Using Identity Management for Securing Web Services

Similar Messages

• Best Practice for Securing Web Services in the BPEL Workflow

  What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
  They are all deployed on the same oracle application server.
  Defining agent for each?
  Gateway for all?
  BPEL security extension?
  The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
  Regards
  Farbod

  It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
  The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
  Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
  If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
  Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
  You can enforce rules at your network layer to allow access to the App server only from Gateway.
  When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
  The next BPEL developer in your project may not be aware of Security extensions
  Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
  Thanks
  Ram

• Session management for a web service

  I am building a web service where the user will need to login and the application will need to maintain a persistent session. I am using Apache Axis2 for client/server communication via SOAP/XML. What would the simplest and most common way of doing this? I know I could implement session management from scratch similarly to how a browser does it, using cookies, but I'd rather use standard Java libraries for this. Am I correct in assuming that even though I'm using Axis2, the solution doesn't really have anything to do with Axis2 since Axis2 is basically just a way for the client/server to send messages to each other?
  I've read a lot of information online about this, but there's so much information that it's hard to know where to start. Basically I'm just looking for someone to point me in the right direction on what classes to use and so on. I just need a simple username password authentication and session management system for a web service.

  Container Managed Authentication. Does everything you need.

• Users for secure web services

  Hello,
  if i define a secure web service, i also have to define one or more users which are allowed to access this web service. I only found instruction for defining such users on the application level. If i undeploy or redeploy the web service i lost this users.
  Is there any possibility to store users for an application permanently or to define allowed users during the deployment?

  Hello,
  I suppose that you are in OracleAS 10.1.3.x and you are using the WS-Security built in the product. If this is the case...
  The WS-Security handlers are based on the JAAS security model, this means that the security processing is based on the container security. The user credentials are not related to the WS application but how the J2EE application security provider has been configured.
  So by default you are using the FileBased Security provided that stores the data in the system-jazn-data.xml, but you can easily configure your application to use any other system to store user information such as a LDAP server for example.
  I am inviting you to take a look to the Security Provider documentation:
  - Introducing the OracleAS JAAS Provider and Security Providers
  Regards
  Tugdual Grall

• Can config wallet on cloud DB for security web service invoke ?

  Currently, I can invoke the security web service by APEX at my local DB env.
  based the apex_web_service API
  http://docs.oracle.com/cd/E37546_01/doc/doc.41/e28475/apex_web_service.htm#AEAPI537
  we need wallet to store the cert files.
  want to confirm that
  --> Can we config wallet to import cert files on cloud DB?
  Thanks
  Edited by: 985754 on Feb 6, 2013 2:17 AM

  Hello 985754,
  Unfortunately, you cannot import your own certificates into the wallet used by Application Express in the Database Cloud Service. However, this wallet already contains many common CA certificates. Unless the web service you are consuming uses a self-signed certificate, chances are you will be able to use this functionality in the Cloud.
  -- Vlad

• Using exsitingOracle infra to secure web services

  Our system currently uses an Oracle RDBMS for security - users and roles are defined
  within the database. We are now adding web services and EJBs using WLS 8.1. I'd
  like to leverage the existing security database by either having WLS use it directly
  or somehow intialize the necessary WLS security structures from the Oracle database.
  The idea is to not change the way security is handled now (and thereby not perturb
  legacy apps) but also not add additional administrative tasks such as defining
  users and roles to WLS. I've read almost all the security related documentation
  and theres so much there that one or both approaches seem feasible but I'm not
  sure. Is either or both approaches feasible and can someone layout the high-level
  steps needed?
  Thanks in advance,
  Jack

  See:
  http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=9930&utag=
  Jack Ottofaro wrote:
  >
  Our system currently uses an Oracle RDBMS for security - users and roles are defined
  within the database. We are now adding web services and EJBs using WLS 8.1. I'd
  like to leverage the existing security database by either having WLS use it directly
  or somehow intialize the necessary WLS security structures from the Oracle database.
  The idea is to not change the way security is handled now (and thereby not perturb
  legacy apps) but also not add additional administrative tasks such as defining
  users and roles to WLS. I've read almost all the security related documentation
  and theres so much there that one or both approaches seem feasible but I'm not
  sure. Is either or both approaches feasible and can someone layout the high-level
  steps needed?
  Thanks in advance,
  Jack

• Confirming method to secure web services through oracle web service manager

  Hi All,
  I am just wondering about the method to secure web service through oracle web service manager.
  I have a unsecure web service "helloworld" which is deployed on JWSDP1.6 toolkit.I want to secure it through oracle web service manager.
  Inorder to secure this unsecure web service,I use gateway(web service manager for securing web service using message level security through certificate).
  So when client want to access the helloworld service,it contacts the gateway securely and gateway intern connect to original web service after decrypting and verification of the signature.When gateway gets response from the web service,it signs the response message and then encrypt and passs on to the client.
  So my question is,is it the right way to secure web service?
  As I am getting the following fault exception :
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
  <faultcode "http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode>
  <faultstring>Step execution failed with an exception
  </faultstring>
  <detail></detail>
  </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  I checked the log at :
  C:\coresv_install_home\external\oc4j-10.1.2.0.0\j2ee\home\log\http-web-access
  but there is no helpful information available.Thanks for any help.
  Kash

  Hi Rajesh,
  Thanks for your reply.I am using the following policy steps:
  1)for Request (Decrypt and Verify signature).
  2)for Response(Sign Message and Encrypt).
  The configuration for Request is shown below:
  Pipeline "Request"
  Pipeline Steps:
  Start Pipeline
  Log
  Decrypt and Verify Signature
  Basic Properties Type Default Value
  Enabled (*) boolean true true
  XML Decryption Properties Type Default Value
  Decryptor''s keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
  Decrypt Keystore Type (*) string jks jks
  Decryptor''s keystore password string *******
  Decryptor''s private-key alias (*) string s1as
  Decryptor''s private-key password string *******
  Enforce Encryption (*) boolean true true
  XML Signature Verification Properties Type Default Value
  Verifying Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
  Verifying Keystore type (*) string jks jks
  Verifying Keystore password string *******
  Signer''s public-key alias (*) string xws-security-client
  Enforce Signing (*) boolean true true
  End Pipeline
  And the configuration for Response is shown below:
  Pipeline "Response"
  Pipeline Steps:
  Start Pipeline
  Log
  Sign Message and Encrypt
  Basic Properties Type Default Value
  Enabled (*) boolean true true
  Signing Properties Type Default Value
  Signing Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
  Signing Keystore Type (*) string jks jks
  Signing Keystore password string *******
  Signer''s private-key alias (*) string s1as
  Signer''s private-key password string *******
  Signed Content (*) string BODY BODY
  Sign XPATH Expression string
  Sign XML Namespace string[]
  Encryption Properties Type Default Value
  Encryption Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
  Encrypt Keystore Type (*) string jks jks
  Encryption Keystore password string *******
  Decryptor''s public-key alias (*) string xws-security-client
  Encrypted Content (*) string BODY BODY
  Encrypt XPATH Expression string
  Encrypt XML Namespace string[]
  End Pipeline
  I checked the log again but nothing useful there,it is just giving the following values:
  2006-08-14 16:32:50,372 INFO [Thread-21] mstore.OLiteMStore - SELECT MEASUREMENT_STR FROM MEASUREMENT_PERSISTED_STORE WHERE ID=? FOR UPDATE
  2006-08-14 16:34:50,364 INFO [Thread-16] mstore.OLiteMStore - INSERT INTO MEASUREMENT_PERSISTED_STORE (ID,DEF_ID,CONTEXT_ID,PARENT_CONTEXT_ID,TIME,STORETIME,KEY0,KEY1,KEY2,KEY3,KEY4,KEY5,KEY6,KEY7,KEY8,KEY9,KEY10,KEY11,KEY12,KEY13,KEY14,KEY15,KEY16,KEY17,KEY18,KEY19,KEY20,KEY21,KEY22,KEY23,KEY24,KEY25,KEY26,KEY27,KEY28,KEY29,KEY30,KEY31,KEY32,KEY33,KEY34,KEY35,KEY36,KEY37,KEY38,KEY39,DBM0,MEASUREMENT_STR) VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,'R',empty_clob())
  2006-08-14 16:34:50,364 INFO [Thread-16] mstore.OLiteMStore - SELECT MEASUREMENT_STR FROM MEASUREMENT_PERSISTED_STORE WHERE ID=? FOR UPDATE
  Any help would be appreciated.Thanks.
  Kash

• Securing Web Services

  I am hoping others in this forum will share their experiences involving securing web services. What I would like to know is your thoughts on industry best practices for securing web services.
  I have been asked to look at the different industry approaches. From what I have read SUN, the simplest approach may be using WS-Security standard. This uses XML Signatures and XML encryption and can be placed in the header portion of the SOAP message. On the other hand, the most complicated is using an LDAP server for single sign.
  What is our driving forces is the least amount of effort is the best solution as long as security is not compromised.
  Thanks in advance for all your comments.

  The first thing you need to do is understand what your requirements are. The solution needs to match your requirements.
  You need to distinguish authentication from authorization from data security and what your requirements are for each.
  You need to understand the administrative overhead and how you will manage sertificates or userid/passwords. This can oftentimes involve more work than the web service itself.
  Don't "overkill" the solution. For example, don't use message-level encryption when an SSL connection will suffice for data security.
  -- Frank
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
  http://searchwebservices.techtarget.com/qna/0,289202,sid26_gci995388,00.html
  IBM: sg246891_WebSphere_Web_Services_Handbook_5_1_1.pdf

• Securing web services with Sun Access Manager

  Hi!
  I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
  What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
  I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
  I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
  My questions are:
  1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
  2) Are there any documentation/tutorials/etc?
  Thanks in advance :-)
  Anders

  what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
  the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
  So.. having said that. here's what I'd recommend.
  1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
  2. configure it to use your access manager instance for authentication.
  3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
  4. voila... your webservices are not "protected" by acces manager ;-)

• Nyone who had success using sign-encrypt policy(oracle web service manager)

  Hi All,
  I could not succeed in using sign Message and Encrypt and decrypt and verify signature policy using oracle web services manager.So I would be grateful if somebody who had success in using it would shed light on its use.
  Basically,I am using the following policy steps in securing a helloworld web service using gateway(oracle web services manager) :
  1)for Request (Decrypt and Verify signature).
  2)for Response(Sign Message and Encrypt).
  The configuration for Request is shown below:
  Pipeline "Request"
  Pipeline Steps:
  Start Pipeline
  Log
  Decrypt and Verify Signature
  Basic Properties Type Default Value
  Enabled (*) boolean true true
  XML Decryption Properties Type Default Value
  Decryptor''s keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
  Decrypt Keystore Type (*) string jks jks
  Decryptor''s keystore password string *******
  Decryptor''s private-key alias (*) string s1as
  Decryptor''s private-key password string *******
  Enforce Encryption (*) boolean true true
  XML Signature Verification Properties Type Default Value
  Verifying Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
  Verifying Keystore type (*) string jks jks
  Verifying Keystore password string *******
  Signer''s public-key alias (*) string xws-security-client
  Enforce Signing (*) boolean true true
  End Pipeline
  And the configuration for Response is shown below:
  Pipeline "Response"
  Pipeline Steps:
  Start Pipeline
  Log
  Sign Message and Encrypt
  Basic Properties Type Default Value
  Enabled (*) boolean true true
  Signing Properties Type Default Value
  Signing Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-keystore.jks
  Signing Keystore Type (*) string jks jks
  Signing Keystore password string *******
  Signer''s private-key alias (*) string s1as
  Signer''s private-key password string *******
  Signed Content (*) string BODY BODY
  Sign XPATH Expression string
  Sign XML Namespace string[]
  Encryption Properties Type Default Value
  Encryption Keystore location (*) string C:\Sun\jwsdp-2.0\xws-security\etc\server-truststore.jks
  Encrypt Keystore Type (*) string jks jks
  Encryption Keystore password string *******
  Decryptor''s public-key alias (*) string xws-security-client
  Encrypted Content (*) string BODY BODY
  Encrypt XPATH Expression string
  Encrypt XML Namespace string[]
  End Pipeline
  But I am getting the following fault exception while accessing this secure web service :
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
  <faultcode "http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode>
  <faultstring>Step execution failed with an exception
  </faultstring>
  <detail></detail>
  </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  I would appreciate your help.Thanks.
  Kash

  Hi clemens,
  Actually I installed OracleWebServices_Manager_4_0_3 and I see my installation directory does not contain any of the directory structure you mention.
  It installed oracle web services manager in the following location:
  C:\coresv_install_home
  and it contains the following subdirectories:
  1)bin
  2)config
  3)db
  4)ears
  5)external
  6)extlicences
  7)lib
  8)samples
  9)scripts
  10)wars
  So I like to ask did you install the same version of the oracle web services manager, if not which version you install in which security is working for you.Thanks for any help.
  Kash

• Trouble connecting to https secure web service using Adobe Livecycle Designer

  I am attempting to use Adobe Livecycle Designer ES2 to create a data connection in a Form to a secure (https) web service and I'm having some difficulty.
  I'm new to Livecycle and have tried searching online for an answer, but the help isn't very clear and the only tutorials online that I can find are ones that connect to non-https services.
  The WSDL I'm trying to connect to is: https://uk.ws.ondemand.qas.com/ProOnDemand/V3/ProOnDemandService.asmx?WSDL
  My questions are:
  Q1. Does Adobe Livecycle support https web service connections? The following link suggests that this isn't possible: http://books.google.co.uk/books?id=yOOcM3Bn4BAC&pg=PA179&lpg=PA179&dq=secure+web+service+w ith+adobe+livecycle&source=bl&ots=jm1GIZflOJ&sig=uLfv5Xda4eXXJl5o_7vBViwU-w0&hl=en&sa=X&ei =WLvIT5P4OujW0QWmv7nDAQ&ved=0CI4BEOgBMAk#v=onepage&q=secure%20web%20service%20with%20adobe %20livecycle&f=false
  Q2. I've managed to consume the WSDL but can only see the body of the XML request for a particular SOAP action. Where can I add the username/password credentials? I've selected "Requires Message-Level Authentication" during the new connection wizard, but it doesn't prompt me at all for these details.

  Hi,
  I tried using SOAP.Connect too..
  But I am facing the same problem.
  Any solution found yet?
  Rgerads, Amith

• Secured web service for secured AM method

  Hello,
  I need to invoke method of secured Application Module (jbo.security.enforce = Must) from secured web service.
  I have a simple java class with Configuration.createRootApplicationModule ... and a web service built for this java class.
  I found I have to authentificate users twice. First time when invoking web service (this is ok) and second time when creating application module instance.
  The problem is I can get name of user logged in web service but I cannot get his password. So I cannot login to application module with the same user.
  How can I force adf business components to use user authentificated in web service to use him/her as adf bc user?
  Rado

  Hi Mayank,
  Chapter 7, Custom Serialization of Java Value Types, of the Web services developer guide may be a good place to get started.
  All the best,
  -Eric

• Details for 'Is Web service security available?'

  Hi i am working on scenario rfc to webservice.Its as secued webserivce i need to do ssl configuration.
  In component monitoring..for the integration engine its in yellow...
  Details for 'Is Web service security available?'
  Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client)
  can any one please help me out..
  Thanks
  sriram

  I have already installed certificates on the j2ee engine & i have given the paramaters for keystore entry & keystore value.Still i have the same error
  In component monitoring
  For integration engine
  Details for 'Is Web service security available?'
  Communication error Proxy calls on the sender or receiver side are not permitted on the IS (client) 
  In message monitoring
  Audit Log for Message: f614df00-e9e0-11da-95ef-0004ac577b32
  Time Stamp Status Description
  2006-05-22 15:18:58 Success The message was successfully received by the messaging system. Profile: XI URL: http://saptst01:51000/MessagingSystem/receive/AFW/XI
  2006-05-22 15:18:58 Success Using connection AFW. Trying to put the message into the request queue.
  2006-05-22 15:18:58 Success Message successfully put into the queue.
  2006-05-22 15:18:58 Success The message was successfully retrieved from the request queue.
  2006-05-22 15:18:58 Success The message status set to DLNG.
  2006-05-22 15:18:58 Success Delivering to channel: ZCH_VERISIGNPPGR
  2006-05-22 15:18:58 Success SOAP: request message entering the adapter
  2006-05-22 15:18:58 Success SOAP: call failed
  2006-05-22 15:18:58 Error SOAP: error occured: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: illegal parameter
  2006-05-22 15:18:58 Error Exception caught by adapter framework: Peer sent alert: Alert Fatal: illegal parameter
  Can any one please help me out.
  Thanks
  sriram

• Identity Management for UNIX (aka Windows Services for Unix) Adding 2012 DC to a prep'd 2003 domain.

  We have been successfully using Windows Services for Unix on a 2003 domain for passwd and group maps.
  I prep'd the domain to allow a 2012 R2 server to be added and then added the IdMU role/feature on this new 2012R2 DC. Now the passwd map is still OK but the group map now shows full usernames rather than short names.
  i.e. what DID show with "ypcat group" as ...
  "infra-shared::65550:gfer,jhug,shig", now shows as
  "infra-shared::65550:Garry Ferguson,Jason Hughes,Steve Higgins"
  and so is not usable. I have had to revert to local /etc/group files on all our unix machines!!
  Help/comments would be really appreciated!
  Garry Ferguson

  Hi Gaz Ferg,
  SFU 3.5 is used to installed on windows 2003 and windows XP. SFU 3.5 cannot used on Windows 2012, that makes customer cannot user NFS and user name Mapping services on Windows
  2012.  From windows 2003 R2, NFS is a build-in component in OS, we need to add Roles/Features to use NFS.
  1. What is change in 2012R2
  IDMU component, which was used to authenticate Linux users has been removed. Now a Windows server cannot play role of NIS Master server. 
  Passwords cannot sync to the Unix Machines. Maps can not sync between Windows and Unix computers.
  2. What has not change in 2012R2
  Following methods to authenticate and map a Unix user to Window user are available:-
  Active Directory
  Active Directory Lightweight Directory Services (AD LDS)
  Username Mapping Protocol store (MS-UNMP
  Local passwd and group files
  Unmapped UNIX Username Access (UUUA) (applies to Server for NFS using AUTH_SYS only)
  You can find more information about this here –
  http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx
  http://blogs.msdn.com/b/shan/archive/2006/12/13/sfu-sua-idmu-fun-with-names.aspx
  More information:
  Install Identity Management for UNIX Components
  http://technet.microsoft.com/en-us/library/cc731178.aspx
  I’m glad to be of help to you!
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Pros & Cons for consuming web services in ABAP using ABAP PROXY

  Hi,
  Other then performence  is there any other disadvantages like security,etc for consuming web services in ABAP using ABAP proxy?
  I really appreciate if some one provide the more details(Pros & Cons ) regarding cosuming web services and I also want to know is there any other way to consume web services in ABAP.
  Thanks.

  <i> is there any other way to consume web services in ABAP</i>
  you can use cl_http_client class to make your program to act as http client and post the soap message too webservice. This way you dont need to generate proxy, but you should know the soap message format.
  Regards
  Raja