Users for secure web services

Similar Messages

• Best Practice for Securing Web Services in the BPEL Workflow

  What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
  They are all deployed on the same oracle application server.
  Defining agent for each?
  Gateway for all?
  BPEL security extension?
  The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
  Regards
  Farbod

  It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
  The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
  Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
  If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
  Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
  You can enforce rules at your network layer to allow access to the App server only from Gateway.
  When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
  The next BPEL developer in your project may not be aware of Security extensions
  Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
  Thanks
  Ram

• Using Identity Management for Securing Web Services

  My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
  (My identity management server and OID is up and running and I have successfully made authentication modules for other web applications)
  Here is what I did:
  1. I wrote a simple java file, used jdeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through OC4J web tools as security provider.
  2. I made a data control for the web service and put it in an ADF application . (client)
  3. I deployed the client project(2) to OC4J.
  I could use the web service through the page.
  Then
  I secured the webservice to expect SAML for authentication.
  Surprisingly, the client could still communicate with the webservice, Why? Shouldn't it have rejected the request because of the problem in SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens)
  4.
  I added login page to my client project (through ADF security wizard). It used idenity management for authentication successfully. login process completes and web service data control is displayed.
  5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
  I know I should add <property name="oracle.security.wss.propagate.identity" value ="true"/>
  to one of the configuration files, but don't know where exactly.
  Best Regards,
  Farbod

  It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
  The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
  Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
  If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
  Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
  You can enforce rules at your network layer to allow access to the App server only from Gateway.
  When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
  The next BPEL developer in your project may not be aware of Security extensions
  Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
  Thanks
  Ram

• Can config wallet on cloud DB for security web service invoke ?

  Currently, I can invoke the security web service by APEX at my local DB env.
  based the apex_web_service API
  http://docs.oracle.com/cd/E37546_01/doc/doc.41/e28475/apex_web_service.htm#AEAPI537
  we need wallet to store the cert files.
  want to confirm that
  --> Can we config wallet to import cert files on cloud DB?
  Thanks
  Edited by: 985754 on Feb 6, 2013 2:17 AM

  Hello 985754,
  Unfortunately, you cannot import your own certificates into the wallet used by Application Express in the Database Cloud Service. However, this wallet already contains many common CA certificates. Unless the web service you are consuming uses a self-signed certificate, chances are you will be able to use this functionality in the Cloud.
  -- Vlad

• Creation of LDAP User for Discoverer Web Services

  Hi all,
  this isn't a Discoverer issue per se, but I couldn't find where to post this in other forums.
  After installing the web services patch for Discoverer (5648158), I need to create a bipublisher user
  in OIDDAS right? However our installation seems a bit ***** up. So I need to do it from the command line.
  I found some instructions in: here
  and created the following bipublisher.ldif file:
  cn=bipublisher,cn=users,dc=company,dc=com
  objectclass=top
  objectclass=person
  objectclass=inetorgperson
  objectclass=organizationalperson
  objectclass=orcluser
  objectclass=orcluserv2
  objectclass=orclUserProvStatus
  givenname=Web
  userpassword=oracle123
  displayname=bipublisher
  orcldefaultprofilegroup=cn=sr_users ,cn=groups,dc=company,dc=com
  preferredlanguage=en-US
  sn=Services
  orcltimezone=Europe/Athens
  mail=[email protected]
  uid=bipublisher
  orclactivestartdate=20080612000000z
  cn=bipublisher
  orclisenabled=ENABLEDthen inserted the entry with:
  ldapadd -h my.host.com -D"cn=orcladmin" -w oracle123 -v -f bipublisher.ldif
  However when I try to login in the web services from Discoverer, I still get invalid credentials
  Any clues? Thanks
  PS I'm talking about the login web service method, not the basic web authentication. I am past that.
  Edited by: dvm on Mar 6, 2009 3:30 AM

  Nevermind, it seems the server was just a bit slow to take the new account under consideration.

• Confirming method to secure web services through oracle web service manager

  Hi All,
  I am just wondering about the method to secure web service through oracle web service manager.
  I have a unsecure web service "helloworld" which is deployed on JWSDP1.6 toolkit.I want to secure it through oracle web service manager.
  Inorder to secure this unsecure web service,I use gateway(web service manager for securing web service using message level security through certificate).
  So when client want to access the helloworld service,it contacts the gateway securely and gateway intern connect to original web service after decrypting and verification of the signature.When gateway gets response from the web service,it signs the response message and then encrypt and passs on to the client.
  So my question is,is it the right way to secure web service?
  As I am getting the following fault exception :
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
  <faultcode "http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode>
  <faultstring>Step execution failed with an exception
  </faultstring>
  <detail></detail>
  </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  I checked the log at :
  C:\coresv_install_home\external\oc4j-10.1.2.0.0\j2ee\home\log\http-web-access
  but there is no helpful information available.Thanks for any help.
  Kash

  Hi Rajesh,
  Thanks for your reply.I am using the following policy steps:
  1)for Request (Decrypt and Verify signature).
  2)for Response(Sign Message and Encrypt).
  The configuration for Request is shown below:
  Pipeline "Request"
  Pipeline Steps:
  Start Pipeline
  Log
  Decrypt and Verify Signature
  Basic Properties Type Default Value
  Enabled (*) boolean true true
  XML Decryption Properties Type Default Value
  Decryptor''s keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
  Decrypt Keystore Type (*) string jks jks
  Decryptor''s keystore password string *******
  Decryptor''s private-key alias (*) string s1as
  Decryptor''s private-key password string *******
  Enforce Encryption (*) boolean true true
  XML Signature Verification Properties Type Default Value
  Verifying Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
  Verifying Keystore type (*) string jks jks
  Verifying Keystore password string *******
  Signer''s public-key alias (*) string xws-security-client
  Enforce Signing (*) boolean true true
  End Pipeline
  And the configuration for Response is shown below:
  Pipeline "Response"
  Pipeline Steps:
  Start Pipeline
  Log
  Sign Message and Encrypt
  Basic Properties Type Default Value
  Enabled (*) boolean true true
  Signing Properties Type Default Value
  Signing Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
  Signing Keystore Type (*) string jks jks
  Signing Keystore password string *******
  Signer''s private-key alias (*) string s1as
  Signer''s private-key password string *******
  Signed Content (*) string BODY BODY
  Sign XPATH Expression string
  Sign XML Namespace string[]
  Encryption Properties Type Default Value
  Encryption Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
  Encrypt Keystore Type (*) string jks jks
  Encryption Keystore password string *******
  Decryptor''s public-key alias (*) string xws-security-client
  Encrypted Content (*) string BODY BODY
  Encrypt XPATH Expression string
  Encrypt XML Namespace string[]
  End Pipeline
  I checked the log again but nothing useful there,it is just giving the following values:
  2006-08-14 16:32:50,372 INFO [Thread-21] mstore.OLiteMStore - SELECT MEASUREMENT_STR FROM MEASUREMENT_PERSISTED_STORE WHERE ID=? FOR UPDATE
  2006-08-14 16:34:50,364 INFO [Thread-16] mstore.OLiteMStore - INSERT INTO MEASUREMENT_PERSISTED_STORE (ID,DEF_ID,CONTEXT_ID,PARENT_CONTEXT_ID,TIME,STORETIME,KEY0,KEY1,KEY2,KEY3,KEY4,KEY5,KEY6,KEY7,KEY8,KEY9,KEY10,KEY11,KEY12,KEY13,KEY14,KEY15,KEY16,KEY17,KEY18,KEY19,KEY20,KEY21,KEY22,KEY23,KEY24,KEY25,KEY26,KEY27,KEY28,KEY29,KEY30,KEY31,KEY32,KEY33,KEY34,KEY35,KEY36,KEY37,KEY38,KEY39,DBM0,MEASUREMENT_STR) VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,'R',empty_clob())
  2006-08-14 16:34:50,364 INFO [Thread-16] mstore.OLiteMStore - SELECT MEASUREMENT_STR FROM MEASUREMENT_PERSISTED_STORE WHERE ID=? FOR UPDATE
  Any help would be appreciated.Thanks.
  Kash

• Securing Web Services

  I am hoping others in this forum will share their experiences involving securing web services. What I would like to know is your thoughts on industry best practices for securing web services.
  I have been asked to look at the different industry approaches. From what I have read SUN, the simplest approach may be using WS-Security standard. This uses XML Signatures and XML encryption and can be placed in the header portion of the SOAP message. On the other hand, the most complicated is using an LDAP server for single sign.
  What is our driving forces is the least amount of effort is the best solution as long as security is not compromised.
  Thanks in advance for all your comments.

  The first thing you need to do is understand what your requirements are. The solution needs to match your requirements.
  You need to distinguish authentication from authorization from data security and what your requirements are for each.
  You need to understand the administrative overhead and how you will manage sertificates or userid/passwords. This can oftentimes involve more work than the web service itself.
  Don't "overkill" the solution. For example, don't use message-level encryption when an SSL connection will suffice for data security.
  -- Frank
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
  http://searchwebservices.techtarget.com/qna/0,289202,sid26_gci995388,00.html
  IBM: sg246891_WebSphere_Web_Services_Handbook_5_1_1.pdf

• Secured web service for secured AM method

  Hello,
  I need to invoke method of secured Application Module (jbo.security.enforce = Must) from secured web service.
  I have a simple java class with Configuration.createRootApplicationModule ... and a web service built for this java class.
  I found I have to authentificate users twice. First time when invoking web service (this is ok) and second time when creating application module instance.
  The problem is I can get name of user logged in web service but I cannot get his password. So I cannot login to application module with the same user.
  How can I force adf business components to use user authentificated in web service to use him/her as adf bc user?
  Rado

  Hi Mayank,
  Chapter 7, Custom Serialization of Java Value Types, of the Web services developer guide may be a good place to get started.
  All the best,
  -Eric

• Create a Secure Client for a Secure Web Service- is failing

  Hi,
  This is actually with reference to the webservice tutorial.I am trying the example on Create a Secure Client for a Secure Web Service and have followed all the steps mentioned,however I am getting the following error:
  D:\JDev11gTp\jdk\bin\javaw.exe -client -classpath D:\Jdev11gTpInstance\mywork\WebServiceApplications\.adf;D:\Jdev11gTpInstance\mywork\WebServiceApplications\WebServiceProjects\classes;D:\JDev11gTp\webservices\lib\jaxws-api.jar;D:\JDev11gTp\webservices\lib\jws-api.jar;D:\JDev11gTp\webservices\lib\orawsmetadata.jar;D:\JDev11gTp\webservices\lib\wsclient.jar;D:\JDev11gTp\j2ee\home\lib\activation.jar;D:\JDev11gTp\j2ee\home\lib\ejb.jar;D:\JDev11gTp\j2ee\home\lib\jms.jar;D:\JDev11gTp\j2ee\home\lib\jta.jar;D:\JDev11gTp\j2ee\home\lib\mail.jar;D:\JDev11gTp\j2ee\home\lib\servlet.jar;D:\JDev11gTp\webservices\lib\jaxrpc-api.jar;D:\JDev11gTp\webservices\lib\wsserver.jar;D:\JDev11gTp\webservices\lib\wssecurity.jar;D:\JDev11gTp\webservices\lib\wsdl.jar;D:\JDev11gTp\webservices\lib\orasaaj.jar;D:\JDev11gTp\webservices\lib\saaj-api.jar;D:\JDev11gTp\webservices\lib\orawsdl.jar;D:\JDev11gTp\webservices\lib\orawsrm.jar;D:\JDev11gTp\webservices\lib\orawsrel.jar;D:\JDev11gTp\webservices\lib\jaxr-api.jar;D:\JDev11gTp\webservices\lib\orajaxr.jar;D:\JDev11gTp\webservices\lib\relaxngDatatype.jar;D:\JDev11gTp\webservices\lib\xsdlib.jar;D:\JDev11gTp\webservices\lib\mdds.jar;D:\JDev11gTp\webservices\lib\wsif.jar;D:\JDev11gTp\webservices\lib\fabric-common.jar;D:\JDev11gTp\webservices\lib\fabric-interceptors.jar;D:\JDev11gTp\jlib\jaxen.jar;D:\JDev11gTp\jlib\oraclepki.jar;D:\JDev11gTp\jlib\ojpse.jar;D:\JDev11gTp\jlib\jsr106.jar;D:\JDev11gTp\jlib\jsr105.jar;D:\JDev11gTp\jlib\osdt_xmlsec_jce.jar;D:\JDev11gTp\jlib\osdt_wss_jce.jar;D:\JDev11gTp\jlib\osdt_saml_jce.jar;D:\JDev11gTp\jlib\osdt_saml2_jce.jar;D:\JDev11gTp\jlib\osdt_core.jar;D:\JDev11gTp\jlib\osdt_cert.jar;D:\JDev11gTp\jlib\osdt_xmlsec.jar;D:\JDev11gTp\jlib\osdt_wss.jar;D:\JDev11gTp\jlib\osdt_saml.jar;D:\JDev11gTp\jlib\osdt_saml2.jar;D:\JDev11gTp\jlib\ojmisc.jar;D:\JDev11gTp\j2ee\home\lib\http_client.jar;D:\JDev11gTp\j2ee\home\jazncore.jar;D:\JDev11gTp\j2ee\home\oc4jclient.jar;D:\JDev11gTp\rdbms\jlib\xdb.jar;D:\JDev11gTp\j2ee\home\lib\javax77.jar;D:\JDev11gTp\lib\java\api\jsr173_api.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb-impl.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb-xjc.jar;D:\JDev11gTp\lib\java\shared\sun.jaxb\2.0\jaxb1-impl.jar;D:\JDev11gTp\j2ee\home\lib\oc4j-schemas.jar;D:\JDev11gTp\jlib\ojdl.jar;D:\JDev11gTp\jlib\ojdl2.jar;D:\JDev11gTp\jlib\fmw_audit.jar;D:\JDev11gTp\j2ee\home\lib\jmxri.jar;D:\JDev11gTp\j2ee\home\lib\jmx_remote_api.jar;D:\JDev11gTp\j2ee\home\lib\adminclient.jar;D:\JDev11gTp\j2ee\home\lib\jmxframework.jar;D:\JDev11gTp\j2ee\home\lib\jmxspi.jar;D:\JDev11gTp\j2ee\home\lib\xmlcfg.jar;D:\JDev11gTp\jlib\dms.jar;D:\JDev11gTp\jlib\orai18n.jar;D:\JDev11gTp\j2ee\home\lib\commons-digester.jar;D:\JDev11gTp\j2ee\home\lib\spring.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-policy-core.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-pmclient.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-pap.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-agent.jar;D:\JDev11gTp\lib\java\shared\oracle.wsm\11.1.1.0\wsm-secpol.jar;D:\JDev11gTp\lib\java\shared\oracle.javatools\11.1.1.0.0\javamodel-rt.jar;D:\JDev11gTp\lib\java\shared\oracle.javatools\11.1.1.0.0\javatools-nodeps.jar;D:\JDev11gTp\lib\java\shared\oracle.toplink\11.1.1.0.0\toplink-sdo.jar;D:\JDev11gTp\lib\java\api\jaxb-api.jar;D:\JDev11gTp\lib\xmlparserv2.jar;D:\JDev11gTp\lib\xml.jar;D:\JDev11gTp\jakarta-taglibs\commons-logging-1.0.3\commons-logging.jar -Dhttp.proxyHost=localhost -Dhttp.proxyPort=8099 -Dhttp.nonProxyHosts= -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8099 -Dhttps.nonProxyHosts= HelloPolicyPortClient
  Feb 1, 2008 5:13:43 PM oracle.j2ee.ws.common.context.ContextInterceptor init
  INFO: Context provider properties file not found
  Feb 1, 2008 5:13:44 PM oracle.wsm.audit.Auditor <init>
  INFO: Created J2SE auditor for componentType=OWSM-AGENT busstop=D:\oracle\product\10.2.0\client_1\auditlogs\OWSM-AGENT filter=false auditor=oracle.security.audit.Auditor@143a083
  Feb 1, 2008 5:13:44 PM oracle.wsm.audit.Auditor <init>
  INFO: Created J2SE auditor for componentType=OWSM-PM-LIB busstop=D:\oracle\product\10.2.0\client_1\auditlogs\OWSM-PM-LIB filter=false auditor=oracle.security.audit.Auditor@15af049
  SEVERE: WSM-04514 An MDS error occurred.
  SEVERE: WSM-09012 No key, WSM-06002, was found in the resource bundle oracle.wsm.resources.policyvalidation.PolicyValidationMessageBundle.
  javax.xml.ws.WebServiceException: oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06002 PolicyReference Invalid policy reference
  at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:466)
  at oracle.j2ee.ws.client.jaxws.WsClientProxyInvocationHandler.invoke(WsClientProxyInvocationHandler.java:204)
  at $Proxy28.sayHello(Unknown Source)
  at HelloPolicyPortClient.main(HelloPolicyPortClient.java:35)
  Caused by: oracle.fabric.common.PolicyEnforcementException: PolicySet Invalid: WSM-06002 PolicyReference Invalid policy reference
  at oracle.integration.platform.common.InterceptorChainImpl.createPolicyEnforcementException(InterceptorChainImpl.java:217)
  at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:104)
  at oracle.j2ee.ws.client.mgmt.runtime.SuperClientInterceptorPipeline.handleRequest(SuperClientInterceptorPipeline.java:91)
  at oracle.j2ee.ws.client.jaxws.DispatchImpl.handleRequest(DispatchImpl.java:309)
  at oracle.j2ee.ws.client.jaxws.DispatchImpl.handleRequest(DispatchImpl.java:290)
  at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:444)
  ... 3 more
  Process exited with exit code 0.
  Can anyone please give any clue as to why this error is coming?
  Thanks.

  Hi
  Please refer to this thread
  Re: Can I create a login/password protection in Muse for a HTML5 page or two?

• Security exception while running the java client for a secured web service.

  hi,
  I created a proxy for a secured web service.
  When I run the client java program I am getting the following exception :
  java.io.IOException: could not load the default-keystore.jks file because The keystore file is tampered or password is incorrect.
  Its saying that password is invalid.
  Can you please help me on this thanks in advance.
  Regards,
  Chandra

  hi,
  I created a proxy for a secured web service.
  When I run the client java program I am getting the following exception :
  java.io.IOException: could not load the default-keystore.jks file because The keystore file is tampered or password is incorrect.
  Its saying that password is invalid.
  Can you please help me on this thanks in advance.
  Regards,
  Chandra

• Details for 'Is Web service security available?'

  Hi i am working on scenario rfc to webservice.Its as secued webserivce i need to do ssl configuration.
  In component monitoring..for the integration engine its in yellow...
  Details for 'Is Web service security available?'
  Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
  can any one please help me out..
  Thanks
  sriram

  I have already installed certificates on the j2ee engine & i have given the paramaters for keystore entry & keystore value.Still i have the same error
  In component monitoring
  For integration engine
  Details for 'Is Web service security available?'
  Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client) 
  In message monitoring
  Audit Log for Message: f614df00-e9e0-11da-95ef-0004ac577b32
  Time Stamp Status Description
  2006-05-22 15:18:58 Success The message was successfully received by the messaging system. Profile: XI URL: http://saptst01:51000/MessagingSystem/receive/AFW/XI
  2006-05-22 15:18:58 Success Using connection AFW. Trying to put the message into the request queue.
  2006-05-22 15:18:58 Success Message successfully put into the queue.
  2006-05-22 15:18:58 Success The message was successfully retrieved from the request queue.
  2006-05-22 15:18:58 Success The message status set to DLNG.
  2006-05-22 15:18:58 Success Delivering to channel: ZCH_VERISIGNPPGR
  2006-05-22 15:18:58 Success SOAP: request message entering the adapter
  2006-05-22 15:18:58 Success SOAP: call failed
  2006-05-22 15:18:58 Error SOAP: error occured: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: illegal parameter
  2006-05-22 15:18:58 Error Exception caught by adapter framework: Peer sent alert: Alert Fatal: illegal parameter
  Can any one please help me out.
  Thanks
  sriram

• Error while invoking a WS-Security secured web service from Oracle BPEL..

  Hi ,
  We are facing some error while invoking a WS-Security secured web service from our BPEL Process on the windows platform(SOA 10.1.3.3.0).
  For the BPEL process we are following the same steps as given in an AMIS blog : - [http://technology.amis.nl/blog/1607/how-to-call-a-ws-security-secured-web-service-from-oracle-bpel]
  but sttill,after deploying it and passing values in it,we are getting the following error on the console :-
  &ldquo;Header [http://schemas.xmlsoap.org/ws/2004/08/addressing:Action] for ultimate recipient is required but not present in the message&rdquo;
  Any pointers in this regard will be highly appreciated.
  Thanks,
  Saurabh

  Hi James,
  Thanks for the quick reply.
  We've tried to call that web service from an HTML designed in Visual Studios with the same username and password and its working fine.
  But on the BPEL console, we are getting the error as mentioned.
  Also if you can tell me how to set the user name and password in the header of the parter link.I could not find how to do it.
  Thanks,
  Saurabh

• How to call OWSM secured web-service from ADF application

  I have a OWSM secured web-service, which takes username/password.
  I want to invoke this webservice from ADF application. ADF application has its own security and it takes its own username/password. End user can't provide the username/password for web-service call. My ADF application should call the webservice and provide it appropriate username/password.
  What is the best practice to handle such scenario. I don't want to hardcode username/password in Java (ADF) code.
  Thanks
  Sanjeev.

  it is not clear to me if you are having problems with calling java code from OIM or if the problem is the web service API.
  Lets do some divide and conquer:
  Can you create a simple java class that just writes a couple of lines to the log? Please attach this code to the OIM task and make sure it runs.
  Once this works we can start looking at the web service call.
  Best regards
  /Martin

• Calling secured Web Service

  Hi,
  I am new in calling web service from PL/SQL block.
  From the code I'm successfully able to call non-secured webservice like this "http://www.ignyte.com/webservices/ignyte.whatsshowing.webservice/moviefunctions.asmx?wsdl"
  And also by setting the wallet I'm also able to call secured web service like this "https://www.docusign.net/api/3.0/Credential.asmx?WSDL" (ping method).
  For calling this secured service I stored certs with chain into the wallet and that works.
  But my problem is a different web service where that web service is authenticating me with my certificate. I have VeriSign certificate with private key and that web service has my public key. Whenever I will send SOAP request I need to send my certificate with the request. And communication will be over SSL.
  I have created a wallet with complete chain from the PFX file I received from VeriSign and Wallet is in Ready state, also I have included web service's certificate also.
  Whenever I am trying to make SOAP call I'm getting
  ORA-00600: internal error code, arguments: [kgazmo_1], [], [], [], [], [], [], []
  Please let me know where is the problem. May be I'm not able to send my certificate for authentication or may be I'm not able to establish SSL for communication from PL/SQL.
  I'm using 10.1.2 as database. I also have 10g AS installed, if that can help in achieving this.
  Code is as follows:
  FUNCTION CallWS
  RETURN xmltype
  AS
  l_request soap_api.t_request;
  l_response soap_api.t_response;
  l_url VARCHAR2(32767);
  l_namespace VARCHAR2(32767);
  l_method VARCHAR2(32767);
  l_soap_action VARCHAR2(32767);
  l_doc xmltype;
  BEGIN
  l_url := 'https://secured.webservice.com/WS/WebService.asmx';
  l_namespace := 'xmlns="https://secured.webservice.com/WS"';
  l_method := 'GetMe';
  l_soap_action := 'https://secured.webservice.com/WS/GetMe';
  utl_http.set_wallet('file:c:/wallets','pass123');
  l_request := soap_api.new_request(p_method => l_method,
  p_namespace => l_namespace);
  soap_api.add_parameter(p_request => l_request,
  p_name => 'param1',
  p_type => 'xsd:string',
  p_value => 'val1');
  soap_api.add_parameter(p_request => l_request,
  p_name => 'param2',
  p_type => 'xsd:string',
  p_value => 'val2');
  l_response := soap_api.invoke(p_request => l_request,
  p_url => l_url,
  p_action => l_soap_action );
  l_doc := l_response.doc;
  RETURN l_doc;
  END CallWS;
  You can find SOAP_API package here [SOAP_API|http://www.oracle-base.com/dba/miscellaneous/soap_api.sql] .
  Thanks in advance.
  -Smith

  Thanks again Billy,
  I have configured a wallet with all the necessary certificates. Actually I have purchased a VeriSign trusted certificate and convert that into Oracle Wallet (p12) using openssl with appropriate password. And I'm calling UTL_HTTP.set_wallet('<path_to_wallet>','<pass_to_open_it>');
  I have send my public key to them (web service company) and they need me to send my certificate with every request so that they can authenticate.
  You are saying we don't have to write any code for TLS/SSL UTL_HTTP will take care of that, thats really good.
  One more thing I want to mention here...
  In Internet Explorer - When I am importing my certificate without my private key and trying to access web service I'm getting 404 page not found error.
  But when I'm importing my certificate with the private key, I can see WSDL and all other methods offered by that web service.
  I'm guessing Oracle Wallet that I'm creating with my certificate will store private key also. B'coz it is showing me User Certificate in Ready state.
  ORA-00600 is not giving me proper location where I can find any error in my code.
  Thanks
  -Smith

• Failed Calling A X.509 Certificate Secured Web Service From OSB

  Hi,
  I have wsdl resource, business service and proxy service setup in OSB 11.1.1.6 on Linux. The business service will consume a X.509 certificate secured web service running on a remote server.
  Below is my approach:
  The consumer of the proxy service of OSB signs its saop request header.
  My OSB proxy service authenticates the signature and forward the request to business service.
  The business service signs the outbound soap request header. (To do this I configured the keystore in Security Provider Configuration of my SOA_domain in Enterprise Manager. Also I applied Web Service Policy of Service Client type to the business service.)
  This is not working yet. Not sure if my approach is correct or not?
  Thank you,
  Eric

  I validated the keystore, all the certificates used and the value for keystore.sig.csf.key / value for keystore.recipient.alias. They are all as expected. Restarted the server. Still failed for OSB to invoke the remote secured web service, but worked if only use soapUI to invoke the same remote secured web service directly.
  The error message is:
  General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
  In the soap request / reponse message shown in the OSB Test Console, there seems to be two signature sections in the header and encryption section although I tried not to encrypt the soap request. I am using Web Service Client Policy "calpers/wss11_x509_token_with_message_integrity_client_policy_osb" which was created based on "oracle/wss11_x509_token_with_message_protection_client_policy". The difference between the two policies is my policy not to sign nor to encrypt entire body.
  In the "Message Signing Setting" section, I unchecked the "Include Entire Body" and left the three default namespaces under the Header Elements.
  In the "Message Encrypt Setting" section, I unchecked the "Include Entire Body" and also left the one default namespace under the Header Elements.
  I don't know how to attach document here, so i add long saop message here.
       Business Service Testing - BookSec_Biz_Svc_52
       Request Document
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  </soap:Header>
  <soapenv:Body>
  <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
  <book:bookId>10</book:bookId>
  <book:bookTitle>eric</book:bookTitle>
  <book:bookAuthor>Z</book:bookAuthor>
  </book:BookRequest>
  </soapenv:Body>
  </soapenv:Envelope>
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsu:Timestamp wsu:Id="Timestamp-eEud1RcUOPcnV0fDqd6gZQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Created>2013-03-14T18:10:00Z</wsu:Created>
  <wsu:Expires>2013-03-14T18:15:00Z</wsu:Expires>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-VnzMtSwHMI8THKi2hhG2SQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  MIICazCCAdSgAwIBAgIEUTY65zANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwHhcNMTMwMzA1MTgzNTE5WhcNMTMwNjAzMTgzNTE5WjB6MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxEzARBgNVBAcTCk1ldHJvcG9saXMxFjAUBgNVBAoTDUp1c3RpY2UgTGVhZ2UxFjAUBgNVBAsTDUp1c3RpYyBMZWFndWUxEzARBgNVBAMTCkNsYXJrIEtlbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJhF0cMUwB/EjAyIOy9Cq8KCDqTXvlnlvMGq6LEhiGOtrATYy+JnHURcPUeusi65Ua3bE7JACWhHJ0fYEl7NtxPPSN3Q1RovkWGQ6I5O2XuEyMHg3MISh2CHhnkGSR+W6riDSUoB0ZC0KTgu14OTwqo54JSY/ugQszY7QC9DAuabAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAWeQ6LjMo12bY65GmnrmLdbRNm95RkL6gJCKa9pyUaMfvaIqKpmMQW8RM+eB90CR5DrM8oO2+8uKcqTt/pGNRYi2UJh2X0CdmyQQTmf3mCfgoZ597VTl+k3mKHKeeST7ZwAyBRL2jI0VisopFHpUhIwABoDgwOMpLcCF974AZ2rA=
  </wsse:BinarySecurityToken>
  *<dsig:Signature* Id="XSIG-oISn2AADumTdR86sONuz8g22" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
  <dsig:Reference URI="#Timestamp-eEud1RcUOPcnV0fDqd6gZQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>3LQ1IpQR3rKHvP6Ov/m9ZRoecZM=</dsig:DigestValue>
  </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>X2BUn9TLL26Ay9A3HGEn/mnGCCE=</dsig:SignatureValue>
  <dsig:KeyInfo>
  <wsse:SecurityTokenReference>
  <wsse:Reference URI="#EK-h7saqC1VyBKZw2n1IHz8GQ22" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  +*</dsig:Signature>*+
  *<dsig:Signature* xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <dsig:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>dau9qjB2lxIvlaoDIHuWVHqjulI=</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#STR-QC3ZDBRwsXv8unEWVns9rQ22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
  <wsse:TransformationParameters>
  <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </wsse:TransformationParameters>
  </dsig:Transform>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>nPO9mKSC9cMg2fEkGZI+ujy5O1Q=</dsig:DigestValue>
  </dsig:Reference>
  <dsig:Reference URI="#XSIG-oISn2AADumTdR86sONuz8g22">
  <dsig:Transforms>
  <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <dsig:DigestValue>qXkW/ZFFNc8Bu0VL9eF6c4np7IA=</dsig:DigestValue>
  </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>
  MuHCTh5cW8TiVKtkWFl+Of2EFAiHwuPTR7J9b4/n2KZtPy2OCrgi1lBpuzhFKLhoBxYNOK8TMOa/3b223Vv+CQUfUP7z0YVj5Ck7QETYngaQlS07KulnstJjsAgHBV8Zk3A0EafuWF2c3t5wBzEkgEC99v0EdY3mRiCzt7vh2qs=
  </dsig:SignatureValue>
  <dsig:KeyInfo Id="KeyInfo-0LT1QavoIVXOHesZfrxTwg22">
  <wsse:SecurityTokenReference>
  <wsse:Reference URI="#BST-VnzMtSwHMI8THKi2hhG2SQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  +*</dsig:Signature>*+
  *<xenc:EncryptedKey* Id="EK-h7saqC1VyBKZw2n1IHz8GQ22" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
  </xenc:EncryptionMethod>
  <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <wsse:SecurityTokenReference wsu:Id="STR-QC3ZDBRwsXv8unEWVns9rQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">q9Z9yPxvNw4CvSLQNI4rxVlSF+w=</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
  </dsig:KeyInfo>
  <xenc:CipherData>
  <xenc:CipherValue xmime:contentType="application/octet-stream" xmlns:xmime="http://www.w3.org/2005/05/xmlmime">
  Tgdhxy6wMJBBrw23iq1GLCm0TYKBXSVQvBcN+7TXdXL6FPSjhcbfXqtoz7wzirbSwUZuu+DrYuWs
  0BjRXqw3auUSCMlkm4IoT1ag3wFQQ/PEbB8HNlYhW3gp/At3toTw+k5p9wOUd4BMFAiXyeHQ8+dQ
  8JUiohXhiHErTDn6fFQ=
  </xenc:CipherValue>
  </xenc:CipherData>
  </xenc:EncryptedKey>
  </wsse:Security>
  </soap:Header>
  <soapenv:Body>
  <book:BookRequest xmlns:book="http://www.dortman.com/books/BookService">
  <book:bookId>10</book:bookId>
  <book:bookTitle>eric</book:bookTitle>
  <book:bookAuthor>Z</book:bookAuthor>
  </book:BookRequest>
  </soapenv:Body>
  </soapenv:Envelope>
       Response Document
  The invocation resulted in an error: Internal Server Error.
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
  <soapenv:Fault>
  <faultcode>soapenv:Client</faultcode>
  <faultstring xmlns:lang="en">
  General security error (WSSecurityEngine: No crypto property file supplied for decryption); nested exception is org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption) </faultstring>
  </soapenv:Fault>
  </soapenv:Body>
  </soapenv:Envelope>
       Response Metadata
  <con:metadata xmlns:con="http://www.bea.com/wli/sb/test/config">
  <tran:headers xsi:type="http:HttpResponseHeaders" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <tran:user-header name="Accept" value="text/xml"/>
  <tran:user-header name="Expires" value="Thu, 14 Mar 2013 18:10:01 GMT"/>
  <tran:user-header name="SOAPAction" value="&quot;&quot;"/>
  <http:Cache-Control>max-age=0</http:Cache-Control>
  <http:Connection>close</http:Connection>
  <http:Content-Type>text/xml; charset=UTF-8</http:Content-Type>
  <http:Date>Thu, 14 Mar 2013 18:10:01 GMT</http:Date>
  <http:Server>Apache</http:Server>
  <http:Transfer-Encoding>chunked</http:Transfer-Encoding>
  </tran:headers>
  <tran:response-code xmlns:tran="http://www.bea.com/wli/sb/transports">2</tran:response-code>
  <tran:response-message xmlns:tran="http://www.bea.com/wli/sb/transports">Internal Server Error</tran:response-message>
  <tran:encoding xmlns:tran="http://www.bea.com/wli/sb/transports">UTF-8</tran:encoding>
  <http:http-response-code xmlns:http="http://www.bea.com/wli/sb/transports/http">500</http:http-response-code>
  </con:metadata>