OWSM 11g:Securing Asynchronous callback

Similar Messages

• OWSM 11g: Securing Callback

  Hi All,
  I have two asyn services A and B. I want to secure the callback from B to A. I have attached client policy (u/n authentication and message protection) to the B callback . Additionally I have attached service policy (u/n authentication and message protection) to the callback received by A.
  However the policies are not working.
  Any ideas/suggestions regarding how to secure callback using OWSM 11g will be welcomed.
  Regards

  Hi,
  Just a pointer did you configure the keystore path,signing certificate and encryption key alias name and passwords in the Fusion Middleware Control console under 'Security Provider Configuration' and the decryption key password as 'keystore.enc.csf.key' under 'Credentials' in Fusion Middleware Control for both the instances?
  Rgds.

• OWSM 11g: Custom policy implementation

  Hi all,
  I am unable to replicate the example as discussed in the section 14 of Security and Administrator’s Guide for Web Services 11g Release 1 (11.1.1) B32511-03, April 2010. I am applying the custom policy on a osb (11g r3) proxy service. Kindly take a look at the steps mentioned below & suggest suitably where i may be going wrong:
  1. Creation of the IpAssertionExecutor class which holds the implementation logic (same as Step 1)
  2. Creation of the policy-config.xml file (same as Step 2)
  3. oracle.logging-utils_11.1.1.jar was also added to compile the above class.
  4. IpAssertionExecutor Class & policy-config.xml were added as a jar file as mentioned in page no: 4 of the following link: http://www.scribd.com/doc/25941008/How-to-Create-OWSM-11g-Custom-Policy-Assertion (same as Step 4)
  5. Updation of classpath (same as Step 5)
  6. Creation of oracle/ip_assertion_policy file (same as Step 2)
  7. Importing the Custom Policy File (same as Step 6)
  8. Attaching the Custom Policy to a Web Service or Client (same as Step 7)
  For testing purpose, i used soapui and specified the bind address in the request properties. However, the policy is not working as desired.
  Additionally, i hardcoded the String ipAddr (ip address) in the IpAssertionExecutor class & redeployed the jar. But still couldn't get it working.
  I shall be obliged if someone can help me.
  Thanks in advance

  In the security tab for your OSB Service, ensure that you set the radio button for processing of ws header. Otherwise no policies appear to be called.

• OWSM 11g: Difference between Message Protection Policies

  Hi all,
  I am using OWSM11g for securing web services. There are two separate policies provided oracle/wss10_message_protection_service_policy and oracle/wss10_x509_token_with_message_protection_client_policy. How does these policies differ in providing message protection?
  Additionally, I have the documentations provided by oracle regarding OWSM11g. In case, there are some addtional resources or tutorials for OWSM 11g which might help me please suggest me the same.
  Thanks in advance.

  Hi,
  In OWSM 10g there was concept of Server Agent and Client agents.The server agents were attached with the service providers and client agents were attached with client consumers.Similarly there are two types of policies available with 11g for service endpoints.One is attached with the service provider endpoint and one is attached with the consumer.
  For e.g- If there is a credit validation webservice which requires the payload to be signed and encrypted,then u attach oracle/wss10_message_protection_service_policy with it and if there is a SOA composite invoking this service,then u attach oracle/wss10_message_protection_client_policy with it.For each of the service side and client side policies some configurations/settings can be modified or overridden.
  Now oracle/wss10_message_protection_service_policy is message integrity and confidentiality service policy implementing WS-1.0 security standards.While oracle/wss10_x509_token_with_message_protection_client_policy is X509 token based authentication with message protection client policy implementing WS-1.0 security standards.
  Hence while implementing security always use the same dual pairs for service and client policies.Currently there are not many samples available but the 'Security and Administrator’s Guide for Web Services' guide is good documentation to start with for configuring security using OWSM 11g.
  Rgds,
  Mandrita

• OWSM 11g: Message Protection

  Hi All,
  I have earlier woked on OWSM 10g and implemented XML encryption and decryption. Now,I am trying to implement message protection(encryption and decryption) using OWSM 11g policies. The sample scenario consists of two web services OWSM_11g and OWSM_11g_client. The message send from OWSM_11g_client should be encrypted and signed and OWSM_11g needs to verify the signature and decrypt the message.
  Here is what i have done so far.
  a.) I have attached oracle/wss10_message_protection_client_policy to OWSM_11g and oracle/wss10_message_protection_service_policy to OWSM_11g_client.
  b.) I have configured a keystore for weblogic domain exactly as explained in the following article http://www.ora600.be/node/5000
  c.) I have enabled the logging assertion for oracle/wss10_message_protection_client_policy & oracle/wss10_message_protection_service_policy.
  The message flow between the services is proceeding without any errors. There are two problems that I am facing here:
  a.) I cannot view SOAP message in the message logs to verify the encrytion and decryption.
  b.) It seems that I may be missing out some configuration parameters as specified in the documentation required to apply above policies.
  Any inputs regarding this would be greatly helpful.

  Hi there,
  I can suggest the following to you and hopefully it should work:
  a.) Instead of using the default keystore you should set up a new keystore for the weblogic domain. You may follow the guidelines as described in the following article: http://www.ora600.be/node/5000
  b.) Specify the keystore.recipient.alias (public key which maps to client_key according to the above article) at per-client basis using the Security Configuration Details and keystore.enc.csf.key (private key which again maps to client_key according to the above article).
  c.) message_protection_client_policy and message_protection_service policy are made up of assertion templates. So, Go to the web services policy page and enable the loggin assertion for each of the policies. Here, in case both the composites are on the same soa server then, you need to turn off the local optimization. Read the above post by Ronald which explains this lucidly. On this page you may change setting for the request and response messages.
  d.) You need to check the following log file to view the soap messages logged by the assertions to verify encryption and decryption domains\soa_domain\servers\AdminServer\logs\owsm\msglogging\diagonstic.log
  Here I was able to encrypt and sign the message when both the composites were in the same soa server. However when they were in different soa server some server side error was occuring. You may try the same as an addtional exercise and update me in case you succeed.
  In case you still face any problems I will be glad to help you out.
  Regards,
  Shomit

• OWSM 11g file based authentication

  Hi,
  I have to secure a service using the username and password present in file. I'll have to use a file based authentication mechanism. As OWSM 11g doesnt have the gateway, can i achieve this functionality with OWSM 11g agent ?
  Thanks

  Can you please tell me how to create the file .htpassword. When i'm using a text editor to create this file it does not allow and message is specify file name. Is there a special utility to create such a file.

• OWSM 11g: Kerberos policies

  Hi All,
  I am trying to implement authentication using oracle/wss11_kerberos_token_client_policy and oracle/wss11_kerberos_token_service_policy policies. I have download and installed the kerberos software for windows 2.6.5. Currently i have set the default values for the kerberos login module. As per the documentation i need to initialize and start the kdc. But commands in the documentation are for a unix environment whereas i am trying to run the software on a windows xp machine.
  I dont know how to proceed further.
  Any help in this regard is appreciated.

  Hi,
  In OWSM 10g there was concept of Server Agent and Client agents.The server agents were attached with the service providers and client agents were attached with client consumers.Similarly there are two types of policies available with 11g for service endpoints.One is attached with the service provider endpoint and one is attached with the consumer.
  For e.g- If there is a credit validation webservice which requires the payload to be signed and encrypted,then u attach oracle/wss10_message_protection_service_policy with it and if there is a SOA composite invoking this service,then u attach oracle/wss10_message_protection_client_policy with it.For each of the service side and client side policies some configurations/settings can be modified or overridden.
  Now oracle/wss10_message_protection_service_policy is message integrity and confidentiality service policy implementing WS-1.0 security standards.While oracle/wss10_x509_token_with_message_protection_client_policy is X509 token based authentication with message protection client policy implementing WS-1.0 security standards.
  Hence while implementing security always use the same dual pairs for service and client policies.Currently there are not many samples available but the 'Security and Administrator’s Guide for Web Services' guide is good documentation to start with for configuring security using OWSM 11g.
  Rgds,
  Mandrita

• OWSM 11g in EM behaving different than documentation

  Hi everyone,
  I'm trying to get OWSM 11g working so I just installed Soa suite 11gR1(11.1.1.2.0). All I need is to attach a predefined policy to an existing web service which exists incide an EJB in an EAR application. I'm following the instructions from http://download.oracle.com/docs/cd/E12839_01/web.1111/b32511/attaching.htm#CEGDGIHD , in the session "Viewing the Policies That are Attached to a Web Service". Unfortunately I'm expecting different screens than those shown in the Manual. In the documentation the figure 8.1 shows the tabs Operations / Policies / Chart / Configuration, but in my case the same screen shows only the operations Tab, making it impossible to attach the policies I need. Here's what I see at my environment: http://img203.imageshack.us/img203/751/erroowsm.png . I don't know if I missed something but it still not works as the documentation says (figure 8.1). Please, any help will be appretiated !
  Thanks,

  Rajesh wrote:
  Is it going above 1GB ?No, current memory utilization is 503MB, but it keeps increasing. Support specialist told me it is OK for agents with large number of targets to utilize up to 1GB of memory even if I told him I have only 11 targets on this host. I do not think 11 targets is "large number" and I do not want to wait until agent will use 1GB of memory.
  You can also check MOS note :
  How To Effectively Investigate & Diagnose Grid Control Agent High Memory Utilization Issues? [ID 1092466.1]I have read this note and did not find solution for my problem and that is why I contacted Oracle Support. I think this agent is leaking memory, but Support specialist suggests reinstalling this agent on other host.
  I do not think he understands problem and that is why I looking for other opinions.

• Information on 11g security

  Hi,
  DO we need to manually Create AD Authenticator at weblogic level ? As of now we see all LDAPs at RPD level in our project . But at weblogic level we have Default authenticator only . Admin Console-> Security Realms-> Providers .
  What are the steps to be followed while upgrading when we have Microsoft AD and external table for authorization ?
  Do we need to do any manual configurations at Web logic level ?
  now we got all users imported to Admin Console . But all these users are being maintained at External Table level .
  Then why do we need them at web logic level ? If we have users here , will they be in sync with LDAP Users ?
  Thank you,
  Vinay

  Hi,
  Q1. how deploy external database security(users, groups) to OBIEE 11g.
  Solution:
  http://www.varanasisaichand.com/2011/09/external-table-authenticationorder-of.html
  http://www.rittmanmead.com/2012/03/obiee-11g-security-week-connecting-to-active-directory-and-obtaining-group-membership-from-database-tables/
  http://obieeblog.wordpress.com/2009/06/18/obiee-security-enforcement-%E2%80%93-external-database-table-authorization/
  Q2. all the users and roles in LDAP server. in this case how obiee 11g read users and group information?
  Obiee11g is intergated with weblogic fusion middleware (Console,EM). in that console have feature to enable mulitiple LDAP authentication
  while configuring AD via weblogic console we need to give the users and group info
  Solution refer:
  http://obieeelegant.blogspot.com/2012/01/obiee-11g-integration-with-ldap.html
  http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/privileges.htm#BABCDCFE
  Another Links:
  Here are the links http://www.biblogs.com/1969/12/31/obiee-11gr1-security-explained-an-11g-security-overview/
  http://forums.oracle.com/forums/thread.jspa?threadID=1120336
  Award points it is useful.
  thanks,
  Satya
  Edited by: satya R on Apr 24, 2012 8:10 PM

• 1z0-528 (Oracle Database 11g Security Essentials)

  Hi,
  I'm preparing 1z0-528 (Oracle Database 11g Security Essentials) exam. Could anyone recommend some useful books or reading material (except Oracle courses and 11.2 Documentation)?
  Also, If someone has taken 1z0-528, I'm interested how difficult the exam was?
  Thanks,

  Hi;
  All oracle are not easy,so you need to study hardly all course and other pdf and should study hard for exam. I suggest check below link:
  Oracle Database 11g Security Essentials - Training Resources By Exam Topics
  http://www.oracle.com/partners/en/knowledge-zone/database/oracle-database-11g/1z1-528-resources-170324.html
  Oracle Database 11g Security Essentials<< prepration part
  http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=41&p_org_id=9&lang=CS&p_exam_id=1Z0_528
  Regard
  Helios

• Waiting for "Dequeue" from "dequeueOperationService". Asynchronous callback

  I have created BPEL process which will take input from BPEL console client, put this message into queue using enqueue operation of AQ adaptor.Then i have recieve activity in the same BPEL process to dequeue message from the same queue.
  Process is deployed successfully. When I initiate BPEL process through BPEL console client, the message is enqueued properly into queue but when control come to recieve activity of my process i am getting error like this "Waiting for "Dequeue" from "dequeueOperationService". Asynchronous callback" .
  Can you please tell me what is the problem? How can resolve this issue to work my BPEL process fine.
  Thank you. It would be great help.

  Hello,
  I have got the same problem. I tried set-up CorrelatonSet, but I could not find solution ... Receive activity is still waiting for dequeue from AQ (and what's more - message is removed from queue by AQ adapter immediately after BPEL process is deployed. Receive acitivity hasn't information about this dequeue - it's still waiting).
  Could you pls. write more information???
  Many thanks,
  martin

• Asynchronous callbacks without WS-Addressing

  Hi,
  (Oracle BPEL Process Manager Console v10.1.2.0.2
  Oracle JDeveloper v10.1.2.1.0, Build 1915)
  I have a BPEL process (P1) that calls a second BPEL process (P2), which must reply asynchronously back to P1. P2 is only called from P1, so I would like to "hard wire" the return entry point to some operation in P1's WSDL.
  Is it possible to receive asynchronous callbacks that way (as a call to some operation in the calling process' WSDL)? Is it possible without using WS-Addressing?
  Rationale: the ultimate goal is to replace process P2 by a web service implemented with AXIS 1.4, which doesn't support WS-Addressing.
  Thanks in advance,
  Manuel Quijada

  Hi amo,
  I thank you for your reply, but correlation was not the problem for me. I have been trying "109.CorrelationSets" example and it worked fine: it doesn't use WS-Addressing for correlation but I have observed (through a TCP monitor) that it still uses WS-Addressing for the "ReplyTo" address. So (once again):
  Is there some way of receiving callbacks without the need of WS-Addressing?
  Can I "hard wire" the return address to P1 in the second BPEL process (P2)?
  Say P1 is initiated through operation "op1" in port type "pt1". Is it possible to receive the asynchronous callback from P2 in other operation (say "op2") in the same port type (pt1)?
  Best regards and many thanks in advance,
  Manuel

• Require Inputs on OWSM 11g message protection policy

  Hi All,
  we are trying to achieve encryption and decryption of payload in SOA 11g using OWSM. We have configured keystores in the weblogic domain.
  I have two composites namely client and service. The client will invoke the service composite using a partner link with a payload. I have attached oracle/wss11_message_protection_client_policy to the partner link of Client composite and also attached oracle/wss11_message_protection_service_policy to the Service composite.
  When i test the composites there are no errors but i cannot see any encryption and decryption happening. I cannot see any information in the logs as well.
  If anyone has achieved message protection using OWSM 11g then please throw some light on how to go about doing it.
  Thank you in advance.
  Regards
  Narendra

  Narendra,
  Were you able to figure out solution for this.
  Thanks

• OWSM 11g: Invoking a secured web service through a java proxy service

  Hi All,
  I am trying to call a secured bpel service which is expecting a username token password. I have created a java proxy service for the same. I now need to add the username token to the same. Can anyone please guide me in this regard.
  Thanks in advance.

  Just to add some pointers,
  I added the following code to the proxy still the soap headers is not getting propagated.
  OrderBookingAndShipment orderBookingAndShipment = orderbookingandshipment_client_ep.getOrderBookingAndShipment_pt();
  String username = "OWSM_11g";
  String password = "password";
  List credProviders = new ArrayList();
  //client side UsernameToken credential provider
  CredentialProvider cp = new ClientUNTCredentialProvider(username.getBytes(),password.getBytes());
  credProviders.add(cp);
  Map<String,Object> context = ((BindingProvider) orderBookingAndShipment).getRequestContext();
  context.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST,credProviders);

• OBIEE 11g Security Structure

  Ok, having an issue with security and will give an overview of security setup and the issue.
  First, security structure. We are using a Web SSO, so users go to this SSL website, enter their LAN ID and password to login which redirects to Answers. The authentication and authorization are done by initialization blocks which were set up in 10g and upgraded to 11g, so the idea is to hold the security structure. There is a database table that has user id and roles. So when a user connects, it looks in the table based on the blocks and allows them to see what they are suppose to. This security is all setup and tested working. Next the idea was to integrate BI Publisher using that security. By default it uses Fusion Middleware, but based on our security I need to set it to use Oracle BI Server. Now when I do this, I can get people to login and then link over to publisher no issues. If I build a report in publisher and embed it in a dashboard page, when a user click that page, including the "weblogic" user, it loads with error: oracle.xdo.XDOException: Unable to create saw session. please verify the server connection. Now, if I go back and change the security structure back to Fusion Middleware and log in as weblogic user, the report loads with no errors, but end users can no longer access BI Publisher.
  So the question is, if I integrate security with BI Publisher using Oracle BI Server as the selection, is there something I may be missing in order to view BI Publisher embedded content in Answers/Dashboards?

  J.A.M wrote:
  So the question is, if I integrate security with BI Publisher using Oracle BI Server as the selection, is there something I may be missing in order to view BI Publisher embedded content in Answers/Dashboards?Yes, there are additional steps that are required. Please check below instructions:
  1) Every user must be a part of the BIConsumer role.
  2) Steps to allow data sources to the BIConsumer in BI Publisher:
  -- Administration->Roles and Permissions->Add Data Sources:BIConsumer-> Your Datasource Name
  3) Add BIConsumer role to all the XMLPRoles in EM and add all your custom/ootb roles that are being used to the BIConsumer role.
  4) In BI Publisher –
  To access OBIEE catalog through BI Publisher
  Administration -> Server Configuration -> Catalog -> Oracle BI EE Catalog -> Test Connection -> Upload to BI Presentation Catalog
  5) In OBIEE -- Make sure the data model and report's permissions are set appropriately in the catalog.
  Hope this helps.
  Thanks,
  -Amith.