Secure OSB10g with owsm 10g

Hi,
I have a customer who have some flows exposed as webservices via proxy services on OSB 10g, he would like to implement authentication and authorisation, what is the best architecture to do it ? he is thinking to use OWSM 10g but don't know what is the best implementation architecture ?
He is also asking this questions : OWSM 10g is it compatible with OSB 10g or not ?
Thanks for your help.

OSB 10g is compatible with OWSM ( 10.1.3.x and later & 11.1.1). Please refer to the following links for more details:
http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/security/owsm.html
http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/interopmatrix/matrix.html (Refer to Platform Interoperability section)
Hope this helps.
Thanks,
Patrick

Similar Messages

  • Securing Services with OWSM 10g gateway

    Hi
    I have a small issue with an application we are trying to secure with the Oracle SOA suite 10g Gateway.
    We have 2 application servers which we are trying to configure in a HA configuration.
    We have several internal services that are used within our ocre application and 2 services we wish to expose to the outside world.
    We initially wanted to expose these through the OWSM gateway but seem to have problems stopping external users from invoking internal services.
    We have the BPEL, ESB, WSM Monitor, Manager, Rules installed on one oracle home and the owsm gateway and policy manager installed on a seperate Oracle home. The OHS is installed on the same machine with 2 virtual hosts with different ports externalSOA:7777 and internalSOA:8888
    We have configured the OHS to filter out certain urls for the externalSOA VH such as /em, /esb_dt, /ccore which seems to work.
    However services deployed into internalSOA:8888 are still invokable but externalSOA:7777/servicename
    does anyone have a better solution or some ideas as to what we are doing wrong?
    Regards

    Yes, true,
    I was assuming a firewall protecting internal zone is part of DMZ setup, and infrastructure is on 10g, and owsm gateway, according to initial poster.
    Protecting the internal URL, only allowing gateway requests to pass through would require the requesthandler (service URL) to look into the request.
    What we did was to let the owsm gateway do the authentication/authorization, and adding a policy step to "insert SAML".
    So the client request contains a valid username/password to be authenticated towards LDAP. After authZ an additional SAML header is added, containing a magic token known only to owsm gateway, and internal requesthandler, processing the service URL request.
    If the request did not pass through gateway it will not contain the saml magic token, and thus be rejected by requesthandler.
    11g has some improvements when it comes to protection using agents, but as long as the weaknesses are not covered (lack of gw-functionality) it would be wise to handle this in current infrastructure.
    Suggesting a switch to 11g infrastructure to solve his issue is a bit over the top., switching the entire SOA infrastructure is not something done overnight.

  • Securing SOA 11g Web Services with OWSM AD authentication

    I have SOA 11g with Weblogic 10.3.5 installed and running a Web Service and a Client I want to protect with Active Directory auth and perhaps some other access rules. As I read, I can use OWSM policies to do that. Most guides I found concern OWSM 10g.
    How can I make WL use AD authentication? Do I have to use Access Manager?

    I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with embedded signature and this seems to be not supported with the used OWSM policy. Without the signature is the exception gone.
    Marian

  • Restricting IP's with OWSM?

    Hi guys.
    Just started looking at OWSM, cause we're deploying web services by the dozen and I want to get it all into a centrally managed environment before its too late :)
    Question: Is it possible with OWSM to restrict the ip's that are allowed to call a WS. In other words to make sure that WS1 can only be called from 127.1.2.3 and not from 128.3.4.5? Never mind any other security layers built into the WS call, just pure IP restrictions. I suspect it is possible to do that on the application server where the WS is really deployed, but if I put a gateway in via OWSM, then all the IP's at the application server level will be the ip of the OSWM where the gateway is running, thus defeating the purpose. Or am I completely off track? (Not an impossible scenario :) )
    Eagerly awaiting your replies/comments/wild speculations.
    Elmar

    Hi,
    OWSM can run in two different modes, as a gateway or with agents. When acting as a gateway the original webservices will be proxied via the OWSM gateway. So yes all services will be accessed via the same ip. The original ws however is still accessible if somebody knows its ip address and endpoint. In OWSM you can not restrict the ip addresses that can access the gateway, if you want that you need to do it at a network level. If using only webservices on oracle application servers (and others that have a owsm agent available, ... eg .Net does not have an agent) you can install the agent for your services which will make the webservice itself forward the requests to OWSM. Still this does not allow you to only access the services from certain ip addresses. So the conclusion is, if you need to allow only certain ip addresses to access your webservices it is best to do it at a network level.
    Andre

  • Security issues for Discoverer 10g apps 12i

    gurus,
    I have couple of things to get it done at client.
    We are on Oracle Apps rel 12i with dicoverer 10g.
    Did anyone setup MOAC to be enabled and operational in business areas?
    Setting up secure responsibilities in discoverer for MOAC?
    Any setup needs to be done for custom report security in discoverer ?
    thx

    Hi,
    I did setup new MOAC security profiles and assigned multiple organizations to that profile for testing purpose.
    After this, I did run concurrent program "Security List Maintennce" etc...
    Tested Upding profile at user level or responsibility level.
    On APPS side fine.
    I need the some basic steps on setup of security issues for discoverer side.
    1) Business areas (any security steps need to be followed in order to access data for single or multi-org)
    2) Custom Reports ( any security setup or any moac security profile setting against responsibilty for accessing single or multi-org data)
    Since we dont have default operating unit parameter as specified in the concurrent program, how do you restrict data?
    3) Reconciling security approach r12 with discoverer (any steps need to be followed here after r12 configuration with security issues)
    4) Custom Views ( any steps to be followed for single or multi-org data as security aspect)
    Looking for info on these setups.
    Thx

  • Osb proxy service with owsm policy auth slow when soap request very large

    I have a proxy service which is security with owsm policy: oracle/wss_username_token_service_policy, the proxy service simply route to Business Service which directly invoke a bpel exposed web service, when I call the proxy service with soap envelope large than 15MB(not attachment), waiting about 4~5 minutes, the bpel instance created ; but when I remove the security policy:oracle/wss_username_token_service_policy, it will cost only 20 seconds, why authentication cost so long? How can I deal with the problem?
    My English is poor, please don't mind!
    besides, with my OSB version is 11.1.1.6.0

    I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with embedded signature and this seems to be not supported with the used OWSM policy. Without the signature is the exception gone.
    Marian

  • Enabling ws-security UserNameToken using OWSM

    Hi,
    I am using BPEL PM with OWSM; I need to enable WS-security for the incoming messages to a service running on BPEL server.
    I completed the initial steps such as creating a gateway and registering the service in that gateway after that I could see a WSDL generated by the OWSM.
    After this I don’t know how to enable WS-security (UserNameToken only), iam not finding anything in the documents,Could any one through some light on this??
    Best Regards,
    Chandra

    I'm a bit confused by these questions.
    There's nothing you need to do to ENABLE this.
    OWSM can convert credentials (http headers, etc.) to WS-security if you want (proper sequence of "Extract Credentials" and "Insert Credentials" in the pipeline should do this)
    OWSM cannot insert any identity "out of the blue", the information should be somewhere in the request coming into the gateway...
    Marc

  • Applying security patch to Oracle 10G on Linux

    Hello,
    I'm new to Oracle DBA world, need to apply security patch to Oracle 10G on Linux server, any tips and notes would be appreciated.
    thanks
    Sam

    Manish,
    1. I have to upgrade the database version from 10.2.0.2 to 10.2.0.4 on Linux, Is there any proper documentation which will help me out?Please refer to the following document.
    Note: 454750.1 - Oracle Apps Release 12 with Oracle Database 10.2.0 interoperability notes
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=454750.1
    2. What are the types of oracle database patches? what is the proper procedure to apply those kind of patches to Oracle 10g on Linux?
    Most of the patches in this upgrade are database patches (which should be applied using opatch). The main upgrade patch (Patch 6810189 - 10.2.0.4 patch set) should be applied using Oracle Universal Installer (runInstaller).
    Always follow the steps in the patch README file before applying any patch.
    Regards,
    Hussein

  • How do I reset my apple id security question with out a rescue email

    How do I reset my apple id security question with out a rescue email?

    You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.
    They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
    (101013)

  • My itunes in pc fails to secure link with itunes store it shows the process bar it automatically quits the process it also does not shows any on the screen. i am using windows xp service pack 3. what shoul i do?

    my itunes in pc fails to secure link with itunes store it shows the process bar it automatically quits the process it also does not shows any on the screen. i am using windows xp service pack 3. what shoul i do?
    Diagnostics test
    Microsoft Windows XP Professional Service Pack 3 (Build 2600)
    ECS G31T-M7
    iTunes 10.5.2.11
    QuickTime 7.6.9
    FairPlay 1.13.37
    Apple Application Support 2.1.6
    iPod Updater Library 10.0d2
    CD Driver 2.2.0.1
    CD Driver DLL 2.1.1.1
    Apple Mobile Device 4.0.0.97
    Apple Mobile Device Driver 1.57.0.0
    Bonjour 3.0.0.10 (333.10)
    Gracenote SDK 1.9.5.502
    Gracenote MusicID 1.9.5.115
    Gracenote Submit 1.9.5.143
    Gracenote DSP 1.9.5.45
    iTunes Serial Number 0012ABAC07F3CCB0
    Current user is an administrator.
    The current local date and time is 2011-12-31 14:06:21.
    iTunes is not running in safe mode.
    WebKit accelerated compositing is enabled.
    HDCP is not supported.
    Core Media is not supported. (16005)
    Video Display Information
    Intel(R) G33/G31 Express Chipset Family
    **** External Plug-ins Information ****
    No external plug-ins installed.
    **** Network Connectivity Tests ****
    Network Adapter Information
    Adapter Name:        {7599FAD1-1BB9-4AC6-80AF-404253DC519E}
    Description:            Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
    IP Address:             192.168.1.5
    Subnet Mask:          255.255.255.0
    Default Gateway:    192.168.1.1
    DHCP Enabled:      Yes
    DHCP Server:         192.168.1.1
    Lease Obtained:     Sat Dec 31 13:46:09 2011
    Lease Expires:       Tue Jan 03 13:46:09 2012
    DNS Servers:         192.168.1.1
    Active Connection: LAN Connection
    Connected:             Yes
    Online:                    Yes
    Using Modem:        No
    Using LAN:             Yes
    Using Proxy:           No
    SSL 3.0 Support:     Enabled
    TLS 1.0 Support:     Enabled
    Firewall Information
    Windows Firewall is on.
    iTunes is enabled in Windows Firewall.
    Connection attempt to Apple web site was successful.
    Connection attempt to browsing iTunes Store was successful.
    Connection attempt to purchasing from iTunes Store was successful.
    Connection attempt to iPhone activation server was unsuccessful.
    The network connection timed out.
    Connection attempt to firmware update server was unsuccessful.
    The network connection timed out.
    Connection attempt to Gracenote server was successful.
    Last successful iTunes Store access was 2011-12-31 14:00:02.
    **** Device Connectivity Tests ****
    iPodService 10.5.2.11 is currently running.
    iTunesHelper 10.5.2.11 is currently running.
    Apple Mobile Device service 3.3.0.0 is currently running.
    Universal Serial Bus Controllers:
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C8.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C9.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CA.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CB.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB2 Enhanced Host Controller - 27CC.  Device is working properly.
    No FireWire (IEEE 1394) Host Controller found.
    Connected Device Information:
    rawkiss’s iPhone, iPhone 3G running firmware version 4.0
    Serial Number:       86931UEAY7H
    **** Device Sync Tests ****
    Sync tests completed successfully.

    I have found a fix after doing additional research through this forum. Tech Note #328730 addresses this problem and it works for Photoshop Album 3.2 even though it was written for release 1.0.
    Here is a link that will take you directly to the Tech Note:
    http://kb.adobe.com/selfservice/viewContent.do?externalId=328730
    When using this fix the Tech Note indicates:
    "Imported image data and tags are lost when you re-create the My Catalog.psa file, so you need to reimport images and reapply any tags"
    however it did retain the captions (at least it did for me).

  • SAP R/3 4.7 EXt200 installation on RedHat Linux 5.2 with Oracle 10G

    Hi,
    I got this error during Database Instance Installation:
    All file system node operations of table tORA_SapdataNodes processed successfully.
    ERROR      2009-08-31 11:04:39 [iaxxinscbk.cpp:289]
               abortInstallation
    MDB-06020  File not found: [no oracle rdbms file found].
    I am done with CI Installation.
    Any help would be appreciated.

    Hi ,
         First of all please check availability of your OS + DB requiremnts whether it is supported by SAP or not.You can check this at Product Availability Matrix at ::
    http://service.sap.com/pam
         If this support for your environment i.e.RedHat Linux 5.2 with Oracle 10G then be informed that after starting sapinst in step create database it will prompt you for installing your oracle DB. So open a new window & install your databse ,do the patching of your DB & then continue with sapinst after successfull installation of oracle.Rest of details sapinst will prompot you during instal;lation.
        Hope this will guide you for your query.
    Thanks..
    Mohit

  • Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

    Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
    Some have no problem accessing the lesson plans.
    Most when they login click on a lesson plan and an icon shows up that says loading but never does.
    If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
    Think Central support says this is a security issue with Firefox.
    I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
    I have allowed the pop ups to the think Central web site.
    Any help would be appreciated

    Are there any notification icons on the left end of the address bar? If so, please click them to see whether they related to security issues (such as blocked content - shield icon: [[How does content that isn't secure affect my safety?]]) or a plugin requiring permission (Lego-like icon).
    Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

  • Webinar: How to implement secure scenarios with SAP NW PI 7.1

    SAP Intelligence Platform & NetWeaver RIG APJ Expert Call
    Dear valued SAP Experts,
    Next SAP Intelligence Platform & NetWeaver RIG Expert Call Session will take place on Tuesday, August 18.
    The SAP Intelligence Platform & NetWeaver RIG Expert Call Sessions are designed to support consultants, partners and customers  during their implementation projects. The sessions cover all different aspects of SAP NetWeaver and are aimed at
    thus provide knowledge which is not available via standard training courses. The session duration is typically 60min and includes questions and answers.
    Tuesday, August 18, 2009:
    How to implement secure scenarios with SAP NetWeaver Process Integration 7.1
    Time: 2.00 - 3.00 p.m. Singapore Time (UTC +8)
    This event will feature Makoto Sugishita with the SAP Intelligence Platform & NetWeaver Regional Implementation Group.
    Makoto provides the following abstract:
    In this session you will learn more about the core security concepts that are provided with the service-oriented architecture (SOA)
    management capabilities in SAP NetWeaver Process Integration (SAP NetWeaver PI). This session will cover main use cases and
    supported scenarios of secure SAP NetWeaver PI deployments. 
    SAP Connect Link: https://sap.emea.pgiconnect.com/I016095
    (no passcode needed)
    Dial in:
    For dial in details please register here http://www.surveymonkey.com/s.aspx?sm=EFeuZl9PxrwKOW5i5W556g_3d_3d
    Kind regards,
    Sarma Sishta
    SAP Intelligence Platform & NetWeaver RIG APJ

    hi,
    I'm making this a sticky thread till August 18 so it will have better visibility
    Regards,
    Michal Krawczyk

  • [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java

  • Safari cannot create secure connection with certain websites

    I have OS X 10.10 with every available updates, and Safari's currently unable to 'establish secure connection' with some site I'm trying to connect, most disturbing being the whole Steam network (store/support.steampowered.com, steamcommunity.com, etc). IE (via Bootcamp), Chrome (both standalone and integrated into Steam client) and Firefox have no problem doing so.
    Considering sometime before the in Steam browser indicated the site as insecure (a red lock icon with a cross, typically used to indicate bad cert) for a short time, and hearing of certs issued to gov agencies for man in the middle, I compared the cert for store.steampowered.com/login (which, in contrary to most content on that domain, forces a secure connection) and this discussions.apple.com. Well Firefox and IE do show a normal grey lock icon without organization name, and Chrome admits the website's ownership is unverified (in details, it says ownership is verified by the CA but there's no public verification record; the secure setting of that site has outdated, too) despite having Valve's name and green lock icon. So the cert could be a fake since it's an ordinary (I guess?) cert from a EV authority (DigiCert High Assurance EV CA-1 in this case). The certificate shown from Chrome is totally fine (not a single red cross in the chain), though.
    Well there're other https resources Safari fails to create a secure connection with every now and then. I just forgot/ am unable to test them with other browsers (Sometimes it's not the page itself that can't be retrieved via https, but some resource it loads. Sadly I only know how to use Inspector in Safari, though I'm sure other browsers have similar functions, too). I suspect Safari just refuses such certificates (or the AES_128_CBC method maybe) while other browsers accept it. Is there an override for this?
    Weird enough, https://ev-root.digicert.com/ has grey lock on Firefox and Safari. Seems overriding is the only workaround.
    As a side note, my Safari freezes upon loading PayPal, being ir-responsive for tens of seconds on every activity such as clicking a link. For most of duration of the freeze no high CPU usage is monitored, though ocspd does sometimes take 50% or so, and the web process bursts into 100% immediately before unfreezing. Guess Yosemite has some issues with TLS on the system level.

    This could be a complicated problem to solve, as there are several possible causes for it.
    Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
    Step 1
    From the menu bar, select
               ▹ System Preferences... ▹ Date & Time
    Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the data and time shown (including the year) are correct, and correct them if not.
    Check the box marked 
              Set date and time automatically
    if it's not already checked, and select one of the Apple time servers from the menu next to it.
    Step 2
    Triple-click anywhere in the line below on this page to select it:
    /System/Library/Keychains/SystemCACertificates.keychain
    Right-click or control-click the highlighted line and select
              Services ▹ Show Info
    from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
    Repeat with this line:
    /System/Library/Keychains/SystemRootCertificates.keychain
    If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
    Step 3
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
    In the Keychains list, there should be items named System and System Roots. If not, select
              File ▹ Add Keychain
    from the menu bar and add the following items:
    /Library/Keychains/System.keychain
    /System/Library/Keychains/SystemRootCertificates.keychain
    Open the View menu in the menu bar. If one of the items in the menu is
              Show Expired Certificates
    select it. Otherwise it will show
              Hide Expired Certificates
    which is what you want.
    From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
              Secure Sockets Layer (SSL)
    select
              no value specified
    Close the inspection window. You'll be prompted for your administrator password to update the settings.
    Now open the same inspection window again, and select
              When using this certificate: Use System Defaults
    Save the change in the same way as before.
    Revert all the certificates with non-default trust settings. Never again change any of those settings.
    Step 4
    Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
    Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
              Help ▹ Keychain Access Help
    from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
    Step 5
    From the menu bar, select
              Keychain Access ▹ Preferences... ▹ Certificates
    There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to  CRL.
    Step 6
    Triple-click anywhere in the line of text below on this page to select it:
    /var/db/crls
    Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
    A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
    Restart the computer, empty the Trash, and test.
    Step 7
    Triple-click anywhere in the line below on this page to select it:
    open -e /etc/hosts
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    127.0.0.1                              localhost
    255.255.255.255          broadcasthost
    ::1                                        localhost
    fe80::1%lo0                    localhost
    If that's not what you see, post the contents of the window.

Maybe you are looking for