Oracle Service Bus – Lesson 5
Name – Rakesh Gujjarlapudi

Email Address – rakesh_gujj@yahoo.com


Leveraging Web Service Manager to Enforce Security Policy
1. Introduction

  Use Oracle Service Bus and SOA Composite to
  - Invoke a Proxy Service requiring User Name Token authentication from a SOA Composite
  - Propagate the identity of the authenticated user from Oracle Service Bus to the SOA Composite by
    specifying a SAML OWSM Policy

  Use OSB to mediate security so that UserNameToken is standardized as the corporate authentication
  protocol.

  The ValidateCredit Proxy Service on OSB will require UserNameToken-based authentication. The
  getCreditCardStatus reference in the POProcessing Composite will provide credentials
  (username/password) to authenticate itself with the ValidateCredit OSB Proxy Service. The identity of
  the user authenticated in OSB will be propagated to the credit validation service using SAML. For the
  purpose of this lab, the getStatusByCC exposed service in the validationForCC SOA Composite will
  require SAML.

  Once this chapter is complete, the execution flow will look as below




2. What is being done?

  This chapter is divided into two sections.

  - In the first section, you will add the User Name Token service OWSM Policy to secure the
    ValidateCredit Proxy Service. Next, you will add the User Name Token client OWSM policy to the
    getCreditCardStatus Reference in the POProcessing composite.

  - In the second section, you will protect the getStatusByCC service of the validationForCC SOA
    Composite with the SAML service OWSM Policy. You will then update the validationForCC
    Business Service in Oracle Service Bus with the SAML client OWSM Policy. With the SAML Policy
    applied on the Business Service, Oracle Service Bus will propagate the identity of the
    authenticated user to the SOA Composite.
3. Setup

  Before you proceed with the lab you must complete the following steps to set up OWSM and create the
  required user.

  Register the keystore using Enterprise Manager. This step is required so that the OSB test console or the
  SOA reference can use the OWSM csf-key to look up the username/password to send to the ValidateCredit
  Proxy Service secured with the UserNameToken OWSM policy.

  Set up the default keystore: copy the sample keystore file, default-keystore.jks, to the domain home's
  fmwconfig directory, /$mwhome/user_projects/domains/soa-osb/config/fmwconfig

  Navigate to EM
  Expand Weblogic Domain as shown below and click on soa_osb_domain Domain




  Expand Weblogic Domain, expand Security and click on Security Provider Configuration as shown below




  In the Security Provider Configuration, find Keystore under Web Services Manager Authentication
  Providers. Expand Keystore and Click Configure
Since you copied the default-keystore.jks file to the fmwconfig directory you don’t have to change the
Keystore Path.

Password: welcome1
Key Alias: orakey
Signature Password: welcome1
Crypt Alias: orakey
Crypt Password: welcome1

Click OK




Restart server

Create the user in WLS using the OSB console. The OSB Proxy Service will use the WLS Default Authenticator to
authenticate the username/password in the WS-Security SOAP headers received from the client. A
user created using the OSB console is available to the WLS Default Authenticator.

  - Click on Security Configuration
  - Click Add New




  - Add User Name: joe, Password: welcome1. Click Save




Add a csf-key for the user joe created above. This step is required so that the OSB test console/SOA reference
can look up the username/password using the csf-key.

  - In Enterprise Manager, select the soa_osb_domain Weblogic Domain. Expand Security and select
    Credentials as shown below.
  - Create a Map with the name oracle.wsm.security if it does not already exist. (Note:
    the name MUST match oracle.wsm.security, otherwise OWSM will NOT recognize it.)




  - Add a Key to the oracle.wsm.security Map.

          -   Map: oracle.wsm.security
          -   Key: joe-key
          -   Type: Password
          -   User Name: joe (same as entered in OSB console)
          -   Password: welcome1 (same as entered in OSB console)
          -   Click OK
4. Secure Proxy Service
  In this section, you will add the oracle/wss_username_token_service_policy OWSM policy to the
  ValidateCredit Proxy Service and test it using the OSB test console. Next, you will apply
  oracle/wss_username_token_client_policy to the getCreditCardStatus reference in the POProcessing
  composite in order to invoke the ValidateCredit Proxy Service.

  Add User Name Token Service OWSM Policy to Proxy Service
  In OSB Console, Click Resource Browser, click Proxy Services and click on ValidateCredit proxy service to
  edit the configuration




  Navigate to Policies tab




  Select OWSM Policy Bindings




  Expand Service




  Click Add to add an OWSM Policy
Select OWSM Policy dialog is displayed. Navigate to Page 2 (you can filter by specifying *username* in
the search field) and select oracle/wss_username_token_service_policy. Click Submit




Click Update




Navigate to Security tab




Set Process WS-Security Header flag to YES (Do not miss this step)
Click Update at the bottom of the page




Click Activate to activate the changes made in this session




Click Submit to confirm session activation




Positive Test
Navigate to Proxy Services (Click Resource Browser, Click Proxy Services)


Click on the test console icon for the ValidateCredit Proxy Service to test it
Paste the following into the Payload field in the Test Console

<cca:creditcardStatusRequest
xmlns:cca="http://www.globalcompany.com/ns/CCAuthorizationService">
<cca:CCNumber>1234-1234-1234-1234</cca:CCNumber>
</cca:creditcardStatusRequest>

Since the ValidateCredit Proxy Service has the User Name Token OWSM policy, you will see a Security
section in the Test Console with an oracle/wss_username_token_client_policy that has a csf-key property.
Specify joe-key as the override value. The user joe with password welcome1 has already been created
using the OSB console, and a joe-key csf-key holding the same credentials has already been created
using Fusion Middleware Control.




Click Execute

You should see the following response (in addition to SOAP headers)

<env:Body>
<inp1:creditcardStatus
xmlns:inp1="http://www.globalcompany.com/ns/CCAuthorizationService">VALID</inp1:creditcardStatus>
</env:Body>

Negative Test
Navigate to Security Configuration




Select Users




Click on the user joe




Click on Reconfigure
Change the password from welcome1 to something else and click Save Changes




Repeat Steps from the Positive test

You will see the request fail with the following response as joe’s password does not match the value
used in the Credential Map

The invocation resulted in an error: .

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>
BEA-386200: General web service security error
</faultstring>
<detail>
<con:fault xmlns:con="http://www.bea.com/wli/sb/context">
<con:errorCode>BEA-386200</con:errorCode>
<con:reason>General web service security error</con:reason>
<con:location>
<con:path>request-pipeline</con:path>
</con:location>
</con:fault>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
You can go to the Operations Dashboard and select Pipeline Alerts. You will see the following alert. It
is raised by the pipeline alert action in the Service-level Error Handler of the ValidateCredit proxy
service message flow: when WS-Security validation fails for a proxy service, the Service-level Error
Handler in the proxy service is invoked.




Reset the password of joe to welcome1

Add UserNameToken Client OWSM policy to SOA Reference

In POProcessing composite right click on the getCreditCardStatus Reference. Select Configure WS
policies




In the Security policies section, select




Select oracle/wss_username_token_client_policy and click OK.




Select the policy and click the Edit icon
Type joe-key for the csf-key override and click OK




Click OK

Deploy POProcessing composite (override the 1.0 version). You will see the following message after
successful re-deployment




Positive Test
Invoke Requisition/ProxyServices/createRequisition with sample data. This will trigger the
getCreditCardStatus WS Binding reference from the POProcessing composite. Since the
getCreditCardStatus reference has the UserNameToken client OWSM policy, the username/password
corresponding to the joe-key csf-key will be sent to the ValidateCredit Proxy Service. These credentials will
be successfully authenticated by OSB.




<cre:OsbRequisitionCollection xmlns:cre="http://xmlns.oracle.com/pcbpel/adapter/db/top/createRequisition">
<cre:OsbRequisition>
<cre:requisitioner>Bob</cre:requisitioner>
<cre:reqid>3333</cre:reqid>
<cre:productname>iPod Shuffle</cre:productname>
<cre:item>1GB</cre:item>
<cre:itemtype>Electronics</cre:itemtype>
<cre:reqDate>March 16, 2010</cre:reqDate>
<cre:description>string</cre:description>
<cre:quantity>5.00</cre:quantity>
<cre:price>500.00</cre:price>
<cre:currency>USD</cre:currency>
<cre:deliverydate>April 16, 2010</cre:deliverydate>
<cre:plant>Boulder</cre:plant>
<cre:cctype>Mastercard</cre:cctype>
<cre:ccnumber>8765-8765-8765-8765</cre:ccnumber>
</cre:OsbRequisition>
</cre:OsbRequisitionCollection>

To see that ValidateCredit was successfully executed, go to Operations -> Message Reports in the OSB
console. You will see the following reports. Notice the report from ValidateCredit
(CCNumber=8765-8765-8765-8765), which indicates that the ValidateCredit HTTP proxy service
was invoked from the POProcessing composite.




Next, navigate to Fusion Middleware Control (http://localhost:7001/em)

Expand SOA/soa-infra/default and click on POProcessing

Click on Instance ID of the latest instance in the Recent Instances table of the Dashboard

You should see the following. Notice that the POProcessing composite invoked the WS binding
reference (to the OSB HTTP Proxy Service, ValidateCredit).
Negative Test

Repeat the steps from the previous Negative Test to change the password for user joe to welcome1bad.

In the OSB console, navigate to Operations, followed by Pipeline Alerts. You will see the following Alert. It
is due to the authentication failure: the username/password sent by the SOA reference (joe/welcome1)
did not match the credentials in the DefaultAuthenticator (joe/welcome1bad). This Alert is generated by
the Pipeline Alert in the Service-level Error Handler of the ValidateCredit Proxy Service.




In Enterprise Manager, navigate to the POProcessing composite. You will see the latest instance faulted.




Click on the faulted instance to see the details. You will see the trace as below




Click on the second error message to see the following details. This is the error message from the OSB
Proxy Service. Since the error was an authentication failure, the error message does not pinpoint the
exact cause, because revealing it to the caller would be a security vulnerability. You can go to the server
log to see the detailed error message stating that authentication failed for user joe.




NOTE: If you see the following errors in Enterprise Manager when you select the Faulted instance,
restart the server and test again. This is a bug in the product.
If you expand the errors in the first table by clicking on the Error Message, you will see the following




Reset the password of joe to welcome1 by repeating the steps in this test.
Rerun the test; it must now succeed.
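The whole UserNameToken round trip of sections 3 and 4 (csf-key lookup on the client, DefaultAuthenticator check on the proxy, generic BEA-386200 fault on any failure), as an added Python example that is not part of the lab or of Oracle's code. The credential store, user table, logger name and the process_ws_security_header switch are constructed stand-ins for the OWSM and WebLogic components the lab configures through the consoles.

```python
import hmac
import logging
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
CCA = "http://www.globalcompany.com/ns/CCAuthorizationService"
CON = "http://www.bea.com/wli/sb/context"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
for prefix, uri in (("soapenv", ENV), ("wsse", WSSE), ("cca", CCA), ("con", CON)):
    ET.register_namespace(prefix, uri)

log = logging.getLogger("soa_osb_domain.server.log")  # stand-in for the WLS server log

# Constructed stand-in for the OWSM credential store: map oracle.wsm.security,
# key joe-key -> (user, password), exactly as entered in section 3.
CREDENTIAL_STORE = {("oracle.wsm.security", "joe-key"): ("joe", "welcome1")}
# Constructed stand-in for the users known to the WLS DefaultAuthenticator.
DEFAULT_AUTHENTICATOR = {"joe": "welcome1"}


def resolve_csf_key(csf_key, map_name="oracle.wsm.security", store=CREDENTIAL_STORE):
    """Client-side lookup the client policy performs for its csf-key override.
    The map must be named oracle.wsm.security; any other map is invisible to OWSM."""
    try:
        return store[(map_name, csf_key)]
    except KeyError:
        raise LookupError(f"csf-key {csf_key!r} not found in map {map_name!r}") from None


def build_request(csf_key, cc_number):
    """The SOAP request wss_username_token_client_policy sends: the lab's payload
    plus a wsse:Security header carrying a plaintext UsernameToken."""
    user, password = resolve_csf_key(csf_key)
    envelope = ET.Element(f"{{{ENV}}}Envelope")
    header = ET.SubElement(envelope, f"{{{ENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{ENV}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = user
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(envelope, f"{{{ENV}}}Body")
    request = ET.SubElement(body, f"{{{CCA}}}creditcardStatusRequest")
    ET.SubElement(request, f"{{{CCA}}}CCNumber").text = cc_number
    return ET.tostring(envelope)


def generic_fault():
    """The BEA-386200 fault from the lab's negative test: the same answer for a
    missing header, an unknown user or a wrong password, so callers learn nothing."""
    envelope = ET.Element(f"{{{ENV}}}Envelope")
    fault = ET.SubElement(ET.SubElement(envelope, f"{{{ENV}}}Body"), f"{{{ENV}}}Fault")
    ET.SubElement(fault, "faultcode").text = "soapenv:Server"
    ET.SubElement(fault, "faultstring").text = "BEA-386200: General web service security error"
    con_fault = ET.SubElement(ET.SubElement(fault, "detail"), f"{{{CON}}}fault")
    ET.SubElement(con_fault, f"{{{CON}}}errorCode").text = "BEA-386200"
    ET.SubElement(con_fault, f"{{{CON}}}reason").text = "General web service security error"
    location = ET.SubElement(con_fault, f"{{{CON}}}location")
    ET.SubElement(location, f"{{{CON}}}path").text = "request-pipeline"
    return ET.tostring(envelope)


def validate_credit(request, users=DEFAULT_AUTHENTICATOR, process_ws_security_header=True):
    """Proxy-side handling under wss_username_token_service_policy (simplified model).
    The detailed reason goes only to the server log, as the lab notes."""
    root = ET.fromstring(request)
    token = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if not process_ws_security_header or token is None:
        # Models the lab's "Process WS-Security Header" flag: left at NO, the token
        # is never consumed and the request cannot authenticate.
        log.warning("WS-Security header missing or not processed")
        return generic_fault()
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    password = token.findtext(f"{{{WSSE}}}Password") or ""
    expected = users.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        log.warning("authentication failed for user %s", user)
        return generic_fault()
    envelope = ET.Element(f"{{{ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{ENV}}}Body")
    ET.SubElement(body, f"{{{CCA}}}creditcardStatus").text = "VALID"
    return ET.tostring(envelope)


def outcome(response):
    """'VALID' for the lab's positive response, the OSB error code for a fault."""
    root = ET.fromstring(response)
    status = root.findtext(f"{{{ENV}}}Body/{{{CCA}}}creditcardStatus")
    if status is not None:
        return status
    return root.findtext(f"{{{ENV}}}Body/{{{ENV}}}Fault/detail/{{{CON}}}fault/{{{CON}}}errorCode")
```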
5. Propagate Identity from OSB to Composite

  In this section, you will propagate the identity of the user authenticated in Oracle Service Bus to the SOA
  Composite. You will perform the following steps.

  - Protect the getStatusByCC service of the validationForCC SOA Composite with the
    oracle/wss10_saml_token_service_policy service OWSM Policy
  - Update the validationForCC Business Service in Oracle Service Bus with the
    oracle/wss10_saml_token_client_policy client OWSM Policy
  - Test

  Add SAML Service OWSM Policy to SOA Composite Service
  Navigate to Fusion middleware control (http://localhost:7001/em)

  Select validationForCC composite




  Click the Policies tab




  Click on Attach To/Detach From, Select getStatusByCC




  Select oracle/wss10_saml_token_service_policy
Click Attach




Click OK




You will see the policy attached to the service as shown below




Add SAML Client OWSM Policy to OSB Business Service

Navigate to Oracle Service Bus Console (http://localhost:7001/sbconsole)
Create a Session




Navigate to Project Explorer, expand Credit_Services project. Select BusinessServices folder
Click on validationForCC Business Service




Click on Policies tab




Select OWSM Policy Bindings




Expand service




Click Add to add OWSM policy to the service




Select oracle/wss10_saml_token_client_policy and click Submit
Click Update




Activate Session




Confirm session activation, Click Submit
Test
Navigate to Proxy Services (Click Resource Browser, Click Proxy Services)

Click on the test console icon for the ValidateCredit Proxy Service to test it




Paste the following into the Payload field in the Test Console

<cca:creditcardStatusRequest xmlns:cca="http://www.globalcompany.com/ns/CCAuthorizationService">
<cca:CCNumber>1234-1234-1234-1234</cca:CCNumber>
</cca:creditcardStatusRequest>

Specify joe-key as the override value for csf-key property of the
oracle/wss_username_token_client_policy.




Click Execute
You should see the following response (in addition to SOAP headers)

<env:Body>
<inp1:creditcardStatus xmlns:inp1="http://www.globalcompany.com/ns/CCAuthorizationService">VALID</inp1:creditcardStatus>
</env:Body>

Navigate to the validationForCC composite in Enterprise Manager and click on the latest instance in the
Recent Instances table. You should see the following. This indicates the service was successfully invoked
with the SAML identity propagated.
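What the SAML hop of section 5 carries and what the composite has to verify before trusting it, as an added Python example that is not the lab's or Oracle's code. wss10_saml_token_client_policy uses the sender-vouches confirmation method: OSB asserts the user it has already authenticated (joe) and proves the message is its own by signing it with the key registered in section 3 (alias orakey), so the composite trusts the sender rather than an identity provider. Assumed here: the issuer name, the signing key bytes, the clock values, and an HMAC over the assertion standing in for the XML-Signature the real policy places over the message.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
PASSWORD_AUTHN = "urn:oasis:names:tc:SAML:1.0:am:password"
ET.register_namespace("saml", SAML)

# Constructed values: a secret standing in for OSB's orakey private key, the
# composite's trust list standing in for the sender certificate it trusts, and
# a fixed clock so the validity checks are reproducible.
OSB_SIGNING_KEY = b"constructed-stand-in-for-orakey"
TRUSTED_SENDERS = {"osb.example.issuer": OSB_SIGNING_KEY}
ISSUED_AT = datetime(2010, 3, 16, 12, 0, tzinfo=timezone.utc)
WITHIN_WINDOW = ISSUED_AT + timedelta(minutes=1)
AFTER_WINDOW = ISSUED_AT + timedelta(minutes=10)


def issue_assertion(subject, issuer, issued_at, ttl_minutes=5):
    """The SAML 1.1 assertion OSB attaches for a user it has just authenticated.
    Note what is carried: the user name and how they authenticated, never the password."""
    attrs = {"MajorVersion": "1", "MinorVersion": "1", "AssertionID": "constructed-id-1",
             "Issuer": issuer, "IssueInstant": issued_at.isoformat()}
    assertion = ET.Element(f"{{{SAML}}}Assertion", attrs)
    ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": issued_at.isoformat(),
        "NotOnOrAfter": (issued_at + timedelta(minutes=ttl_minutes)).isoformat()})
    statement = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": PASSWORD_AUTHN, "AuthenticationInstant": issued_at.isoformat()})
    subj = ET.SubElement(statement, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    confirmation = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(confirmation, f"{{{SAML}}}ConfirmationMethod").text = SENDER_VOUCHES
    return ET.tostring(assertion)


def sign(message, key):
    """Stand-in for the XML-Signature the sender places over the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def accept_assertion(assertion, signature, now, trusted=TRUSTED_SENDERS):
    """Composite-side checks behind wss10_saml_token_service_policy (simplified).
    Returns the propagated user name or raises PermissionError."""
    root = ET.fromstring(assertion)
    key = trusted.get(root.get("Issuer"))
    # Sender-vouches means the receiver trusts the sender, so the sender must be
    # one it knows and the signature must hold; this is also what catches tampering.
    if key is None or not hmac.compare_digest(sign(assertion, key), signature):
        raise PermissionError("assertion not from a trusted sender")
    method = root.findtext(f".//{{{SAML}}}SubjectConfirmation/{{{SAML}}}ConfirmationMethod")
    if method != SENDER_VOUCHES:
        raise PermissionError(f"unexpected confirmation method {method!r}")
    conditions = root.find(f"{{{SAML}}}Conditions")
    not_before = datetime.fromisoformat(conditions.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise PermissionError("assertion outside its validity window")
    subject = root.findtext(f".//{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if not subject:
        raise PermissionError("assertion names no subject")
    return subject


def verdict(assertion, signature, now):
    """Convenience wrapper: the accepted user name, or 'REJECTED: <reason>'."""
    try:
        return accept_assertion(assertion, signature, now)
    except PermissionError as err:
        return f"REJECTED: {err}"
```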

Contenu connexe

Tendances

Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11
Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11
Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11Feras Ahmad
 
Important scheduled processes list in fusion hcm
Important scheduled processes list in fusion hcmImportant scheduled processes list in fusion hcm
Important scheduled processes list in fusion hcmFeras Ahmad
 
Oracle hcm cloud overview
Oracle hcm cloud overviewOracle hcm cloud overview
Oracle hcm cloud overviewTrevor Hewitt
 
15 maintain worker directories
15 maintain worker directories15 maintain worker directories
15 maintain worker directoriesmohamed refaei
 
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Sandesh Rao
 
Oracle EBS Self service from A to Z
Oracle EBS Self service from A to ZOracle EBS Self service from A to Z
Oracle EBS Self service from A to ZFeras Ahmad
 
Oracle Database on ACFS: a perfect marriage?
Oracle Database on ACFS: a perfect marriage?Oracle Database on ACFS: a perfect marriage?
Oracle Database on ACFS: a perfect marriage?Ludovico Caldara
 
Training Guide Oracle EBS R12 Performance Management
Training Guide Oracle EBS R12 Performance ManagementTraining Guide Oracle EBS R12 Performance Management
Training Guide Oracle EBS R12 Performance ManagementFeras Ahmad
 
PostgreSQL Tutorial for Beginners | Edureka
PostgreSQL Tutorial for Beginners | EdurekaPostgreSQL Tutorial for Beginners | Edureka
PostgreSQL Tutorial for Beginners | EdurekaEdureka!
 
Hire employee in Oracle Fusion Cloud HCM
Hire employee in Oracle Fusion Cloud HCMHire employee in Oracle Fusion Cloud HCM
Hire employee in Oracle Fusion Cloud HCMFeras Ahmad
 
Oracle HCM Presentation 2020
Oracle HCM Presentation 2020Oracle HCM Presentation 2020
Oracle HCM Presentation 2020Feras Ahmad
 
Oracle hcm cloud configuring approval workflow
Oracle hcm cloud configuring approval workflowOracle hcm cloud configuring approval workflow
Oracle hcm cloud configuring approval workflowFeras Ahmad
 
Oracle Core HR with Screen Shots
Oracle Core HR with Screen ShotsOracle Core HR with Screen Shots
Oracle Core HR with Screen Shotsrunjithrocking
 
Oracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxOracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxVenu Palakolanu
 
Oracle EBS HRMS SETUP
Oracle EBS HRMS SETUPOracle EBS HRMS SETUP
Oracle EBS HRMS SETUPHussain Abbas
 
Ame how to diagnose issues with the default approver list in purchasing when ...
Ame how to diagnose issues with the default approver list in purchasing when ...Ame how to diagnose issues with the default approver list in purchasing when ...
Ame how to diagnose issues with the default approver list in purchasing when ...Abdul Rahman Fouad Thabit
 

Tendances (20)

Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11
Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11
Oracle fusion hrms_for_uae_hr_setup_white_paper_rel11
 
Oracle Database View
Oracle Database ViewOracle Database View
Oracle Database View
 
Important scheduled processes list in fusion hcm
Important scheduled processes list in fusion hcmImportant scheduled processes list in fusion hcm
Important scheduled processes list in fusion hcm
 
Oracle hcm cloud overview
Oracle hcm cloud overviewOracle hcm cloud overview
Oracle hcm cloud overview
 
15 maintain worker directories
15 maintain worker directories15 maintain worker directories
15 maintain worker directories
 
Đề tài: Tìm hiểu cơ chế đăng nhập một lần và thử nghiệm, HOT
Đề tài: Tìm hiểu cơ chế đăng nhập một lần và thử nghiệm, HOTĐề tài: Tìm hiểu cơ chế đăng nhập một lần và thử nghiệm, HOT
Đề tài: Tìm hiểu cơ chế đăng nhập một lần và thử nghiệm, HOT
 
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
 
Oracle EBS Self service from A to Z
Oracle EBS Self service from A to ZOracle EBS Self service from A to Z
Oracle EBS Self service from A to Z
 
Oracle Database on ACFS: a perfect marriage?
Oracle Database on ACFS: a perfect marriage?Oracle Database on ACFS: a perfect marriage?
Oracle Database on ACFS: a perfect marriage?
 
Training Guide Oracle EBS R12 Performance Management
Training Guide Oracle EBS R12 Performance ManagementTraining Guide Oracle EBS R12 Performance Management
Training Guide Oracle EBS R12 Performance Management
 
Less11 auditing
Less11 auditingLess11 auditing
Less11 auditing
 
PostgreSQL Tutorial for Beginners | Edureka
PostgreSQL Tutorial for Beginners | EdurekaPostgreSQL Tutorial for Beginners | Edureka
PostgreSQL Tutorial for Beginners | Edureka
 
Hire employee in Oracle Fusion Cloud HCM
Hire employee in Oracle Fusion Cloud HCMHire employee in Oracle Fusion Cloud HCM
Hire employee in Oracle Fusion Cloud HCM
 
AWR & ASH Analysis
AWR & ASH AnalysisAWR & ASH Analysis
AWR & ASH Analysis
 
Oracle HCM Presentation 2020
Oracle HCM Presentation 2020Oracle HCM Presentation 2020
Oracle HCM Presentation 2020
 
Oracle hcm cloud configuring approval workflow
Oracle hcm cloud configuring approval workflowOracle hcm cloud configuring approval workflow
Oracle hcm cloud configuring approval workflow
 
Oracle Core HR with Screen Shots
Oracle Core HR with Screen ShotsOracle Core HR with Screen Shots
Oracle Core HR with Screen Shots
 
Oracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linuxOracle forms and reports 11g installation on linux
Oracle forms and reports 11g installation on linux
 
Oracle EBS HRMS SETUP
Oracle EBS HRMS SETUPOracle EBS HRMS SETUP
Oracle EBS HRMS SETUP
 
Ame how to diagnose issues with the default approver list in purchasing when ...
Ame how to diagnose issues with the default approver list in purchasing when ...Ame how to diagnose issues with the default approver list in purchasing when ...
Ame how to diagnose issues with the default approver list in purchasing when ...
 

Similaire à Oracle OSB Security Enforcement with OWSM

Deploy sql express and share point foundation
Deploy sql express and share point foundationDeploy sql express and share point foundation
Deploy sql express and share point foundationTep Chanveasna
 
Ame configuration process end to end
Ame configuration process end to endAme configuration process end to end
Ame configuration process end to enderpnavin-11i
 
Microservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerAnupam Gogoi
 
Claims Based Identity In Share Point 2010
Claims  Based  Identity In  Share Point 2010Claims  Based  Identity In  Share Point 2010
Claims Based Identity In Share Point 2010Steve Sofian
 
Exploration note - none windows based authentication for WCF
Exploration note - none windows based authentication for WCFExploration note - none windows based authentication for WCF
Exploration note - none windows based authentication for WCFShahzad
 
Symantec CryptoExec for WHMCS - Installation and Management Guide
Symantec CryptoExec for WHMCS - Installation and Management GuideSymantec CryptoExec for WHMCS - Installation and Management Guide
Symantec CryptoExec for WHMCS - Installation and Management GuideSSLRenewals
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicHarihara sarma
 
Microsoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration GuideMicrosoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration GuideChris x-MS
 
Psn3661u
Psn3661uPsn3661u
Psn3661uAnu R.N
 
IBM Streams V4.1 and User Authentication with Client Certificates
IBM Streams V4.1 and User Authentication with Client CertificatesIBM Streams V4.1 and User Authentication with Client Certificates
IBM Streams V4.1 and User Authentication with Client Certificateslisanl
 
Implementing lockbox
Implementing lockboxImplementing lockbox
Implementing lockboxsri1srinu2
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSORamesh Nagappan
 
S-Controls for Dummies
S-Controls for DummiesS-Controls for Dummies
S-Controls for Dummiesdreamforce2006
 
S-Controls for Dummies
S-Controls for DummiesS-Controls for Dummies
S-Controls for Dummiesdreamforce2006
 
Balancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsBalancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsPapitha Velumani
 
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfLearn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfReliqusConsulting
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directoryprotect724rkeer
 

Similaire à Oracle OSB Security Enforcement with OWSM (20)

Oracle OSB Tutorial 2
Oracle OSB Tutorial 2Oracle OSB Tutorial 2
Oracle OSB Tutorial 2
 
Deploy sql express and share point foundation
Deploy sql express and share point foundationDeploy sql express and share point foundation
Deploy sql express and share point foundation
 
OpenSSO Tech Overview Aquarium
OpenSSO Tech Overview AquariumOpenSSO Tech Overview Aquarium
OpenSSO Tech Overview Aquarium
 
Ame configuration process end to end
Ame configuration process end to endAme configuration process end to end
Ame configuration process end to end
 
Microservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity ServerMicroservice Protection With WSO2 Identity Server
Microservice Protection With WSO2 Identity Server
 
Claims Based Identity In Share Point 2010
Claims  Based  Identity In  Share Point 2010Claims  Based  Identity In  Share Point 2010
Claims Based Identity In Share Point 2010
 
Exploration note - none windows based authentication for WCF
Exploration note - none windows based authentication for WCFExploration note - none windows based authentication for WCF
Exploration note - none windows based authentication for WCF
 
Symantec CryptoExec for WHMCS - Installation and Management Guide
Symantec CryptoExec for WHMCS - Installation and Management GuideSymantec CryptoExec for WHMCS - Installation and Management Guide
Symantec CryptoExec for WHMCS - Installation and Management Guide
 
Configuring kerberos based sso in weblogic
Configuring kerberos based sso in weblogicConfiguring kerberos based sso in weblogic
Configuring kerberos based sso in weblogic
 
Microsoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration GuideMicrosoft OCSP LUNA SA PCI Integration Guide
Microsoft OCSP LUNA SA PCI Integration Guide
 
Psn3661u
Psn3661uPsn3661u
Psn3661u
 
IBM Streams V4.1 and User Authentication with Client Certificates
IBM Streams V4.1 and User Authentication with Client CertificatesIBM Streams V4.1 and User Authentication with Client Certificates
IBM Streams V4.1 and User Authentication with Client Certificates
 
Oracle OSB Tutorial 1
Oracle OSB Tutorial 1Oracle OSB Tutorial 1
Oracle OSB Tutorial 1
 
Implementing lockbox
Implementing lockboxImplementing lockbox
Implementing lockbox
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSO
 
S-Controls for Dummies
S-Controls for DummiesS-Controls for Dummies
S-Controls for Dummies
 
S-Controls for Dummies
S-Controls for DummiesS-Controls for Dummies
S-Controls for Dummies
 
Balancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactionsBalancing performance, accuracy, and precision for secure cloud transactions
Balancing performance, accuracy, and precision for secure cloud transactions
 
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdfLearn to Add an SSL Certificate Boost Your Site's Security.pdf
Learn to Add an SSL Certificate Boost Your Site's Security.pdf
 
Actor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active DirectoryActor Model Import Connector for Microsoft Active Directory
Actor Model Import Connector for Microsoft Active Directory
 

Plus de Rakesh Gujjarlapudi

Reference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to KubernetesReference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to KubernetesRakesh Gujjarlapudi
 
Oracle SOA, BPM, OSB, BAM, & B2B 12C
Oracle SOA, BPM, OSB, BAM, & B2B 12COracle SOA, BPM, OSB, BAM, & B2B 12C
Oracle SOA, BPM, OSB, BAM, & B2B 12CRakesh Gujjarlapudi
 
Lesson1 - SOA Governance Overview
Lesson1  - SOA Governance OverviewLesson1  - SOA Governance Overview
Lesson1 - SOA Governance OverviewRakesh Gujjarlapudi
 
Weblogic Administration Managed Server migration
Weblogic Administration Managed Server migrationWeblogic Administration Managed Server migration
Weblogic Administration Managed Server migrationRakesh Gujjarlapudi
 
Oracle fusionmiddlewarecontinuosintegration slideshare_v1
Oracle fusionmiddlewarecontinuosintegration slideshare_v1Oracle fusionmiddlewarecontinuosintegration slideshare_v1
Oracle fusionmiddlewarecontinuosintegration slideshare_v1Rakesh Gujjarlapudi
 
SOA OSB suite cluster installation
SOA OSB suite cluster installationSOA OSB suite cluster installation
SOA OSB suite cluster installationRakesh Gujjarlapudi
 
Enterprise managerclodcontrolinstallconfiguration emc12c
Enterprise managerclodcontrolinstallconfiguration emc12cEnterprise managerclodcontrolinstallconfiguration emc12c
Enterprise managerclodcontrolinstallconfiguration emc12cRakesh Gujjarlapudi
 
Oracle ADF 11g Skinning Tutorial
Oracle ADF 11g Skinning TutorialOracle ADF 11g Skinning Tutorial
Oracle ADF 11g Skinning TutorialRakesh Gujjarlapudi
 
Oracle WebLogic Server 11g for IT OPS
Oracle WebLogic Server 11g for IT OPSOracle WebLogic Server 11g for IT OPS
Oracle WebLogic Server 11g for IT OPSRakesh Gujjarlapudi
 

Plus de Rakesh Gujjarlapudi (19)

Reference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to KubernetesReference architectures shows a microservices deployed to Kubernetes
Reference architectures shows a microservices deployed to Kubernetes
 
Oracle SOA, BPM, OSB, BAM, & B2B 12C
Oracle SOA, BPM, OSB, BAM, & B2B 12COracle SOA, BPM, OSB, BAM, & B2B 12C
Oracle SOA, BPM, OSB, BAM, & B2B 12C
 
Lesson1 - SOA Governance Overview
Lesson1  - SOA Governance OverviewLesson1  - SOA Governance Overview
Lesson1 - SOA Governance Overview
 