Security in OSB

Hi All,
I have a scenario where I am calling a web service (which is protected with group ABC, using policy conditions in WebLogic). I need to call that web service from OSB. Initially I did it like this: from the Service Accounts, I passed a static username and password from the OSB BS service policies (I am passing a user who is already present in the ABC group). It works fine.
But now I have to use a Java callout (this we are using for custom authentication: we are getting the username and password dynamically from the Java code; this user belongs to the above ABC group). I am stuck on the part of how I can handle this situation in OSB. I tried to use transport headers, but it doesn't have the option of ws:username and ws:password. How can I pass those security credentials to the BS?
Please point me to the right direction.
Thanks in advance.

Depends on how the authentication is implemented in the target service. If the username/password are required as transport headers (if transport-level authentication is configured), then you need to set the username/password in the $outbound variable while calling the target service. If a username/password token is required as part of the WS-Security header, then you need to assign a SOAP WS-Security username/password token (use an XQuery to generate one) and assign it to the $header variable while calling the target service.
In both scenarios you can use the username/password returned by the Java callout and set them in correct place depending on the authentication configured on target side.
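
One way to build the WS-Security token the answer above describes, as an added example that is not part of the original thread: an XQuery 1.0 function that returns a wsse:Security header carrying a UsernameToken. The function name local:username-token and the external variables $username and $password (bound to the values returned by the Java callout) are assumptions; the PasswordText type sends the password in clear, so the business service endpoint is assumed to use HTTPS.

```xquery
xquery version "1.0";

(: Added example, not code from the thread. Function and variable names
   are assumptions chosen for illustration. :)
declare namespace wsse =
  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

(: Builds a WS-Security header with a UsernameToken (Username Token
   Profile 1.0, PasswordText). The credentials are placed with enclosed
   expressions, so they become text nodes: characters such as < or & in a
   password are escaped on serialization instead of being read as markup,
   which string concatenation of XML would not guarantee. :)
declare function local:username-token(
    $username as xs:string,
    $password as xs:string
) as element(wsse:Security) {
  (: Refuse to emit a token with a blank user or empty password, so a
     failed callout surfaces as a pipeline error rather than as an
     outbound request carrying empty credentials. :)
  if (fn:normalize-space($username) = "" or fn:string-length($password) = 0) then
    fn:error(xs:QName("local:EMPTY_CREDENTIAL"),
             "Java callout returned an empty username or password")
  else
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>{ $username }</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{ $password }</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
};

(: Assumed bindings: pipeline variables that hold the Java callout results. :)
declare variable $username as xs:string external;
declare variable $password as xs:string external;

local:username-token($username, $password)
```

Insert the returned element as a child of the SOAP Header held in $header before routing to the business service, and keep $header out of Log actions on that path, since it now carries the cleartext password.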

Similar Messages

  • Question Enabling WS-Security in OSB

    Hi Guys,
    I am having a problem with WS-Security in OSB.
    I wish to have WS-Security for my proxy. I have done the following steps:
    Get All header = Yes
    Http transport default setting
    operation default setting
    message content default setting
    policy= add Auth.xml in Request Policies
    security = Process WS- Security Header Yes and custom Authentication Setting none
    what next?

    http://biemond.blogspot.com/2009/06/ws-security-in-osb.html
    Regards,
    Anuj

  • How to install and configure oracle secure backup(osb-10.4.0.3.0_linux.x64) in linux

    Hello,
    We are planning to install and configure Oracle Secure Backup Version 10.4 on a Linux server. I have searched the documents and I have not found any relevant steps to install and configure it on OEL 6.2.
    Can anyone please suggest how to install and configure OSB?
    Regards,
    Anil

    Hi
    Installing OSB on Oracle Linux is just the same as installing on any other supported linux and is described in Installation and Configuration guide. Just stick with the directories and procedure described in install guide and you should be fine.
    For media server choose a physical host due to performance considerations. I think it is mentioned in docs somewhere.
    Regards,
    Mitja

  • Oracle Secure Backup (OSB) Cloud Module for Amazon

    Dear,
    I am trying to install the cloud module in an EC2 instance for Oracle DB backup. I tried with different OSes with different Java versions and it always fails.
    I remember that one year ago I installed this in seconds with no single problem at all, but now I did everything and it doesn't want to work.
    If someone has some ideas, please share.
    Thanks in advance.
    oracle@localhost* ~$ java -jar osbws_install.jar -AWSID ***** -AWSKey ******-otnUser ****** -otnPass ****** -walletDir $OSB_WALLET_DIR -configFile $OSB_CONFIG_DIR/osbcm.conf -libDir $OSB_LIB_DIR -Location eu-west-1a
    Oracle Secure Backup Database Web-Service Install Tool, build 2013-10-30.0001
    AWS credentials are valid.
    Exception in thread "main" java.net.UnknownServiceException: no content-type
    at java.net.URLConnection.getContentHandler(URLConnection.java:1251)
    at java.net.URLConnection.getContent(URLConnection.java:749)
    at oracle.osbws.install.ConfigSetup.config(ConfigSetup.java:284)
    at oracle.osbws.install.ConfigSetup.main(ConfigSetup.java:1195)
    Info
    No firewall, no iptables.
    Linux hostanme.com 3.10.0-123.20.1.el7.x86_64 #1 SMP Wed Jan 21 09:45:55 EST 2015 x86_64 x86_64 x86_64 GNU/Linux

    Thanks for the reply.
    Just want to share.
    The solution is very simple. Just need to have the latest version of this installer. I found it here and it works.
    Oracle Secure Backup Cloud Module for Amazon S3

  • OSB Patch TYBN and U37G - ws-security interoperability

    Hi All,
    I am using weblogic 9.x style security with OSB 11g which will be communicating with OWSM enabled weblogic server on the server side.
    According to the below URL
    http://docs.oracle.com/cd/E17904_01/web.1111/e16098/interop_osb.htm
    "Note:
    Ensure that you have downloaded and applied the TYBN and U37Z patches released for Oracle Service Bus 10.3 using the patch tool."
    I will have to apply patches TYBN and U37Z to the Oracle Service Bus domain.
    Where will I find these two patches? I went to the Oracle support site and searched for these patches, but could not find either of them.

    Hi Sebastian,
    Have you tried adding a "XML Transform" policy?
    (http://download-uk.oracle.com/docs/cd/B31017_01/integrate.1013/b31008/policy_steps.htm#sthref644)
    Regards,
    Mathias

  • OWSM 11gR1 PS2 agent to secure OSB 11g business service

    Hi,
    Can anyone share any resources/information on how to secure an OSB 11g business service by using the OWSM 11g agent? It's a new feature released with the OWSM 11gR1 PS2 (11.1.1.3.0) release. Also, can we do the same for OSB 10g?
    Thanks,
    Bijoy

    Hi Bijoy,
    Documentation is here (for PS2 with OSB 11g)-
    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15866/owsm.htm#CHDEEGJI
    > can we do the same for OSB 10g?
    No, it is not supported.
    Regards,
    Anuj

  • Secure OSB Service with LDAP

    Hi Friends,
    Greetings!
    Is there a way to secure an OSB service so that users will be able to access it only if they pass their AD/LDAP userid and password?
    Note: I know I can add service accounts. However, I want to avoid adding a huge number of users/service accounts manually.
    Thanks,
    Sachin.

    Hi Sachin,
    You have to configure the WebLogic security realm to add an AD/LDAP Authentication provider.
    http://onlineappsdba.com/index.php/2010/02/04/how-to-integrate-weblogic-with-oracle-internet-directory-for-login-authentication/
    In order to secure the OSB service you can enable HTTPS or have message-level security for the same.
    > know I can add service accounts. However, I want to avoid adding a huge number of users/service accounts manually.
    No need to maintain n number of accounts per n number of users.
    Use a Basic Authentication/Custom Authentication/OWSM username token service policy to authenticate the username/password with AD/LDAP.
    For Authorization: Use Transport/Message Level Authorization at OSB Service level
    Regards,
    Abhinav Gupta

  • How to call https service from OSB

    hi
    I need to call a third-party https service. It's a secured service with authentication.
    I have imported the SSL certificate into the keystore.
    It's one-way SSL with authentication and I need to pass a wsse token (username/password) from the Business service to invoke the third-party service.
    What steps do I need to follow to call this service?
    I have gone through all other
    Thanks
    Vibhor

    Below note gives the high level steps to be performed for implementing different security requirements with OSB
    OSB - Proxy Service HTTPS one way
        Configure Identity & Trust Keystore
    OSB - Proxy Service HTTPS 2 way
        Configure Identity Assertion Provider to support X509
        Configure user mapper class for default identity assertion provider
        Change 2 way Client Cert behaviour from default ("Client Certificate Not requested") to "Client Certificate requested but not enforced"
    OSB - Business Service HTTPS one way
        Add root & intermediate CA certificates of the server to the trust keystore
    OSB - Business Service HTTPS 2 way
        Add root & intermediate CA certificates of the server to the trust keystore
        Configure PKI Credential Provider containing the client certificate
        Configure a Service Key provider with SSL Client Authentication key
        Associate the service key provider to the proxy service which invokes the business service
    OSB - Proxy Service WS-Security User Name Token
        Configure Auth.xml or custom username token WS-Security Policy
    OSB - Proxy Service WS-Security X509 Token
        Configure Auth.xml and Sign.xml Policy
        Change UseX509ForIdentity attribute in domain → WS Security → Inbound Mbean Token handlers Page to true
        Ensure Certificate passed by client is present in certificate registry or the root CA in trust keystore depending upon weblogic certification path provider configuration
        Configure Identity Assertion Provider and Username mapper class.
    OSB - Business Service WS-Security User Name Token
        Configure Auth or custom username token WS-Security Policy
        Configure Service account for username provider
    OSB - Business Service WS-Security X509 Token
        Configure Sign.xml and Auth.xml policy (or custom signing and username token policies) in the business service
        Configure a PKI credential provider and service key provider containing the certificate to be used for signing and authentication
        Associate the service key provider to the proxy service which invokes the business service.
    OSB - Proxy Service Digital Signature [Request Only]
        Configure Sign.xml or a custom signing policy to the proxy service
        Ensure Certificate passed by client is present in certificate registry or the root CA in trust keystore depending upon weblogic certification path provider configuration
    OSB - Business Service Digital Signature [Request Only]
        Configure Sign.xml policy (or custom signing policy) in the business service
        Configure a PKI credential provider and service key provider containing the certificate to be used for signing
        Associate the service key provider to the proxy service which invokes the business service.
    Edited by: atheek1 on Aug 26, 2010 5:17 AM
    Edited by: atheek1 on Aug 26, 2010 8:20 AM

  • OSB oracle/wss_username_token_service_policy use

    I'm trying to secure an OSB Proxy by attaching the OWSM policy oracle/wss_username_token_service_policy , I want to authenticate username and password against Weblogic Security Realm Users, can it be done? or maybe I must use another OWSM policy?
    Thanks in advance,
    Pablo

    http://niallcblogs.blogspot.com/2010/07/osb-11g-and-wsm.html
    Regards,
    Anuj

  • OSB: Payload validation required for empty elements inside OSB process.

    Hello
    I need to validate the payload for non-empty elements. If the payload is completely empty then OSB should throw an error that the submitted payload is empty.
    If the payload contains at least one element then it should pass through.
    As in process to test this particular one, I have tried with the following code to generally validate for an element.
    xquery version "1.0" encoding "Cp1252";
    (:: pragma bea:global-element-parameter parameter="$inputParameters1" element="ns0:InputParameters" location="../adapter/StoreProcDB/xsd/StoreProcDBService_sp.xsd" ::)
    (:: pragma bea:schema-type-return type="ns1:Validation" location="../xsd/validation.xsd" ::)
    declare namespace xf = "http://tempuri.org/StoreProc_osb/transformation/PayloadValidation/";
    declare namespace ns1 = "http://www.sigmainfo.com/validation";
    declare namespace ns0 = "http://xmlns.oracle.com/pcbpel/adapter/db/sp/StoreProcDBService";
    declare function xf:PayloadValidation($inputParameters1 as element(ns0:InputParameters))
    as element() {
         <ns1:Validation>
              <ns1:Payload>{$inputParameters1/.}</ns1:Payload>
              <ns1:ValidationErrorList>
              {
                   (: The checks sit inside an enclosed expression so that they are
                      evaluated instead of being copied into the output as text. :)
                   (: BEGIN - Required Field Validations :)
                   (: if (empty($inputParameters1/ns0:ACCOUNTNUMBER/text())) then
                        <ns1:ValidationError>
                             <ns1:code>1</ns1:code>
                             <ns1:message>ACCOUNTNUMBER: Required Field</ns1:message>
                        </ns1:ValidationError> :)
                   if (empty($inputParameters1/ns0:AUDITUSER/text())) then
                        <ns1:ValidationError>
                             <ns1:code>1</ns1:code>
                             <ns1:message>AUDITUSER: Required Field</ns1:message>
                        </ns1:ValidationError>
                   else ''
                   (: END - Required Field Validations :)
              }
              </ns1:ValidationErrorList>
         </ns1:Validation>
    };
    declare variable $inputParameters1 as element(ns0:InputParameters) external;
    xf:PayloadValidation($inputParameters1)
    But it throws the following error:
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    REQUEST DOCUMENT:
    <soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    </soap:Header>
    <soapenv:Body>
    <stor:InputParameters
    xmlns:stor="http://xmlns.oracle.com/pcbpel/adapter/db/sp/StoreProcDBService">
    <!--Optional:-->
    <stor:P_ACCOUNTNUMBER>00101</stor:P_ACCOUNTNUMBER>
    <!--Optional:-->
    <stor:P_AUDITUSER>venkat</stor:P_AUDITUSER>
    </stor:InputParameters>
    </soapenv:Body>
    </soapenv:Envelope>
    RESPONSE DOCUMENT:
    The invocation resulted in an error: . <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode><faultstring>BEA-382505: OSB Validate action failed validation</faultstring><detail><con:fault xmlns:con="http://www.bea.com/wli/sb/context">
    <con:errorCode>BEA-382505</con:errorCode>
    <con:reason>OSB Validate action failed validation</con:reason>
    <con:details>
    <con1:ValidationFailureDetail xmlns:con1="http://www.bea.com/wli/sb/stages/transform/config">
    <con1:message>
    Incompatible elements: expected an XML instance of name "{http://xmlns.oracle.com/pcbpel/adapter/db/sp/StoreProcDBService}InputParameters", but found an XML instance of name "{http://schemas.xmlsoap.org/soap/envelope/}Body".
    </con1:message>
    <con1:xmlLocation/>
    </con1:ValidationFailureDetail>
    </con:details>
    <con:location>
    <con:node>PipelinePairNode1</con:node>
    <con:pipeline>PipelinePairNode1_request</con:pipeline>
    <con:stage>stage1</con:stage>
    <con:path>request-pipeline</con:path>
    </con:location>
    </con:fault>
    </detail>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    But this is not the way it should be done as I progress.
    Please suggest a simple way to have a pragma with sample and complete validation for the input payload.
    Appreciate your help in advance
    Regards
    Venkat

    Venkat,
    Find below URLs for implementing security policies in OSB
    http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm#CHDEEGJI
    http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm#CHDBIJHD
    http://niallcblogs.blogspot.in/2010/07/osb-11g-and-wsm.html
    http://biemond.blogspot.in/2009/06/ws-security-in-osb.html
    Regards,
    Abhinav

  • OSB ERROR

    Hello All,
    I am trying to clean the tapes on the library and I am using this command:
    ob> clean drive dell-tape1 force --use 4
    but getting this error:
    Error: can't execute command - could not find a usable cleaning tape
    Please help
    Regards
    Wessam

    Hi,
    There is Secure Backup (http://forums.oracle.com/forums/forum.jspa?forumID=264) that has been created to discuss Oracle's new tape backup software, Oracle Secure Backup (OSB) and Oracle Secure Backup Express ... I hope it can help you.
    Cheers
    Legatti

  • X509 message level authentication - Unable to validate identity assertions

    Hi All,
    I am creating a proxy service that will authenticate a soap request with incoming x509 certificate.
    I configured weblogic server following the below blog post
    http://tim.blackamber.org.uk/?p=831
    I also set up the SSL and keystore tabs in the WebLogic server by following the steps in the below URL
    http://biemond.blogspot.com/2009/06/ws-security-in-osb.html
    In my proxy service I am using pre-defined policy "Auth.xml"
    The proxy service is attached below
    I am running the proxy service from test console. I have a security provider created pointing the keystore and selected while running the proxy service from test console ( no user name/password provided)
    I was expecting that the proxy service will read the security token and map the CN name corresponding to the security token key (my default User name mapper attribute is CN) to a user created in the WebLogic server and be able to authenticate it.
    But I am getting following error. Please suggest.
    <An error ocurred during web service security inbound request processing [error-code: Fault, message-id: 1345281693794990467-5e61805e.1324a2f888f.-7f8a, proxy: myPrototypes/ProxyService/ProxyServiceExtBizV2, operation: null]
    --- Error message:
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><Code xmlns="http://www.w3.org/2003/05/soap-envelope"><Value>env:Sender</Value><Subcode><Value>wsse:InvalidSecurity</Value></Subcode></Code><Reason xmlns="http://www.w3.org/2003/05/soap-envelope"><Text xml:lang="en-US">Unable to validate identity assertions.</Text></Reason></env:Fault></env:Body></env:Envelope>
    weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions.
    *     at weblogic.wsee.security.wss.SecurityPolicyValidator.doIdentity(SecurityPolicyValidator.java:144)*
    *     at weblogic.wsee.security.wss.SecurityPolicyValidator.processIdentity(SecurityPolicyValidator.java:107)*
         at weblogic.wsee.security.wss.SecurityPolicyValidator.processInbound(SecurityPolicyValidator.java:78)
         at weblogic.wsee.security.WssServerPolicyHandler.processInbound(WssServerPolicyHandler.java:54)
         at weblogic.wsee.security.WssServerPolicyHandler.processRequest(WssServerPolicyHandler.java:30)
         at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:74)
         at com.bea.wli.sb.security.wss.wls.Wls92InboundHandler.processRequest(Wls92InboundHandler.java:164)
         at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:223)
         at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:289)
         at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:87)
         at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)
         at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
         at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
         at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:590)
         at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:332)
         at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
    proxy service definition:
    <?xml version="1.0" encoding="UTF-8"?>
    <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:con="http://www.bea.com/wli/sb/services/security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:con1="http://www.bea.com/wli/sb/pipeline/config" xmlns:con2="http://www.bea.com/wli/sb/stages/logging/config" xmlns:con3="http://www.bea.com/wli/sb/stages/config" xmlns:con4="http://www.bea.com/wli/sb/stages/publish/config">
    <ser:coreEntry isProxy="true" isEnabled="true">
    <ser:serviceProvider ref="myPrototypes/x509keyprovider"/>
    <ser:security>
    <con:inboundWss processWssHeader="true"/>
    </ser:security>
    <ser:binding type="abstract SOAP" isSoap12="true" xsi:type="con:AnySoapBindingType" xmlns:con="http://www.bea.com/wli/sb/services/bindings/config"/>
    <ser:monitoring isEnabled="false">
    <ser:aggregationInterval>10</ser:aggregationInterval>
    <ser:pipelineMonitoringLevel>Pipeline</ser:pipelineMonitoringLevel>
    </ser:monitoring>
    <ser:reporting>true</ser:reporting>
    <ser:logging isEnabled="true">
    <ser:logLevel>debug</ser:logLevel>
    </ser:logging>
    <ser:sla-alerting isEnabled="true">
    <ser:alertLevel>normal</ser:alertLevel>
    </ser:sla-alerting>
    <ser:pipeline-alerting isEnabled="true">
    <ser:alertLevel>normal</ser:alertLevel>
    </ser:pipeline-alerting>
    <ser:ws-policy>
    <ser:binding-mode>service-policy-bindings</ser:binding-mode>
    <ser:policies>
    <ser:service-policy>
    <ser:predefined-policy>Auth.xml</ser:predefined-policy>
    </ser:service-policy>
    </ser:policies>
    </ser:ws-policy>
    </ser:coreEntry>
    <ser:endpointConfig>
    <tran:provider-id>http</tran:provider-id>
    <tran:inbound>true</tran:inbound>
    <tran:URI>
    <env:value>/myPrototypes/ProxyService/ProxyServiceExtBizV2</env:value>
    </tran:URI>
    <tran:inbound-properties/>
    <tran:all-headers>true</tran:all-headers>
    <tran:provider-specific>
    <http:inbound-properties/>
    </tran:provider-specific>
    </ser:endpointConfig>
    <ser:router>
    <con1:pipeline type="request" name="PipelinePairNode1_request">
    <con1:stage name="stage1">
    <con1:context/>
    <con1:actions>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7e09</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$header</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:request side:hdr is</con2:message>
    </con2:log>
    <con4:route>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7866</con3:id>
    <con4:service ref="myPrototypes/BizService/BizServiceExtBiz" xsi:type="ref:BusinessServiceRef" xmlns:ref="http://www.bea.com/wli/sb/reference"/>
    <con4:outboundTransform/>
    </con4:route>
    </con1:actions>
    </con1:stage>
    </con1:pipeline>
    <con1:pipeline type="response" name="PipelinePairNode1_response">
    <con1:stage name="stage1">
    <con1:context/>
    <con1:actions>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7cd6</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$header</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:hdr is</con2:message>
    </con2:log>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79d3</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$outbound</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:outbound is</con2:message>
    </con2:log>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79b6</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$inbound</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:inbound is</con2:message>
    </con2:log>
    </con1:actions>
    </con1:stage>
    </con1:pipeline>
    <con1:flow>
    <con1:pipeline-node name="PipelinePairNode1">
    <con1:request>PipelinePairNode1_request</con1:request>
    <con1:response>PipelinePairNode1_response</con1:response>
    </con1:pipeline-node>
    </con1:flow>
    </ser:router>
    </xml-fragment>
    Edited by: 818591 on Sep 8, 2011 4:47 PM

    For anyone watching this thread for any relevant information,
    after adding sign.xml policy, it started working

  • Do we need to create workmanager for applns in WL 10.3?

    Do we need to create execute threads manually using a work manager in WebLogic 10.3 (ALSB)/OSB, or have they been taken care of by the default thread pooling mechanism?
    Does creating a work manager and assigning 'n' number of threads to an application really help the performance of the application?
    Appreciate any suggestion.
    Regards,
    Sreepad K

    Hello Sreepad,
    > Do we need to create execute threads manually using a work manager in WebLogic 10.3 (ALSB)/OSB, or have they been taken care of by the default thread pooling mechanism?
    For production environments, it is always suggested to use custom work managers to optimize the use of applications and enhance security. OSB has a default work manager but it is not recommended to use it in your production environments. To know more about work managers, please refer to:
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/config_wls/self_tuned.html
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/work/CreateGlobalWorkManager.html
    Regards,
    Anuj

  • Steps and Docs - Automated Tape backup for LINUX OS

    Hi
    Currently we are using ARC7 tape (LTO) backup movement in which the product belong to firm CA for windows. We are not having the license to use it for the LINUX os.
    In one of our environment we are planning to set up automated tape backup movement for the LINUX OS. (Database Backups such as RMAN and export) It would be great if you suggest few links or procedural steps to use which tape backups , how to configure, which brand, documents, what all procedural steps etc.
    Thanks
    SHIYAS M
    Edited by: 965652 on Apr 23, 2013 12:12 AM

    I suggest looking into Oracle Secure Backup (OSB) or Oracle Secure Backup Express. The latter is free.
    http://docs.oracle.com/cd/E14812_01/doc/doc.103/e12836/toc.htm
    http://www.oracle.com/us/products/database/secure-backup/overview/index.html
    http://www.oracle.com/technetwork/products/secure-backup/downloads/secbackupexpress-084447.html
    There is also a specific forum:
    Secure Backup

  • Configuring certificate authorization

    Guys,
    I need to configure WebLogic Server and OSB to authorize a user based on the certificate that he supplies me.
    So, there are lots of clients with their certificates and based on those certificates I will allow or disallow the client to execute an operation.
    I have searched for it and found this - http://biemond.blogspot.com/2009/06/ws-security-in-osb.html but it is not working as expected.
    And this post seems to be just about specifying policy and WS-Security.
    My problem is:
    1 - How to configure, maybe parsing the CN of a certificate, my domain to authorize a client when it presents its certificate;
    2 - How to configure the OSB Proxy Service to support this authorization.
    Thanks a lot

    There are some very good links at:
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/index.html
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/providers.html
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/webservices/webservicesecurity/UseX509ForIdentity.html
    http://www.oracle.com/technology/pub/articles/damo-howto.html
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1213694
    This depends on what level of security you want for the proxy service. The choices are:
    If you want it to only be invoked by anyone who presents a client certificate that you trust ( you'll need 2-way SSL + Identity Assertion )
    Or
    If you want it to be only invoked by particular clients who present a certificate ( you'll need 2-way SSL, Identity Assertion and Credential Mapping )
    There is also the question of how your business service in OSB will connect to the endpoint ( 2-way SSL? particular user? )
    For both, you'll need to make changes in both the Weblogic admin console and in the OSB console. This presumes you already have 2-way SSL configured and working. I have the checkbox enabled for "Use Server Certs".
    For the Identity Assertion, create a new Authentication provider ( using DefaultIdentityAsserter ). Use the reorder button to move this above the existing DefaultIdentityAsserter. Edit your new Auth provider:
    Add X.509 to the Chosen selection on the Settings page
    On the Provider specific page, change the "Default User Name Mapper Attribute Type" to CN
    Select the checkbox for "Use Default User Name Mapper".
    Then you can create users within your security realm. The user name must match - exactly - the CN value of the certificate you want to allow to invoke your service.
    In your OSB proxy, change the HTTP Transport configuration to "HTTPS" and "Client Certificate"
    At this point, your proxy can be invoked by anyone who presents a client certificate that is mapped to a user in your WL security realm.
    For the Credential Mapping option, I've done the following in the WL console
    I've created a PKICredential Mapper Provider and PKICredential Mappings in the security realm.
    The Mapper provider needs these params:
    ( type "PKICredentialMapper", Keystore Mapper SUN,
    Keystore Type JKS, Keystore File name - full path to your identity keystore, Keystore Pass Phrase - keystore password for the identity keystore )
    The Mappings need these params which are specific to the endpoint you're going to invoke. So there could be more than one set. I created 2 mappings for each endpoint host, one for the "ALSBSystemGroup" group principal and one for the default "weblogic" user principal.
    On the "Create a New Security Credential Mapping" page, enter values for the protocol (https), remote host ( endpoint's host ) and remote port. I left the path and method blank.
    On the Create a New Security Credential Map Entry page, enter Credential Type = "Key Pair", Principal Name ( ALSBSystemGroup or weblogic), Principal Type ( Group or User), Action is blank, Keystore alias ( the identity keystore alias used in your SSL ), passphrase ( private key passphrase ).
    In the OSB console, you create a Security Key Provider and then assign that to your proxy
    New Project - Add Project - Service Key Provider. Fill in the name ( I used a combination of the SSL alias + the remote host so they are distinct )
    Then click the Browse button next to the Encryption key. This should display your Select An Alias popup; enter the same SSL private key passphrase as you used in the Credential Mapping
    Then you can save your proxy.
    If your business service needs to invoke the endpoint with 2-way SSL, change its Authentication to "Client Certificate"
    Edited by: user10939158 on Mar 2, 2010 10:17 AM
