Change security policy on passthrough proxy-service?

Similar Messages

• Probem attaching OWSM Policy to OSB Proxy Service

  Hi all,
  I am working with OSB 11g R1 and I am trying secure one proxy service by attaching one OWSM predefined policy. However, the "OWSM Policy Binding" is disabled in the Policy section of the proxy service.
  I found this thread in the forum [1] wich seems to have the same problem and I have checked that all the extensions are installed in my domain.
  Sure I missing something but I haven't found anything in the docs.
  Any tip or hint is appreciated
  Thanks in advance
  My enviroment:
  - Weblogic Server (10.3.4.0)
  - Oracle Service Bus (11.1.1.4)
  - Oracle Service Bus OWSM Extension (11.1.1.0)
  [1] OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1
  Edited by: user10102092 on 27-jul-2011 2:42

  I presume you already did a fresh restart of the managed servers?Yeap, I've restarted the OSB server.
  Looking at the logs I can find this message:
  +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
  So I understand that the pool is created correctly, isn't it?

• OSB & WLST: changing operational settings for a proxy service via WLST

  Hi all,
  we are trying to change the operational settings for a proxy service via WLST.
  In details we would like to change the "Logs" level (Monitoring section).
  We have a lot of deployed services and our 'deployer people' need an automatic way (via WLST for example) for doing that instead of using the OSB console.
  Thanks in advance
  ferp

  Hi,
  OSB is the Oracle Service Bus. Oracle Service Bus is a configuration-based, policy-driven enterprise service bus.
  The OSB is deployed into an Oracle WebLogic Server instance.
  OSB uses also WLST functionality provided by WebLogic Server.
  Best regards
  ferp

• OWSM user name token service policy for a proxy service at OSB

  Hi Friends,
  I am facing an issue while trying for the OWSM user name token service policy Authentication for a proxy service at OSB. I am using the PS4 SOA suite with AIA foundation pack. very first I am login into the EM console and choose the domain<soaosb_domain> form web logic domain I moved to security->security provide configuration. Inside the security provide configuration we have to key store section and I expand that and we have a configure button inside the keys tore. I click that button and it open a new page. In that page I got the Java key store (JKS) as the default key store and in the access Attributes I keep the default key store path and fill password and confirm password fields. Then in Identity certificates I fill the signature key and Encryption key with key Alias as 'orakey' and same password which I am mentioned at access Attributes. I got the message like the key store is created successfully. Then I restarted the server and again I am login into the EM console and choose the domain<soaosb_domain> form web logic domain I moved to security. In security I choose the credentials. In credentials we have create key. In the create key I add the key as hari-key and provide the hari as a user and his password.
  While trying to test the proxy service i am getting the [OSB Security - OWSM: 387253] Failed to initialize OWSM Credential Manager. Please validate the Key store Configuration.
  can anyone please look at this and suggest me how can I proceed for this.
  Thanks
  Hari

  anyone please respond to the above request.
  Thanks
  Hari

• OSB: Proxy Service and Dispatch Policy

  Hi all,
  I'm trying to use OSB (10.3) proxy service with dispatch policy set to WebLogic (10.3) work manager to limit maximum number of threads allocated for request to this proxy service.
  It seems to me that whole dispatch policy setting is ignored in OSB. The situation is like this: I have simple Axis based web service with wait method that just waits for few seconds (based on request parameter). I use this service for testing (hm, so far just for trying to understand) OSB dispatch policy function.
  Using soapUI I created a simple load test which uses 10 threads to call wait(10) - it means "wait for 10 seconds". Time limit for the whole load test is set to 20 seconds. It is clear that the total execution count is 2 x 10 = 20. So far, so good.
  Then I created simple proxy service in OSB that just routes request to business service representing my Axis service with wait method. I set a dispatch policy for the proxy service to WorkManager-2threads (see below) and I expected that running the same load test with endpoint set to OSB would result in significant lower total execution count. I expected that because WebLogic should allocate 2 threads at most for all requests to this proxy service. However, that's not the case as the result is the same as in the first (Axis only) test. Just as there was no dispatch policy settings at all ...
  Where is the problem?
  This is the relevant part of my WebLogic configuration regarding work manager:
  <max-threads-constraint>
  <name>MaxThreadsConstraint-2</name>
  <target>AdminServer</target>
  <count>2</count>
  <connection-pool-name></connection-pool-name>
  </max-threads-constraint>
  <work-manager>
  <name>WorkManager-2threads</name>
  <target>AdminServer</target>
  <max-threads-constraint>MaxThreadsConstraint-2</max-threads-constraint>
  <capacity xsi:nil="true"></capacity>
  <ignore-stuck-threads>false</ignore-stuck-threads>
  </work-manager>

  It's same problem to me. I do pressure test by loadrunner,I deployed two separate proxy service,under same concurrent user,I get same TPS from the two proxy service.but when I add low priority concurrent user,low priority TPS up.
  I set the Route option as you say,but weblogic hanged immediately,and can't be accessed by the console.

• OSB Delete Entire Node (SOAP:header) in Proxy service

  Hi
  I am wanting to delete the SOAP:header node in the response in the SOAP proxy service.
  I am using the Delete action with the following settings
  Xpath: .
  In Variable: header
  All this is doing is deleting the contents of the "Header" node when I want to Delete the entire node.
  What am I doing wrong?
  Thanks in advance
  Edited by: cool.br33ze on 05-Feb-2013 01:40

  The reason for why I need to get rid of the SOAP:header is because the consuming application, SAP, is unable to handle a SOAP:header.If the consuming application is a SOAP client then there is no reason why it cannot handle it. If consuming application is not a SOAP client then better change the type of your proxy service to Any XML service or Messaging Type Service (with request and response type as XML)
  Regards,
  Anuj

• Handling Transport Errors in OSB Proxy Services

  Hi,
  I have a requirement of storing and handling Transport level Security Errors in my proxy services . In fact, my proxy services are secured with HTTP Basic Authentication and i am not able to catch authentication errors. I added a Service Error Handler to my proxy service but unfortunatly it doesn't handle these errors.
  Does anyone know how can we catch these errors in OSB, and if it is possible to execute activities like alerts, reports, logging in these cases.
  I read in some blogs that Error handlers are nested like this : Route Node ->  Proxy Service -> System Error Handler
  so maybe it would be good to customize the System Error Handler Behavior. I don't know if this is possible.
  Any help will be appreciated.
  Best regards
  Farouk

  Transport level authentication is done at transport layer even before the actual proxy service gets initiated. So you wont be able to catch authentication errors in the proxy service (and do alerting/logging/reporting etc). You can probably try enabling debug logging for HTTP protocol and see if you can capture these errors in the Access.log of the servers.    

• How to invoke ALSB proxy service externaly

  Hello,
  I.m trying to understand the ALSB and stumble across an issue and hope one of you guys (from BEA) can help out?
  I've created the services from the Mortgage services tutorial successfully and now I'm trying to invoke the proxy services externally. By externally I mean as a partner link from within Oracle BPEL. So far this does not work. The error message states a missing protocol in the service URL. I checked this and it is true: the wsdl of the proxy service contains only a relative path (/loan/gateway1), so the protocol and server name and port are missing. Further, I tried to change the URI of the proxy service, but ALSB does only allow a relative URI.
  My question is: what am I missing so the proxy service can be invoked externally?
  I am on the right solution path to invoke a proxy service instead of a business service, right!?
  Thank in advance.
  Regards,
  Harm Verschuren

  I tracked down the problem. The proxy service and the business service it routes to use rpc encoded. The RPC encoded message comes to the proxy service from BPEL which transmits it without modification to the business service. The WLS web service that impements the business service is unable to decode the message persumably because it did not like the way BPEL encoded the message. Below is the message part that BPEL sent: All the xsitype attributes are part of RPC encoding.If you use the alsb test console to pass this message directly to the business service, you will see the decoding error thrown by wls.
  <loanRequest xmlns:pns0="java:normal.client"
  xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ns0="http://example.org"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <pns0:Name xsi:type="xsd:string">Joe</pns0:Name>
  <pns0:SSN xsi:type="xsd:string">123456789</pns0:SSN>
  <pns0:Rate xsi:type="xsd:double">3</pns0:Rate>
  <pns0:Amount xsi:type="xsd:long">50000</pns0:Amount>
  <pns0:NumOfYear xsi:type="xsd:int">20</pns0:NumOfYear>
  <pns0:Notes xsi:type="xsd:string">test</pns0:Notes>
  </loanRequest>

• WS-Security and proxy service: Unable to add security token for identity

  What the reason of "Unable to add security token for identity" fault in this situation (10.3.1):
  I did simple "hello word" proxy service and tried to apply custom policy binding.
  WS-Policy is next:
  <wsp:Policy wsu:Id="WS-Policy-Siebel"
       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <wssp:Identity
            xmlns:wssp="http://www.bea.com/wls90/security/policy">
            <wssp:SupportedTokens>
                 <wssp:SecurityToken
                      TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
                      <wssp:UsePassword
                           Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText" />
                 </wssp:SecurityToken>
            </wssp:SupportedTokens>
       </wssp:Identity>
  </wsp:Policy>
  Process WS-Security is setted to "yes".
  While debugging I see that all works fine - I can authenticate with defined credentials and breakpoints in proxy service flow works fine.
  But at the end I get the fault:
  Soap fault:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
  <env:Fault>
  <faultcode>env:Server</faultcode>
  <faultstring>Unable to add security token for identity</faultstring>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  In console:
  <09.06.2010 17:39:18 MSD> <Error> <OSB Security> <BEA-387023> <An error ocurred during web service security inbound response processing [error-code: F
  ault, message-id: 1721282272521583996--57dc4ccc.1291cc2282d.-7fab, proxy: OSB Project WS-Security/WSSecurityService, operation: NewOperation]
  --- Error message:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault><faultcode>env:Server</faultcode><faultstring>Un
  able to add security token for identity</faultstring></env:Fault></env:Body></env:Envelope>
  weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token for identity
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processIdentity(SecurityPolicyDriver.java:175)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:73)
  at weblogic.wsee.security.wss.SecurityPolicyDriver.processOutbound(SecurityPolicyDriver.java:64)
  at weblogic.wsee.security.WssServerHandler.processOutbound(WssServerHandler.java:88)
  at weblogic.wsee.security.WssServerHandler.processResponse(WssServerHandler.java:70)
  Truncated. see log file for complete stacktrace
  Incoming soap message is:
  <soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security      soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken      wsu:Id="unt_TNNp0cBwU7HyPKoq" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:Username>testuser</wsse:Username>
  <wsse:Password      Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">testuser</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soap:Header>
  <soapenv:Body>
  <wss:NewOperation      xmlns:wss="http://www.troika.ru/Enterprise/WSSecurityService/">
  <in>string</in>
  </wss:NewOperation>
  </soapenv:Body>
  </soapenv:Envelope>
  Edited by: Andrey L. on Jun 9, 2010 5:55 PM

  I thought you were getting that exception when accessing the proxy.
  No. Authentification works fine. Proxy body works fine. But at the end of proxy appears the exception.
  Sorry for my english - I tried to show this situation on image: http://imglink.ru/show-image.php?id=9c0e0c1719f00289faf11696c6703bc3
  Are you getting this exception when routing to a business service which is configured for WS-Security ??
  I don't use business service in this test project - only simple proxy service with all logic inside.
  PS transformation in replace action is very simple too:
  (:: pragma bea:global-element-parameter parameter="$newOperation1" element="ns0:NewOperation" location="WSSecurityService.wsdl" ::)
  (:: pragma bea:global-element-return element="ns0:NewOperationResponse" location="WSSecurityService.wsdl" ::)
  declare namespace ns0 = "http://www.troika.ru/Enterprise/WSSecurityService/";
  declare namespace xf = "http://tempuri.org/OSB%20Project%20WS-Security/Hello/";
  declare function xf:Hello($newOperation1 as element(ns0:NewOperation))
  as element(ns0:NewOperationResponse) {
  <ns0:NewOperationResponse>
  <out>Hello, { data($newOperation1/in) }!</out>
  </ns0:NewOperationResponse>
  declare variable $newOperation1 as element(ns0:NewOperation) external;
  xf:Hello($newOperation1)
  Edited by: Andrey L. on Jun 10, 2010 12:21 PM

• Osb proxy service with owsm policy auth slow when soap request very large

  I have a proxy service which is security with owsm policy: oracle/wss_username_token_service_policy, the proxy service simply route to Business Service which directly invoke a bpel exposed web service, when I call the proxy service with soap envelope large than 15MB(not attachment), waiting about 4~5 minutes, the bpel instance created ; but when I remove the security policy:oracle/wss_username_token_service_policy, it will cost only 20 seconds, why authentication cost so long? How can I deal with the problem?
  My English is poor, please don't mind!
  besides, with my OSB version is 11.1.1.6.0

  I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with embedded signature and this seems to be not supported with the used OWSM policy. Without the signature is the exception gone.
  Marian

• Error when OWSM policy is applied to Proxy Service in 11gR1

  Hi,
  I have applied oracle/wss_username_token_service_policy for my proxy service and trying to test that from OSB Test Console. I am getting below error,
  When i have launched Test Console for this proxy, i have observed in Security part, oracle/wss_username_token_client_policy is appearing. I am not sure why oracle/wss_username_token_client_policy is appearing there when i applied oracle/wss_username_token_service_policy to my proxy service.
  I have created Keystore and also created oralce.wsm.security map under em console.
  Now when i am trying to Test proxy service using Test Console, I am facing below error,
  An error ocurred during web service security outbound request processing [error-code: InternalError, message-id: <test-message>, proxy: <alsb-test-service>, target: Samples/Proxy Services/HelloWorld_PS, operation: sayHello]
  --- Error message:
  oracle.wsm.common.sdk.WSMException: WSM-00015 : The user name is missing.
  at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.sendRequest(WssUsernameTokenScenarioExecutor.java:219)
  at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:545)
  at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:608)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:335)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:282)
  at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
  at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:915)
  at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:436)
  at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:393)
  at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:141)
  at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:139)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
  I am using below header to invoke the service
  +<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">+
  +<wsse:Security>+
  +<wsse:UsernameToken>+
  +<wsse:Username>weblogic</wsse:Username>+
  +<wsse:Password>welcome1</wsse:Password>+
  +</wsse:UsernameToken>+
  +</wsse:Security>+
  +</soapenv:Header>+
  Please advise me regarding this.
  Thanks
  Rajesh

  Hi,
  Check the below link for your solution.
  http://tim.blackamber.org.uk/?p=825
  Thanks,
  Durga

• Creating Proxy service over a secured BPEL process

  Hi,
  I have a BPEL process project A which I have secured using oracle/wss_username_token_service_policy
  Now, I want to expose it over OSB as a proxy service.
  After registering the WSDL, I tried to create Business Service over it.
  It gave me a warning:
  [OSB Kernel:398133]WSSP 1.2 policy assertions (Web Services Security Policy 1.2) are not allowed on this service.
  What is the best approach to take.
  Thanks.

  Get the wsdl of the OSB proxy service and create webservice parnerlink in BPEL based on this wsdl to invoke the service
  To form the wsdl url, copy the Endpoint URI  configured to the proxy service(just click on the proxy service in the console) from the sbconsole  - /ATHGPUM_GlidePathService/ProxyService/ATHGPUM_GlidePathProxyService
  Pre append <<protocol://OSB Hostname:OSB Port>>  - http://localhost:8000/   and post append with ?WSDL
  The final WSDL url look like  - http://localhost:8000/ATHGPUM_GlidePathService/ProxyService/ATHGPUM_GlidePathProxyService?WSDL
  Regards
  Albin I

• SAML Validation Error  - Proxy Service - Process WS-Security Header

  I am testing a Proxy Service that inspects the WS-Security Header which contains a WS-Policy for a SAML Assertion sender-vouches. The SAML Assertion that is produced is valid according to the oassis schema, but ALSB 2.6 returns a SOAP Fault that the SAML Assertion is not valid. Is there any next steps I should take to diagnose the problem? Also, are there any good tools available for validating a SAML Assertion?
  Here is the response of the ALSB 2.6 running on WebLogic 9.2. It is a simple proxy service we use to test whether SAML is working correctly or not. The client correctly sends the sender-voucher with the username/password/certificate alias and so forth.
  <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
  <soapenv:Body>
  <soapenv:Fault
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <axis2ns1:Code xmlns:axis2ns1="http://www.w3.org/2003/05/soap-envelope">
  <axis2ns1:Value>soapenv:Sender</axis2ns1:Value>
  <axis2ns1:Subcode>
  <axis2ns1:Value>wsse:InvalidSecurityToken</axis2ns1:Value>
  </axis2ns1:Subcode>
  </axis2ns1:Code>
  <axis2ns2:Reason xmlns:axis2ns2="http://www.w3.org/2003/05/soap-envelope">
  <axis2ns2:Text xml:lang="en-US"
  >Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@563c52a[status: false][msg The SAML token is not valid.]</axis2ns2:Text>
  </axis2ns2:Reason>
  </soapenv:Fault>
  </soapenv:Body>
  </soapenv:Envelope>
  Thanks,
  Jay Blanton

  Hi, Pls send your client code to my mail [email protected]

• Service level accounts and security policy

  Hello Experts,
  We would like to roll out production environment at a customer. The documentation does not provide very good solution for the scenario when service level accounts are changing.
  Customer's security policy requires all administrative accounts to be named e.g. firstname.lastname@domain. Generic productadmin@domain which are not identifiable can not be used on production servers.
  It is understood that the BPC application server runs using the permissions granted to the user ID which was used during installation (access to the Windows AD, SQL Server &c.
  If specific domain user is also member of local administrators group, he/she can indstall the product. However, if this particular account is made redundant and the administrator's role is appointed to another employee, the latter can not access the system with administrative rights.
  Moreover, if the BPC administrator's account is disabled for whatever reasons, the system fails.
  Is there any good suggestions for this kind of scenario?
  Thanks

  Thanks Scott,
  This is what I have suggested but the problem is that the customer's policy does not allow anonymous accounts controlling their production systems, the administrative accounts can only be personal accounts like firstname.lastname@domain.
  It seems that the only solution is to use administrator's personal credentials and in case those change, they need to go through the Ops guide and change everything manually.
  Lucikly there is a bit simpler way to do this. Instead of manually changing credentials for every COM+ app as Ops Guide suggests, you can olny change three of those:
  OsoftDatabaseADMIN
  OsoftDatabaseSYSADMIN
  OsoftDatabaseUSER
  Then use Service Manager password reset function and it will update all COM+ apps in one go.

• OWSM 11g: Invoking a secured web service through a java proxy service

  Hi All,
  I am trying to call a secured bpel service which is expecting a username token password. I have created a java proxy service for the same. I now need to add the username token to the same. Can anyone please guide me in this regard.
  Thanks in advance.

  Just to add some pointers,
  I added the following code to the proxy still the soap headers is not getting propagated.
  OrderBookingAndShipment orderBookingAndShipment = orderbookingandshipment_client_ep.getOrderBookingAndShipment_pt();
  String username = "OWSM_11g";
  String password = "password";
  List credProviders = new ArrayList();
  //client side UsernameToken credential provider
  CredentialProvider cp = new ClientUNTCredentialProvider(username.getBytes(),password.getBytes());
  credProviders.add(cp);
  Map<String,Object> context = ((BindingProvider) orderBookingAndShipment).getRequestContext();
  context.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST,credProviders);