OWSM 11g: Message Protection

Hi All,
I have earlier worked on OWSM 10g and implemented XML encryption and decryption. Now, I am trying to implement message protection (encryption and decryption) using OWSM 11g policies. The sample scenario consists of two web services, OWSM_11g and OWSM_11g_client. The message sent from OWSM_11g_client should be encrypted and signed, and OWSM_11g needs to verify the signature and decrypt the message.
Here is what I have done so far.
a.) I have attached oracle/wss10_message_protection_client_policy to OWSM_11g and oracle/wss10_message_protection_service_policy to OWSM_11g_client.
b.) I have configured a keystore for weblogic domain exactly as explained in the following article http://www.ora600.be/node/5000
c.) I have enabled the logging assertion for oracle/wss10_message_protection_client_policy & oracle/wss10_message_protection_service_policy.
The message flow between the services is proceeding without any errors. There are two problems that I am facing here:
a.) I cannot view the SOAP message in the message logs to verify the encryption and decryption.
b.) It seems that I may be missing some configuration parameters specified in the documentation that are required to apply the above policies.
Any inputs regarding this would be greatly helpful.

Hi there,
I can suggest the following to you and hopefully it should work:
a.) Instead of using the default keystore you should set up a new keystore for the weblogic domain. You may follow the guidelines as described in the following article: http://www.ora600.be/node/5000
b.) Specify the keystore.recipient.alias (public key, which maps to client_key according to the above article) on a per-client basis using the Security Configuration Details, and keystore.enc.csf.key (private key, which again maps to client_key according to the above article).
c.) message_protection_client_policy and message_protection_service_policy are made up of assertion templates. So, go to the web services policy page and enable the logging assertion for each of the policies. Here, in case both the composites are on the same SOA server, you need to turn off the local optimization. Read the above post by Ronald, which explains this lucidly. On this page you may change the setting for the request and response messages.
d.) You need to check the following log file to view the SOAP messages logged by the assertions to verify encryption and decryption: domains\soa_domain\servers\AdminServer\logs\owsm\msglogging\diagnostic.log
Here I was able to encrypt and sign the message when both the composites were on the same SOA server. However, when they were on different SOA servers some server-side error was occurring. You may try the same as an additional exercise and update me in case you succeed.
In case you still face any problems I will be glad to help you out.
Regards,
Shomit
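
To address the first problem above (checking in the msglogging diagnostic log that the request actually went out signed and encrypted), here is an added example, not from this thread and not Oracle's code, that inspects a logged SOAP envelope for the WS-Security structure the message protection policies produce. The two envelopes in it are constructed for the example; the namespace URIs are the standard WSS 1.0, XML Signature and XML Encryption ones.

```python
import xml.etree.ElementTree as ET

# Namespaces used by WS-Security 1.0/1.1 message protection on a SOAP 1.1 envelope.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: what a protected request looks like after the client policy ran.
# Key material, signature and ciphertext values are placeholders, not real crypto output.
PROTECTED_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2010-05-25T01:58:00Z</wsu:Created></wsu:Timestamp>
      <xenc:EncryptedKey Id="EK-1"><xenc:CipherData><xenc:CipherValue>constructed-key</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed-signature</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1">
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>constructed-ciphertext</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: the same call with no policy applied (payload in the clear).
PLAIN_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><ns1:process xmlns:ns1="http://example.invalid/CalledAddition"><ns1:a>10</ns1:a><ns1:b>20</ns1:b></ns1:process></soap:Body>
</soap:Envelope>"""


def local_name(tag):
    """Strip the {namespace} prefix that ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_envelope(xml_text):
    """Report which WS-Security protections a logged SOAP envelope carries.

    This checks structure only (is a signature present, is the Body ciphertext);
    it does not verify the signature or decrypt anything, which is the policy's job.
    """
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("not a SOAP 1.1 envelope: no soap:Body")
    header = root.find("soap:Header", NS)
    security = header.find("wsse:Security", NS) if header is not None else None

    signed = security is not None and security.find("ds:Signature", NS) is not None
    timestamp = security is not None and security.find("wsu:Timestamp", NS) is not None
    encrypted_key = security is not None and security.find("xenc:EncryptedKey", NS) is not None

    body_children = list(body)
    # The Body counts as encrypted only if every child is xenc:EncryptedData,
    # i.e. no plaintext payload element survived alongside the ciphertext.
    encrypted = bool(body_children) and all(
        child.tag == "{%s}EncryptedData" % NS["xenc"] for child in body_children)
    plaintext = [] if encrypted else [local_name(child.tag) for child in body_children]

    return {
        "signed": signed,
        "encrypted": encrypted,
        "encrypted_key_in_header": encrypted_key,
        "timestamp": timestamp,
        "plaintext_body_elements": plaintext,
    }


def is_protected(report):
    """True when the message is both signed and encrypted, which is what the
    wss10/wss11 message protection policies are expected to put on the wire."""
    return report["signed"] and report["encrypted"]


if __name__ == "__main__":
    for name, env in (("protected", PROTECTED_ENVELOPE), ("plain", PLAIN_ENVELOPE)):
        rep = inspect_envelope(env)
        print(name, "->", "OK" if is_protected(rep) else "NOT PROTECTED", rep)
```

Paste the envelope copied from the msglogging log into `inspect_envelope`; a non-empty `plaintext_body_elements` list on the outbound request means the client policy did not encrypt (for instance because local optimization was still on), and `signed` being False means no ds:Signature reached the wire at all.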

Similar Messages

  • Require Inputs on OWSM 11g message protection policy

    Hi All,
    we are trying to achieve encryption and decryption of payload in SOA 11g using OWSM. We have configured keystores in the weblogic domain.
    I have two composites namely client and service. The client will invoke the service composite using a partner link with a payload. I have attached oracle/wss11_message_protection_client_policy to the partner link of Client composite and also attached oracle/wss11_message_protection_service_policy to the Service composite.
    When I test the composites there are no errors, but I cannot see any encryption and decryption happening. I cannot see any information in the logs either.
    If anyone has achieved message protection using OWSM 11g then please throw some light on how to go about doing it.
    Thank you in advance.
    Regards
    Narendra

    Narendra,
    Were you able to figure out a solution for this?
    Thanks

  • OWSM: SAML message protection policy question

    My web services are protected with the SAML message protection policy. According to the document:
    http://download.oracle.com/docs/cd/E15523_01/web.1111/b32511/setup_config.htm#BABJAIHD
    On the web service side, "Needs the intermediary and root certificate corresponding to the client's public key in the keystore. These certificates will be used to verify the signature by generating a trusted certificate chain."
    It also says "Generally, the recipient does not need to have the sender's public key in its keystore to validate the certificate. It is sufficient to have the root certificate in the keystore to verify the certificate chain."
    Since the WebLogic default trust store has more than 60 well-known CAs' trusted intermediary and root certificates by default, does this mean that if a web service client owns a key signed by one of these well-known CAs, it will be able to access my web service through the SAML policy?
    What if I would like to limit my web service only to specified clients instead of public access? Should I remove those well-known intermediary and root certificates from the WebLogic trust store?
    Thanks

    Hi RaJdeep,
    Thank you for your inputs. But I could not get what I have to do here.
    Could you please pass on your contact details so that I can contact you.
    Thank you in advance.
    Regards
    Narendra

  • OWSM 11g: Difference between Message Protection Policies

    Hi all,
    I am using OWSM 11g for securing web services. There are two separate policies provided, oracle/wss10_message_protection_service_policy and oracle/wss10_x509_token_with_message_protection_client_policy. How do these policies differ in providing message protection?
    Additionally, I have the documentation provided by Oracle regarding OWSM 11g. In case there are some additional resources or tutorials for OWSM 11g which might help me, please suggest them.
    Thanks in advance.

    Hi,
    In OWSM 10g there was the concept of Server Agents and Client Agents. The server agents were attached to the service providers and client agents were attached to client consumers. Similarly, there are two types of policies available with 11g for service endpoints. One is attached to the service provider endpoint and one is attached to the consumer.
    For example, if there is a credit validation web service which requires the payload to be signed and encrypted, then you attach oracle/wss10_message_protection_service_policy to it, and if there is a SOA composite invoking this service, then you attach oracle/wss10_message_protection_client_policy to it. For each of the service-side and client-side policies some configurations/settings can be modified or overridden.
    Now, oracle/wss10_message_protection_service_policy is a message integrity and confidentiality service policy implementing WS-Security 1.0 standards, while oracle/wss10_x509_token_with_message_protection_client_policy is an X509 token based authentication with message protection client policy implementing WS-Security 1.0 standards.
    Hence, while implementing security always use the same dual pairs for service and client policies. Currently there are not many samples available, but the 'Security and Administrator's Guide for Web Services' is good documentation to start with for configuring security using OWSM 11g.
    Rgds,
    Mandrita

  • Message protection (Encryption) through OWSM in BPEL process 11g

    What are my requirements?
    I want to encrypt the messages in a BPEL process using OWSM message protection policies.
    What is the configuration I am using?
    Weblogic Server 10.3.3
    Soa Server 11.1.1.3.0
    Oracle JDeveloper 11.1.1.3.0
    What have I done so far?
    (1) Created one sync BPEL process (CalledAddition) which takes two inputs, adds them and returns the output.
    (2) Created one more sync BPEL process (CallerProcess) which takes two inputs, calls the above created BPEL process (CalledAddition) and gets the response back as the addition of the two numbers.
    Now I want to add the OWSM message protection policy to encrypt the message in the main BPEL process (CallerProcess), and have the called service (CalledAddition) decrypt the message upon invocation. It is a very simple scenario.
    For this purpose I have done the following OWSM Policy Configuration:
    (1) Created a java keystore as follows
    keytool -genkey -keyalg RSA -keystore test_keystore.jks -storepass welcome1 -alias client_key -keypass welcome1 -dname "CN=Client, OU=WEB AGE, C=US" -keysize 1024 -validity 1460
    (2) Copy the keystore (test_keystore.jks) to location domain/config/fmwconfig.
    (3) Go to EM console/WeblogicDomain/Security/Credential and delete the map oracle.wsm.security, then create it again with no key inside.
    (4) Go to EM console/WeblogicDomain/Security/SecurityProviderConfiguration and configure the above created keystore as follows:
    (i) Keystore Type=JKS, Keystore Path=./test_keystore.jks, password=welcome1, confirmPassword=welcome1
    (ii) Signature Key:
    Key Alias=client_key, Signature Password=welcome1, confirmPassword=welcome1
    (iii)Encryption Key:
    Crypt Alias=client_key, Crypt Password=welcome1, confirmPassword=welcome1
    (5) Now restart the server (both Weblogic and SOA server)
    (6) Now again go to EM console/WeblogicDomain/Security/Credential and expand the oracle.wsm.security map. Automatically the following keys are made inside it:
    (i) sign-csf-key
    (ii) enc-csf-key
    (iii) keystore-csf-key
    Created one more key inside it explicitly:
    (iv) basic.credentials with username=weblogic and password=welcome1
    (7) Go to EM console/WeblogicDomain/WebServices/Policy and created the following policies:
    oracle/wss11_message_protection_service_policy:
    (i) select policy oracle/wss11_message_protection_service_policy from list and click on create like button. This will create a copy of the policy with different name.
    (ii) Give the new name as oracle/wss11_message_protection_service_policy_Copy ( which is by default)
    (iii) Local Optimization = off and enabled is checked
    (iv) Attachment Attributes:
    Applies To=Service Bindings and Service Category=Service Clients
    (v) Assertions:
    Select the middle assertion MessageProtection and Advertised=checked and Enforced=checked
    (vi) Configuration:
    Add the following configuration properties, or edit them as follows if they are already present:
    (a) name=keystore.enc.csf.key, property set=standard-security-properties, value=enc-csf-key, Type=Optional
    (b) name=keystore.sig.csf.key, property set=standard-security-properties, value=sign-csf-key, Type=Optional
    (c) name=role, property set=standard-security-properties, Default=ultimateReceiver, Type=Optional
    (v) Settings:
    Done the following settings:
    - Message Security/Include timestamp=unchecked
    - Message Signing Setting/Include entire body=unchecked (since we need only encryption, no signing of the message)
    - Message Encrypt Setting/Include entire body=checked
    (vi) Validate and save
    (vi) Thus a new policy is made in the domain with the name oracle/wss11_message_protection_service_policy_Copy
    Similarly create oracle/wss11_message_protection_client_policy:
    (ii) Give the new name as oracle/wss11_message_protection_client_policy_Copy (which is the default)
    (iv) Attachment Attributes:
    Applies To=Service Bindings and Service Category=Service Endpoint
    (vi) Configuration:
    Add the following configuration properties, or edit them as follows if they are already present:
    (a) name=keystore.recipient.alias, property set=standard-security-properties, value=client_key, Type=Optional
    (b) name=role, property set=standard-security-properties, Default=ultimateReceiver, Type=Optional
    (vi) Thus a new policy is made in the domain with the name oracle/wss11_message_protection_client_policy_Copy
    The rest of the steps (i, iii and v) are the same as described above for the service policy.
    After creating the policies in domain attach them to the bpel process as follows:
    (1) Go to SOA project (CallerProcess) in EM console.
    (2) Click on policy tab
    (3) First attach the client policy (oracle/wss11_message_protection_client_policy_Copy) to the endpoint of the process CallerProcess.
    (4) Then attach the service policy (oracle/wss11_message_protection_service_policy_Copy) to the reference in CallerProcess which is calling CalledAddition.
    (5) Now test the process (CallerProcess)
    Pass inputs, say 10 and 20.
    Upon testing it gives the following error:
    Web Service invocation Failed:
    oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: InvalidSecurity : error in processing the WS-Security security header
    I have made everything clear. I have gone through several documents but am unable to find the solution. Could anyone please help me with this?
    Thanks

    I have followed the same steps and am getting the same error.
    User 868153, were you able to resolve this issue?
    Appreciate your help.
    Thanks

  • OWSM 11g:Securing Asynchronous callback

    Hi all,
    I am posting again regarding this, hoping that someone may be able to help me out this time.
    I am working on SOA Suite 11g. I have two asynchronous BPEL services A and B. I want to ensure message protection for the callback received by A from B using OWSM 11g. I have attached the policies to the respective callback. But the policies are getting bypassed and the plain message is transferred from A to B. Additionally, I have turned off the local optimization of the policies. However, it has also not helped.
    Can anyone point out what additional configuration needs to be done.
    Thanks in advance.
    Edited by: Shomit Sahdev on 25 May 2010, 1:58 AM

    Hi,
    Just a pointer: did you configure the keystore path, signing certificate and encryption key alias names and passwords in the Fusion Middleware Control console under 'Security Provider Configuration', and the decryption key password as 'keystore.enc.csf.key' under 'Credentials' in Fusion Middleware Control, for both the instances?
    Rgds.

  • OWSM 11g: Securing Callback

    Hi All,
    I have two async services A and B. I want to secure the callback from B to A. I have attached a client policy (username authentication and message protection) to the B callback. Additionally, I have attached a service policy (username authentication and message protection) to the callback received by A.
    However the policies are not working.
    Any ideas/suggestions regarding how to secure callback using OWSM 11g will be welcomed.
    Regards


  • OWSM 11g: Kerberos policies

    Hi All,
    I am trying to implement authentication using the oracle/wss11_kerberos_token_client_policy and oracle/wss11_kerberos_token_service_policy policies. I have downloaded and installed the Kerberos software for Windows 2.6.5. Currently I have set the default values for the Kerberos login module. As per the documentation I need to initialize and start the KDC. But the commands in the documentation are for a Unix environment, whereas I am trying to run the software on a Windows XP machine.
    I don't know how to proceed further.
    Any help in this regard is appreciated.

  • OWSM 11g file based authentication

    Hi,
    I have to secure a service using the username and password present in a file. I'll have to use a file-based authentication mechanism. As OWSM 11g doesn't have the gateway, can I achieve this functionality with the OWSM 11g agent?
    Thanks

    Can you please tell me how to create the file .htpassword? When I'm using a text editor to create this file it does not allow it, and the message is "specify file name". Is there a special utility to create such a file?

  • Bad Error Message Protection

    Hi,
    The Security team has requested that they look over our router and switch configs before we deploy them in production.
    One thing they mentioned:
    "Bad Error Message Protection" 
    They recommend "setting icmp ignore bogus error responses to 1". I haven't found any Cisco docs on the subject or any commands to enable this. That being said, I haven't tried to configure any bad error message commands because if this is a real concern I want to make sure I am doing it correctly.
    Any advice?
    Thank you.

    OK, it seems the problem has been fixed. I was on Messenger 3.3; I downloaded Messenger 3.4 and everything seems to work as it should.

  • OWSM 11g: Custom policy implementation

    Hi all,
    I am unable to replicate the example as discussed in section 14 of the Security and Administrator's Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on an OSB (11g R3) proxy service. Kindly take a look at the steps mentioned below and suggest where I may be going wrong:
    1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
    2. Creation of the policy-config.xml file (same as Step 2)
    3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
    4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
    5. Update of the classpath (same as Step 5)
    6. Creation of oracle/ip_assertion_policy file (same as Step 2)
    7. Importing the Custom Policy File (same as Step 6)
    8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
    For testing purposes, I used SoapUI and specified the bind address in the request properties. However, the policy is not working as desired.
    Additionally, I hardcoded the String ipAddr (IP address) in the IpAssertionExecutor class and redeployed the jar. But I still couldn't get it working.
    I shall be obliged if someone can help me.
    Thanks in advance

    In the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.

  • OWSM 11g in EM behaving different than documentation

    Hi everyone,
    I'm trying to get OWSM 11g working, so I just installed SOA Suite 11gR1 (11.1.1.2.0). All I need is to attach a predefined policy to an existing web service which exists inside an EJB in an EAR application. I'm following the instructions from http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/attaching.htm#CEGDGIHD , in the section "Viewing the Policies That are Attached to a Web Service". Unfortunately I'm seeing different screens than those shown in the manual. In the documentation, figure 8.1 shows the tabs Operations / Policies / Chart / Configuration, but in my case the same screen shows only the Operations tab, making it impossible to attach the policies I need. Here's what I see in my environment: http://img203.imageshack.us/img203/751/erroowsm.png . I don't know if I missed something, but it still does not work as the documentation says (figure 8.1). Please, any help will be appreciated!
    Thanks,

    Rajesh wrote:
    > Is it going above 1GB?
    No, current memory utilization is 503MB, but it keeps increasing. The Support specialist told me it is OK for agents with a large number of targets to utilize up to 1GB of memory, even though I told him I have only 11 targets on this host. I do not think 11 targets is a "large number" and I do not want to wait until the agent uses 1GB of memory.
    > You can also check MOS note:
    > How To Effectively Investigate & Diagnose Grid Control Agent High Memory Utilization Issues? [ID 1092466.1]
    I have read this note and did not find a solution for my problem, and that is why I contacted Oracle Support. I think this agent is leaking memory, but the Support specialist suggests reinstalling this agent on another host.
    I do not think he understands the problem, and that is why I am looking for other opinions.

  • OEG and OSB - username token with message protection

    Salve,
    I've got a simple example of OEG / OSB integration up and running -
    Scenario 1 - username token validation works fine
    Scenario 2 - username token /message protection has issues.
    I register the web service with OEG and the security policy is auto-generated. I configure as appropriate but get the error -
    No asymmetric key found
    ERROR 12/5/11 1:46 PM signature error: not specified/not specified, key is not found:
    A doc detailing all the steps I took is available at -
    https://docs.google.com/open?id=0B7YrnfO7h717ODI5NGExODAtNjI0Yy00ZGE0LWI3NzQtZTg4YjM2ZDQzOWQ1
    any help --> greatly appreciated.

    Replied offline as forum was down. Issue sorted.
    Many thanks for detailed analysis.

  • OWSM gateway : Message not encrypted error

    Hi,
    I have a BPEL process which invokes a web service via a partner link. Both the BPEL process and the service are secured with the OWSM gateway. In the policy defined for BPEL I'm doing Sign Message and Encrypt using an XPath expression (which is working). In the policy for the web service I'm doing a Decrypt and Verify Signature. But it's not invoking the service and throws a Client:GenericFault saying the message is not encrypted.
    In fact the logs from BPEL after encryption shows encrypted data. But logs in service does not contain the same data.
    Am I doing something wrong? Should I copy something ? I'm using the same keystore for both the policies. The version is 10.1.3.1
    Please help me
    Thanks
    Meer

    All of them are running with Win XP SP2 at work. NAT-Traversal: is Disabled. DMZ is enabled. Thanks

  • I installed twitter but now receive a message " protected tweets " when I try and use twitter can anyone help. I have reinstalled it twice now with same results

    CORRECTION:
    I installed the Twitter application on my iPod, the newest iPod, I believe it's the 5th generation, with iOS 5.0.1, and every time I open the app, where my timeline should be it just says "Protected Tweets", and whenever I try to compose a tweet it says "Error posting message. There was an error posting your tweet. It has been saved as a draft, please try resending later. (Error:unauthorized)". Can anyone help me out?

    Go into the iPad settings app and check your settings for twitter. I found that my password was short one character for some reason.
