
Wednesday, June 24, 2009

WS security in OSB

In OSB you can protect your WSDL-based proxy services with XML signature, XML encryption, authentication or your own custom WS-Policy. In this blog entry I will show you how to do this.
We start by adding a standard OSB WS-Policy. Open the WSDL of a proxy service and add, for example, the signing policy. The wsp:UsingPolicy element is always required; without it OSB does not detect the security policy you want.

<?xml version="1.0" encoding="UTF-8"?>
<definitions targetNamespace="http://saml.ws.whitehorses.nl/"
             name="HelloWorldService"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://saml.ws.whitehorses.nl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <!-- required: without wsp:UsingPolicy OSB ignores the policy references -->
  <wsp:UsingPolicy wsdl:Required="true" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"/>
  <types>
    <xsd:schema>
      <xsd:import namespace="http://saml.ws.whitehorses.nl/" schemaLocation="Helloworld.xsd"/>
    </xsd:schema>
  </types>
  <!-- the messages, portType, binding and service of the WSDL follow here -->

Add the signing policy to an operation, or put it in another part of the WSDL (see this URL for more information). In this case I use a wsp:Policy with a PolicyReference whose URI is policy:Sign.xml. If you want encryption, use policy:Encrypt.xml as the URI, or policy:Auth.xml for WS authentication. Of course you can combine policies.

<binding name="HelloWorldServiceSoapHttpPortBinding" type="tns:HelloWorldService">
  <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
  <operation name="sayHello">
    <wsp:Policy>
      <wsp:PolicyReference URI="policy:Sign.xml"/>
    </wsp:Policy>
    <!-- soap:operation, input and output of the operation follow here -->
  </operation>
</binding>

You don't have to use the OSB standard policies; you can also add your own WS-Policy (in OSB 10.3 you can only use the policy definition of WLS 9, so don't expect to be able to make policies that use the 2005 or 2007 WS-Security standard). Here is an example of a custom policy.

<?xml version="1.0"?>
<wsp:Policy wsu:Id="X509v3"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <!-- the wsu:Id is what the PolicyReference URI in the WSDL points to (policy:X509v3) -->
  <sp:InitiatorToken>
    <wsp:Policy>
      <sp:X509Token
          sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:RequireThumbprintReference />
          <sp:WssX509V3Token10 />
        </wsp:Policy>
      </sp:X509Token>
    </wsp:Policy>
  </sp:InitiatorToken>
  <sp:RecipientToken>
    <wsp:Policy>
      <sp:X509Token
          sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
        <wsp:Policy>
          <sp:RequireThumbprintReference />
          <sp:WssX509V3Token10 />
        </wsp:Policy>
      </sp:X509Token>
    </wsp:Policy>
  </sp:RecipientToken>
  <sp:AlgorithmSuite>
    <wsp:Policy>
      <sp:TripleDesRsa15 />
    </wsp:Policy>
  </sp:AlgorithmSuite>
  <sp:Layout>
    <wsp:Policy>
      <sp:Strict />
    </wsp:Policy>
  </sp:Layout>
  <sp:IncludeTimestamp />
  <sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>

The value of the wsu:Id attribute is important: it is what the WS-Policy reference in the WSDL of the proxy service points to.

<binding name="HelloWorldServiceSoapHttpPortBinding" type="tns:HelloWorldService">
  <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
  <operation name="sayHello">
    <wsp:Policy>
      <wsp:PolicyReference URI="policy:X509v3"/>
    </wsp:Policy>
    <!-- soap:operation, input and output of the operation follow here -->
  </operation>
</binding>

In this case the URI has policy:X509v3 as its value.
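As an added example (not code from the original post, nor from OSB itself), here is a small Python check for the two things described above: that the proxy-service WSDL carries wsp:UsingPolicy, and that every wsp:PolicyReference URI resolves either to one of the standard OSB policies (policy:Sign.xml, policy:Encrypt.xml, policy:Auth.xml) or to the wsu:Id of a custom policy file. The WSDL and policy documents inside are constructed for the example; the standard policies are recognised by name only, the script does not load OSB's own policy files.

```python
"""Added example (not from the original post): check that a proxy-service WSDL
carries wsp:UsingPolicy and that every wsp:PolicyReference URI resolves to a
standard OSB policy or to the wsu:Id of a custom policy document."""
import xml.etree.ElementTree as ET

WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# The standard OSB policies named in the post (matched by name only).
STANDARD_POLICIES = {"policy:Sign.xml", "policy:Encrypt.xml", "policy:Auth.xml"}


def custom_policy_ids(policy_docs):
    """Collect every wsu:Id declared in the given custom policy documents."""
    ids = set()
    for doc in policy_docs:
        for elem in ET.fromstring(doc).iter():
            pid = elem.get("{%s}Id" % WSU_NS)
            if pid:
                ids.add(pid)
    return ids


def check_wsdl(wsdl_text, custom_policy_docs=()):
    """Return a list of problems found in the WSDL; an empty list means OK."""
    problems = []
    root = ET.fromstring(wsdl_text)
    # OSB only enforces the policy references when wsp:UsingPolicy is present
    # as a direct child of definitions.
    if root.find("{%s}UsingPolicy" % WSP_NS) is None:
        problems.append("missing wsp:UsingPolicy under definitions")
    known = {"policy:" + pid for pid in custom_policy_ids(custom_policy_docs)}
    refs = [ref.get("URI", "") for ref in root.iter("{%s}PolicyReference" % WSP_NS)]
    if not refs:
        problems.append("no wsp:PolicyReference found")
    for uri in refs:
        if uri not in STANDARD_POLICIES and uri not in known:
            problems.append("unresolved policy reference: %s" % uri)
    return problems


# --- constructed sample documents (modelled on the fragments in the post) ---
WSDL = """<definitions targetNamespace="http://saml.ws.whitehorses.nl/" name="HelloWorldService"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://saml.ws.whitehorses.nl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:UsingPolicy wsdl:Required="true" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"/>
  <binding name="HelloWorldServiceSoapHttpPortBinding" type="tns:HelloWorldService">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
    <operation name="sayHello">
      <wsp:Policy><wsp:PolicyReference URI="policy:Sign.xml"/></wsp:Policy>
      <wsp:Policy><wsp:PolicyReference URI="policy:X509v3"/></wsp:Policy>
    </operation>
  </binding>
</definitions>"""

# Same WSDL with the UsingPolicy marker left out: the mistake the post warns about.
WSDL_NO_USINGPOLICY = WSDL.replace(
    '<wsp:UsingPolicy wsdl:Required="true" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"/>', "")

CUSTOM_POLICY = """<wsp:Policy wsu:Id="X509v3"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:IncludeTimestamp/>
</wsp:Policy>"""

if __name__ == "__main__":
    for label, doc in (("WSDL with UsingPolicy", WSDL), ("WSDL without UsingPolicy", WSDL_NO_USINGPOLICY)):
        print(label, "->", check_wsdl(doc, [CUSTOM_POLICY]) or "OK")
    print("custom policy only, no policy file given ->", check_wsdl(WSDL))
```

Feed it the exported WSDL of your proxy service and the custom policy files you uploaded as WS-Policy resources; an unresolved policy:... reference or a missing UsingPolicy is the usual reason the policy silently does nothing.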

The next step is to make keystores for WebLogic and OSB. We need to create X.509 v3 certificates and import them into a Java 1.6 keystore for signing and encryption.
We need X.509 version 3 certificates because we need the SubjectKeyIdentifier extension. This is only supported in version 3 of X.509, and only OpenSSL can generate these certificates.

You can use self-signed v3 certificates; for more info see Glen Mazza's weblog. I'll use a CA.
# first make a CA key (you are prompted for a pass phrase); random is an optional seed file
C:\tools\OpenSSL\bin\openssl genrsa -des3 -out C:\projecten\certs2\ca.key -rand random 4096
# self sign our CA certificate
C:\tools\OpenSSL\bin\openssl req -new -x509 -days 3650 -config C:\projecten\certs2\ca.conf -key C:\projecten\certs2\ca.key -out C:\projecten\certs2\ca.crt

# make a serial.txt file in C:\projecten\certs2\ and put 01 in this file

# make an empty index.txt file in C:\projecten\certs2\

Download the ca.conf, which is used to sign the certificates.


# generate a server key and request; use the server name with the domain name as common name (CN)
c:\tools\openssl\bin\openssl genrsa -des3 -out C:\projecten\certs2\server.key 4096
# the request reuses the 4096-bit key generated above (a -newkey/-keyout here would overwrite it)
c:\tools\openssl\bin\openssl req -new -key C:\projecten\certs2\server.key -out C:\projecten\certs2\server.csr -config C:\projecten\certs2\ca.conf


# sign the server request with your CA key
# ca.conf must define an x509_extensions section with subjectKeyIdentifier = hash, otherwise the signed certificate is not X.509 v3
c:\tools\openssl\bin\openssl ca -in C:\projecten\certs2\server.csr -out C:\projecten\certs2\server.pem -keyfile C:\projecten\certs2\ca.key -cert c:\projecten\certs2\ca.crt -config C:\projecten\certs2\ca.conf

# export server key and certificate to PKCS12; use welcome as export password, the keytool commands below pass it as -srcstorepass
c:\tools\openssl\bin\openssl pkcs12 -export -inkey C:\projecten\certs2\server.key -in C:\projecten\certs2\server.pem -out C:\projecten\certs2\server.p12 -name server


# import the PKCS12 into the Java keystore, export the certificate and check it (it must print Version: 3 and a SubjectKeyIdentifier extension)
C:\java\jdk160_05\bin\keytool -importkeystore -destkeystore C:\projecten\certs2\keystore.jks -deststorepass welcome -srckeystore C:\projecten\certs2\server.p12 -srcstorepass welcome -srcstoretype pkcs12
C:\java\jdk160_05\bin\keytool -list -keystore C:\projecten\certs2\keystore.jks -storepass welcome
C:\java\jdk160_05\bin\keytool -exportcert -alias server -storepass welcome -keystore C:\projecten\certs2\keystore.jks -file C:\projecten\certs2\server.cer
C:\java\jdk160_05\bin\keytool -printcert -file C:\projecten\certs2\server.cer


# generate a client key and request
c:\tools\openssl\bin\openssl genrsa -des3 -out C:\projecten\certs2\client.key 4096
c:\tools\openssl\bin\openssl req -new -key C:\projecten\certs2\client.key -out C:\projecten\certs2\client.csr -config C:\projecten\certs2\ca.conf


# sign the client request
c:\tools\openssl\bin\openssl ca -in C:\projecten\certs2\client.csr -out C:\projecten\certs2\client.pem -keyfile C:\projecten\certs2\ca.key -cert c:\projecten\certs2\ca.crt -config C:\projecten\certs2\ca.conf

# export client key and certificate to PKCS12 (export password welcome again)
c:\tools\openssl\bin\openssl pkcs12 -export -inkey C:\projecten\certs2\client.key -in C:\projecten\certs2\client.pem -out C:\projecten\certs2\client.p12 -name client


# import the client PKCS12 into the same keystore, export and check its certificate
C:\java\jdk160_05\bin\keytool -importkeystore -destkeystore C:\projecten\certs2\keystore.jks -deststorepass welcome -srckeystore C:\projecten\certs2\client.p12 -srcstorepass welcome -srcstoretype pkcs12
C:\java\jdk160_05\bin\keytool -list -keystore C:\projecten\certs2\keystore.jks -storepass welcome
C:\java\jdk160_05\bin\keytool -exportcert -alias client -storepass welcome -keystore C:\projecten\certs2\keystore.jks -file C:\projecten\certs2\client.cer
C:\java\jdk160_05\bin\keytool -printcert -file C:\projecten\certs2\client.cer

# make a truststore with the CA and the public certificates (no private keys go in here)
C:\java\jdk160_05\bin\keytool -import -file c:\projecten\certs2\ca.crt -alias ca -trustcacerts -keystore C:\projecten\certs2\trust.jks -storepass welcome -keypass welcome
C:\java\jdk160_05\bin\keytool -import -file C:\projecten\certs2\client.cer -alias client -keystore C:\projecten\certs2\trust.jks -storepass welcome -keypass welcome
C:\java\jdk160_05\bin\keytool -import -file C:\projecten\certs2\server.cer -alias server -keystore C:\projecten\certs2\trust.jks -storepass welcome -keypass welcome
C:\java\jdk160_05\bin\keytool -list -keystore C:\projecten\certs2\trust.jks -storepass welcome
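As an added example (not part of the original post), here is a Python check of the property this whole certificate procedure depends on: that the certificates you end up with are X.509 version 3, carry the SubjectKeyIdentifier extension and were issued by your CA. It parses the text that `openssl x509 -in server.pem -text -noout` prints; the two certificate dumps inside are constructed for the example (a good v3 server certificate and a v1 certificate without extensions), and the CA subject is an assumed value. With OpenSSL the extension comes from a `subjectKeyIdentifier = hash` line in the extensions section that ca.conf points to, so when this check fails the place to look is the config, not keytool.

```python
"""Added example (not from the original post): check that a certificate is
X.509 v3, carries a SubjectKeyIdentifier extension and was issued by the
expected CA, by parsing the output of 'openssl x509 -text -noout'."""
import re

CA_SUBJECT = "C=NL, O=Whitehorses, CN=Whitehorses CA"   # assumed CA subject for the example


def parse_cert_text(text):
    """Parse the human-readable dump of 'openssl x509 -text' into a dict."""
    cert = {"version": None, "subject": None, "issuer": None,
            "extensions": {}, "critical": set()}
    in_ext = False      # inside the "X509v3 extensions:" block
    current = None      # name of the extension whose value lines we are reading
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if not stripped:
            continue
        m = re.match(r"Version:\s*(\d+)", stripped)
        if m and cert["version"] is None:
            cert["version"] = int(m.group(1))
        elif stripped.startswith("Issuer:"):
            cert["issuer"] = stripped[len("Issuer:"):].strip()
        elif stripped.startswith("Subject:"):          # not "Subject Public Key Info:"
            cert["subject"] = stripped[len("Subject:"):].strip()
        elif stripped == "X509v3 extensions:":
            in_ext, current = True, None
        elif in_ext:
            if indent <= 8:
                in_ext = False                         # back at the Data/Signature level
            elif indent <= 12:
                name, _, flag = stripped.partition(":")   # "Name:" or "Name: critical"
                current = name.strip()
                cert["extensions"][current] = ""
                if "critical" in flag:
                    cert["critical"].add(current)
            elif current is not None:                  # continuation line with the value
                joined = (cert["extensions"][current] + " " + stripped).strip()
                cert["extensions"][current] = joined
    return cert


def check_for_osb(cert, ca_subject):
    """Return the reasons this certificate will not work for OSB signing/encryption."""
    problems = []
    if cert["version"] != 3:
        problems.append("certificate is X.509 v%s, not v3" % cert["version"])
    if "X509v3 Subject Key Identifier" not in cert["extensions"]:
        problems.append("no SubjectKeyIdentifier extension")
    if cert["issuer"] != ca_subject:
        problems.append("issuer %r is not the CA %r" % (cert["issuer"], ca_subject))
    return problems


# --- constructed sample dumps in the layout of 'openssl x509 -text -noout' ---
GOOD_CERT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, O=Whitehorses, CN=Whitehorses CA
        Validity
            Not Before: Jun 24 10:00:00 2009 GMT
            Not After : Jun 22 10:00:00 2019 GMT
        Subject: C=NL, O=Whitehorses, CN=server.whitehorses.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:01:12:23:34
            X509v3 Authority Key Identifier:
                keyid:0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:00:11:22:33
    Signature Algorithm: sha1WithRSAEncryption
        0a:1b:2c
"""

# A v1 certificate (no extensions block at all): what you get when ca.conf has no x509_extensions.
OLD_CERT = """Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, O=Whitehorses, CN=Whitehorses CA
        Validity
            Not Before: Jun 24 10:00:00 2009 GMT
            Not After : Jun 22 10:00:00 2019 GMT
        Subject: C=NL, O=Whitehorses, CN=client.whitehorses.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
    Signature Algorithm: sha1WithRSAEncryption
        0a:1b:2c
"""

if __name__ == "__main__":
    for label, dump in (("server.pem (v3)", GOOD_CERT), ("old client cert (v1)", OLD_CERT)):
        print(label, "->", check_for_osb(parse_cert_text(dump), CA_SUBJECT) or "OK for OSB")
```

Run `openssl x509 -in C:\projecten\certs2\server.pem -text -noout` and pass its output to parse_cert_text; keytool -printcert shows the same version and extension information in a different layout, which this parser does not read.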

The next step is to configure WebLogic. First we add the new keystores, configure SSL and add a new PKI Credential Mapping provider. The PKI Credential Mapping provider is used by OSB for the XML signature and encryption; the trust keystore is used to check whether the signer certificate is trusted.
Go to the OSB server in the WLS console.
In the Keystores tab we add our keystores.

In the SSL tab we use the server certificate, which has the server plus domain name as common name, so Internet Explorer won't complain that the certificate and the server name do not match.


Select the myrealm security realm, where we add a new PKI Credential Mapping provider.

In the Providers tab we create a new PKI Credential Mapping provider.
Select the just created PKI Credential Mapping provider and fill in the values in the Provider Specific tab. Use the keystore here, not the trust keystore.

We are finished in the WebLogic console and can go to the OSB console, where we have to create a new Service Key Provider and configure the proxy service so it uses this provider.

Create a new Service Key Provider. This is how it looks in Workshop, but this does not work because Eclipse can't retrieve the certificates of the PKI Credential Mapping provider.

So we have to use the OSB console to add the right certificates for signing and encryption to the Service Key Provider.
Now we see the certificates of the WebLogic PKI Credential Mapping provider. If you don't see them, you are probably not using X.509 version 3 certificates.

The last step is to configure the proxy service. Here we have to disable XOP/MTOM support and select the Service Key Provider.


Now we can test the proxy service by invoking the web service and selecting the Service Key Provider.

With this as result:

And this is how the WSDL with signing looks:

That's all.


If you want to use OSB 10.3 security with SOA Suite 11g R1, then you should read this 11g documentation; it explains how to change the OSB encrypt and sign policies so they work with FMW 11g.

71 comments:

  1. Why must MTOM be disabled? Is this because you can't use MTOM and WS-Security with OSB? Or just because you aren't using MTOM in this example?

  2. Hi,
    for MTOM, reliable message policy is needed, somehow this conflicts with ws security.

    thanks

  3. Could you share your source code?
    Thanks,

  4. Here is the example test project

    http://www.sbsframes.nl/jdeveloper/security.zip

    thanks

  5. Hi ,

    DTD can be parsed in jdev 10g if how please let me know the steps..

    I am planning to implement a user/pass security to my OSB services which has the url with HTTPS
    PLEASE LET ME KNOW

    thanks

  6. Hi,

    I think you can use the auth policy. HTTPS is also default.

    thanks Edwin

  7. where to find that authorization policy

  8. Hi,

    use policy:Auth.xml for ws authentication and see this link http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html#wp1067934

    thanks Edwin

  9. Hi Edwin, how I configure only policy usernametoken, in the OSB Security ?

    But I get error because I don't have wssu:id, so I configure inside of my application and deploy in the WLS, but I get the error :

    Exception in thread "main" com.sun.xml.ws.server.UnsupportedMediaException: Unsupported Content-Type: text/html Supported ones are: [application/soap+xml]
    at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:291)
    at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:128)
    at com.sun.xml.ws.encoding.SOAPBindingCodec.decode(SOAPBindingCodec.java:287)

    What I do ?

  10. Hi,

    Did you make your own policy or used policy:Auth.xml.

    thanks Edwin

  11. Hi, I make my policy, Thanks. ¿Maybe do you know: when can I use TopLink Esentials and when can I use TopLink JPA ?

  12. I have to implement XML Digital signatures for my OSB process.Is certificates and XML digital signatures same.Please let me know it is very urgent thanks

  13. Hi,

    Yes, You can do xml signature with certificates. signature without certificates is not possible.

    thanks

  14. Hi Edwin, I have a Proxy and I can call of Java.
    But When I add the policie Auth then from jdeveloper11 a get error about JAX - WS styles policies no support Weblogic 9.x. Also when I executed the proxy from OSB I get the error: BEA-380001. I hope that you help me.

  15. Hi,

    You have to make your own policy file and add them to OSB proxy wsdl.
    And this must be compatible in OSB and in OWSM 11g

    This blog can help you.

    http://fusionsecurity.blogspot.com/

    thanks Edwin

  16. Thank you Edwin
    Maybe do you know where I found the WS-Policy 2007-Https-UsernameToken-Plain.xml o only http for add in the proxy, because my webservice have this policy

    Thank
    Jose Luis

  17. Hi,

    you can find them here MiddlewareJdev11gR1PS1\oracle_common\modules\oracle.webservices_11.1.1

    and the jar is called wsclient.jar

    thanks

  18. Sorry

    this is the right path \oracle_common\modules\oracle.wsm.policies_11.1.1

    and jar wsm-seed-policies.jar

    thanks

  19. Here is some extra info in the Oracle documentation owsm 10/11 -> osb 10 -> owsm 10 / 11

    http://download.oracle.com/docs/cd/E15523_01/web.1111/e16098/interop_osb.htm#BABJDGJJ

  20. Hi Edwin thank you for you answer.
    this wsm-seed-policies.jar has the files and are not xml, maybe I put xml extension for the policy and Can I add as WS-Policy inside OSB?

    Thanks
    Jose Luis

  21. Hi,

    be careful, not everything is possible

    please read this

    As a general rule, Oracle Service Bus does not support WS-Security Policy (WSSP) 1.2 assertions. The exception to this rule is the WS transport.


    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html#wp1067934

    and

    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/message_level.html

  22. Hi Mr. Biemond, thanks for the useful post. The only thing I'm having trouble is about the step to configure the Encryption Key in the Service Key Provider Configuration in OSB. My clients are going to send SOAP requests with their X.509 certificate included (and so their public key). So the encryption key will be potentialy different for every request, so I doesn't make sense to hard code a single encryption key in the configuration, so how should I configure this? Hope I've could be clear !
    Thanks

  23. Hi,

    I know what you mean, I do the same but then with smime. I made a custom application which has its own keystore mechanism and I use the bouncycastle framework for decrypting and encrypting.

    Don't know if that is possible with oracle soa products. OSB should check the new public key and update the keystore.

    thanks

  24. I need to consume an HTTPS web service self signed ¿how do I do? I have the file .cert and .key

  25. Hi,

    You must check which keystores you are using on the soa server. check in the wls console , go to servers.

    and import this key in the keystore or truststore.

    here are the default passwords for the default keystores


    Trust store DemoTrust.jks
    Trust store password DemoTrustKeyStorePassPhrase

    Key store DemoIdentity.jks
    Key store password DemoIdentityKeyStorePassPhrase

    Private key password DemoIdentityPassPhrase

    thanks

  26. Hi

    I was trying to add oracle predefined Auth.xml to Proxy but I'm getting the following error


    NotUnderstood qname="wsse:Security" xmlns="http://www.w3.org/2003/05/soap-envelope"
    env:Header

    Value>env:MustUnderstand

    Reason xmlns="http://www.w3.org/2003/05/soap-envelope">

    One or more mandatory SOAP header blocks not understood



    Do I have to configure private keys and keystores even if I'm using auth.xml?

    thanks
    Vick

  27. Hi Edwin,

    I am a beginner with OSB. Apologies if I sound dumb.

    I want to use MTOM streaming with my webservice deployed in weblogic and will be standing up OSB proxy and business service infront.

    Can I use basic authentication with MTOM streaming and partial parsing with OSB ?

  28. Hi Edwin
    I'm new to OSB and want to configure HTTPS inbound security for a ProxyService i.e. Two-way SSL, CLIENT CERT authentication. I have followed the steps from Oracle doc

    http://download.oracle.com/docs/html/E15866_01/transport_level.htm#i1066908 but I'm not able to map client CN to username and always getting 401.
    Is two-way SSL possible in OSB only Transport layer security ?

    Any help is appreciated

    Thanks
    KR

  29. Hi,

    Yes it is possible two way ssl in OSB.
    Did you allow cn common name on the default authentication provider of the myrealm security provider.

    thanks

  30. Hi Edwin, does this process (the steps you have mentioned), encrypt the message WHILE sending the message to the back end service? I mean, in my case, the request coming in to my proxy service would be a simple soap message without any security on it, and we need to encrypt it before sending to the backend service.

  31. Hi,

    you can add the security on the business service. And when you use OWSM then you can select the right OWSM client policy which matches with the backend ws security

    thanks

  32. Hi Biemond,

    Regarding your first line of command using the open SSL tool

    "C:\projecten\certs2\ca.key"

    where exactly can i get this key?

    Thanks!

  33. Hi,

    You will generate a new key and it's stored in ca.key. So it doesn't exist yet.

    Thanks Edwin

  34. Hi Edwin,
    I am getting the following error when I am trying to execute this command:

    # export server
    c:\tools\openssl\bin\openssl pkcs12 -export -inkey C:\projecten\certs2\server.key -in C:\projecten\certs2\server.pem -out C:\projecten\certs2\server.p12 -name server


    4768:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc failure:./crypto/asn1/asn1_lib.c:381:
    4768:error:0B08A041:x509 certificate routines:X509_ATTRIBUTE_set1_data:malloc failure:./crypto/x509/x509_att.c:317:
    error in pkcs12

    Could you please help me on that? Thanks!

  35. Hi Edwin, got the answer for my previous question. that was happening due to some bug in the openssl tool. previous or latest versions work.

  36. Hi Edwin,

    Thanks for the directions, would have saved me a lot of hassle the last 3 weeks. I've got an OSB 11g Proxy service running with the built-in Auth.xml and Sign.xml, but need to add SAML with X509. I believe I can't use OWSM because it needs a heavy duty DB like Oracle's, so I'm trying to create a custom policy. In fact, I thought I would grab a policy out of weblogic.jar, but the ones I've tried have generated complaints in Eclipse that WSSP 1.2 message level security isn't supported in OSB. What's my best route? Is it dumb to try this without OWSM? Why can WLS support WSSP 1.2 but not OSB? Also FYI, I think I was able to generate the v3 certs using the JRockit keytool, and configured the keystore in Eclipse OEPE so I can create Service Key Providers. I assume you were referring to some older products, like Workshop maybe? Or have I just not seen the ill effects yet? Thanks again for the helpful post and for any help you can provide!

  37. Hi,

    just use OWSM, the database will only be used to store the policies. You only need to install a weblogic mds schema.

    you can use sqlserver or install the oracle xe database which is free and light.

    the weblogic 9 policies won't be supported in the next release. OWSM has the future and support.

    thanks

  38. (SPLIT JOIN PATTERN)
    Hello sir,
    Actually i have an xsd with account as complex type and account number and account name as child nodes. I have written a java program that takes these two as inputs (account name and account number) and concats the two, the concatenated form output is nothing but an account creation.
    So, in a split join pattern i will be calling this java program as business service in parallel and three accounts shall be created at a shot. So, three concatenated accounts, and finally all three results will be concatenated. okay.. So can you suggest me how to accomplish this using split join..

  39. Hi,

    Please check my split join osb example, you can search on my blog. It contains a simple example

    Thanks

  40. hello Edwin Biemond. i am TSOGOO from Mongolia (asian country) and freshman on SOA suite. i'm researching osb webservice security (service account, service key provider, owsm policy, webservice authentication). please give me an advice !! and tested following example : http://tim.blackamber.org.uk/?p=825 i can create adf datacontrol from webservice. how can i create adf data control from web service with owsm policy on jdev 11.1.1.5

  41. Hi,

    when you add a ws proxy client then it will be in one of the tabs. and it autodetects this.

    in a adf ws datacontrol you can add the policy in one of the datacontrol windows.

    thanks

  42. Hi Edwin,
    is it possible to use SOAPUI to test OSB Proxy service which has Encrypt.xml policy ?
    I can test it using Service bus test console, but i'm using SOAPUI ws-security feature, but i receive:


    "wsse:InvalidSecurity Couldn't validate encryption against any of the supported token types
    weblogic.xml.crypto.wss.WSSecurityException: Could not validate encryption against any of the supported token types"

  43. Hi Edwin!!

    Great post! Congratulations!

    Do you know if there is a way to create web services clients that works with Sign.xml (9.x policy)

    We are working in this at this moment and we are having a lot of problems with actual tools to do this.

    Thanks

  44. Hi,

    Can you look at this blog.
    http://kingsfleet.blogspot.com/2009/01/security-policy-worked-example.html

    basically everything is there.

    thanks

  45. Hi Edwin

    I am trying with the OSB to invoke a webservice that have security with a digital signature, I am looking for this but I can`t find anything, can you help me with this.

    Thanks a lot!!!

    Replies
    1. Hi,

      check the ws security policies on the ws, is it only signing or also encryption. What is your client technology, java / osb something else.

      thanks

  46. Hi Edwin,

    OSB11g: We have imported "wss_http_token_service_policy" from OWSM and attached it to Service A via OSB console. However, i am unsure on how to configure the Access Control for Service A. We would like to perform authorization check on the HTTP Basic Authentication UserID that was sent.

    I tried configuring Authorization via:
    Security tab -> Access Control -> Transport Access Control: add existing userId.
    Error Encountered:
    •[OSB Security - OWSM:387196]The service has both OWSM Transport Policy 'oracle/wss_http_token_service_policy' and transport level access controls. This combination is not supported. If OWSM Transport Policy is used, OWSM authorization policy should be used. Solution: Either remove OWSM Transport Policy and replace that intent by configuring authentication directly on the transport OR remove transport ACLs from the Security page and replace them with OWSM Authorization Policy.

    How do we maintain to use OWSM to import "wss_http_token_service_policy" and use the http authentication credentials to perform authorization as well?

    Many thanks in advance.

    KJ

    Replies
    1. Hi,

      You can't do both and OWSM is the way to go. There is an OWSM policy which can check if the user has a particular role, don't know which one it is. This is the one you should use. I think you should copy this policy and add the required role value.

      Good luck

  47. Hello Biemond,

    There is any way to sign the body instead of the header?
    I mean if I can write down on the body for each part I need to sign.

    Thanks in advance.

    Replies
    1. Hi,

      the signing is always over the body contents ( to detect changes ) and a token is added to the soap header. The encryption policy encrypts the body. but you can say which parts should be encrypted or signed ( define this in the wsdl ).

      thanks

  48. Hi Edwin,
    We are using OSB and would like to know if RSA-SHA256 and RSA-SHA512 could be supported as WS-Policy and also if it could be achieved with OWSM or without OWSM.

    Thanks a lot for your help.
    Merry Christmas

    Replies
    1. Hi,

      I know RSA-SHA256 is possible with OWSM but don't know about sha512 and with the default weblogic security policies.

      thanks

  49. hi

    i have added a custom an existing WS Policy Sign.xml in my proxy. but when i am testing i can see that the request document has two soap envelopes of the input message. in the response document i can see that there are two soap envelopes. the first is a successful response, but the second fails. "weblogic.xml.dom.marshal.MarshalException: weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate"

    I'm not sure why two request envelopes are being sent.

    thanks

  50. Hi, I've a external web service from PGW System using SPML approach, that requires a xml signature look like apache santuario, can I use custom owsm, to do this sign?

    Replies
    1. Hi,

      I don't know Apache santuario but I think you can change an existing OWSM policy

      Thanks

  51. Hi Edwin,

    I have configured osb to use client certificates correctly and everything works fine thanks to your post! :D
    Do you know how i can get the CN of the certificate that is used to call the proxy service because i want to add it with transformation and then call the BS??

    Replies
    1. Hi,

      Don't know exactly but can you check the soap header / transport options in the proxy service.

      I think it should be there .

      thanks

  52. Hi Biemond,

    I have requirement to encrypt part of data logged into server log file. Do you have any pointers.

    This has to be used for SOA and OSB both.

    BR!

    Replies
    1. Hi,

      I don't think this is possible in the 11g versions. I saw something like this in soa suite 12c beta

      Thanks

  53. I have a Base64 encoded string from Provider and need to encrypt the data using that key and sign the message body which in JSON format. Is that something I can do without much customization in OSB or I need to write custom java code.

    Replies
    1. Hi,

      I think you got two options, make a custom OWSM policy or do it all in an OSB java callout.

      Thanks

  54. Hi

    '500 Internal Server Error' Reported for SOA for a particular web service

  55. Hi Edwin,

    I am new to osb and i want to achieve the below functionality:

    • Use 2-way SSL authentication for accessing another secured service from OSB
    • Use HTTP basic authentication for accessing a secured service from OSB

    Could you please help me in this. I need some material to start.

    Thanks in Advance

  56. Hello Biemond,

    Excellent article so far I found in context of Securing web services with OSB.
    Another issue that I came across is that every example available on the web for OSB secured webservices, when it comes to consuming those services it's always importing some classes from weblogic jars such as SecurityPoliciesFeature or ClientConstants etc.

    My doubt is if i'm going to develop a service and secured using WS-Policy in OSB isn't it getting my service bounded to weblogic clients only? What if I need to develop a standalone java client which have no access to weblogic jar or let say a .net client in that case no possibility of weblogic jar to be placed in classpath.

    I request you to kindly provide some example of java client consuming the above service without making use of any weblogic specific classes such as ClientConstants.

  57. Hi I have one query on web security
    We have requirement of authenticating web service client. We have custom authentication provider that generates authentication token string which client pass to OSB server and OSB server has implemented security provider and validates this token string.
    for this purpose we created custom soap header and passing token string in header I would like to know is this a correct approach? Format looks like in soap request as below.


    MQkyCUg… base64binary string … euJSa


    We come to know that this is not as per security standards and so I was searching WS-Securtiy example that can support custom token for authentication but i did not found any. Our requirement is to authenticate client based on token string provided and we do not want to apply any message level encryption or signing.
    Can you please tell me is this possible to use WS-Security specification to create custom token like above security token and do not require additional signing or encryption requirement construct in soap request should look like as below


    [binary data for token]



    ValueType= typeA or TypeB we have two different types of security token string one is base64Binary and another is normal string so typeA has EncodingType as base64Binary and typeB has has EncodingType as String

    Or is there any other way of specifying custom token within WS-Security?

  58. Hi I have one query on web security
    We have requirement of authenticating web service client. We have custom authentication provider that generates authentication token string which client pass to OSB server and OSB server has implemented security provider and validates this token string.
    for this purpose we created custom soap header and passing token string in header I would like to know is this a correct approach? Format looks like in soap request as below.


    MQkyCUg… base64binary string … euJSa


    We come to know that this is not as per security standards and so I was searching WS-Securtiy example that can support custom token for authentication but i did not found any. Our requirement is to authenticate client based on token string provided and we do not want to apply any message level encryption or signing.
    Can you please tell me is this possible to use WS-Security specification to create custom token like above security token and do not require additional signing or encryption requirement construct in soap request should look like as below


    [binary data for token]



    ValueType= typeA or TypeB we have two different types of security token string one is base64Binary and another is normal string so typeA has EncodingType as base64Binary and typeB has has EncodingType as String

    Or is there any other way of specifying custom token within WS-Security?

  59. Hi Edwin,
    Is WLST script for security selection (OWSM policy from OWSM policy store option) available in OSB 12c? Does it need to be done manually only on each service or is it possible to do it using the scripts? We have wls policies attached to proxy services (in 11g), now want to make use of OWSM wss_username_token_service_policy (in 12c), have to do it for more than 100 proxies, so I believe there should be an option to perform it using scripts instead of making manual change. Please advise. Thanks a lot.

  60. Nice Information! I personally really appreciate your article. This is a great website. I will make sure that I stop back again!.

    RFID Access Control System

  61. I Have a quick question about the signatures. Is there a way in Proxy service where when a encrypted and signed message is received, we can find out which certificate was used to verify the signature and store that cert (say CN name) in a variable within in proxy without writing any custom code(java for example)? Thank you very much in advance!

    Thanks,
    Krish.

  62. I Have a quick question about the signatures. Is there a way in Proxy service where when a encrypted and signed message is received, we can find out which certificate was used to verify the signature and store that cert (say CN name) in a variable within in proxy without writing any custom code(java for example)? Thank you very much in advance!

    Thanks,
    Krish

  63. I Have a quick question about the signatures. Is there a way in Proxy service where when a encrypted and signed message is received, we can find out which certificate was used to verify the signature and store that cert (say CN name) in a variable within in proxy without writing any custom code(java for example)? Thank you very much in advance!

    Thanks,
    Krish.
