Tuesday, December 23, 2014

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) - Secure the XACML Authorization Web Service

To associate a WS-Policy file with a Web service:
  • If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit  
  • In the left pane of the Administration Console, select Deployments.
  • In the right pane, navigate within the Deployments table until you find the Web service for which you want to configure a WS-Policy file. Note: Web services are deployed as part of an Enterprise application, Web application, or EJB, and the Deployments table lists them nested under that parent module.
  • In the Deployments table, click the name of the Web service.




  • Select Configuration -> WS-Policy. The table lists the WS-Policy files that are currently associated with the Web service. The top level lists all the ports of the Web service. Click the + next to a Web service port to see its operations and associated WS-Policy files.


  • To associate a WS-Policy file with an entire Web service endpoint (port):
    • Click the name of the Web service port. A page appears which includes two columns: one labeled Available Endpoint Policies that lists the names of the WS-Policy files that you can attach to a Web service endpoint and one labeled Chosen Endpoint Policies that lists the WS-Policy files that are currently configured for this endpoint.
    • Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files that are in the Chosen column are attached to the Web service endpoint.
    • Click OK. If your Web service already has a deployment plan associated with it, the newly attached WS-Policy files are displayed in the Policies column in the table.
      If the J2EE module of which the Web service is a part does not currently have a deployment plan associated with it, the assistant asks you for the directory that should contain the deployment plan. Use the navigation tree to specify a directory, then click Finish.


  • To associate a WS-Policy file with a Web service operation:
    • Click the name of the operation. A page appears which includes two columns: one labeled Available Message Policies that lists the names of the WS-Policy files that are available to attach to both the inbound (request) and outbound (response) SOAP message of the operation, and one labeled Chosen Message Policies that lists the WS-Policy files currently attached to both messages.
    • Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files in the Chosen column are attached to both the inbound and outbound SOAP message when this operation is invoked by a client application.
    • Click Next.
    • A page appears which includes two columns: one labeled Available Inbound Message Policies that lists the names of the WS-Policy files that are available to attach to the inbound (request) SOAP message of the operation, and one labeled Chosen Inbound Message Policies that lists the WS-Policy files currently attached to the inbound SOAP message.
    • Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files in the Chosen column are attached to the inbound (request) SOAP message when this operation is invoked by a client application.
    • Click Next.
    • A page appears which includes two columns: one labeled Available Outbound Message Policies that lists the names of the WS-Policy files that are available to attach to the outbound (response) SOAP message of the operation, and one labeled Chosen Outbound Message Policies that lists the WS-Policy files currently attached to the outbound SOAP message.
    • Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files in the Chosen column are attached to the outbound (response) SOAP message when this operation is invoked by a client application.
    • Click Finish. If your Web service already has a deployment plan associated with it, the attached WS-Policy files are displayed in the Policies column in the table.
      If the J2EE module of which the Web service is a part does not currently have a deployment plan associated with it, the assistant asks you for the directory that should contain the deployment plan. Use the navigation tree to specify a directory, then click Finish.

  • To activate these changes, in the Change Center of the Administration Console, click Activate Changes.




Friday, December 19, 2014

Oracle® Fusion Middleware SOA-11g Release 2 (11.1.1.7.0) XML Gateway Integration (Inbound) Part 2. Steps to build Oracle Apps Adapter connection from JDeveloper



  • Open JDeveloper and create a new SOA Project
  • On the composite design screen, click on Oracle Applications. This will bring up the Adapter Configuration Screen. Click Next.


  • Enter the Service Name and press Next.


  • Enter the DB Connection Name and the JNDI Connection Name created in Part 1 (http://oraclesoaandoim.blogspot.com/2014/12/oracle-fusion-middleware-soa-11g.html), then press Next.



  • Navigate to Other Interfaces > Custom Objects > XML Gateway and select the desired XML Gateway map.




  • Choose the specific schema tied to XML Gateway.

  • This creates the Oracle Apps Adapter for use within the composite.
  • Ensure that the following XML Gateway header properties are set on the Invoke activity of the BPEL process (the values shown are the post's sample values; use the transaction type, subtype and party site ID defined in your own XML Gateway setup):

    <!-- Invoke of the Oracle Apps Adapter partner link that enqueues the message for XML Gateway.
         The jca.apps.ecx.* input properties identify the XML Gateway transaction and trading partner. -->
    <invoke name="InvokeWriteToECXQueue"
            inputVariable="InvokeWriteToECXQueue_Enqueue_InputVariable"
            partnerLink="WriteToECXQueue" portType="ns7:Enqueue_ptt"
            operation="Enqueue" bpelx:invokeAsDetail="no">
      <bpelx:inputProperty name="jca.apps.ecx.TransactionType"
                           expression='"MINDTELLIGENT"'/>
      <bpelx:inputProperty name="jca.apps.ecx.TransactionSubtype"
                           expression='"MINDTELLIGENT_RECV"'/>
      <bpelx:inputProperty name="jca.apps.ecx.PartySiteId"
                           expression='"112233"'/>
      <bpelx:inputProperty name="jca.apps.ecx.MessageType"
                           expression='"XML"'/>
      <bpelx:inputProperty name="jca.apps.ecx.MessageStandard"
                           expression='"OAG"'/>
      <bpelx:inputProperty name="jca.apps.ecx.DocumentNumber"
                           expression='"1234"'/>
    </invoke>
  </sequence>


Oracle® Fusion Middleware SOA-11g Release 2 (11.1.1.7.0) XML Gateway Integration (Inbound) Part 1. Create Oracle Apps Adapter Connection Pool



This post covers the first step of building a SOA composite that uses the Oracle Applications Adapter: creating the adapter's outbound connection pool in the WebLogic Administration Console. Part 2 builds the composite in JDeveloper.


  • Using the Admin Console, navigate to Deployments-> OracleAppsAdapter





  • Click Configuration -> Outbound Connection Pools -> New and choose javax.resource.cci.ConnectionFactory.
  • Enter the JNDI Name and press Finish.
  • Ensure the XA Data Source Name property (xADataSourceName) refers to an existing XA data source for the E-Business Suite database and press Save.










  • Go back to Deployments -> OracleAppsAdapter, select its check box and press Update, so that the adapter is redeployed with the updated deployment plan.
  • Restart the Server

Tuesday, December 16, 2014

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Integration OES with OID





The configuration described here is an OID (Oracle Internet Directory) LDAP-based authentication provider used by OPSS applications deployed on a WebLogic Server environment.

Follow the steps below to configure an OID authentication provider using the WebLogic Administration Console:
1. Make sure the WebLogic Server is running, then open a web browser.
2. Open the WebLogic Administration Console by browsing to http://localhost:7001/console and log in. This walkthrough uses the lab defaults:
Username: weblogic
Password: welcome1
3. Click the Security Realms link in the Domain Structure pane to show the list of security realms for the domain.
4. Click the myrealm link in the Realms pane to show the settings for the domain's security realm.
5. Click the Providers tab to show the security providers configured for myrealm.
6. Click the Authentication tab to list the currently configured authentication providers for this domain's security realm. The default out-of-the-box providers are shown: the embedded LDAP authentication provider (DefaultAuthenticator) and the identity asserter (DefaultIdentityAsserter). This is where you configure the new OID authentication provider.
7. Click New to create a new authentication provider for this domain.
8. The Create a new Authentication Provider page is displayed. Give your new authentication provider a name, such as OID Authenticator, select the type OracleInternetDirectoryAuthenticator, and click OK.
9. You should now see your new OID authenticator at the bottom of the list of authentication providers.
10. Click the link for your OID authentication provider to configure its settings.
11. The Settings for OID Authenticator page is displayed. Click the Provider Specific tab to configure the detailed settings for this provider.
12. This step guides you through all of the settings for configuring your new OID authentication provider. All the settings are made on a single configuration page; this instruction goes through them one section at a time.
The first section contains the Connection settings for the OID server. Use the values from the table below for this section:

Name                 Value          Purpose
Host                 localhost      The OID host name
Port                 3060           The standard OID (non-SSL) listening port
Principal            cn=orcladmin   The LDAP user that binds to OID on behalf of your authentication provider
Credentials          welcome1       Password for the principal user
Confirm Credentials  welcome1       Confirmation of the password
SSL Enabled          Unchecked      Enables or disables SSL connectivity

With SSL Enabled unchecked, the principal's bind password and every user password that WebLogic verifies against OID cross the network in clear text. That is acceptable only when OID and WebLogic share a host, as in this lab; for any other deployment check SSL Enabled and use the OID SSL port (3131 by default). Prefer a dedicated read-only bind account over cn=orcladmin as well, so that a compromise of the domain configuration does not hand out the directory super-user.
Validate your settings against the screenshot below:
The next section contains the Users settings for the OID provider. Use the values from the table below for this section:

Name                                  Value                            Purpose
User Base DN                          cn=Users,dc=us,dc=oracle,dc=com  The root (base DN) of the LDAP tree where searches are performed for user data
All Users Filter                      Leave as default                 The LDAP search filter used to list all the users below the User Base DN
User From Name Filter                 Leave as default                 The LDAP search filter used to find an LDAP user by name
User Search Scope                     Leave as default                 How deep in the LDAP tree to search for users
User Name Attribute                   Leave as default                 The attribute of the LDAP user that holds the user name
User Object Class                     Leave as default                 The LDAP object class that stores users
Use Retrieved User Name as Principal  Checked                          Whether the user name retrieved from the LDAP directory is used as the Principal in the Subject
Validate your settings against the screenshot below:
The next section contains the Groups settings for the OID provider. Use the values from the table below for this section:

Name                               Value                             Purpose
Group Base DN                      cn=Groups,dc=us,dc=oracle,dc=com  The root (base DN) of the LDAP tree where searches are performed for group data
All Groups Filter                  Leave as default                  The LDAP search filter used to list all the groups below the Group Base DN
Group From Name Filter             Leave as default                  The LDAP search filter used to find an LDAP group by name
Group Search Scope                 Leave as default                  How deep in the LDAP tree to search for groups
Group Membership Searching         Leave as default                  Whether searches into nested groups are limited or unlimited
Max Group Membership Search Level  Leave as default                  How many levels of nested group membership are searched; only used when Group Membership Searching is set to limited
Ignore Duplicate Membership        Unchecked                         Whether duplicate members are ignored when adding groups
Validate your settings against the screenshot below:
Click Save to persist your changes.
13. Click the Common tab in the Settings for OID Authenticator pane to show the settings common to all authentication providers.
14. Change the Control Flag setting to SUFFICIENT and click Save. With SUFFICIENT, a successful login against this provider is enough on its own, and a failed one lets the remaining providers try, so a user does not have to exist in every identity store.
15. Click the Providers link in the breadcrumb near the top of the page to return to the Authentication Providers page.
16. Click the DefaultAuthenticator link to display its common settings so you can change its control flag to SUFFICIENT as well.
17. Change the Control Flag setting to SUFFICIENT and click Save. The DefaultAuthenticator ships as REQUIRED; left that way, a user who exists only in OID fails the REQUIRED embedded-LDAP check and is rejected even though OID accepted the password. The provider is kept (rather than removed) because the weblogic administrative account lives only in the embedded LDAP.
18. Click the Providers link in the breadcrumb near the top of the page to return to the Authentication Providers page.
19. Click Reorder to change the order of your configured authentication providers.
As the OPSS Concepts self-study course explains, OPSS takes its identity store configuration from the authentication providers defined in the WebLogic Server domain: it considers the LDAP-based authentication providers in list order and uses the first one that carries the highest control flag. Because both LDAP-based providers are now SUFFICIENT, OPSS would use the DefaultAuthenticator if the order were left as it is. To make OPSS use your new OID authenticator as its identity store, reorder the list so that the OID authentication provider is first.
20. Select the OID Authenticator and use the arrows on the right to move it into the first position. Click OK.

21. Navigate to APM (the OES Administration Console) at http://hostname:7001/apm.
22. Click System Configuration -> Administrators -> New.
23. You can either create a new role or add the external (AD/OID) groups to the existing default System Administrator role.
        Adding a group to the default System Administrator role gives its members full APM Admin Console privileges.
24. Create a new role for finer-grained authorization.
25. Click Search to find the external groups to add, click Add Selected to add the group, and then click Add Principals.
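Why steps 14 to 20 change both control flags and the provider order, as an added example that is not code from the post or from Oracle: the model below evaluates an ordered provider list with the JAAS control-flag semantics that WebLogic's authentication providers follow. Provider names and the two user tables are constructed sample data, and the model only decides whether a login succeeds; it says nothing about which provider OPSS selects as its identity store.

```python
"""JAAS control-flag model for the WebLogic authentication provider list
built in steps 14-20.

Added example, not code from the original post or from Oracle. It assumes
WebLogic's authentication providers combine exactly like JAAS login modules
(REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL). Provider names and the user
tables are constructed sample data.
"""
from typing import Dict, List, Tuple

# (provider name, control flag, {username: password})
Provider = Tuple[str, str, Dict[str, str]]

# Constructed directories: "alice" exists only in OID, "weblogic" only in the
# embedded LDAP that DefaultAuthenticator reads (password is the lab default).
OID_USERS = {"alice": "oid-secret"}
EMBEDDED_USERS = {"weblogic": "welcome1"}


def authenticate(providers: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Run one login through the ordered provider list.

    Returns (login succeeded, providers that accepted the credentials).
    REQUIRED   must succeed; the list is still evaluated to the end.
    REQUISITE  must succeed; a failure stops evaluation immediately.
    SUFFICIENT a success ends evaluation with an overall success, unless a
               REQUIRED/REQUISITE provider already failed; a failure is ignored.
    OPTIONAL   only counts when no REQUIRED/REQUISITE provider exists.
    """
    accepted: List[str] = []
    has_required = False
    required_failed = False
    for name, flag, users in providers:
        ok = users.get(user) == password
        if ok:
            accepted.append(name)
        if flag in ("REQUIRED", "REQUISITE"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break
        elif flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, accepted
        elif flag != "OPTIONAL":
            raise ValueError("unknown control flag: " + flag)
    if has_required:
        return not required_failed, accepted
    # No REQUIRED/REQUISITE providers: some SUFFICIENT or OPTIONAL must have succeeded.
    return bool(accepted), accepted


def scenarios() -> Dict[str, bool]:
    """Login outcomes for the provider lists before and after steps 14-20."""
    out_of_the_box = [("DefaultAuthenticator", "REQUIRED", EMBEDDED_USERS),
                      ("OID Authenticator", "SUFFICIENT", OID_USERS)]
    both_sufficient_oid_first = [("OID Authenticator", "SUFFICIENT", OID_USERS),
                                 ("DefaultAuthenticator", "SUFFICIENT", EMBEDDED_USERS)]
    return {
        # OID added but DefaultAuthenticator left REQUIRED (its default): an
        # OID-only user is rejected even though OID accepted the password.
        "default REQUIRED, alice": authenticate(out_of_the_box, "alice", "oid-secret")[0],
        "default REQUIRED, weblogic": authenticate(out_of_the_box, "weblogic", "welcome1")[0],
        # The configuration the post ends with: both SUFFICIENT, OID first.
        "both SUFFICIENT, alice": authenticate(both_sufficient_oid_first, "alice", "oid-secret")[0],
        "both SUFFICIENT, weblogic": authenticate(both_sufficient_oid_first, "weblogic", "welcome1")[0],
        "both SUFFICIENT, bad password": authenticate(both_sufficient_oid_first, "alice", "wrong")[0],
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:32s} -> {'login OK' if result else 'login FAILED'}")
```

The first scenario is the one that bites when only step 14 is done: OID accepts alice, but the REQUIRED embedded-LDAP provider has already failed, so the login is refused.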



Monday, December 15, 2014

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Create delegated administrator



  • Expand the Applications node in the Navigation Panel.
  • Select the Application to modify.
  • Right-click the Application name and select Open from the menu. The General, Delegated Administrators, Policy Distribution and Simulation tabs are all active.
  • Click the Delegated Administrators tab. The Application name is listed in the displayed table. Click the arrow next to the Application name to see the default ApplicationPolicyAdmin role created when the Application object was created. Click the Administrator Role name to display its details in the tabs below the Delegated Administrators table:
    • Role Details
    • External Role Mapping
    • External User Mapping
  • Click New to create a new Administrator Role. Be sure to select the name of the Application to activate New. Alternately, select the Application and select New from the Actions menu. A New Administrator Role dialog is displayed.



  • Provide the following values for the new Administrator Role and click OK: Name (must be unique), Display Name, and Description.



  • Select the new Administrator Role to activate its configuration tabs. The Role Details tab is active.
  • Click Edit to define the role details. An Edit Administrator Role dialog is displayed.
  • Grant View or Manage privileges for the appropriate policy objects and click Save.

Select View or Manage for each listed policy object, granting Manage only where the delegate actually needs to change something. Note the difference between the two administrative objects: Manage on Admin Policy lets the administrator assign new permissions to an Admin Role, while Manage on Admin Role lets the administrator add members to an Admin Role, which is effectively the power to create further administrators.


  • Click the External Role Mapping tab to grant the Administrator Role to members of external roles. The users and groups shown come from the first LDAP authentication provider with a SUFFICIENT control flag configured in WebLogic Server.
  • Click Add to display the Search Principals dialog.
  •  Complete the query fields in the External Roles search box and click Search. Empty strings fetch all roles. The results display in the Search Results table.
  • Select the external role to map to by clicking its name in the table. Use Ctrl+click to select multiple roles.
  • Click Add Principals. The selected roles display in the External Role Mapping tab.


Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Steps to create an obligation



The Security Module PDP evaluates the request and returns a response (and any applicable obligations) to the PEP in the form of an authorization decision to grant or deny access.

The PEP fulfills any obligations, if applicable. An obligation is information returned with the decision upon which the PEP may or may not act. For example, an obligation may carry additional information about a decision to deny. The PEP is responsible for obligation fulfillment based on its settings; Oracle Entitlements Server is responsible only for forwarding the obligation as the policy configuration dictates. In XACML terms this is what makes obligations security-relevant: a PEP that does not understand, or cannot discharge, an obligation attached to a Permit must treat the decision as Deny, because the obligation is a condition of that Permit.

This thread discusses steps to create an Obligation for a policy.


  • Create an attribute, for example getChildPersons, with Category: Dynamic; Input Values: Multiple; Type: String.

  • Navigate to the authorization policy and create a new obligation by choosing getChildPersons from the List of Attributes in the window.

  • In the PIP attribute retriever code, populate the attribute that backs the obligation. Inside the branch that dispatches on the requested attribute name (string), add a case for getChildPersons that returns its values:
            } else if ("getChildPersons".equals(string)) {
                return ( ............ );   // the multi-valued String result for getChildPersons
            }
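What the PEP side of an obligation looks like, as an added example that is not code from the post or from Oracle Entitlements Server: a small PEP that receives a decision carrying obligations and applies the XACML rule that a Permit whose obligations it cannot discharge is a Deny. The Decision structure, the Pep class and the handler are assumptions made for the illustration; only the obligation name getChildPersons and its type (a multi-valued String) come from the post.

```python
"""PEP handling of a decision that carries obligations.

Added example, not code from the original post or from Oracle Entitlements
Server. Decision, Pep and the handler are assumptions for the illustration;
the obligation name getChildPersons and its shape (a multi-valued String
attribute) come from the post.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Decision:
    """Constructed stand-in for what the Security Module returns to the PEP."""
    permit: bool
    obligations: Dict[str, List[str]] = field(default_factory=dict)


# An obligation handler gets the obligation's values and reports whether it discharged them.
Handler = Callable[[List[str]], bool]


class Pep:
    def __init__(self) -> None:
        self.handlers: Dict[str, Handler] = {}
        self.audit: List[str] = []

    def on(self, obligation: str, handler: Handler) -> None:
        self.handlers[obligation] = handler

    def enforce(self, decision: Decision) -> bool:
        """Return True only when the PDP said Permit and every obligation was discharged.

        A Permit is conditional on its obligations (XACML): an obligation this
        PEP does not know, or whose handler fails, turns the answer into Deny.
        Obligations on a Deny are informational and are handled best-effort.
        """
        if not decision.permit:
            for name, values in decision.obligations.items():
                handler = self.handlers.get(name)
                if handler is not None:
                    handler(values)
            self.audit.append("deny: PDP denied")
            return False
        for name, values in decision.obligations.items():
            handler = self.handlers.get(name)
            if handler is None:
                self.audit.append(f"deny: unknown obligation {name}")
                return False
            if not handler(values):
                self.audit.append(f"deny: obligation {name} not discharged")
                return False
        self.audit.append("permit: all obligations discharged")
        return True


def demo() -> Dict[str, bool]:
    """Three decisions for a 'read person records' request, with constructed values."""
    pep = Pep()
    visible_persons: List[str] = []

    def restrict_to_children(values: List[str]) -> bool:
        # getChildPersons: the PDP names the persons this caller may see; apply it as a row filter.
        visible_persons[:] = values
        return True

    pep.on("getChildPersons", restrict_to_children)
    results = {
        "permit with getChildPersons": pep.enforce(Decision(True, {"getChildPersons": ["p-100", "p-101"]})),
        "permit with unknown obligation": pep.enforce(Decision(True, {"maskSalary": ["true"]})),
        "deny with reason": pep.enforce(Decision(False, {"denyReason": ["not a guardian"]})),
    }
    results["filter applied"] = visible_persons == ["p-100", "p-101"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32s} -> {outcome}")
```

The audit list records why each request was refused, which is what an incident responder needs when a policy change starts producing Permits with obligations an older PEP build does not recognise.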
Sunday, December 14, 2014

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Add the PIP JAR files to CLASSPATH



  • Build the directories where the JAR files will be stored.
  • Copy the .jar files needed by the attribute retrievers (PIP) into those directories.
  • Add the following lines to the $DOMAIN_HOME/bin/setDomainEnv.sh file. The CLASSPATH variable is set toward the bottom of the file; these lines should be added immediately after that definition. Everything on this path is loaded into the Admin and Security Module servers, so keep the directories and JARs owned by the server's user and not writable by anyone else.


# Directory holding the PIP / attribute-retriever libraries
MIND_DOMAIN_APP_DIR=/u01/app/oracle/admin/PIP_LIBS
export MIND_DOMAIN_APP_DIR

# lib/* picks up every JAR directly in lib; lib/dependent/ is a plain directory
# entry, which the JVM scans for .class files only (JARs placed there are not
# loaded; list them or use lib/dependent/* for those)
CLASSPATH=${CLASSPATH}:${MIND_DOMAIN_APP_DIR}/lib/*:${MIND_DOMAIN_APP_DIR}/lib/dependent/
export CLASSPATH

  • Restart the Admin and SM (Security Module) servers so that the new CLASSPATH takes effect.
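A pre-flight check for the CLASSPATH additions above, added here as an example that is not from the post: it expands the entries the way the JVM does, confirms each exists, flags anything group- or world-writable (every file on this path runs with the privileges of the Admin and SM servers), and reports JARs that sit in a plain directory entry such as lib/dependent/, which the JVM scans only for .class files. MIND_DOMAIN_APP_DIR and the lib/ layout follow the snippet; the sample tree that demo() checks is constructed in a temporary folder.

```python
"""Pre-flight check for the PIP library path added to setDomainEnv.sh.

Added example, not code from the original post. The lib/ and lib/dependent/
layout follows the snippet; the sample tree in demo() is constructed in a
temporary folder and removed afterwards.
"""
import os
import shutil
import stat
import tempfile
from typing import List


def expand_entry(entry: str) -> List[str]:
    """Expand one CLASSPATH entry the way the JVM does.

    'dir/*' means every .jar directly in dir; any other entry is taken
    literally, as a JAR file or a directory of .class files.
    """
    if entry.endswith("/*"):
        directory = entry[:-2]
        if not os.path.isdir(directory):
            return []
        return sorted(
            os.path.join(directory, name)
            for name in os.listdir(directory)
            if name.lower().endswith(".jar")
        )
    return [entry]


def check_classpath(classpath: str) -> List[str]:
    """Findings for entries that are missing, writable by others, or
    directories whose JARs will never be loaded."""
    findings: List[str] = []
    for entry in filter(None, classpath.split(os.pathsep)):
        wildcard = entry.endswith("/*")
        # For dir/*, check the directory itself too: a writable directory lets
        # anyone add a JAR that the servers will load on the next restart.
        paths = ([entry[:-2]] + expand_entry(entry)) if wildcard else [entry]
        for path in paths:
            if not os.path.exists(path):
                findings.append(f"missing: {path}")
                continue
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"group/world-writable: {path}")
            if os.path.isdir(path) and not wildcard:
                jars = sorted(n for n in os.listdir(path) if n.lower().endswith(".jar"))
                if jars:
                    findings.append(
                        f"jars ignored (directory entry, use {path.rstrip('/')}/*): " + ", ".join(jars)
                    )
    return findings


def demo() -> List[str]:
    """Build a constructed PIP_LIBS tree and check the CLASSPATH the snippet produces."""
    root = tempfile.mkdtemp(prefix="pip_libs_")
    try:
        lib = os.path.join(root, "lib")
        dependent = os.path.join(lib, "dependent")
        os.makedirs(dependent)
        for d in (root, lib, dependent):
            os.chmod(d, 0o755)
        # An empty ZIP end-of-central-directory record is a valid, empty JAR.
        for name, mode in (("retriever.jar", 0o644), ("evil.jar", 0o666), ("dependent/helper.jar", 0o644)):
            path = os.path.join(lib, name)
            with open(path, "wb") as fh:
                fh.write(b"PK\x05\x06" + b"\x00" * 18)
            os.chmod(path, mode)
        classpath = os.pathsep.join([
            os.path.join(root, "absent.jar"),   # constructed: a path that does not exist
            lib + "/*",
            dependent + "/",
        ])
        return check_classpath(classpath)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run check_classpath() on the real value of $CLASSPATH after sourcing setDomainEnv.sh; an empty list is the result you want before restarting the servers.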



Monday, December 1, 2014

Connect ToUrl Using Basic Authentication



package com.util.mindtelligent.util;

import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;

import org.apache.commons.codec.binary.Base64;

/**
 * Fetches a URL that is protected by HTTP Basic authentication.
 *
 * Basic authentication only base64-encodes "user:password"; it does not
 * encrypt it. Use an https:// URL for anything other than a lab device on a
 * private network, and never log the encoded header value: it is the password.
 */
public class ConnectToUrlUsingBasicAuthentication {

 public static void main(String[] args) {

  try {
   // Lab values: a router on plain http with its default credentials
   String webPage = "http://192.168.1.1";
   String name = "admin";
   String password = "admin";

   String authString = name + ":" + password;
   // Encode with an explicit charset; the platform default differs between hosts
   byte[] authEncBytes = Base64.encodeBase64(authString.getBytes(StandardCharsets.UTF_8));
   String authStringEnc = new String(authEncBytes, StandardCharsets.US_ASCII);

   URL url = new URL(webPage);
   URLConnection urlConnection = url.openConnection();
   urlConnection.setRequestProperty("Authorization", "Basic " + authStringEnc);

   StringBuilder sb = new StringBuilder();
   // try-with-resources closes the stream even when read() throws; response assumed UTF-8
   try (InputStream is = urlConnection.getInputStream();
        Reader isr = new InputStreamReader(is, StandardCharsets.UTF_8)) {
    int numCharsRead;
    char[] charArray = new char[1024];
    while ((numCharsRead = isr.read(charArray)) != -1) {
     sb.append(charArray, 0, numCharsRead);
    }
   }
   String result = sb.toString();

   System.out.println("*** BEGIN ***");
   System.out.println(result);
   System.out.println("*** END ***");
  } catch (MalformedURLException e) {
   e.printStackTrace();
  } catch (IOException e) {
   e.printStackTrace();
  }
 }

}
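Both ends of HTTP Basic authentication, added as an example that is not part of the original post: the client builds the Authorization header as the Java class does, and the server parses and verifies one, refusing it over plain HTTP and comparing passwords in constant time. Function names, the user table and the sample requests are constructed for the illustration; admin/admin are the post's lab credentials.

```python
"""HTTP Basic authentication: header construction and server-side verification.

Added example, not code from the original post. Function names, the user
table and the sample requests are constructed for the illustration; the
admin/admin pair is the post's lab value.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def basic_auth_header(user: str, password: str) -> str:
    """Client side: the value the Java class puts in the Authorization header."""
    if ":" in user:
        raise ValueError("a Basic user-id may not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (user, password) from the header, or None if malformed.

    This is also the demonstration that Basic is encoding, not encryption:
    anyone who can read the header can read the password.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")   # the password itself may contain ':'
    if not sep:
        return None
    return user, password


def verify(header: Optional[str], users: Dict[str, str], over_tls: bool) -> bool:
    """Accept the request only over TLS and only with matching credentials."""
    if not over_tls:
        return False           # a Basic header on plain HTTP has already leaked the password
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    expected = users.get(user, "")
    # Hash both sides so the compared byte strings always have equal length,
    # then compare in constant time. (A real server stores salted hashes,
    # e.g. hashlib.scrypt, instead of the plain table used here.)
    supplied_digest = hashlib.sha256(password.encode("utf-8")).digest()
    expected_digest = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(supplied_digest, expected_digest) and user in users


def demo() -> Dict[str, object]:
    users = {"admin": "admin"}               # the post's lab credentials
    header = basic_auth_header("admin", "admin")
    return {
        "header": header,
        "decoded": parse_basic_auth(header),
        "over https": verify(header, users, over_tls=True),
        "over http": verify(header, users, over_tls=False),
        "wrong password": verify(basic_auth_header("admin", "Admin"), users, over_tls=True),
        "garbage": verify("Basic !!!!", users, over_tls=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} {v}")
```

The "decoded" entry is the point of the exercise: the header the Java client sends for admin/admin decodes straight back to the password, which is why the fetch belongs on https and why the encoded string must never end up in a log.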

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) - Secure the XACML Authorization Web Service




Migrating From Database to XML

Following is the procedure to migrate policies from a database to an XML-based policy store.

Note: The value of the bootstrap.security.principal.key property must be populated with the key generated during reassociation of the policy, credential, and key stores from one repository type to another; it is the key under which the database credentials were stored in the bootstrap wallet, so the wallet referenced below must be the one from that reassociation.



1. On the host where the OES server is installed, create a migration folder, e.g. /OES/migration.

2. Create a file jps-config.xml in it, e.g. /OES/migration/jps-config.xml.

3. Copy the content below into the jps-config.xml file created above and edit the DB connection parameters.

4. Copy the bootstrap folder (which holds the bootstrap wallet cwallet.sso) from the domain's config/fmwconfig directory to /OES/migration/bootstrap, so that it matches the location="./bootstrap" used in the file below. Treat this copy like the original: the wallet holds the credentials that unlock the policy store, so delete it when the migration is done.

5. Copy system-jazn-data.xml from the following location to /OES/migration:
$ORACLE_HOME/user_projects/domains/oes_domain/config/fmwconfig


<!-- The serviceInstance elements below belong inside <serviceInstances>, and the
     jpsContext elements inside <jpsContexts>, of the jps-config.xml created in step 2.
     The providers they reference (policystore.provider, policystore.xml.provider,
     credstoressp) must be declared in <serviceProviders> of the same file. -->

<!-- Source DB-based policy store instance -->
<serviceInstance provider="policystore.provider" name="policystore.db.source">
  <description>DB Based Policy Store Service Instance</description>
  <property name="policystore.type" value="DB_ORACLE"/>
  <property name="jdbc.url" value="jdbc:oracle:thin:@sc.domainexample.com:1722:orcl"/>
  <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_DWgpEJgXwhDIoLYVZ2OWd4R8wOA="/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="oracle.security.jps.farm.name" value="cn=view_steph.atz"/>
</serviceInstance>

<!-- Destination XML-based policy store instance (set location to a file in your migration folder) -->
<serviceInstance name="dst.xml" provider="policystore.xml.provider"
                 location="/scratch/divyasin/WithPSR/jazn-data-fscm.xml">
  <description>File Based Policy Store Service Instance</description>
</serviceInstance>

<!-- Bootstrap credentials to access source and destination stores -->
<serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.cred">
  <description>Replace location with the full path of the directory where
  the bootstrap file cwallet.sso is located; typically found in
  destinationDomain/config/fmwconfig/</description>
</serviceInstance>

<jpsContext name="sourceContext">
  <serviceInstanceRef ref="policystore.db.source"/>
</jpsContext>

<jpsContext name="destinationContext">
  <serviceInstanceRef ref="dst.xml"/>
</jpsContext>

<jpsContext name="bootstrap_credstore_context">
  <serviceInstanceRef ref="bootstrap.cred"/>
</jpsContext>

6. On the OES server host, navigate to $ORACLE_HOME/Oracle_IDM1/common/bin/

7. Run the following command: ./wlst.sh

8. To migrate the entire policy store, use this command (give configFile the absolute path of the file created in step 2):
migrateSecurityStore(type="policyStore", src="sourceContext", dst="destinationContext", configFile="/OES/migration/jps-config.xml")

To migrate only a specific application's policies, the application must be named explicitly: the OPSS WLST reference documents this as type="appPolicies" together with the srcApp parameter. The call below, as recorded here, is identical to the full-store form and would migrate everything:

 migrateSecurityStore
(type="policyStore", src="sourceContext",
dst="destinationContext",
configFile="/scratch/divyasin/WithPSR/jps-config.xml")

Thursday, November 6, 2014

Amazon EC2: Authorizing Inbound Traffic for Your Instances



Adding a Rule for Inbound SSH Traffic to a Linux Instance


  • In the navigation pane of the Amazon EC2 console, click Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Click view rules to display a list of the rules that are in effect for the instance.
  • In the navigation pane, click Security Groups. Select one of the security groups associated with your instance.
  • In the details pane, on the Inbound tab, click Edit. In the dialog, click Add Rule, and then select SSH from the Type list.






  • In the Source field, specify the public IP address of your computer in CIDR notation. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32 to allow only that single address. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24. Do not use 0.0.0.0/0 for SSH: that opens port 22 to every address on the Internet.
     Use http://checkip.amazonaws.com/ to find your public IP address (the address your NAT gateway presents, which can differ from the one your machine shows locally).



  • Click Save.
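The same rule expressed for the EC2 API, added here as an example that is not from the post or from AWS: ssh_ingress_rule() turns an address or CIDR into the IpPermissions entry that authorize_security_group_ingress accepts and rejects the inputs that most often go wrong for port 22. The addresses are the post's examples (203.0.113.0/24 is the documentation range); the widest_prefix limit and the function name are assumptions.

```python
"""Inbound SSH rule for an EC2 security group, built and sanity-checked.

Added example, not from the original post or from AWS. The IpPermissions
layout is the one the EC2 API (e.g. boto3 authorize_security_group_ingress)
accepts; the widest_prefix limit and the function name are assumptions.
Addresses are the post's examples from the documentation range.
"""
import ipaddress
from typing import Any, Dict


def ssh_ingress_rule(source: str, description: str = "admin SSH", widest_prefix: int = 16) -> Dict[str, Any]:
    """Return the IpPermissions entry allowing TCP/22 from `source`.

    `source` is a single address (taken as /32, or /128 for IPv6) or a CIDR.
    Raises ValueError for a malformed address, for a CIDR with host bits set
    (203.0.113.25/24 is almost always a typo for /32 or for 203.0.113.0/24),
    for the whole Internet (0.0.0.0/0, ::/0), and for anything broader than
    /widest_prefix.
    """
    if "/" not in source:
        source += "/128" if ":" in source else "/32"
    try:
        net = ipaddress.ip_network(source, strict=True)
    except ValueError as exc:
        raise ValueError(f"bad CIDR {source!r}: {exc}") from None
    if net.prefixlen == 0:
        raise ValueError("refusing to open SSH to the whole Internet")
    if net.prefixlen < widest_prefix:
        raise ValueError(f"{net} is broader than /{widest_prefix}; narrow the source range")
    if net.version == 6:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": str(net), "Description": description}]}
    else:
        ranges = {"IpRanges": [{"CidrIp": str(net), "Description": description}]}
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, **ranges}


if __name__ == "__main__":
    print(ssh_ingress_rule("203.0.113.25"))          # single workstation, becomes /32
    print(ssh_ingress_rule("203.0.113.0/24"))        # company range
    for bad in ("0.0.0.0/0", "203.0.113.25/24", "10.0.0.0/8", "not-an-ip"):
        try:
            ssh_ingress_rule(bad)
        except ValueError as exc:
            print(f"rejected {bad}: {exc}")
```

The returned dict goes straight into boto3 as ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[rule]); pairing it with the address from checkip.amazonaws.com reproduces the console steps above without the chance of leaving the Source field at 0.0.0.0/0.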