message is received, it is propagated to the CreateFaultResponse Compute node.
    6. The CreateResponse compute node converts the SOAP message into the XMLNSC message and propagates it to the WSRMRESPONSEQ (MQOutput) node.
    7. The CreateFaultResponse Compute node propagates the same message to the WSRMFAULTRESPONSEQ (MQOutput) node.
  4. Create an execution group named BankConsumer.
  5. Create the following local queues:
    • WSRMINPUTQ
    • WSRMRESPONSEQ
    • WSRMFAULTRESPONSEQ
  6. You must check the port used by the web service on WebSphere Application Server. To do so, complete the following steps:
    1. Open Rational Application Developer.
    2. Navigate to BankServer => ejbModule => META-INF => wsdl. Right-click on BankMessageSetService.wsdl and select Open With => Text Editor.
    3. In BankMessageSetService.wsdl, search for <soap:address and check the port value.
  7. In the BankMessageFlowProject, open WSRM_ConsumerFlow.msgflow. Open the HTTP Transport tab in the Properties view of each SOAPRequest node, and check the port. If the port is already correct, you do not need to do anything. Otherwise, change the port in the web service URL field to the correct port for your web service server, and save the flow.
  8. In the BankMessageFlowProject, open the BankConsumer BAR file. Select the Prepare tab and ensure that the WSRM_ConsumerFlow message flow and its message set are selected. Click Build and Save.
  9. Deploy the BAR file on the BankConsumer execution group.
  10. Under BankMessageFlowProject => Flow Tests, open Requester.mbtest. Use the first Enqueue to send a message.
  11. Select Dequeue and click Get Message. You should get the response shown below:
    Figure 5. Create account response message

Now both client and server applications are ready to apply WS-RM and WS-Security.

Importing and applying the policy set and bindings to the client and server applications

All the required EAR, keystore, XML, and ZIP files for policy sets and bindings are provided with this article. Complete the following steps to make use of them.

Import and apply the policy set and binding in Rational Application Developer

  1. Import the WMB_Provider_Policy.zip file provided with this article into Rational Application Developer using the following steps:
    1. Select File => Import in Rational Application Developer.
    2. Select WebSphere Policy Sets under Web service and click Next as shown in Figure 12.
    3. Browse to the WMB_Provider_Policy.zip file in the next window and click Finish.
  2. Now attach this policy set and binding to BankServer service, using the following steps:
    1. Navigate to BankServer => Services.
    2. Right-click on BankMessageSetSOAP_HTTP_Service and select Manage Policy Set Attachment, as shown below:
      Figure 6. Attach policy set in Rational Application Developer
    3. In the Add Policy Set Attachment window, click Add.
    4. In Configure Policy Set and Binding window, select WMB Provider Policy under Policy Set and select Provider sample under Binding, as shown below:
      Figure 7. Attach policy set and binding in Rational Application Developer
    5. Click OK and then click Finish.

Import and apply the policy set and binding in WebSphere Application Server

The next step is to import the WMB Provider policy and apply it to the BankServerEAR file in the administrative console, using the following steps:

  1. To launch the administrative console, right-click the WebSphere Application Server V8 runtime and click Administration => Run administrative console, as shown in Figure 13.
  2. Select Services => Policy Sets => Application policy sets, as shown in Figure 14. You will see some of the most common policy set configurations already available. For the banking example, import Bank Provider Policy: click Import and select from the selected location.
  3. Browse to WMB_Provider_Policy.zip and click OK.
  4. After you save the changes, you should see WMB Provider Policy in the Application Policy Sets list.
  5. Select Applications => Application Types => WebSphere enterprise applications, as shown below. You should see that BankServerEAR is already available.
    Figure 8. BankServerEAR in administrative console
  6. Click on BankServerEAR.
  7. Select Service client policy set and bindings under Web services properties.
  8. Select the check boxes for BankServerEAR and BankMessageSetSOAP_HTTP_Service. Click the Attach Client Policy Set dropdown box and select WMB Provider Policy:
    Figure 9. Attach server policy set in the administrative console
  9. Save the changes.
  10. Again, select the check boxes for BankServerEAR and BankMessageSetSOAP_HTTP_Service. Click the Assign Binding dropdown box and select WMB Provider custom Binding. After you save the changes, you should see the screen shown below. Go back to Applications => Application Types => WebSphere enterprise applications and restart BankServerEAR.
    Figure 10. Attach server policy and binding in administrative console

If you face any issues while attaching the policy set or binding, import the BankServerEAR.ear file provided with this article into the administrative console using the following steps:

  1. In the administrative console, select Applications => Application Types => WebSphere enterprise applications. Select the checkbox for BankServerEAR and click Uninstall.
  2. In the next window, click OK and save the changes.
  3. Click Install. Browse to BankServerEAR.ear and click Next.
  4. Complete the installation with the default configuration by clicking Next.
  5. Save the installation and start BankServerEAR.

Set up keystore and truststore and import the policy set and bindings in WebSphere Message Broker

  1. You have already downloaded keystore and XML files into the KeyStore folder on your local system.
  2. Store WSSecurity-WSRMConsumerBinding.xml as well in the KeyStore folder on the local system.
  3. The BankConsumer execution group is used as a consumer. To set up the keystore and truststore on the BankConsumer execution group, run the following commands on the runtime command console:
    Listing 1. Setup keystore and truststore on BankConsumer execution group
    mqsichangeproperties <Broker Name> -e BankConsumer -o ComIbmJVMManager -n truststoreFile -v c:\KeyStore\client.keystore

    mqsichangeproperties <Broker Name> -e BankConsumer -o ComIbmJVMManager -n keystoreFile -v c:\KeyStore\client.keystore

    mqsichangeproperties <Broker Name> -e BankConsumer -o ComIbmJVMManager -n keystorePass -v clientKeystore::password

    mqsichangeproperties <Broker Name> -e BankConsumer -o ComIbmJVMManager -n truststorePass -v clientTruststore::password

    mqsichangeproperties <Broker Name> -e BankConsumer -o ComIbmJVMManager -n keystoreType -v jks

    mqsichangeproperties <Broker Name> -e BankConsumer -o ComIbmJVMManager -n truststoreType -v jks

    mqsistop <Broker Name>
    mqsisetdbparms <Broker Name> -n clientKeystore::password -u NA -p clientpass
    mqsisetdbparms <Broker Name> -n clientTruststore::password -u NA -p clientpass
    mqsistart <Broker Name>
  4. You have already created a policy set with WS-Security and WS-RM, and this policy set can be used here as well. Run the following commands on the runtime command console to create and import the consumer policy binding:
    Listing 2. Create and Import the consumer policy binding on runtime command console
    mqsicreateconfigurableservice <broker name> -c PolicySetBindings -o WSSecurity-WSRMConsumerBinding

    mqsichangeproperties <broker name> -c PolicySetBindings -o WSSecurity-WSRMConsumerBinding -n associatedPolicySet -v WSSecurity-WSRMPolicySet

    mqsichangeproperties <broker name> -c PolicySetBindings -o WSSecurity-WSRMConsumerBinding -n ws-security -p c:\KeyStore\WSSecurity-WSRMConsumerBinding.xml
  5. Open WebSphere Message Broker Explorer. Right click on <BrokerName> and select Properties.
  6. Under Security and Policy, select Policy Sets.
  7. The WSSecurity-WSRMPolicySet (with WS-RM and WS-Security) policy set, WSSecurity-WSRMProviderBinding binding, and WSSecurity-WSRMConsumerBinding binding must be listed there as shown below:
    Figure 11. Policy set with WS-RM, WS-Security, and bindings in WebSphere Message Broker Explorer

Now your execution group, policy set, and binding are ready to use.

Apply the policy set and bindings to the consumer flow

You must apply the policy set and bindings on the flow so that they can run with WS-RM and WS-Security enabled.

  1. You can call the consumer by using WebSphere MQ. Only application messages reach the message flow. To see the additional WS-RM protocol messages (such as create sequence, terminate sequence, and message number) and the signed and encrypted messages that pass between the provider and consumer, set up a TCP/IP Monitor as follows:
    1. The port used by the application server should be same as before.
    2. In the workbench, go to Window => Preferences => Run/Debug => TCP/IP Monitor.
    3. Ensure that Show the TCP/IP Monitor view when there is activity is selected.
    4. Click Add. Set the Local monitoring port to an unused port on your system, such as 6666.
    5. Set the Type to TCP/IP.
    6. Set the Host name to localhost.
    7. Set Port to the port on which the application server is running.
    8. Click OK. You should see the screen shown below:
      Figure 12. TCP/IP Monitor configuration
    9. Select the TCP/IP Monitor that you have just created and click Start.
    10. You have set up a TCP/IP Monitor to receive messages sent to an unused port on your system, such as 6666, and forward them to the server.
  2. In the BankMessageFlowProject, open WSRM_ConsumerFlow.msgflow. Open the HTTP Transport tab in the Properties view of each SOAPRequest node, and check the port. If the port is already correct, you do not need to do anything. Otherwise, change the port in the Web service URL field to the correct port for your TCP/IP Monitor and save the flow.
  3. In the BankMessageFlowProject, open the BankConsumer BAR file and rebuild it. Select the Manage tab at the bottom left and select WSRM_ConsumerFlow.cmf.
  4. In the Consumer Policy Set field, click Edit and select the WSSecurity-WSRMPolicySet policy that you associated with the provider flow.
  5. In the Consumer Policy Set Bindings field, click Edit and select the WSSecurity-WSRMConsumerBinding binding that you imported, which is not the same binding that you associated with the provider flow. You should see the screen shown below:
    Figure 13. BankConsumer BAR file with policy set and bindings applied
  6. Save and deploy the BAR file on the BankConsumer execution group.

Test the web service application with WS-RM and WS-Security enabled

  1. Open Requester.mbtest under BankMessageFlowProject => Flow Tests. Use the first Enqueue to send a request message to create an account. You can see in the TCP/IP monitor that the message is encrypted and has a sequence number in it. For example: <wsrm:MessageNumber>1</wsrm:MessageNumber>. Now select Dequeue and click Get Message. You should get the message shown below:
    Figure 14. Create Account Response Message
  2. Select the second Enqueue to send a CreditRequest and the third Enqueue to send a DebitRequest. No response will be received, since they are one-way operations.
  3. Select the fourth Enqueue to send a CheckBalance request. Now select Dequeue and click Get Message. The balance value should be 50.00 as one credit request credits the account with 100.00 while one debit request debits the account with 50.00. You should get the message shown below:
    Figure 15. Check Balance Response Message
  4. You can check in the TCP/IP Monitor that all requests and responses are encrypted and in sequence. You should get the create sequence messages and SOAP header as shown below:
    Figure 16. Messages in TCP/IP Monitor
    Figure 17. Messages in TCP/IP Monitor
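
The manual check in steps 1 and 4 (every application message encrypted, message numbers in sequence) can be scripted. The following is an added example, not code from this article or its download; it assumes SOAP 1.1 envelopes copied out of the TCP/IP Monitor as strings, and the function names and sample capture are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # assumption: SOAP 1.1
ENCRYPTED = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"
# WS-RM 1.0 and 1.1 namespaces; a capture may use either one.
WSRM_NAMESPACES = ("http://schemas.xmlsoap.org/ws/2005/02/rm",
                   "http://docs.oasis-open.org/ws-rx/wsrm/200702")

def find_wsrm(parent, name):
    """Find a WS-RM descendant by local name in either namespace."""
    hits = [parent.find(f".//{{{ns}}}{name}") for ns in WSRM_NAMESPACES]
    return next((h for h in hits if h is not None), None)

def inspect_envelope(envelope_xml):
    """Return (sequence id, number, plaintext?) or None if no wsrm:Sequence."""
    if "<!DOCTYPE" in envelope_xml:
        raise ValueError("SOAP messages must not carry a DTD")
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    body = root.find(f"{{{SOAP_NS}}}Body")
    sequence = find_wsrm(header, "Sequence") if header is not None else None
    if sequence is None:  # CreateSequence, TerminateSequence and similar
        return None
    seq_id = find_wsrm(sequence, "Identifier").text.strip()
    number = int(find_wsrm(sequence, "MessageNumber").text)
    # An empty body (a WS-RM 1.0 LastMessage, say) has nothing to encrypt.
    children = list(body) if body is not None else []
    return seq_id, number, any(c.tag != ENCRYPTED for c in children)

def audit(envelopes):
    """Flag clear-text bodies and gaps in each sequence's message numbers."""
    findings, seen = [], defaultdict(set)
    for index, envelope_xml in enumerate(envelopes, start=1):
        info = inspect_envelope(envelope_xml)
        if info is None:
            continue
        seq_id, number, plaintext = info
        seen[seq_id].add(number)  # a set: retransmitted duplicates are normal
        if plaintext:
            findings.append(f"capture {index}: message {number} body is not encrypted")
    for seq_id, numbers in seen.items():
        missing = sorted(set(range(1, max(numbers) + 1)) - numbers)
        if missing:
            findings.append(f"sequence {seq_id}: missing message numbers {missing}")
    return findings

def sample(seq_id, number, body):
    """Constructed envelope; real captures carry many more headers."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsrm="{WSRM_NAMESPACES[0]}">'
            f"<s:Header><wsrm:Sequence><wsrm:Identifier>{seq_id}</wsrm:Identifier>"
            f"<wsrm:MessageNumber>{number}</wsrm:MessageNumber></wsrm:Sequence>"
            f"</s:Header><s:Body>{body}</s:Body></s:Envelope>")

SEQ = "urn:uuid:constructed-1"
CIPHER = '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
CAPTURE = [sample(SEQ, 1, CIPHER), sample(SEQ, 2, CIPHER),
           sample(SEQ, 4, "<CheckBalance/>")]
print("\n".join(audit(CAPTURE)))
```

An empty result from `audit` means every captured application message had an encrypted body and no message number was skipped; a capture taken while a sequence is still open can legitimately show a trailing gap.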

Conclusion

This article showed you how to configure WebSphere Message Broker to use WS-RM and WS-Security together to communicate with JAX-WS clients and web services running on WebSphere Application Server. Enabling WS-RM and WS-Security on client and server enables the reliable message delivery of encrypted data without additional coding by the client or web service provider.


Download

Description     Name            Size
Code samples    WSRM_WSS.zip    250 KB
