OSB: Custom OWSM policy with Assertions

Similar Messages

• Custom WS Policy with Service account in OSB while invoking a https service

  Hi,
  I need your help on one of my issue in invoking an https service from OSB. I read through various posting and tried the below steps in this forum
  -Added the certificate for the https site to soa domain
  -Registered the https webservice as a Business service
  -Registerd a proxy service on top of this Business service
  -In the service call out on Proxy service I did a replace operation on the entire soap header with the below string
  <soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
       <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>sysuser@yahoo</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ABIHAIKLPLKLPMLERLER</wsse:Password>
       </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>
  -After doing all the above steps my call out worked from the test console, If you see closely the userid(sysuser@yahoo) and password(ABIHAIKLPLKLPMLERLER) is hard coded here.
  I need a way to mask the credentials and have the user pass them when they invoke the proxy service. I read through some posting and it was listed that we can create a custom policy and attach that custom policy to the Business service. But my problem here is the userid has an extra char @, so I wasn't able to create the user account with those credentials in OSB, but I was able to create the userid and password using a service account. Iam not sure how I can use this service account along with the custom policy.
  Can you please provide me a suitable approach, which will solve my issue. I appreciate your time and help
  Thanks
  Jagan.

  Hi,
  Below are the steps followed
  - OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
  - Iam invoking this from BPEL. BPEL process has 'oracle/wss_username_token_client_policy' attached.
  - I can invoke the osb proxy from bpel by passing credentials - No Issues.
  Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
  -I used Role=Admin as a policy condition restriction under security in Proxy service.
  -Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has a Admin Role.
  -I cannot invoke the same proxy service from BPEL in Jdeveloper now.
  All Iam trying to do is to protect my proxy by authrorization policy.
  Thanks
  Jagan.

• ClassNotFoundException with Custom OWSM Policy in Oracle Service Bus

  Hi All,
  I have a situation where I have created a custom web service manager policy. When I attach this policy to an Oracle Service Bus Proxy Service and invoke the service I get a ClassNotFoundError
  Caused By: java.lang.ClassNotFoundException: au.com.MyClass
  at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
  at java.security.AccessController.doPrivileged(Native Method)
  at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
  at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
  at oracle.wsm.policy.util.Loader.loadClass(Loader.java:369)
  at oracle.wsm.policy.util.Loader.loadClass(Loader.java:389)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:238)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.populateAssertionExecutors(WSPolicyRuntimeExecutor.java:279)
  at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.init(WSPolicyRuntimeExecutor.java:162)
  at oracle.wsm.policyengine.impl.PolicyExecutionEngine.getPolicyExecutor(PolicyExecutionEngine.java:137)
  at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:101)
  at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
  at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
  at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:366)
  at com.bea.wli.sb.security.wss.wsm.WsmInboundHandler.processRequest(WsmInboundHandler.java:150)
  at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:223)
  at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:289)
  at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:87)
  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)
  at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)
  The jar file is in the user_projects/domains/mydomain/lib directory.
  Attaching the policy to BPEL services has no issue and the policy is invoked successfully.
  I am unable to determine why the OSB would behave differently in this regard, or what I need to configure differently in order to have it found by the class loaders for the OSB.
  Any help or suggestions appreciated.
  I am using 11.1.1.4.0
  The jar file has the necessary policy_config.xml file and the META-INF/mylabel/mypolicy.xml files in situ. As I said, it is working in the soa_server but not the OSB.

  Have you restarted servers after putting jar in $Domain_Home/lib directory? Also try after explicitly adding this jar in classpath by editing server startup script (startManagedWeblogic.cmd or .sh) or in domain env setting script (setDonainEnv.cmd or .sh) and restarting the servers.
  Regards,
  Anuj
  Edited by: Anuj Dwivedi on Mar 21, 2011 1:10 PM

• [OSB and OWSM] - External Web service stacks and frameworks

  Hi everyone ! I'm starting to read about OSB and OWSM and I'm having some doubts. I've some developments of Web services with external Stacks like CXF, JBossWS, Metro and I'd like to ask some questions:
  1- Will I be able to productively leverage all features of OSB and OWSM like creating a proxy service to add WS-* standards policies and features (WS-Security, for instance) even with these web services implemented in different stacks other than Weblogic's ?
  2- If it is possible, do these web services need to be deployed at the Weblogic server to enable the OWSM and OSB to work effectively ?
  3- Even if it is possible to use the OSB and OWSM nicely with webservices developed at external stacks and deployed at other application servers is there any reason to quit using these external web service stacks in favor of Weblogic's (like features only enabled on OSB/OWSM when the services use the Weblogic stack) ?
  I suppose that if I ignore the JAX-WS stack from Weblogic and use an external framework (like CXF) I'll lose most of the application server administration capabilities since the Weblogic server won't be able to recognize the CXF stack as it does with its own.But, the main doubt I'm in is, since OSB and OWSM might be used with external providers I probably won't need to develop my web services using the Weblogic implementation (which my team does not yet know) since there will be no features of the OSB and OWSM which can only be used with the Weblogic's stack. I would like, please, to know your oppinions about these considerations. Sorry about the long post and possible errors (I just started learning).
  Thank you!

  Hi Lupan,
  I can speak mostly to OWSM as my experience with OSB is small thus far.
  +1- Will I be able to productively leverage all features of OSB and OWSM like creating a proxy service to add WS-* standards policies and features (WS-Security, for instance) even with these web services implemented in different stacks other than Weblogic's ?+
  OWSM (10gR3) has two types of policy enforcement point (PEP) -- Gateway and Agent. The Gateway acts as a remote proxy and is neutral to the service implementation technology as long as it adheres to SOAP 1.1. In this regard you can use OWSM freely with CXF, MS implementations, etc. Agents run in-process with the service and thus have far greater restrictions on what service implementation frameworks and containers that are supported. There is some certification for AXIS 1.x running in OAS and Tomcat; but practically speaking, my recommendation for Agents is to only use within OAS 10gR3 where it is built in (and using OC4J Web Services through JAX-RPC).
  OWSM 11gR1 initially supports only agent-style (in process) PEP and is built-in to Fusion Middleware and WLS. It is only for Fusion and WLS Web Service implementations.
  OWSM is quite full-featured for WS-*.
  +2- If it is possible, do these web services need to be deployed at the Weblogic server to enable the OWSM and OSB to work effectively ?+
  "No" if using OWSM Gateway PEP. A qualified "Yes" if using OWSM Agent PEP.
  +3- Even if it is possible to use the OSB and OWSM nicely with webservices developed at external stacks and deployed at other application servers is there any reason to quit using these external web service stacks in favor of Weblogic's (like features only enabled on OSB/OWSM when the services use the Weblogic stack) ?+
  There is the manageability that you mention, but also there is the identity propagation scenario and tight security integration. Both OAS and WLS hosted services in the native stacks (JAX-RPC and JAX-WS) allow sophisticated and secure passing of identity in the request -- for instance, via SAML Assertions in the WS-Sec header -- and built-in capabilities to map the passed identity into the running service's Subject (i.e. enabling JAAS security etc.).
  In my experience this type of identity propagation functionality has either been absent or less complete in other typical implementation frameworks not closely aligned with the container security mechanisms.
  Hope this helps,
  Todd

• OWSM policy configurations export mechanism

  Hi,
  We have a requirement of applying owsm policies on OSB 11g proxy and business services.
  What is the best way to apply policies is it at
  1. Design time (in eclipse)
  2.Run time from from SB console
  When we shift the entire OSB projects from development environment to production how does migration takes place is it a project level configuration or server level configuration.
  Do we have two configuration files.
  1. one is OWSM policy configuration file and
  2. OWSM policy and OSB project configuration file.
  If above is the scenario we cna directly edit the config files instaed of changing the OSB project artefacts.
  Any suggetsions on OSB and OWSM policy configurations and environment chnge setup process will be of great help.
  Thanks,
  Sowmya

  Ok got it! Just followed the oracle documentation and copied it in below path and Jdev 11.1.1.4 picked it up!
  C:\Users\Amit\AppData\Roaming\JDeveloper\system11.1.1.4.37.59.23\DefaultDomain\oracle\store\gmds\owsm\policies (not copying it within oracle folder within policies as its a custom policy)
  Strange, I have Jdev 11.1.1.3 in office and it doesnt pick up the policy but Jdev 11.1.1.4 (at home) picks it up without a problem.
  is this a bug in Jdev 11.1.1.3 or my jdev in offic is corrupt?

• Custom OWSM Authorization Policy Not Visible in OSB 11g

  I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB servcies:
  * the underlying SOA service functions in the /em console test page
  * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
  * the oracle/log_policy can be added to the OSB business service and generates log entries
  * the outer proxy service can be successfully invoked from a remote client with no security policies,
  with HTTP transport security and authorization policies and with OWSM authentication policies
  attached (given the correct request payloads)
  These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
  Here are the steps that were performed:
  1) created group myfirmIdentityData in WebLogic console (/console)
  2) created userid myappuser in WebLogic console
  3) added myappuser to the myfirmIdentityData group in WebLogic console
  4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
  using the Fusion console (/em on the SOA domain)
  5) edied myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
  list of permitted roles (***)
  *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
  6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
  the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
  NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
  7) accessed the Service Bus console (/sbconsole), started a change session, selected the
  proxy service, then clicked on the Policies tab, then clicked the Add button in the
  Service Level Policies section
  At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
  I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
  Any insight?
  Thanks.

  Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
  In a nutshell, policies in OWSM can be created to be applied against:
  * Components --- only usable against SOA services
  * Service Endpoints --- against URLs used as access points into services
  * Service Clients -- against consumers of services as identified by credentials
  * All -- all of the above
  However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData policy then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composities since it applied to only Components.
  To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
  A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.

• Osb proxy service with owsm policy auth slow when soap request very large

  I have a proxy service which is security with owsm policy: oracle/wss_username_token_service_policy, the proxy service simply route to Business Service which directly invoke a bpel exposed web service, when I call the proxy service with soap envelope large than 15MB(not attachment), waiting about 4~5 minutes, the bpel instance created ; but when I remove the security policy:oracle/wss_username_token_service_policy, it will cost only 20 seconds, why authentication cost so long? How can I deal with the problem?
  My English is poor, please don't mind!
  besides, with my OSB version is 11.1.1.6.0

  I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with embedded signature and this seems to be not supported with the used OWSM policy. Without the signature is the exception gone.
  Marian

• Osb 10gR3 - Active Intermediary proxy with custom WS-Policy files

  I'm setting up an Active Intermediary proxy, and the Security option on the proxy to "Process WS-Security header" is only usable when Custom Policy Bindings are assigned to the proxy. But I don't want to use the default Oracle policies.
  The "Select WS-Policy" popup within OSB only shows entries under the Predefined Policy tab. Yet I have custom WS-Policy files which have been imported into OSB.
  So what's the trick?

  Hi,
  Below are the steps followed
  - OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
  - Iam invoking this from BPEL. BPEL process has 'oracle/wss_username_token_client_policy' attached.
  - I can invoke the osb proxy from bpel by passing credentials - No Issues.
  Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
  -I used Role=Admin as a policy condition restriction under security in Proxy service.
  -Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has a Admin Role.
  -I cannot invoke the same proxy service from BPEL in Jdeveloper now.
  All Iam trying to do is to protect my proxy by authrorization policy.
  Thanks
  Jagan.

• Attaching OWSM Policy to OSB Services

  Hi,
  Can anyone please share the detailed procedure of how to attach the OWSM policy to a Proxy Service in OSB 11g.
  The documentaion of OSB 11g doesnt provide the information of attaching the OWSM polic to OSB services.
  please refer
  http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15866/owsm.htm#CHDBIJHD
  I created a Custom Policy with the predefined assertion wss_username_token_service_template .
  But i couldnt find a way to attach this policy to OSB Service. Also the OSB 11g Documentation didnt help much.
  Thanks in Advance

  Hi All,
  I figured out a way of how to attach the OWSM policy to a prox service.
  Its pretty simple in that way.
  After you create a proxy service, Click on the proxy you created which opens the "View a Proxy Service" page.
  In that there are many tabs such as
  1. Configuration Details
  2. Operational Settings
  3. SLA Alert Rules
  4. Policies
  5. Security
  In Policies tab, you can select "OWSM Policy Bindings" and then choose the policy you want.
  The only thing bothering me now is how to test it?
  I have used the following assertion to create the policy "wss_username_token_service_template "
  Any help would be appreciated.
  Cheers.

• OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1

  Hi,
  I am using 11pPS2.
  In osb, i created a proxy service with soap 1.1. and business proxy with soap 1.1
  Now I click Policies tab of each service,
  In Service Policy Configuration,
  OWSM Policy Bindings is disabled to choose.
  So I can't attach any OWSM policy to osb service.
  Only Custom Policy bidings are enabled.
  appreciate any help and comments on this issue

  Need check if you Extend your Oracle Service Bus domain with Oracle Web Services Manager and Oracle Enterprise Manager.
  Select the following domain templates when running the Oracle Fusion Middleware Configuration Wizard
  Oracle Service Bus OWSM Extension
  Oracle WSM Policy Manager (automatically selected when you select the OWSM Extension)
  Oracle Enterprise Manager (optional, needed for creating and managing Oracle Web Services Manager policies)

• Probem attaching OWSM Policy to OSB Proxy Service

  Hi all,
  I am working with OSB 11g R1 and I am trying secure one proxy service by attaching one OWSM predefined policy. However, the "OWSM Policy Binding" is disabled in the Policy section of the proxy service.
  I found this thread in the forum [1] wich seems to have the same problem and I have checked that all the extensions are installed in my domain.
  Sure I missing something but I haven't found anything in the docs.
  Any tip or hint is appreciated
  Thanks in advance
  My enviroment:
  - Weblogic Server (10.3.4.0)
  - Oracle Service Bus (11.1.1.4)
  - Oracle Service Bus OWSM Extension (11.1.1.0)
  [1] OWSM Policy Binding Disabled for proxy/business server with SOAP 1.1
  Edited by: user10102092 on 27-jul-2011 2:42

  I presume you already did a fresh restart of the managed servers?Yeap, I've restarted the OSB server.
  Looking at the logs I can find this message:
  +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
  So I understand that the pool is created correctly, isn't it?

• OWSM Policy in OSB

  I am trying to build a sample OSB service having the OWSM policy attached to it.I am using the option of "From OWSM Policy Store " and used the policy oracle/wss_username_token_service_policy.
  When i tried to exceute the OSB,i am getting an error as
  "oracle.wsm.policymanager.PolicyManagerException: WSM-02128 : Cannot read WSDL. [Possible Cause : unknown protocol: servicebus]"
  Looking like,some issue with the parsing of the WSDL that i used upon the service.Do i need to refer the wsdl from MDS.If,yes how can i do that in OSB.

  You may refer below blog for configuration -
  http://niallcblogs.blogspot.com/2010/07/osb-11g-and-wsm.html
  Regards,
  Anuj

• Doubt in implementing OWSM policy in osb 11g

  Hi,
  Can anybody tell me how to implement basic username-token policy in wsdl based paroxy service in osb 11 G.
  I am able to select service policy configuartion from the policies tab of proxy service in sb console,but after that i can not find any OWSM policy there to add.Pls assist me

  have you run rcu to create mds storage for the policies?
  and after that you run the configuration wizard to expand your domain with "Oracle Service Bus OWSM Extension" ?

• OSB 10.3 and custom signing policy

  Good morning.
  I had several problems receiving signed messages from a customer. We have an active intermediary proxy, with a custom policy based on "Sign.xml" to require signing of message body.
  But out customer is signing using a third-party solution, so our proxy can't validate his message. We are trying to create a custom policy without "bea" namespaces, that is:
  <?xml version="1.0"?>
  <wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="firma"
    >
    <sp:SignedParts>
      <sp:Body/>
    </sp:SignedParts>
  </wsp:Policy>This policy seems to be ok, but when we try to attach this as a "Custom policy" in the proxy, it is not in the list of custom policies.
  Can't Oracle process non-propietary policy file?.
  Thanks.

  Please refer section "Creating and Using Custom WS-Policy Statements" at -
  http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html
  Regards,
  Anuj

• Issue while attaching OWSM policy to OSB Business Service

  How to configure OWSM policy to NON WSDL based Business service.
  We are not able to encrypt the data for NON WSDL based Business service.
  Please help.
  Thanks,
  Mihir

  I presume you already did a fresh restart of the managed servers?Yeap, I've restarted the OSB server.
  Looking at the logs I can find this message:
  +####<Jul 27, 2011 1:25:52 PM CEST> <Info> <Common> <mydomain.com> <osb_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <0000J5fLsXLFw0WFLzNM8A1EBzMW000001> <1311765952760> <BEA-000628> <Created "1" resources for pool "mds-owsm", out of which "1" are available and "0" are unavailable.>+
  So I understand that the pool is created correctly, isn't it?