WS-Security, WSE, Web Services, Authentication and Flex 2

Similar Messages

• Security of Web Services, Agents and Sequantial Calling of Web Services

  I want to ask about the secure invocation of web services and the role of agents.
  Suppose that I have greet() web service:
  public String greet() {
  String S1=sayHello(); // A web service, actually its proxy
  String S2=sayGoodMorning(); // A web service, actually its proxy
  return S1+" "+S2;
  It calls two other webservices and they return "HELLO" and "Good Morning". Also assume that I need to secure all my web services but I need these calls to work!
  I put an agent in front of those two web services and require them to check a SAML token. I also attach an agent to greet() to authenticate the inbound and sign and add SAML token for outbound.
  But I think these two calls fail because the SAML is not created on each call. (Is it?)
  How can I make those two calls, secure each web service and at the same time keep the security code out of business code, in other words keep my web service security agnostic?
  Thank you in advance.
  Best Regards
  Farbod

  Any Comments on this?

• Web Service authentication and PROXY Issue

  HI All,
  Recently I developed an application in Flex 2 which uses
  webservices to access remote data.One more point to be noted, that
  these webservices are secured( i.e they need username and password
  to access)
  I got a production server ( say
  myProduction server) and all my webservices are deployed on
  it. We have a SAP portal running on this server. I have created a
  PAR file of my applications .SWF file and hosted it on the portal.
  When I run my application from myProduction, it runs fine, no
  issues with it.
  Now, I have a proxy server ( say
  myProxy server), which is used to make my application
  available on the internet.
  This proxy redirects all the requests to myProduction server.
  When I try to run my application from myProxy Server, I am
  getting the following error:
  [RPC Fault faultString="Security error accessing url"
  faultCode=
  Channel.Security.Error"
  faultDetail="Unable to load WSDL". If currently online,
  please verify the URI and/or format of the WSDL (
  http://myProduction:50000/WS_Resource/Config1?wsdl&style=rpc_enc)"
  at mx.rpc.soap::WSDLParser/::dispatchFault()
  at mx.rpc.soap::WSDLParser/
  http://www.adobe.com/2006/flex/mx/internal::httpFaultHandler()
  at
  flash.events::EventDispatcher/flash.events:EventDispatcher::dispatchEventFunction()
  at flash.events::EventDispatcher/dispatchEvent()
  at mx.rpc::AbstractInvoker/
  http://www.adobe.com/2006/flex/mx/internal::dispatchRpcEvent()
  at mx.rpc::AbstractInvoker/
  http://www.adobe.com/2006/flex/mx/internal::faultHandler()
  at mx.rpc::Responder/fault()
  at mx.rpc::AsyncRequest/fault()
  at ::DirectHTTPMessageResponder/securityErrorHandler()
  at
  flash.events::EventDispatcher/flash.events:EventDispatcher::dispatchEventFunction()
  at flash.events::EventDispatcher/dispatchEvent()
  at flash.net::URLLoader/flash.net:URLLoader::redirectEvent()
  Do I need any configuration files to be maintained? How do I
  resolve this proxy issue??
  myProxy server is not able to load the WSDL from
  myProduction.I am not usinfgFlex Data Services. I am directly
  accessing the services.
  If anyone knows about this issue please help me. Any help
  would be greatly appreciated.
  This issues has been unresolved since 15 days now.
  Thanks in advance

  Hi,
  I am not sure if what I am suggesting may be the source for
  the problem, but it could be that you will need a
  crossdomain.xml file deployed on your production server, so
  that it can accept the requests from the Portal. Also, I guess you
  will be using a
  flex-config.xml or
  services-config.xml. Just make sure that all server paths
  have been properly mapped to the values entered in the destination
  attributes of the WebService tags.
  I hope that helps.

• [ANN] Online seminar - Web services management and security seminar

  Join us now (Thu 09:00am) for a live seminar about Web services management and security here:
  http://www.oracle.com/technology/tech/java/newsletter/seminars.html

  I have got the following error when i run the WebServicesAssembler.jar
  D:\Oracle\Oc4j\j2ee\home>java -jar d:/oracle/oc4j/webservices/lib/WebServicesAss
  embler.jar -config etc/config.xml
  Exception in thread "main" java.util.zip.ZipException: The system cannot find th
  e path specified
  at java.util.zip.ZipFile.open(Native Method)
  at java.util.zip.ZipFile.<init>(ZipFile.java:105)
  at java.util.jar.JarFile.<init>(JarFile.java:110)
  at java.util.jar.JarFile.<init>(JarFile.java:52)
  D:\Oracle\Oc4j\j2ee\home>java -jar WebServicesAssembler.jar -config etc/config.x
  ml
  Exception in thread "main" java.lang.InstantiationException: Unknown deployment
  tag in JMS Web Service Example: <option>
  at com.evermind.xml.XMLConfig.parseDeploymentMainNode(XMLConfig.java:293
  at oracle.j2ee.ws.tools.WsAssemblerConfig.parseDeploymentMainNode(WsAsse
  mblerConfig.java:68)
  at com.evermind.xml.XMLConfig.parseRootNode(XMLConfig.java:268)
  at com.evermind.xml.XMLConfig.init(XMLConfig.java:147)
  at com.evermind.xml.XMLConfig.init(XMLConfig.java:88)
  at oracle.j2ee.ws.tools.WsAssemblerConfig.init(WsAssemblerConfig.java:30
  at oracle.j2ee.ws.tools.WsAssembler.main(WsAssembler.java:17)

• MDM Web Service authentication issue. How to use ?

  Hi,
  I' am a Microsoft technology person I' am working on integrating SAP MDM 7.1 to SharePoint 2010 using MDM Web Services interface and consuming the same in .NET custom component.
  I tried the WS with "None" authentication and it worked great.
  I' am having issues understanding how HTTPAuthentication with SAP Logon ticket authentication works in MDM.
  Created the authentication enabled web service and while testing in NetWeaver WS Navigator, it throws me exception, not able to establish session with repository for user XYZ.
  Please help me with the following queries I have:
  1) How to test a authentication enabled web service in NetWeaver WS Navigator ? Do the user id/password needs to be set in the "Invocation Parameters" ? Link to any article etc will be appreciated.
  2) How to pass the MDM user credentials (or just the username) in the MDM web service in .NET code. I didn't see any parameter in the Client class constructor to pass the same, nothing related to that found in the code that gets generated on adding the service reference.
  As per the documentation on the MDM security, looks like a trust relationship also needs to be configured on MDM - allow.ip file entries.
  However first I want to understand how to pass this information in Web Services through code.
  SharePoint   -
  (1)--> SAP PI  -(2)--
  > SAP MDM                                             
  (integrated with Active Directory                        (Where Web services are deployed     (have its own user accounts)
  so logged in user is already authenticated)          and have its own user accounts)
  The trust relationship configuration could solve the problem of authentication marked in second hop (2) by registering the IP address of PI server.
  Please help me understand how would it work to solve the first hop (1) problem and what needs to be done.
  Thanks,
  Parvinder

  Thanks Gaurav.
  The link talks about setting up the Trust with MDM server.
  The code sample provided there has the following step where user name is being set and passed to MDM:
  Use  command to authenticate user session on trusted connection
         TrustedUserSessionCommand  tuscTrustedUser =
         new TrustedUserSessionCommand(mySimpleConnection);
         //  Set the user name to use
         tuscTrustedUser.setUserName(UsernameAsString);
         tuscTrustedUser.setSession(session);
         tuscTrustedUser.execute();
         session =  tuscTrustedUser.getSession();
  I want to understand how to do that for MDM Web Services.
  I didn't see any method accepting this user name while calling the web service method / creating client object.
  So that link is still missing.
  Appreciate if anyone can help me with that.
  This is for MDM 7.1
  Thanks,
  Parvinder

• Unable to call WSS (WS-Security) enabled Web Service using UTL_DBWS

  We are attempting to call a WSS (WS-Security) enabled Web Service from PL/SQL using the UTL_DBWS package (see [http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/u_dbws.htm#CHDIDGJH] ). We are doing this in similar fashion to [http://www.oracle-base.com/articles/10g/utl_dbws10g.php] with calls to utl_dbws.create_service, utl_dbws.create_call and utl_dbws.invoke.
  Using this method we can successfully call an unsecured Web Service, but calls to WSS-enabled Web Services fail. We are currently using Oracle Database 10.2.0.3.
  The failure we are getting is:
  ORA-29532: Java call terminated by uncaught Java exception: javax.xml.rpc.soap.SOAPFaultException:
  com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
  policy ( AuthenticationTokenPolicy(S) ): No Security Header found;nested
  exception is com.sun.xml.wss.XWSSecurityException:
  com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
  policy ( AuthenticationTokenPlicy(S) ): No Security Header found
  Apparently UTL_DBWS does not support calling WSS enabled services, although this doesn't appear to be an officially recognised position. Does anyone know if Oracle are planning to support this soon (if ever)? Looking at Re: Calling WS from PL/SQL using WS-security suggests that support has been considered before, but not yet realised.
  Thanks,
  Tom

  Having raised a Service Request with Oracle support on this, I got the following response from Oracle Development (On unpublished bug [8542959|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=BUG&p_id=8542959]):
  Development has confirmed that WS-Security is not supported through UTL_DBWS. They have also acknowledged that this is not documented and they will change the official Oracle documentation will reflect this fact. From what is being stated, it would appear that there is no plan to support the use of WS-Security through UTL_DBWS in any release in the near future.
  So, in short, without developing your own home-grown SOAP request, there is no way to call a WSS enabled web service from within PL/SQL.
  -Tom

• SOAP Web Service Authentication configuration

  Hello,
  I've got a little problem with Web Service authentication configuration.
  I'm working on the SAP NetWeaver CE EHP1 7.11. I also have a XMII application deployed on the server and there are some SOAP Web Services(over XMII Transactions) that require basic authentication.
  I use all Web Services in the EJB layer. So, I've generated proxy using SAP NetWeaver as a Web Service Runtime for generation. And Iuse an injection mechanism to get a service implementation:
  @WebServiceRef(name="GetBatchListService")
  private XacuteWS batchListWS;
  In this case I could use Single Service Administration application in the NetWeaver Administrator@SOA Management@Application and Scenario Communication to configure basic authentication for EVERY Web Service. And this configuration disappears after every redeploy.
  The question is how and where could I configure authentication for all web services?
  I've read a lot of documentation, but, unfortunately, I haven't found needed one. I could see 2 direction of searching now, it might help:
  1) Destination: Configure HTTP Destination or Web Service Template Destination and use it in all Web Services proxies somehow.
  2) Find Configuration way: Create a configuration group or anything else to configure all services from one screen.
  Best Regards,
  Dmitry

  Dimtris,
  If your WSDL url is pointing to the URL of the Adapter Engine as shownin the Hot to Use the SOAP adapter there is no option. You cannot add it to the SOAP Url.
  But, if you change the SOAP Url to the Url shown in this blog by Stefan Grube then you can add the user id and pasword to the url by adding sap- user=userid and sap-password = password.
  The optin shown ion the blog by Grube can be used as long as you do not have to use SOAP attachments and in this  case you would not need both sender SOAP adapter and a sender agreement.
  /people/stefan.grube/blog/2006/09/21/using-the-soap-inbound-channel-of-the-integration-engine
  Regards
  Bhavesh
  Regards
  Bhavesh

• Using WS-Security with Web Service Controls in WLI 8.1 SP3

  We have a process that calls a web service hosted on a .NET environment. The technique we have used is to generate a service control from the web service WSDL and call that control from a process. The web service is protected using a WS-Security usernameToken policy. The problem is that the .NET environment requires the wsse:Nonce and wsu:Created elements to be provided along with the token and I cannot see how I can specify this using a wsse policy file in WebLogic workshop. Does anyone have any advice for the best way to add this information to the security element in the SOAP header from within a WLI process? I've seen some example code for a java web service client, but that would not really fit with the control-based approach normally adopted in a WLI environment.

  You won't be able to do this using the WSSE file.
  An easy way to get around this is to use an XML Bean built from the WS-Security XML Schema. You'll have to read the WS-Security spec to determine how to create the nonce, but you'll be able to convert this XML Bean into the Element[] that the setOutputHeaders() method, which is on the service control you call the .NET Web Service with.
  Regards,
  Mike Wooten

• X.509 Web Service Authentication for ABAP AS Web Service Interaction

  We are trying to use X.509 web service authentication with SAP Web AS ABAP between 2 different SAP installations. Company 1 is trying to consume a web service set up by Company 2.
  Company 1 has installed Company 2's public key, generated the client proxy using Company 2's WSDL and created a corresponding lpconfig entry.
  Then company 2 has set up the profile parameter ICM/HTTPS/verify_client to accept certificates and imported Company 1's SLL client certificate and mapped the user in USREXTID.  Note that Company 1 uses self-signed certificates, so it does not have a root certificate, which is what the documentation says should be imported into the PSE instead of the SSL client certificate.
  When Company 1 tries the web service call, it receives a request to authenticate the web service from Company 2. (basic authentication logon screen, even though the web service configuration is set to X.509 Client Certificate.
  Should this work or is there a problem because Company 1 uses self-signed certificates or is there something else we are missing?

  >
  Connie Begovich wrote:
  > We are trying to use X.509 web service authentication with SAP Web AS ABAP between 2 different SAP installations. Company 1 is trying to consume a web service set up by Company 2.
  >
  > Company 1 has installed Company 2's public key, generated the client proxy using Company 2's WSDL and created a corresponding lpconfig entry.
  >
  > Then company 2 has set up the profile parameter ICM/HTTPS/verify_client to accept certificates and imported Company 1's SLL client certificate and mapped the user in USREXTID.  Note that Company 1 uses self-signed certificates, so it does not have a root certificate, which is what the documentation says should be imported into the PSE instead of the SSL client certificate.
  >
  > When Company 1 tries the web service call, it receives a request to authenticate the web service from Company 2. (basic authentication logon screen, even though the web service configuration is set to X.509 Client Certificate.
  >
  > Should this work or is there a problem because Company 1 uses self-signed certificates or is there something else we are missing?
  I think that the problem is in Service Authentication (in transaction sicf). You have to consume web-service, transmitting user-password for access.

• Exception while accessing web service secure through web services Manager

  Hi All,
  I deployed sime Hello World web service on JWSDP1.6 and secure it through web service manager(gateway) using Certificate based security.But when I try to access this web service using JWSDP client,I got the following Error while monitoring the soap messages through TCP-Monitor:
  /////////////////////////////////Request///////////////////////////////////////////////////////////////
  POST /gateway/services/SID0003009 HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Content-Length: 5631
  SOAPAction: ""
  User-Agent: Java/1.5.0_05
  Host: ivy.cs.ucl.ac.uk:8082
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://hello.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><env:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <wsse:SecurityTokenReference>
  <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">eN9famBBWzHNUIwWRhMPktcM+VQ=</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>MHjtgA4wOtvI1B+SuRVEmD07yE+jl6axd4XbJ0nvQ3EzSuVVoST9vHzURh+B47yj41187s8T+yjt
  Bmpk9OB278Jghonkacv6r+q+LVlxRrQDudNGir7plzFeM6bUadMxf+FLgn5O0a44vU/tvy6V9+zi
  yqFdhTvS21No/aW62No=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#XWSSGID-1155126003241-1198323932"/></xenc:ReferenceList></xenc:EncryptedKey><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-11551260018331598979688">MIIC3TCCAkagAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEMMAoGA1UECBMD
  U0NBMQwwCgYDVQQKEwNTVU4xHjAcBgNVBAMTFWNlcnRpZmljYXRlLWF1dGhvcml0eTAeFw0wNjAz
  MTkxMzQ5MDJaFw0xNjAzMTYxMzQ5MDJaMEcxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAK
  BgNVBAoTA1NVTjEcMBoGA1UEAxMTeHdzLXNlY3VyaXR5LWNsaWVudDCBnzANBgkqhkiG9w0BAQEF
  AAOBjQAwgYkCgYEAzNDPKUz1MhUH1LsrLqXKxciOKSWeTrdoe/SVwe/4uy5eobAWSsSTposaOYFy
  uxf3cGCCIs7u0jMAXLQ9jzobDbt9XQ4tXPoBzKKzS+yU6hDk2TcOCkioeT9A9db5LF8yevhwXKB4
  AJ1Eh//Dp/djoonXCCxsxupQZp3ueRJrR98CAwEAAaOB1jCB0zAJBgNVHRMEAjAAMCwGCWCGSAGG
  +EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUECH05VC3/WGW
  H4AGD6tnH0h+kFUweQYDVR0jBHIwcIAUdry1wGRZ2fyJSKisVSxpMEmIiaahTaRLMEkxCzAJBgNV
  BAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAKBgNVBAoTA1NVTjEeMBwGA1UEAxMVY2VydGlmaWNhdGUt
  YXV0aG9yaXR5ggkA4HaEvd6hq8YwDQYJKoZIhvcNAQEEBQADgYEA0RhOk67pCrO6MgZZGqrmAMW6
  76fZowBxTKlFq88nrf8v1MUxV8H9wgbTDrwR0HtxY3TGpDFw2tNAww2pyDX/pQ2Wt46ichluGxjf
  aEV53loKTOM7syAmlicWqViGzBfgzriIl918TzFaX9BD/Y55bKZQk057maBCSkUuFfF453s=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse enc env ns0 xsd xsi"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#XWSSGID-1155126002593447652186"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>UJ1kuwI+WuF/RkrQpZrj1GvraLI=</ds:DigestValue></ds:Reference><ds:Reference URI="#XWSSGID-1155126002602761294100"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sKG/z5OIGgqJ2nw7JtpXyJzr8pY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SBc65VTG1xpEkRUTz70H0fVGIgoBJ0QnNad0k07RMSfw4vG1WHJdt19R05pO2AvU5aoYuBSaguJe
  ZGEjmWzw8mnSWKBi+zeDMeJiwgqwW6HHHX9P7JDslxuTIqoJIVUbSjUTSVz6ww8siIK65quXdkMT
  ZzLfp7Cd0gBuA3EEZpg=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11551260025411896275738">
  <wsse:Reference URI="#XWSSGID-11551260018331598979688" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002602761294100"><wsu:Created>2006-08-09T12:20:02Z</wsu:Created><wsu:Expires>2006-08-09T12:20:07Z</wsu:Expires></wsu:Timestamp></wsse:Security></env:Header><env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002593447652186"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1155126003241-1198323932" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><xenc:CipherData><xenc:CipherValue>XNqEzHNp47ILtOagAUNCXYkxOCWv4CjHqmZ7j6VKN/NO96ce4BsNSL6lKzqa9dPxHB1sTVGZQ8KA
  COQ6DGwyWCP8ip+CU2hor3uUAml7nzHTx1LUw3Db+0p31VAT3EqKJA3aFy38GQrBTr9ojMOUA6tm
  Cj71yucN3UCKRUl3RpE8qU68y7AwNxPsyAZeSa2AVm2cmWvSDZlxgMsx+JCEZaf3+D0o1zMp0Fxb
  MSISPt/JrEolt1H5UM1AoFGU4QkckWrQNLPyEF9oxEgZ8oCE5U8v/YJwZIAHFrx67XfaLwQLjzXw
  VPigsH9gLkfbP2BU8Vp31GsPwBZtUeNz9S35+CZPD7EiqoAB1QuAxZkJV7n00VChYH+scT64tNja
  c81bcD8tf4sAr7toCMNDAU6+74+Qy0EyPqgwLtotDxErn4kF8e72cONMMQBQ91tQs+iI+D6C1I6+
  f9UiSfgtm/MTuKQK1CRqarEtI9N6lpqVH8k7ulUwH/jFstihxmhMJ3aZY+qQgSwSs3pwSSim+e18
  eR7dOEq4vG8ivKuGvTDO4sSV2RP/nL/3eXr0y7eM0kMFKwTUA4JqL4Y/l8Bo/rie/ZXkkbF6hwEu
  dX1QmB0gf5k=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>
  ////////////////////////////////Response///////////////////////////////////////////////////////////////
  HTTP/1.1 100 Continue
  Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
  Date: Wed, 09 Aug 2006 12:28:47 GMT
  HTTP/1.1 500 Internal Server Error
  Date: Wed, 09 Aug 2006 12:28:47 GMT
  Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
  Connection: Keep-Alive
  Keep-Alive: timeout=15, max=100
  Content-Type: text/xml
  Transfer-Encoding: chunked
  157
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
  0
  So basically, what I am doing here as follows:
  HelloClient(using JWSPD1.6)->gateway(web service manager for securing the web service using message level security through certificate )->helloservice(deployed using JWSDP1.6)
  I would appreciate if someone could tell me the cause of this errror.Thanks.
  Kashif

  time to look into the gateway logs as stated by the fault ..
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
  looks like the cipher step might have failed

• Special Character XML Web Service call from Flex

  Hi,
  Let me first give a little background.
  I have to query and return data in XML format. To do so, I have created a custom DSC component. In cases where XML has special characters, LC throws error saying that XML is not properly formed. To over come this issue I used CDATA tag at DSC component. Now LC works as it should and I returns correct result.
  I have a web service call from Flex to get this XML result. Every time i trigger this web service I get an error message saying </document> tag is missing.
  I understand in Flex, web service returned data is wrapped in CDATA tag, thats what i causing all this issue.
  I am not sure, how to handle this situation, I am sure this is a common problem and there should be ways to work around it.
  I would really appreciate if any one could point me in the right direction.
  Thank you ..

  The web service has four operations in it, I need pingQuery operation execution code since it doesnot need any input value.
  I have used code something like this.. Any one please correct me if I am wrong..
  <mx:WebService 
  <mx:WebService> id="webService" wsdl=""https://hydrogen.csd.sc.edu/axis2/services/AcademicHistoryService?wsdl
  >
  <mx:operation name="pingQuery"resultFormat="
  object"result="resultHandler(event);"
  fault="faultHandler(event);"
  >
  <mx:request>
  <PingQuerySpecification>
  <value>
  fsdf
  </value>
  </PingQuerySpecification>
  </mx:request>
  </mx:operation>
  </mx:WebService>
  private function resultHandler(evt:ResultEvent):void {Alert.show(ObjectUtil.toString(evt.result));
  private function faultHandler(evt:FaultEvent):void {Alert.show(evt.message.toString());

• Web Service (SSL) and certificates (keytool) with INternet Explorer

  Hi,
  Followed this steps http://www.grallandco.com/blog/archives/2006/10/using_htts_with.html to have a secure SSL WEb service (with client authorization).
  Tested from Jdeveloper it worked O.K.
  Now I would like to test it with Internet explorer, but now server ask for certificate before internet show parameters page to invoke Web Service.
  I generated self signed certificates and keystore using keytool. (This keystore is used by the OC4J and my proxy client).
  Imported this certificate (.cer) to internet explorer succesfully, but when access URL for the web service (https) internet does not show this certificate to use it, so failed to connect...
  keytool certificates could be used by INternet explorer for this purposes?, what am I doing wrong?
  Thanks
  J.

  Hi,
  I already configured HTTPS - client authenticate for OC4J, and you can work with follow step:
  1: Create keystore for OC4J by java keytool
  2: Using openssl to create certificate for your server (privatekey, certificate)
  3. Using keytool to import your server's certificate (2) to keystore (1)
  4. Generate client certificate (4)
  5. Sign on client certificate (4) by privatekey and server certificate (20
  6. Import client certificate to windows - (should create keystore with format pkcs12)
  You can using "Java Certificate Services" to help you create keystore with multi format or sign cert....
  Rgs

• Security in Web services

  I am new to web services so please pardon me if what I am asking is really dumb.....
  I have created a simple PL/SQL web service using JDeveloper that I have published to an installation of 9iAS. My client is calling this URL directly passing the parameters in the URL and getting the SOAP message back. Everything works great.
  Now I need to secure this somehow. This is an internal application, so I am not terribly concerned with security, but we do need something that will prevent somebody who stumbles across this URL to start using it.
  I have read a lot of documentation on securing web services, but it all seems to be around creating clients, but I don't want a client, I just want to be able to call the URL directly from external systems programmatically.
  One option is obviously to pass username / pw in as parameters and then validate this in PL/SQL, but this is obviously not very secure.
  Another things I was thinking was to use the owa_util.get_cgi_env('REMOTE_ADDR') inside by PL?SQL function to get the IP Address of the client calling and then validate this to make sure this client is allowed to access the web service. This function returns ORA-06502. Does anybody know anything about how to get the IP address of the client calling? I know there are ways to limit access to certain IP addresses on the web server level, but this server is used for other things so I don’t want to do that.
  Is there anything else I can do to secure a web service like this?
  Any help is appreciated.

  More reading and code sample (see end of this post) of what is coming and what is possible today:
  http://www.oracle.com/oramag/oracle/02-jul/index.html?o42special_web.html
  http://otn.oracle.com/oramag/webcolumns/2003/techarticles/smith_wss.html
  This article from Vipin Samar gives the state of WS-Security pretty accurately:
  http://otn.oracle.com/tech/webservices/standards/Samar_Security.htm
  Accompanying paper:
  http://otn.oracle.com/tech/webservices/pdf/33206.pdf
  And, this code sample/tutorial illustrates SSL with Web services:
  http://otn.oracle.com/sample_code/tutorials/wspki/toc.htm
  Mike.

• Use of security in web service

  Hi,
  I have tried to use security from the example jaas-sample of jwsdp 1.5 .
  I just want to secure my web service with a username/password.
  When I called my service from the client...I see the xml flow :
  <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <env:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
  <wsse:UsernameToken>
  <wsse:Username>Ron</wsse:Username>
  <wsse:Password>****</wsse:Password>
  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">3k18Sv+DMhcO3aoq6YWLB4xa</wsse:Nonce>
  <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-03-01T15:26:05Z</wsu:Created>
  </wsse:UsernameToken>
  </wsse:Security>
  </env:Header>
  <env:Body>
  <ns0:getInformations/>
  </env:Body>
  </env:Envelope>
  it seems to be correct but I have an exception :
  Thread : main at 01 mars 2005 16:10:06,593 ERROR Error occured during retrieving informations
  java.rmi.ServerException: JAXRPCSERVLET28 : Informations sur le port manquant
       at com.sun.xml.rpc.client.StreamingSender._raiseFault(StreamingSender.java:497)
       at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:294)
  It works when I not use the security option (in wscompile) ...
  Have you any idea for a solution?

  Hi,
  I tried the xws-security samples and everything worked fine.
  After editing the "java.security" according to the manual with:
  security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
  After that change and a restart of the application server I get the same error message.
  I copied the jar file "bcprov-jdk14-127.jar" from bouncycastle to the jre/lib/ext folder.
  I will check further.
  br
  Dieter

• Secured Sybase Web Service with outside certificate authority

  Hello,
  I would like to use Secured Sybase Web Service with outside certificate authority, like Symantec. Could you let me know how I can create CSR for sending to Symantec? What other steps do I need to do?
  Thanks,
  Sudarat.

  Hello Jason,
  Thanks for your reply. The certificate authority require the CSR file before issue a signed certificate. If this is a signed certificate for IIS web server, I can create CSR from IIS. But I cannot use a signed certificate created from CSR of IIS with Sybase Web Service. The below steps are what I have tried.
  1. I use CreateCert.exe with /r parameter to create CSR and private key.
  2. I sent CSR to a certificate authority and they send back a signed certificate.
  3. I have to combine a signed certificate from #2 with private key created from #1. Then use that file to specify with -xs{https …when starting the service.
  Are the above steps what I have to do?  If so, do I need to redistribute createcert.exe to my customers who want to use my application and how? Why I cannot use the signed certificate created from CSR of IIS?
  Thanks,
  Sudarat.