Enabling ws-security UserNameToken using OWSM

Hi,
I am using BPEL PM with OWSM; I need to enable WS-security for the incoming messages to a service running on BPEL server.
I completed the initial steps such as creating a gateway and registering the service in that gateway after that I could see a WSDL generated by the OWSM.
After this I dont know how to enable WS-security (UserNameToken only), iam not finding anything in the documents,Could any one through some light on this??
Best Regards,
Chandra

I'm a bit confused by these questions.
There's nothing you need to do to ENABLE this.
OWSM can convert credentials (http headers, etc.) to WS-security if you want (proper sequence of "Extract Credentials" and "Insert Credentials" in the pipeline should do this)
OWSM cannot insert any identity "out of the blue", the information should be somewhere in the request coming into the gateway...
Marc

Similar Messages

Using OWSM to secure Services based on http binding

Hi,
We are using OWSM Gateway in DMZ as a proxy server to communicate with systems beyond the firewall. We have two specific requirements:
1) The BPEL/ESB services should invoke http POST/GET services on the third party systems which are located beyond the firewall.
2) Third party services uses http POST/GET to access the BPEL/ESB services.
My queries are:
Are these possible with OWSM?
For reqmnt 1, when we tried with OWSM we are getting the following error
"No policies found for service "SID0003001/servletclasstest?Locality=Chennai.Make sure the service is registered correctly and gateway policies are up to date"
Can any one help us out with solution. We are running on tight timelines any help is highly appreciated

Have you resolved your issue. I am in the same situation. Can you please let me know how you have resolved your issue.

Problem using OWSM wss_username_token_client_policy

Hi,
We are trying to call an webservice B from a composite service A and the webservice expects the standard userName/password token to be part of the soap header. I have done the following stepts to achive this.
Composite A is a SOA Serrice and B is an external service.
1) Created a credential store Key.
2) Attached the policy wsse_username_token_client_policy to reference to service B(In service A) in em.
3) Attached the csf key required for the policy.
I am assuming these are the only steps required. But we are not able to go forward with this as we are getting the following error while invoking the webservice B from composite service A.
Thanks,
Ajay
SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http:
//docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security.
at oracle.j2ee.ws.client.jaxws.DispatchImpl.throwJAXWSSoapFaultException(DispatchImpl.java:955)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:750)
at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.synchronousInvocationWithRetry(OracleDispatchImpl.java:234)
at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.invoke(OracleDispatchImpl.java:105)
at oracle.integration.platform.blocks.soap.AbstractWebServiceBindingComponent.dispatchRequest(AbstractWebServiceBindingComponent.java:464)
at oracle.integration.platform.blocks.soap.WebServiceExternalBindingComponent.processOutboundMessage(WebServiceExternalBindingComponent.java:194)
at oracle.integration.platform.blocks.soap.WebServiceExternalBindingComponent.sendSOAPMessage(WebServiceExternalBindingComponent.java:696)
at oracle.integration.platform.blocks.soap.WebServiceExternalBindingComponent.request(WebServiceExternalBindingComponent.java:562)
at oracle.integration.platform.blocks.mesh.SynchronousMessageHandler.doRequest(SynchronousMessageHandler.java:139)
at oracle.integration.platform.blocks.mesh.MessageRouter.request(MessageRouter.java:179)
at oracle.integration.platform.blocks.mesh.MeshImpl.request(MeshImpl.java:155)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.integration.platform.metrics.PhaseEventAspect.invoke(PhaseEventAspect.java:71)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy276.request(Unknown Source)
at oracle.fabric.CubeServiceEngine.requestToMesh(CubeServiceEngine.java:793)
at com.collaxa.cube.ws.WSInvocationManager.invoke(WSInvocationManager.java:262)
at com.collaxa.cube.engine.ext.common.InvokeHandler.__invoke(InvokeHandler.java:1073)
at com.collaxa.cube.engine.ext.common.InvokeHandler.handleNormalInvoke(InvokeHandler.java:526)
at com.collaxa.cube.engine.ext.common.InvokeHandler.handle(InvokeHandler.java:127)
at com.collaxa.cube.engine.ext.bpel.common.wmp.BPELInvokeWMP.__executeStatements(BPELInvokeWMP.java:69)
at com.collaxa.cube.engine.ext.bpel.common.wmp.BaseBPELActivityWMP.perform(BaseBPELActivityWMP.java:162)
at com.collaxa.cube.engine.CubeEngine.performActivity(CubeEngine.java:2465)
at com.collaxa.cube.engine.CubeEngine.handleWorkItem(CubeEngine.java:1132)
at com.collaxa.cube.engine.dispatch.message.instance.PerformMessageHandler.handleLocal(PerformMessageHandler.java:73)
at com.collaxa.cube.engine.dispatch.DispatchHelper.handleLocalMessage(DispatchHelper.java:219)
at com.collaxa.cube.engine.dispatch.DispatchHelper.sendMemory(DispatchHelper.java:327)
at com.collaxa.cube.engine.CubeEngine.endRequest(CubeEngine.java:4350)
at com.collaxa.cube.engine.CubeEngine.endRequest(CubeEngine.java:4281)
at com.collaxa.cube.engine.CubeEngine._createAndInvoke(CubeEngine.java:713)
at com.collaxa.cube.engine.CubeEngine.createAndInvoke(CubeEngine.java:545)
at com.collaxa.cube.engine.ejb.impl.CubeEngineBean.createAndInvoke(CubeEngineBean.java:108)
at com.collaxa.cube.engine.ejb.impl.CubeEngineBean.syncCreateAndInvoke(CubeEngineBean.java:150)
at com.collaxa.cube.engine.ejb.impl.bpel.BPELEngineBean.syncCreateAndInvoke(BPELEngineBean.java:111)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
Edited by: ajaykumar on Mar 11, 2011 2:45 PM
Edited by: ajaykumar on Mar 11, 2011 4:07 PM
Edited by: ajaykumar on Mar 14, 2011 1:16 PM

Attached the policy wsse_username_token_client_policy to service B from em.This made me to think that the webservice B is also co hosted on the soa domain and you were configuring the ws security for this service.
In the blog he talks about http authentication, but I am trying to use userName/Password being send in the soap header.Yes. That blog shows how to apply a policy to a composite reference . In that e.g. it was http_basic_auth, you can use the same method, but chose ws-ut_client policy instead of http basic auth
In your case it looks more like an issue at the remote service ..Check with them whether they have enabled the security.

Calling A Secured webservice using Username and password in the Soap header

I want to call a secured webservice.
The Username and password should be sent with the payload in the SOAP Header
as
<wsse:Security S:mustunderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="SecurityToken-XXXXXXXXXXXXXXXXXXXXXXXXX" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>uname</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
Can you please send me the steps?
I tried with giving the username and password under Service Account.
I tried to create a wspolicy under business service. But nothing works...
Please help me at the earliest.
Also please give me steps in sequence.

Now i made sure that the endpoint is available!
Now am getting this error:
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>BEA-380002: localhost1</faultstring>
<detail>
<con:fault xmlns:con="http://www.bea.com/wli/sb/context">
<con:errorCode>BEA-380002</con:errorCode>
<con:reason>localhost1</con:reason>
<con:location>
<con:node>RouteNode1</con:node>
<con:path>request-pipeline</con:path>
</con:location>
</con:fault>
</detail>
</soapenv:Fault>
Also in the invocation trace i can observe the following things:
Under Invocation Trace:-
========================
     Receiving request =====> Initial Message context
     ===============================================
     under added header:-
     ==================
     <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
     </soap:Header>
     under RouteNode1
================
     Route to "TargetMyService_BS"
$header (request):-
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
</soap:Header>
Under Message Context changes:-
*===============================*
I can find this element also:-
con:security>
*<con:doOutboundWss>false</con:doOutboundWss>*
*</con:security>*
eventhough we enabled ws security, how the above tag can be false?
I think its getting failed to populate the header with the required login credentials.
The other doubt i have is:-
=================
I have chosen the service account type is static...is this right?

'Disable or enable software Secure Attention Sequence' GPO setting | Security Risk

Hello,
In implementing SCCM we discovered that the 'ctrl+alt+del' button for the SCCM Remote Control client, will not work, unless we enable the 'enable software Secure Attention Sequence' GPO setting with 'Services and Ease of Access Applications' set.
Our info sec team is looking for some reassurance that this introducing a lot of risk to our orgnization. Does anyone have any guidance they can provide for this?
Thanks

Hi jh，
As you mentioned In Configuration Manager 2012 does bring the 'ctrl+alt+del' back which required enable the 'enable software Secure Attention Sequence' GPO setting.
by default, only Ease of Access applications running on the secure desktop can simulate the SAS. If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS.
When services or other application simulate the SAS, since services or application which could launches at logon it takes risks.
We suggest you refer to system center configuration manager forum because you might get more useful suggestion there
https://social.technet.microsoft.com/Forums/en-US/home?category=systemcenter2012configurationmanager
Regards
D. Wu

Settings for enabling message security tab in message display tool

Hi Experts,
We have a scenario where we are sending data by applying web service security using SOAP receiver communication channel .
I want to check message security log along with audit log in message display tool in RWB.
Can anybody know what are the required settings to enable message security tab in message display toolin RWB?
Regards,
Sari

Hello
Check the link, [Security Configuration at Message Level |http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/content.htm], which describes the steps required.
Regards
Mark

Enable the security configuration for this panel

Why do my panels built with Configurator sometimes display
this in Ps Cs4?
"Please close all panels or restart Photoshop to enable the
security configuration for this panel"
Closing panels or restarting Photoshop does not enable the
panels but exporting from Configurator does enable them. Why do I
have to keep exporting?

I believe I have stumbled on the answer to this problem, so I
would like to pass it along to any other users who have a similar
problem.
My experience is that this is an intermittent problem, so I
asked myself what do I do from time to time that could be causing
this difficulty. The answer is I use a program called CC cleaner to
clean out temporary files (that in theory I don't need). I found
that after running CC cleaner, I have to re-export the
configuration file (as I get the error message described in an
earlier posting) so that the configurator panel subsequently opens
properly when I open up C S 4.
I immediately ran CC cleaner again and found that it wanted
to delete only one group of files that were located in the
following folder:
C:\Documents and settings\user's name\application
data\Macromedia\flash player\*.*
Accordingly, I instructed " CC cleaner", to exclude this
folder and everything in it (from deletion):
Now if I run CC cleaner to get rid of all my temporary
Internet files and other temporary files, but it leaves the above
folder untouched, and so far the configurator panel opens up
properly in Photoshop.
I don't use Windows "disk cleaner" so I'm not sure whether or
not this cleaner represents a potential problem. In any event it's
the Macromedia folder described above that causes the problem.
It's clear that Adobe configurator uses Macromedia flash to
do its thing, so hopefully I've solve this problem
long-term.

Using OWSM for SAML verification and LDAP authorization

I can verify SAML tokens by using EM security (verifying SAML tokens) but when I use OWSM I get this error at the proxy (by adding the step : SAML - Verify WSS 1.0 Token to the policy of a server agent)
Exception in thread "main" java.lang.NoSuchMethodError: oracle.security.wss.saml.SAMLAssertionIssuer.<init>(Ljavax/xml/rpc/handler/soap/SOAPMessageContext;Lorg/w3c/dom/Document;Loracle/security/wss/config/SamlTokenConfigType;Z)V
Also I need to LDAP authorize the subject of SAML after verification of SAML token. Is it just enough to put the LDAP authorize step after SAML verification?
Won't I need any EXTRACT CREDENTIAL step?
Regards
Farbod

When we were asked to combine OBIEE 10g with Active Directory, we chose external Table Authorization to get information on the groups, a user is part of.
In general, one could follow these articles to achieve AD Authentication:
[http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/|http://www.oraclebidwh.com/2008/10/obiee-ldap-authentication-using-microsoft-ad/]
[http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/|http://www.oraclebidwh.com/2008/11/obiee-ldap-authentication-using-microsoft-ad-2/]
To sum it up: Read User-information from AD. Knowing a user's login-name then, one could query an external table, which consists of user and group information. Everything is setup within initializationBlocks, which could be created in the administration tool.
Problem: As you already said, the problem is, that this external user--group table has to be filled and updated "manually". That is, someone has to input new users or at least assign them to the existing groups.
In our case, there's an admin who knows what sql is and how to work with it.
Another solution could be, to prepare a xml-file, containing user and group information and add it to your repository. The tables could then be queried, too. Although, xml files can become quite unhandy, if a lot of information is held within it, they can be edited via external tools or at least with a standard text editor.

No Protection Tools! I have enabled enhanced security. This is Acrobat XI on Windows 7 64-bit. Did same install on a Win8 server and it's fine.

I just want the protection tools to show on the Tools dropdown! So I can use them...

Hi Sara,
Thanks for putting me in the right place. I'm not much of an
online-community person!
Here's what happened after your email:
1. I went into Acrobat and clicked the down arrow as you described. I
previously had been clicking in the View menu. I saw the Protection
tools and I was so excited.
2. So then I clicked on "allow multiple panels open" whereupon the
Protection tools disappeared! They did not reappear when I unclicked the
"allow multiple panels open".
3. Remembered that I hadn't reinstalled the updates after reinstalling
Acrobat in hopes that would fix this problem, so I installed the
updates. I'm now on 11.0.07.
Sadly, still no protection tools appearing in either the View-> Toolsets
or the down-arrow in the upper-right corners of the Tools panel. Bummer.
This is so strange, since the same installation worked great on our Win8
server!
PNG Karen
On 2014-06-11 15:14, Sara.Forsberg wrote:
NO PROTECTION TOOLS! I HAVE ENABLED ENHANCED SECURITY. THIS IS ACROBAT XI ON WINDOWS 7 64-BIT. DID SAME INSTALL ON A WIN8 SERVER AND IT'S FINE.
created by Sara.Forsberg in Acrobat Installation & Update Issues - View the full discussion

How to create and configure proxies in ADF mobile using OWSM client agent?

Hi
Can anyone please tell me how to create and configure proxies in ADF mobile application using Oracle Web Services Manager (OWSM) Lite Mobile ADF Application Agent. I read it in mobile document that,
For secured web services, the user credentials are dynamically injected using ADF Mobile uses Oracle Web Services Manager (OWSM) Lite Mobile ADF Application Agent to create and configure proxies, as well as to request services through the proxies. The user credentials are injected into the OWSM enforcement context when proxies are configured.
I am new with this OWSM, can anyone please give me some hints like how to proceed further for implementing authentication using OWSM lite mobile ADF Application Agent??
Thanks in advance
Raj

Hi Juan
The demo is very useful, and in that Shay describes about the remote login using a regular ADF webapplication as a secured one and deploying it into the server. But I would like to know how to create a local login using OWSM client agent? .
Without creating a regular ADF webapplication, how can i call secured webservices(i.e., by using OWSM client agent how to create and configure proxies to call secured webservice, where the user credentials are injected into webservice request by OWSM client as mentioned in ADF mobile document)??
Regards
Raj

How to enable Advanced Security (ANO) on SQL Developer connections?

I would like to enable Advanced Security (ANO) in some of the connections in SQL Developer 1.2. Is it possible? It seems not possible to specify it in JDBC URL. I tried to use a TNS connection and put a sqlnet.ora in $TNS_ADMIN but it seems to be ignored (garbage algorithm names does not give any error).

In SQL Developer go to Tools -> Schema Diff !
in SQL* Plus you will need to write PL/SQL for this.
Amardeep Sidhu

Secure OSB10g with owsm 10g

Hi,
I have a customer who have some flows exposed as webservices via proxy services on OSB 10g, he would like to implement authentication and authorisation, what is the best architecture to do it ? he is thinking to use OWSM 10g but don't know what is the best implementation architecture ?
He is also asking this questions : OWSM 10g is it compatible with OSB 10g or not ?
Thanks for your help.

OSB 10g is compatible with OWSM ( 10.1.3.x and later & 11.1.1). Please refer to the following links for more details:
http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/security/owsm.html
http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/interopmatrix/matrix.html (Refer to Platform Interoperability section)
Hope this helps.
Thanks,
Patrick

Secure FTP using ABAP

Hello,
Can we do a secure FTP using ABAP code ??
Thanks
John

Hi John,
Sorry, I think the SAP function modules FTP_CONNECT, FTP_COMMAND und FTP_DISCONNECT are implemented according to RFC859 which is far behind secure connections. As SAP ftp goes throug SAP RFC destinations, this may be the spot where something has to be done to enable a secure connection.
Regards,
Clemens

Enabling wireless security + WDS

I want a Belkin wireless router to access the Billion 7401VGP so I can extend it's range. I enabled WPA security on my 7401 VGP and now can't enable WDS.
Any ideas on how to enable some level of security and still have WDS?
iBook 1.33GHz Mac OS X (10.4.4)

Using a table like the one on www.lookuptables.com/ can help.
If your password is "nofreElunch01" it would convert to:
n = 6E
o = 6F
f = 66
r = 72
e = 65
E = 45 (note that capitalization counts)
l = 6C ('el' not one)
u = 75
n = 6E
c = 63
h = 68
0 = 30 (zero not 'Oh')
1 = 31 (one not 'el')
putting it all together, the complete hexadecimal password is:
6E6F667265456C756E63683031

How to configure Oracle 10g Advanced Security to use SSL concurrently with

How to configure Oracle 10g Advanced Security to use SSL concurrently with database User names and passwords
In Oracle Advanced Security Documentation it is mentioned that i can use SSL concurrently with DB user names and passwords. But when i configure the client certificate on the client my DB connection is getting authenticated using the certificate, which out passing user id or password.
We want to connect to Oracle DB over SSL channel so that the data packets are not in clear text. Also we want the user to make a connection using user id and password.
Basically we want SSL with out authentication.
Need your expert advice

Read the documentation (I have given following links assuming you are running a 32 bit architecture)
Server installations:
http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14316%2Ftoc.htm&remark=portal+%28Books%29
Client installations:
http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14312%2Ftoc.htm&remark=portal+%28Books%29
You can find the required books (if not using 32 bit architecture) from
http://www.oracle.com/pls/db102/portal.portal_db?selected=3

Enabling ws-security UserNameToken using OWSM

Similar Messages

Maybe you are looking for