OSB inbound http webservice integration with OAM

Hi,
I have a requirement where I need to protect an OSB inbound HTTP webservice with OAM, so that OAM can fetch the user details from the webservice SOAP header & authenticate the user against LDAP.
Can someone tell me if this is a feasible approach? If yes, please share the details as to what configuration changes need to be done at the OAM & OSB end.
If not, is there any alternative approach to secure the webservice with OAM?
This webservice is not called from any web application. External sources directly make a call to this webservice through some Java client.

The solution to this issue is to put the following line in the mod_wl_ohs.conf file:
MatchExpression /imaging WebLogicHost=test-ipm.atfoods.com|WebLogicPort=16000
The complete element will look like this.
<IfModule weblogic_module>
WebLogicHost test-ipm.atfoods.com
WebLogicPort 7001
Debug ALL
WLLogFile e:/logs/weblogic_ohs.log
MatchExpression /imaging WebLogicHost=test-ipm.domain.com|WebLogicPort=16000
</IfModule>
<Location /imaging>
SetHandler weblogic-handler
WebLogicHost 192.168.140.74
WeblogicPort 16000
Debug ALL
WLLogFile f:/log/wlipm.log
</Location>
Make sure that you use the IP address for the WebLogic host in the 2nd element and not the host name.
Thanks & Regards,
Vikrant Korde

Similar Messages

  • Obiee 11.1.1.5 integration with OAM

    Hi,
    I integrated OBIEE 11.1.1.5 with OID 11g (as a part of OAM integration), and all OID users are getting reflected into OBIEE. I'm able to log in to 'analytics' but not able to access the reports. Also I'm not able to assign any BI groups to OID users.
    Has anyone faced this kind of scenario? Can anyone please help me?
    If anyone has done OBIEE 11.1.1.5 integration with OAM 11g, please provide me the document which you followed.
    Thanks in advance,
    Fathima farsatha.
    Edited by: 927873 on Jul 16, 2012 12:11 AM

    Hi,
    Please try to access Analytics Webservices by using 'analytics-ws' instead of only 'analytics' in the URL as below,
    http://<Host Name>:<Port>/analytics-ws/saw.dll?WSDL
    Give the links below a try; they may help you.
    http://onlineappsdba.com/index.php/2011/12/05/integrate-obiee-11g-with-oam-11g-for-single-sign-on-in-13-steps/
    http://fusionsecurity.blogspot.com/2012/06/integrating-obiee-11g-into-weblogics.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/sso.htm#CEGJBAED
    Thanks
    Deva

  • IBM websphere 6.1 integration with OAM

    Hi,
    1) Is the "interceptorClassName" class name important? Can I name it something other than what is stated in the documentation?
    Example:
    According to the WAS integration guide the Interceptor classname is: com.oblix.tai.was5.WebGate2TrustAssociationInterceptor
    Can I change it to com.oblix.tai.was5.WebGateTrustAssociationInterceptor?
    2) Is there anywhere to verify that TAI is loaded properly, and how do I test it?
    ================================================================================
    Interceptor classname is under WAS, Secure administration -> applications, and infrastructure -> Trust association -> Interceptors
    Thanks and Regards,
    Grey

    Thanks! I got it figured out, but I encountered something else while integrating with WAS.
    I'm trying to integrate OAM with WAS without reverse proxy and I followed the documentation religiously. In the documentation:
    Defining an Oracle Access Manager Policy Domain for WebSphere without Reverse Proxy
    Without reverse proxy, disabling SSO in WAS is required. I will need to protect the WebSphere Administrative Console SSL URL. Otherwise, I will not be able to access the console after disabling SSO in WAS. I have created the policy domain as per the documentation.
    ■ Resource Type: http
    ■ Host Identifier: xxx
    ■ URL Prefix: /ibm/console; and /admin
    ■ Description: Used by NetPointWASRegistry TAI component.
    Authorization Rules: Click the Authorization Rules tab, click Add, and then create and save an authorization rule to allow access to WebSphere Administrative
    Console resources. For example:
    a. Click General, then enter and save:
    * Name: Allow Administrator.
    * Description: Allow access to WebSphere Administrative Console resources.
    * Enabled: Yes
    * Allow takes Precedence: Yes
    Without Reverse Proxy: Click Actions, then enter and save the following WebSphere Administrative Console SSL URL for Authentication Success. For example:
    Redirect to: https://hostname:port/ibm/console <- I found out that once I had this implemented, I will be going in an authentication cycle (keep getting authenticated and redirected back to the same page) because it is part of the resources I had declared previously to be protected.
    Is there a workaround or is it due to a documentation error?

  • OBIEE 11.1.1.5 SSO integration with OAM 11gR1 (11.1.1.5)

    Hi,
    I am integrating OBIEE 11.1.1.5 with OAM 11gR1 (11.1.1.5).
    I have configured as per section 12.3 of following link:
    http://docs.oracle.com/cd/E22203_01/doc.31/e20664/chapter_12.htm#CHDFAFHH
    After making all these configurations, when I access:
    http://<OHS server>:<OHS port>/analytics
    User is getting prompted for auth from OAM. After successful auth, request gets redirected to WebLogic server hosting the OBIEE app. I have verified in OBI logs that the header value OAM_REMOTE_USER gets passed to OBI.
    But even with all this, after successful OAM authentication, user is getting prompted with OBI login page.
    Pls help.
    Thanks

    Hi Abhinay,
    I have already made the following configurations as per the documentation:
    To enable SSO:
    1. Log in to OBIEE at http://[OBIEE server:port]/em.
    2. Click Farm_<OBIEEDomain>_domain > Business Intelligence > Coreapplication.
    3. Click the Security tab.
    4. Select Enable SSO.
    5. Select SSO Provider: Oracle Access Manager.
    6. Click Apply and Activate Changes.
    Do we need to make some other configurations also at OBIEE EM ?
    Thanks

  • OSB - call HTTPS webservice

    Hi!
    I have to call a HTTPS (external) webservice from OSB. I created a business service with the HTTPS webservice wsdl, but I don't know how I should configure the business service. I have a client and a server certificate.
    Could anyone help me?
    Thank You very much!
    Viktor

    Hi Manoj!
    Thanks for help! Yes, you are right, I missed some configuration. I got a new error, which I cannot solve. I tested the call of secure webservice in the test console but I cannot get back the control, because the console just prints 'Executing requests...' and it waits...
    There is an error at the end of the log, but I think the SSL handshake is successful, isn't it?
    Could You help me please?
    Thanks!
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Use Certicom SSL with Domestic strength>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Empty CA List is enabled :false>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE KeyAgreement: SunJCE version 1.6 for algorithm DiffieHellman>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm DiffieHellman>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm ECDH>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm DESede/CBC/NoPadding>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm DES/CBC/NoPadding>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm AES/CBC/NoPadding>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSL Session TTL :90000>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <DefaultHostnameVerifier: allowReverseDNS=false>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSL enableUnencryptedNullCipher= false>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loading server SSL identity>
    <May 10, 2010 2:36:05 PM CEST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias mavir from the JKS keystore file /opt/oracle/osb_home/user_projects/domains/osb_domain/security/mavir.jks.>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Loaded public identity certificate chain:>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=kapalk1.mavir.hu, OU=FIO, O=MAVIR ZRt., L=Budapest, ST=Budapest, C=HU; Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU; Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU>
    <May 10, 2010 2:36:05 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
    <May 10, 2010 2:36:29 PM CEST> <Info> <Health> <BEA-310002> <32% of the total memory in the server is free>
    <May 10, 2010 2:36:41 PM CEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /opt/oracle/osb_home/user_projects/domains/osb_domain/security/mavir.jks.>
    <May 10, 2010 2:36:41 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loaded 2 trusted CAs from /opt/oracle/osb_home/user_projects/domains/osb_domain/security/mavir.jks>
    <May 10, 2010 2:36:41 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Subject: SERIALNUMBER=ICA - 595029, OU=Damas Energy, O="Slovenska elektrizacna prenosova sustava, a.s.", L=Bratislava, ST=Slovakia, CN=damas.sepsas.sk, C=SK; Issuer: O=Prvni certifikacni autorita a.s., CN=I.CA - Standard root certificate, C=CZ>
    <May 10, 2010 2:36:41 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU; Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU>
    <May 10, 2010 2:36:41 PM CEST> <Info> <WebLogicServer> <BEA-000307> <Exportable key maximum lifespan set to 500 uses.>
    <May 10, 2010 2:36:41 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <clientInfo has new style certificate and key>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 24258873>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write SSL_20_RECORD>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 SSL3/TLS MAC>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 received HANDSHAKE>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 1398096
    Issuer:C=CZ, CN=I.CA - Standard root certificate, O=Prvni certifikacni autorita a.s.
    Subject:C=SK, CN=damas.sepsas.sk, ST=Slovakia, L=Bratislava, O=Slovenska elektrizacna prenosova sustava, a.s., OU=Damas Energy, ?=ICA - 595029
    Not Valid Before:Tue Aug 11 12:07:51 CEST 2009
    Not Valid After:Wed Aug 11 12:07:51 CEST 2010
    Signature Algorithm:SHA1withRSA
    >
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 1398096
    Issuer:C=CZ, CN=I.CA - Standard root certificate, O=Prvni certifikacni autorita a.s.
    Subject:C=SK, CN=damas.sepsas.sk, ST=Slovakia, L=Bratislava, O=Slovenska elektrizacna prenosova sustava, a.s., OU=Damas Energy, ?=ICA - 595029
    Not Valid Before:Tue Aug 11 12:07:51 CEST 2009
    Not Valid After:Wed Aug 11 12:07:51 CEST 2010
    Signature Algorithm:SHA1withRSA
    >
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: damas.sepsas.sk>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 134>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
    <May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 SSL3/TLS MAC>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 received CHANGE_CIPHER_SPEC>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 SSL3/TLS MAC>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 received HANDSHAKE>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 293>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 360>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 8>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.findContext(sock): 668702>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.findContext(sock): 668702>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <activateNoRegister()>
    <May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLFilterImpl.activate(): activated: 19707054 5292918>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <15246932 read(offset=0, length=4080)>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: true>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <hasSSLRecord()>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <hasSSLRecord returns true>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 SSL3/TLS MAC>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 received HANDSHAKE>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 100
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.read(Unknown Source)
    at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
    at weblogic.socket.SSLFilterImpl.isMessageComplete(SSLFilterImpl.java:202)
    at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:896)
    at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:840)
    at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:130)
    at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
    at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
    >
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: true>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <hasSSLRecord()>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <hasSSLRecord returns false 1>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <15246932 Rethrowing InterruptedIOException>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <15246932 read(offset=0, length=8192)>
    <May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
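
The debug log in the post above ends with a HANDSHAKE record received after the handshake's Finished message, answered by a warning alert of type 100, which RFC 5246 names no_renegotiation. The following Python is an added example, not part of the original thread or of WebLogic: it scans SecuritySSL debug lines for that pattern. The sample input is a trimmed excerpt in the format of the post's log, and the function names, finding names and the "FATAL" severity string are assumptions.

```python
import re
from dataclasses import dataclass, field

# TLS alert descriptions from RFC 5246 section 7.2 (subset seen around handshakes).
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
    100: "no_renegotiation",
}

# One WebLogic log record: <timestamp> <level> <subsystem> <BEA-id> <message...
RECORD = re.compile(
    r"^\s*<(?P<ts>[^>]+)> <\w+> <(?P<subsys>\w+)> <BEA-\d+> <(?P<msg>.*)$")
ALERT = re.compile(r"NEW ALERT with Severity: (\w+), Type: (\d+)")


@dataclass
class Report:
    handshake_messages: list = field(default_factory=list)
    handshake_completed: bool = False
    alerts: list = field(default_factory=list)    # (ts, severity, code, name)
    findings: list = field(default_factory=list)  # (ts, kind, detail)


def analyze(log_text):
    """Walk SecuritySSL debug records in order and flag alert patterns."""
    report = Report()
    rehandshake_ts = None  # time of a HANDSHAKE record seen after Finished
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m is None or m["subsys"] != "SecuritySSL":
            continue  # continuation line (stack trace, certificate detail)
        ts = m["ts"]
        msg = m["msg"].rstrip()
        if msg.endswith(">"):
            msg = msg[:-1]  # single-line records close with '>'
        if msg.startswith("HANDSHAKEMESSAGE: "):
            name = msg.split(": ", 1)[1]
            report.handshake_messages.append(name)
            if name == "Finished":
                report.handshake_completed = True
        elif msg.endswith("received HANDSHAKE") and report.handshake_completed:
            rehandshake_ts = ts
            report.findings.append(
                (ts, "post_handshake_record",
                 "HANDSHAKE record after Finished; consistent with the peer "
                 "asking to renegotiate"))
        else:
            a = ALERT.search(msg)
            if a is None:
                continue
            severity, code = a.group(1), int(a.group(2))
            name = ALERT_NAMES.get(code, "unknown")
            report.alerts.append((ts, severity, code, name))
            if code == 100 and rehandshake_ts is not None:
                report.findings.append(
                    (ts, "renegotiation_refused",
                     "alert 100 (no_renegotiation) raised after a "
                     "post-handshake HANDSHAKE record"))
            elif severity == "FATAL" or not report.handshake_completed:
                # "FATAL" as the logged severity string is an assumption.
                report.findings.append(
                    (ts, "handshake_alert", f"{severity} alert {code} ({name})"))
    return report


# Sample input: trimmed excerpt in the format of the log in the post above.
SAMPLE_LOG = """\
<May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<May 10, 2010 2:36:43 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 received HANDSHAKE>
<May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
<May 10, 2010 2:36:44 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 293>
<May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <2219121 received HANDSHAKE>
<May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 100
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
>
<May 10, 2010 2:36:50 PM CEST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("handshake completed:", result.handshake_completed)
    for ts, kind, detail in result.findings:
        print(f"{ts}  {kind}: {detail}")
```

The findings describe what the log shows, not why the peer sent the extra handshake record; that has to be confirmed on the server side.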

  • OSB, REST, and browser authentication with OAM

    All,
    I'm looking for some advice regarding the consumption of REST services (from the users browser) in an environment that utilizes OAM security and the Oracle Service Bus. Let me set the stage.
    We've configured an instance of OAM with OHS acting as a proxy to our applications. One of our apps wants to pull some data (using an AJAX call) from a service directly to the browser. The service is currently protected using HTTP Basic authentication. This works fine for Java apps that want to make those service calls directly, but not so well when it is the browser that wants to make the call.
    My assumption (up to this point) had been that I would be able to utilize the OAM Identity Asserter on the service bus in much the same way that we have been using it to propagate identity to our application servers. After speaking with some of the service developers (guys more intimately familiar with the OSB than I am) we haven't tried to do this before and are unsure of the proper implementation to achieve our goal.
    So, with all of that being said, am I barking up the wrong tree? Would it be incorrect to have a REST service written that is serviced by two different OSB proxies? One that enforces HTTP Basic, and one that (somehow) uses the OAM_REMOTE_USER and an appropriate identity asserter to pass identity in such a manner that the OSB would be able to enforce security in that manner?
    Is there a better way to secure REST services being made from the browser?
    Thank you for any help/direction you can provide.
    --james

    If you want to use custom authentication plugin then OAM provides a way to create a custom authentication module and you can orchestrate your steps based on your conditions. See http://docs.oracle.com/cd/E21764_01/doc.1111/e12491/authnapi.htm for more details.
    Hope this helps,
    Sagar

  • OSB invoking RESTful webservices:issue with relative-URI instead of

    Hi,
    We have a requirement where we need to pass the request content as a string in the URL.
    We need to send the request in the URL like:
    http://abc.com/rest/xvf/nas<Employee><name>abc</name><empid>1234</empid>...<Employee>
    We have used a servicecallout action which is invoking a business service which has the base URI value like:
    http://abc.com/rest
    and in the insert action we are trying to append the remaining URI in the rest command, i.e.
    <http:relative-URI>/xvf/nas{fn-bea:serialize($xmldata)}</http:relative-URI>
    here $xmldata is <Employee><name>abc</name><empid>1234</empid>...<Employee>
    While trying to invoke the service we are getting an error like:
    BEA-380000: General runtime error: Illegal character in path at index 36: http://abc.com/rest/xvf/nas& lt ; Employee>& lt ; name>abc& lt ; /name>& lt ; empid>1234>...& lt ; Employee>
    Before that we used the fn-bea:inlinedXML and fn-bea:serialize functions on the retrieved XML and stored it in the xmldata variable, and this variable displays the request as proper XML. But while appending it to the relative URI the XML data changes as shown above, i.e. instead of < it comes as & lt ; and in the end, without invoking the service, it stops at the OSB with the above error as illegal character. Please advise.
    How do we append the proper XML to the URL/URI in the relative-URI method in the proxy transport?
    As here it is coming as & lt ; (combined, without spaces) in place of <, I am writing it as & lt ; for better understanding.
    Thanks..
    Edited by: user12679330 on May 13, 2010 9:36 AM
    Edited by: user12679330 on May 13, 2010 9:40 AM

    Not sure what you are trying to do but if I am not wrong, you are trying to use HTTP get with REST. You may refer -
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/httppollertransport/transports.html#wp1083292
    http://blogs.oracle.com/jeffdavies/2009/06/restful_services_with_oracle_s_1.html
    http://blogs.oracle.com/jamesbayer/2008/07/using_rest_with_oracle_service.html
    http://blogs.oracle.com/woa/2009/04/restify_your_world_and_put_it.html
    Regards,
    Anuj

  • OSB - Setting http Authorization header with Proxy Service

    Hi,
    I have the following scenario:
    PS1 -> PS2 -> BS (with a SA configured to pass through)
    I need to set the Authorization http header based on some information in payload, so:
    PS1 receives the payload and routes to PS2, where username/password are extracted and, using a Java callout, the base64 hash is generated.
    In the PS2 route I'm trying to set the Authorization header using the set Transport Headers option.
    When I do a request to test this operation, OSB shows me a beautiful CredentialNotFound exception.
    I have tried to set the Authorization header in the route on PS1, without success.
    Can someone help me?

    I can't set the Proxy Service to do the authentication. I will try to explain better:
    I have a Business Service which has a Service Account associated to pass through the Authorization header to the service provider to do the validation.
    In front of this business service I have a Proxy Service which routes the requests to the BS.
    All partners send this Authorization header, but now I have one that will not send it no matter what.
    The username and password will come in the payload (and will be variable).
    At some point before the process I need to extract the information from the payload and set the Authorization header.
    Ty for your time.
    Edited by: GSanches on 09/07/2010 09:59

  • Siebel webservice integration with BPEL

    Hi,
    While invoking a siebel webservice having endpoint
    soap:address
    location="http://10.24.5.16/callcenter_enu/start.swe?SWEExtSource=WebService&amp;SWEExtCmd=Execute&amp;UserName=sadmin&amp;Password=sadmin"
    I'm getting
    exception on JaxRpc invoke: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: oracle.j2ee.ws.saaj.ContentTypeException: Not a valid SOAP Content-Type: text/html; charset=UTF-8
    error from BPEL Console.
    Would anybody update what needs to be done or changed?

    I've seen this before. The key part is "Not a valid SOAP Content-Type: text/html". Basically Siebel is throwing up an HTML error screen because something went wrong with the service invocation. BPEL sees this and doesn't know what to do with it because it's not SOAP/XML.
    You can use a tool like SOAPUI to invoke the service and see what the error screen is saying -- but it's usually something generic. I'm not a Siebel person but it might be easier to look in the logs on the Siebel side.

  • Webservice Integration with SAP using SAP XI

    On a periodic basis, say end-of-shift, My product (Web service) sends to the SAP system the total production for that period, for example, Hot Metal produced. The data packet contains all the information required to uniquely identify the production period (plant name, location, furnace number, shift number, date & time).
    SAP receives the data packet, stores the data in appropriate tables and acknowledges the status to My Product. The acknowledgement contains total revenue generated based on the production (computed based on the unit cost of Hot Metal). If the data is incorrect, SAP sends a fault message. The revenue value received as response is stored in an appropriate tag in the My Product model.
    I want to use SAP XI as the connector between my webservice application and SAP. Please suggest me what scenario should I implement in this case. Do I need to use BPM here ?
    Also please suggest what are relevant IDocs and BAPIs for this scenario.

    Got it...

  • OAM 11g integration with Kerberos on cluster with load-balanced virtualhost

    Hello!
    I need to set up Kerberos integration with OAM.
    I found the following note about OAM 11g: WNA Configuration for HA Clusters [ID 1365888.1] (https://support.oracle.com/epmos/faces/ui/km/SearchDocDisplay.jspx?_afrLoop=223640518878014&type=DOCUMENT&id=1365888.1&displayIndex=1&_afrWindowMode=0&_adf.ctrl-state=14ehvbh4z2_61).
    "In an OAM Clustered environment, the OAM Principal for WNA must be the same on all tiers i.e. the load-balanced virtualhost for the OAM cluster.
    Therefore each OAM managed server will reference the same keytab file, generated for Principal HTTP/<virtualhost.domain>, and the keytab file will be in the same location on all OAM managed servers.
    For example: ${DOMAIN_HOME}/domains/${DOMAIN_NAME}/config/fmwconfig/oam/<keytab filename>.
    After copying the keytab file to the same directory on all OAM managed server machines, complete the configuration of the Kerberos authentication module in OAM Administration Console (/oamconsole).
    The AdminServer will ensure that the oam-config.xml file on all OAM managed server tiers in the cluster is updated with this configuration."
    The question is: when I generate oam.keytab with the following command, what server name must I put in the command? Virtualhost (load-balanced), Node1 or Node2?
    ktpass -princ HTTP/<servername>@DOMAIN -pass XXXXXXX -mapuser DOMAIN\user -out oam.keytab
    Thanks in advance and best regards!
    PS: Sorry if my English is not clear.

    David,
    Your principal name should be the SSO LB URL (i.e. sso.mycomany.com):
    ktpass -princ HTTP/sso.mycomany.com@DOMAIN -pass XXXXXXX -mapuser DOMAIN\user -out oam.keytab
    Also make sure sso.mycomany.com has reverse DNS configured correctly.
    You can check using the dig command:
    ping sso.mycomany.com
    Whatever the IP address is:
    dig -x <IP-ADDRESS>
    Check the reverse DNS section; there should be 1 record.
    ;; ANSWER SECTION:
    1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.
    Let me know if you have more questions.
    Thanks
    Saurabh
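
The reverse DNS check from the reply above, as an added example that is not part of the original thread: it parses `dig -x` output and confirms that exactly one PTR record exists and that it names the host in the keytab principal. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `dig -x <IP-ADDRESS>` output, modelled on the record above.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;1.1.1.1.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.
"""

def spn_host(principal):
    """Return the lower-cased host part of a principal such as HTTP/host@REALM."""
    m = re.fullmatch(r"HTTP/([^@/\s]+)(?:@\S+)?", principal)
    if not m:
        raise ValueError("not an HTTP service principal: %r" % principal)
    return m.group(1).lower().rstrip(".")

def ptr_names(dig_output):
    """Collect PTR targets from the ANSWER SECTION of dig output."""
    names, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";;"):
            # Section headers switch parsing on or off.
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        fields = line.split()
        if in_answer and len(fields) >= 5 and fields[3].upper() == "PTR":
            names.append(fields[4].lower().rstrip("."))
    return names

def check_principal(principal, dig_output):
    """Return (ok, reason) for the keytab principal against the reverse lookup."""
    host = spn_host(principal)
    names = ptr_names(dig_output)
    if not names:
        return False, "no PTR record for the load balancer address"
    if len(names) > 1:
        return False, "multiple PTR records: " + ", ".join(names)
    if names[0] != host:
        return False, "PTR %s does not match principal host %s" % (names[0], host)
    return True, "PTR matches " + host

if __name__ == "__main__":
    print(check_principal("HTTP/sso.mycomany.com@DOMAIN", SAMPLE_DIG))
```
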

  • Integrating Webcenter 11g (Discussions)  with OAM  for SSO

    Hi,
    I need some help in integrating Webcenter 11g with OAM 10g.
    Objective:
    =========
    My customer is using Webcenter 11.1.1.2.0 and they are primarily using Discussions and wiki. I would like to integrate OAM with Webcenter to provide SSO.
    Steps Followed:
    ============
    I have followed the steps mentioned in the section 23.7.1 and 23.7.1.7 in the doc
    http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBCEHGE
    and also referred metalink note ID 829122.1
    Scenario after integrating with OAM:
    ===========================
    1. Accessed the discussions URL through the OHS proxy http://<ohs_host>:<ohs_proxy>/owc_discussions
    2. Click on the Login button
    3. The OAM login page appears
    4. Provide credentials for orcladmin (admin user of OAM OID LDAP)
    5. The Discussions default login screen appears (I don't expect this default login page, as I have already authenticated with OAM)
    6. Provide orcladmin credentials
    7. The login screen keeps popping up and I am not able to log in
    If I set owc_discussions.sso.mode=false, then the looping (Step 7) does not occur and I am able to log in.
    Am I doing anything wrong here? Or is there a way I can make it work.
    Thanks in Advance.

    Did you setup weblogic as per this doc? - http://download.oracle.com/docs/cd/E17904_01/webcenter.1111/e12405/wcadm_security_sso.htm#WCADM8175

  • External HTTP-Webservice with empty response

    Hi community,
    I have implemented an external http webservice which is working fine when I test it directly via se80 - I receive the results I want.
    Now I want to encapsulate it in a function module but always receive an empty response structure. I call it this way:
    TRY.
        CALL METHOD WSProxy->GET_ITEMS
          exporting
            INPUT  = ls_request
          importing
            OUTPUT = ls_response.
      catch CX_AI_SYSTEM_FAULT.            " Application Integration: technical error
      catch ZCX_TECHNICAL_FAULT_MESSAGE.   " Proxy class (generated)
      catch CX_AI_APPLICATION_FAULT.       " Application Integration: application error
    ENDTRY.
    I receive no exception about missing parameters...

    Hi Daniel,
    I am facing the same problem calling an external WS from SAP.
    How did you solve it? In my case I receive a non-empty response from the WS call in SE80 with the test service consumer, but not from ABAP.
    Thank you very much.
    Kind Regards
    Jon

  • OAM 11.1.6 integration with Ebusiness 12.1.3 throws error on login

    I have integrated OAM 11.1.6 SSO with an E-Business 12.1.3 instance. If I log in to E-Business it redirects to the error "There was an error processing your request. The Login/Portal Server Installation may be incomplete. Please contact your System Administrator".
    Please note I'm seeing this error in the access log:
    oracle.apps.fnd.ext.sso.FndSsoException: FND-9930
    at oracle.apps.fnd.ext.sso.FndSsoLogin.doPost(Unknown Source)
    at oracle.apps.fnd.ext.sso.FndSsoLogin.doGet(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    I tried the Metalink note "Applications Login Using OAM Fails with 'The Login/Portal Server Installation may be incomplete' Caused by 'java.sql.SQLException: ORA-01465: invalid hex number' [ID 1538812.1]"; in my case the value is already 'False'.
    Please advise if anyone has faced a similar issue.

    Investigations often get quite complex and specific to your environment, so an SR with Oracle Support is probably the best way to go.
    My initial thought would be to re-review "Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate" (Doc ID 1484024.1) and confirm that all the right hostname/ports have been used in the right places, as it is easy to mix up what is required at the different stages
    Next would suggest to test your OAM setup using the Oracle Access Manager tester tool
    Review "Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1)" (http://docs.oracle.com/cd/E21764_01/doc.1111/e15478/tester.htm#CACBEJDC) details of installing and using this tool
    a. Test the protected resource URL
    /ebsauth_[instance]/
    where [instance] is the name of your Oracle E-Business Suite instance/
    Enter Username and Password and select both the "Authenticate" and "Authorize" buttons
    b. Save the status messages to a file and upload this (Disk icon at the bottom of the screen)
    c. Also use the "save configuration" button (at the top of the screen) and upload the resulting configuration XML file (Remove the password from this file before uploading)
    If the above does not work, then the issue is not eBiz specific so need to review the OAM/Webgate setup for sure
    Hope that sets you on the right path
    regards
    Mike

  • Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

    Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-
    Has anyone seen this before and might know the answer? Any suggestions? Thanks!
    I have setup an OAM authentication scheme that uses a custom plugin to use RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in Oracle Access Manager Integration Guide. Here's the problem:
    Everything works fine when I use a particular UPN suffix to log in to the RSA SecurID login form that is presented, e.g. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory (e.g. [email protected]), the credentials are rejected. This happens before the securid.pl script even gets a chance to run. After hitting "POST" the user is presented with the same login screen he was just at, as expected during an authentication failure.
    More info:
    - I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
    - if I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "Good" UPN)
    - I am not using SSL in any of this yet, it's all http://
    - yes, I already got rid of the "-w" parameter in the first line of the perl script, as per the 'Login can fail if the Login Attribute Contains an "@" Character' item in the Integration Guide Troubleshooting section
    - here's an example of the settings in rsa securid authentication scheme:
    action:/OracleAccessManager/securid-cgi/securid.pl
    form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
    creds:login password domain newpin newpin2
    passthrough:yes
    authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
    credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
    Environment:
    OAM 7.0.4.3
    RSA Ace Server 5.2
    Windows 2003 domain with multiple UPNs defined in Active Directory Domains and Trusts
    Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
    Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
    password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
    ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
    ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
    ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
    2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
    \Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
    authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
    StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
    Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
    Only error seen in log produced by the RSA agent that sits on the Access server:
    [20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
    [20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
    [20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
    [20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
    [20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
    [20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

    What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in - it should generate some more logs at the access server - I think in apps\common\bin.
    Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
    -Vinod
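
A way to triage the webgate log from this thread, as an added example that is not part of the original posts: it extracts the major and minor status from each authentication failure and counts rejections per UPN suffix, which makes a suffix-specific denial visible. The records are constructed in the layout quoted above, and the `login=<UPN>` field is an assumption because the page's copy has it redacted.

```python
import re
from collections import Counter

# Constructed records in the layout of the oblog.log excerpt above, one per line.
# Assumption: the Creds field carries login=<UPN> (redacted in the page's copy).
TEMPLATE = (
    '{ts} 45688 46472 AUTHENTICATION ERROR 0x00001515 "Authentication failed" '
    'HTTPStatus^401 authenticationSchemeName^SecurID Authentication '
    'AuthenticationStatus^majorCode = 11[CredentialsRejected], '
    'minorCode = 47[AuthnPluginDenied], StatusMsg = , GSN = 0, needInfo = NONE '
    'Creds^login={login} password=(omitted) domain=dc=ourdomain,dc=com '
    'newpin= newpin2= RequesterIP={ip} Operation=POST'
)
SAMPLE_LOG = [
    TEMPLATE.format(ts="2009/07/13@15:19:49.665000", login="user2@second.example", ip="10.250.1.2"),
    TEMPLATE.format(ts="2009/07/13@15:21:03.120000", login="user3@SECOND.example", ip="10.250.1.2"),
    TEMPLATE.format(ts="2009/07/13@15:24:41.002000", login="user4@third.example", ip="10.250.1.7"),
    "2009/07/13@15:25:00.000000 45688 46472 INFO 0x00000000 unrelated record",
]

STATUS = re.compile(r"majorCode = (\d+)\[(\w+)\], minorCode = (\d+)\[(\w+)\]")
LOGIN = re.compile(r"\blogin=(\S+)")
REQUESTER = re.compile(r"RequesterIP=(\S+)")

def parse_failure(line):
    """Return the status, UPN suffix and requester IP of a failure record, else None."""
    status, login = STATUS.search(line), LOGIN.search(line)
    if not status or not login:
        return None
    ip = REQUESTER.search(line)
    user, _, suffix = login.group(1).rpartition("@")
    return {
        "major": status.group(2),
        "minor": status.group(4),
        "suffix": suffix.lower() if user else "(no suffix)",
        "ip": ip.group(1) if ip else None,
    }

def rejections_by_suffix(lines):
    """Count failures per (UPN suffix, minor status) to show which suffixes are denied."""
    hits = filter(None, map(parse_failure, lines))
    return Counter((h["suffix"], h["minor"]) for h in hits)

if __name__ == "__main__":
    for (suffix, minor), n in rejections_by_suffix(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {suffix:20s} {minor}")
```
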
