OSB 10.3.1 WS-Policy encrypting an optional WSDL element

Similar Messages

• [svn] 4606: Make policy-file-url optional via the ant task.

  Revision: 4606
  Author: [email protected]
  Date: 2009-01-21 09:44:27 -0800 (Wed, 21 Jan 2009)
  Log Message:
  Make policy-file-url optional via the ant task.
  The policy-file-url - takes a empty sting from the command line to separate two urls.
  QE Notes: None
  Doc Notes: None
  Bugs: SDK-18401
  tests: checkintests
  Ticket Links:
  http://bugs.adobe.com/jira/browse/SDK-18401
  Modified Paths:
  flex/sdk/branches/3.x/modules/antTasks/src/flex/ant/types/URLElement.java

  Remember that Arch Arm is a different distribution, but we try to bend the rules and provide limited support for them.  This may or may not be unique to Arch Arm, so you might try asking on their forums as well.

• Osb proxy service with owsm policy auth slow when soap request very large

  I have a proxy service which is security with owsm policy: oracle/wss_username_token_service_policy, the proxy service simply route to Business Service which directly invoke a bpel exposed web service, when I call the proxy service with soap envelope large than 15MB(not attachment), waiting about 4~5 minutes, the bpel instance created ; but when I remove the security policy:oracle/wss_username_token_service_policy, it will cost only 20 seconds, why authentication cost so long? How can I deal with the problem?
  My English is poor, please don't mind!
  besides, with my OSB version is 11.1.1.6.0

  I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with embedded signature and this seems to be not supported with the used OWSM policy. Without the signature is the exception gone.
  Marian

• OSB: Proxy Service and Dispatch Policy

  Hi all,
  I'm trying to use OSB (10.3) proxy service with dispatch policy set to WebLogic (10.3) work manager to limit maximum number of threads allocated for request to this proxy service.
  It seems to me that whole dispatch policy setting is ignored in OSB. The situation is like this: I have simple Axis based web service with wait method that just waits for few seconds (based on request parameter). I use this service for testing (hm, so far just for trying to understand) OSB dispatch policy function.
  Using soapUI I created a simple load test which uses 10 threads to call wait(10) - it means "wait for 10 seconds". Time limit for the whole load test is set to 20 seconds. It is clear that the total execution count is 2 x 10 = 20. So far, so good.
  Then I created simple proxy service in OSB that just routes request to business service representing my Axis service with wait method. I set a dispatch policy for the proxy service to WorkManager-2threads (see below) and I expected that running the same load test with endpoint set to OSB would result in significant lower total execution count. I expected that because WebLogic should allocate 2 threads at most for all requests to this proxy service. However, that's not the case as the result is the same as in the first (Axis only) test. Just as there was no dispatch policy settings at all ...
  Where is the problem?
  This is the relevant part of my WebLogic configuration regarding work manager:
  <max-threads-constraint>
  <name>MaxThreadsConstraint-2</name>
  <target>AdminServer</target>
  <count>2</count>
  <connection-pool-name></connection-pool-name>
  </max-threads-constraint>
  <work-manager>
  <name>WorkManager-2threads</name>
  <target>AdminServer</target>
  <max-threads-constraint>MaxThreadsConstraint-2</max-threads-constraint>
  <capacity xsi:nil="true"></capacity>
  <ignore-stuck-threads>false</ignore-stuck-threads>
  </work-manager>

  It's same problem to me. I do pressure test by loadrunner,I deployed two separate proxy service,under same concurrent user,I get same TPS from the two proxy service.but when I add low priority concurrent user,low priority TPS up.
  I set the Route option as you say,but weblogic hanged immediately,and can't be accessed by the console.

• Windows 2008 R2 - Group Policy Preference - folder option "Open with" Access denied

  Similar to this post:
  social.technet.microsoft.com/Forums/en-US/d42a81bc-96de-4af3-bc41-079e88e6ea4a
  We have Citrix terminal servers running Windows 2008 R2 and attempting to force PDF files to open with Acrobat versus PDF editing software we have installed for a small subset of users.  So I created a Group Policy Preference and added a OpenWith item
  to the Folder Options to use Acrobat as the default and linked it to a Users OU.  However, if I run gpresult the OpenWith setting fails with error code 0x80070005.  You can change it to not run in the user's security context which eliminates the
  error but then it won't actually do anything.
  The problem seems to be that when a user sets another program as their default via Windows Explorer the permissions on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice get changed so that the user is specifically
  denied the ability to set that key.  Remove the special permissions added and the group policy succeeds and changes it back to the default ... until the user changes it back (intentionally or otherwise) and the permissions are changed again.
  Any ideas here?

  > Any ideas here?
  We use GPP Registry to achieve this goal, so we do not run into that
  issue (we unchecked "run in users context", so privs are not an issue)
  But I agree, this really should work as intended...
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• OneDrive Pro Group Policy & Centralised Configuration Options

  Hi there,
  I would like to guidance as to the available options for controlling and configuring the Office 365 Pro Plus 'OneDrive Pro' application within Group Policy?  What is the most streamlined way of centrally configuring the desktop application on sync'ing
  online OneDrive content from Office 365 to the desktop?  It all seems rather manual and based around individual user subscriptions initially.
  Responses appreciated, with any reference links / guides.
  Thank you.
  MSEBlogger (Technet)

  This might be Group Policy object what you need:
  http://blogs.msdn.com/b/denotation/archive/2013/11/01/disable-windows-skydrive-app-using-group-policy.aspx
  Tony Chen
  TechNet Community Support

• Group Policy for Outlook Option: "Mark Messages as expired after this many days"

  In Outlook, there is a option where you can have Outlook "Mark Messages as expired after this many days".  If you enable this option, you fill in a number of days when Outlook will mark the message as expired.  The default is 180 days.
  The option is located under FILE -> Options -> Mail -> Send Messages.
  Does anyone know how to enable this setting via Group Policy? I can't find it.
  Thanks!

  Hi,
  Do you have the
  Office 2010 Administrative Templates loaded? If so, we can find the GPO setting under:
  Administrative Templates > Microsoft Outlook 2010 > Outlook Options > Preferences > E-mail Options > Advanced E-mail Options
  Double click "When sending a message" setting, select Enable bullet. Now, you can specify the "Messages expire after (days):" option.
  Regards,
  Steve Fan
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• How to remove the iPad encrypted backup option?

  Plenty of discussion about how to recover a password. Or find a password from an existing backup, etc.
  I just want to get the option gone.
  A backup is supposed to be a single, manual snapshot in time. I normally use iCloud Backup-Service for continued sync, but every 6-12 months I get a new Apple device through the iBEP program at work.
  Yes, I'm supposed to sell Apple stuff.
  However, to make sure all of my files, settings, etc are active, I use itunes backup to my home PC to take a snapshot to restore onto the new device.
  That's as far as it goes.
  I'm not after breaking into old data, I just want to be able to use backup to my computer again!
  And if you are going to suggest the data is 'lost', or that I need to restore to blank, f-off.
  It is seriously getting to the point I am loathe to recommend them, or even accept the free (returnable) devices from Apple.

  Have removed all existing backups from iTunes. I do that as matter of course, being I only use iTunes to migrate devices and update software that wont go OTA.
  Restarted itunes, Upgraded iTunes, swore at iTunes.. Nothing worked.
  Very frustrating as I have device in left hand, with all of my data and files, but they need to be on device in right hand, that is fresh and blank.
  I get not being able to remove existing encryption without the password, but not even being allowed to make a choice for future without the password? Thats stupid bordering on negligent handling of personal information.

• Group policy Preference - Internet Option setting not applying

  Hi,
  I’m not very sure if any of you have encounter this strange issue when
  configuring GPP -> Internet option setting for window 7 IE9 or IE11.
  The following
  are spec of OS and IE version used in my environment.
  Window Server
  2012 R2 (IE 10)
  Window 7 (IE9
  and IE11)
  Recently I
  have deployed proxy setting via GPP as I do not have IEM under my GPMC console.
  Once the setting is been configured and deployed, I have notice that the GPO do
  not apply after the user login. The following scenarios is what we observed.
  1) User boot up the machine, Login and proxy setting will not applied
  1a) gpupdate /force -> Proxy Settings applied
  1b) setting will be removed after the GPO refreshed
  2) User boot up the machine, Login and proxy setting will not apply
  2a) User logoff and login proxy setting applied.
  2b) Setting will be removed after the GPO refreshed
  Kindy advise
  if there is any solution to ensure that the setting apply whenever the user
  login and stay intact even after the gpo refreshed by itself.

  Hi,
  >>1a) gpupdate /force -> Proxy Settings applied
  >>1b) setting will be removed after the GPO refreshed
  Based on the description, we can run command gpresult/h report.html to collect group policy result reports to compare how the settings are being applied.
  Besides, have we installed the following hotfix on the computers with IE 9? If not, we can try to install the hotfix.
  Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment
  https://support.microsoft.com/en-us/kb/2530309?wa=wsignin1.0
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Question - EM and OSB keystore configuration for encryption

  Hello everyone,
  I've been configuring EM and OSB's security key provider by using the manuals ( [Setting keystores|http://download.oracle.com/docs/cd/E14571_01/web.1111/b32511/setup_config.htm#WSSEC1970] ) but I came up with a problem. In both configurations the tools require an encryption key, however in my case I receive soap requests with X.509 client certificates in them (and so their public, encryption key). So, potentially every request will have a different encryption key, not a single hard one like the configurations require. How should I configure this scenario??
  Thanks !

  short answer: Using a policy will force the wsdl to include the server's public key to be used for message encryption. So the incoming message should have a Security element in its header and is encrypted with the server's public key. Since the server has the private key, it can decrypt the message.
  soapUI ( 3.5 ) gives a good view of the client side of the process.

• OWSM Policy in OSB

  I am trying to build a sample OSB service having the OWSM policy attached to it.I am using the option of "From OWSM Policy Store " and used the policy oracle/wss_username_token_service_policy.
  When i tried to exceute the OSB,i am getting an error as
  "oracle.wsm.policymanager.PolicyManagerException: WSM-02128 : Cannot read WSDL. [Possible Cause : unknown protocol: servicebus]"
  Looking like,some issue with the parsing of the WSDL that i used upon the service.Do i need to refer the wsdl from MDS.If,yes how can i do that in OSB.

  You may refer below blog for configuration -
  http://niallcblogs.blogspot.com/2010/07/osb-11g-and-wsm.html
  Regards,
  Anuj

• OSB secure-WS Business Service

  Hello,
  the target is using OSB 11.1.1.0 to call a secure WS and exposing it as clear WS Proxy.
  The requierements are summarized below.
  Can it be done with OSB, (if so, do we just need a custom policy file or additional configuration is needed), or do we need OWSM also?
  Thanks
  Regards
  Standards adopted are:
  1)     WS-Security Core Specification 1.1
  2)     X.509 Token Profile 1.1
  Client security actions
  •     Add <wsu:Timestamp> tag to soap header, with creation and expiration in UTC format xsd:dateTime defined in XML Schema.
  SAMPLE
  <wsu:Timestamp wsu:Id="...” xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Created>2011-06-05T18:40:11.234Z</wsu:Created>
  <wsu:Expires>2011-06-05T18:45:11.234Z</wsu:Expires>
  </wsu:Timestamp>
  •     Add signature to soap header:
  - Transformation Algorithm     http://www.w3.org/2001/10/xml-exc-c14n#
  - Digest Algorithm     http://www.w3.org/2000/09/xmldsig#sha1
  -     Signature generated encypting (using with client private key) the digest of the following message elements
  <wsu:Timestamp>      xmlns:wsu=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd”
  <soap:Body>     xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/”
  •     Encrypt the following message elements
  <ds:Signature>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#/”
  <soap:Body>     xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/”
  USING THE FOLLOWING algorithms
  - Symmetric Encoding Algorithm     http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - Key Encryption Algorithm     http://www.w3.org/2001/04/xmlenc#rsa-1_5"

  You may do it with OSB and custom policies -
  http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/message_level.htm#g1096101
  OWSM is not mandatory for it.
  Regards,
  Anuj

• OSB 10gR3 - Process WS-Security flag not working with PasswordDigest

  Hi,
  By Oracle documentation when you set the "process ws-security header" in security section of a proxy service, the proxy service act as an active intermediary and consume the ws-security header received in inbound messages. This feature works fine when you call the proxy service using WS-Security Username Token Profile PasswordText, but when you send Username Token with PasswordDigest I got the following error: +"weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions"+
  I am using SoapUi to call the proxy with passwordDigest, WSS-Password Type option set to PasswordDigest.
  Proxy configured with:
  General tab -> WSDL based proxy service, this wsdl doesn't have ws-policy definitions inside.
  Transport tab -> Get all headers = Yes
  HTTP Transport tab -> HTTPS Required = No / Authentication = Basic
  Operation tab -> Enforce WS-I Compliance = not checked / Selection Algorithm = SOAP Body Type
  Message Content tab -> default settings
  Policy -> Added Auth.xml(predefined) policy to request policies.
  Security tab -> Process WS-Security header = Yes / Custom Authentication settings = none
  Error --->
  +<01/12/2009 09h34min55s BRST> <Error> <OSB Security> <BEA-387022> <An error ocurred during web service security inbound request processing [error-code: Fault, message-id: 6198860737666014185--de42214.12549f82d66.-7fdb, proxy: AlphaTests/MyProxy/Proxy/MyLogProxy, operation: null]+
  --- Error message:
  +<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode>*<faultstring>Unable to validate identity assertions.</faultstring>*</env:Fault></env:Body></env:Envelope>+
  weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions.
  +     at weblogic.wsee.security.wss.SecurityPolicyValidator.processIdentity(SecurityPolicyValidator.java:133)+
  +     at weblogic.wsee.security.wss.SecurityPolicyValidator.processInbound(SecurityPolicyValidator.java:77)+
  +     at weblogic.wsee.security.WssServerPolicyHandler.processInbound(WssServerPolicyHandler.java:54)+
  +     at weblogic.wsee.security.WssServerPolicyHandler.processRequest(WssServerPolicyHandler.java:30)+
  +     at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:74)+
  +     at com.bea.wli.sb.security.wss.WssInboundHandler.processRequest(WssInboundHandler.java:155)+
  +     at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:201)+
  +     at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:257)+
  +     at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:66)+
  +     at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:508)+
  +     at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:506)+
  +     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)+
  +     at weblogic.security.service.SecurityManager.runAs(Unknown Source)+
  +     at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)+
  +     at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:505)+
  +     at com.bea.wli.sb.transports.TransportManagerImpl.receiveMessage(TransportManagerImpl.java:371)+
  +     at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper$1.run(HttpTransportServlet.java:279)+
  +     at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper$1.run(HttpTransportServlet.java:277)+
  +     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)+
  +     at weblogic.security.service.SecurityManager.runAs(Unknown Source)+
  +     at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper.securedInvoke(HttpTransportServlet.java:276)+
  +     at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper.service(HttpTransportServlet.java:237)+
  +     at com.bea.wli.sb.transports.http.HttpTransportServlet.service(HttpTransportServlet.java:133)+
  +     at weblogic.servlet.FutureResponseServlet.service(FutureResponseServlet.java:24)+
  +     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)+
  +     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)+
  +     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)+
  +     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)+
  +     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)+
  +     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)+
  +     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)+
  +     at weblogic.security.service.SecurityManager.runAs(Unknown Source)+
  +     at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)+
  +     at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)+
  +     at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)+
  +     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)+
  +     at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)+

  Eduardo,
  Yes, but the flag "Process WS-Security header" needs to be set to 'No' and I included a delete node to remove the wsse:Security element from header. Attaching Auth.xml predefined policy to my request operation, causes OSB to include the policy directive in my WSDL, but the PasswordText(see below).
  In Oracle security guide we have steps to configure PasswordDigest in the Oracle Service Bus Security Configuration using the WLS Console http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/model.html#wp1062542
  My doubt is: Is this a bug? "Process WS-Security header" flag is supposed to work with PasswordDigest?
  My WSDL with WS-Policy statements after Auth.xml policy was configured.
  <?xml version="1.0" encoding="UTF-8"?>
  <s2:definitions targetNamespace="http://alpha.tests.org" xmlns:s0="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s2="http://schemas.xmlsoap.org/wsdl/" xmlns:s3="http://alpha.tests.org" xmlns:s4="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <s0:Policy s1:Id="encrypt-custom-body-element-and-username-token">
  <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
  <wssp:SupportedTokens>
  <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
  <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
  </wssp:SecurityToken>
  </wssp:SupportedTokens>
  </wssp:Identity>
  </s0:Policy>
  <wsp:UsingPolicy s2:Required="true"/>
  <s2:types>
  <xsd:schema elementFormDefault="qualified" targetNamespace="http://alpha.tests.org" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:impl="http://alpha.tests.org" xmlns:s0="http://schemas.xmlsoap.org/wsdl/" xmlns:s1="http://alpha.tests.org" xmlns:s2="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="EchoRequest">
  <xsd:complexType>
  <xsd:sequence>
  <xsd:element name="send" type="xsd:string"/>
  </xsd:sequence>
  </xsd:complexType>
  </xsd:element>
  <xsd:element name="EchoResponse">
  <xsd:complexType>
  <xsd:sequence>
  <xsd:element name="response" type="xsd:string"/>
  </xsd:sequence>
  </xsd:complexType>
  </xsd:element>
  </xsd:schema>
  </s2:types>
  <s2:message name="echoRequest">
  <s2:part element="s3:EchoRequest" name="echoPartReq"/>
  </s2:message>
  <s2:message name="echoResponse">
  <s2:part element="s3:EchoResponse" name="echoPartResp"/>
  </s2:message>
  <s2:portType name="MyAlphaPort">
  <s2:operation name="echo">
  <s2:input message="s3:echoRequest" name="echoRequest"/>
  <s2:output message="s3:echoResponse" name="echoResponse"/>
  </s2:operation>
  </s2:portType>
  <s2:binding name="MyAlphaBinding" type="s3:MyAlphaPort">
  <s4:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
  <s2:operation name="echo">
  <s2:input name="echoRequest">
  <s4:body use="literal"/>
  <wsp:Policy>
  <wsp:PolicyReference URI="#encrypt-custom-body-element-and-username-token"/>
  </wsp:Policy>
  </s2:input>
  <s2:output name="echoResponse">
  <s4:body use="literal"/>
  </s2:output>
  </s2:operation>
  </s2:binding>
  <s2:service name="MyAlphaBindingQSService">
  <s2:port binding="s3:MyAlphaBinding" name="MyAlphaBindingQSPort">
  <s4:address location="http://CLXSP0272:7001/MyAlphaService"/>
  </s2:port>
  </s2:service>
  </s2:definitions>

• Invoke a business service base in a WSDL with customer WS-Security Policy

  Customer write a Web service (Refer to the attachment file “HTTPS_PartyServicePortType.WSDL”)which declare a WS-Security Policy and apply this it to WS binding ,How can I generate a business service base in this WSDL and invoke it successfully?
  When create a business service in OSB, we get a error with below messages
  [[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy. For the Business Service, either you can add the necessary client policies manually by clicking Add button or you can let Oracle Service Bus automatically pick and add compatible client policies by clicking Add Compatible button.
  After enhanced the OSB domain with OWSM extension, we found the OOTB OWSM defined cannot support the HttpsToken and OSB cannot support below WS-Policy defined in OWSM, refer to http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/owsm.htm#OSBDV1681
  51.2.8.1 Unsupported Assertion
  •     binding-permission-authorization
  •     http-security
  •     OptimizedMimeSerialization (MTOM)
  •     RMAssertion (Reliable Messaging)
  •     sca-component-authorization
  •     sca-component-permission-authorization
  •     UsingAddressing
  •     wss-saml-token-bearer-over-ssl (Authentication)
  it means that we cannot generate a web service with customer WS-security Policy
  The WS-Security Policy is shown as below:
  <wsp:Policy wsu:Id="WSHttpBinding_IPartyServicePortType_policy">
  <wsp:ExactlyOne>
  <wsp:All>
  <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
  <sp:TransportToken>
  <wsp:Policy>
  <sp:HttpsToken RequireClientCertificate="false"/>
  </wsp:Policy>
  </sp:TransportToken>
  <sp:AlgorithmSuite>
  <wsp:Policy><sp:Basic256/></wsp:Policy>
  </sp:AlgorithmSuite>
  <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
  </wsp:Policy>
  </sp:TransportBinding>
  <wsaw:UsingAddressing/>
  </wsp:All>
  </wsp:ExactlyOne>
  </wsp:Policy>
  BestRegards!
  Simon

  Hi
  According to
  http://e-docs.bea.com/wls/docs90/webserv/annotations.html#1050414
  If you are going to publish the policy file in the Web Service archive, the policy XML file must be located in either the META-INF/policies or WEB-INF/policies directory of the EJB JAR file (for EJB implemented Web Services) or WAR file (for Java class implemented Web Services), respectively.
  Can you make sure the policy file is in there?
  Also there is a sample from the developer at http://dev2dev.bea.com/blog/jlee/archive/2005/09/how_to_use_anno.html
  Vimala-

• Mediator not detecting faults when WS-Security Message Encryption enabled

  We are using a SOA 11g composite to call a set of OSB proxy/business pairs which in turn call further web services and return the responses. The OSB proxy services are trivial: they each expose the WSDL of the downstream web service and route all messages without any transformation to a business service that also uses the downstream WSDL.
  The SOA composite is composed largely of a mediator that accepts requests, transforms payloads, routes to the correct OSB service, transforms the response, and replies to the caller.
  I have configured my OSB services, in case of a SOAP fault returned from downstream, to simply "Reply with Failure", which causes the body received from the downstream web service (a SOAP fault) to be returned to the SOA composite along with an HTTP 500 error. I have created a Fault processing section in each of my routing rules that maps the downstream fault to a fault that the mediator returns to the caller.
  In my local test instance, this works fine; OSB receives a custom SOAP fault from the downstream service, sends it back to SOA where the mediator recognizes the fault and maps it, and throws a SOAP Fault back to the caller.
  In our formal testing environment, however, it does not work. I have validated that the response comes back to the Mediator in the same way as it does in my local environment, but the Mediator attempts to use the standard response transformation configured for that routing rule rather than the fault transformation. The fundamental difference between my local environment and the formal test environment is that WS-Security has been enabled between SOA and OSB using the wss10_username_token_with_message_protection via OWSM.
  I have a workaround, namely to add a choose clause in my reply transformation XSL file that looks for a SOAP fault and sends it back to the caller if one is found, however this is a nasty hack.
  Has anyone had experience with this scenario, where implementing WS-Security causes SOAP Faults to no longer be recognized? My best guess at this point is that when "Reply with Failure" is used, OSB returns the SOAP Fault body in an encrypted form and SOA assumes that the call succeeded (despite the HTTP 500 error). I have not found a way to tell OSB not to encrypt the response message in the case of "Reply with Failur", but it doesn't encrypt responses when it throws its own faults (BEA-380001, for instance).

  X509V1 is not a valid value for "Valuetype". So I guess this should not be the problem.