Custom WS Policy with Service account in OSB while invoking a https service

Hi,
I need your help with an issue in invoking an https service from OSB. I read through various postings and tried the below steps in this forum
-Added the certificate for the https site to soa domain
-Registered the https webservice as a Business service
-Registered a proxy service on top of this Business service
-In the service call out on Proxy service I did a replace operation on the entire soap header with the below string
<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Username>sysuser@yahoo</wsse:Username>
          <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ABIHAIKLPLKLPMLERLER</wsse:Password>
     </wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
-After doing all the above steps my call out worked from the test console. If you look closely, the userid (sysuser@yahoo) and password (ABIHAIKLPLKLPMLERLER) are hard coded here.
I need a way to mask the credentials and have the user pass them when they invoke the proxy service. I read through some postings and it was listed that we can create a custom policy and attach that custom policy to the Business service. But my problem here is the userid has an extra char @, so I wasn't able to create the user account with those credentials in OSB, but I was able to create the userid and password using a service account. I am not sure how I can use this service account along with the custom policy.
Can you please provide me a suitable approach which will solve my issue? I appreciate your time and help.
Thanks
Jagan.
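
A check for the problem described in the post above, added here as an example and not part of the original thread: it scans a SOAP header or configuration fragment for WS-Security UsernameToken elements whose password is a literal string. The sample header, the function names and the rule that text starting with `{` or `$` is a runtime expression are assumptions.

```python
import xml.etree.ElementTree as ET

WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed sample: same shape as the header in the post, with made-up values.
SAMPLE_HEADER = f"""<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE_NS}">
  <wsse:UsernameToken>
    <wsse:Username>svc-user@example</wsse:Username>
    <wsse:Password Type="{PASSWORD_TEXT}">NotARealPassword123</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>"""


def is_literal(value):
    """True when element text is a fixed string rather than an expression.

    Assumption: text starting with '{' or '$' is an XQuery/template
    expression filled in at runtime, so it is not a stored secret.
    """
    v = value.strip()
    return bool(v) and not v.startswith(("{", "$"))


def find_hardcoded_tokens(xml_text):
    """Return one finding per UsernameToken that carries a literal password.

    The password itself is never copied into the finding, only its length,
    so the report can be shared without leaking the secret again.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for token in root.iter(f"{{{WSSE_NS}}}UsernameToken"):
        password = token.find(f"{{{WSSE_NS}}}Password")
        if password is None or not is_literal(password.text or ""):
            continue
        username = token.findtext(f"{{{WSSE_NS}}}Username", default="")
        findings.append({
            "username": username.strip(),
            # The UsernameToken profile treats a missing Type as PasswordText.
            "cleartext": password.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT,
            "password_length": len(password.text.strip()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_tokens(SAMPLE_HEADER):
        kind = "cleartext" if finding["cleartext"] else "non-cleartext"
        print(f"literal {kind} password ({finding['password_length']} chars) "
              f"for user {finding['username']!r}")
```
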

Hi,
Below are the steps followed
- OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
- I am invoking this from BPEL. BPEL process has 'oracle/wss_username_token_client_policy' attached.
- I can invoke the osb proxy from bpel by passing credentials - No Issues.
Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
-I used Role=Admin as a policy condition restriction under security in Proxy service.
-Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has an Admin Role.
-I cannot invoke the same proxy service from BPEL in JDeveloper now.
All I am trying to do is to protect my proxy by authorization policy.
Thanks
Jagan.

Similar Messages

  • Error: Create customer specific areas with services

    Hi Experts,
    I am facing a problem while creating customer specific areas with services. We have a development for Appraisals and are trying to make it work via ESS.
    I have defined resource for area page, defined area, assigned area to an area group page.
    Still the Area is not displaying on Area page.
    Please let me know as to where I have gone wrong.
    Thanks!

    You need to create your workset, and check the URL in PCD of the Iview

  • OSB: Custom OWSM policy with Assertions

    I have created a custom policy. It does nothing, but just prints Test message.
    I have put the policy implementation in a .jar archive and placed that in the domain's lib directory. Then I have imported the policy to the OWSM in the EM console. All the servers were restarted.
    I have created a business service, and a proxy. In the business service policy tab, I have attached my policy as a OWSM Policy Bindings.
    When I try to test this biz service from test console, I get an error "Assertion Executor not found!"
    I'm posting a stack trace:
    <Sep 25, 2012 5:33:42 PM IST> <Error> <oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor> <BEA-000000> <Assertion Executor not found!>
    <Sep 25, 2012 5:33:42 PM IST> <Error> <oracle.wsm.resources.enforcement> <WSM-07501> <Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=CustomAssertionPOC, composite=null, modelObj=DummyPortBindingQSService, policy=null, policyVersion=null, assertionName=null.
    oracle.wsm.common.sdk.WSMException: WSM-07604 : Internal error during policy enforcement.
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:266)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:285)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.init(WSPolicyRuntimeExecutor.java:168)
         at oracle.wsm.policyengine.impl.PolicyExecutionEngine.getPolicyExecutor(PolicyExecutionEngine.java:137)
         at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:101)
         at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1001)
         at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:470)
         at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:373)
         at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:217)
         at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:215)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.security.jps.util.JpsSubject.doAs(JpsSubject.java:208)
         at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler.processRequest(WsmOutboundHandler.java:214)
         at com.bea.wli.sb.test.service.wss.WssHandler.processRequest(WssHandler.java:279)
         at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:180)
         at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:99)
         at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:261)
         at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
         at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
         at com.bea.wli.sb.test.service.ServiceMessageSender.send(ServiceMessageSender.java:140)
         at com.bea.wli.sb.test.service.ServiceProcessor.invoke(ServiceProcessor.java:454)
         at com.bea.wli.sb.test.TestServiceImpl.invoke(TestServiceImpl.java:172)
         at com.bea.wli.sb.test.client.ejb.TestServiceEJBBean.invoke(TestServiceEJBBean.java:167)
         at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.__WL_invoke(Unknown Source)
         at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
         at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.invoke(Unknown Source)
         at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
         at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:345)
         at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
         at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_1036_WLStub.invoke(Unknown Source)
         at com.bea.alsb.console.test.TestServiceClient.invoke(TestServiceClient.java:174)
         at com.bea.alsb.console.test.actions.DefaultRequestAction.invoke(DefaultRequestAction.java:117)
         at com.bea.alsb.console.test.actions.DefaultRequestAction.execute(DefaultRequestAction.java:70)
         at com.bea.alsb.console.test.actions.ServiceRequestAction.execute(ServiceRequestAction.java:143)
         at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
    Is there anything I am doing wrong?

    Have you put the generated jar on the classpath?
    In the weblogic setDomainEnv.cmd put a row like this:
    set POST_CLASSPATH=d:\Middleware\SOASuite11gR1PS4\user_projects\domains\base_domain\lib\YOURPOLICY.jar;%POST_CLASSPATH%

  • Osb 10gR3 - Active Intermediary proxy with custom WS-Policy files

    I'm setting up an Active Intermediary proxy, and the Security option on the proxy to "Process WS-Security header" is only usable when Custom Policy Bindings are assigned to the proxy. But I don't want to use the default Oracle policies.
    The "Select WS-Policy" popup within OSB only shows entries under the Predefined Policy tab. Yet I have custom WS-Policy files which have been imported into OSB.
    So what's the trick?

  • Custom WS-Policy Files in Console Service Endpoint Polices List

    Hi
    Not sure which WLS newsgroup for this so here goes.
    I want to assign custom WS-Policy files to a web service via the console (i.e. post-deployment).
    By default, the Service Endpoint Policies list only shows a small subset of default policy files within weblogic.jar and none of the Wssp1.2-* policy files. (i.e. only the proprietary WLS 9.0 WS-Policy files)
    Is this correct behaviour? I want to experiment with policies based on the current WS Security Policy Standard without hard-coding the names of files into the service.
    Is there a way to make these other supplied WSSecurityPolicy 1.2 policies appear in the list?
    Thanks
    Jim Nicolson

  • After BI install SIA and Tomcat could not start with service account.

    Hi BO Gurus,
    I want to install BO child node (Expand the parent install)
    Client IT prepared a system with MS Server 2012 with Windows 8 as OS, and assigned a Service Account for me.
    I gave service account following permissions -
    Act as a part of operating system
    log on as a batch
    log on as a service
    After this I rebooted the system and logged in with Service Account credentials. Started the installer, performed custom/expand install.
    the install was successful.
    When I opened CCM, both Tomcat and SIA are running under 'localsystem' account.
    I want them to run under service account --> I stopped SIA and changed credentials in 'Log on as' box under SIA properties.--> Click on 'apply' and 'OK'
    When I go on and start SIA I get following error -
    ' The Service did not start due to log on failure'.
    The same service account runs services on 3 other BO boxes including parent node of the above install and 2 other DS boxes and everything apart from this machine works exactly fine.
    Please help!
    Thanks,
    Maitreyee

    Maitreyee,
          BI 4.x Platform will NOT work on a desktop OS like Windows 7 / 8.x / 8.1; it requires a 64-bit server operating system. See attached screenshot.
    Regards,
    Ajay

  • OSB 10.3 and custom signing policy

    Good morning.
    I had several problems receiving signed messages from a customer. We have an active intermediary proxy, with a custom policy based on "Sign.xml" to require signing of message body.
    But our customer is signing using a third-party solution, so our proxy can't validate his message. We are trying to create a custom policy without "bea" namespaces, that is:
    <?xml version="1.0"?>
    <wsp:Policy
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="firma"
      >
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
    </wsp:Policy>
    This policy seems to be ok, but when we try to attach this as a "Custom policy" in the proxy, it is not in the list of custom policies.
    Can't Oracle process a non-proprietary policy file?
    Thanks.

    Please refer section "Creating and Using Custom WS-Policy Statements" at -
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html
    Regards,
    Anuj

  • Create a service request with the Account confirmed filled out

    Hi all, I'm working on an IC scenario where we have to create a Service Request based on: functional location and customer.
    This is the process steps:
    1) search for the functional location (FL) and confirm it
    2) confirm the account of the FL (we have a list of account related to the FL, partner function)
    3) create a service request referring to the FL and the Account confirmed in the prev-step
    My need is to find an automatic way to replicate the FL and the Account prev-confirmed directly into the Service Request, without repeating the search.
    Any suggestions?

    Hi Anubhav, thanks for your reply. Your idea is good, but unfortunately our process is a little different. We have to manage with the FL, that is the central item of the Service Request, and with one of the several partner functions of the FL.
    So, first, the Agent has to search the FL and then confirm the right Account between the FL's partner (each time we have to create a service request, the Customer could be one of the FL's partner function). Now, I'm investigating if with a Badi, I can transfer the FL confirmed with the Account Identification, directly into the Service Request.
    Interaction Center WebClient->Business Transaction->Service Ticket->BADI: Product Assignment for creation of Service Items
    Thanks.
    BR,
    Andrea.

  • How i replace default password policy with my custom password policy

    Hi All,
    can anybody help me to replace idm default password policy with my custom password policy?

    1. Go to Security --> Policies
    2. New --> String Quality Policy --> define rules --> save
    3. New --> Identity System account policy --> define rules and set the policy created in step 2 as the password policy --> save
    4. Assign the policy created in step 3 to the user
    a. when create a user, under the 'Security' tab , for the 'Account policy' select the policy created in step
    b. Programmatically, create/check out the user view, assign the step 3 policy
    <set name='user.waveset.assignedLhPolicy'>
    <s>step 3 policy</s>
    </set>
    and checkin the view

  • Customer line item report with GL account display

    Hi
    Please guide some customer reports for the following
    The client needs a Customer Line item report with Customer number and respective GL account for each line item.
    for ex: Product A/c xxxxxx
              To Sales A/c xxxxxx(recon A/c)
    Thanks in advance

    Hi
    1.FBL5N -  Customer Line item Display (Customer Line item reports with Customer number )
    2.FBL1N - Vendor Line item Display
    3.FBL3N - General Ledger Line item Display
    The sales entry will be
         DR  Customer - to view this entry FBL5N
               CR Sales - to view this entry FBL3N
    Hope this will be useful

  • Services with multiple account assignment.

    Hi all,
    How can I find out the POs which are having the multiple account assignment for the service line items from tables ?
    I am looking for services with multiple account assignments
    Regards

    Hi
    Go to SE16 , give table name -EKPO
    Now if you have purchase order nos with you then copy paste the PO numbers here , or select company code or site to restrict your entries. It will control the performance of the data execution.
    Then execute this (remove max no 200 ) . Go to Settings-- Format List -- Choose fields. Deselect all and select fields as per your requirement.If field names are coming in technical names you can change this via settings--User parameter and select -Field Label.
    You can extract this report to excel as well. Same PO number with all account assignment category.
    Please note if you have a high volume of data then extract all the POs under service orders first from the EKKO table, copy all the service PO numbers available and paste them in table EKPO; it will increase performance as well.
    Cheers
    Mukta

  • Azure AAD Mobile Service Authentication with corporate accounts fails.

    I have been having on-going issue with Authenticating against a Windows Azure mobile service with corporate accounts.
    Here is the complete environment.
    Initially we set up with Office 365 / CRM Online / and Azure for our corporate infrastructure. We have set up single sign on. Everything works well. There is ADFS set up and running to allow us to Authenticate with {username}@{companyDomainName} and everything works, including single signon.
    Along comes Azure Active directory. We have an Automatically created Azure active directory in the corporate azure account. The domain is the default created {accountname}.onmicrosoft.com domain structure. This is set as the Default directory.
    We had a consultant come in, who was organized through Microsoft, to do some work. After everything was set and done we ended up with another active directory created in Azure that is named with the corporate domain name. This second domain has had all of the corporate accounts synched to it.
    I have now created an Azure Mobile Service. The service is a basic service, I haven't updated any of the code yet, except to publish the service. I have followed all of the configuration instructions for setting up the authentication.
    If I configure the Authentication to point at the first active directory, I am able to Authenticate against the service using the credentials for a user that has been created in that domain. The Authentication works correctly, and goes through.
    However if I switch the configuration to use the second Active Directory, the one with the corporate accounts synched to it, the authentication fails. I am able to enter my corporate email address into the web page that is presented. Then the web control started to call into the ADFS in order to authenticate the corporate user name and password. At this point the authentication fails with a message about the service not being available.
    The login code is the standard:
    user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);
    The project is a Universal Application as the service needs to be available from both a phone and a desktop. The project was started from the starter project downloaded from the Mobile Service site.
    # Update
    I've just switched the mobile service configuration back to use the AAD with the corporate accounts synchronized. The login through the application fails. However if I log in through IE by browsing to : https://{ServiceName}.azure-mobile.net/login/aad
    The authentication goes through correctly. 

    A few questions on the details:
    What client platform are you using for login. In particular, is this a Windows Store application?
    What do you mean exactly by "authentication fails?" Does an error get thrown, or does the UI just hang?
    Is this being done from a domain-joined machine and/or on a machine connected to a corporate network?
    We have seen an issue where some configurations of ADFS will not play nicely with Windows Store apps since the Web Authentication Broker (WAB) is based on the IE browser, and ADFS will attempt to do SSO in the special IE way instead of presenting a form, etc. Unless the WAB is configured to handle this scenario, you will get a non-responsive UI.
    Any details you can provide would be helpful.

  • How to reconcile customer balances with control accounts

    Hi!
    Sanjay Here,
    1. how to reconcile the customer balances  pl. explain in details.
    2. how to reconcile the customer balance with control accounts
    3. how to do the automatic clearing through T code f.13. pl. give us the screen shots if available.
    4. how to reset the T-code f.32 clearing documents, if wrongly showing in customer balance.

    1. how to reconcile the customer balances pl. explain in details &
    2. how to reconcile the customer balance with control accounts
    Ans:- Thru report painter T-code FGI4 (Form) & Report FGI1 using customer summary table we can define a report, which shall give the desired requirement. It gives customer wise & control account wise balances.
    3. how to do the automatic clearing through T code f.13. pl. give us the screen shots if available
    Ans. F.13 is used for GL automatic clearing based on the required config for GL. Like GR/IR clearing is there in automatic posting we have to define COA, GL & criteria1, criteria2 ..... In case of GR/IR field name can be VBUND (Purchase order). When we configure this in F.13 and check the check box GR/IR and GL, the system shall look for the setting for automatic clearing and based on criteria it shall automatically clear.
    4. how to reset the T-code f.32 clearing documents, if wrongly showing in customer balance
    Ans. To reset a clearing document the Tcode is FBRA. Reset the clearing doc first and reverse the doc with Tcode FB08.
    Thanks
    Colin Thomas

  • Service PO with service text - Account determination

    Hi experts,
    When we create a Service PO without Service Master, Material Master (only with service text), how will the account determination happen?
    Is there any other way to get the account determination?
    Regards
    Mohan

    Account determination can also happen through material group if not through account assignment.

  • Automatic service setup with network accounts

    Hi all,
    I'm having terrible trouble getting automatic service (e.g. iCal, iChat, etc.) setup to work with network accounts, either with network home directories or local home directories, and I can't work out what I'm doing wrong.
    When I log in as a local user and join the Network Account Server, all services get set up as expected, without problems. When I log in with a network account however, whether the account has a server-hosted home directory or a local home directory, services aren't automatically set up, I don't get the auto configuration wizard/dialogue, and attempting to join the network account server again fails. Surely there's a way for network accounts to have services automatically set up on initial login? Any ideas?
