Secure OSB10g with owsm 10g
Hi,
I have a customer who has some flows exposed as web services via proxy services on OSB 10g. He would like to implement authentication and authorisation; what is the best architecture to do it? He is thinking of using OWSM 10g but doesn't know what the best implementation architecture is.
He is also asking this question: is OWSM 10g compatible with OSB 10g or not?
Thanks for your help.
OSB 10g is compatible with OWSM (10.1.3.x and later, and 11.1.1). Please refer to the following links for more details:
http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/security/owsm.html
http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/interopmatrix/matrix.html (Refer to Platform Interoperability section)
Hope this helps.
Thanks,
Patrick
Similar Messages
-
Securing Services with OWSM 10g gateway
Hi
I have a small issue with an application we are trying to secure with the Oracle SOA suite 10g Gateway.
We have 2 application servers which we are trying to configure in a HA configuration.
We have several internal services that are used within our core application and 2 services we wish to expose to the outside world.
We initially wanted to expose these through the OWSM gateway but seem to have problems stopping external users from invoking internal services.
We have the BPEL, ESB, WSM Monitor, Manager, Rules installed in one Oracle home and the OWSM gateway and policy manager installed in a separate Oracle home. The OHS is installed on the same machine with 2 virtual hosts on different ports, externalSOA:7777 and internalSOA:8888.
We have configured the OHS to filter out certain urls for the externalSOA VH such as /em, /esb_dt, /ccore which seems to work.
However, services deployed into internalSOA:8888 are still invokable via externalSOA:7777/servicename.
Does anyone have a better solution or some ideas as to what we are doing wrong?
Regards
Yes, true,
I was assuming a firewall protecting internal zone is part of DMZ setup, and infrastructure is on 10g, and owsm gateway, according to initial poster.
Protecting the internal URL, only allowing gateway requests to pass through would require the requesthandler (service URL) to look into the request.
What we did was to let the owsm gateway do the authentication/authorization, and adding a policy step to "insert SAML".
So the client request contains a valid username/password to be authenticated towards LDAP. After authZ an additional SAML header is added, containing a magic token known only to owsm gateway, and internal requesthandler, processing the service URL request.
If the request did not pass through gateway it will not contain the saml magic token, and thus be rejected by requesthandler.
11g has some improvements when it comes to protection using agents, but as long as the weaknesses are not covered (lack of gw-functionality) it would be wise to handle this in current infrastructure.
Suggesting a switch to 11g infrastructure to solve his issue is a bit over the top; switching the entire SOA infrastructure is not something done overnight. -
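The "magic token" pattern described in the reply above (gateway authenticates against LDAP, inserts a header value that only the gateway and the internal request handler know, and the handler rejects anything without it) can be illustrated with a small backend-side check. This is an added example, not OWSM's or the poster's code: it assumes a hypothetical `gw:GatewayToken` element inside the `wsse:Security` header (the real OWSM step inserts a SAML assertion, whose exact layout is not shown in the thread), and the token value is a constructed placeholder.

```python
import hmac
import xml.etree.ElementTree as ET

# SOAP 1.1 and WS-Security namespaces are real; the "gw" namespace and the
# GatewayToken element are assumptions for this example, not OWSM's own format.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "gw": "urn:example:gateway-token",  # assumed namespace
}

# Shared secret known only to the gateway and this handler. Constructed
# placeholder: in practice it is loaded from a credential store and rotated.
GATEWAY_TOKEN = "replace-with-secret-from-credential-store"


def extract_gateway_token(envelope_xml: str):
    """Return the token carried in soap:Header/wsse:Security, or None if absent."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Envelope" % NS["soap"]:
        return None
    # Only the security header counts; a token placed in the body is ignored.
    node = root.find("soap:Header/wsse:Security/gw:GatewayToken", NS)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def passed_through_gateway(envelope_xml: str, expected_token: str = GATEWAY_TOKEN) -> bool:
    """True only if the request carries exactly the token the gateway inserts."""
    token = extract_gateway_token(envelope_xml)
    if token is None:
        return False
    # Constant-time comparison so a wrong token is not distinguishable by timing.
    return hmac.compare_digest(token.encode(), expected_token.encode())


def handle_request(envelope_xml: str) -> tuple:
    """Minimal internal request handler: returns (HTTP status, message)."""
    if not passed_through_gateway(envelope_xml):
        return 403, "request did not pass through the gateway"
    return 200, "ok"


# Constructed sample envelopes (not captured traffic).
VIA_GATEWAY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:gw="urn:example:gateway-token">
  <soap:Header>
    <wsse:Security>
      <gw:GatewayToken>replace-with-secret-from-credential-store</gw:GatewayToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getOrder/></soap:Body>
</soap:Envelope>"""

DIRECT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body><getOrder/></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(handle_request(VIA_GATEWAY))  # (200, 'ok')
    print(handle_request(DIRECT))       # (403, 'request did not pass through the gateway')
```

A static shared token only proves the message passed a component that holds the secret; it does not bind the token to the message or the caller, which is what a signed SAML assertion (the 11g agent approach mentioned in the reply) adds. The check should therefore sit behind the network restriction the earlier reply assumed, not replace it.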
Securing SOA 11g Web Services with OWSM AD authentication
I have SOA 11g with Weblogic 10.3.5 installed and running a Web Service and a Client I want to protect with Active Directory auth and perhaps some other access rules. As I read, I can use OWSM policies to do that. Most guides I found concern OWSM 10g.
How can I make WL use AD authentication? Do I have to use Access Manager?
I finally figured it out. The NullPointerException is related to the SAML assertion. The SAML assertion in my requests is signed with an embedded signature, and this seems not to be supported by the OWSM policy used. Without the signature the exception is gone.
Marian -
Restricting IP's with OWSM?
Hi guys.
Just started looking at OWSM, cause we're deploying web services by the dozen and I want to get it all into a centrally managed environment before its too late :)
Question: Is it possible with OWSM to restrict the ip's that are allowed to call a WS. In other words to make sure that WS1 can only be called from 127.1.2.3 and not from 128.3.4.5? Never mind any other security layers built into the WS call, just pure IP restrictions. I suspect it is possible to do that on the application server where the WS is really deployed, but if I put a gateway in via OWSM, then all the IP's at the application server level will be the ip of the OSWM where the gateway is running, thus defeating the purpose. Or am I completely off track? (Not an impossible scenario :) )
Eagerly awaiting your replies/comments/wild speculations.
Elmar
Hi,
OWSM can run in two different modes, as a gateway or with agents. When acting as a gateway, the original web services will be proxied via the OWSM gateway, so yes, all services will be accessed via the same IP. The original WS, however, is still accessible if somebody knows its IP address and endpoint. In OWSM you cannot restrict the IP addresses that can access the gateway; if you want that, you need to do it at a network level. If you use only web services on Oracle application servers (and others that have an OWSM agent available; e.g. .NET does not have an agent), you can install the agent for your services, which will make the web service itself forward the requests to OWSM. Still, this does not allow you to restrict access to the services to certain IP addresses. So the conclusion is: if you need to allow only certain IP addresses to access your web services, it is best to do it at a network level.
Andre -
Security issues for Discoverer 10g apps 12i
gurus,
I have couple of things to get it done at client.
We are on Oracle Apps Release 12i with Discoverer 10g.
Did anyone setup MOAC to be enabled and operational in business areas?
Setting up secure responsibilities in discoverer for MOAC?
Any setup needs to be done for custom report security in discoverer ?
thx
Hi,
I did setup new MOAC security profiles and assigned multiple organizations to that profile for testing purpose.
After this, I ran the concurrent program "Security List Maintenance" etc.
Tested updating the profile at user level or responsibility level.
On APPS side fine.
I need the some basic steps on setup of security issues for discoverer side.
1) Business areas (any security steps need to be followed in order to access data for single or multi-org)
2) Custom Reports (any security setup or any MOAC security profile setting against the responsibility for accessing single or multi-org data)
Since we don't have the default operating unit parameter as specified in the concurrent program, how do you restrict data?
3) Reconciling security approach r12 with discoverer (any steps need to be followed here after r12 configuration with security issues)
4) Custom Views ( any steps to be followed for single or multi-org data as security aspect)
Looking for info on these setups.
Thx -
Osb proxy service with owsm policy auth slow when soap request very large
I have a proxy service which is secured with the OWSM policy oracle/wss_username_token_service_policy. The proxy service simply routes to a Business Service which directly invokes a BPEL-exposed web service. When I call the proxy service with a SOAP envelope larger than 15MB (not an attachment), after waiting about 4~5 minutes the BPEL instance is created; but when I remove the security policy oracle/wss_username_token_service_policy, it costs only 20 seconds. Why does authentication cost so long? How can I deal with the problem?
My English is poor, please don't mind!
Besides, my OSB version is 11.1.1.6.0. -
Enabling ws-security UserNameToken using OWSM
Hi,
I am using BPEL PM with OWSM; I need to enable WS-security for the incoming messages to a service running on BPEL server.
I completed the initial steps such as creating a gateway and registering the service in that gateway after that I could see a WSDL generated by the OWSM.
After this I don't know how to enable WS-Security (UsernameToken only); I am not finding anything in the documents. Could anyone throw some light on this?
Best Regards,
Chandra
I'm a bit confused by these questions.
There's nothing you need to do to ENABLE this.
OWSM can convert credentials (http headers, etc.) to WS-security if you want (proper sequence of "Extract Credentials" and "Insert Credentials" in the pipeline should do this)
OWSM cannot insert any identity "out of the blue", the information should be somewhere in the request coming into the gateway...
Marc -
Applying security patch to Oracle 10G on Linux
Hello,
I'm new to Oracle DBA world, need to apply security patch to Oracle 10G on Linux server, any tips and notes would be appreciated.
thanks
Sam
Manish,
1. I have to upgrade the database version from 10.2.0.2 to 10.2.0.4 on Linux. Is there any proper documentation which will help me out?
Please refer to the following document.
Note: 454750.1 - Oracle Apps Release 12 with Oracle Database 10.2.0 interoperability notes
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=454750.1
2. What are the types of oracle database patches? what is the proper procedure to apply those kind of patches to Oracle 10g on Linux?
Most of the patches in this upgrade are database patches (which should be applied using opatch). The main upgrade patch (Patch 6810189 - 10.2.0.4 patch set) should be applied using Oracle Universal Installer (runInstaller).
Always follow the steps in the patch README file before applying any patch.
Regards,
Hussein -
How do I reset my apple id security question with out a rescue email
How do I reset my apple id security question with out a rescue email?
You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, phoning AppleCare and asking for the Account Security team, and filling out and submitting this form.
They wouldn't be security questions if they could be bypassed without Apple verifying your identity.
(101013) -
My iTunes on PC fails to secure a link with the iTunes Store: it shows the progress bar, then automatically quits the process, and it also does not show anything on the screen. I am using Windows XP Service Pack 3. What should I do?
Diagnostics test
Microsoft Windows XP Professional Service Pack 3 (Build 2600)
ECS G31T-M7
iTunes 10.5.2.11
QuickTime 7.6.9
FairPlay 1.13.37
Apple Application Support 2.1.6
iPod Updater Library 10.0d2
CD Driver 2.2.0.1
CD Driver DLL 2.1.1.1
Apple Mobile Device 4.0.0.97
Apple Mobile Device Driver 1.57.0.0
Bonjour 3.0.0.10 (333.10)
Gracenote SDK 1.9.5.502
Gracenote MusicID 1.9.5.115
Gracenote Submit 1.9.5.143
Gracenote DSP 1.9.5.45
iTunes Serial Number 0012ABAC07F3CCB0
Current user is an administrator.
The current local date and time is 2011-12-31 14:06:21.
iTunes is not running in safe mode.
WebKit accelerated compositing is enabled.
HDCP is not supported.
Core Media is not supported. (16005)
Video Display Information
Intel(R) G33/G31 Express Chipset Family
**** External Plug-ins Information ****
No external plug-ins installed.
**** Network Connectivity Tests ****
Network Adapter Information
Adapter Name: {7599FAD1-1BB9-4AC6-80AF-404253DC519E}
Description: Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
IP Address: 192.168.1.5
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
Lease Obtained: Sat Dec 31 13:46:09 2011
Lease Expires: Tue Jan 03 13:46:09 2012
DNS Servers: 192.168.1.1
Active Connection: LAN Connection
Connected: Yes
Online: Yes
Using Modem: No
Using LAN: Yes
Using Proxy: No
SSL 3.0 Support: Enabled
TLS 1.0 Support: Enabled
Firewall Information
Windows Firewall is on.
iTunes is enabled in Windows Firewall.
Connection attempt to Apple web site was successful.
Connection attempt to browsing iTunes Store was successful.
Connection attempt to purchasing from iTunes Store was successful.
Connection attempt to iPhone activation server was unsuccessful.
The network connection timed out.
Connection attempt to firmware update server was unsuccessful.
The network connection timed out.
Connection attempt to Gracenote server was successful.
Last successful iTunes Store access was 2011-12-31 14:00:02.
**** Device Connectivity Tests ****
iPodService 10.5.2.11 is currently running.
iTunesHelper 10.5.2.11 is currently running.
Apple Mobile Device service 3.3.0.0 is currently running.
Universal Serial Bus Controllers:
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C8. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C9. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CA. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CB. Device is working properly.
Intel(R) 82801G (ICH7 Family) USB2 Enhanced Host Controller - 27CC. Device is working properly.
No FireWire (IEEE 1394) Host Controller found.
Connected Device Information:
rawkiss’s iPhone, iPhone 3G running firmware version 4.0
Serial Number: 86931UEAY7H
**** Device Sync Tests ****
Sync tests completed successfully.
I have found a fix after doing additional research through this forum. Tech Note #328730 addresses this problem and it works for Photoshop Album 3.2 even though it was written for release 1.0.
Here is a link that will take you directly to the Tech Note:
http://kb.adobe.com/selfservice/viewContent.do?externalId=328730
When using this fix the Tech Note indicates:
"Imported image data and tags are lost when you re-create the My Catalog.psa file, so you need to reimport images and reapply any tags"
however it did retain the captions (at least it did for me). -
SAP R/3 4.7 EXt200 installation on RedHat Linux 5.2 with Oracle 10G
Hi,
I got this error during Database Instance Installation:
All file system node operations of table tORA_SapdataNodes processed successfully.
ERROR 2009-08-31 11:04:39 [iaxxinscbk.cpp:289]
abortInstallation
MDB-06020 File not found: [no oracle rdbms file found].
I am done with CI Installation.
Any help would be appreciated.
Hi,
First of all, please check the availability of your OS + DB requirements, whether they are supported by SAP or not. You can check this in the Product Availability Matrix at:
http://service.sap.com/pam
If this is supported for your environment, i.e. RedHat Linux 5.2 with Oracle 10G, then be informed that after starting sapinst, in the step "create database" it will prompt you to install your Oracle DB. So open a new window and install your database, do the patching of your DB, and then continue with sapinst after successful installation of Oracle. sapinst will prompt you for the rest of the details during installation.
Hope this will guide you for your query.
Thanks..
Mohit -
Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
Some have no problem accessing the lesson plans.
Most when they login click on a lesson plan and an icon shows up that says loading but never does.
If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
Think Central support says this is a security issue with Firefox.
I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
I have allowed the pop ups to the think Central web site.
Any help would be appreciated
Are there any notification icons on the left end of the address bar? If so, please click them to see whether they relate to security issues (such as blocked content - shield icon: [[How does content that isn't secure affect my safety?]]) or a plugin requiring permission (Lego-like icon).
Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand. -
Webinar: How to implement secure scenarios with SAP NW PI 7.1
SAP Intelligence Platform & NetWeaver RIG APJ Expert Call
Dear valued SAP Experts,
Next SAP Intelligence Platform & NetWeaver RIG Expert Call Session will take place on Tuesday, August 18.
The SAP Intelligence Platform & NetWeaver RIG Expert Call Sessions are designed to support consultants, partners and customers during their implementation projects. The sessions cover all different aspects of SAP NetWeaver and are aimed at
thus provide knowledge which is not available via standard training courses. The session duration is typically 60min and includes questions and answers.
Tuesday, August 18, 2009:
How to implement secure scenarios with SAP NetWeaver Process Integration 7.1
Time: 2.00 - 3.00 p.m. Singapore Time (UTC +8)
This event will feature Makoto Sugishita with the SAP Intelligence Platform & NetWeaver Regional Implementation Group.
Makoto provides the following abstract:
In this session you will learn more about the core security concepts that are provided with the service-oriented architecture (SOA)
management capabilities in SAP NetWeaver Process Integration (SAP NetWeaver PI). This session will cover main use cases and
supported scenarios of secure SAP NetWeaver PI deployments.
SAP Connect Link: https://sap.emea.pgiconnect.com/I016095
(no passcode needed)
Dial in:
For dial in details please register here http://www.surveymonkey.com/s.aspx?sm=EFeuZl9PxrwKOW5i5W556g_3d_3d
Kind regards,
Sarma Sishta
SAP Intelligence Platform & NetWeaver RIG APJ
hi,
I'm making this a sticky thread till August 18 so it will have better visibility
Regards,
Michal Krawczyk -
Revision: 1720
Author: [email protected]
Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
Log Message:
Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
QA: Yes
Doc: No
Details:
Update to the TomcatLoginCommand to work correctly with NIO endpoints.
Ticket Links:
http://bugs.adobe.com/jira/browse/LCDS-304
Modified Paths:
blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java -
Safari cannot create secure connection with certain websites
I have OS X 10.10 with every available update, and Safari is currently unable to 'establish secure connection' with some sites I'm trying to connect to, most disturbing being the whole Steam network (store/support.steampowered.com, steamcommunity.com, etc.). IE (via Boot Camp), Chrome (both standalone and integrated into the Steam client) and Firefox have no problem doing so.
Considering that sometime before, the in-Steam browser indicated the site as insecure (a red lock icon with a cross, typically used to indicate a bad cert) for a short time, and having heard of certs issued to government agencies for man-in-the-middle, I compared the cert for store.steampowered.com/login (which, contrary to most content on that domain, forces a secure connection) and this discussions.apple.com. Well, Firefox and IE do show a normal grey lock icon without organization name, and Chrome admits the website's ownership is unverified (in details, it says ownership is verified by the CA but there's no public verification record; the secure settings of that site are outdated, too) despite having Valve's name and a green lock icon. So the cert could be a fake since it's an ordinary (I guess?) cert from an EV authority (DigiCert High Assurance EV CA-1 in this case). The certificate shown in Chrome is totally fine (not a single red cross in the chain), though.
Well, there are other https resources Safari fails to create a secure connection with every now and then. I just forgot / am unable to test them with other browsers (sometimes it's not the page itself that can't be retrieved via https, but some resource it loads. Sadly I only know how to use the Inspector in Safari, though I'm sure other browsers have similar functions, too). I suspect Safari just refuses such certificates (or the AES_128_CBC method maybe) while other browsers accept them. Is there an override for this?
Weird enough, https://ev-root.digicert.com/ has a grey lock on Firefox and Safari. Seems overriding is the only workaround.
As a side note, my Safari freezes upon loading PayPal, being unresponsive for tens of seconds on every activity such as clicking a link. For most of the duration of the freeze no high CPU usage is observed, though ocspd does sometimes take 50% or so, and the web process bursts to 100% immediately before unfreezing. Guess Yosemite has some issues with TLS at the system level.
This could be a complicated problem to solve, as there are several possible causes for it.
Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.
Step 1
From the menu bar, select
▹ System Preferences... ▹ Date & Time
Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the date and time shown (including the year) are correct, and correct them if not.
Check the box marked
Set date and time automatically
if it's not already checked, and select one of the Apple time servers from the menu next to it.
Step 2
Triple-click anywhere in the line below on this page to select it:
/System/Library/Keychains/SystemCACertificates.keychain
Right-click or control-click the highlighted line and select
Services ▹ Show Info
from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.
Repeat with this line:
/System/Library/Keychains/SystemRootCertificates.keychain
If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.
Step 3
Launch the Keychain Access application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.
In the Keychains list, there should be items named System and System Roots. If not, select
File ▹ Add Keychain
from the menu bar and add the following items:
/Library/Keychains/System.keychain
/System/Library/Keychains/SystemRootCertificates.keychain
Open the View menu in the menu bar. If one of the items in the menu is
Show Expired Certificates
select it. Otherwise it will show
Hide Expired Certificates
which is what you want.
From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled
Secure Sockets Layer (SSL)
select
no value specified
Close the inspection window. You'll be prompted for your administrator password to update the settings.
Now open the same inspection window again, and select
When using this certificate: Use System Defaults
Save the change in the same way as before.
Revert all the certificates with non-default trust settings. Never again change any of those settings.
Step 4
Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.
Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select
Help ▹ Keychain Access Help
from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.
Step 5
From the menu bar, select
Keychain Access ▹ Preferences... ▹ Certificates
There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.
Step 6
Triple-click anywhere in the line of text below on this page to select it:
/var/db/crls
Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.
Restart the computer, empty the Trash, and test.
Step 7
Triple-click anywhere in the line below on this page to select it:
open -e /etc/hosts
Copy the selected text to the Clipboard by pressing the key combination command-C.
Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
If that's not what you see, post the contents of the window.