Doubt in implementing OWSM policy in osb 11g

Similar Messages

• Probem attaching OWSM Policy to OSB Proxy Service

  Hi all,
  I am working with OSB 11g R1 and I am trying secure one proxy service by attaching one OWSM predefined policy. However, the "OWSM Policy Binding" is disabled in the Policy section of the proxy service.
  I found this thread in the forum [1] wich seems to have the same problem and I have checked that all the extensions are installed in my domain.
  Sure I missing something but I haven't found anything in the docs.
  Any tip or hint is appreciated
  Thanks in advance
  My enviroment:
  - Weblogic Server (10.3.4.0)
  - Oracle Service Bus (11.1.1.4)
  - Oracle Service Bus OWSM Extension (11.1.1.0)
  [1] OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1
  Edited by: user10102092 on 27-jul-2011 2:42

  I presume you already did a fresh restart of the managed servers?Yeap, I've restarted the OSB server.
  Looking at the logs I can find this message:
  +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
  So I understand that the pool is created correctly, isn't it?

• OWSM Policy in OSB

  I am trying to build a sample OSB service having the OWSM policy attached to it.I am using the option of "From OWSM Policy Store " and used the policy oracle/wss_username_token_service_policy.
  When i tried to exceute the OSB,i am getting an error as
  "oracle.wsm.policymanager.PolicyManagerException: WSM-02128 : Cannot read WSDL. [Possible Cause : unknown protocol: servicebus]"
  Looking like,some issue with the parsing of the WSDL that i used upon the service.Do i need to refer the wsdl from MDS.If,yes how can i do that in OSB.

  You may refer below blog for configuration -
  http://niallcblogs.blogspot.com/2010/07/osb-11g-and-wsm.html
  Regards,
  Anuj

• Attaching OWSM Policy to OSB Services

  Hi,
  Can anyone please share the detailed procedure of how to attach the OWSM policy to a Proxy Service in OSB 11g.
  The documentaion of OSB 11g doesnt provide the information of attaching the OWSM polic to OSB services.
  please refer
  http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15866/owsm.htm#CHDBIJHD
  I created a Custom Policy with the predefined assertion wss_username_token_service_template .
  But i couldnt find a way to attach this policy to OSB Service. Also the OSB 11g Documentation didnt help much.
  Thanks in Advance

  Hi All,
  I figured out a way of how to attach the OWSM policy to a prox service.
  Its pretty simple in that way.
  After you create a proxy service, Click on the proxy you created which opens the "View a Proxy Service" page.
  In that there are many tabs such as
  1. Configuration Details
  2. Operational Settings
  3. SLA Alert Rules
  4. Policies
  5. Security
  In Policies tab, you can select "OWSM Policy Bindings" and then choose the policy you want.
  The only thing bothering me now is how to test it?
  I have used the following assertion to create the policy "wss_username_token_service_template "
  Any help would be appreciated.
  Cheers.

• Issue while attaching OWSM policy to OSB Business Service

  How to configure OWSM policy to NON WSDL based Business service.
  We are not able to encrypt the data for NON WSDL based Business service.
  Please help.
  Thanks,
  Mihir

  I presume you already did a fresh restart of the managed servers?Yeap, I've restarted the OSB server.
  Looking at the logs I can find this message:
  +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
  So I understand that the pool is created correctly, isn't it?

• OWSM problem in OSB 11g

  I'm running Oracle Service Bug 11gR1 PS3 (11.1.1.4). At installation I choose the domain extension options to enable for OWSM and also included EM to act as an OWSM, but in Proxy service i am not able to see policy tab.
  Please suggest me that any configuration i have to do.
  Thanks in advance

  OWSM for OSB is supported only for SOAP based services.

• OWSM policy configurations export mechanism

  Hi,
  We have a requirement of applying owsm policies on OSB 11g proxy and business services.
  What is the best way to apply policies is it at
  1. Design time (in eclipse)
  2.Run time from from SB console
  When we shift the entire OSB projects from development environment to production how does migration takes place is it a project level configuration or server level configuration.
  Do we have two configuration files.
  1. one is OWSM policy configuration file and
  2. OWSM policy and OSB project configuration file.
  If above is the scenario we cna directly edit the config files instaed of changing the OSB project artefacts.
  Any suggetsions on OSB and OWSM policy configurations and environment chnge setup process will be of great help.
  Thanks,
  Sowmya

  Ok got it! Just followed the oracle documentation and copied it in below path and Jdev 11.1.1.4 picked it up!
  C:\Users\Amit\AppData\Roaming\JDeveloper\system11.1.1.4.37.59.23\DefaultDomain\oracle\store\gmds\owsm\policies (not copying it within oracle folder within policies as its a custom policy)
  Strange, I have Jdev 11.1.1.3 in office and it doesnt pick up the policy but Jdev 11.1.1.4 (at home) picks it up without a problem.
  is this a bug in Jdev 11.1.1.3 or my jdev in offic is corrupt?

• OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1

  Hi,
  I am using 11pPS2.
  In osb, i created a proxy service with soap 1.1. and business proxy with soap 1.1
  Now I click Policies tab of each service,
  In Service Policy Configuration,
  OWSM Policy Bindings is disabled to choose.
  So I can't attach any OWSM policy to osb service.
  Only Custom Policy bidings are enabled.
  appreciate any help and comments on this issue

  Need check if you Extend your Oracle Service Bus domain with Oracle Web Services Manager and Oracle Enterprise Manager.
  Select the following domain templates when running the Oracle Fusion Middleware Configuration Wizard
  Oracle Service Bus OWSM Extension
  Oracle WSM Policy Manager (automatically selected when you select the OWSM Extension)
  Oracle Enterprise Manager (optional, needed for creating and managing Oracle Web Services Manager policies)

• Custom OWSM Authorization Policy Not Visible in OSB 11g

  I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB servcies:
  * the underlying SOA service functions in the /em console test page
  * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
  * the oracle/log_policy can be added to the OSB business service and generates log entries
  * the outer proxy service can be successfully invoked from a remote client with no security policies,
  with HTTP transport security and authorization policies and with OWSM authentication policies
  attached (given the correct request payloads)
  These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
  Here are the steps that were performed:
  1) created group myfirmIdentityData in WebLogic console (/console)
  2) created userid myappuser in WebLogic console
  3) added myappuser to the myfirmIdentityData group in WebLogic console
  4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
  using the Fusion console (/em on the SOA domain)
  5) edied myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
  list of permitted roles (***)
  *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
  6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
  the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
  NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
  7) accessed the Service Bus console (/sbconsole), started a change session, selected the
  proxy service, then clicked on the Policies tab, then clicked the Add button in the
  Service Level Policies section
  At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
  I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
  Any insight?
  Thanks.

  Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
  In a nutshell, policies in OWSM can be created to be applied against:
  * Components --- only usable against SOA services
  * Service Endpoints --- against URLs used as access points into services
  * Service Clients -- against consumers of services as identified by credentials
  * All -- all of the above
  However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData policy then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composities since it applied to only Components.
  To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
  A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.

• Osb proxy service with owsm policy auth slow when soap request very large

  I have a proxy service which is security with owsm policy: oracle/wss_username_token_service_policy, the proxy service simply route to Business Service which directly invoke a bpel exposed web service, when I call the proxy service with soap envelope large than 15MB(not attachment), waiting about 4~5 minutes, the bpel instance created ; but when I remove the security policy:oracle/wss_username_token_service_policy, it will cost only 20 seconds, why authentication cost so long? How can I deal with the problem?
  My English is poor, please don't mind!
  besides, with my OSB version is 11.1.1.6.0

  I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with embedded signature and this seems to be not supported with the used OWSM policy. Without the signature is the exception gone.
  Marian

• OWSM 11gR1 PS2 agent to secure OSB 11g business service

  Hi,
  Can anyone share any resources/information on how to secure an OSB 11g business service by using OWSM 11g agent? Its a new feature released with OWSM 11gR1 PS2 (11.1.1.3.0) release. Also, can we do the same for OSB 10g?
  Thanks,
  Bijoy

  Hi Bijoy,
  Documentation is here (for PS2 with OSB 11g)-
  http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15866/owsm.htm#CHDEEGJI
  can we do the same for OSB 10g?No, it is not supported.
  Regards,
  Anuj

• OSB 11G - Routing with policy and forwarding authentication headers

  Hi there,
  I'm having problems trying to add authentication to some services developed with OSB 11G.
  One of the requirements is that the services authenticate using the "oracle/wss_username_token_service_policy" policy... So far so good...
  My problem now is that one of the services I'm trying to route messages to needs the same authentication as the OSB router... I've tried everything I found but without any success... The headers aren't being propagated...
  I've found out that the header variable has the Authentication segments so I can remove the routing, add a service callout and add the header variable to it.. But this is kind of a hammered solution...
  Is there any other solution that I'm missing?
  Thanks in advance,
  Best Regards,
  Daniel Alves
  Edited by: 863416 on Sep 18, 2012 9:49 AM

  Hi,
  transporting header setting is described here
  Yuan's SOA Blog: Retrieve and pass around http Authorization header with OSB
  but something is missing, I have to set proxy service Authentication  to Basic. But then OSB authenticate inbound request at local scope and I want to authenticate at called web service level. How to do that?

• OSB: Custom OWSM policy with Assertions

  I have created a custom policy. It does nothing, but just prints Test message.
  I have put the policy implementation in a .jar archive and placed that in the domain's lib directory. Then I have imported the policy to the OWSM in the EM console. All the servers were restarted.
  I have created a business service, and a proxy. In the business service policy tab, I have attached my policy as a OWSM Policy Bindings.
  When I try to test this biz service from test console, I get an error "Assertion Executor not found!"
  I'm posting a stack trace:
  <Sep 25, 2012 5:33:42 PM IST> <Error> <oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor> <BEA-000000> <Assertion Executor not found!>
  <Sep 25, 2012 5:33:42 PM IST> <Error> <oracle.wsm.resources.enforcement> <WSM-07501> <Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=CustomAssertionPOC, composite=null, modelObj=DummyPortBindingQSService, policy=null, policyVersion=null, assertionName=null.
  oracle.wsm.common.sdk.WSMException: WSM-07604 : Internal error during policy enforcement.
       at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:266)
       at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:285)
       at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.init(WSPolicyRuntimeExecutor.java:168)
       at oracle.wsm.policyengine.impl.PolicyExecutionEngine.getPolicyExecutor(PolicyExecutionEngine.java:137)
       at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:101)
       at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1001)
       at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:470)
       at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:373)
       at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:217)
       at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler$1.run(WsmOutboundHandler.java:215)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAs(JpsSubject.java:208)
       at com.bea.wli.sb.security.wss.wsm.WsmOutboundHandler.processRequest(WsmOutboundHandler.java:214)
       at com.bea.wli.sb.test.service.wss.WssHandler.processRequest(WssHandler.java:279)
       at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:180)
       at com.bea.wli.sb.test.service.ServiceMessageBuilder.buildMessage(ServiceMessageBuilder.java:99)
       at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:261)
       at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
       at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
       at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
       at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
       at com.bea.wli.sb.test.service.ServiceMessageSender.send(ServiceMessageSender.java:140)
       at com.bea.wli.sb.test.service.ServiceProcessor.invoke(ServiceProcessor.java:454)
       at com.bea.wli.sb.test.TestServiceImpl.invoke(TestServiceImpl.java:172)
       at com.bea.wli.sb.test.client.ejb.TestServiceEJBBean.invoke(TestServiceEJBBean.java:167)
       at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.__WL_invoke(Unknown Source)
       at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
       at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl.invoke(Unknown Source)
       at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_WLSkel.invoke(Unknown Source)
       at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
       at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:345)
       at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
       at com.bea.wli.sb.test.client.ejb.TestService_sqr59p_EOImpl_1036_WLStub.invoke(Unknown Source)
       at com.bea.alsb.console.test.TestServiceClient.invoke(TestServiceClient.java:174)
       at com.bea.alsb.console.test.actions.DefaultRequestAction.invoke(DefaultRequestAction.java:117)
       at com.bea.alsb.console.test.actions.DefaultRequestAction.execute(DefaultRequestAction.java:70)
       at com.bea.alsb.console.test.actions.ServiceRequestAction.execute(ServiceRequestAction.java:143)
       at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
       at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
       at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
  Is there anything I am doing wrong.

  Have you put the generated jar on the classpath?
  In the weblogic setDomainEnv.cmd put a row like this:
  set POST_CLASSPATH=d:\Middleware\SOASuite11gR1PS4\user_projects\domains\base_domain\lib\YOURPOLICY.jar;%POST_CLASSPATH%

• OWSM POlicy -11g

  Hi All,
  We are working on attaching OWSM policies of SOA suite 11g to secure the composites.
  Attached 'oracle/wss10_saml_token_service_policy' to the composite keeping configurations as default in saml login module.
  When we are trying to test this composite with the below payload
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="Id-00000127b711fabc-0000000001bda657-2" IssueInstant="2010-04-01T01:52:41Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1"> <saml:Conditions NotBefore="2010-04-01T01:52:41Z" NotOnOrAfter="2010-04-06T01:52:41Z"/> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2010-04-01T01:52:41Z"> <saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">orcladmin</saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod> </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> <saml:AttributeStatement> <saml:Attribute Name="username" NameFormat="www.oracle.com"> <saml:AttributeValue>weblogic</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="password" NameFormat="www.oracle.com"> <saml:AttributeValue>Password1</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </wsse:Security> </soap:Header> <soap:Body> <cli:process xmlns:cli="http://xmlns.oracle.com/UserProvisioning_jws/Project1/BPELProcess1"> <!--Element must appear exactly once --><cli:input>abc</cli:input> </cli:process> </soap:Body> </soap:Envelope>
  it is throwing an error
  OWSM Policy Fault : FailedAuthentication : The security token cannot be authenticated.
  Do we need to make any changes in the input payload or configuration files.
  Any pointers on the same will be more helpfull.
  Thanks,
  Sowmya

  Ok got it! Just followed the oracle documentation and copied it in below path and Jdev 11.1.1.4 picked it up!
  C:\Users\Amit\AppData\Roaming\JDeveloper\system11.1.1.4.37.59.23\DefaultDomain\oracle\store\gmds\owsm\policies (not copying it within oracle folder within policies as its a custom policy)
  Strange, I have Jdev 11.1.1.3 in office and it doesnt pick up the policy but Jdev 11.1.1.4 (at home) picks it up without a problem.
  is this a bug in Jdev 11.1.1.3 or my jdev in offic is corrupt?

• OSB 11g Domain Configuration.

  Hello,
  I am having trouble understanding the results of the OSB 11g domain configuration. In creating the domain i have selected the following options:
  Oracle Service Bus OWSM Extension
  Oracle Service Bus Extension - All domain topologies
  Weblogic Advanced Web Services for JAX-RPC Extension
  Oracle WSM Policy Manager
  Oracle JRF
  I have selected the 'all domain topologies' as i wish to end up with an 'AdminServer' (using port 7001) and 'osb_server1' (using port 8011). Everything installs without a problem, its that i just don't understand the outcome. The OSB transport providers and adpaters (FTP, File, Db, AQ, etc) are targeted at both the admin server and the osb managed server. I also notice that the osb console is targeted only at the admin server. The confusion comes from the fact that when i use the OSB console application to create a project which i then test (successfully) it appears to all be deployed and running on the admin server? This is based on the fact that the URL used to invoke the OSB proxy service has to specify the port of the admin server. I would have thought that the url to access the proxy service would have been directed at the managed server?
  Can someone confirm / explain to me what is going on or why it works this way, please?

  The OSB transport providers and adpaters (FTP, File, Db, AQ, etc) are targeted at both the admin server and the osb managed server.Your observation is correct.
  I also notice that the osb console is targeted only at the admin server.Yes. This is by design.
  The confusion comes from the fact that when i use the OSB console application to create a project which i then test (successfully) it appears to all be deployed and running on the admin server?No. This cannot happen. When you activate the configuration, OSB deploys configuration to the managed server.
  This is based on the fact that the URL used to invoke the OSB proxy service has to specify the port of the admin server. I would have thought that the url to access the proxy service would have been directed at the managed server?Are you test console?
  Manoj
  Edited by: Manoj Neelapu on May 24, 2010 9:28 AM