BPEL & WS-Security
Hello,
Where can I find more information about BPEL's WS-Security support?
We have services which use certificates for authentication. Will it be possible to orchestrate them with BPEL?
For example passing an encrypted and signed request (and the certificate of course) from one SOAP to another request/call.
BPEL with JBoss and the JDeveloper designer. The secure services are running on Tomcat.
Thanks in advance
Try the BPEL page http://otn.oracle.com/bpel
and their forum:
BPEL
Similar Messages
-
BPEL invocation securely from client using JAZN security not working.
Hi,
We are trying to invoke the BPEL process securely from the client application using JAZN security settings, but this is not working: with any credentials or without providing the security credentials, the BPEL invocation is happening. We need the solution for these security credentials while invoking the BPEL process.
Please provide the update at the earliest. Thanks in advance. Your quick update is greatly appreciated.
Hi James,
Thanks for the update.
Please find the attached docs.
Bpel.xml:
<?xml version = '1.0' encoding = 'UTF-8'?>
<BPELSuitcase>
<BPELProcess id="HelloWorld" src="HelloWorld.bpel">
<partnerLinkBindings>
<partnerLinkBinding name="client">
<property name="wsdlLocation">HelloWorld.wsdl</property>
</partnerLinkBinding>
</partnerLinkBindings>
<configurations>
<property name="role">oc4j-administrators</property>
</configurations>
</BPELProcess>
</BPELSuitcase>
orion-application.xml: folder location: C:\product1\10.1.3.1\OracleAS_1\j2ee\home\applications\orabpel\META-INF\orion-application.xml
<?xml version="1.0"?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"
schema-major-version="10"
schema-minor-version="0" component-classification="internal-BPEL">
<connectors path="./oc4j-connectors.xml"/>
<ejb-module remote="false" path="ejb_ob_engine.jar" />
<ejb-module remote="false" path="ejb_services.jar" />
<web-module id="httpbinding" path="httpbinding.war" />
<web-module id="admin_war" path="admin_war" />
<web-module id="startup_war" path="startup_war" />
<web-module id="console_war" path="console_war" />
<persistence path="persistence" />
<principals path="principals.xml" />
<jazn provider="XML" location="../../config/system-jazn-data.xml" jaas-mode="doAsPrivileged">
<!-- <jazn-web-app auth-method="CUSTOM_AUTH"/> -->
</jazn>
<imported-shared-libraries>
<inherited-shared-libraries/>
<import-shared-library name="oracle.bpel.common" parent="api" />
<import-shared-library name="oracle.ws.client" parent="oracle.ws.jaxrpc" version="10.1.3" />
<import-shared-library name="oracle.ws.jaxrpc" />
<import-shared-library name="oracle.toplink" />
<import-shared-library name="oracle.ws.testpage" />
</imported-shared-libraries>
<log>
<file path="application.log" />
</log>
<namespace-access>
<read-access>
<namespace-resource root="">
<security-role-mapping name="oc4j-administrators">
<group name="oc4j-administrators" />
</security-role-mapping>
</namespace-resource>
</read-access>
<write-access>
<namespace-resource root="">
<security-role-mapping name="oc4j-administrators">
<group name="oc4j-administrators" />
</security-role-mapping>
</namespace-resource>
</write-access>
</namespace-access>
<security-role-mapping name="PUBLIC">
<group name="{{PUBLIC}}" />
</security-role-mapping>
</orion-application>
web.xml file: C:\product1\10.1.3.1\OracleAS_1\j2ee\home\applications\orabpel\startup\WEB-INF\web.xml
<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="StartupWebApp_Id">
<!--servlet id="BPEL_Axis_Servlet_Id">
<servlet-name>BPEL_Axis_Servlet</servlet-name>
<display-name>BPEL Axis Servlet</display-name>
<servlet-class>com.collaxa.cube.ws.soap.axis.BPELAxisServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet-->
<servlet id="BPEL_OC4J_Servlet_Id">
<servlet-name>BPEL_OC4J_Servlet</servlet-name>
<display-name>BPEL OC4J JAX/RPC Servlet</display-name>
<description>BPEL endpoint Provider Port via oc4j jax/rpc</description>
<servlet-class>com.collaxa.cube.ws.soap.oc4j.BPELOC4JServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet id="LoaderServlet_Id">
<servlet-name>cxloader</servlet-name>
<servlet-class>com.collaxa.cube.admin.CXLoaderServlet</servlet-class>
<load-on-startup>3</load-on-startup>
</servlet>
<!--servlet-mapping id="BPEL_Axis_Servlet_Mapping_id">
<servlet-name>BPEL_Axis_Servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping-->
<servlet-mapping id="BPEL_OC4J_Servlet_Mapping_Id">
<servlet-name>BPEL_OC4J_Servlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Default Domain Pages</web-resource-name>
<description>These pages are only accessible by authenticated users.</description>
<url-pattern>*orabpel/default/HelloWorld/v2010_05_02__62961</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>oc4j-administrators</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>jazn.com</realm-name>
</login-config>
<security-role>
<description>BPEL Admins</description>
<role-name>oc4j-administrators</role-name>
</security-role>
<distributable/>
<resource-ref id="ResRef_BPELContainerDataSource_Id">
<res-ref-name>jdbc/BPELServerDataSource</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<!--ejb-local-ref id="EjbRef_AdaptorManager_Id">
<ejb-ref-name>ejb/local/AdaptorManagerLocalBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>com.collaxa.cube.engine.ejb.interfaces.IAdaptorManagerLocalBeanHome</local-home>
<local>com.collaxa.cube.engine.ejb.interfaces.IAdaptorManagerLocalBean</local>
<ejb-link>AdaptorManagerBean</ejb-link>
</ejb-local-ref>
-->
<ejb-ref id="EjbRef_CubeFinder_Id">
<ejb-ref-name>ejb/collaxa/system/CubeFinderBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>com.collaxa.cube.engine.ejb.interfaces.ICubeFinderBeanHome</home>
<remote>com.collaxa.cube.engine.ejb.interfaces.ICubeFinderBean</remote>
</ejb-ref>
<ejb-ref id="EjbRef_Dispatcher_Id">
<ejb-ref-name>ejb/collaxa/system/DispatcherBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<home>com.collaxa.cube.engine.ejb.interfaces.IDispatcherBeanHome</home>
<remote>com.collaxa.cube.engine.ejb.interfaces.IDispatcherBean</remote>
</ejb-ref>
<ejb-local-ref>
<ejb-ref-name>ejb/local/CubeEngineLocalBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>com.collaxa.cube.engine.ejb.interfaces.ICubeEngineLocalBeanHome</local-home>
<local>com.collaxa.cube.engine.ejb.interfaces.ICubeEngineLocalBean</local>
<ejb-link>CubeEngineBean</ejb-link>
</ejb-local-ref>
<ejb-local-ref>
<ejb-ref-name>ejb/local/ProcessManagerLocalBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>com.oracle.bpel.client.ejb.interfaces.IBPELProcessManagerLocalBeanHome</local-home>
<local>com.oracle.bpel.client.ejb.interfaces.IBPELProcessManagerLocalBean</local>
<ejb-link>ProcessManagerBean</ejb-link>
</ejb-local-ref>
<ejb-local-ref>
<ejb-ref-name>ejb/local/CubeDeliveryLocalBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>com.collaxa.cube.engine.ejb.interfaces.ICubeDeliveryLocalBeanHome</local-home>
<local>com.collaxa.cube.engine.ejb.interfaces.ICubeDeliveryLocalBean</local>
<ejb-link>CubeDeliveryBean</ejb-link>
</ejb-local-ref>
<ejb-local-ref>
<ejb-ref-name>ejb/local/KeyGeneratorLocalBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>com.collaxa.cube.engine.ejb.interfaces.IKeyGeneratorLocalBeanHome</local-home>
<local>com.collaxa.cube.engine.ejb.interfaces.IKeyGeneratorLocalBean</local>
<ejb-link>KeyGeneratorBean</ejb-link>
</ejb-local-ref>
<ejb-local-ref>
<ejb-ref-name>ejb/local/MessageLocalBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>com.collaxa.cube.engine.ejb.interfaces.IMessageLocalBeanHome</local-home>
<local>com.collaxa.cube.engine.ejb.interfaces.IMessageLocalBean</local>
<ejb-link>MessageBean</ejb-link>
</ejb-local-ref>
<ejb-local-ref>
<ejb-ref-name>ejb/local/ServerLocalBean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
<local-home>com.oracle.bpel.client.ejb.interfaces.IServerLocalBeanHome</local-home>
<local>com.oracle.bpel.client.ejb.interfaces.IServerLocalBean</local>
<ejb-link>ServerBean</ejb-link>
</ejb-local-ref>
</web-app>
jazn.xml : C:\product1\10.1.3.1\OracleAS_1\j2ee\home\config
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<jazn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-10_0.xsd" schema-major-version="10" schema-minor-version="0" provider="XML" location="./system-jazn-data.xml" default-realm="jazn.com" persistence="ALL">
<property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
<property name="custom.sso.key.alias" value="{AES-128}dpvTz49oIQWnM1gZfdpZ1w=="/>
<property name="idm.token.asserter.class" value="oracle.security.jazn.sso.SSOCookieTokenAsserter"/>
<property name="idm.token.collector.class" value="oracle.security.jazn.sso.SSOCookieTokenCollector"/>
<property name="idm.token.type" value="HTTP_COOKIE"/>
<property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
<property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
<property name="idm.authentication.name" value="JavaSSO"/>
</jazn>
system-jazn-data.xml
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<jazn-data
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-10_0.xsd"
schema-major-version="10"
schema-minor-version="0"
>
<!-- JAZN Realm Data -->
<jazn-realm>
<realm>
<name>jazn.com</name>
<users>
<user>
<name>Bharani</name>
<guid>99116C7155E211DFBFB59D7811B59628</guid>
<credentials>{903}26NFSvxAeBAo3nBkbvJ/e2BCD+actZzi</credentials>
</user>
</users>
<roles>
<role>
<name>oc4j-administrators</name>
<display-name>OC4J Admin Role</display-name>
<description>Administrative role for OC4J</description>
<guid>8A00C8701A0511DFBF99734349FF0592</guid>
<members>
<member>
<type>user</type>
<name>oc4jadmin</name>
</member>
</members>
</role>
</roles>
</realm>
</jazn-realm>
<!-- JACC Repository Data -->
<jacc-repository>
</jacc-repository>
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/oc4j-administrators</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.RoleAdminPermission</class>
<name>jazn.com/*</name>
</permission>
<permission>
<class>com.evermind.server.AdministrationPermission</class>
<name>administration</name>
<actions>administration</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>modifyrealmmetadata</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>createrealm</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>dropuser</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>droprealm</actions>
</permission>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>subject.propagation</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/ascontrol_admin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.AdminPermission</class>
<name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
</permission>
<permission>
<class>oracle.security.jazn.policy.RoleAdminPermission</class>
<name>jazn.com/*</name>
</permission>
<permission>
<class>com.evermind.server.AdministrationPermission</class>
<name>administration</name>
<actions>administration</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>modifyrealmmetadata</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>createrealm</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>dropuser</actions>
</permission>
<permission>
<class>oracle.security.jazn.realm.RealmPermission</class>
<name>jazn.com</name>
<actions>droprealm</actions>
</permission>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>subject.propagation</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/oc4j-app-administrators</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/users</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>user</type>
<class>oracle.security.jazn.spi.xml.XMLRealmUser</class>
<name>jazn.com/anonymous</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/BPMSystemAdmin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.collaxa.security.ServerPermission</class>
<name>server</name>
<actions>all</actions>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>jazn.com/BPMDefaultDomainAdmin</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.collaxa.security.DomainPermission</class>
<name>default</name>
<actions>all</actions>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<realm-name>jazn.com</realm-name>
<type>role</type>
<class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
<name>bpel_users</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>com.evermind.server.AdministrationPermission</class>
<name>administration</name>
<actions>administration</actions>
</permission>
<permission>
<class>com.evermind.server.rmi.RMIPermission</class>
<name>login</name>
</permission>
</permissions>
</grant>
<grant>
<grantee>
<principals>
<principal>
<class>sun.security.acl.PrincipalImpl</class>
<name>oc4j-administrators</name>
</principal>
</principals>
</grantee>
<permissions>
<permission>
<class>java.lang.RuntimePermission</class>
<name>setContextClassLoader</name>
</permission>
</permissions>
</grant>
</jazn-policy>
<!-- Login Module Data -->
<jazn-loginconfig>
<application>
<name>oracle.security.jazn.oc4j.CertificateAuthenticator</name>
<login-modules>
<login-module>
<class>oracle.security.jazn.login.module.X509LoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
<application>
<name>oracle.security.jazn.tools.Admintool</name>
<login-modules>
<login-module>
<class>oracle.security.jazn.login.module.RealmLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
<application>
<name>oracle.security.jazn.oc4j.WebCoreIDSSOAuthenticator</name>
<login-modules>
<login-module>
<class>oracle.security.jazn.login.module.coreid.CoreIDLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>coreid.name.attribute</name>
<value>your credential mapping variable name</value>
</option>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
<option>
<name>coreid.resource.operation</name>
<value>your oreid resource operation</value>
</option>
<option>
<name>coreid.resource.type</name>
<value>your coreid resource type</value>
</option>
<option>
<name>coreid.name.header</name>
<value>your http header name variable</value>
</option>
<option>
<name>coreid.resource.name</name>
<value>your coreid resource name</value>
</option>
<option>
<name>coreid.password.attribute</name>
<value>your password authentication variable</value>
</option>
<option>
<name>coreid.password.header</name>
<value>your http header password variable</value>
</option>
</options>
</login-module>
</login-modules>
</application>
<application>
<name>oracle.security.wss.jaas.SAMLAuthManager</name>
<login-modules>
<login-module>
<class>oracle.security.jazn.login.module.saml.SAMLLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>issuer.name.1</name>
<value>www.oracle.com</value>
</option>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
<application>
<name>oracle.security.jazn.oc4j.DigestAuthenticator</name>
<login-modules>
<login-module>
<class>oracle.security.jazn.login.module.digest.DigestLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
<application>
<name>oracle.security.jazn.oc4j.JAZNUserManager</name>
<login-modules>
<login-module>
<class>oracle.security.jazn.login.module.RealmLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
<application>
<name>oracle.security.wss.jaas.JAASAuthManager</name>
<login-modules>
<login-module>
<class>oracle.security.jazn.login.module.WSSLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
<jazn-permission-classes>
</jazn-permission-classes>
</jazn-data>
It is a lot to check all these files, but for reference I am providing all of them so the security details can be checked.
Thanks for your help... -
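An added example (mine, not from the thread) of the static check I would run on a web.xml like the one posted above before looking anywhere else: it flags security-constraint url-patterns that are not valid servlet mappings and so never match a request, and BASIC authentication without a CONFIDENTIAL transport guarantee. The two descriptors embedded in it are constructed; the corrected pattern `/default/HelloWorld/*` is an assumption about the endpoint path.

```python
"""Static review of a servlet web.xml for security-constraint mistakes.

Two things to check in a descriptor like the one posted above:

1. Each <url-pattern> in a <security-constraint> must be one of the mapping
   forms the Servlet 2.3 spec defines (section 11.2): the default "/",
   a path mapping "/prefix/*", an extension mapping "*.ext", or an exact
   path starting with "/". Any other string is an exact match that no
   request path can equal, so the constraint never applies and the
   resource stays unauthenticated even though the descriptor looks secured.

2. BASIC auth sends the password base64-encoded in the clear, so each
   constraint should require <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip a namespace such as {http://java.sun.com/xml/ns/j2ee} if present.
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]


def classify_pattern(pattern):
    """Return the servlet mapping kind of a url-pattern, or 'unreachable'."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*.") and "/" not in pattern:
        return "extension"
    if pattern.startswith("/"):
        return "exact"
    return "unreachable"


def check_web_xml(xml_text):
    """Return a list of (severity, message) findings; empty means no issue found."""
    root = ET.fromstring(xml_text)
    findings = []
    methods = [m.text.strip() for m in _find_all(root, "auth-method") if m.text]
    uses_basic = "BASIC" in methods
    constraints = _find_all(root, "security-constraint")
    if not constraints:
        findings.append(("high", "no security-constraint: every URL is reachable unauthenticated"))
    for n, sc in enumerate(constraints, 1):
        for p in _find_all(sc, "url-pattern"):
            pat = (p.text or "").strip()
            if classify_pattern(pat) == "unreachable":
                findings.append(("high", f"constraint {n}: url-pattern '{pat}' is not a valid "
                                 "servlet mapping and never matches a request; nothing is protected"))
        if not _find_all(sc, "auth-constraint"):
            findings.append(("high", f"constraint {n}: no auth-constraint, so no login is required"))
        guarantees = [g.text.strip() for g in _find_all(sc, "transport-guarantee") if g.text]
        if uses_basic and "CONFIDENTIAL" not in guarantees:
            findings.append(("medium", f"constraint {n}: BASIC auth without "
                             "transport-guarantee CONFIDENTIAL sends credentials over plain HTTP"))
    return findings


# Constructed descriptors (not the files from the thread): the first mirrors the
# shape of the posted constraint, the second is the corrected form.
BROKEN_WEB_XML = """<?xml version="1.0"?>
<web-app id="StartupWebApp_Id">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Default Domain Pages</web-resource-name>
      <url-pattern>*orabpel/default/HelloWorld/v2010_05_02__62961</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>oc4j-administrators</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>jazn.com</realm-name></login-config>
</web-app>"""

FIXED_WEB_XML = """<?xml version="1.0"?>
<web-app id="StartupWebApp_Id">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Default Domain Pages</web-resource-name>
      <url-pattern>/default/HelloWorld/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>oc4j-administrators</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>jazn.com</realm-name></login-config>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("posted shape", BROKEN_WEB_XML), ("corrected", FIXED_WEB_XML)):
        print(label, check_web_xml(doc) or "no findings")
```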
Does the BPM engine work with the security layer or is it required that the BPEL programmer explicitly write or interact with a security layer (e.g. checking network access credentials?)
Hi,
I hope that depends on how you want to secure the BPEL service.
Either you can define the username and password in BPEL, or, if you use OWSM, you need to authenticate the username and password again; otherwise just extracting the credentials does not make sense.
For example, if you do not use File Authenticate in the OWSM policy, then the only security the OWSM gateway will provide is "proxifying the BPEL Web Service".
Also, can you clarify: if BPEL PM is sending out WSS headers then I think it is a message producer, not a consumer. -
How to make bpel process secure?
Currently, I have a bpel process that can be accessed by anyone who knows its endpoint. I now need to add some basic authentication to ensure that only authenticated users access the BPEL process. I am thinking about using the http basic authentication but I don't know how to set it up in bpel. I don't know whether or not I can add the web.xml and sun-web.xml files to the bpel process to set up the security constraint like web applications. Does anyone know how to do it?
thanks
You can find useful information here
http://wiki.open-esb.java.net/Wiki.jsp?page=HTTPBasicAuthentication -
Hello,
My 10g BPEL process has a partner link to a non-secured (http) service. Now it should point to a secured (https) service.
To achieve that, I think I need to get the security certificate and import it into the keystore.
Could anyone guide me through the other steps which need to be done to access the secured service from BPEL?
Thanks for any suggestion.
Thanks and Regards,
Dev...
I want to install OAS 10 for using Forms and Reports.
Install Forms & Reports Services Standalone, from http://www.oracle.com/technetwork/middleware/ias/downloads/101202-095224.html
-
Error while invoking the WSDL service of EBS from BPEL process
Hi Team,
We are calling, from a BPEL process, a web service client that invokes a WSDL service published in the Oracle EBS Integrated SOA Gateway.
After invoking, we are getting the below error:
<bpelFault><faultType>0</faultType><remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="summary"><summary>FND_SOA_SERVICE_EXECUTION_ERR:oracle.apps.fnd.soa.util.SOAException: ServiceExecutionError: Error while executing the service Exception returned from JCA Service Runtime. Exception returned from JCA Service Runtime. null :Please see service monitor logs for full error trace</summary></part><part name="detail"><detail>oracle.j2ee.ws.client.jaxws.JRFSOAPFaultException: Client received SOAP Fault from server : FND_SOA_SERVICE_EXECUTION_ERR:oracle.apps.fnd.soa.util.SOAException: ServiceExecutionError: Error while executing the service Exception returned from JCA Service Runtime. Exception returned from JCA Service Runtime. null :Please see service monitor logs for full error trace</detail></part><part name="code"><code>{http://schemas.xmlsoap.org/soap/envelope/}Server</code></part></remoteFault></bpelFault>
API Name : OE_ORDER_PUB.PROCESS_ORDER
could you please let me know the exact problem and provide the solution.
Thanks
Phani Ch.
Hi Phani,
Are you able to reproduce issue as below:
1. Login to Application as sysadmin.
2. Navigate to Integrated SOA Gateway > Integration Repository.
3. Click on search on right hand side of the page.
4. In the Internal Name type "FND_USER_PKG" and click Go.
5. Click on the User link.
6. Under the "Web Service - SOA Provider", click in the "View WSDL". Copy the complete URL "http://test:8003/webservices/SOAProvider/plsql/fnd_user_pkg/?wsdl"
7. Open the soapUI.
8. Click File > new soapUI Project.
9. Test the web service.
If yes,
I think you might need to execute a patch:
solution:
To implement the solution, please execute the following steps:
1. Download and review the readme and pre-requisites for iAS Patch 18855074.
Note: The above Merge Label Request (MLR) is built for EBS 12.1.3 having OC4J 10.1.3.5.
2. Enable the profile option "EBS Adapter for BPEL, Function Security Enabled".
a. Login as SYSADMIN user and Navigate to System >Profile and Search for "EBS Adapter for BPEL, Function Security Enabled" (Internal name :EBS_ADAPTER_FUNCTION_SEC_ENABLED)
b. Set the value to 'Y' at SITE level. This means the function security feature is enabled and all API calls for PL/SQL APIs, Oracle e-Commerce Gateway, and concurrent programs will be checked for user security before they are invoked.
3. Retest the issue by Generating and Deploying the required package.
4. Migrate the solution as appropriate to other environments.
Thanks
Ranjan -
Secured Invoking Process - Error ORABPEL-02175 .... Urgent
Hi
I am currently using SOA Suite 10.1.3.1.0 using oracle Lite database, I am trying to invoke my BPEL process securely.
I used the DetailedSecuredProcess under samples\tutorials and it works fine.
I have created a process and am trying to invoke it securely, I get the following error on BPEL console :
<Fault xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode>env:Server</faultcode>
<faultstring>ORABPEL-02175 Error while invoking inbound message handler. An error has occurred while attempting to invoke the inbound message handler class "class com.collaxa.cube.security.Authenticator" for the message "". The exception reported was: Could not apply security [No username provided, security expects user] </faultstring>
</Fault>
I have configured my BPEL suitcase as follows:
<?xml version = '1.0' encoding = 'UTF-8'?>
<BPELSuitcase>
<BPELProcess id="PICInventorySharing" src="PICInventorySharing.bpel">
<partnerLinkBindings>
<partnerLinkBinding name="client">
<property name="wsdlLocation">PICInventorySharing.wsdl</property>
</partnerLinkBinding>
<partnerLinkBinding name="SelectInventoryDataByLastUpdated">
<property name="wsdlLocation">SelectInventoryDataByLastUpdated.wsdl</property>
<property name="retryInterval">60</property>
</partnerLinkBinding>
</partnerLinkBindings>
<configurations>
<property name="user">clemens</property>
<property name="pw">!welcome1</property>
<property name="role">administrators</property>
</configurations>
</BPELProcess>
</BPELSuitcase>
I have modified the message-handlers.xml file as follows
<property id="SecuredProcesses">
<value>SecuredCreditRatingService, MasterSecuredProcess, DetailSecuredProcess, PICInventorySharing</value>
<comment>Processes can be secured explicitly without having effect on the whole domain, put their names in here and comma separate them</comment>
</property>
</message-handler>
<inbound-flow>
<message-handler id="default" />
<message-handler id="security" />
<!-- uncomment for inbound security
<message-handler id="security" />
-->
Any suggestion to resolve this is much appreciated.
Thanks in advance.
Brett
Edited by: user11688998 on Oct 19, 2009 5:04 AM
Your client is not providing a username or password in your soap request.
The configuration you have there is for connection to a remote endpoint. The error you are getting is related to what is being sent to you. -
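An added example (mine, not from the thread or from Oracle's tutorial samples) showing what the header the reply says is missing looks like on the wire and how a receiving handler checks it; it also serves the WS-Security question at the top of the page. The user store, password and body are constructed; the digest form follows the OASIS UsernameToken Profile 1.0.

```python
"""WS-Security UsernameToken (PasswordDigest) on both sides of a SOAP call.

Client side builds the wsse:Security header the ORABPEL-02175 fault above
complains is absent; server side re-derives
    PasswordDigest = Base64( SHA-1( nonce || Created || password ) )
from its own copy of the password, bounds the Created timestamp and refuses
a nonce it has already seen, which is what stops a captured header from
being replayed.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_ENC = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """nonce is the raw nonce bytes, created the xsd:dateTime string."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Client side: wrap body_xml in an Envelope carrying a UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    sec.set(f"{{{SOAP}}}mustUnderstand", "1")   # receiver may not silently skip it
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce",
                  EncodingType=NONCE_ENC).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: the check an inbound security handler performs."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users            # constructed username -> password store
        self.max_skew = max_skew
        self.seen_nonces = set()      # replay cache; production code expires entries

    def verify(self, envelope_xml, now=None):
        """Return the authenticated username or raise ValueError with the reason."""
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            raise ValueError("No username provided, security expects user")
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if username not in self.users or None in (pw_el, nonce_el, created):
            raise ValueError("unknown user or incomplete UsernameToken")
        if pw_el.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest is accepted")
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            raise ValueError("Created timestamp outside acceptance window")
        nonce = base64.b64decode(nonce_el.text)
        if nonce in self.seen_nonces:
            raise ValueError("nonce replayed")
        expected = password_digest(nonce, created, self.users[username])
        if not hmac.compare_digest(expected, pw_el.text or ""):
            raise ValueError("password digest mismatch")
        self.seen_nonces.add(nonce)
        return username


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"bpeluser": "constructed-password"})
    msg = build_envelope("bpeluser", "constructed-password", "<ping xmlns='urn:demo'/>")
    print(verifier.verify(msg))   # bpeluser
```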
Getting Error While Triggered the Internal Service Request Process Accelerator
Hi
I installed Oracle Process Accelerators (Internal Service Request and Employee On Boarding) PS6 on Windows 7. Installation was successful, and I checked the installpa.log file, where it shows "Build Successful". Then we assigned the roles in BPM Workspace and also set up the security realms in Enterprise Manager as per the installation document provided by Oracle, and after that everything was fine. To test the Internal Service Request (ISR) I triggered a few instances, but they terminated abruptly, giving these errors in Enterprise Manager (EM).
The error message shown in EM when ISR was triggered is:
Non Recoverable Business Fault :
<bpelFault><faultType>1</faultType><operationErroredFault xmlns="http://xmlns.oracle.com/bpel/workflow/taskService"><part name="payload"><operationErroredFault xmlns="http://xmlns.oracle.com/bpel/workflow/taskService"><faultInfo>ORABPEL-30082 WorkflowServiceEngine request to another component failed. Request operation CallFunctionStateless from default/InternalServiceRequest!1.0/ManagerApproveRequest to ManagerApproveRequestRules_ManagementChainRuleSet failed with Business Fault: null. Check the underlying fault. Check target SOA component for cause. </faultInfo></operationErroredFault></part></operationErroredFault></bpelFault>
Non Recoverable Business Fault :
Attempted to access property 'id' in class 'oracle.bpel.services.identity.hierarchy.HierarchyPrincipal' with a null object reference. at line 292 column 34 in /Ruleset(ManagerApproveRequestRulesBase)/Function(CreateSupervisoryList)/Action[11]
If anybody has done this before and is facing the same issue, can you please let me know as early as possible.
Thanks and Regards
Rajesh. -
Does Interconnect FTP Adapter support SFTP/SSH?
Does Interconnect FTP Adapter support SFTP/SSH?
Thanks!
-mb
No it doesn't!
Actually, the FTP adapter in BPEL supports secure FTP (FTPS, FTP over SSL), but only on the Solaris platform, if I believe the documentation.
You can try to connect the BPEL FTP adapter to InterConnect using the new JCA adapter (in IC 10.1.2.0.2), but I'm not sure whether the BPEL FTP adapter is JCA-compatible or not (since it is not in the Oracle AS adapters package but inside BPEL)... -
Regarding SOA Foundation Certification
Hi All,
Can anybody clarify my doubt?
To do the certification in SOA Foundation, can I apply as an individual? When I am creating a user in the partner link it is asking me for the company's profile, but I want to do this certification individually, not from the company. So can anybody guide me how to do this?
Regards,
Adhi
Hi Anuj,
Can you check whether the below listed topics, which I got from the Oracle site, are sufficient.
Regards,
Adhi
Exam Topics
SOA Practitioner Foundation
Service-Oriented Architecture Concepts
Describe Service-Oriented Architecture (SOA) concepts
Identify standards that enable SOA
Review Service Component Architecture (SCA)
Describe Event Driven Architecture (EDA)
SOA Composite Applications
Understand the concepts of SCA Technologies
Describe Oracle SOA Suite 11g components
Describe the Service Components
Define a composite application
Describe SOA Composite Editor
Adapters
Describe adapter concepts and framework
Describe Technology adapters: File, Database, JMS, etc
Describe Applications Adapters Ebiz suite,Peoplesoft, Siebel, etc
Explain adapter run-time configuration
Explain adapter design-time configuration
Orchestrating Services with BPEL
Explain BPEL Components activities and partner Links
Describe Synchronous and Asynchronous BPEL Processes
Describe Message Transformations and XSLT
Explain Parallel Flow and Conditional branching
Explain BPEL integration with Java
Advanced BPEL Concepts
Describe Exception Handling in Composite Applications
Describe the Fault Management Framework
Describe Compensation handling within a BPEL process
Describe Correlation concepts
Manage Transactions with SDO
Working with Mediator Components
Explain the Mediator component and its features
Define business events and the Event Delivery Network (EDN)
Create and configure a Mediator service component
Create Mediator routing rules
Human Workflow
Describe Human Workflow Concepts, Features and Architecture
Design Human Tasks and Services
Invoke a Human Task from a BPEL process
Oracle Business Rules Concepts
Explain business rules concepts
Describe the Oracle Business Rules architecture
Describe Oracle Rules Engine
Create rules with the JDeveloper Rules Designer
Integrate a simple rule with a BPEL Process
Secure services and Composite Applications
Explain Web Services and Composite Security
Describe the Fusion Middleware security architecture
Understand Security Policy Management, Identity Propagation
Describe OWSM Agents
SOA 11g Integration Points
Describe Oracle Service Bus Concepts and Architecture
Describe Oracle Business Activity Monitoring
Describe Oracle B2B
Describe EDA and Oracle Complex Event Processing
Monitoring and managing SOA 11g Deployment
Describe Deploy and Un-deploy SOA Composite application
Describe Management of SOA Composite application using the Enterprise Manager
Describe Enterprise Manager Grid Control SOA Management Packs -
Error while invoking a WS-Security secured web service from Oracle BPEL..
Hi ,
We are facing some error while invoking a WS-Security secured web service from our BPEL Process on the Windows platform (SOA 10.1.3.3.0).
For the BPEL process we are following the same steps as given in an AMIS blog: [http://technology.amis.nl/blog/1607/how-to-call-a-ws-security-secured-web-service-from-oracle-bpel]
but still, after deploying it and passing values in it, we are getting the following error on the console:
“Header [http://schemas.xmlsoap.org/ws/2004/08/addressing:Action] for ultimate recipient is required but not present in the message”
Any pointers in this regard will be highly appreciated.
Thanks,
Saurabh
Hi James,
Thanks for the quick reply.
We've tried to call that web service from an HTML page designed in Visual Studio with the same username and password and it's working fine.
But on the BPEL console, we are getting the error as mentioned.
Also, if you can tell me how to set the user name and password in the header of the partner link. I could not find how to do it.
Thanks,
Saurabh -
Best Practice for Securing Web Services in the BPEL Workflow
What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same oracle application server.
Defining agent for each?
Gateway for all?
BPEL security extension?
The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
Regards
Farbod
It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
The typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the App server only from Gateway.
When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
The next BPEL developer in your project may not be aware of security extensions.
Centralizing security enforcement will make your development and security operations loosely coupled and addresses scalability.
Thanks
Ram -
How to get security context in BPEL to get Logged in UserId
Hi All,
We have a requirement of getting security context in BPEL flow and from that we want to extract currentUserId. The requirement is to know who has initiated the composite flow. We are not passing userId in the event payload. In ADF we get the same through following expression:
ADFContext.getCurrent().getSecurityContext().getUserName()
Is there any similar api which we can access to get currentUserId?
Thanks,
Naga
Hi,
If your BPEL has oracle/wss_username_token_service_policy you can retrieve the username from the SOAP headers...
Have a look at this...
http://yuanmengblog.blogspot.com.au/2012/09/extracting-and-passing-wss-name-token.html
Cheers,
Vlad -
Error while calling secured OSB proxy from BPEL
Hi,
I have a OSB Proxy service to which I have applied OWSM Policy:
oracle/wss_username_token_service_policy
In the Setting:
Process WS-Security Header is set to Yes
While calling this Proxy from BPEL I tried to append binding properties, I tried the following options:
option1:
wsseHeaders=credentials
wssePassword=welcome1
wsseUsername=weblogic
option2:
oracle.webservices.auth.password=welcome1
oracle.webservices.auth.username=weblogic
But neither of them work and I get the following error:
<con:fault xmlns:con="http://www.bea.com/wli/sb/context">
<con:errorCode>BEA-386200</con:errorCode>
<con:reason>General web service security error</con:reason>
<con:location>
<con:path>request-pipeline</con:path>
</con:location>
</con:fault>
<Sep 21, 2010 9:49:30 AM PDT> <Error> <OSB Security> <BEA-387022> <An error ocurred during web service security inbound request processing [error-code: SecurityHeaderUnmarshallingError, message-id: 3659922647318344420--645cdd1d.12b2fe0c158.-7e45, proxy: OSBTest/Proxy Services/PrivatePersonnelDB_PS, operation: null]
--- Error message:
oracle.wsm.security.SecurityException: WSM-00069 : The security header is missing.
at oracle.wsm.security.policy.scenario.processor.UsernameTokenProcessor.verify(UsernameTokenProcessor.java:218)
at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.receiveRequest(WssUsernameTokenScenarioExecutor.java:123)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:530)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:608)
Truncated. see log file for complete stacktrace
I have even tried to enable HTTP Basic Authentication for the service, but it did not work.
Any help is highly appreciated.
Thanks.
Hi,
I have applied oracle/wss_username_token_service_policy for my proxy service and am trying to test that from the OSB Test Console. I am getting the below error:
"[OSB Security - OWSM:387253]Failed to initialize Owsm Credential Manager. Please validate the Keystore Configuration"
When I launched the Test Console for this proxy, I observed in the Security part that oracle/wss_username_token_client_policy is appearing. I am not sure why oracle/wss_username_token_client_policy is appearing there when I applied oracle/wss_username_token_service_policy to my proxy service.
Also, do I need to configure any keystore for oracle/wss_username_token_service_policy? If so, please tell me the process.
If no keystore is required, where will the credentials be stored?
Thanks
Rajesh -
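The two threads above both turn on the same wire-level detail: a service protected by oracle/wss_username_token_service_policy expects a wsse:Security header carrying a UsernameToken, and WSM-00069 is what the policy reports when that header is absent. The following is an added example, not code from any of the posts or from Oracle's products: it builds such a header (PasswordText or PasswordDigest per the OASIS UsernameToken Profile 1.0), extracts the username the way the "get the logged-in user from the SOAP header" thread needs, and rejects an envelope with no security header. The SOAP namespace URIs are the published OASIS/W3C ones; the nonce, timestamp and message body are constructed sample values, and the username/password are the ones quoted in the thread.

```python
"""Added example: building and checking a WS-Security UsernameToken header."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace URIs from SOAP 1.1 and the OASIS WS-Security 1.0 specifications.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
TOKEN_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = TOKEN_PROFILE + "#PasswordText"
PASSWORD_DIGEST = TOKEN_PROFILE + "#PasswordDigest"
NONCE_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


class SecurityHeaderMissing(Exception):
    """No wsse:Security/UsernameToken in the envelope: the WSM-00069 situation."""


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce bytes + created + password)), per the profile."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(username, password, body_xml, digest=False, nonce_b64=None, created=None):
    """Wrap body_xml in a SOAP 1.1 envelope whose header carries a UsernameToken."""
    if digest:
        # Constructed values are used when the caller passes none (tests pass fixed ones).
        nonce_b64 = nonce_b64 or base64.b64encode(os.urandom(16)).decode()
        created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        pw = (f'<wsse:Password Type="{PASSWORD_DIGEST}">'
              f'{password_digest(nonce_b64, created, password)}</wsse:Password>'
              f'<wsse:Nonce EncodingType="{NONCE_ENCODING}">{nonce_b64}</wsse:Nonce>'
              f'<wsu:Created>{created}</wsu:Created>')
    else:
        pw = f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>'
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<soap:Header><wsse:Security soap:mustUnderstand="1"><wsse:UsernameToken>'
            f'<wsse:Username>{username}</wsse:Username>{pw}</wsse:UsernameToken></wsse:Security>'
            f'</soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')


def extract_username_token(envelope_xml: str) -> dict:
    """Return the UsernameToken fields, or raise if the security header is absent."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    security = header.find("wsse:Security", NS) if header is not None else None
    token = security.find("wsse:UsernameToken", NS) if security is not None else None
    if token is None:
        raise SecurityHeaderMissing("The security header is missing")
    pw = token.find("wsse:Password", NS)
    return {
        "username": token.findtext("wsse:Username", namespaces=NS),
        "password": pw.text if pw is not None else None,
        "password_type": pw.get("Type") if pw is not None else None,
        "nonce": token.findtext("wsse:Nonce", namespaces=NS),
        "created": token.findtext("wsu:Created", namespaces=NS),
    }


def verify_token(token: dict, expected_password: str) -> bool:
    """Check the token against the password on file; constant-time comparison in both modes."""
    presented = token["password"] or ""
    if token["password_type"] == PASSWORD_DIGEST:
        if not token["nonce"] or not token["created"]:
            return False
        expected = password_digest(token["nonce"], token["created"], expected_password)
        return hmac.compare_digest(expected, presented)
    if token["password_type"] == PASSWORD_TEXT:
        return hmac.compare_digest(expected_password, presented)
    return False  # unknown or absent password type


if __name__ == "__main__":
    env = build_request("weblogic", "welcome1", "<q/>", digest=True)
    print(extract_username_token(env)["username"])  # weblogic
```

In a real deployment the digest form also needs a freshness window on wsu:Created and a replay cache of recent nonces; the PasswordText form must only ever travel over TLS, since the password is in the clear. The point for the threads above is diagnostic: if the proxy logs WSM-00069, the client binding never produced the wsse:Security element, so the fix lies in how the client (here the BPEL partner link) attaches the token, not in the service-side policy.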
How to invoke secure web service from BPEL in SOA 11g
In SOA 11g I have a simple BPEL process in which I am invoking a secured web service as a partner link. The web service which is used in the BPEL process is deployed in WebLogic and the SSL port is enabled on the WebLogic server. The wsdl url starts with "https:\\hostname:port\servicename?wsdl"
But I am getting compilation errors when I compiled the BPEL code:
Error(16,65): Load of wsdl "AddressBookManager.wsdl" failed
Error(19,30): Load of wsdl "https://hostname:port/DV900/AddressBookManager?wsdl" failed
Error(35,102): Cannot find Port Type "{http://oracle.e1.bssv.JP010000/}Oracle_E1_SBF_SEI_PkgBldFile_AddressBookManager" for "AddressBookManager" in WSDL Manager
Can anyone please help me out in resolving this.
Thanks,
Shameem banu.
Solution is you need to import the keystore into the JDeveloper JDK first.
keytool -import -alias <name> -file <name>.pem -keystore <name>.jks -storepass <passwd>
All details in <> are your specific keystore/password details.
Then go to Jdeveloper/jdev/bin and add the following to the jdev.conf file:
AddVMOption -Djavax.net.ssl.trustStore=path_to_keystore\keystorename.jks
AddVMOption -Djavax.net.ssl.trustStorePassword=password
Then you can create a partner link for the https-based wsdl.
Good Luck