Encrypted payload

Similar Messages

• How to encrypt Payload in Composite BPEL 11g

  I'm trying to encrypt payload information like the ssn number or the cc number.
  I did create simple sync process assigned the input -- to -- output variable.
  Then created Properties for Input String
  Then create Properties Aliases for Input String
  The Added the encryptProperties property on the Composite.xml.
  But that doesnt seems be working.
  I did follow this blog to encrypt the payload this link was for 10g , I tried replicating for 11g.
  http://soa-bpel-esb.blogspot.com/2010/06/how-to-encrypt-payloads-in-bpel.html
  Does anyone have any suggestions which would help gets going..
  Regards
  Sabir

  Hi Arun,
  In the sample code for encryption the namespace and xpath are hardcoded. Do you know how we can pass xpath dynamically from the soa process so that every process can use the same java code(so that no need to modify xpath in the java code for each and every process)?

• How to encrypt payload in BPEL 11g,Specific Fileds.

  How to encrypt payload in BPEL 11g,Specific Fileds.

  By adding a wsm policy to the service and encrypt parts of the payload?
  http://download.oracle.com/docs/cd/E12839_01/integration.1111/e10224/sca_policy.htm#CHDHAJIH

• 11g - Encrypt Payload shown in Audit Trail

  How to encrypt payload that's shown in Audit Trail of Composite in 11g ? I want to encrypt information like SSN, that's coming as input to my composite service, so that its protected from support teams monitoring the logs and audit trail through EM console.
  Is it possible to do this for whole composite or atleast within BPEL ?

  Eric,
  Is it possible to make the payload invisible or encrypted inside an 11g BPEL process? The policies will allow to encrypt the payload while sending to external services.
  What if I have a simple BPEL process that uses simple Assign activity and I want to encrypt the payload so that Admin might not be able to comprehend it in the Audit Trail.
  Audit level if set to Production can be changed by the Admin and hence is not a foolproof mechanism.
  Regards,
  Neeraj Sehgal

• AS2 logging payload = encrypted payload in b2b.log, how to see decrypted ?

  I'm trying to diagnose an issue with a Trading Partner which may be sending unexpected characters.
  The b2b.log (DEBUG) has this :
  2009.11.16 at 14:29:52:536: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument Enter
  2009.11.16 at 14:29:53:235: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument non-XML Payload
  2009.11.16 at 14:29:53:235: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument iDoc ECS = null
  2009.11.16 at 14:29:53:236: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument continuing
  2009.11.16 at 14:29:53:236: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument non-XML Payload
  2009.11.16 at 14:29:53:236: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument iDoc ECS = null
  2009.11.16 at 14:29:53:236: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument could not get start pos
  2009.11.16 at 14:29:53:236: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument could not get end pos
  2009.11.16 at 14:29:53:236: RMI TCP Connection(2)-172.27.24.20: B2B - (DEBUG) oracle.tip.adapter.b2b.document.custom.CustomDocumentPlugin:identifyIncomingDocument Exit
  2009.11.16 at 14:29:53:479: RMI TCP Connection(2)-172.27.24.20: B2B - (ERROR) Error -: AIP-50083: Document protocol identification error
  So, I enabled the payload logging, but the payload is still encrypted in the log.
  How can I get the b2b to log the decrypted payload ?
  Protocol : AS2
  Custom document over internet

  Thank you for the suggestion, but the decryption is working already.
  When a valid message is loaded into the b2b schema tables it is visible decrypted (in payload) and encrypted (in wire column).
  However, the problem here is that the message is not parsed correctly and is not written to the b2b schema, so I must rely on the logs.
  The b2b.log shows the errors about not finding the start and end position of the payload, and provides other messages about successful decryption of the payload, so I know the decryption has occurred successfully.
  But, it does not write the decrypted payload to the log file, even though it is successfully decrypting and the logPayload setting = true.

• OWSM: How to encrypt payload and SOAP header?

  Hi,
  Anybody know how I can encrypt the payload and the SOAP header via OWSM? I can only find references on how to do it using SSL. The reason for using OWSM/WS-Security was to move away from using transport based encryption (SSL).
  Regards Pete

  http://download.oracle.com/docs/cd/E10291_01/doc.1013/e10299/policy_steps.htm#sthref612
  if you look at the topic :XML Encrypt
  you will see you can encrypt every part of the xml
  Encrypted Content
  Part of the SOAP envelope to be encrypted. Valid values are: BODY, HEADERS, ENVELOPE, and XPATH. The default is BODY.

• Encrypt payload for jca

  Hi,
  We have our own jca adapter.
  We are passing String as a parameter to the jca api.
  We want to encrypt the String and send it to jca api.
  Does JCA provide anything like SSL or any such thing which can encrypt the payload for jca api's
  Regards
  Harsha

  No, there is no standard API for this. You have to do it youself.

• Encrypt-decrypt xml payload (PI 7.0 vs 7.1)

  Hi Experts.
  I'm working in a web service that receive an encrypted xml payload via SOAP. The problem is that the xml that I'm receiving is partially encryptad.
  I'm using a PI 7.0 communication channel type SOAP to decrypt the info, but it isn't supported because PI 7.0 SOAP Comm Channel only can decrypt the hole message, not only a part of that!!!!!!
  My question is if PI 7.1 SOAP Comm Chanel can decrypt only a part of xml messages instead of a hole message like PI 7.0 is doing??
  Thanks in advance.

  Hi again.
  Thanks a lot Baskar for your answer but I thinks that the envelope isn't my problem.
  I'm receiving a payload that has only one encrypted node. One example could be:
  <Transmisiones>
          <TransmisionDatos>
              <DatosGenericos>
                  <Emisor>
                      <NifEmisor>Qnif_Example</NifEmisor>
                      <NombreEmisor>AEAT</NombreEmisor>
                  </Emisor>
                  <Solicitante>
                      <IdentificadorSolicitante>ID_example</IdentificadorSolicitante>
                      <NombreSolicitante>Junta Castilla-La Mancha</NombreSolicitante>
                      <Finalidad>PROC</Finalidad>
                      <Consentimiento>Si</Consentimiento>
                  </Solicitante>
                  <Titular>
                      <TipoDocumentacion>NIF</TipoDocumentacion>
                      <Documentacion>documentacion_Example</Documentacion>
                  </Titular>
                  <Transmision>
                      <CodigoCertificado>AEAT103I</CodigoCertificado>
                      <IdSolicitud>test</IdSolicitud>
                      <IdTransmision>test</IdTransmision>
                      <FechaGeneracion/>
                  </Transmision>
              </DatosGenericos>
              <ns2:DatosEspecificos >
                      <xenc:EncryptionMethod Algorithm = "http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc = "http://www.w3.org/2001/04/xmlenc#"/>
                      <ds:KeyInfo xmlns:ds = "http://www.w3.org/2000/09/xmldsig#">
                          <wsse:SecurityTokenReference xmlns:wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                              <wsse:Reference URI = "test"/>
                          </wsse:SecurityTokenReference>
                      </ds:KeyInfo>
                      <xenc:CipherData xmlns:xenc = "http://www.w3.org/2001/04/xmlenc#">
                          <xenc:CipherValue xmlns:xenc = "http://www.w3.org/2001/04/xmlenc#">
                              7eNid3oVoNLlUcAAjUTZItHkDoPRpe5oSPc1tB/SZyVpi49VhF9Yrv0A0uvNmazIsrtbaahRAvB+
                              Go8KyHNRxsy410lbhFpzb9gqgqNTEKvGFGgDgyc0kpokhVgPfHHOmcmdHxBAGwf5vzUuPEcNw0J+
                              z9kVMRKZK31HndrOXSoiXLtHHkUqTwo4Q2rNlC3gZQKmAawDlFJPiAmUxa4ejeZWWxrnLadC5BD+
                              x=+
                          </xenc:CipherValue>
  So, the xml only has one encrypted node:  CIPHER VALUE.
  In PI 7.0 the SOAP comm channel cannot decypher that kind of payload because that only has a part of payload encrypted instead of a whole encrypted payload.
  My question is if using PI 7.1 this problems will be solved in SOAP comm channel. Or I need to upgrade to PI 7.3??
  thanks a lot

• ACS 5.3 authorization with Juniper WXC-3400

  In the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but having issues with authorization on the Juniper WXC-3400 devices. In ACS  4.1 we were passing TACACS+Shell (exec) Custom attributes Privilege level=15, which allowed a user to login with read/write privileges. In ACS 5.3  tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
  A capture shows Auth Status: 0x11  (ERROR).
  Any ideas?
  Thanks in advance!

  No.     Time               Source                Destination           VLAN Protocol Info
  18 09:14:00.268166580      WX_Juniper             ACS_5_3           TACACS+  Q: Authorization
  Frame 18: 107 bytes on wire (856 bits), 107 bytes captured (856 bits)
  Ethernet II, Src: Cisco_cd:46:af (00:07:7d:cd:46:af), Dst: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63)
  Internet Protocol, Src: WX_Juniper (WX_Juniper), Dst: ACS_5_3 (ACS_5_3)
  Transmission Control Protocol, Src Port: l2c-control (4371), Dst Port: tacacs (49), Seq: 1, Ack: 1, Len: 49
  TACACS+
      Major version: TACACS+
      Minor version: 0
      Type: Authorization (2)
      Sequence number: 1
      Flags: 0x04 (Encrypted payload, Single connection)
      Session ID: 1491582254
      Packet length: 37
      Encrypted Request
      Decrypted Request
          Auth Method: TACACSPLUS
          Privilege Level: 1
          Authentication type: ASCII
          Service: Login
          User len: 8
          User: stmartin
          Port len: 7
          Port: console
          Remaddr len: 0
          Arg count: 1
          Arg[0] length: 13
          Arg[0] value: service=shell
  No.     Time               Source                Destination           VLAN Protocol Info
       20 09:14:00.271608140 ACS_5_3       WX_Juniper             TACACS+  R: Authorization
  Frame 20: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
  Ethernet II, Src: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63), Dst: Cisco_cd:46:af (00:07:7d:cd:46:af)
  Internet Protocol, Src: ACS_5_3 (ACS_5_3), Dst: WX_Juniper (WX_Juniper)
  Transmission Control Protocol, Src Port: tacacs (49), Dst Port: l2c-control (4371), Seq: 1, Ack: 50, Len: 18
  TACACS+
      Major version: TACACS+
      Minor version: 0
      Type: Authorization (2)
      Sequence number: 2
      Flags: 0x00 (Encrypted payload, Multiple Connections)
      Session ID: 1491582254
      Packet length: 6
      Encrypted Reply
      Decrypted Reply
          Auth Status: 0x11 (ERROR)
          Server Msg length: 0
          Data length: 0
          Arg count: 0

• JCO.Server appends null character to string

  I am a complete SAP and JCO newbie so I'll try making as much since as I can, given the fact that I'm not familiar with SAP terminology and technology. I've been lent as a developer to another group which needs a legacy application rewritten. The application processes a RFC and decrypts the RFC encrypted payload and returns it along with a status code.
  I have made progress - I'm able to register my server with the SAP runtime and using the SAP GUI application and the help of a SAP developer, I'm able to make an RFC call to my application. I'm able to read the parameters sent from SAP and write parameters back.
  The problem is that one of the parameters I'm writing back (java.lang.String) appears to have and extra character on SAP side. On the GUI it appears as a '#' (pound) sign. The SAP developer told me the string is terminated with a null character which I know is a C/C++ thing but not a Java thing. I don't think it is a Unicode issue. The Java server is not running in Unicode mode and any attempt to set the jco.server.unicode property (I may have forgotten the exact name) to a value of 1 causes the RFC to fail.
  I think the issue is likely to be the manner in which I defined the function parameters or the manner in which I write them. The following are code snippets:
  Defining the function:
  JCO.MetaData metadata = new JCO.MetaData(Constants.FUNCTION_DECRYPT);
  metadata.addInfo(Constants.PARAMETER_SCHEME,      JCO.TYPE_INT,    255,   0,  0, JCO.IMPORT_PARAMETER, null);
  metadata.addInfo(Constants.PARAMETER_ENCRYPTED,   JCO.TYPE_STRING, 255,   0,  0, JCO.IMPORT_PARAMETER, null);
  metadata.addInfo(Constants.PARAMETER_DECRYPTED,   JCO.TYPE_STRING, 255,   0,  0, JCO.EXPORT_PARAMETER, null);
  metadata.addInfo(Constants.PARAMETER_RETURN_CODE, JCO.TYPE_INT,    255,   0,  0, JCO.EXPORT_PARAMETER, null);
  Server request handling code:
  protected void handleRequest(JCO.Function function)
                  // Obtaining import/export parameter lists.
                  JCO.ParameterList input  = function.getImportParameterList();
                  JCO.ParameterList output = function.getExportParameterList();
                  // Getting scheme and encrypted text parameters.
                  int scheme       = input.getInt(Constants.PARAMETER_SCHEME);
                  String encrypted = input.getString(Constants.PARAMETER_ENCRYPTED);
                  // Decoding base 64 string.
                  byte[] bytes = Base64.decode(encrypted);
                  // Obtaining cipher by scheme and decrypting the text.
                  AppCipher cipher = ApplicationConfiguration.getDecryptor(scheme);
                  if(cipher == null)
                                  logger.error("Unable to get cipher due to an unknown encryption scheme: " + scheme);
                  else
                                  byte[] decrypted = cipher.decrypt(bytes);
                                  String plainText = new String(decrypted);
                                  // Setting decrypted value information and return code.
                                  output.setValue(plainText, Constants.PARAMETER_DECRYPTED);
                                  output.setValue(Constants.RETURN_CODE_SUCCESS, Constants.PARAMETER_RETURN_CODE);

  I seem to have made progress. If I define the parameter type as JCO.TYPE_CHAR instead of JCO.TYPE_STRING, it works:
  metadata.addInfo(Constants.PARAMETER_DECRYPTED,   JCO.TYPE_CHAR,   255,   0,  0, JCO.EXPORT_PARAMETER, null);
  That is the only change I made. I'm still setting the parameter value as java.lang.String. I hope this won't cause issues elsewhere. I was also able to change the field definition and set it as a byte array. However, that had the problem of having to define the exact length of the byte array in the field metadata otherwise the remaining bytes would appear as null bytes on SAP side.

• Custom document over internet encoding

  Hi all!
  While trying to send a custom document over AS2, the payload encoding seems to be dependent on signing and encription:
  If the message is unencrypted and unsigned -- Payload is UTF-8
  If the message is 3DES encrypted OR signed OR both signed and encrypted -- Payload is windows-1251 (our B2B installed on windows server 2003, regional settings = russia)
  i have already tried to insert oracle.tip.adapter.b2b.encoding=UTF-8 line in tip.properties, but it doesnt seem to help me.
  The problem is: Trading partner expects UTF-8 messages. So when sent in windows-1251, the russian characters are misinterpreted.
  If anyone already faced this problem, please help. Thanks.
  Alex.

  Hi,
  I used to get "Unable to identify the trading partner agreemen" due to below reasions,
  1. Agreement is not deployed properly. Please check whether deployed agreement is in active state.
  2. While creating the Operational Capability, please check whether initiator and responder defined correctly.
  For Outbound, Please check Remote trading partner Is Initiator should be false and Host trading partner Is Initiator should be true.
  As far as I know, File name convention should be folllowed for FTP/File and not for HTTP.

• IPSec overhead in ESP Tunnel mode

  Hi,
  I am facing a very simple problem with IPSec in ESP Tunnel mode.
  My objective here is to know the precise overhead added to normal payload by IPSec in ESP tunnel mode.
  As per Cisco docmentation I read some where that it is up to 57 bytes. However in reality it is taking up to 58 bytes, is it correct? or I miss something?
  With the default MTU Size from end to end (I mean 1500 Bytes across the IP Sec peers), I can ping with payload of maximum 1414 bytes from windows PC(This does not include IP header and ICMP Header).
  My test results are as below.
  When I use payload size of 1409, total ip length in outer ip header should be
  1409 data+ 8byte ICMP Header+20 bytes ip header+20 byte new ip header by ESP in tunnel mode+ 16 Byte ESP Header+2Byte ESP Trailer+12 byte ESP Authentication data
  Total makes 1487 but in sniffer I found total ip length as 1488. Where is that 1 byte going?
  IP length is 1488 for data payload of 1409 to 1402 bytes. I think this is due the rule that while doing Encryption payload size should be multiple of 8.
  If I make pay load 1410..........Total IP lenght is becoming 1496.
  From the above my assumption is IPSec In ESP Tunnel mode overhead is from 51~58 Bytes.
  Is above is correct?
  Thanks in advance.
  Subba

  The difference is due to the padding field in the ESP packet, it changes size depending on the original packet size, so yes, the exact additional number of bytes is not always the same.
  A couple of examples (ESP tunnel mode):
  1500 byte packet becomes 1552 bytes:
  20 bytes IPsec header (tunnel mode)
  4 bytes SPI (ESP header)
  4 bytes Sequence (ESP Header)
  8 byte IV (IOS ESP-DES/3DES)
  2 byte pad (ESP-DES/3DES 64 bit)
  1 byte Pad length (ESP Trailer)
  1 byte Next Header (ESP Trailer)
  12 bytes ESP MD5 96 digest
  800 byte packet becomes 856 bytes:
  20 bytes IPsec header (tunnel mode)
  4 bytes SPI (ESP header)
  4 bytes Sequence (ESP Header)
  8 byte IV (IOS ESP-DES/3DES)
  6 byte pad (ESP-DES/3DES 64 bit)
  1 byte Pad length (ESP Trailer)
  1 byte Next Header (ESP Trailer)
  12 bytes ESP MD5 96 digest
  So you can see there that one packet gets an additional 56 bytes, whereas a different size packet gets only 52 added. The least that can get added is 50 bytes with 0 byte pad as shown here:
  790 byte packet becomes 840 bytes:
  20 bytes IPsec header (tunnel mode)
  4 bytes SPI (ESP header)
  4 bytes Sequence (ESP Header)
  8 byte IV (IOS ESP-DES/3DES)
  0 byte pad (ESP-DES/3DES 64 bit)
  1 byte Pad length (ESP Trailer)
  1 byte Next Header (ESP Trailer)
  12 bytes ESP MD5 96 digest
  and then the most that can be added is 57 bytes with a 7 byte pad as seen here:
  799 byte packet becomes 856 bytes:
  20 bytes IPsec header (tunnel mode)
  4 bytes SPI (ESP header)
  4 bytes Sequence (ESP Header)
  8 byte IV (IOS ESP-DES/3DES)
  7 byte pad (ESP-DES/3DES 64 bit)
  1 byte Pad length (ESP Trailer)
  1 byte Next Header (ESP Trailer)
  12 bytes ESP MD5 96 digest

• CSM: Balancing to real URLs instead to Realservers ???

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Normale Tabelle";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hi there,
  I got the following request:
  A virtual server should be balanced to two realservers, but not simply to an IP, but to a specific port and a specific location on those servers, lets say to:
  “realserver1:8002/location” and “realserver2:8002/location”
  The virtual server should be available only by SSL, e.g. by “https://10.10.10.10”
  http connects should be automatically redirected to https.
  My idea was to build a vserver (vserver1) listening on port 443, that virtualizes “realserver[1/2]:8002” by configuring the two reals in a farm with port 8002:
  serverfarm farm1
  real name realserver1 8002
  real name realserver2 8002
  and to configure two vservers (vserver2 and 3) with a farm, that redirects http and https requests to 10.10.10.10 to the above vserver1 appended by the location in the URL, e.g.:
  serverfarm sfarm-redirect
  redirect-server vserver-redirect
     webhost relocation https://vserver1/location
  Any comments if this would work, or is there a more simple way to realize this scenario?
  Thanks in advance
  Hakan

  Hakan,
  for SSL connections if you do not terminate them on the loadbalancer there is no way that the loadbalancer can anyhow modify the request or issue a redirect. The reason for the limitiation is that with SSL connection the CSM won't have the chance to parse the HTTP traffic as this will be in the encrypted payload of the SSL flow, without access to the underlying HTTP it cannot see the requested URL or HOST nor it can issue an HTTP redirect.
  Hope it helps,
  Francesco

• Firewall rules for a IPSec Tunnel mode connection

  I'm using Windows 7 Embedded with a Tunnel mode IPSec Connection. Are firewall rules applied before the traffic is decrypted or after? In other words, will I be able to apply firewall rules to allow only certain application traffic within the tunnel? Any
  KB article would be appreciated.
  Thanks,

    When VPN traffic comes through the firewall it is still encrypted and encapsulated. The firewall will only see the data in the container, not the encrypted payload. So the short answer is no.
  Bill

• Securing Mobile Config files

  I created a mobile config file that would set up wifi access for my companies various locations. I uploaded it to a webserver so that users can browse to it and install the file on the iphone. Everything worked perfect, but I noticed that if someone just downloads the file and opens it in notepad or textedit, our wifi's WPA2 key is just listed there plain as day. Not encrypted or hidden in any way. Is there a way I can do this but keep that information hidden? I want them to be able to do the install but not get information out of the mobile config file.

  You can encrypt the payload information on a mobileconfig file. and put together a poor mans OTA enrollment.
  Extract the payload <array> to </array> after<key>PayloadContent</key>
  to
  <key>PayloadDescription</key>
  use openssl and encrypt the profile say aes128 use a cert to PEM format
  paste it back using the new key
  <key>EncryptedPayloadContent</key>
  <data>Your encrypted payload stuff here</data>
  you can then load a profile containing your cert using IPCU and ship your device
  However you have to load the encrypted profile at the destination through Safari/SMS or email.
  IPCU wont load encrypted profiles unless the same IPCU encrypted them.