Customizing OWSM 11g SAML policy

Similar Messages

• OWSM 11g: SAML holder of the key based Authentication

  Hi all,
  I am trying to implement SAML holder of the key method based authentication. As per weblogic documentation, I have disabled the Disable X.509 certificate validation since I am using SAML holder_of_key assertions. I have attached the policies to the composites oracle/wss10_saml_hok_token_with_message_protection_client_policy and oracle/wss10_saml_hok_token_with_message_protection_service_policy. I am using the default values except for keystore.recipient.alias property. When I am testing the policy it says that the saml.assertion.filename named temp could not be found.
  As per the documentation this is file containing SAML holder of the key based authentication. Can anyone provide some idea as to what should be the contents of this file?
  Thanks in advance

  me too am facing same problem..did you manage to solve this?
  please suggest..

• Custom OWSM Authorization Policy Not Visible in OSB 11g

  I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB servcies:
  * the underlying SOA service functions in the /em console test page
  * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
  * the oracle/log_policy can be added to the OSB business service and generates log entries
  * the outer proxy service can be successfully invoked from a remote client with no security policies,
  with HTTP transport security and authorization policies and with OWSM authentication policies
  attached (given the correct request payloads)
  These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
  Here are the steps that were performed:
  1) created group myfirmIdentityData in WebLogic console (/console)
  2) created userid myappuser in WebLogic console
  3) added myappuser to the myfirmIdentityData group in WebLogic console
  4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
  using the Fusion console (/em on the SOA domain)
  5) edied myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
  list of permitted roles (***)
  *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
  6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
  the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
  NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
  7) accessed the Service Bus console (/sbconsole), started a change session, selected the
  proxy service, then clicked on the Policies tab, then clicked the Add button in the
  Service Level Policies section
  At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
  I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
  Any insight?
  Thanks.

  Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
  In a nutshell, policies in OWSM can be created to be applied against:
  * Components --- only usable against SOA services
  * Service Endpoints --- against URLs used as access points into services
  * Service Clients -- against consumers of services as identified by credentials
  * All -- all of the above
  However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData policy then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composities since it applied to only Components.
  To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
  A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.

• OWSM 11g: Custom policy implementation

  Hi all,
  I am unable to replicate the example as discussed in the section 14 of Security and Administrator’s Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on a osb (11g r3) proxy service. Kindly take a look at the steps mentioned below & suggest suitably where i may be going wrong:
  1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
  2. Creation of the policy-config.xml file (same as Step 2)
  3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
  4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
  5. Updation of classpath (same as Step 5)
  6. Creation of oracle/ip_assertion_policy file (same as Step 2)
  7. Importing the Custom Policy File (same as Step 6)
  8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
  For testing purpose, i used soapui and specified the bind address in the request properties. However, the policy is not working as desired.
  Additionally, i hardcoded the String ipAddr (ip address) in the IpAssertionExecutor class & redeployed the jar. But still couldn't get it working.
  I shall be obliged if someone can help me.
  Thanks in advance

  In the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.

• ClassNotFoundException with Custom OWSM Policy in Oracle Service Bus

  Hi All,
  I have a situation where I have created a custom web service manager policy. When I attach this policy to an Oracle Service Bus Proxy Service and invoke the service I get a ClassNotFoundError
  Caused By: java.lang.ClassNotFoundException: au.com.MyClass
  at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
  at java.security.AccessController.doPrivileged(Native Method)
  at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
  at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
  at oracle.wsm.policy.util.Loader.loadClass(Loader.java:369)
  at oracle.wsm.policy.util.Loader.loadClass(Loader.java:389)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:238)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:279)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.init(WSPolicyRuntimeExecutor.java:162)
  at oracle.wsm.policyengine.impl.PolicyExecutionEngine.getPolicyExecutor(PolicyExecutionEngine.java:137)
  at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:101)
  at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
  at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
  at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:366)
  at com.bea.wli.sb.security.wss.wsm.WsmInboundHandler.processRequest(WsmInboundHandler.java:150)
  at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:223)
  at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:289)
  at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:87)
  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)
  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)
  The jar file is in the user_projects/domains/mydomain/lib directory.
  Attaching the policy to BPEL services has no issue and the policy is invoked successfully.
  I am unable to determine why the OSB would behave differently in this regard, or what I need to configure differently in order to have it found by the class loaders for the OSB.
  Any help or suggestions appreciated.
  I am using 11.1.1.4.0
  The jar file has the necessary policy_config.xml file and the META-INF/mylabel/mypolicy.xml files in situ. As I said, it is working in the soa_server but not the OSB.

  Have you restarted servers after putting jar in $Domain_Home/lib directory? Also try after explicitly adding this jar in classpath by editing server startup script (startManagedWeblogic.cmd or .sh) or in domain env setting script (setDonainEnv.cmd or .sh) and restarting the servers.
  Regards,
  Anuj
  Edited by: Anuj Dwivedi on Mar 21, 2011 1:10 PM

• Require Inputs on OWSM 11g message protection policy

  Hi All,
  we are trying to achieve encryption and decryption of payload in SOA 11g using OWSM. We have configured keystores in the weblogic domain.
  I have two composites namely client and service. The client will invoke the service composite using a partner link with a payload. I have attached oracle/wss11_message_protection_client_policy to the partner link of Client composite and also attached oracle/wss11_message_protection_service_policy to the Service composite.
  When i test the composites there are no errors but i cannot see any encryption and decryption happening. I cannot see any information in the logs as well.
  If anyone has achieved message protection using OWSM 11g then please throw some light on how to go about doing it.
  Thank you in advance.
  Regards
  Narendra

  Narendra,
  Were you able to figure out solution for this.
  Thanks

• OWSM 11g: Difference between Message Protection Policies

  Hi all,
  I am using OWSM11g for securing web services. There are two separate policies provided oracle/wss10_message_protection_service_policy and oracle/wss10_x509_token_with_message_protection_client_policy. How does these policies differ in providing message protection?
  Additionally, I have the documentations provided by oracle regarding OWSM11g. In case, there are some addtional resources or tutorials for OWSM 11g which might help me please suggest me the same.
  Thanks in advance.

  Hi,
  In OWSM 10g there was concept of Server Agent and Client agents.The server agents were attached with the service providers and client agents were attached with client consumers.Similarly there are two types of policies available with 11g for service endpoints.One is attached with the service provider endpoint and one is attached with the consumer.
  For e.g- If there is a credit validation webservice which requires the payload to be signed and encrypted,then u attach oracle/wss10_message_protection_service_policy with it and if there is a SOA composite invoking this service,then u attach oracle/wss10_message_protection_client_policy with it.For each of the service side and client side policies some configurations/settings can be modified or overridden.
  Now oracle/wss10_message_protection_service_policy is message integrity and confidentiality service policy implementing WS-1.0 security standards.While oracle/wss10_x509_token_with_message_protection_client_policy is X509 token based authentication with message protection client policy implementing WS-1.0 security standards.
  Hence while implementing security always use the same dual pairs for service and client policies.Currently there are not many samples available but the 'Security and Administrator’s Guide for Web Services' guide is good documentation to start with for configuring security using OWSM 11g.
  Rgds,
  Mandrita

• OWSM 11g in EM behaving different than documentation

  Hi everyone,
  I'm trying to get OWSM 11g working so I just installed Soa suite 11gR1(11.1.1.2.0). All I need is to attach a predefined policy to an existing web service which exists incide an EJB in an EAR application. I'm following the instructions from http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/attaching.htm#CEGDGIHD , in the session "Viewing the Policies That are Attached to a Web Service". Unfortunately I'm expecting different screens than those shown in the Manual. In the documentation the figure 8.1 shows the tabs Operations / Policies / Chart / Configuration, but in my case the same screen shows only the operations Tab, making it impossible to attach the policies I need. Here's what I see at my environment: http://img203.imageshack.us/img203/751/erroowsm.png . I don't know if I missed something but it still not works as the documentation says (figure 8.1). Please, any help will be appretiated !
  Thanks,

  Rajesh wrote:
  Is it going above 1GB ?No, current memory utilization is 503MB, but it keeps increasing. Support specialist told me it is OK for agents with large number of targets to utilize up to 1GB of memory even if I told him I have only 11 targets on this host. I do not think 11 targets is "large number" and I do not want to wait until agent will use 1GB of memory.
  You can also check MOS note :
  How To Effectively Investigate & Diagnose Grid Control Agent High Memory Utilization Issues? [ID 1092466.1]I have read this note and did not find solution for my problem and that is why I contacted Oracle Support. I think this agent is leaking memory, but Support specialist suggests reinstalling this agent on other host.
  I do not think he understands problem and that is why I looking for other opinions.

• OWSM 11g: Message Protection

  Hi All,
  I have earlier woked on OWSM 10g and implemented XML encryption and decryption. Now,I am trying to implement message protection(encryption and decryption) using OWSM 11g policies. The sample scenario consists of two web services OWSM_11g and OWSM_11g_client. The message send from OWSM_11g_client should be encrypted and signed and OWSM_11g needs to verify the signature and decrypt the message.
  Here is what i have done so far.
  a.) I have attached oracle/wss10_message_protection_client_policy to OWSM_11g and oracle/wss10_message_protection_service_policy to OWSM_11g_client.
  b.) I have configured a keystore for weblogic domain exactly as explained in the following article http://www.ora600.be/node/5000
  c.) I have enabled the logging assertion for oracle/wss10_message_protection_client_policy & oracle/wss10_message_protection_service_policy.
  The message flow between the services is proceeding without any errors. There are two problems that I am facing here:
  a.) I cannot view SOAP message in the message logs to verify the encrytion and decryption.
  b.) It seems that I may be missing out some configuration parameters as specified in the documentation required to apply above policies.
  Any inputs regarding this would be greatly helpful.

  Hi there,
  I can suggest the following to you and hopefully it should work:
  a.) Instead of using the default keystore you should set up a new keystore for the weblogic domain. You may follow the guidelines as described in the following article: http://www.ora600.be/node/5000
  b.) Specify the keystore.recipient.alias (public key which maps to client_key according to the above article) at per-client basis using the Security Configuration Details and keystore.enc.csf.key (private key which again maps to client_key according to the above article).
  c.) message_protection_client_policy and message_protection_service policy are made up of assertion templates. So, Go to the web services policy page and enable the loggin assertion for each of the policies. Here, in case both the composites are on the same soa server then, you need to turn off the local optimization. Read the above post by Ronald which explains this lucidly. On this page you may change setting for the request and response messages.
  d.) You need to check the following log file to view the soap messages logged by the assertions to verify encryption and decryption domains\soa_domain\servers\AdminServer\logs\owsm\msglogging\diagonstic.log
  Here I was able to encrypt and sign the message when both the composites were in the same soa server. However when they were in different soa server some server side error was occuring. You may try the same as an addtional exercise and update me in case you succeed.
  In case you still face any problems I will be glad to help you out.
  Regards,
  Shomit

• OWSM 11g: Securing Callback

  Hi All,
  I have two asyn services A and B. I want to secure the callback from B to A. I have attached client policy (u/n authentication and message protection) to the B callback . Additionally I have attached service policy (u/n authentication and message protection) to the callback received by A.
  However the policies are not working.
  Any ideas/suggestions regarding how to secure callback using OWSM 11g will be welcomed.
  Regards

  Hi,
  Just a pointer did you configure the keystore path,signing certificate and encryption key alias name and passwords in the Fusion Middleware Control console under 'Security Provider Configuration' and the decryption key password as 'keystore.enc.csf.key' under 'Credentials' in Fusion Middleware Control for both the instances?
  Rgds.

• Custom Step for SAML Tokens

  Hi All,
  I am working on creating a custom step for SAML assertion in OWSM 10g.
  I did the following things
  1) Extented AbstractStep class, and Implemented its methods (init,destroy,execute...)
  2) Compiled and created java archieve; placed in the custom folder of owsm
  3) Created the step template xml with accordance to the class and imported it.
  In the java class i used com.cfluent.policysteps.security.saml.InsertSAMLSVStep.
  Can any one assist me in finding some documentation on the class?

  I shud have posted this question in SOA Suite forum, but still, any feed back is welcomed. :)

• OWSM 11g: Kerberos policies

  Hi All,
  I am trying to implement authentication using oracle/wss11_kerberos_token_client_policy and oracle/wss11_kerberos_token_service_policy policies. I have download and installed the kerberos software for windows 2.6.5. Currently i have set the default values for the kerberos login module. As per the documentation i need to initialize and start the kdc. But commands in the documentation are for a unix environment whereas i am trying to run the software on a windows xp machine.
  I dont know how to proceed further.
  Any help in this regard is appreciated.

  Hi,
  In OWSM 10g there was concept of Server Agent and Client agents.The server agents were attached with the service providers and client agents were attached with client consumers.Similarly there are two types of policies available with 11g for service endpoints.One is attached with the service provider endpoint and one is attached with the consumer.
  For e.g- If there is a credit validation webservice which requires the payload to be signed and encrypted,then u attach oracle/wss10_message_protection_service_policy with it and if there is a SOA composite invoking this service,then u attach oracle/wss10_message_protection_client_policy with it.For each of the service side and client side policies some configurations/settings can be modified or overridden.
  Now oracle/wss10_message_protection_service_policy is message integrity and confidentiality service policy implementing WS-1.0 security standards.While oracle/wss10_x509_token_with_message_protection_client_policy is X509 token based authentication with message protection client policy implementing WS-1.0 security standards.
  Hence while implementing security always use the same dual pairs for service and client policies.Currently there are not many samples available but the 'Security and Administrator’s Guide for Web Services' guide is good documentation to start with for configuring security using OWSM 11g.
  Rgds,
  Mandrita

• OIM 11g - Authorization Policy

  Hi,
  I am facing issue in OIM 11g Authorization policy configuration. I am using OIM 11.1.1.5 Version.
  I have Created a OU --> Sample Helpdesk OU. Under this OU, i have created a user --> Sample Helpdesk user.
  I have created a role --> Sample Helpdesk Role and assigned this role to the user --> Sample Helpdesk user.
  I have created a Auth Policy --> "HelpDesk Create User - HelpDesk OU" which has to allow the user --> Sample Helpdesk user, to create a new users under the organization "Sample Helpdesk OU".
  During creation of User in OIM, i am not able to search the Organization in the lookup field. I am getting Zero records for the search. I used all type of filters to search the OU in the OIM User Form.
  Thanks,
  Sandy.
  Edited by: Sandy on Dec 6, 2011 9:24 PM
  Edited by: Sandy on Dec 6, 2011 9:25 PM

  Hi,
  Make Helpdesk Role created above as administrative role of OU.
  Regards,
  Raghav.

• OWSM 11g:Securing Asynchronous callback

  Hi all,
  I am posting again regarding this hoping that someone may be able help me up this time.
  I am working on soa suite 11g. I have two asynchronous bpel services A and b. I want to ensure message protection for the callback received by A from B using OWSM 11g. I have attached the polices to the respective callback. But the policies are getting by passed and the plain message is transfered from A to B. Additionally I have turned off the local optimization of the policies. however it has also not helped.
  Can anyone point out what additional configuration needs to be done.
  Thanks in advance.
  Edited by: Shomit Sahdev on २५ मई, २०१० १:५८ पूर्वाह्न

  Hi,
  Just a pointer did you configure the keystore path,signing certificate and encryption key alias name and passwords in the Fusion Middleware Control console under 'Security Provider Configuration' and the decryption key password as 'keystore.enc.csf.key' under 'Credentials' in Fusion Middleware Control for both the instances?
  Rgds.

• OWSM 11g file based authentication

  Hi,
  I have to secure a service using the username and password present in file. I'll have to use a file based authentication mechanism. As OWSM 11g doesnt have the gateway, can i achieve this functionality with OWSM 11g agent ?
  Thanks

  Can you please tell me how to create the file .htpassword. When i'm using a text editor to create this file it does not allow and message is specify file name. Is there a special utility to create such a file.