OWSM: SAML message protection policy question

My web services are protected with the SAML message protection policy. According to the document:
http://download.oracle.com/docs/cd/E15523_01/web.1111/b32511/setup_config.htm#BABJAIHD
On the web service side, "Needs the intermediary and root certificate corresponding to the client's public key in the keystore. These certificates will be used to verify the signature by generating a trusted certificate chain."
It also says "Generally, the recipient does not need to have the sender's public key in its keystore to validate the certificate. It is sufficient to have the root certificate in the keystore to verify the certificate chain."
Since the WebLogic default trust store has more than 60 well-known CAs' trusted intermediary and root certificates by default, does this mean that if a web service client owns a key signed by one of these well-known CAs, he will be able to access my web service through the SAML policy?
What if I would like to limit my web service to specified clients only instead of public access; should I remove those well-known intermediary and root certificates from the WebLogic trust store?
Thanks

Hi RaJdeep,
Thank you for your inputs. But I could not get what I have to do here.
Could you please pass on your contact details so that I can contact you.
Thank you in advance.
Regards
Narendra

Similar Messages

  • Require Inputs on OWSM 11g message protection policy

    Hi All,
    we are trying to achieve encryption and decryption of payload in SOA 11g using OWSM. We have configured keystores in the weblogic domain.
    I have two composites namely client and service. The client will invoke the service composite using a partner link with a payload. I have attached oracle/wss11_message_protection_client_policy to the partner link of Client composite and also attached oracle/wss11_message_protection_service_policy to the Service composite.
    When I test the composites there are no errors but I cannot see any encryption and decryption happening. I cannot see any information in the logs as well.
    If anyone has achieved message protection using OWSM 11g then please throw some light on how to go about doing it.
    Thank you in advance.
    Regards
    Narendra

    Narendra,
    Were you able to figure out solution for this.
    Thanks

  • OWSM 11g: Message Protection

    Hi All,
    I have earlier worked on OWSM 10g and implemented XML encryption and decryption. Now, I am trying to implement message protection (encryption and decryption) using OWSM 11g policies. The sample scenario consists of two web services, OWSM_11g and OWSM_11g_client. The message sent from OWSM_11g_client should be encrypted and signed, and OWSM_11g needs to verify the signature and decrypt the message.
    Here is what I have done so far.
    a.) I have attached oracle/wss10_message_protection_client_policy to OWSM_11g and oracle/wss10_message_protection_service_policy to OWSM_11g_client.
    b.) I have configured a keystore for weblogic domain exactly as explained in the following article http://www.ora600.be/node/5000
    c.) I have enabled the logging assertion for oracle/wss10_message_protection_client_policy & oracle/wss10_message_protection_service_policy.
    The message flow between the services is proceeding without any errors. There are two problems that I am facing here:
    a.) I cannot view the SOAP message in the message logs to verify the encryption and decryption.
    b.) It seems that I may be missing some configuration parameters, as specified in the documentation, required to apply the above policies.
    Any inputs regarding this would be greatly helpful.

    Hi there,
    I can suggest the following to you and hopefully it should work:
    a.) Instead of using the default keystore you should set up a new keystore for the WebLogic domain. You may follow the guidelines as described in the following article: http://www.ora600.be/node/5000
    b.) Specify the keystore.recipient.alias (public key, which maps to client_key according to the above article) on a per-client basis using the Security Configuration Details, and keystore.enc.csf.key (private key, which again maps to client_key according to the above article).
    c.) message_protection_client_policy and message_protection_service_policy are made up of assertion templates. So, go to the web services policy page and enable the logging assertion for each of the policies. Here, in case both the composites are on the same SOA server, you need to turn off the local optimization. Read the above post by Ronald, which explains this lucidly. On this page you may change the setting for the request and response messages.
    d.) You need to check the following log file to view the SOAP messages logged by the assertions to verify encryption and decryption: domains\soa_domain\servers\AdminServer\logs\owsm\msglogging\diagnostic.log
    Here I was able to encrypt and sign the message when both the composites were in the same SOA server. However, when they were in different SOA servers some server-side error was occurring. You may try the same as an additional exercise and update me in case you succeed.
    In case you still face any problems I will be glad to help you out.
    Regards,
    Shomit

  • 12c: Signature digest verification failure with SAML msg protection policy

    Hi,
    I am using the policy wss10_saml_token_with_message_protection_service_policy for a Service Bus 12c proxy service and getting the error while verifying the signature digest. I am doing the testing using SOAP UI.
    I am able to understand it's an issue in verifying the signature digest but unable to debug and conclude the cause of this issue, as I did the necessary setup and am using the appropriate keys for encryption and signing. I also tried overriding the policy configuration at policy level and at Service Bus endpoint level too.
    Policy Settings are:
    - Time Stamp included, Signing entire request body, no signing for SAML token and X 509 token.
    - No signature encryption checked and kept default values for all other attributes.
    Configured only Message Security section in WSM Domain Configuration and used JKS as the key store. Used the trusted certificate entry of client as signing alias and own public key as enc alias.
    Following is the error stack trace I am seeing. Please let me know if there is anything missing or any other insights into this issue. The logs generated by setting xml.debug.verify also did not help much. I am thinking the issue may be something to do with canonicalization of the XML.
    Caused by: com.bea.wli.sb.security.wss.WssHandlerException: General web service security error
    at com.bea.wli.sb.security.wss.WssHandlerImpl.generateInboundRequestBLE(WssHandlerImpl.java:1499)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1457)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1444)
    at com.bea.wli.sb.service.disi.handlerchain.handlers.InboundWssPhase1DISIHandler.dispatch(InboundWssPhase1DISIHandler.java:107)
    ... 43 more
    Caused by: com.bea.wli.sb.security.wss.WssException: oracle.wsm.security.SecurityException: WSM-00061 : Signature digest verification failure. The system property xml.debug.verify should be enabled for the details about the digest calculations during verification phase (note xml.debug.verify slows down the signature verification for very large messages).
    Caused by:-
    at com.bea.wli.sb.security.wss.wsm.WsmInboundHandler.handleRequestException(WsmInboundHandler.java:350)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1442)
    ... 44 more
    Caused by: oracle.wsm.security.SecurityException: WSM-00061 : Signature digest verification failure. The system property xml.debug.verify should be enabled for the details about the digest calculations during verification phase (note xml.debug.verify slows down the signature verification for very large messages).
    Caused by:-
    at oracle.wsm.security.policy.scenario.processor.Wss10MessageSecurityProcessor.verify(Wss10MessageSecurityProcessor.java:482)
    at oracle.wsm.security.policy.scenario.processor.Wss10X509TokenProcessor.verify(Wss10X509TokenProcessor.java:301)
    at oracle.wsm.security.policy.scenario.executor.Wss10SamlWithCertsScenarioExecutor.receiveRequest(Wss10SamlWithCertsScenarioExecutor.java:184)
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:642)
    at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:44)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:515)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:427)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:374)
    at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:103)
    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1270)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:563)
    at oracle.j2ee.ws.common.wsm.SecurityAgentTube.processRequest(SecurityAgentTube.java:201)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
    at com.sun.xml.ws.api.pipe.Fiber.access$100(Fiber.java:127)

    Please do let me know if anybody has insights into this issue. I am testing it from SOAP UI and I am completely stuck and can't proceed further. We did face a similar issue in 11g which was gone after upgrading to later OSB releases.

  • Message protection (Encryption) through OWSM in BPEL process 11g

    What are my requirements?
    I want to encrypt the messages in a BPEL process using OWSM message protection policies.
    What is the configuration I am using?
    WebLogic Server 10.3.3
    SOA Server 11.1.1.3.0
    Oracle JDeveloper 11.1.1.3.0
    What have I done so far?
    (1) Created one Sync BPEL process (CalledAddition) which takes two inputs, adds them and gives the output.
    (2) Created one more Sync BPEL process (CallerProcess) which takes two inputs and calls the above created BPEL process (CalledAddition), getting the response back as the addition of the two numbers.
    Now I want to add the OWSM message protection policy to encrypt the message in the main BPEL process (CallerProcess) so that the called service (CalledAddition) decrypts the message upon invocation. It is a very simple scenario.
    For this purpose I have done the following OWSM Policy Configuration:
    (1) Created a java keystore as follows
    keytool -genkey -keyalg RSA -keystore test_keystore.jks -storepass welcome1 -alias client_key -keypass welcome1 -dname "CN=Client, OU=WEB AGE, C=US" -keysize 1024 -validity 1460
    (2) Copy the keystore (test_keystore.jks) to location domain/config/fmwconfig.
    (3) Go to EM console/WeblogicDomain/Security/Credential and delete the map oracle.wsm.security and then again created it, with no key inside.
    (4) Go to EM console/WeblogicDomain/Security/SecurityProviderConfiguration and configure the above created keystore as follows:
    (i) Keystore Type=JKS, Keystore Path=./test_keystore.jks, password=welcome1, confirmPassword=welcome1
    (ii) Signature Key:
    Key Alias=client_key, Signature Password=welcome1, confirmPassword=welcome1
    (iii)Encryption Key:
    Crypt Alias=client_key, Crypt Password=welcome1, confirmPassword=welcome1
    (5) Now restart the server (both Weblogic and SOA server)
    (6) Now again go to EM console/WeblogicDomain/Security/Credential and open expand the oracle.wsm.security map, Automatically
    the following keys are made inside it:
    (i) sign-csf-key
    (ii) enc-csf-key
    (iii) keystore-csf-key
    Created one more key inside it explicitly:
    (iv) basic.credentials with username=weblogic and password=welcome1
    (7) Go to EM console/WeblogicDomain/WebServices/Policy and created the following policies:
    oracle/wss11_message_protection_service_policy:
    (i) select policy oracle/wss11_message_protection_service_policy from list and click on create like button. This will create a copy of the policy with different name.
    (ii) Give the new name as oracle/wss11_message_protection_service_policy_Copy ( which is by default)
    (iii) Local Optimization = off and enabled is checked
    (iv) Attachment Attributes …..
    Applies To=Service Bindings and Service Category=Service Clients
    (v) Assertions …..
    Select middle assertion MessageProtection and Advertised=checked and Enforced=checked
    (vi) Configuration....
    Add following Configure properties, if present already edit them as follows:
    (a) name=keystore.enc.csf.key, property set=standard-security-properties, value=enc-csf-key, Type=Optional
    (b) name=keystore.sig.csf.key, property set=standard-security-properties, value=sign-csf-key, Type=Optional
    (c) name=role, property set=standard-security-properties, Default=ultimateReceiver, Type=Optional
    (v) Setting.........
    Done the following setting
    - Message Security/include timestamp=unchecked
    - Message Signing Setting/Include entire body=unchecked (since we need only encryption, no signing of message)
    - Message Encrypt Setting/include entire body=checked
    (vi) Validate and save
    (vi) Thus a new policy is made in domain with name oracle/wss11_message_protection_service_policy_Copy
    Similarly create oracle/wss11_message_protection_client_policy:
    (ii) Give the new name as oracle/wss11_message_protection_client_policy_Copy ( which is by default)
    (iv) Attachment Attributes …..
    Applies To=Service Bindings and Service Category=Service Endpoint
    (vi) Configuration....
    Add following Configure properties, if present already edit them as follows:
    (a) name=keystore.recipient.alias, property set=standard-security-properties, value=client_key, Type=Optional
    (b) name=role, property set=standard-security-properties, Default=ultimateReceiver, Type=Optional
    (vi) Thus a new policy is made in domain with name oracle/wss11_message_protection_client_policy_Copy
    The rest of the steps (i, iii and v) are the same as described above in the case of the service policy.
    After creating the policies in domain attach them to the bpel process as follows:
    (1) Go to SOA project (CallerProcess) in EM console.
    (2) Click on policy tab
    (3) First attach the client policy (oracle/wss11_message_protection_client_policy_Copy) to the endpoint of the process CallerProcess.
    (4) Then attach the service policy (oracle/wss11_message_protection_service_policy_Copy) to the reference in CallerProcess which is calling CalledAddition.
    (5) Now test the process (CallerProcess)
    Pass inputs, say 10 and 20.
    Upon testing it gives the following error:
    Web Service invocation Failed:
    oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: InvalidSecurity : error in processing the WS-Security security header
    I have made everything clear. I have gone through several documents but am unable to find the solution. If anyone can, please help me in this case.
    Thanks

    I have followed the same steps and am getting the same error.
    User 868153, were you able to resolve this issue.
    Appreciate your help.
    Thanks

  • OWSM 11g: Difference between Message Protection Policies

    Hi all,
    I am using OWSM 11g for securing web services. There are two separate policies provided, oracle/wss10_message_protection_service_policy and oracle/wss10_x509_token_with_message_protection_client_policy. How do these policies differ in providing message protection?
    Additionally, I have the documentation provided by Oracle regarding OWSM 11g. In case there are some additional resources or tutorials for OWSM 11g which might help me, please suggest them.
    Thanks in advance.

    Hi,
    In OWSM 10g there was the concept of server agents and client agents. The server agents were attached to the service providers and client agents were attached to client consumers. Similarly, there are two types of policies available with 11g for service endpoints. One is attached to the service provider endpoint and one is attached to the consumer.
    For e.g., if there is a credit validation web service which requires the payload to be signed and encrypted, then you attach oracle/wss10_message_protection_service_policy to it, and if there is a SOA composite invoking this service, then you attach oracle/wss10_message_protection_client_policy to it. For each of the service-side and client-side policies some configurations/settings can be modified or overridden.
    Now oracle/wss10_message_protection_service_policy is a message integrity and confidentiality service policy implementing WS-1.0 security standards, while oracle/wss10_x509_token_with_message_protection_client_policy is an X509 token based authentication with message protection client policy implementing WS-1.0 security standards.
    Hence, while implementing security, always use the same dual pairs for service and client policies. Currently there are not many samples available, but the 'Security and Administrator's Guide for Web Services' guide is good documentation to start with for configuring security using OWSM 11g.
    Rgds,
    Mandrita

  • OWSM gateway : Message not encrypted error

    Hi,
    I have a BPEL process which invokes a web service via a partner link. Both BPEL and service are secured with OWSM gateway. In the policy defined for BPEL I'm doing Sign Message And Encrypt using an XPath expression (which is working). In the policy for the web service I'm doing a Decrypt and Verify Signature. But it's not invoking the service and throws a Client:GenericFault saying Message is not encrypted.
    In fact the logs from BPEL after encryption show encrypted data. But the logs in the service do not contain the same data.
    Am I doing something wrong? Should I copy something? I'm using the same keystore for both the policies. The version is 10.1.3.1
    Please help me
    Thanks
    Meer

    All of them are running with Win XP SP2 at work. NAT-Traversal: is Disabled. DMZ is enabled. Thanks

  • Deciphering a SAML Message in ColdFusion

    I'm working on an SSO solution for a client. At this time I'm able to encode an authentication message and successfully send it to the ADFS server. The ADFS server handles my login and then returns to my site with an HTTP-POST response. In the POST there is an ADFS encoded SAML message I need to decipher. I found a few samples of code but none have worked. This one seemed to have the most promise but...
    <cfscript>
    // Decode the form field from Base64
    Decoder = CreateObject("Java", "sun.misc.BASE64Decoder").init();
    SamlByte = Decoder.decodeBuffer(Form.SAMLResponse);
    // Create the byte array used as the read buffer for inflation, the CF way
    ByteClass = CreateObject("Java", "java.lang.Byte").TYPE;
    ByteArray = CreateObject("Java", "java.lang.reflect.Array").NewInstance(ByteClass, 1024);
    // Create the byte streams needed for inflation
    ByteIn   = CreateObject("Java", "java.io.ByteArrayInputStream").init(SamlByte);
    ByteOut  = CreateObject("Java", "java.io.ByteArrayOutputStream").init();
    // Create the objects needed for inflation (true = raw DEFLATE, no zlib header)
    Inflater = CreateObject("Java", "java.util.zip.Inflater").init(true);
    InflaterStream = CreateObject("Java", "java.util.zip.InflaterInputStream").init(ByteIn, Inflater);
    // Complete the inflation: copy the stream to ByteOut until it reports end of data
    Count = InflaterStream.read(ByteArray);
    while (Count != -1) {
        ByteOut.write(ByteArray, 0, Count);
        Count = InflaterStream.read(ByteArray);
    }
    // Finished with inflation
    Inflater.end();
    InflaterStream.close();
    // Convert the SAML message back to a string
    SamlString = CreateObject("Java", "java.lang.String").init(ByteOut.toByteArray());
    </cfscript>
    When the code gets to the Count = InflaterStream.read(ByteArray); statement the following error message is returned: oversubscribed dynamic bit lengths tree
    My question is, does anybody have a snippet of code that is used to successfully decipher an ADFS encoded SAML response?
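    The inflater error above is the symptom of applying the HTTP-Redirect binding's decoding to an HTTP-POST response: in the POST binding SAMLResponse is only base64 of the XML, while only the Redirect binding DEFLATE-compresses it first. The following Python is an added example, not code from the original post; it decodes either binding, reproduces the inflate-only failure on POST data, and reads the issuer and status from a constructed sample response (the issuer and destination URLs are hypothetical).

    ```python
    import base64
    import zlib
    import xml.etree.ElementTree as ET

    SAML_NS = {
        "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
        "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    }
    SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

    # Constructed sample response (hypothetical issuer and destination), used
    # only to exercise the two encodings below.
    SAMPLE_RESPONSE_XML = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
        'Version="2.0" IssueInstant="2011-01-01T00:00:00Z" '
        'Destination="https://sp.example.test/acs">'
        '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="' + SUCCESS + '"/></samlp:Status>'
        '</samlp:Response>'
    )


    def encode_post_binding(xml_text: str) -> str:
        """HTTP-POST binding: the XML is only base64-encoded, never deflated."""
        return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


    def encode_redirect_binding(xml_text: str) -> str:
        """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
        comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
        return base64.b64encode(data).decode("ascii")


    def inflate_fails(encoded: str) -> bool:
        """Mirror the original post's approach: always inflate after base64.
        Returns True when the inflater rejects the data, which is what happens
        for a POST-binding SAMLResponse (plain XML is not a DEFLATE stream)."""
        raw = base64.b64decode("".join(encoded.split()))
        try:
            zlib.decompress(raw, wbits=-zlib.MAX_WBITS)
        except zlib.error:
            return True
        return False


    def decode_saml_message(encoded: str) -> tuple:
        """Return (binding, xml_text), choosing the decoding from the payload.
        Base64 output that already starts with '<' is the POST binding; anything
        else is tried as raw DEFLATE (the Redirect binding)."""
        raw = base64.b64decode("".join(encoded.split()))
        if raw.lstrip().startswith(b"<"):
            return "HTTP-POST", raw.decode("utf-8")
        try:
            inflated = zlib.decompress(raw, wbits=-zlib.MAX_WBITS)
        except zlib.error as exc:
            raise ValueError(f"payload is neither XML nor raw DEFLATE: {exc}") from exc
        return "HTTP-Redirect", inflated.decode("utf-8")


    def summarize_response(xml_text: str) -> dict:
        """Pull the issuer and status out of a decoded Response.
        Decoding is not verification: the XML signature must still be checked
        against the IdP's certificate before any assertion is trusted, and a
        hardened parser such as defusedxml is preferable on untrusted input."""
        root = ET.fromstring(xml_text)
        issuer = root.find("saml:Issuer", SAML_NS)
        code = root.find("samlp:Status/samlp:StatusCode", SAML_NS)
        status = code.get("Value") if code is not None else None
        return {
            "issuer": issuer.text if issuer is not None else None,
            "status": status,
            "is_success": status == SUCCESS,
        }


    if __name__ == "__main__":
        for label, encoded in (("POST", encode_post_binding(SAMPLE_RESPONSE_XML)),
                               ("Redirect", encode_redirect_binding(SAMPLE_RESPONSE_XML))):
            binding, xml_text = decode_saml_message(encoded)
            print(label, "->", binding, "| inflate-only fails:", inflate_fails(encoded))
            print("   ", summarize_response(xml_text))
    ```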

    Whatever version came with MX7. When I run it and go to help
    and about, it just shows the version info for cold fusion server.
    Not the report builder. I know it is the latest version however as
    I also downloaded and installed the latest version from
    online.

  • OEG and OSB - username token with message protection

    Hello,
    I've got a simple example of OEG / OSB integration up and running:
    Scenario 1 - username token validation works fine.
    Scenario 2 - username token / message protection has issues.
    I register the web service with OEG and the security policy is auto-generated. I configure it as appropriate but get the error:
    No asymmetric key foundERROR12/5/11 1:46 PM signature error: not specified/not specified, key is not found:
    A doc detailing all the steps I took is available at:
    https://docs.google.com/open?id=0B7YrnfO7h717ODI5NGExODAtNjI0Yy00ZGE0LWI3NzQtZTg4YjM2ZDQzOWQ1
    Any help would be greatly appreciated.

    Replied offline as forum was down. Issue sorted.
    Many thanks for detailed analysis.

  • My MacBook Pro does not start but has an error message with a question mark on screen. Took it in and was told it was probably the hard drive as it could not recognize it, so bought a new one but still not connecting. What do I do?

    My MacBook Pro does not connect but shows an error message with a question mark on the screen. I took it to a retailer that said it was not recognizing the hard drive. He said I needed a new hard drive, but it may be something else as well, but he was sure a new hard drive would fix it. So, putting faith in someone who deals with them, I purchased a new hard drive to find it was still not working, although he said the computer did now recognize the hard drive and I may have to send it away to get it checked. After already paying 120 pounds for a new hard drive, and them wanting another 80.00 pounds to diagnose it, I am a little sceptical.
    That's why I am interested in anyone's help.

    Welcome to the Apple Support Communities
    I think that your Mac detects your hard disk, but the problem is that your new hard disk doesn't contain any operating system, so your Mac doesn't find any bootable partition and you see a question mark.
    If your Mac came with DVDs, insert the Mac OS X Install DVD and hold the C key while your Mac is starting. Then, just install Mac OS X. If the hard disk isn't prepared to install Mac OS X, you will have to erase it using "Mac OS Extended (Journaled)". See > http://pondini.org/OSX/DU1.html

  • I backed up my Viber messages, so my question is, when I restore it on my new iPhone are the Viber messages still there?

    I backed up my viber messages, so my question is when I restore them on my new ipho

    I don't know anything about Viber messages, but the iCloud backup includes app data. Presumably this would include your Viber messages if the app was included in your backup. You would have to check with the Viber app developer to confirm if the app data includes your messages though.
    You can check to confirm the app was included in the backup by going to Settings>iCloud>Storage & Backup>Manage Storage, tap the name of your phone under Backups, then tap Show All Apps under Backup Options and make sure it's listed.

  • Bad Error Message Protection

    Hi,
    The Security team has requested that they look over our router and switch configs before we deploy them in production.
    One thing they mentioned:
    "Bad Error Message Protection" 
    They recommend "setting icmp ignore bogus error responses to 1". I haven't found any Cisco docs on the subject or any commands to enable this. That being said, I haven't tried to configure any bad error message commands because if this is a real concern I want to make sure I am doing it correctly.
    Any advice?
    Thank you.

    ok - it seems problem has been fixed - I was on messenger 3.3 - I downloaded messenger 3.4 and everything seems to work as it should

  • Unity Message Aging Policy

    All,
    Is there any way to customize the message aging policy beyond the options that are present? As an example, is there any way to move a message from New directly to the Deleted folder after 10 days but bypass the move to the Saved folder?
    Thanks,
    All replies rated.

    Hi Trevor,
    One nice way with Unity Connection is with the use of this excellent tool from the great suite of Unity Tools (use the "reset" feature).
    Unity Connection Bulk User Delete
    For resetting users you have the option of emptying the mailbox, resetting greetings, deleting voice names, resetting passwords, removing private lists and a number of other options you may choose. For installations where the user base "changes over" frequently, such as schools, this may be a nicer option. This option is also allowed for CoRes installations since it does not involve the removal of user objects from the Connection database.
    http://www.ciscounitytools.com/Applications/CxN/BulkUserDelete/BulkUserDelete.html
    Cheers!
    Rob
    Please support CSC helps Kiva
    https://supportforums.cisco.com/blog/12122171/cisco-support-community-helps-kiva

  • Message aging policy

    Dear folks,
    I need to create a message aging policy (based on the age of the message) and a mailbox aging policy (if there is no login / incoming message in n number of days).
    The users that are affected by these policies will be based on a private LDAP attribute. Is there a way that I can incorporate this LDAP attribute value to set up the aging policy filter?
    Thanks,
    T Dang

    Dear Jay,
    mboxutil is your friend here. I suggest writing something that calls mboxutil and parses the output. These are not orphaned, unless they've been deprovisioned in LDAP, not something you mention. I can use "mboxutil -l" for the ZERO size case.
    But for the inactivity case, the command "mboxutil -l" ==> list of mailboxes which includes the time of the last message. For a mailbox without messages, no date is returned ... I guess that since your earlier post, you have indicated that there is no way to determine the time of the last login (activity).
    mbox -o -t n ==> I guess I won't be able to use this option, since this will output only orphan mailboxes.
    Thanks,
    T Dang
    Message was edited by:
    tindang

  • TS3212 Tried to install itunes and I got this message. Policy 8.0 microsoft VC80.CRT type="win 32-policy' version=8.050727 6195 public key token='1fc8b3b9a1e18e3b processor architecture='x86'

    Tried to install itunes and I got this message. Policy 8.0 microsoft.VC80.CRT type=win32-policy version=8.050727.6195 public key token=1fc8b3b9a1e18e3b. Processor Architecture='x86'

    Hi M2i7guel,
    Welcome to Apple Support Communities.
    It sounds like there is an issue installing iTunes and other Windows updates on your PC. The article linked below provides troubleshooting suggestions that will resolve most issues like the one that you've described.
    Issues installing iTunes or QuickTime for Windows
    http://support.apple.com/kb/HT1926
    I hope this helps.
    -Jason
