OWSM 11g: Kerberos policies

Hi All,
I am trying to implement authentication using oracle/wss11_kerberos_token_client_policy and oracle/wss11_kerberos_token_service_policy policies. I have downloaded and installed the Kerberos software for Windows 2.6.5. Currently I have set the default values for the Kerberos login module. As per the documentation I need to initialize and start the KDC. But the commands in the documentation are for a Unix environment, whereas I am trying to run the software on a Windows XP machine.
I don't know how to proceed further.
Any help in this regard is appreciated.

Hi,
In OWSM 10g there was the concept of Server Agents and Client Agents. The server agents were attached to the service providers and client agents were attached to client consumers. Similarly, there are two types of policies available with 11g for service endpoints. One is attached to the service provider endpoint and one is attached to the consumer.
For example, if there is a credit validation web service which requires the payload to be signed and encrypted, then you attach oracle/wss10_message_protection_service_policy to it, and if there is a SOA composite invoking this service, then you attach oracle/wss10_message_protection_client_policy to it. For each of the service-side and client-side policies some configurations/settings can be modified or overridden.
Now oracle/wss10_message_protection_service_policy is a message integrity and confidentiality service policy implementing WS-1.0 security standards, while oracle/wss10_x509_token_with_message_protection_client_policy is an X509 token based authentication with message protection client policy implementing WS-1.0 security standards.
Hence, while implementing security, always use the same dual pairs for service and client policies. Currently there are not many samples available, but the 'Security and Administrator’s Guide for Web Services' guide is good documentation to start with for configuring security using OWSM 11g.
Rgds,
Mandrita
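
The pairing rule from the reply above, written as a check over an inventory of policy attachments. This is an added example, not code from the thread or from Oracle; the inventory layout and function names are assumptions, the policy names are the ones quoted on this page, and the sample inventory is constructed.

```python
import re

# Predefined OWSM policies quoted on this page follow oracle/<family>_<role>_policy.
POLICY_NAME = re.compile(r"^oracle/(?P<family>\w+?)_(?P<role>client|service)_policy$")


def check_attachment(consumer_policy, provider_policy):
    """Return the problems found in one consumer/provider policy attachment."""
    c = POLICY_NAME.match(consumer_policy)
    p = POLICY_NAME.match(provider_policy)
    if not c or not p:
        return ["unrecognised policy name; review this attachment by hand"]
    findings = []
    if c.group("role") != "client":
        findings.append("consumer carries a %s policy" % c.group("role"))
    if p.group("role") != "service":
        findings.append("provider carries a %s policy" % p.group("role"))
    if c.group("family") != p.group("family"):
        findings.append("families differ; the provider side expects "
                        "oracle/%s_client_policy on the consumer" % p.group("family"))
    return findings


def audit(inventory):
    """Map each attachment name to its findings, skipping clean attachments."""
    report = {}
    for name, consumer_policy, provider_policy in inventory:
        findings = check_attachment(consumer_policy, provider_policy)
        if findings:
            report[name] = findings
    return report


# Constructed inventory: (attachment name, consumer policy, provider policy).
SAMPLE_INVENTORY = [
    ("matched pair",
     "oracle/wss10_message_protection_client_policy",
     "oracle/wss10_message_protection_service_policy"),
    ("different families",
     "oracle/wss10_x509_token_with_message_protection_client_policy",
     "oracle/wss10_message_protection_service_policy"),
    ("roles swapped",
     "oracle/wss10_message_protection_service_policy",
     "oracle/wss10_message_protection_client_policy"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(findings))
```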

Similar Messages

  • OWSM 11g: Difference between Message Protection Policies

    Hi all,
    I am using OWSM11g for securing web services. There are two separate policies provided: oracle/wss10_message_protection_service_policy and oracle/wss10_x509_token_with_message_protection_client_policy. How do these policies differ in providing message protection?
    Additionally, I have the documentation provided by Oracle regarding OWSM11g. In case there are some additional resources or tutorials for OWSM 11g which might help me, please suggest the same.
    Thanks in advance.

  • OWSM 11g: Custom policy implementation

    Hi all,
    I am unable to replicate the example as discussed in section 14 of the Security and Administrator’s Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on an OSB (11g R3) proxy service. Kindly take a look at the steps mentioned below and suggest where I may be going wrong:
    1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
    2. Creation of the policy-config.xml file (same as Step 2)
    3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
    4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
    5. Updation of classpath (same as Step 5)
    6. Creation of oracle/ip_assertion_policy file (same as Step 2)
    7. Importing the Custom Policy File (same as Step 6)
    8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
    For testing purposes, I used soapUI and specified the bind address in the request properties. However, the policy is not working as desired.
    Additionally, I hardcoded the String ipAddr (IP address) in the IpAssertionExecutor class and redeployed the jar. But I still couldn't get it working.
    I shall be obliged if someone can help me.
    Thanks in advance

    In the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.

  • OWSM 11g in EM behaving different than documentation

    Hi everyone,
    I'm trying to get OWSM 11g working so I just installed SOA Suite 11gR1 (11.1.1.2.0). All I need is to attach a predefined policy to an existing web service which exists inside an EJB in an EAR application. I'm following the instructions from http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/attaching.htm#CEGDGIHD , in the section "Viewing the Policies That are Attached to a Web Service". Unfortunately I'm expecting different screens than those shown in the manual. In the documentation, figure 8.1 shows the tabs Operations / Policies / Chart / Configuration, but in my case the same screen shows only the Operations tab, making it impossible to attach the policies I need. Here's what I see in my environment: http://img203.imageshack.us/img203/751/erroowsm.png . I don't know if I missed something, but it still does not work as the documentation says (figure 8.1). Please, any help will be appreciated!
    Thanks,

    Rajesh wrote:
    Is it going above 1GB ?

    No, current memory utilization is 503MB, but it keeps increasing. The Support specialist told me it is OK for agents with a large number of targets to utilize up to 1GB of memory, even though I told him I have only 11 targets on this host. I do not think 11 targets is a "large number" and I do not want to wait until the agent uses 1GB of memory.

    You can also check MOS note :
    How To Effectively Investigate & Diagnose Grid Control Agent High Memory Utilization Issues? [ID 1092466.1]

    I have read this note and did not find a solution for my problem, and that is why I contacted Oracle Support. I think this agent is leaking memory, but the Support specialist suggests reinstalling this agent on another host.
    I do not think he understands the problem and that is why I am looking for other opinions.

  • OWSM 11g: Message Protection

    Hi All,
    I have earlier worked on OWSM 10g and implemented XML encryption and decryption. Now, I am trying to implement message protection (encryption and decryption) using OWSM 11g policies. The sample scenario consists of two web services, OWSM_11g and OWSM_11g_client. The message sent from OWSM_11g_client should be encrypted and signed, and OWSM_11g needs to verify the signature and decrypt the message.
    Here is what I have done so far.
    a.) I have attached oracle/wss10_message_protection_client_policy to OWSM_11g and oracle/wss10_message_protection_service_policy to OWSM_11g_client.
    b.) I have configured a keystore for weblogic domain exactly as explained in the following article http://www.ora600.be/node/5000
    c.) I have enabled the logging assertion for oracle/wss10_message_protection_client_policy & oracle/wss10_message_protection_service_policy.
    The message flow between the services is proceeding without any errors. There are two problems that I am facing here:
    a.) I cannot view the SOAP message in the message logs to verify the encryption and decryption.
    b.) It seems that I may be missing out some configuration parameters as specified in the documentation required to apply above policies.
    Any inputs regarding this would be greatly helpful.

    Hi there,
    I can suggest the following to you and hopefully it should work:
    a.) Instead of using the default keystore you should set up a new keystore for the weblogic domain. You may follow the guidelines as described in the following article: http://www.ora600.be/node/5000
    b.) Specify the keystore.recipient.alias (public key which maps to client_key according to the above article) on a per-client basis using the Security Configuration Details and keystore.enc.csf.key (private key which again maps to client_key according to the above article).
    c.) message_protection_client_policy and message_protection_service policy are made up of assertion templates. So, go to the web services policy page and enable the logging assertion for each of the policies. Here, in case both the composites are on the same SOA server, you need to turn off the local optimization. Read the above post by Ronald which explains this lucidly. On this page you may change the settings for the request and response messages.
    d.) You need to check the following log file to view the SOAP messages logged by the assertions to verify encryption and decryption: domains\soa_domain\servers\AdminServer\logs\owsm\msglogging\diagonstic.log
    Here I was able to encrypt and sign the message when both the composites were on the same SOA server. However, when they were on different SOA servers some server-side error was occurring. You may try the same as an additional exercise and update me in case you succeed.
    In case you still face any problems I will be glad to help you out.
    Regards,
    Shomit
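
The verification in step d.) above, done mechanically on envelopes pulled from the message log. This is an added example, not code from the thread or from Oracle; it assumes the logging assertion writes each SOAP envelope verbatim into the log, and the sample log text is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Matches <Envelope> or <prefix:Envelope> through its own closing tag.
ENVELOPE_RE = re.compile(r"<((?:[\w.-]+:)?)Envelope\b.*?</\1Envelope>", re.DOTALL)


def extract_envelopes(log_text):
    """Assumption: each logged SOAP envelope appears verbatim in the log."""
    return [m.group(0) for m in ENVELOPE_RE.finditer(log_text)]


def protection_report(envelope_xml):
    """Report which message-protection artefacts one logged envelope carries."""
    root = ET.fromstring(envelope_xml)  # input is the server's own log file
    security = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    children = list(body) if body is not None else []
    enc_tag = "{%s}EncryptedData" % NS["xenc"]
    body_id = body.get("{%s}Id" % NS["wsu"]) if body is not None else None
    refs = [] if security is None else [
        r.get("URI")
        for r in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    return {
        "security_header": security is not None,
        "encrypted_key": security is not None
        and security.find("xenc:EncryptedKey", NS) is not None,
        # Encrypted means the Body holds nothing but xenc:EncryptedData.
        "body_encrypted": bool(children) and all(c.tag == enc_tag for c in children),
        # Signed means a signature reference points at the Body's wsu:Id.
        "body_signed": body_id is not None and "#" + body_id in refs,
        "cleartext_elements": [c.tag.split("}")[-1] for c in children if c.tag != enc_tag],
    }


# Constructed sample log: one bypassed request, one protected request.
_DECLS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
SAMPLE_LOG = (
    "[constructed] request logged with the policy bypassed\n"
    '<soap:Envelope xmlns:soap="%s"><soap:Body><creditCheck><card>0000</card>'
    "</creditCheck></soap:Body></soap:Envelope>\n"
    "[constructed] request logged with message protection applied\n"
    "<soap:Envelope %s><soap:Header><wsse:Security><xenc:EncryptedKey/>"
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo>'
    "</ds:Signature></wsse:Security></soap:Header>"
    '<soap:Body wsu:Id="Body-1"><xenc:EncryptedData/></soap:Body></soap:Envelope>\n'
) % (NS["soap"], _DECLS)

if __name__ == "__main__":
    for envelope in extract_envelopes(SAMPLE_LOG):
        print(protection_report(envelope))
```

A non-empty `cleartext_elements` list is the symptom several posts on this page describe: the call succeeds but the payload crossed the wire unprotected. `body_signed` can read false on a protected message if the deployment also encrypts the signature element.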

  • OWSM 11g:Securing Asynchronous callback

    Hi all,
    I am posting again regarding this hoping that someone may be able help me up this time.
    I am working on SOA Suite 11g. I have two asynchronous BPEL services A and B. I want to ensure message protection for the callback received by A from B using OWSM 11g. I have attached the policies to the respective callback. But the policies are getting bypassed and the plain message is transferred from A to B. Additionally, I have turned off the local optimization of the policies. However, it has also not helped.
    Can anyone point out what additional configuration needs to be done.
    Thanks in advance.
    Edited by: Shomit Sahdev on 25 May 2010, 1:58 AM

    Hi,
    Just a pointer: did you configure the keystore path, signing certificate and encryption key alias name and passwords in the Fusion Middleware Control console under 'Security Provider Configuration', and the decryption key password as 'keystore.enc.csf.key' under 'Credentials' in Fusion Middleware Control, for both the instances?
    Rgds.

  • OWSM 11g: Securing Callback

    Hi All,
    I have two async services A and B. I want to secure the callback from B to A. I have attached a client policy (u/n authentication and message protection) to the B callback. Additionally, I have attached a service policy (u/n authentication and message protection) to the callback received by A.
    However the policies are not working.
    Any ideas/suggestions regarding how to secure callback using OWSM 11g will be welcomed.
    Regards

  • Require Inputs on OWSM 11g message protection policy

    Hi All,
    We are trying to achieve encryption and decryption of the payload in SOA 11g using OWSM. We have configured keystores in the WebLogic domain.
    I have two composites, namely client and service. The client will invoke the service composite using a partner link with a payload. I have attached oracle/wss11_message_protection_client_policy to the partner link of the Client composite and also attached oracle/wss11_message_protection_service_policy to the Service composite.
    When I test the composites there are no errors, but I cannot see any encryption and decryption happening. I cannot see any information in the logs as well.
    If anyone has achieved message protection using OWSM 11g then please throw some light on how to go about doing it.
    Thank you in advance.
    Regards
    Narendra

    Narendra,
    Were you able to figure out a solution for this?
    Thanks

  • OWSM 11g file based authentication

    Hi,
    I have to secure a service using the username and password present in a file. I'll have to use a file based authentication mechanism. As OWSM 11g doesn't have the gateway, can I achieve this functionality with the OWSM 11g agent?
    Thanks

    Can you please tell me how to create the file .htpassword? When I'm using a text editor to create this file it does not allow it, and the message is to specify a file name. Is there a special utility to create such a file?

  • OWSM 11g : Authentication Providers for X.509 and SAML policies

    Hi All,
    I am currently trying to implement the X.509 and SAML policies. As per the documentation for these policies I need to configure an authentication provider (or Identity Assertion provider) that can handle perimeter authentication via the NameCallback. I had configured an authentication provider (default authentication provider) that handled the namecallback and passwordcallback. What I can't figure out is how these two authentication providers differ. And, in case one has to configure one for the X.509 and SAML policies, how to do the same.
    Any pointers will be useful. Especially, from anyone who has worked and implemented the above policies.
    Thanks in advance.
    Edited by: Shomit Sahdev on 8 April 2010, 12:25 AM

    After research by Oracle Support it actually turns out that this problem was a combination of factors:
    1) some clients were effectively using an invalid certificate, so it is correct that they got an error, and everything worked fine when they started using the right certificate
    2) it does, however, turn out that, in the case of an error the error handling has been obfuscated in WLS 10.3.6 as compared to WLS 10.3.4 which gives a more descriptive error stating the nature of the problem (missing certificate, invalid certificate, unknown user, ...). Apparently this was deemed a security issue and has thus been replaced by a generic "internal server error". It is however possible to re-activate this older behaviour using a couple of JAVA_OPTS that you pass during server startup:
    -Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true
    The above reintroduced the behaviour we had in WLS 10.3.4 and thus solves our problem!

  • OIM 11g - Kerberos Authentication disable

    Hi Experts,
    We have OIM 11g set up with Kerberos SSO authentication enabled for OIM. We want this to be disabled. Can anyone help with where and how I can do this?
    Thanks and Regards
    Naveen
    Edited by: user4537635 on May 16, 2013 5:52 AM

    Download the connector doc from the location below (RSA Authentication Manager)
    http://docs.oracle.com/cd/E11223_01/index.htm
    Else try to download the connector, extract it and open the connector doc (RSA Authentication Manager 9.1.0.7.0)
    http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

  • OWSM 11g: SAML holder of the key based Authentication

    Hi all,
    I am trying to implement SAML holder of the key method based authentication. As per weblogic documentation, I have disabled the Disable X.509 certificate validation since I am using SAML holder_of_key assertions. I have attached the policies to the composites oracle/wss10_saml_hok_token_with_message_protection_client_policy and oracle/wss10_saml_hok_token_with_message_protection_service_policy. I am using the default values except for keystore.recipient.alias property. When I am testing the policy it says that the saml.assertion.filename named temp could not be found.
    As per the documentation this is file containing SAML holder of the key based authentication. Can anyone provide some idea as to what should be the contents of this file?
    Thanks in advance

    I too am facing the same problem. Did you manage to solve this?
    Please suggest.

  • Customizing OWSM 11g SAML policy

    Hi,
    The current OWSM SAML policy validates only one token against Identity store.
    Our requirement is to validate against a couple of attributes. Is there any option available in the existing policy, or do we need to write a custom policy extending the existing policy?
    Any pointers on this will be most helpful.
    Thanks,
    Sowmya

  • OWSM 11g: Invoking a secured web service through a java proxy service

    Hi All,
    I am trying to call a secured bpel service which is expecting a username token password. I have created a java proxy service for the same. I now need to add the username token to the same. Can anyone please guide me in this regard.
    Thanks in advance.

    Just to add some pointers,
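    I added the following code to the proxy, but the SOAP headers are still not getting propagated.
    // Imports this fragment needs (JAX-WS plus the WebLogic web services client classes)
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    import javax.xml.ws.BindingProvider;
    import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
    import weblogic.xml.crypto.wss.WSSecurityContext;
    import weblogic.xml.crypto.wss.provider.CredentialProvider;
    // port obtained from the generated proxy
    OrderBookingAndShipment orderBookingAndShipment = orderbookingandshipment_client_ep.getOrderBookingAndShipment_pt();
    String username = "OWSM_11g";
    String password = "password";
    List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
    // client-side UsernameToken credential provider
    CredentialProvider cp = new ClientUNTCredentialProvider(username.getBytes(), password.getBytes());
    credProviders.add(cp);
    Map<String,Object> context = ((BindingProvider) orderBookingAndShipment).getRequestContext();
    context.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);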

  • OWSM 11g: oracle/wss10_x509_token_with_message_protection_service_policy

    Hi All,
    I have attached the following policy to a SOAP based endpoint. As per the documentation I need to ensure that the Authentication Provider in the WebLogic Server provides X.509 callback information. How is this supposed to be done?
    In case anybody has an idea about this please suggest me the necessary steps.
    Thanks in advance.
