Attaching OWSM Policy to OSB Services

Similar Messages

• Probem attaching OWSM Policy to OSB Proxy Service

  Hi all,
  I am working with OSB 11g R1 and I am trying secure one proxy service by attaching one OWSM predefined policy. However, the "OWSM Policy Binding" is disabled in the Policy section of the proxy service.
  I found this thread in the forum [1] wich seems to have the same problem and I have checked that all the extensions are installed in my domain.
  Sure I missing something but I haven't found anything in the docs.
  Any tip or hint is appreciated
  Thanks in advance
  My enviroment:
  - Weblogic Server (10.3.4.0)
  - Oracle Service Bus (11.1.1.4)
  - Oracle Service Bus OWSM Extension (11.1.1.0)
  [1] OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1
  Edited by: user10102092 on 27-jul-2011 2:42

  I presume you already did a fresh restart of the managed servers?Yeap, I've restarted the OSB server.
  Looking at the logs I can find this message:
  +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
  So I understand that the pool is created correctly, isn't it?

• Issue while attaching OWSM policy to OSB Business Service

  How to configure OWSM policy to NON WSDL based Business service.
  We are not able to encrypt the data for NON WSDL based Business service.
  Please help.
  Thanks,
  Mihir

  I presume you already did a fresh restart of the managed servers?Yeap, I've restarted the OSB server.
  Looking at the logs I can find this message:
  +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
  So I understand that the pool is created correctly, isn't it?

• ClassNotFoundException with Custom OWSM Policy in Oracle Service Bus

  Hi All,
  I have a situation where I have created a custom web service manager policy. When I attach this policy to an Oracle Service Bus Proxy Service and invoke the service I get a ClassNotFoundError
  Caused By: java.lang.ClassNotFoundException: au.com.MyClass
  at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
  at java.security.AccessController.doPrivileged(Native Method)
  at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
  at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
  at oracle.wsm.policy.util.Loader.loadClass(Loader.java:369)
  at oracle.wsm.policy.util.Loader.loadClass(Loader.java:389)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:238)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:279)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.init(WSPolicyRuntimeExecutor.java:162)
  at oracle.wsm.policyengine.impl.PolicyExecutionEngine.getPolicyExecutor(PolicyExecutionEngine.java:137)
  at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:101)
  at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
  at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
  at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:366)
  at com.bea.wli.sb.security.wss.wsm.WsmInboundHandler.processRequest(WsmInboundHandler.java:150)
  at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:223)
  at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:289)
  at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:87)
  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)
  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)
  The jar file is in the user_projects/domains/mydomain/lib directory.
  Attaching the policy to BPEL services has no issue and the policy is invoked successfully.
  I am unable to determine why the OSB would behave differently in this regard, or what I need to configure differently in order to have it found by the class loaders for the OSB.
  Any help or suggestions appreciated.
  I am using 11.1.1.4.0
  The jar file has the necessary policy_config.xml file and the META-INF/mylabel/mypolicy.xml files in situ. As I said, it is working in the soa_server but not the OSB.

  Have you restarted servers after putting jar in $Domain_Home/lib directory? Also try after explicitly adding this jar in classpath by editing server startup script (startManagedWeblogic.cmd or .sh) or in domain env setting script (setDonainEnv.cmd or .sh) and restarting the servers.
  Regards,
  Anuj
  Edited by: Anuj Dwivedi on Mar 21, 2011 1:10 PM

• Attaching OWSM policy to only request side

  Hi all,
  I am using OSB11gr1 with OWSM extended domain. Is there a way to attach OWSM policy to only request side?
  I am using wss11_x509_token_with_message_protection_client_policy. Can I override this policy somehow to disable message protection on the response side. I looked into policy editor in OEM, there are ways to disable signing/encrypting body/header but not found any way to disable the message protection policy on response side completely
  Please suggest

  You can attach Oracle Web Services Manager policies only at the service level, and you cannot embed them in service WSDLs.
  Regards,
  Anuj

• OWSM Policy in OSB

  I am trying to build a sample OSB service having the OWSM policy attached to it.I am using the option of "From OWSM Policy Store " and used the policy oracle/wss_username_token_service_policy.
  When i tried to exceute the OSB,i am getting an error as
  "oracle.wsm.policymanager.PolicyManagerException: WSM-02128 : Cannot read WSDL. [Possible Cause : unknown protocol: servicebus]"
  Looking like,some issue with the parsing of the WSDL that i used upon the service.Do i need to refer the wsdl from MDS.If,yes how can i do that in OSB.

  You may refer below blog for configuration -
  http://niallcblogs.blogspot.com/2010/07/osb-11g-and-wsm.html
  Regards,
  Anuj

• Doubt in implementing OWSM policy in osb 11g

  Hi,
  Can anybody tell me how to implement basic username-token policy in wsdl based paroxy service in osb 11 G.
  I am able to select service policy configuartion from the policies tab of proxy service in sb console,but after that i can not find any OWSM policy there to add.Pls assist me

  have you run rcu to create mds storage for the policies?
  and after that you run the configuration wizard to expand your domain with "Oracle Service Bus OWSM Extension" ?

• OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1

  Hi,
  I am using 11pPS2.
  In osb, i created a proxy service with soap 1.1. and business proxy with soap 1.1
  Now I click Policies tab of each service,
  In Service Policy Configuration,
  OWSM Policy Bindings is disabled to choose.
  So I can't attach any OWSM policy to osb service.
  Only Custom Policy bidings are enabled.
  appreciate any help and comments on this issue

  Need check if you Extend your Oracle Service Bus domain with Oracle Web Services Manager and Oracle Enterprise Manager.
  Select the following domain templates when running the Oracle Fusion Middleware Configuration Wizard
  Oracle Service Bus OWSM Extension
  Oracle WSM Policy Manager (automatically selected when you select the OWSM Extension)
  Oracle Enterprise Manager (optional, needed for creating and managing Oracle Web Services Manager policies)

• OWSM policy configurations export mechanism

  Hi,
  We have a requirement of applying owsm policies on OSB 11g proxy and business services.
  What is the best way to apply policies is it at
  1. Design time (in eclipse)
  2.Run time from from SB console
  When we shift the entire OSB projects from development environment to production how does migration takes place is it a project level configuration or server level configuration.
  Do we have two configuration files.
  1. one is OWSM policy configuration file and
  2. OWSM policy and OSB project configuration file.
  If above is the scenario we cna directly edit the config files instaed of changing the OSB project artefacts.
  Any suggetsions on OSB and OWSM policy configurations and environment chnge setup process will be of great help.
  Thanks,
  Sowmya

  Ok got it! Just followed the oracle documentation and copied it in below path and Jdev 11.1.1.4 picked it up!
  C:\Users\Amit\AppData\Roaming\JDeveloper\system11.1.1.4.37.59.23\DefaultDomain\oracle\store\gmds\owsm\policies (not copying it within oracle folder within policies as its a custom policy)
  Strange, I have Jdev 11.1.1.3 in office and it doesnt pick up the policy but Jdev 11.1.1.4 (at home) picks it up without a problem.
  is this a bug in Jdev 11.1.1.3 or my jdev in offic is corrupt?

• Osb proxy service with owsm policy auth slow when soap request very large

  I have a proxy service which is security with owsm policy: oracle/wss_username_token_service_policy, the proxy service simply route to Business Service which directly invoke a bpel exposed web service, when I call the proxy service with soap envelope large than 15MB(not attachment), waiting about 4~5 minutes, the bpel instance created ; but when I remove the security policy:oracle/wss_username_token_service_policy, it will cost only 20 seconds, why authentication cost so long? How can I deal with the problem?
  My English is poor, please don't mind!
  besides, with my OSB version is 11.1.1.6.0

  I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with embedded signature and this seems to be not supported with the used OWSM policy. Without the signature is the exception gone.
  Marian

• OWSM user name token service policy for a proxy service at OSB

  Hi Friends,
  I am facing an issue while trying for the OWSM user name token service policy Authentication for a proxy service at OSB. I am using the PS4 SOA suite with AIA foundation pack. very first I am login into the EM console and choose the domain<soaosb_domain> form web logic domain I moved to security->security provide configuration. Inside the security provide configuration we have to key store section and I expand that and we have a configure button inside the keys tore. I click that button and it open a new page. In that page I got the Java key store (JKS) as the default key store and in the access Attributes I keep the default key store path and fill password and confirm password fields. Then in Identity certificates I fill the signature key and Encryption key with key Alias as 'orakey' and same password which I am mentioned at access Attributes. I got the message like the key store is created successfully. Then I restarted the server and again I am login into the EM console and choose the domain<soaosb_domain> form web logic domain I moved to security. In security I choose the credentials. In credentials we have create key. In the create key I add the key as hari-key and provide the hari as a user and his password.
  While trying to test the proxy service i am getting the [OSB Security - OWSM: 387253] Failed to initialize OWSM Credential Manager. Please validate the Key store Configuration.
  can anyone please look at this and suggest me how can I proceed for this.
  Thanks
  Hari

  anyone please respond to the above request.
  Thanks
  Hari

• Failing to attach WS-Policy to ProxyService in OSB

  Im trying to attach a policy to a proxyservice. I'm attaching wss_username_token_service_policy from the list from the OWSM. I also set it to consume the ws-security headers but when i deploy i get the following message:
  [OSB Kernel:398139]The binding type of service Common/ProxyServices/PS_CardManagementService is based on wsdl, the service should have ws-policy configuration.
  The weird thing is that i've build other services in exact the same way (wsdl wise) and they all deployed and worked without a problem. I've rebuild the PS from the wsdl a couple of times but it doesnt seem to fix the problem.
  I can add the policy using the SB console without a problem and it also works correct.
  Can anyone tell me what is wrong?
  Thanks in advance!

  Seems it has something to do with the mds-owsm. When i look in the log i see:
  [2011-06-20T20:42:59.897+02:00] [osb_server1] [WARNING] [WSM-02101] [oracle.wsm.resources.policymanager] [tid: [ACTIVE].ExecuteThread: '16' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: OracleSystemUser] [ecid: 0000J2iNDuu7y0G_yx0FyW1Dvr15000G7J,0] [APP: wsm-pm] [dcid: ae78371b7bf314eb:1452020e:1306f4fcdbe:-7ffd-0000000000000117] Generic Oracle WSM Policy Manager error.[[
  oracle.mds.exception.MDSRuntimeException: weblogic.common.resourcepool.ResourceDisabledException: Pool mds-owsm is Suspended, cannot allocate resources to applications..
       at oracle.mds.internal.persistence.db.BaseReposAccess.<init>(BaseReposAccess.java:360)
       at oracle.mds.internal.persistence.db.shredded.ShreddedReposAccess.<init>(ShreddedReposAccess.java:274)
       at oracle.mds.internal.persistence.db.shredded.ShreddedDBMSConnection.createReposAccess(ShreddedDBMSConnection.java:444)
       at oracle.mds.internal.persistence.db.BaseDBMSConnection.getOrCreateReposAccess(BaseDBMSConnection.java:2072)
       at oracle.mds.internal.persistence.db.BaseDBMSCVersionSupport.getDocument(BaseDBMSCVersionSupport.java:286)
       at oracle.mds.persistence.DelegatingMSConnectionVersionSupport.getDocument(DelegatingMSConnectionVersionSupport.java:72)
       at oracle.mds.internal.persistence.PManagerVersionSupportImpl.getDocument(PManagerVersionSupportImpl.java:255)
       at oracle.mds.core.MOState.getTipPDocument(MOState.java:981)
       at oracle.mds.core.MOState.checkStaleVersion(MOState.java:893)
       at oracle.mds.core.MOState.checkStalenessDocFromBuilder(MOState.java:723)
       at oracle.mds.core.MOState.getIsStaleLastModified(MOState.java:537)
       at oracle.mds.core.MOContent.getIsStaleLastModified(MOContent.java:267)
       at oracle.mds.core.MetadataObject.isStale(MetadataObject.java:721)
       at oracle.wsm.mds.MDSAccessor.getLatestMOCopy(MDSAccessor.java:1388)
       at oracle.wsm.mds.MDSAccessor.getMetadataObjectAsMO(MDSAccessor.java:1506)
       at oracle.wsm.mds.MDSAccessor.getStoreLastUpdatedDate(MDSAccessor.java:1629)
       at oracle.wsm.policymanager.impl.UpdateService.seed(UpdateService.java:1885)
       at oracle.wsm.policymanager.impl.UpdateService.<init>(UpdateService.java:238)
       at oracle.wsm.policymanager.impl.QueryService.seed(QueryService.java:2443)
       at oracle.wsm.policymanager.impl.QueryService.<init>(QueryService.java:217)
       at oracle.wsm.policymanager.impl.PolicyAccessService.getQueryService(PolicyAccessService.java:259)
       at oracle.wsm.policymanager.impl.PolicyAccessService.getPoliciesByPolicyReferencesMap(PolicyAccessService.java:214)
       at oracle.wsm.policymanager.impl.PolicyAccessService.getPoliciesAsStringsByPolicyReferencesMap(PolicyAccessService.java:348)
       at sun.reflect.GeneratedMethodAccessor925.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
       at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
       at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
       at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
       at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
       at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
       at $Proxy216.getPoliciesAsStringsByPolicyReferencesMap(Unknown Source)
       at oracle.wsm.policymanager.ejb.impl.PolicyAccessService_elx95s_IStringPolicyAccessServiceRemoteImpl.getPoliciesAsStringsByPolicyReferencesMap(PolicyAccessService_elx95s_IStringPolicyAccessServiceRemoteImpl.java:188)
       at oracle.wsm.policymanager.ejb.impl.PolicyAccessService_elx95s_IStringPolicyAccessServiceRemoteImpl_WLSkel.invoke(Unknown Source)
       at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
       at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
       at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
       at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
       at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  Caused by: oracle.mds.internal.persistence.db.fcf.MDSDBIOException: weblogic.common.resourcepool.ResourceDisabledException: Pool mds-owsm is Suspended, cannot allocate resources to applications..
       at oracle.mds.internal.persistence.db.JNDIConnectionManagerImpl.fetchConnection(JNDIConnectionManagerImpl.java:96)
       at oracle.mds.internal.persistence.db.ConnectionManager.getConnection(ConnectionManager.java:347)
       at oracle.mds.internal.persistence.db.BaseReposAccess.<init>(BaseReposAccess.java:347)
       ... 53 more
  Caused by: weblogic.jdbc.extensions.PoolDisabledSQLException: weblogic.common.resourcepool.ResourceDisabledException: Pool mds-owsm is Suspended, cannot allocate resources to applications..
       at weblogic.jdbc.common.internal.JDBCUtil.wrapAndThrowResourceException(JDBCUtil.java:251)
       at weblogic.jdbc.common.internal.RmiDataSource.getPoolConnection(RmiDataSource.java:344)
       at weblogic.jdbc.common.internal.RmiDataSource.getConnection(RmiDataSource.java:360)
       at oracle.mds.internal.persistence.db.JNDIConnectionManagerImpl.fetchConnection(JNDIConnectionManagerImpl.java:91)
       ... 55 moreI tried stopping an starting the datasource but that didnt do much. Can anyone tell me how I can fix this?
  Much thanks!

• Securing web services SOAP headers against OWSM policy

  Hi,
  I need to authenticate the user against the OWSM policy. The caller will pass username and password in SOAP headers and I need to attach WSS policy to my exposed web service.
  How to extract the Header information and then validate them against the policy.
  A simple HelloWorld sample will be of great help.
  regards
  Sanjeev

  Hi,
  For service authentication add policy wss_username_token_service_policy to client composite.Create user in security realms in adminstration console.
  While testing the service select wss username token option under security tab and test with valid credentails or from, soap UI
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:Username>USER CREATED IN SECURITY REALMS</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PSWD ENTERED FOR THE SAME USER IN SECURITY REALMS</wsse:Password>
  </wsse:UsernameToken></wsse:Security> WITH INPUT

• OWSM security for a OSB service- authenticate from weblogic security realms

  Hello,
  I have a requirement to add security to a OSB service.
  The user details are configured in weblogic security realms. lets say there are ten different users.
  I need to protect my osb service using OWSM policy & the policy should be configured to authenticate the user from realms.
  I am new to OWSM & wondering if this is possible?
  Can the experts please direct me to any docs or steps?
  Thanks
  Ganesh

  Hi,
  Thanks for the links.
  I followed the blog and configured it using oracle/wss_username_token_service_policy.
  Now my requirement is to send the username,password from proxy to business and to the BPEL. (the bpel needs this username /password & and in header)
  The issue I am facing is the proxy service is not sending the soap header details to business service.
  I dont want to make the proxy as passthrough. (ie set Process WS-Security Header to NO)
  I have to authorize on proxy level and then send the same credential details to business service?
  So the question is, how can I retrieve the header after osb process it?
  Can anyone please help me here?
  Thanks
  Ganesh

• HTTP 503 after enabling OWSM policy on an ADF BC Service

  I deployed an ADF BC Service to soa_server1 and tested (no problem). But when I added an OWSM policy, I could no longer access the service, nor its WSDL contract.
  Here's the steps:
  1. Deploy and test your ADF BC Service with no policy
  2. In EM, go to the Web Services menu item for the deployed service application, then Policies tab.
  3. Attach the "oracle/log_policy" policy to the service's endpoint
  4. Restart the application after saving the change (as EM tells you to do).
  5. Try to access your Service and/or the Service's WSDL ==> *503 Error*
  6. Use EM to Detach the policy on the service's endpoint
  7. Restart the application after saving the change
  8. Retest -- works fine.

  Note that I can apply the same policy at Develop-Time and deploy and that works.  i.e. Specific to Attaching the policy through EM.
  Actually, Firefox fooled me with a browser cache. The same problem occurs whether the policy is applied at Develop-Time or through EM.
  -Todd
  Edited by: tbeets on May 22, 2009 1:29 PM