Securing SOA 11g Web Services with OWSM AD authentication

I have SOA 11g with Weblogic 10.3.5 installed and running a Web Service and a Client I want to protect with Active Directory auth and perhaps some other access rules. As I read, I can use OWSM policies to do that. Most guides I found concern OWSM 10g.
How can I make WL use AD authentication? Do I have to use Access Manager?

I finally figured it out. The nullpointer exception is related to the SAML assertion. The SAML assertion in my requests is signed with an embedded signature, and this seems not to be supported by the OWSM policy used. Without the signature the exception is gone.
Marian

Similar Messages

  • UCM 11g web services with HTTP authentication

    Is it possible to set up UCM 11g web services with HTTP authentication?
    I did set up UCM 11g web services using OWSM policies and they are working well.
    But my development team wants to consume web services with only HTTP authentication (simple user name and password) and does not want to use keystore files and encryption.
    Please help me guys.
    Thank you in advance

    Hi,
    If you are looking to use the WSDL to execute UCM services, then use the SoapUI IDE in development; there it requires only the HTTP authentication method.
    Let me know if this is the actual requirement you were looking for or if I have missed the point.
    I use this to quickly test the WSDL and verify whether the service being invoked is actually correct or not.
    Thanks,
    Srinath
    Edited by: Srinath Menon on Apr 26, 2013 11:32 AM

  • Calling UCM 11g web services with SSO

    Hello, I have read the documentation about Single Sign-On in UCM 11G but I haven't understood how I could use SSO on UCM 11g web services calls.
    The document I have read is
    [http://docs.oracle.com/cd/E15586_01/doc.1111/e10792/c03_security.htm]
    and I only see info about SSO when using "Windows Native Authentication" (WNA).
    I have to send soap calls from applications deployed in other application servers and use the SSO mechanism.
    Does anyone know how I can configure UCM and WebLogic?
    Thank you very much in advance!
    Regards.

  • BPEL Web Service with OWSM Server Agent NOT AUTHENTICATING

    I have deployed OWSM Server Agent to enable WS-Security Username/Password Authentication following the steps in the below URL.
    http://www.oracle.com/technology/obe/fusion_middleware/owsm/secure%20soa/securing%20soa%20with%20owsm.htm
    Section: Creating and Installing an Oracle WSM Server Agent
    The OWSM agent configuration is working fine with individual Web Services.
    For BPEL, the authentication is not happening if we call the default endpoint from a Java proxy or SoapUI, e.g.
    http://host.domainame:7777/orabpel/bpelprocess1/050101 - Authenticates as per the OWSM policy and WORKS FINE
    http://host.domainame:7777/orabpel/bpelprocess1 - Executes the process WITHOUT authenticating
    Any help would be appreciated.
    Thanks
    Shehzad

    Did you resolve this issue? We are having the same issue with one of our BPEL processes... any help would be highly appreciated.
    Thanks in Advance

  • From CC&B, consume web service with Integrated Windows Authentication

    Most of the web services to be consumed from CC&B are exposed by external applications under Integrated Windows Authentication. Our CC&B 2.3 is running on BEA WebLogic on AIX 6.1.
    We need to find out how CC&B can obtain a ticket (Kerberos) in this context. Already checked documentation: XAI Best Practices, OUAF Framework Security Overview. Thanks.

    For the system to function properly you would need to configure both your Web Server and your Application (CC&B) Server. Since the authentication is done by your WebLogic, you would first need to configure your Windows AD to recognise the WebLogic Server to accept the communication and transfer of tokens (TGS, TGT) between user, WebLogic and AD.
    Kerberos authentication in a Microsoft AD environment is dependent on an SPN (Service Principal Name). Therefore your WebLogic host must have a user account and be enabled for Kerberos within your AD.
    The following link provides detailed steps for SSO for Weblogic (Windows & Unix) with AD
    [http://download-llnw.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/sso.html]
    Secondly, since the authorization is done by your application server, you will need to import the user accounts using LDAP and configure their rights.

  • Calling Web Service with Http Basic authentication in SOA 11g

    I am calling a web service which has HTTP basic authentication attached to it. Thus I am adding the 'oracle/wss_http_token_client_policy' OWSM policy to the WS reference in my composite in JDeveloper, but it doesn't show me the option of providing the HTTP username and HTTP password. The only key it is showing me is cf.key.
    Am I missing some steps?
    Please let me know.
    Note - I am working on SOA 11.1.1.4.
    Regards
    Ayush

    Hi Ayush,
    Please refer -
    http://biemond.blogspot.com/2010/08/http-basic-authentication-with-soa.html
    Regards,
    Anuj

  • Web Service, SSL and Client Authentication

    I tried to enable SSL with client authentication over a web service. I am using App Server 10.1.3.4.
    The test page requires my certificate (Firefox asks me to choose the certificate), but the response page of the web service returns this error:
    java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 405 Method Not Allowed
    Has anyone used web services with SSL client authentication?
    Any clue why?
    Regards

    Any comment?
    Thank you.

  • JDeveloper Web Service Client/Proxy Basic Authentication

    Hi I recently migrated a 10g Web Service to an 11g Web Service that uses basic authentication.
    I then generated the client/proxy using the WSDL for my consumer application in JDeveloper 11g. however I cannot find any functions that will allow me to set the username and password to access the web service.
    For instance, in the 10g client, I simply had to do this:
    myPort = new SoapHttpPortClient();
    myPort.setUsername("username");
    myPort.setPassword("password");
    I am not sure how I do the same in the generated Web Service client in 11g.
    Thanks in advance.

    Thanks Frank. I was able to get it to work!
    I did google it but I always add "jdeveloper 11g" in my searches so that must be why this did not come up. :) Thanks again!

  • Securing web services with Sun Access Manager

    Hi!
    I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
    What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
    I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
    I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
    My questions are:
    1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
    2) Are there any documentation/tutorials/etc?
    Thanks in advance :-)
    Anders

    what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
    the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" a webservices agent, but a normal J2EE policy agent.
    So.. having said that. here's what I'd recommend.
    1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
    2. configure it to use your access manager instance for authentication.
    3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APIs available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your "customers" with a webservices client bundle...
    4. voila... your webservices are not "protected" by access manager ;-)

  • Connect to Secure web service with certificate from SAP EP

    Hi Experts,
    Here is the current situation:
    1. Our business requirement is to connect 3rd party RESTful web service which requires secure connection with private client certificate attached
    2. I've tested in my Java test application and successfully attached the private certificate to the HttpsURLConnection request to the web service and made a connection. No problem at all.
    KeyStore keyStore  = KeyStore.getInstance("PKCS12");
    InputStream inputStream = new FileInputStream("privateKeyCert.p12");
    keyStore.load(inputStream, "myPassword".toCharArray());
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, "myPassword".toCharArray());
    KeyManager[] kms = keyManagerFactory.getKeyManagers();
    SSLContext sslContext = SSLContext.getInstance("SSL");
    sslContext.init(kms, null, new SecureRandom());
    SSLSocketFactory sockFact = sslContext.getSocketFactory();
    URL url = new URL("https://www.thirdpartywebservice.com/testroot/");
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    conn.setSSLSocketFactory(sockFact);
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    conn.setDoInput(true);
    conn.setUseCaches(false);
    conn.setDefaultUseCaches (false);
    conn.setRequestProperty("Content-Type", "text/xml");
    3. Next, I tried to apply my Java application to SAP EP NetWeaver, and found that I have to use SecureConnectionFactory:
    https://help.sap.com/saphelp_nw70ehp1/helpdata/en/e2/71c83edf72e16be10000000a114084/content.htm
    4. So, I modified my Java code for SAP EP:
    KeyStore keyStore  = KeyStore.getInstance("PKCS12");
    InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("privateKeyCert.p12");
    keyStore.load(inputStream, "myPassword".toCharArray());
    SecureConnectionFactory scFactory = new SecureConnectionFactory(keyStore);
    HttpURLConnection conn = scFactory.createURLConnection("https://www.thirdpartywebservice.com/testroot/");
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    conn.setDoInput(true);
    conn.setUseCaches(false);
    conn.setDefaultUseCaches (false);
    conn.setRequestProperty("Content-Type", "text/xml");
    And I'm facing the following error message:
    Exception: java.security.UnrecoverableKeyException: java.security.GeneralSecurityException: Unable to decrypt private key: javax.crypto.BadPaddingException: Invalid PKCS#5 padding length: 253
    Could you please help me understand what this error message means?
    Do you think I need to do some other configuration to make a connection to the web service with a client certificate?
    This is our first approach. Please help...
    Thank you in advance.

    SunJSSE implements the SSL server CertificateRequest in a strict mode: if the client fails to find a proper certificate corresponding to the server request, it does not guess what the proper certificate is and send it to the server. In your case, because there is no intermediate certificate in the client context, there is no way to decide which certificate would be acceptable to the server, so the client does not send any cert to the server. That's why you got a handshaking error.
    I guess your client key store does not contain a full certificate path from the client end-entity certificate to the root CA. Please import the full certificate path into the key store.
    BTW, these approaches should work, but I found no reason why one does not adopt #1:
    1. import the full certification path of client certificate into client key store.
    2. as a workaround, configure the server to send a list including the intermediate certificates;
    3. as a workaround, you will have to customize the client KeyManager if you don't want to or are not able to configure the server to send a list including the intermediate certificates.
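
A check for the condition described in the reply above, as an added example that is not part of the original thread: it lists each key entry of a PKCS#12 client key store, tests that the private key can be recovered with the supplied password (the `getKey` operation that raises `UnrecoverableKeyException`), and reports whether the stored chain runs from the end-entity certificate to a self-signed root. The class name `ClientKeyStoreCheck` and the assumption that the store and the key share one password are illustrative.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper class; not part of any SAP or Oracle API.
public class ClientKeyStoreCheck {

    /** True when every certificate is signed by the next one and the last is self-signed (a root). */
    static boolean isFullPath(Certificate[] chain) {
        if (chain == null || chain.length == 0) return false;
        for (int i = 0; i < chain.length; i++) {
            // PKCS#12 entries hold X.509 certificates, so the cast is safe here.
            X509Certificate cert = (X509Certificate) chain[i];
            // The last certificate is checked against itself: a root is self-issued.
            X509Certificate issuer = (X509Certificate) chain[Math.min(i + 1, chain.length - 1)];
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) {
                return false; // signature does not match the claimed issuer
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java ClientKeyStoreCheck <file.p12>");
            System.exit(2);
        }
        // Read the password from the terminal so it does not end up in the process list.
        char[] password = console.readPassword("Key store password: ");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // throws IOException if the store password is wrong
        }

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            try {
                ks.getKey(alias, password); // assumption: key password equals store password
                System.out.println(alias + ": private key recovered");
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": private key NOT recoverable with this password");
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            int n = chain == null ? 0 : chain.length;
            System.out.println(alias + ": " + n + " certificate(s), full path to root: "
                    + isFullPath(chain));
            for (int i = 0; i < n; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("  [" + i + "] subject=" + c.getSubjectX500Principal().getName()
                        + " issuer=" + c.getIssuerX500Principal().getName());
            }
        }
    }
}
```

A key entry that reports a single certificate and `full path to root: false` is the situation the reply describes: the intermediate and root certificates are missing from the client key store.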

  • Need idea : Integration of CRM On Demand web services with Oracle SOA 10g

    Hi All,
    Does anyone have any idea on integration of CRM On Demand web services with Oracle SOA 10g, especially BPEL 10g?
    If you have any idea please share it with us. Or if you know any good link on the same, please let me know.
    Thanks in advance
    Debarshi

    AFAIK there is no such mapping available, however you may want to take a look at this Support Community thread that discusses the migration and even gives some samples.
    Jani Rautiainen
    Fusion Applications Developer Relations
    https://blogs.oracle.com/fadevrel/

  • Importing external web service with SSL certificate security

    Hello,
    I'm trying to import an external web service (that resides in another server, independent of ours). However, right after I enter the WSDL in the import window I get the following error in the NWDS:
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target      [Error: com.sap.ide.es.core.ui.internal.wizards.fragments  Thread[ModalContext,6,main]]
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
              at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
              at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
              at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
              at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
              at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
              at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
              at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.getURLAsStream(UrlValidationRunnable.java:137)
              at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.validate(UrlValidationRunnable.java:75)
              at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.run(UrlValidationRunnable.java:55)
              at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
              at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
              at sun.security.validator.Validator.validate(Validator.java:218)
              at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
              at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
              at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
              ... 15 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
              at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
              ... 21 more
    Has anyone ever consumed an external web service with SSL certificate security? How do you import this in your Web Dynpro project?
    Cheers!

    Hi Alain,
    I just checked on a newer NW environment (NW 7.2) and was presented an empty list as well... It seems the mapping procedure I described is deprecated since NW 7.11, and the modeled CAF application service is already exposed as a web service.
    You may want to have a look at http://help.sap.com/saphelp_nwce711/helpdata/en/43/f173947bbb025be10000000a1553f7/content.htm or http://scn.sap.com/message/7852996 for more info

  • Secured Sybase Web Service with outside certificate authority

    Hello,
    I would like to use Secured Sybase Web Service with outside certificate authority, like Symantec. Could you let me know how I can create CSR for sending to Symantec? What other steps do I need to do?
    Thanks,
    Sudarat.

    Hello Jason,
    Thanks for your reply. The certificate authority requires the CSR file before issuing a signed certificate. If this is a signed certificate for an IIS web server, I can create the CSR from IIS. But I cannot use a signed certificate created from the CSR of IIS with Sybase Web Service. The steps below are what I have tried.
    1. I use CreateCert.exe with /r parameter to create CSR and private key.
    2. I sent CSR to a certificate authority and they send back a signed certificate.
    3. I have to combine a signed certificate from #2 with private key created from #1. Then use that file to specify with -xs{https …when starting the service.
    Are the above steps what I have to do? If so, do I need to redistribute createcert.exe to my customers who want to use my application, and how? Why can I not use the signed certificate created from the CSR of IIS?
    Thanks,
    Sudarat.

  • Security for SOA and Web Services

    Dipak Chopra's 09 Dec 04 "Security for SOA and Web Services" piece has been a terrific starter for me as I start to delve into this topic. Does SAP/the SDN plan to publish an SAP-specific roadmap to show the adherence to and adoption of these standards in NetWeaver? (Or maybe there is such a published roadmap that I am unaware of?)

    Hi Randy
    SAP follows and participates in Security and other Web services standards very closely as we recognize the opportunity they present our customers for developing solutions and integrating systems faster at lower cost.
    However many of the standards are still in development and so are not quite yet ready for "prime time". This means that we can't really publish a "road map" as it would be continually changing. However, if you want an idea on which standards SAP thinks are important, please take a look at this presentation [1] which was delivered at the last Tech Ed.
    David
    [1] https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/the impact of industry standards on sap netweaver.pdf

  • RIDC client using JAX-WS Web Service requires OWSM policy

    Hi
    For development purposes, I want to invoke the RIDC JAX-WS Web Service (I believe this to be the 11g idc native ws) but an error is thrown stating the various policies are invalid. The fact is my instance of Weblogic is not set up with OWSM and there are no security policies applied or configured.
    I was wondering if there was a way to invoke this web service using http basic authentication and bypass the requirement to have a policy attached.
    If not, does anyone have steps on how to enable OWSM and policies, and attach these to the IDC native web services?
    Thanks
    M

    Hi Ryan
    Yes, I have tried to use the JAX-WS with configuration that I was hoping would set Basic Auth on the request, however an error is thrown stating that the required policies are invalid on the server.
    In summary:
    I create a JaxWSClient client.
    I create a binder using the client.
    I create a IdcContext using a valid username and password.
    I set up the service details and params in the binder.
    I send the request by invoking the client and passing the binder and IdcContext.
    With this basic set-up, I get a SOAP fault from the server stating that policies 'oracle/no_authentication_service_policy' and 'oracle/no_messageprotection_service_policy' are invalid. It makes sense that they are invalid as they are not present on my WebLogic instance, and it seems that because I have not specified any other configuration, these are treated as the default policies.
    Setting up basic auth would be ideal, as I do not have control of the Weblogic instances, and so getting OWSM would be a pain. There may be some way to set up the client to use Basic Auth, but unfortunately I cannot see how.
    Cheers
