Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) - Secure the XACML Authorization Web Service

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) - Secure the XACML Authorization Web Service 

To associate a WS-Policy file with a Web service:

• If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit  
• In the left pane of the Administration Console, select Deployments.
• In the right pane, navigate within the Deployments table until you find the Web service for which you want to configure a WS-Policy file.Note: Web services are deployed as part of an Enterprise application, Web application, or EJB. To understand how Web services are displayed in the Administration Console.

• In the Deployments table, click the name of the Web service.

• Select Configuration -> WS-Policy.The table lists the WS-Policy files that are currently associated with the Web service. The top level lists all the ports of the Web service. Click the + next to a Web service port to see its operations and associated WS-Policy files.

• To associate a WS-Policy file with an entire Web service endpoint (port):
• Click the name of the Web service port. A page appears which includes two columns: one labelled Available Endpoint Policies that lists the names of the WS-Policy files that you can attach to a Web service endpoint and one labelled Chosen Endpoint Policies that lists the WS-Policy files that are currently configured for this endpoint.
• Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files that are in the Chosen column are attached to the Web service endpoint.
• Click OK.If your Web service already has a deployment plan associated to it, then the newly attached WS-Policy files are displayed in the Policies column in the table.
  If the J2EE module of which the Web service is a part does not currently have a deployment plan associated with it, the assistant asks you for the directory that should contain the deployment plan. Use the navigation tree to specify a directory, then click Finish.

• To associate a WS-Policy file with a Web service operation:
• Click the name of the operation. A page appears which includes two columns: one labeled Available Message Policies that lists the names of the WS-Policy files that are available to attach to the inbound (request) and outbound (response) SOAP message of the operation invoke and one labeled Chosen Message Policies that lists the WS-Policy files that are currently attached to the inbound and outbound SOAP message of the operation invoke.
• Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files that are in the Chosen column are the ones that are attached to the inbound and outbound SOAP message when this operation is invoked by a client application.
• Click Next.
• A page appears which includes two columns: one labeled Available Inbound Message Policies that lists the names of the WS-Policy files that are available to attach to the inbound (request) SOAP message of the operation invoke and one labeled Chosen Outbound Message Policies that lists the WS-Policy files that are currently attached to the inbound SOAP message of the operation invoke.
• Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files that are in the Chosen column are the ones that are attached to the inbound (request) SOAP message when this operation is invoked by a client application.
• Click Next.
• A page appears which includes two columns: one labeled Available Outbound Message Policies that lists the names of the WS-Policy files that are available to attach to the outbound (response) SOAP message of the operation invoke and one labeled Chosen Outbound Message Policies that lists the WS-Policy files that are currently attached to the outbound SOAP message of the operation invoke.
• Use the arrows to move WS-Policy files between the available and chosen columns. The WS-Policy files that are in the Chosen column are the ones that are attached to the outbound (response) SOAP message when this operation is invoked by a client application.
• Click Finish.If your Web service already has a deployment plan associated with it, the attached WS-Policy files are displayed in the Policies column in the table.
  If the J2EE module of which the Web service is a part does not currently have a deployment plan associated with it, the assistant asks you for the directory that should contain the deployment plan. Use the navigation tree to specify a directory, then click Finish.

• To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

Oracle® Fusion Middleware SOA-11g Release 2 (11.1.1.7.0) XML Gateway Integration (Inbound) Part 2. Steps to build Oracle Apps Adapter connection from JDeveloper

Oracle® Fusion Middleware SOA-11g  XML Gateway Integration (Inbound) Part  2. Steps to build Oracle Apps Adapter connection from JDeveloper

• Prior to building the composite, please ensure that the Oracle Apps Connection pool is built using this thread.

• Open JDeveloper and create a new SOA Project

• On the composite design screen, click on Oracle Applications. This will bring up the Adapter Configuration Screen. Click Next.

• Enter the Service Name and press Next.

• Enter the DB Connection Name and the JNDI Connection Name that was created using Post  http://oraclesoaandoim.blogspot.com/2014/12/oracle-fusion-middleware-soa-11g.html
• Press Next

• Navigate to Other Interfaces Custom Objects and Choose XML Gateway as an option and select the desired Map in XML Gateway

• Choose the specific schema tied to XML Gateway.

• This creates Oracle Apps Adapter for the use within the composite.
• Please ensure that the following header properties are set from withing Invoke of BPEL process 

    <invoke name="InvokeWriteToECXQueue"

                  inputVariable="InvokeWriteToECXQueue_Enqueue_InputVariable"

                  partnerLink="WriteToECXQueue" portType="ns7:Enqueue_ptt"

                  operation="Enqueue" bpelx:invokeAsDetail="no">

            <bpelx:inputProperty name="jca.apps.ecx.TransactionType"

                                 expression='"MINDTELLIGENT"'/>

            <bpelx:inputProperty name="jca.apps.ecx.TransactionSubtype"

                                 expression='"MINDTELLIGENT_RECV"'/>

            <bpelx:inputProperty name="jca.apps.ecx.PartySiteId"

                                 expression='"112233"'/>

            <bpelx:inputProperty name="jca.apps.ecx.MessageType"

                                 expression='"XML"'/>

            <bpelx:inputProperty name="jca.apps.ecx.MessageStandard"

                                 expression='"OAG"'/>

            <bpelx:inputProperty name="jca.apps.ecx.DocumentNumber"

                                 expression='"1234"'/>

          </invoke>

        </sequence>

Oracle® Fusion Middleware SOA-11g Release 2 (11.1.1.7.0) INBOUND XML Gateway Integration (Inbound) Part 1. Create Oracle Apps Adapter Connection Pool

Oracle® Fusion Middleware SOA-11g   (11.1.1.7.0) XML Gateway Integration (Inbound) Part 1. Create Oracle Apps Adapter Connection Pool

This thread discusses steps to build a SOA composite with Oracle Applications Adapter using JDeveloper.

• Using the Admin Console, navigate to Deployments-> OracleAppsAdapter

• Click on Configuration->Outbound Connection Pools -> New-> Choose  javax.resource.cci.ConnectionFactory

• Enter JNDI Name and press finish. 

• Ensure XA Data Source Name is created correctly and press Save.

• Go Back To Deployments->OracleAppsAdapter. Click on the Check Box and Press Update.

• Restart the Server

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Create delegated administrator

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Create delegated administrator 

• Expand the Applications node in the Navigation Panel.
• Select the Application to modify.
• Right-click the Application name and select Open from the menu. The General, Delegated Administrators, Policy Distribution and Simulation tabs are all active.
• Click the Delegated Administrators tab. The Application name is listed in the displayed table. Click the arrow next to the Application name to see the default ApplicationPolicyAdmin created when the Application object was created. Click the Administrator Role name to display its details, in tabs, below the Delegated Administrators table. 
• Role Details
• External Role Mapping
•  External User Mapping
• Click New to create a new Administrator Role. Be sure to select the name of the Application to activate New. Alternately, select the Application and select New from the Actions menu. A New Administrator Role dialog is displayed.

• Provide the following values for the new Administrator Role and click OK. Delegating Application Administration  Name: The entry must be a unique.  Display Name and  Description

• Select the new Administrator Role to activate its configuration tabs. The Role Details tab is active.
• Click Edit to define the role details. An Edit Administrator Role dialog is displayed.
•  Grant View or Manage privileges for the appropriate policy objects and click Save.

Select View or Manage for the listed policy objects. For example, Admin Policy allows the administrator to assign new permissions to an Admin Role. Admin Role, however, allows the administrator to assign members to an Admin Role. 

• Click the External Role Mapping tab to grant the Administrator Role to members of External Roles. User and groups displayed are from the first LDAP provider with sufficient flag defined in WebLogic Server.
• Click Add to display the Search Principals dialog.
•  Complete the query fields in the External Roles search box and click Search. Empty strings fetch all roles. The results display in the Search Results table.
• Select the external role to map to by clicking its name in the table. Use Ctrl+click to select multiple roles.
• Click Add Principals. The selected roles display in the External Role Mapping tab.

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Steps to create an obligation

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Steps to create an obligation

The Security Module PDP evaluates the request and returns a response (and applicable obligations) to the PEP in the form of an authorization decision to grant or deny access. 

The PEP fulfills any obligations, if applicable. An obligation is information returned with the decision upon which the PEP may or may not act. For example, an obligation may contain additional information concerning a decision to deny. The PEP entity is responsible for obligation fulfillment based on its settings. Oracle Entitlements Server is only responsible for forwarding the obligation based on policy configuration.

This thread discusses steps to create an Obligation for a policy.

• Create an attribute as shown in the examples getChildPersons. The attribute should of Category: Dynamic; Input Values:  Multiple; Type: String

• Navigate to the authorization policy and create a new obligation by choosing the getChildPersons from the List of Attributes from the window.

•        In the PIP AttributeRetriever code populate the attribute to return the obligation "getChildPersons" 
          } else if ("getChildPersons".equals(string)) {            return ( ............);
          }

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Add the PIP JAR files to CLASSPATH

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Add the PIP JAR files to CLASSPATH

• Build the directories where the JAR files will be stored.
• Copy necessary .jar files that are needed to by the attribute retrievers/PIP.
• Add the following lines to the $DOMAIN_HOME/bin/setDomainEnv.sh file.  Setting of the CLASSPPATH variable is toward the bottom of the file, these line should be added immediately following the definition of the variable.

MIND_DOMAIN_APP_DIR=/u01/app/oracle/admin/PIP_LIBS

export MIND_DOMAIN_APP_DIR

CLASSPATH=${CLASSPATH}:${MIND_DOMAIN_APP_DIR}/lib/*:${MIND_DOMAIN_APP_DIR}/lib/dependent/

export CLASSPATH

• Restart the Admin and SM Servers

Connect ToUrl Using Basic Authentication

Connect ToUrl Using Basic Authentication

com.util.mindtelligent.util

import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;

import org.apache.commons.codec.binary.Base64;

public class ConnectToUrlUsingBasicAuthentication {

 public static void main(String[] args) {

  try {
   String webPage = "http://192.168.1.1";
   String name = "admin";
   String password = "admin";

   String authString = name + ":" + password;
   System.out.println("auth string: " + authString);
   byte[] authEncBytes = Base64.encodeBase64(authString.getBytes());
   String authStringEnc = new String(authEncBytes);
   System.out.println("Base64 encoded auth string: " + authStringEnc);

   URL url = new URL(webPage);
   URLConnection urlConnection = url.openConnection();
   urlConnection.setRequestProperty("Authorization", "Basic " + authStringEnc);
   InputStream is = urlConnection.getInputStream();
   InputStreamReader isr = new InputStreamReader(is);

   int numCharsRead;
   char[] charArray = new char[1024];
   StringBuffer sb = new StringBuffer();
   while ((numCharsRead = isr.read(charArray)) > 0) {
    sb.append(charArray, 0, numCharsRead);
   }
   String result = sb.toString();

   System.out.println("*** BEGIN ***");
   System.out.println(result);
   System.out.println("*** END ***");
  } catch (MalformedURLException e) {
   e.printStackTrace();
  } catch (IOException e) {
   e.printStackTrace();
  }
 }

}

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) - Secure the XACML Authorization Web Service

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) - Secure the XACML Authorization Web Service

Migrating From Database to XML

Following is the procedure to migrate policies from a database to an XML-based

policy store.

Note: The value of the bootstrap.security.principal.key property needs to be populated with the key generated during reassociation of the policy, credential, and key stores from one repository type to another



1. On the OES server  installed box create a folder migration. Eg: /OES/migration

2. Create a file jps-config.xml Eg: /OES/migration/jps-config.xml

3. Copy the content below to the jps-config.xml file create above and edit the DB connection parameters.

4. Copy the bootstrap folder

5. Copy the system-jazn-data.xml from the following location
$ORACLE_HOME/user_projects/domains/oes_domain/config/fmwconfig to /OES/migration

<!-- Source DB-based policy store instance -->

<serviceInstance provider="policystore.provider"
name="policystore.db.source">
<description>DB Based Policy Store Service Instance</description>
<property name="policystore.type" value="DB_ORACLE"/>
<property name="jdbc.url"
value="jdbc:oracle:thin:@sc.domainexample.com:1722:orcl"/>
<property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
<property name="bootstrap.security.principal.key"
value="bootstrap_DWgpEJgXwhDIoLYVZ2OWd4R8wOA=" />
<property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
<property name="oracle.security.jps.farm.name" value="cn=view_steph.atz"/>
</serviceInstance>

<!-- Destination XML-based policy store instance -->
<serviceInstance name="dst.xml" provider="policystore.xml.provider"
location="/scratch/divyasin/WithPSR/jazn-data-fscm.xml">
<description>File Based Policy Store Service Instance</description>
</serviceInstance>


<!-- Bootstrap credentials to access source and destination stores -->
<serviceInstance location="./bootstrap" provider="credstoressp"
name="bootstrap.cred">
<description>Replace location with the full path of the directory where
the bootstrap file cwallet.sso is located; typically found in
destinationDomain/config/fmwconfig/</description>

</serviceInstance>

<jpsContext name="sourceContext">
<serviceInstanceRef ref="policystore.db.source"/>

</jpsContext>

<jpsContext name="destinationContext">
<serviceInstanceRef ref="dst.xml"/>
</jpsContext>

<jpsContext name="bootstrap_credstore_context">
<serviceInstanceRef ref="bootstrap.cred"/>

</jpsContext>

6. On the OES server  installed box navigate to the following location $ORACLE_HOME/Oracle_IDM1/common/bin/

7. Run the follwing command ./wlst.sh

8. If you need to migrate entire policystore use this command:
Eg: migrateSecurityStore(type=”policyStore”,src=”sourceContext”,dst=”destinationContext”,configFile=”OES/migration/jps-config.xml”)

If you need to migration only a specific application policy:

 migrateSecurityStore
(type="policyStore", src="sourceContext",
dst="destinationContext",
configFile="/scratch/divyasin/WithPSR/jps-config.xml")

Amazon EC2: Authorizing Inbound Traffic for Your Instances

Amazon EC2: Authorizing Inbound Traffic for Your Instances

Adding a Rule for Inbound SSH Traffic to a Linux Instance

• In the navigation pane of the Amazon EC2 console, click Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Click view rules to display a list of the rules that are in effect for the instance.

• In the navigation pane, click Security Groups. Select one of the security groups associated with your instance.
• In the details pane, on the Inbound tab, click Edit. In the dialog, click Add Rule, and then select SSH from the Type list.

• In the Source field, specify the public IP address of your computer, in CIDR notation. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32 to list this single IP address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.
   Use the url  http://checkip.amazonaws.com/ to find you IP Address

• Click Save.

Amazon EC2: Converting Your Private Key Using PuTTYgen

Amazon EC2: Converting Your Private Key Using PuTTYgen

PuTTY does not natively support the private key format (.pem) generated by Amazon EC2. PuTTY has a tool named PuTTYgen, which can convert keys to the required PuTTY format (.ppk). You must convert your private key into this format (.ppk) before attempting to connect to your instance using PuTTY.

To convert your private key

• Start PuTTYgen (for example, from the Start menu, click All Programs > PuTTY > PuTTYgen).
• Under Type of key to generate, select SSH-2 RSA.

• Click Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, select the option to display files of all types.

• Click OK

• Click Save private key to save the key in the format that PuTTY can use. PuTTYgen displays a warning about saving the key without a passphrase. Click Yes.

Note

A passphrase on a private key is an extra layer of protection, so even if your private key is discovered, it can't be used without the passphrase. The downside to using a passphrase is that it makes automation harder because human intervention is needed to log on to an instance, or copy files to an instance.

• Specify the same name for the key that you used for the key pair (for example, my-key-pair). PuTTY automatically adds the .ppk file extension.

• 
  

• Your private key is now in the correct format for use with PuTTY. You can now connect to your instance using PuTTY's SSH client.

Amazon Elastic EC2: Steps to launch an Amazon EC2 Instance

Amazon Elastic EC2: Steps to launch an Amazon EC2 Instance

This thread discusses the steps to launch a Linux instance using AWS Management Console.

• To launch an Amazon EC2 instance, open the Amazon EC2 console using the URL https://console.aws.amazon.com/ec2
• This will take you the following page.

• Click on Launch Instance
• Select The Amazon Machine Image (AMI).  Select the 64 bit Amazon Linux AMI. Marked

• Select t1.micro from the instance type page. Click on Next: Configure Instance Details. This will navigate you to the "Configure Instance Details" Page

• Click on Review and Launch.

• Select "Make General Purpose SSD the default boot volume for all instances from the console going forward " as the option.

• Click on Edit Security Groups from the Review Instance Launch screen

• Select an existing security group. Select the check box and click on Review and Launch

• Click on Launch

• Choose and Existing Key pair if the key pair exists OR create another pair of key.
• Click on Launch Instance

• On the Resource screen, click on Running Instance

Amazon EC2 : Connecting to Your Linux Instance from Windows Using PuTTY

Amazon EC2 : Connecting to Your Linux Instance from Windows Using PuTTY

1. Start PuTTY (from the Start menu, click All Programs > PuTTY > PuTTY).
2. In the Category pane, select Session and complete the following fields:
   1. In the Host Name box, enter user_name@public_dns_name. Be sure to specify the appropriate user name for your AMI. For example:
      • For an Amazon Linux AMI, the user name is ec2-user.
      • For a RHEL5 AMI, the user name is either root or ec2-user.
      • For an Ubuntu AMI, the user name is ubuntu.
      • For a Fedora AMI, the user name is either fedora or ec2-user.
      • For SUSE Linux, the user name is root.
      • Otherwise, if ec2-user and root don't work, check with the AMI provider.
   2. Under Connection type, select SSH.
   3. Ensure that Port is 22.
   
   
3. In the Category pane, expand Connection, expand SSH, and then select Auth. Complete the following:
   1. Click Browse.
   2. Select the .ppk file that you generated for your key pair, and then click Open.
   3. (Optional) If you plan to start this session again later, you can save the session information for future use. Select Session in the Category tree, enter a name for the session in Saved Sessions, and then click Save.
   4. Click Open to start the PuTTY session.
   
4. If this is the first time you have connected to this instance, PuTTY displays a security alert dialog box that asks whether you trust the host you are connecting to.
5. (Optional) Verify that the fingerprint in the security alert matches the fingerprint that you obtained in step 1. If these fingerprints don't match, someone might be attempting a "man-in-the-middle" attack. If they match, continue to the next step.
6. Click Yes. A window opens and you are connected to your instance

Oracle® Fusion Middleware SOA-11g Release 2 (11.1.1.7) Configure SAP IDocs On Oracle SOA-B2B platform

Oracle® Fusion Middleware SOA-11g Release 2 (11.1.1.7) Configure SAP IDocs On Oracle SOA-B2B platform

This BLOG thread discusses the steps for Oracle B2B setup for SAP IDocs. The thread discusses the use of

• Oracle EDIFECS Spec Builder Version 7.0.5
• Oracle B2B Console for version 11.1.1.7  

Steps for building the ECS file, the Parser and XSD

• Start the B2B Document Editor 
• Click on File->New
• Choose Positional Flat File
• Choose Blank Positional

• Press Next
• You should be able to see a blank PFF guideline

• Click on File-> Import
• Select the SAP IDoc Guideline. Press next

• Ensure the IDoc type is correct.

• Please see below when the IDocs file is sucessfully imported

• Click on File
• Click Save
• Give the Name to the ECS File

• On the Analyzer /  Data window, open a sample Data File

• On the Analyzer Wizard, verify the record terminator, Un-check the "First record in the guideline starts a new message and press Next, Press Finish in the subsequent window.

• For each tag in the sample data displayed on the Analyzer / Data window, verify the tags, in the event the tags are different, 

• Select the Record ID whose tag needs to be set, 

• Click Edit, set Tag Value E2EDK14 (in this case). Click Set Current. Click Close

• Ensure the Tag field is set to "Value" and  Tag Value is set to "E2EDk14"

• Repeat this for all the elements.

Generate the Parser File

• Click on Edit.Click on Generate Parser Schema

• Ensure that the Record Terminator is correct and click on the browse button and give tne name to the parser file.

• Give the name to the parser file and Click o Save

• Copy the parser ecs  file in the directory $Oracle_SOA_Home\soa\thirdparty\edifecs\XEngine\config\schema (for eg. - D:\OFMW11g\PS3MWHome\Oracle_SOA1\soa\thirdparty\edifecs\XEngine\config\schema)

• Add an entry for this parser ecs in $Oracle_SOA_Home\soa\thirdparty\edifecs\XEngine\config\XERegistry.xml

• To add this entry, edit the XERegistry.xml in a text editor and add below “Positional flat parser schemas”