Owsm saml policies

Similar Messages

• OWSM 11g : Authentication Providers for X.509 and SAML policies

  Hi All,
  I am currently trying to implement the X.509 and SAML policies. As per the documentation for these polices I need to configure an authentication provider(or Identity Assertion provider) that can handle perimeter authentication via the NameCallback. I had configured an authentication provider(default authentication provider) that handled the namecallback and passwordcallback. What I can't figure out is how do these two authentication providers differs. And, incase one has to configure for the X.509 and SAML policies how to do the same.
  Any pointers will be useful. Especially, from anyone who has worked and implemented the above policies.
  Thanks in advance.
  Edited by: Shomit Sahdev on ८ अप्रैल, २०१० १२:२५ पूर्वाह्न

  After research by Oracle Support it actually turns out that this problem was a combination of factors:
  1) some clients were effectively using an invalid certificate so it is corrrect they got an error and everything worked fine when they started using the right certificate
  2) it does, however, turn out that, in the case of an error the error handling has been obfuscated in WLS 10.3.6 as compared to WLS 10.3.4 which gives a more descriptive error stating the nature of the problem (missing certificate, invalid certificate, unknown user, ...). Apparently this was deemed a security issue and has thus been replaced by a generic "internal server error". It is however possible to re-activate this older behaviour using a couple of JAVA_OPTS that you pass during server startup:
  -Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true
  The above reintroduced the behaviour we had in WLS 10.3.4 and thus solves our problem!

• OWSM SAML verification and Must Understand error

  Has anyone verified SAML tokens generated by JDev proxies by OWSM?
  I tried to use the simplest scenario (similar to what I had tested when verifying SAML with Application Server) with OWSM. I don't use signature and just sender vouches at the proxy side. On the other side, OWSM, I have a gateway which has one step in the request pipeline which verifies SAML.
  I get this response message:
  <?xml version = '1.0' encoding = 'UTF-8'?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://project1/types/">
  <env:Body>
  <env:Fault>
  <faultcode>env:MustUnderstand</faultcode>
  <faultstring>*SOAP must understand error: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security*</faultstring>
  </env:Fault>
  </env:Body>
  </env:Envelope>
  Regards
  Farbod
  P.S. this is my request message:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://project1/">
  <env:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1">
  <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsu:Id="B1tdL86gkmAN00oYpfTmOw22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:KeyIdentifier xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">lrLlLdbWLda851vHdngAEA22</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  <saml:Assertion MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="lrLlLdbWLda851vHdngAEA22" IssueInstant="2008-10-11T08:46:36Z" Issuer="www.oracle.com">
  <saml:Conditions NotBefore="2008-10-11T08:46:36Z" NotOnOrAfter="2008-10-12T08:46:36Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2008-10-11T08:46:36Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml:Subject>
  <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">www.oracle.com</saml:NameIdentifier>
  <saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
  </saml:SubjectConfirmation>
  </saml:Subject>
  </saml:AuthenticationStatement>
  </saml:Assertion>
  </wsse:Security>
  </env:Header>
  <env:Body>
  <ns0:jamshidElement/>
  </env:Body>
  </env:Envelope>

  Without more specific about the SOAP Fault you are getting, the version and the type of client you built, it will be hard to give you specifics.
  You may want to verify that the policy used to configure the client proxy does match with the server-side.
  Usually, this error is generated during deserialization of a SOAP envelope when some SOAP header contains the mustUnderstand attribute with the value set to true and are not ready (configured) to process this specific header.
  It could be just a version mismatch; I process header in the foo namespace, but this one was in the bar namespace.
  Hope it helps,
  -Eric

• OWSM SAML Verify step problem: Missing Security Header in SOAP message

  I'm having a problem with SAML steps. From gateway log:
  2008-09-17 13:21:32,987 INFO [HTTPThreadGroup-58] saml.InsertSAMLSVStep - User attributes map set to generate the attribute assertions: null
  2008-09-17 13:21:33,034 INFO [HTTPThreadGroup-60] saml.SAMLProcessor - Assertion Major Version :1 , Minor Version :1
  2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.SAMLProcessor - SAML Assertion verification error: An invalid token was provided
  2008-09-17 13:21:33,034 WARNING [HTTPThreadGroup-60] saml.VerifySAMLStep - SAML Token verification failed:
  2008-09-17 13:21:33,096 SEVERE [HTTPThreadGroup-58] wssecurity.OSDTWSSecurity - Missing Security Header in SOAP message
  2008-09-17 13:21:33,096 WARNING [HTTPThreadGroup-58] wssecurity.SecurityBaseStep - Failure while applying XML Security
  FAULT CODE: InvalidSecurity FAULT MESSAGE: Missing WS Security header in the SOAP message
  at com.cfluent.policysteps.security.wssecurity.OSDTWSSecurity.decryptVerify(OSDTWSSecurity.java:369)
  at com.cfluent.policysteps.security.wssecurity.DecryptStep.performXmlSecurity(DecryptStep.java:131)
  at com.cfluent.policysteps.security.wssecurity.SecurityBaseStep.execute(SecurityBaseStep.java:238)
  at com.cfluent.pipelineengine.container.DefaultPipeline.executeStep(DefaultPipeline.java:124)
  but the wsse:Security header with SAML assertion IS confirmed in the incoming message log. Anybody seen this issue?

  Below is the log of the incoming message just prior to the failing SAML Verify step:
  <?xml version="1.0" encoding="UTF-8" ?>
  - <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://exception.common.periop.gehc.com" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns2="http://www.patient.patientmanager.periop.gehc.com/service/" xmlns:ns3="http://entity.common.periop.gehc.com" xmlns:ns4="http://entity.patient.patientmanager.periop.gehc.com" xmlns:ns5="http://entity.allergy.patientmanager.periop.gehc.com" xmlns:ns6="http://pdo.domain.customizer.periop.gehc.com" xmlns:ns7="http://entity.cases.scheduler.periop.gehc.com" xmlns:ns8="http://entity.insurance.patientmanager.periop.gehc.com">
  - <env:Header>
  - <ns1:Security>
  - <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="158RBY2QvCFPiTqdXYWh9A22" IssueInstant="2008-09-17T19:58:43Z" Issuer="GE" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2008-09-17T19:58:13Z" NotOnOrAfter="2008-09-17T19:59:43Z" />
  - <saml:AuthenticationStatement AuthenticationInstant="2008-09-17T19:58:43Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  - <saml:Subject>
  <saml:NameIdentifier NameQualifier="www.ge.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">gowri</saml:NameIdentifier>
  - <saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
  </saml:SubjectConfirmation>
  </saml:Subject>
  </saml:AuthenticationStatement>
  </saml:Assertion>
  </ns1:Security>
  </env:Header>
  - <env:Body>
  - <ns2:getPatient>
  <ns2:patientId>137115</ns2:patientId>
  </ns2:getPatient>
  </env:Body>
  </env:Envelope>

• OWSM: SAML Verify WSS 1.0 Token

  Hi,
  I have created a policy for a service registered with the gateway with 'SAML - Verify WSS 1.0 Token' as one of the steps in the Request pipeline. I am using JKS as the store type. When a client tries to invoke the service, it gets the following error from the gateway:
  javax.xml.rpc.soap.SOAPFaultException: Did not understand "MustUnderstand" header(s)
  On the other hand gateway.log shows the following message:
  saml.SAMLProcessor - SAML assertion confirmation method: urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
  The client is a J2SE client created using JDeveloper.
  Am I missing something important here?
  Any help would appreciated.
  Thanks

  Normally, the mustUnderstand error is given out by the OC4J web service when the service receives a SOAP request with a security header with mustUnderstand attribute set to 1.
  What is the SOAP message being received by the web service itself?
  Vikas Jain
  http://ws-security.blogspot.com

• OWSM: SAML message protection policy question

  My web services are protected with SAML message protection policy. according to document:
  http://download.oracle.com/docs/cd/E15523_01/web.1111/b32511/setup_config.htm#BABJAIHD
  On the web service side, "+Needs the intermediary and root certificate corresponding to the client's public key in the keystore.These certificates will be used to verify the signature by generating a trusted certificate chain+."
  Also says "+Generally, the recipient does not need to have the sender's public key in its keystore to validate the certificate. It is sufficient to have the root certificate in the keystore to verify the certificate chain+."
  Since weblogic default trust store have more than 60 well known CA's trust intermediary and root certificate by default, does this mean that if web service client own a key signed by one of these well know CA, he will be able to access my web service through SAML policy?
  What if I would like to limit my web service only to specified client instead of public access, should I remove those well known intermediary and root certificate from weblogic trust store?
  Thanks

  Hi RaJdeep,
  Thank you for your inputs.But I couldnot get what I have to do here.
  Could you please pass on your contact details so that I can contact you.
  Thank you in advance.
  Regards
  Narendra

• Customizing OWSM 11g SAML policy

  Hi,
  The current OWSM SAML policy validates only one token against Identity store.
  Our requirement is to validate against couple of atributes, is there any option available in existing policy or do we need to write custom policy extending the exisitng policy.
  Any pointers on this will be more helpfull.
  Thanks,
  Sowmya

  me too am facing same problem..did you manage to solve this?
  please suggest..

• Custom OWSM Authorization Policy Not Visible in OSB 11g

  I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB servcies:
  * the underlying SOA service functions in the /em console test page
  * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
  * the oracle/log_policy can be added to the OSB business service and generates log entries
  * the outer proxy service can be successfully invoked from a remote client with no security policies,
  with HTTP transport security and authorization policies and with OWSM authentication policies
  attached (given the correct request payloads)
  These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
  Here are the steps that were performed:
  1) created group myfirmIdentityData in WebLogic console (/console)
  2) created userid myappuser in WebLogic console
  3) added myappuser to the myfirmIdentityData group in WebLogic console
  4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
  using the Fusion console (/em on the SOA domain)
  5) edied myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
  list of permitted roles (***)
  *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
  6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
  the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
  NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
  7) accessed the Service Bus console (/sbconsole), started a change session, selected the
  proxy service, then clicked on the Policies tab, then clicked the Add button in the
  Service Level Policies section
  At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
  I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
  Any insight?
  Thanks.

  Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
  In a nutshell, policies in OWSM can be created to be applied against:
  * Components --- only usable against SOA services
  * Service Endpoints --- against URLs used as access points into services
  * Service Clients -- against consumers of services as identified by credentials
  * All -- all of the above
  However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData policy then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composities since it applied to only Components.
  To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
  A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.

• OWSM 11g: Message Protection

  Hi All,
  I have earlier woked on OWSM 10g and implemented XML encryption and decryption. Now,I am trying to implement message protection(encryption and decryption) using OWSM 11g policies. The sample scenario consists of two web services OWSM_11g and OWSM_11g_client. The message send from OWSM_11g_client should be encrypted and signed and OWSM_11g needs to verify the signature and decrypt the message.
  Here is what i have done so far.
  a.) I have attached oracle/wss10_message_protection_client_policy to OWSM_11g and oracle/wss10_message_protection_service_policy to OWSM_11g_client.
  b.) I have configured a keystore for weblogic domain exactly as explained in the following article http://www.ora600.be/node/5000
  c.) I have enabled the logging assertion for oracle/wss10_message_protection_client_policy & oracle/wss10_message_protection_service_policy.
  The message flow between the services is proceeding without any errors. There are two problems that I am facing here:
  a.) I cannot view SOAP message in the message logs to verify the encrytion and decryption.
  b.) It seems that I may be missing out some configuration parameters as specified in the documentation required to apply above policies.
  Any inputs regarding this would be greatly helpful.

  Hi there,
  I can suggest the following to you and hopefully it should work:
  a.) Instead of using the default keystore you should set up a new keystore for the weblogic domain. You may follow the guidelines as described in the following article: http://www.ora600.be/node/5000
  b.) Specify the keystore.recipient.alias (public key which maps to client_key according to the above article) at per-client basis using the Security Configuration Details and keystore.enc.csf.key (private key which again maps to client_key according to the above article).
  c.) message_protection_client_policy and message_protection_service policy are made up of assertion templates. So, Go to the web services policy page and enable the loggin assertion for each of the policies. Here, in case both the composites are on the same soa server then, you need to turn off the local optimization. Read the above post by Ronald which explains this lucidly. On this page you may change setting for the request and response messages.
  d.) You need to check the following log file to view the soap messages logged by the assertions to verify encryption and decryption domains\soa_domain\servers\AdminServer\logs\owsm\msglogging\diagonstic.log
  Here I was able to encrypt and sign the message when both the composites were in the same soa server. However when they were in different soa server some server side error was occuring. You may try the same as an addtional exercise and update me in case you succeed.
  In case you still face any problems I will be glad to help you out.
  Regards,
  Shomit

• WLS10.3 and wssp1.1 policies support

  Hi,
  I try to use SAML policies in OSB 10.3 ( ALSB). But the OSB only supports the wssp1.1 policies and the web services I try to call in the OSB are deployed on a wls 10.3 server which supports the wssp1.2 policies
  Can I use the wss1.1 policies on a wls 10.3 server
  I want to use the wssp1.1 saml1.1 sender vouches policy
  thanks Edwin

  Try this policy:
  <?xml version="1.0"?>
  <wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  >
  <sp:AsymmetricBinding>
  <wsp:Policy>
  <sp:InitiatorToken>
  <wsp:Policy>
  <sp:X509Token
  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
  <wsp:Policy>
  <sp:WssX509V3Token10/>
  </wsp:Policy>
  </sp:X509Token>
  </wsp:Policy>
  </sp:InitiatorToken>
  <sp:RecipientToken>
  <wsp:Policy>
  <sp:X509Token
  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
  <wsp:Policy>
  <sp:WssX509V3Token10/>
  </wsp:Policy>
  </sp:X509Token>
  </wsp:Policy>
  </sp:RecipientToken>
  <sp:AlgorithmSuite>
  <wsp:Policy>
  <sp:Basic256/>
  </wsp:Policy>
  </sp:AlgorithmSuite>
  <sp:Layout>
  <wsp:Policy>
  <sp:Lax/>
  </wsp:Policy>
  </sp:Layout>
  <sp:IncludeTimestamp/>
  <sp:ProtectTokens/>
  <sp:OnlySignEntireHeadersAndBody/>
  </wsp:Policy>
  </sp:AsymmetricBinding>
  <sp:SignedSupportingTokens>
  <wsp:Policy>
  <sp:SamlToken
  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
  <wsp:Policy>
  <sp:WssSamlV11Token10/>
  </wsp:Policy>
  </sp:SamlToken>
  </wsp:Policy>
  </sp:SignedSupportingTokens>
  <sp:Wss10>
  <wsp:Policy>
  <sp:MustSupportRefKeyIdentifier/>
  <sp:MustSupportRefIssuerSerial/>
  </wsp:Policy>
  </sp:Wss10>
  </wsp:Policy>

• How validate user.attributes in SAML assertation?

  Hello!
  I'm using WebLogic Server 10.3.6.0 + Oracle Service Bus 11.1.1.6 + Oracle Enterprise Manager 11g.
  I deploy my Web Service on Weblogic Server and protect this by OWSM SAML-based policy (now it is oracle/wss_saml_token_bearer_over_ssl_service_policy).
  It is working, but some things I don't understand.
  My main question: how can I configure to validation of user.attributes in the saml assertation?
  For example, inbound requests has 3 attributes in saml assertation tag: role, email and dept.
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance">
  <soap:Header>
  <wsse:Security>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="Id-0000010a3c4ff12c-0000000000000002"
  IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
  <saml:Issuer Format="urn:oasis ... WindowsDomainQualifiedName">
  TestCA
  </saml:Issuer>
  <saml:Subject>
  <saml:NameIdentifier Format="urn:oasis ... WindowsDomainQualifiedName">
  TestUser
  </saml:NameIdentifier>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-03-27T15:20:40Z"
  NotOnOrAfter="2028-03-27T17:20:40Z"/>
  *<saml:AttributeStatement>*
  *<saml:Attribute Name="role" NameFormat="http://www.oracle.com">*
  *<saml:AttributeValue>admin</saml:AttributeValue>*
  *</saml:Attribute>*
  *<saml:Attribute Name="email" NameFormat="http://www.oracle.com">*
  *<saml:AttributeValue>[email protected]</saml:AttributeValue>*
  *</saml:Attribute>*
  *<saml:Attribute Name="dept" NameFormat="">*
  *<saml:AttributeValue>engineering</saml:AttributeValue>*
  *</saml:Attribute>*
  *</saml:AttributeStatement>*
  </saml:Assertion>
  </wsse:Security>
  </soap:Header>
  <soap:Body>
  <product>
  <name>Enterprise Gateway</name>
  <company>Oracle</company>
  <description>Web Services Security</description>
  </product>
  </soap:Body>
  </soap:Envelope>
  But I want permit only request's with 4 attibutes (for example, role + email + dept + city) or something like? How I can configure this in OWSM-policy settings or WebLogic settings?
  Thanks for any help.

  That would be the easiest route but isn't it against the standards to use triggers on tables. I was thinking of doing the validation before the item is created on the page, by customizing the create item and update item pages.
  Did anyone work on PIM to do this sort of customization, the pages are all dynamic and are pretty complex, I am not able to figure out where to fit in my validation.

• RIDC client using JAX-WS Web Service requires OWSM policy

  Hi
  For development purposes, I want to invoke the RIDC JAX-WS Web Service (I believe this to be the 11g idc native ws) but an error is thrown stating the various policies are invalid. The fact is my instance of Weblogic is not set up with OWSM and there are no security policies applied or configured.
  I was wondering if there was a way to invoke this web service using http basic authentication and bypass the requirement to have a policy attached.
  If not, does anyone have steps on how to enable OWSM and policies, and attach these to the IDC native web services).
  Thanks
  M

  Hi Ryan
  Yes, I have tried to use the JAX-WS with configuration that I was hoping would set Basic Auth on the request, however an error is thrown stating that the required policies are invalid on the server.
  In summary:
  I create a JaxWSClient client.
  I create a binder using the client.
  I create a IdcContext using a valid username and password.
  I set up the service details and params in the binder.
  I send the request by invoking the client and passing the binder and IdcContext.
  With this basic set-up, I get a SOAP fault from the server stating that policy 'oracle/no_authentication_service_policy' and oracle/no_messageprotection_service_policy are invalid. It makes sense that there are invalid as they are not present on my weblogic instance, and it seems that because I have not specified any other configuration, that these are treated as the default policies.
  Setting up basic auth would be ideal, as I do not have control of the Weblogic instances, and so getting OWSM would be a pain. There may be some way to set up the client to use Basic Auth, but unfortunately I cannot see how.
  Cheers

• SOAP must understand error error when calling composite

  Hi,
  I am trying to invoke composite application in soa suite 11g from soapui. In soapui my soap request contains following part of security info under header part.
  <wsse:Security soap:mustUnderstand="1" xsi:schemaLocation="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  ..\Schemas\oasis-200401-wss-wssecurity-secext-1.0.xsd http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd ..\Schemas\oasis-wss-wssecurity-secext-1.1.xsd http://www.w3.org/2001/10/xml-exc-c14n# ..\Schemas\xml-exc-c14n.xsd">
  But when I try to execute in soapui I am getting following error
  <env:Fault>
  <faultcode>env:MustUnderstand</faultcode>
  <faultstring>SOAP must understand error:{http://docs.oasis-open.org/wss/2004  /01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security.
  </faultstring>
  </env:Fault>
  I think I need to copy these xsd files in my composite application? if yes where should I and how to refer those in soap request?
  Appreciate your quick help.
  Thanks,
  Sri

  Without attaching policy can't I execute?No. You have to attach policy. If none of the pre-seeded policies fulfill your requirement then you may always create your won custom policy. Please refer -
  http://technology.amis.nl/blog/11138/owsm-custom-policies-still-some-sharp-edges-so-beware-dont-cut-yourself
  http://ws-security.blogspot.com/2010/01/howto-owsm-11g-creating-custom-policy.html
  Regards,
  Anuj

• Disable Webservices access through web

  Hi All,
  In OFMW and AIA 11g ps3, how can we disable webservices access through web i.e. restrict webservice call from outside
  world using OWSM security policies?
  We dont want to use username based authentication or any other policies that is based on authentication and authorization.
  Please let me know how can we achieve this?
  Thanks in advance.

  Hi,
  I think the best way would be to block the access to services at firewall so that these services have restricted access within the network. This can be achieved only if none of the services need to be exposed over to the internet.
  Regards,
  Neeraj Sehgal

• BPEL - SOAP must understand error - Partner Link Reply Contains WSSE in Soa

  Hello,
  I'm trying to call a WS-Secured partner link from a BPEL process. The SOAP request looks perfect, however the partner link's reply contains a WSSE security element in the SOAP header. Is there a way to configure the BPEL process to expect this and not throw a 'SOAP must understand error'. Both Request and reply SOAP envelopes are below.
  Any help would be much appreciated - thanks.
  Request:
  <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Header><wsse:Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Username>username</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></env:Header><env:Body>soapBody</env:Body></env:Envelope>
  Response:
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://xmlns.domain.com/service/soa/ServiceEntitlementWS" xmlns:ns1="http://xmlns.domain.com/services" xmlns:ns2="http://xmlns.domain.com/service/contract" xmlns:ns3="http://xmlns.ni.com/support/customer/serviceLevel" xmlns:ns4="http://xmlns.ni.com/support/customer/linkageSet"><env:Header> *<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1"/>* </env:Header><env:Body>soapBody</env:Body></env:Envelope>
  Edited by: user639053 on Oct 6, 2009 2:33 PM

  Without attaching policy can't I execute?No. You have to attach policy. If none of the pre-seeded policies fulfill your requirement then you may always create your won custom policy. Please refer -
  http://technology.amis.nl/blog/11138/owsm-custom-policies-still-some-sharp-edges-so-beware-dont-cut-yourself
  http://ws-security.blogspot.com/2010/01/howto-owsm-11g-creating-custom-policy.html
  Regards,
  Anuj