Securing Services with OWSM 10g gateway

Hi
I have a small issue with an application we are trying to secure with the Oracle SOA Suite 10g gateway.
We have 2 application servers which we are trying to configure in an HA configuration.
We have several internal services that are used within our core application and 2 services we wish to expose to the outside world.
We initially wanted to expose these through the OWSM gateway but seem to have problems stopping external users from invoking internal services.
We have BPEL, ESB, WSM Monitor, Manager and Rules installed in one Oracle home, and the OWSM gateway and policy manager installed in a separate Oracle home. The OHS is installed on the same machine with 2 virtual hosts on different ports, externalSOA:7777 and internalSOA:8888.
We have configured the OHS to filter out certain URLs for the externalSOA VH, such as /em, /esb_dt and /ccore, which seems to work.
However, services deployed into internalSOA:8888 are still invokable via externalSOA:7777/servicename.
Does anyone have a better solution or some ideas as to what we are doing wrong?
Regards

Yes, true,
I was assuming a firewall protecting the internal zone is part of the DMZ setup, and that the infrastructure is on 10g with the OWSM gateway, according to the initial poster.
Protecting the internal URL, only allowing gateway requests to pass through, would require the request handler (service URL) to look into the request.
What we did was to let the OWSM gateway do the authentication/authorization, and add a policy step to "insert SAML".
So the client request contains a valid username/password to be authenticated against LDAP. After authZ an additional SAML header is added, containing a magic token known only to the OWSM gateway and the internal request handler processing the service URL request.
If the request did not pass through the gateway it will not contain the SAML magic token, and thus will be rejected by the request handler.
11g has some improvements when it comes to protection using agents, but as long as the weaknesses are not covered (lack of gateway functionality) it would be wise to handle this in the current infrastructure.
Suggesting a switch to 11g infrastructure to solve his issue is a bit over the top; switching the entire SOA infrastructure is not something done overnight.
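As an added illustration (not code from either poster, and not an Oracle product feature), the following Python model shows the two controls discussed in this thread side by side: an allow-list for the external virtual host, so that only the published gateway paths are forwarded, and an internal request handler that admits a request only if it carries a header the gateway inserted after authenticating the caller. It goes beyond the reply in one respect: instead of a static "magic token", the inserted value is an HMAC over the authenticated subject and the SOAP body, keyed with a secret shared between gateway and handler, so a header captured from one request cannot be attached to a different one. The paths, namespace, element names, sample request and key are assumptions made for the example.

```python
"""Added example (not from the thread): gateway-enforced access to internal
SOA services. Layer 1 models the externalSOA virtual host as an allow-list;
layer 2 models the internal request handler checking a header that only the
gateway can produce. Paths, namespaces and the secret are assumed values."""
import copy
import hashlib
import hmac
import posixpath
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
GW_NS = "urn:example:gateway-assertion"          # assumed namespace for the gateway header
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("gw", GW_NS)

# Paths the external virtual host may forward (assumed); everything else is refused.
EXTERNAL_ALLOWED = ("/gateway/services/OrderStatus", "/gateway/services/Quote")

# Known only to the gateway and the internal request handler (assumed placeholder).
SHARED_SECRET = b"replace-with-a-random-32-byte-key"


def external_vhost_allows(path: str) -> bool:
    """Allow-list check for externalSOA:7777. Strips the query string and
    normalises '..' so '/gateway/services/Quote/../../orabpel/x' is refused.
    Assumes the server has already percent-decoded the path once."""
    clean = posixpath.normpath(path.split("?", 1)[0])
    return any(clean == p or clean.startswith(p + "/") for p in EXTERNAL_ALLOWED)


def _body_bytes(root: ET.Element) -> bytes:
    """Serialise only the SOAP Body (tail dropped) so both sides hash identical bytes."""
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    body = copy.deepcopy(body)
    body.tail = None
    return ET.tostring(body, encoding="utf-8")


def _proof(subject: str, body_bytes: bytes) -> bytes:
    """HMAC-SHA256 binding the authenticated subject to this particular body."""
    msg = subject.encode("utf-8") + b"\x00" + hashlib.sha256(body_bytes).digest()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def gateway_insert_assertion(envelope_xml: bytes, authenticated_user: str) -> bytes:
    """Gateway policy step, run only after authN/authZ of the caller succeeded."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)
    assertion = ET.SubElement(header, f"{{{GW_NS}}}GatewayAssertion")
    ET.SubElement(assertion, f"{{{GW_NS}}}Subject").text = authenticated_user
    ET.SubElement(assertion, f"{{{GW_NS}}}Proof").text = _proof(authenticated_user, _body_bytes(root)).hex()
    return ET.tostring(root, encoding="utf-8")


def handler_accepts(envelope_xml: bytes):
    """Internal service side. Returns (True, subject) or (False, reason)."""
    try:
        root = ET.fromstring(envelope_xml)
        body_bytes = _body_bytes(root)
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    assertion = root.find(f"{{{SOAP_NS}}}Header/{{{GW_NS}}}GatewayAssertion")
    if assertion is None:
        return False, "no gateway assertion: request did not pass through the gateway"
    subject = assertion.findtext(f"{{{GW_NS}}}Subject") or ""
    try:
        presented = bytes.fromhex(assertion.findtext(f"{{{GW_NS}}}Proof") or "")
    except ValueError:
        return False, "malformed proof"
    if not hmac.compare_digest(presented, _proof(subject, body_bytes)):   # constant-time compare
        return False, "proof mismatch: header forged, or body/subject altered after the gateway"
    return True, subject


# Constructed sample request for the demo; the payload value is arbitrary.
CONSTRUCTED_REQUEST = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <q:getQuote xmlns:q="urn:example:quote"><q:symbol>ORCL</q:symbol></q:getQuote>
  </soapenv:Body>
</soapenv:Envelope>"""


def demo() -> dict:
    """The cases from the thread: path filtering on the external VH, a call through
    the gateway, a direct call to the internal URL, a forged header, a tampered body."""
    via_gateway = gateway_insert_assertion(CONSTRUCTED_REQUEST, "alice")
    forged = CONSTRUCTED_REQUEST.replace(
        b"<soapenv:Body>",
        b'<soapenv:Header><gw:GatewayAssertion xmlns:gw="urn:example:gateway-assertion">'
        b"<gw:Subject>admin</gw:Subject><gw:Proof>" + b"00" * 32 + b"</gw:Proof>"
        b"</gw:GatewayAssertion></soapenv:Header><soapenv:Body>", 1)
    return {
        "internal_path_on_external_vh": external_vhost_allows("/orabpel/default/InternalProcess/1.0"),
        "gateway_path_on_external_vh": external_vhost_allows("/gateway/services/Quote?wsdl"),
        "traversal_on_external_vh": external_vhost_allows("/gateway/services/Quote/../../orabpel/x"),
        "via_gateway": handler_accepts(via_gateway),
        "direct_to_internal": handler_accepts(CONSTRUCTED_REQUEST),
        "forged_header": handler_accepts(forged),
        "tampered_body": handler_accepts(via_gateway.replace(b"ORCL", b"EVIL")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30s} -> {outcome}")
```

Run it directly to see each case. The allow-list on the external virtual host is what keeps /orabpel/... unreachable from externalSOA:7777 in the first place; filtering out known-internal URLs, as in the question, leaves every URL nobody thought of still exposed. The header check is the second line of defence for when the virtual host filtering is misconfigured. A static shared token, as in the reply, is a bearer secret: anyone who can read it from a request on the internal side can call the service directly, which is why the example binds the value to the subject and the body instead.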

Similar Messages

  • Secure OSB10g with owsm 10g

    Hi,
    I have a customer who has some flows exposed as web services via proxy services on OSB 10g. He would like to implement authentication and authorisation; what is the best architecture to do it? He is thinking of using OWSM 10g but doesn't know what the best implementation architecture is.
    He is also asking this question: is OWSM 10g compatible with OSB 10g or not?
    Thanks for your help.

    OSB 10g is compatible with OWSM (10.1.3.x and later, and 11.1.1). Please refer to the following links for more details:
    http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/security/owsm.html
    http://docs.oracle.com/cd/E13159_01/osb/docs10gr3/interopmatrix/matrix.html (Refer to Platform Interoperability section)
    Hope this helps.
    Thanks,
    Patrick

  • Securing SOA 11g Web Services with OWSM AD authentication

    I have SOA 11g with WebLogic 10.3.5 installed and running a web service and a client that I want to protect with Active Directory authentication and perhaps some other access rules. As I read, I can use OWSM policies to do that. Most guides I found concern OWSM 10g.
    How can I make WL use AD authentication? Do I have to use Access Manager?

    I finally figured it out. The NullPointerException is related to the SAML assertion. The SAML assertion in my requests is signed with an embedded signature, and this seems not to be supported by the OWSM policy used. Without the signature the exception is gone.
    Marian

  • Osb proxy service with owsm policy auth slow when soap request very large

    I have a proxy service which is secured with the OWSM policy oracle/wss_username_token_service_policy. The proxy service simply routes to a business service which directly invokes a BPEL-exposed web service. When I call the proxy service with a SOAP envelope larger than 15 MB (not an attachment), it takes about 4-5 minutes before the BPEL instance is created; but when I remove the security policy oracle/wss_username_token_service_policy, it takes only 20 seconds. Why does authentication take so long? How can I deal with the problem?
    My English is poor, please don't mind!
    Besides, my OSB version is 11.1.1.6.0.


  • Securing FTPS with Oracle WSM gateway (10g)

    Does anyone know whether it is possible to secure FTPS traffic using the OWSM gateway (10g)?
    I have a service which is sending encrypted files into our system using FTPS, and we would like to check and decrypt the files before we persist them on the FTP server. Is it possible to use the OWSM gateway to authenticate and decrypt the files in a DMZ before processing them any further?
    Please note that I understand that 11g does not currently have a gateway and we are not looking to upgrade, and therefore the 10g OWSM gateway is an option for us.


  • Securing BPEL services with OWSM: problem resolving schema

    Hi,
    With the introduction of SOA Suite 10131, the specification of XML object types and elements is handled in a separate XSD file which is imported into the WSDL for the BPEL process. This is fine; it prevents cluttering up the WSDL.
    The import is like this:
    <import namespace="http://xmlns.oracle.com/MyFirstBPEL" schemaLocation="MyFirstBPEL.xsd" />
    Now, when I secure this service using an OWSM gateway, OWSM is not able to generate a test page for this service. It cannot resolve the XSD that it needs for constructing the test form. The same happens when you try to generate a proxy for the Web Service.
    A solution is to put the schema file in BPEL's xmllib and change the schemaLocation of the import tag accordingly, e.g.:
    <import namespace="http://xmlns.oracle.com/MyFirstBPEL" schemaLocation="http://localhost/orabpel/xmllib/MyFirstBPEL.xsd" />
    Can anyone think of a better solution, i.e. one that does not require changing the WSDL and avoids dragging the XSD around?
    Thanks. Regards, Sjoerd

    Hi Bastiaan,
    The XSD that is generated is automatically packaged and deployed with the BPEL process. And publishing it in a place is exactly what I do by putting it in /xmllib. I am all for controlled publication of XML Schema, but I would rather choose which XML constructs to publish (e.g. for re-use).
    Thanks. Sjoerd

  • BPEL Web Service with OWSM Server Agent  NOT AUTHENTICATING

    I have deployed the OWSM Server Agent to enable WS-Security Username/Password authentication, following the steps at the URL below.
    http://www.oracle.com/technology/obe/fusion_middleware/owsm/secure%20soa/securing%20soa%20with%20owsm.htm
    Section: Creating and Installing an Oracle WSM Server Agent
    The OWSM agent configuration is working fine with individual Web Services.
    For BPEL, the authentication is not happening if we call the default endpoint from a Java proxy or SoapUI, e.g.
    http://host.domainame:7777/orabpel/bpelprocess1/050101 - authenticates as per the OWSM policy and WORKS FINE
    http://host.domainame:7777/orabpel/bpelprocess1 - executes the process WITHOUT authenticating
    Any help would be appreciated.
    Thanks
    Shehzad

    Did you resolve this issue? We are having the same issue with one of our BPEL processes. Any help would be highly appreciated.
    Thanks in Advance

  • Database Web Services with Oracle 10g

    Forgive my lack of knowledge on this issue, but we are still researching our options and we have very little experience with these new technologies.
    We have been using Oracle Database Server for years, and we are now looking into integrating our applications to offer further solutions to our customers as well as to implement a B2B solution.
    Our B2B solution consists of a relationship between the partners of our customers via a hub server that would reside at our premises. In other words, our customers' servers would communicate with their partners via our server and vice versa.
    We are planning to use Fusion to implement our hub server, and my question is:
    "Should we deploy a J2EE container to our customers where 'client services' would run to maintain runtime communication with our hub, or can we skip the J2EE container by using Database Web Services?"
    And a related question:
    "What Oracle components are required for Database Web Services to work? How are they implemented?"
    Thank you!

    After further reading about Database Web Services, it seems that you still need at least OC4J on the customer side to run Database Web Services. Is that correct?
    So if the best approach is to deploy OC4J to our customers, how difficult is it to do so, and how can I configure each one of my customers so that my hub server can uniquely identify each one of them?

  • Securing UDDI registered services using OWSM-Failing

    Hi all,
    I am running into issues integrating UDDI-registered services with OWSM 10.1.3.1. Are there really integration issues between UDDI 10.1.3.1 and OWSM 10.1.3.1, or am I going wrong somewhere?
    Thanks.

    Have you resolved your issue? I am in the same situation. Can you please let me know how you resolved it?

  • Strange error protecting BPEL service with WSM server agent

    I'm trying to protect a BPEL service with OWSM (SOA Suite 10.1.3.3 MLR#19). Everything looks fine as far as I can see, but when the service is called with WSM active it always fails with an internal server error. There are no errors in the logs (BPEL logs, OPMN logs, OWSM logs, ...) except the following in the Apache access log:
    "POST /policymanager/services/RegistrationService HTTP/1.0" 200 525
    I can connect to /policymanager/services/RegistrationService with a browser, it shows a message saying it is an Axis web service. Without WSM the BPEL service works fine.
    I have tried to fix this for two full days now and nothing I have tried makes a difference. Any suggestions for what I should do in order to solve the issue or at least get more data on what the root cause could be?
    -Erik
    Edit: There were two issues. The built-in test page doesn't work; when invoked with a real external client it works better. In addition, the properties for file-based policies seem to be used even when the online check has been enabled (so they cannot be omitted/blank), and a restart is required to make the changes bite.
    Edited by: ew on Oct 4, 2010 2:50 PM


  • Error connecting OData service with Appbuilder

    Hello,
    I have created an OData service with SAP NetWeaver Gateway, and there isn't any problem while testing the service in the browser.
    I made all the right settings in SMP 3.0 and the system is reached successfully from the server. I am developing the app with AppBuilder, so when trying to connect with the SMP onboarding service there is the following error: "Failed to get Service metadata." I can see the metadata in the browser, so I cannot understand what this error means.
    If anybody can help it would be very useful, because I'm in a deadlock.
    Thank you in advance!

    Hi IIliona,
    I am facing the same error
    I can see the metadata in the browser.
    The operation of entity set returns correct results as well.
    Did you fix it? If yes, do you mind sharing your solution?
    Thanks!!

  • Testing a gateway service with UDDI looked up service registered-Failing

    Hi All,
    I have imported a service into the OWSM gateway using UDDI. The service has been imported successfully; however, when I am testing the gateway I am getting the following error:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <SOAP-ENV:Fault>
          <faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.UndeliverableFault</faultcode>
          <faultstring>Cannot perform client request</faultstring>
          null</SOAP-ENV:Fault>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    But the same UDDI service is working well with BPEL. Please let me know where I am going wrong. It's urgent, as I have a delivery to make at present. Please help me out.
    Thanks.

    Hi,
    Have you resolved the error message? I am also getting the same error message. My web services are BPEL web services (third party) and they work fine. I am trying to secure them using OWSM and getting the same error message. It works fine on its own.
    Please let me know how you resolved it.

  • My iTunes on PC fails to establish a secure link with the iTunes Store; it shows the progress bar, then automatically quits the process and shows nothing on the screen. I am using Windows XP Service Pack 3. What should I do?

    My iTunes on PC fails to establish a secure link with the iTunes Store; it shows the progress bar, then automatically quits the process and shows nothing on the screen. I am using Windows XP Service Pack 3. What should I do?
    Diagnostics test
    Microsoft Windows XP Professional Service Pack 3 (Build 2600)
    ECS G31T-M7
    iTunes 10.5.2.11
    QuickTime 7.6.9
    FairPlay 1.13.37
    Apple Application Support 2.1.6
    iPod Updater Library 10.0d2
    CD Driver 2.2.0.1
    CD Driver DLL 2.1.1.1
    Apple Mobile Device 4.0.0.97
    Apple Mobile Device Driver 1.57.0.0
    Bonjour 3.0.0.10 (333.10)
    Gracenote SDK 1.9.5.502
    Gracenote MusicID 1.9.5.115
    Gracenote Submit 1.9.5.143
    Gracenote DSP 1.9.5.45
    iTunes Serial Number 0012ABAC07F3CCB0
    Current user is an administrator.
    The current local date and time is 2011-12-31 14:06:21.
    iTunes is not running in safe mode.
    WebKit accelerated compositing is enabled.
    HDCP is not supported.
    Core Media is not supported. (16005)
    Video Display Information
    Intel(R) G33/G31 Express Chipset Family
    **** External Plug-ins Information ****
    No external plug-ins installed.
    **** Network Connectivity Tests ****
    Network Adapter Information
    Adapter Name:        {7599FAD1-1BB9-4AC6-80AF-404253DC519E}
    Description:            Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
    IP Address:             192.168.1.5
    Subnet Mask:          255.255.255.0
    Default Gateway:    192.168.1.1
    DHCP Enabled:      Yes
    DHCP Server:         192.168.1.1
    Lease Obtained:     Sat Dec 31 13:46:09 2011
    Lease Expires:       Tue Jan 03 13:46:09 2012
    DNS Servers:         192.168.1.1
    Active Connection: LAN Connection
    Connected:             Yes
    Online:                    Yes
    Using Modem:        No
    Using LAN:             Yes
    Using Proxy:           No
    SSL 3.0 Support:     Enabled
    TLS 1.0 Support:     Enabled
    Firewall Information
    Windows Firewall is on.
    iTunes is enabled in Windows Firewall.
    Connection attempt to Apple web site was successful.
    Connection attempt to browsing iTunes Store was successful.
    Connection attempt to purchasing from iTunes Store was successful.
    Connection attempt to iPhone activation server was unsuccessful.
    The network connection timed out.
    Connection attempt to firmware update server was unsuccessful.
    The network connection timed out.
    Connection attempt to Gracenote server was successful.
    Last successful iTunes Store access was 2011-12-31 14:00:02.
    **** Device Connectivity Tests ****
    iPodService 10.5.2.11 is currently running.
    iTunesHelper 10.5.2.11 is currently running.
    Apple Mobile Device service 3.3.0.0 is currently running.
    Universal Serial Bus Controllers:
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C8.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C9.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CA.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27CB.  Device is working properly.
    Intel(R) 82801G (ICH7 Family) USB2 Enhanced Host Controller - 27CC.  Device is working properly.
    No FireWire (IEEE 1394) Host Controller found.
    Connected Device Information:
    rawkiss’s iPhone, iPhone 3G running firmware version 4.0
    Serial Number:       86931UEAY7H
    **** Device Sync Tests ****
    Sync tests completed successfully.

    I have found a fix after doing additional research through this forum. Tech Note #328730 addresses this problem and it works for Photoshop Album 3.2 even though it was written for release 1.0.
    Here is a link that will take you directly to the Tech Note:
    http://kb.adobe.com/selfservice/viewContent.do?externalId=328730
    When using this fix the Tech Note indicates:
    "Imported image data and tags are lost when you re-create the My Catalog.psa file, so you need to reimport images and reapply any tags"
    however it did retain the captions (at least it did for me).

  • Using OWSM to secure Services based on http binding

    Hi,
    We are using the OWSM Gateway in the DMZ as a proxy server to communicate with systems beyond the firewall. We have two specific requirements:
    1) The BPEL/ESB services should invoke HTTP POST/GET services on the third-party systems which are located beyond the firewall.
    2) Third-party services use HTTP POST/GET to access the BPEL/ESB services.
    My queries are:
    Are these possible with OWSM?
    For requirement 1, when we tried with OWSM we are getting the following error:
    "No policies found for service "SID0003001/servletclasstest?Locality=Chennai.Make sure the service is registered correctly and gateway policies are up to date"
    Can anyone help us out with a solution? We are running on tight timelines; any help is highly appreciated.


  • Error: [NQSError:13037] cannot connect to BI security service,Please make sure this is running properly (with SSL or not) in EM

    Hi,
    I'm unable to open the RPD online; I'm getting the following error.
    Note: I have not made any changes. It worked fine until yesterday EOD.
    Error:
    [NQSError:13037] cannot connect to BI security service,Please make sure this is running properly (with SSL or not) in EM.
    [NQSError:37001] could not connect to the oracle BI server instance..
    Kindly help me to fix this issue.

    Hi,
    Can you access the Answers side?
    Can you see the reports?
    Do one thing: take a backup of the NQS config file from the <Oracle Location>\instance\instance1\config\obiserver folder\nqsconfig.ini file.
    Copy the NQS config file back if you already have a backup.
    Restart the services and try once.
    http://mkashu.blogspot.com
    Regards,
    VG
