Securing web services SOAP headers against OWSM policy

Hi,
I need to authenticate the user against the OWSM policy. The caller will pass username and password in SOAP headers and I need to attach WSS policy to my exposed web service.
How to extract the Header information and then validate them against the policy.
A simple HelloWorld sample will be of great help.
regards
Sanjeev

Hi,
For service authentication add policy wss_username_token_service_policy to client composite.Create user in security realms in adminstration console.
While testing the service select wss username token option under security tab and test with valid credentails or from, soap UI
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>USER CREATED IN SECURITY REALMS</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PSWD ENTERED FOR THE SAME USER IN SECURITY REALMS</wsse:Password>
</wsse:UsernameToken></wsse:Security> WITH INPUT

Similar Messages

How to call OWSM secured web-service from ADF application

I have a OWSM secured web-service, which takes username/password.
I want to invoke this webservice from ADF application. ADF application has its own security and it takes its own username/password. End user can't provide the username/password for web-service call. My ADF application should call the webservice and provide it appropriate username/password.
What is the best practice to handle such scenario. I don't want to hardcode username/password in Java (ADF) code.
Thanks
Sanjeev.

it is not clear to me if you are having problems with calling java code from OIM or if the problem is the web service API.
Lets do some divide and conquer:
Can you create a simple java class that just writes a couple of lines to the log? Please attach this code to the OIM task and make sure it runs.
Once this works we can start looking at the web service call.
Best regards
/Martin

Failed Calling A X.509 Certificate Secured Web Service From OSB

Hi,
I have wsdl resource, business service and proxy service setup in OSB 11.1.1.6 on Linux. The business service will consume a X.509 certificate secured web service running on a remote server.
Below is my approach:
The consumer of the proxy service of OSB signs its saop request header.
My OSB proxy service authenticates the signature and forward the request to business service.
The business service signs the outbound soap request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied Web Service Policy of Service Client type to the business service.)
This is not working yet. Not sure if my approach is correct or not?
Thank you,
Eric

I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. Still failed for OSB to invoke the remote secured web service, but worked if only use soapUI to invoke the same remote secured web service directly.
The error message is:
General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
In the soap request / reponse message shown in the OSB Test Console, there seems to be two signature sections in the header and encryption section although I tried not to encrypt the soap request. I am using Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is my policy not to sign nor to encrypt entire body.
In the "Message Signing Setting" section, I unchecked the "Include Entire Body" and left the three default namespaces under the Header Elements.
In the "Message Encrypt Setting" section, I unchecked the "Include Entire Body" and also left the one default namespace under the Header Elements.
I don't know how to attach document here, so i add long saop message here.
     Business Service Testing - BookSec_Biz_Svc_52
     Request Document
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
</soap:Header>
<soapenv:Body>
<book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
<book:bookId>10</book:bookId>
<book:bookTitle>eric</book:bookTitle>
<book:bookAuthor>Z</book:bookAuthor>
</book:BookRequest>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
<wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
</wsu:Timestamp>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
MIICazCCAdSgAwIBAgIEUTY65zANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwHhcNMTMwMzA1MTgzNTE5WhcNMTMwNjAzMTgzNTE5WjB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJhF0cMUwB/EjAyIOy9Cq8KCDqTXvlnlvMGq6LEhiGOtrATYy+JnHURcPUeusi65Ua3bE7JACWhHJ0fYEl7NtxPPSN3Q1RovkWGQ6I5O2XuEyMHg3MISh2CHhnkGSR+W6riDSUoB0ZC0KTgu14OTwqo54JSY/ugQszY7QC9DAuabAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAWeQ6LjMo12bY65GmnrmLdbRNm95RkL6gJCKa9pyUaMfvaIqKpmMQW8RM+eB90CR5DrM8oO2+8uKcqTt/pGNRYi2UJh2X0CdmyQQTmf3mCfgoZ597VTl+k3mKHKeeST7ZwAyBRL2jI0VisopFHpUhIwABoDgwOMpLcCF974AZ2rA=
</wsse:BinarySecurityToken>
*<dsig:Signature* Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
<dsig:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
+*</dsig:Signature>*+
*<dsig:Signature* xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<wsse:TransformationParameters>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</wsse:TransformationParameters>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
</dsig:SignatureValue>
<dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
+*</dsig:Signature>*+
*<xenc:EncryptedKey* Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
</xenc:EncryptionMethod>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
8JUiohXhiHErTDn6fFQ=
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</wsse:Security>
</soap:Header>
<soapenv:Body>
<book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
<book:bookId>10</book:bookId>
<book:bookTitle>eric</book:bookTitle>
<book:bookAuthor>Z</book:bookAuthor>
</book:BookRequest>
</soapenv:Body>
</soapenv:Envelope>
     Response Document
The invocation resulted in an error: Internal Server Error.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Client</faultcode>
<faultstring xmlns:lang="en">
General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
     Response Metadata
<con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
<tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<tran:user-header name="Accept" value="text/xml"/>
<tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
<tran:user-header name="SOAPAction" value=""""/>
<http:Cache-Control>max-age=0</http:Cache-Control>
<http:Connection>close</http:Connection>
<http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
<http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
<http:Server>Apache</http:Server>
<http:Transfer-Encoding>chunked</http:Transfer-Encoding>
</tran:headers>
<tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
<tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
<tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
<http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
</con:metadata>

Error while invoking secure web service.

Hi,
I am trying to access a secure web service through a simple BPEL process in SOA Suite 11g. When I test it through enterprise manager I am getting the following error. Since it's a secured websecure i set the WS policy(oracle/wss_username_token_client_policy) in the external reference and also provided the credentials. If anyone has come across similar error or know the solution please let me know. Also I am not sure if its related to security or is it with the way I am trying to call the service.
Error Message:
Fault ID     reference:80014
Fault Time     May 22, 2011 12:54:45 PM
Non Recoverable System Fault :
javax.xml.ws.soap.SOAPFaultException: 99999: Unknown Service
Error Message: {http://schemas.oracle.com/bpel/extension}remoteFault
Fault ID     default/Mocking!1.0*soa_be35cb3e-5f05-49df-a696-a653d5703681/BPELProcess1/30017-BpInv0-BpSeq0.3-3
Fault Time     May 22, 2011 12:54:46 PM
Non Recoverable System Fault :
<bpelFault><faultType>0</faultType><remoteFault xmlns="http://schemas.oracle.com/bpel/extension"><part name="summary"><summary>99999: Unknown Service</summary></part><part name="detail"><detail><con:fault xmlns:con="http://www.bea.com/wli/sb/context"> <con:errorCode>99999</con:errorCode> <con:reason>Unknown Service</con:reason> <con:location> <con:node>PipelinePairNode1</con:node> <con:pipeline>PipelinePairNode1_request</con:pipeline> <con:stage>stage1</con:stage> </con:location> </con:fault> </detail></part><part name="code"><code>soap:Server</code></part></remoteFault></bpelFault>

Thanks very much for your suggestion. I will take a look into the wsdl again and see if something is wrong in that.
I have a peculiar problem with the wsdl. When I created the partner link using the remote wsdl it would throw a compilation error. But when I took a local copy of the remote wsdl and seperated all the schema's from the wsdl and imported them inside wsdl it gets compiled. But I am not sure if this is a appropriate thing to do and if that is creating this problem. Any thoughts on this would be really helpful.

Confirming method to secure web services through oracle web service manager

Hi All,
I am just wondering about the method to secure web service through oracle web service manager.
I have a unsecure web service "helloworld" which is deployed on JWSDP1.6 toolkit.I want to secure it through oracle web service manager.
Inorder to secure this unsecure web service,I use gateway(web service manager for securing web service using message level security through certificate).
So when client want to access the helloworld service,it contacts the gateway securely and gateway intern connect to original web service after decrypting and verification of the signature.When gateway gets response from the web service,it signs the response message and then encrypt and passs on to the client.
So my question is,is it the right way to secure web service?
As I am getting the following fault exception :
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode "http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode>
<faultstring>Step execution failed with an exception
</faultstring>
<detail></detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I checked the log at :
C:\coresv_install_home\external\oc4j-10.1.2.0.0\j2ee\home\log\http-web-access
but there is no helpful information available.Thanks for any help.
Kash

Hi Rajesh,
Thanks for your reply.I am using the following policy steps:
1)for Request (Decrypt and Verify signature).
2)for Response(Sign Message and Encrypt).
The configuration for Request is shown below:
Pipeline "Request"
Pipeline Steps:
Start Pipeline
Log
Decrypt and Verify Signature
Basic Properties Type Default Value
Enabled (*) boolean true true
XML Decryption Properties Type Default Value
Decryptor''s keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
Decrypt Keystore Type (*) string jks jks
Decryptor''s keystore password string *******
Decryptor''s private-key alias (*) string s1as
Decryptor''s private-key password string *******
Enforce Encryption (*) boolean true true
XML Signature Verification Properties Type Default Value
Verifying Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
Verifying Keystore type (*) string jks jks
Verifying Keystore password string *******
Signer''s public-key alias (*) string xws-security-client
Enforce Signing (*) boolean true true
End Pipeline
And the configuration for Response is shown below:
Pipeline "Response"
Pipeline Steps:
Start Pipeline
Log
Sign Message and Encrypt
Basic Properties Type Default Value
Enabled (*) boolean true true
Signing Properties Type Default Value
Signing Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
Signing Keystore Type (*) string jks jks
Signing Keystore password string *******
Signer''s private-key alias (*) string s1as
Signer''s private-key password string *******
Signed Content (*) string BODY BODY
Sign XPATH Expression string
Sign XML Namespace string[]
Encryption Properties Type Default Value
Encryption Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
Encrypt Keystore Type (*) string jks jks
Encryption Keystore password string *******
Decryptor''s public-key alias (*) string xws-security-client
Encrypted Content (*) string BODY BODY
Encrypt XPATH Expression string
Encrypt XML Namespace string[]
End Pipeline
I checked the log again but nothing useful there,it is just giving the following values:
2006-08-14 16:32:50,372 INFO [Thread-21] mstore.OLiteMStore - SELECT MEASUREMENT_STR FROM MEASUREMENT_PERSISTED_STORE WHERE ID=? FOR UPDATE
2006-08-14 16:34:50,364 INFO [Thread-16] mstore.OLiteMStore - INSERT INTO MEASUREMENT_PERSISTED_STORE (ID,DEF_ID,CONTEXT_ID,PARENT_CONTEXT_ID,TIME,STORETIME,KEY0,KEY1,KEY2,KEY3,KEY4,KEY5,KEY6,KEY7,KEY8,KEY9,KEY10,KEY11,KEY12,KEY13,KEY14,KEY15,KEY16,KEY17,KEY18,KEY19,KEY20,KEY21,KEY22,KEY23,KEY24,KEY25,KEY26,KEY27,KEY28,KEY29,KEY30,KEY31,KEY32,KEY33,KEY34,KEY35,KEY36,KEY37,KEY38,KEY39,DBM0,MEASUREMENT_STR) VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,'R',empty_clob())
2006-08-14 16:34:50,364 INFO [Thread-16] mstore.OLiteMStore - SELECT MEASUREMENT_STR FROM MEASUREMENT_PERSISTED_STORE WHERE ID=? FOR UPDATE
Any help would be appreciated.Thanks.
Kash

Create a Secure Client for a Secure Web Service- is failing

Hi,
This is actually with reference to the webservice tutorial.I am trying the example on Create a Secure Client for a Secure Web Service and have followed all the steps mentioned,however I am getting the following error:
D:\JDev11gTp\jdk\bin\javaw.exe -client -classpath D:\Jdev11gTpInstance\mywork\WebServiceApplications\.adf;D:\Jdev11gTpInstance\mywork\WebServiceApplications\WebServiceProjects\classes;D:\JDev11gTp\webservices\lib\jaxws-api.jar;D:\JDev11gTp\webservices\lib\jws-api.jar;D:\JDev11gTp\webservices\lib\orawsmetadata.jar;D:\JDev11gTp\webservices\lib\wsclient.jar;D:\JDev11gTp\j2ee\home\lib\activation.jar;D:\JDev11gTp\j2ee\home\lib\ejb.jar;D:\JDev11gTp\j2ee\home\lib\jms.jar;D:\JDev11gTp\j2ee\home\lib\jta.jar;D:\JDev11gTp\j2ee\home\lib\mail.jar;D:\JDev11gTp\j2ee\home\lib\servlet.jar;D:\JDev11gTp\webservices\lib\jaxrpc-api.jar;D:\JDev11gTp\webservices\lib\wsserver.jar;D:\JDev11gTp\webservices\lib\wssecurity.jar;D:\JDev11gTp\webservices\lib\wsdl.jar;D:\JDev11gTp\webservices\lib\orasaaj.jar;D:\JDev11gTp\webservices\lib\saaj-api.jar;D:\JDev11gTp\webservices\lib\orawsdl.jar;D:\JDev11gTp\webservices\lib\orawsrm.jar;D:\JDev11gTp\webservices\lib\orawsrel.jar;D:\JDev11gTp\webservices\lib\jaxr-api.jar;D:\JDev11gTp\webservices\lib\orajaxr.jar;D:\JDev11gTp\webservices\lib\relaxngDatatype.jar;D:\JDev11gTp\webservices\lib\xsdlib.jar;D:\JDev11gTp\webservices\lib\mdds.jar;D:\JDev11gTp\webservices\lib\wsif.jar;D:\JDev11gTp\webservices\lib\fabric-common.jar;D:\JDev11gTp\webservices\lib\fabric-interceptors.jar;D:\JDev11gTp\jlib\jaxen.jar;D:\JDev11gTp\jlib\oraclepki.jar;D:\JDev11gTp\jlib\ojpse.jar;D:\JDev11gTp\jlib\jsr106.jar;D:\JDev11gTp\jlib\jsr105.jar;D:\JDev11gTp\jlib\osdt_xmlsec_jce.jar;D:\JDev11gTp\jlib\osdt_wss_jce.jar;D:\JDev11gTp\jlib\osdt_saml_jce.jar;D:\JDev11gTp\jlib\osdt_saml2_jce.jar;D:\JDev11gTp\jlib\osdt_core.jar;D:\JDev11gTp\jlib\osdt_cert.jar;D:\JDev11gTp\jlib\osdt_xmlsec.jar;D:\JDev11gTp\jlib\osdt_wss.jar;D:\JDev11gTp\jlib\osdt_saml.jar;D:\JDev11gTp\jlib\osdt_saml2.jar;D:\JDev11gTp\jlib\ojmisc.jar;D:\JDev11gTp\j2ee\home\lib\http_client.jar;D:\JDev11gTp\j2ee\home\jazncore.jar;D:\JDev11gTp\j2ee\home\oc4jclient.jar;D:\JDev11gTp\rdbms\jlib\xdb.jar;D:\JDev11gTp\j2ee\home\lib\javax77.jar;D:\JDev11gTp\lib\java\api\jsr173_api.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb-impl.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb-xjc.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb1-impl.jar;D:\JDev11gTp\j2ee\home\lib\oc4j-schemas.jar;D:\JDev11gTp\jlib\ojdl.jar;D:\JDev11gTp\jlib\ojdl2.jar;D:\JDev11gTp\jlib\fmw_audit.jar;D:\JDev11gTp\j2ee\home\lib\jmxri.jar;D:\JDev11gTp\j2ee\home\lib\jmx_remote_api.jar;D:\JDev11gTp\j2ee\home\lib\adminclient.jar;D:\JDev11gTp\j2ee\home\lib\jmxframework.jar;D:\JDev11gTp\j2ee\home\lib\jmxspi.jar;D:\JDev11gTp\j2ee\home\lib\xmlcfg.jar;D:\JDev11gTp\jlib\dms.jar;D:\JDev11gTp\jlib\orai18n.jar;D:\JDev11gTp\j2ee\home\lib\commons-digester.jar;D:\JDev11gTp\j2ee\home\lib\spring.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-policy-core.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-pmclient.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-pap.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-agent.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-secpol.jar;D:\JDev11gTp\lib\java\shared\oracle.javatools\11.1.1.0.0\javamodel-rt.jar;D:\JDev11gTp\lib\java\shared\oracle.javatools\11.1.1.0.0\javatools-nodeps.jar;D:\JDev11gTp\lib\java\shared\oracle.toplink\11.1.1.0.0\toplink-sdo.jar;D:\JDev11gTp\lib\java\api\jaxb-api.jar;D:\JDev11gTp\lib\xmlparserv2.jar;D:\JDev11gTp\lib\xml.jar;D:\JDev11gTp\jakarta-taglibs\commons-logging-1.0.3\commons-logging.jar -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8099 -Dhttp.nonProxyHosts= -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8099 -Dhttps.nonProxyHosts= HelloPolicyPortClient
Feb 1, 2008 5:13:43 PM oracle.j2ee.ws.common.context.ContextInterceptor init
INFO: Context provider properties file not found
Feb 1, 2008 5:13:44 PM oracle.wsm.audit.Auditor <init>
INFO: Created J2SE auditor for componentType=OWSM-AGENT busstop=D:\oracle\product\10.2.0\client_1\auditlogs\OWSM-AGENT filter=false auditor=oracle.security.audit.Auditor@143a083
Feb 1, 2008 5:13:44 PM oracle.wsm.audit.Auditor <init>
INFO: Created J2SE auditor for componentType=OWSM-PM-LIB busstop=D:\oracle\product\10.2.0\client_1\auditlogs\OWSM-PM-LIB filter=false auditor=oracle.security.audit.Auditor@15af049
SEVERE: WSM-04514 An MDS error occurred.
SEVERE: WSM-09012 No key, WSM-06002, was found in the resource bundle oracle.wsm.resources.policyvalidation.PolicyValidationMessageBundle.
javax.xml.ws.WebServiceException: oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06002 PolicyReference Invalid policy reference
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:466)
at oracle.j2ee.ws.client.jaxws.WsClientProxyInvocationHandler.invoke(WsClientProxyInvocationHandler.java:204)
at $Proxy28.sayHello(Unknown Source)
at HelloPolicyPortClient.main(HelloPolicyPortClient.java:35)
Caused by: oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06002 PolicyReference Invalid policy reference
at oracle.integration.platform.common.InterceptorChainImpl.createPolicyEnforcementException(InterceptorChainImpl.java:217)
at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:104)
at oracle.j2ee.ws.client.mgmt.runtime.SuperClientInterceptorPipeline.handleRequest(SuperClientInterceptorPipeline.java:91)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.handleRequest(DispatchImpl.java:309)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.handleRequest(DispatchImpl.java:290)
at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:444)
... 3 more
Process exited with exit code 0.
Can anyone please give any clue as to why this error is coming?
Thanks.

Hi
Please refer to this thread
Re: Can I create a login/password protection in Muse for a HTML5 page or two?

Web Service SOAP Sender Authorization

Hi all
I have been implementing a Web Service (SOAP Sender CC) that should be consumed by an external party. I have been testing it successfully using XMLSpy with the drawback of the authentication box coming up even though I have added sap-user and sap-password to the URL as following:
http://<host>:50000/XISOAPAdapter/MessageServlet?channel=:SOAP_Service:CC_SOAP_Sender&sap-user=<name>&sap-password=<pass>
The user that I have created for this has the profile SAP_XI_APPL_SERV_USER assigned.The request is successfully executed when I enter <name> and <pass> in the box. My understanding of it would be that the box does not show up if the login parameters are provided with the URL. Do I have to do any additional settings so that the login information will be taken from the URL parameters automatically instead bringing up the authoritzation box?
My CC settings are as following:
Adapter Type: SOAP (SAP BASIS 7.00)
Sender
Transport Protocol: HTTP
Message Protocol: SOAP 1.1
Adapter Engine: Integration Server
HTTP Security Level: HTTP
Conversion Parameters: Keep Headers
Quality of Service: Best Effort
Any feedback would be appreciated.
Thank you,
Daniel

Hello Daniel,
1. You can add username and password to the SOAP URL and expose your XI Interface as a webservice. Just that the URL is different than the one you are using and you do not need a Sender SOAP adapter but the blog I have listed above.
2. You can turn of Basic authentication on Sender SOAP adapter's but it is not recommended as it would turn off all authentication for SOAP scenarios and it can lead to security risks.
I have seen a few forum threads describing how to turn of Basic authentication for SOAP adapters but from what I have heard from SAP, they do not recommend using this option.
Regards
Bhavesh

Unable to invoke a secured web service

Hi all
I have been trying to call a secured web service which enforces wss11_saml_token_with_message_protection_client_policy policy. To create a web proxy in JDev, I am using the following wiki - http://aseng-wiki.us.oracle.com/asengwiki/display/ASDevOWSM/How+can+I+create+a+JSE+client+to+invoke+ADF+BC+Web+Service+with+OWSM+wss11_saml_token_with_message_protection_service_policy (scroll down to find "Creating JSE client for above Web service")
I have got the default-keystore.jks, cwallet.sso and jps-config.xml from the webservice env. I am getting this error now -
SEVERE: WSM-00055 The keystore located at xyzabc\default-keystore.jks cannot be loaded due to java.io.IOException: Keystore was tampered with, or password was incorrect. Ensure that valid keystore type and password are configured.
Any pointers would be appreciated.
Thanks,
Pushkal

One more update i tried printing l_http_response.status_code and got 302.
Thanks,
PKV

Calling secured web service from Pl SQL

Hi
I am trying to call a secured web service from pl/sql using utl_http.
Is there a sample pl/sql program that i can refer to call a secured web service.
sample soap header that am trying to acheive.
<soap:Header>
<wsa:Action>http://myactaction</wsa:Action>
<wsa:MessageID>uuid:asdfadrewrwqr</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://myact</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="SecurityToken-321321">
<wsse:Username>mordfsafsdae</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">werwqrewrwe</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
Thanks a ton in advance

Hi,
On way we can call a web service is to pass the Web Service URL to UTL_HTTP package:
Sample Web Service URL
===================
lv_url :=
'http://67.97.189.151:8888/plsqlsample/dbfunc?invoke=placeOrder'
|| '&'
|| 'param0=1'
|| '&'
|| 'param1=1'
|| '&'
|| 'param2=1';
Sample Call using UTL_HTTP
=====================
SELECT UTL_HTTP.request (lv_url)
INTO lv_result
FROM DUAL;
Thank you.
Regards,
Balu

Error when trying to access a secured web service from Forms 10g 10.1.2.3

Hello,
I'm trying to access a secured web service from Forms10g 10.1.2.3 but i'm getting the next error when pressing the button the first time:
java.rmi.RemoteException: ; nested exception is: HTTP transport error: javax.xml.soap.SOAPException:
java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 401 UnauthorizeWhen i press the button a second time i got this error:
javax.xml.rpc.soap.SOAPFaultException: The SOAP request is invalid. The required node 'Envelope' is missingThis is the code i have in my button:
DECLARE
jo ora_java.jobject;
pdfObject ora_java.jobject;
pdf     varchar2(900);
rv varchar2(100);
ex ora_java.jobject;
BEGIN
JO := SEARCHSOAPCLIENT.new;
SEARCHSOAPCLIENT.setUsername(JO,'weblogic');
SEARCHSOAPCLIENT.setPassword(JO,'welcome1');
pdfObject := SEARCHSOAPCLIENT.quicksearch(JO,'1234',NULL);
pdf := SEARCHSOAPCLIENT.tostring(pdfObject);
message(pdf);
message(' ');
EXCEPTION
WHEN ORA_JAVA.JAVA_ERROR then
message('Unable to call out to Java, ' ||ORA_JAVA.LAST_ERROR);
WHEN ORA_JAVA.EXCEPTION_THROWN then
ex := ORA_JAVA.LAST_EXCEPTION;
:error := Exception_.toString(ex);
END;When i run it from JDeveloper it works, this is a portion of java code the proxy web service has:
import oracle.webservices.transport.ClientTransport;
import oracle.webservices.OracleStub;
import javax.xml.rpc.ServiceFactory;
import javax.xml.rpc.Stub;
public class SearchSoapClient {
    private webservicesproxywebcontent.proxy.SearchSoap _port;
    public SearchSoapClient() throws Exception {
        ServiceFactory factory = ServiceFactory.newInstance();
        _port = ((webservicesproxywebcontent.proxy.Search)factory.loadService(webservicesproxywebcontent.proxy.Search.class)).getSearchSoap();
        this.setUsername("weblogic");
        this.setPassword("welcome1");
        System.out.println("callling from _port "+ _port.quickSearch("1234234", null));
     * @param args
    public static void main(String[] args) {
        try {
            webservicesproxywebcontent.proxy.SearchSoapClient myPort = new webservicesproxywebcontent.proxy.SearchSoapClient();
            System.out.println("calling " + myPort.getEndpoint());
        } catch (Exception ex) {
            ex.printStackTrace();
     * delegate all operations to the underlying implementation class.
    public QuickSearchResult quickSearch(String queryText, IdcPropertyList extraProps) throws java.rmi.RemoteException {
        return _port.quickSearch(queryText, extraProps);
    }Also the secured web service was generated from Webcenter Content 11.1.1.6 that is why it's a secured web service.
Kind Regards
Carlos

Without going into any technical discussion about the code, my first question is what JDK version was used to create this which was imported into the form? Understand that Forms 10 runs on JDK 1.4.2, so if you used any newer JDK version, likely there will be problems.

Best Practice for Securing Web Services in the BPEL Workflow

What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same oracle application server.
Defining agent for each?
Gateway for all?
BPEL security extension?
The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
Regards
Farbod

It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the App server only from Gateway.
When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
The next BPEL developer in your project may not be aware of Security extensions
Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
Thanks
Ram

How to consume a secure web service?

Could someone post me an sample to invoke the certificate based secure web service?
All I have is wsdl, certificate (.pfx file) and password and client jar file. Searching for the sample program to access the secure web service.
I work on weblogic workshop.

Unfortunately, I have just been provided with the endpoint and the SOAP action. Don't have any other details :(

Calling secured Web Service

Hi,
I am new in calling web service from PL/SQL block.
From the code I'm successfully able to call non-secured webservice like this "http://www.ignyte.com/webservices/ignyte.whatsshowing.webservice/moviefunctions.asmx?wsdl"
And also by setting the wallet I'm also able to call secured web service like this "https://www.docusign.net/api/3.0/Credential.asmx?WSDL" (ping method).
For calling this secured service I stored certs with chain into the wallet and that works.
But my problem is a different web service where that web service is authenticating me with my certificate. I have VeriSign certificate with private key and that web service has my public key. Whenever I will send SOAP request I need to send my certificate with the request. And communication will be over SSL.
I have created a wallet with complete chain from the PFX file I received from VeriSign and Wallet is in Ready state, also I have included web service's certificate also.
Whenever I am trying to make SOAP call I'm getting
ORA-00600: internal error code, arguments: [kgazmo_1], [], [], [], [], [], [], []
Please let me know where is the problem. May be I'm not able to send my certificate for authentication or may be I'm not able to establish SSL for communication from PL/SQL.
I'm using 10.1.2 as database. I also have 10g AS installed, if that can help in achieving this.
Code is as follows:
FUNCTION CallWS
RETURN xmltype
AS
l_request soap_api.t_request;
l_response soap_api.t_response;
l_url VARCHAR2(32767);
l_namespace VARCHAR2(32767);
l_method VARCHAR2(32767);
l_soap_action VARCHAR2(32767);
l_doc xmltype;
BEGIN
l_url := 'https://secured.webservice.com/WS/WebService.asmx';
l_namespace := 'xmlns="https://secured.webservice.com/WS"';
l_method := 'GetMe';
l_soap_action := 'https://secured.webservice.com/WS/GetMe';
utl_http.set_wallet('file:c:/wallets','pass123');
l_request := soap_api.new_request(p_method => l_method,
p_namespace => l_namespace);
soap_api.add_parameter(p_request => l_request,
p_name => 'param1',
p_type => 'xsd:string',
p_value => 'val1');
soap_api.add_parameter(p_request => l_request,
p_name => 'param2',
p_type => 'xsd:string',
p_value => 'val2');
l_response := soap_api.invoke(p_request => l_request,
p_url => l_url,
p_action => l_soap_action );
l_doc := l_response.doc;
RETURN l_doc;
END CallWS;
You can find SOAP_API package here [SOAP_API|http://www.oracle-base.com/dba/miscellaneous/soap_api.sql] .
Thanks in advance.
-Smith

Thanks again Billy,
I have configured a wallet with all the necessary certificates. Actually I have purchased a VeriSign trusted certificate and convert that into Oracle Wallet (p12) using openssl with appropriate password. And I'm calling UTL_HTTP.set_wallet('<path_to_wallet>','<pass_to_open_it>');
I have send my public key to them (web service company) and they need me to send my certificate with every request so that they can authenticate.
You are saying we don't have to write any code for TLS/SSL UTL_HTTP will take care of that, thats really good.
One more thing I want to mention here...
In Internet Explorer - When I am importing my certificate without my private key and trying to access web service I'm getting 404 page not found error.
But when I'm importing my certificate with the private key, I can see WSDL and all other methods offered by that web service.
I'm guessing Oracle Wallet that I'm creating with my certificate will store private key also. B'coz it is showing me User Certificate in Ready state.
ORA-00600 is not giving me proper location where I can find any error in my code.
Thanks
-Smith

Securing web services with Sun Access Manager

Hi!
I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
My questions are:
1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
2) Are there any documentation/tutorials/etc?
Thanks in advance :-)
Anders

what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
So.. having said that. here's what I'd recommend.
1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
2. configure it to use your access manager instance for authentication.
3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
4. voila... your webservices are not "protected" by acces manager ;-)

Securing Web Services

I am hoping others in this forum will share their experiences involving securing web services. What I would like to know is your thoughts on industry best practices for securing web services.
I have been asked to look at the different industry approaches. From what I have read SUN, the simplest approach may be using WS-Security standard. This uses XML Signatures and XML encryption and can be placed in the header portion of the SOAP message. On the other hand, the most complicated is using an LDAP server for single sign.
What is our driving forces is the least amount of effort is the best solution as long as security is not compromised.
Thanks in advance for all your comments.

The first thing you need to do is understand what your requirements are. The solution needs to match your requirements.
You need to distinguish authentication from authorization from data security and what your requirements are for each.
You need to understand the administrative overhead and how you will manage sertificates or userid/passwords. This can oftentimes involve more work than the web service itself.
Don't "overkill" the solution. For example, don't use message-level encryption when an SSL connection will suffice for data security.
-- Frank
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
http://searchwebservices.techtarget.com/qna/0,289202,sid26_gci995388,00.html
IBM: sg246891_WebSphere_Web_Services_Handbook_5_1_1.pdf

Securing web services SOAP headers against OWSM policy

Similar Messages

Maybe you are looking for