Saturday, March 05, 2011

OSB: Automatic update of Service Accounts

When you use Service Accounts in the Oracle Service Bus (OSB), you cannot customize them during deployment. Up to OSB 10g there was an undocumented way to change Service Accounts via the WebLogic Scripting Tool (WLST). From OSB 11g on, you can no longer use ServiceAccountConfigurationMBean to change the Service Accounts (http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e15033/index.html).

Oracle says this is a security issue and will not customize Service Accounts during deployment to different environments. The recommended way is to customize the accounts manually in the Service Bus console.

My opinion is that the owner of the OSB application should decide whether this is a security issue or not. Oracle should provide a proper solution for deploying Service Accounts to different environments.

The workaround to use different Service Accounts for multiple environments is the following approach:
  • Create your Service Accounts in Oracle Workshop based on ${variables}
  • Create an export file with your OSB artifacts.
  • Unzip the OSB export file
  • Find all the *.ServiceAccount files
  • Replace the ${variables} with the usernames/passwords for the environment you want to deploy to.
  • Zip all the OSB artifacts back into the OSB export file
  • Use a customization file for your environment (dev/test/accept/production)
  • Deploy it!
Here is an example of my solution based on ANT:

Property file with two Service Accounts, osb_test.properties:

ServiceAccount.MySecuredLDAPUsername.value=cn=LDAP,ou=Users,o=Services
ServiceAccount.MySecuredLDAPPassword.value=welcome1

ServiceAccount.MySecuredHTTPServiceUsername.value=oc4j_admin
ServiceAccount.MySecuredHTTPServicePassword.value=welcome1

The Service Account file from Oracle Workshop (Eclipse), the .sa file:

<?xml version="1.0" encoding="UTF-8"?>
<ser:service-account xsi:type="ser:StaticServiceAccount" 
   xmlns:ser="http://www.bea.com/wli/sb/services"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:con="http://www.bea.com/wli/sb/resources/config">
  <ser:static-account>
    <con:username>${ServiceAccount.MySecuredLDAPUsername.value}</con:username>
    <con:password>${ServiceAccount.MySecuredLDAPPassword.value}</con:password>
  </ser:static-account>
</ser:service-account>

The Ant script that extracts the export file and replaces the tokens in the Service Account files:

<target name="_ReplaceTokens">
  <!-- replace ${} tokens in param1 with the values from the properties file param2,
       writing the result to <param1>.new -->
  <echo message="Replace Tokens in ${param1}"/>
  <copy file="${param1}" tofile="${param1}.new" overwrite="true">
    <filterchain>
      <!-- turn ${name} into {name} so ReplaceTokens can use { and } as token delimiters -->
      <replaceregex pattern="\$\{" replace="{"/>
      <filterreader classname="org.apache.tools.ant.filters.ReplaceTokens">
        <param type="propertiesfile" value="${param2}"/>
        <param type="tokenchar" name="begintoken" value="{"/>
        <param type="tokenchar" name="endtoken" value="}"/>
      </filterreader>
    </filterchain>
  </copy>
</target>

<target name="_replaceServiceAccounts" description="Replace ServiceAccounts with correct passwords">
  <tstamp prefix="Start _replaceServiceAccounts"/>

  <!-- working directory for the unpacked export file -->
  <property name="sa.injection.dir" value="${project.derived.dir}/${osbs.env}_${osbs.svntype}"/>
  <delete dir="${sa.injection.dir}" verbose="${OSBVerbose}" failonerror="false" includeemptydirs="true"/>
  <mkdir dir="${sa.injection.dir}"/>
  <unzip src="${config.jar}" dest="${sa.injection.dir}"/>

  <echo message="Parse service accounts"/>

  <!-- the <for> task comes from ant-contrib; it must be defined with <taskdef> earlier in the build file -->
  <for param="sa.file">
    <path>
      <fileset dir="${sa.injection.dir}" includes="**/*.ServiceAccount"/>
    </path>
    <sequential>
      <echo message="Parse service accounts file: @{sa.file}"/>

      <antcall target="_ReplaceTokens" inheritAll="No">
        <param name="param1" value="@{sa.file}"/>
        <param name="param2" value="${project.source.dir}/release/Customization/${osbs.env}/sla.properties"/>
      </antcall>
      <!-- overwrite="true": do not let Ant's timestamp check skip the replaced file -->
      <copy file="@{sa.file}.new" tofile="@{sa.file}" overwrite="true"/>
      <delete file="@{sa.file}.new" quiet="true"/>

    </sequential>
  </for>
  <!-- repack the export file with the environment-specific Service Accounts -->
  <zip destfile="${config.jar}" basedir="${sa.injection.dir}" update="false"/>

  <tstamp prefix="finished _replaceServiceAccounts"/>
</target>
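The same unzip, replace and zip step as an added Python example (not part of the post or of the Ant build above) with two checks the ReplaceTokens filter does not make: a ${token} without a value in the properties file aborts the run instead of being deployed literally as a credential, and values are XML-escaped so a password containing & or < cannot corrupt the .ServiceAccount file. The entry name MyProject/MyLDAP.ServiceAccount and the sample values are constructed for the example.

```python
import io
import re
import zipfile
from xml.sax.saxutils import escape

TOKEN = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")  # matches ${ServiceAccount.X.value}

def load_properties(text):
    # Minimal Java .properties reader: key=value lines, '#' comment lines
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith("#")}

def inject(content, props):
    # Replace each ${token}; unknown tokens stay literal and are reported, not ignored
    missing = []
    def sub(match):
        name = match.group(1)
        if name not in props:
            missing.append(name)
            return match.group(0)
        return escape(props[name])  # '&' or '<' in a password must not break the XML
    return TOKEN.sub(sub, content), missing

def inject_export(jar_bytes, props):
    # Rewrite every *.ServiceAccount entry of the export jar; other entries pass through
    unresolved = {}
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.endswith(".ServiceAccount"):
                text, missing = inject(data.decode("utf-8"), props)
                if missing:
                    unresolved[info.filename] = missing
                data = text.encode("utf-8")
            dst.writestr(info, data)
    if unresolved:  # never ship a jar that would deploy a literal ${...} as a credential
        raise ValueError("unresolved tokens: %r" % unresolved)
    return out.getvalue()

def read_entry(jar_bytes, name):  # helper to inspect one entry of a (re)packed jar
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).read(name).decode("utf-8")

def build_sample_jar():  # constructed export jar (not from the post) with one Service Account
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("MyProject/MyLDAP.ServiceAccount",
                   "<con:username>${ServiceAccount.MySecuredLDAPUsername.value}</con:username>\n"
                   "<con:password>${ServiceAccount.MySecuredLDAPPassword.value}</con:password>\n")
    return buf.getvalue()
```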
