The Latest Technology Stack News Directly from EBS Development

Securing E-Business Suite Web Services with Integrated SOA Gateway

The Oracle E-Business Suite Integrated SOA Gateway service-enables Oracle E-Business Suite public APIs for Service Oriented Architecture.  This feature was released in Oracle E-Business Suite Release 12.1.1.  One of the most common questions that Oracle E-Business Suite developers have is, "How do you secure E-Business Suite web services?"  Generally, web service security consists of authentication, message integrity and confidentiality.  I'll discuss the authentication aspect of web service security in this article. The WS-Security specification describes enhancements to SOAP that increase the protection and confidentiality of messages. It provides this protection by defining mechanisms for associating tokens with Simple Object Access Protocol (SOAP) messages.
To secure and authenticate Oracle E-Business Suite web service operations, the E-Business Suite Integrated SOA Gateway supports Username Token-based WS-Security.  In addition, it supports SAML Token (Sender Vouches) based security in Oracle E-Business Suite 12.1.3 and higher. An Oracle E-Business Suite Integration Repository administrator can select the appropriate authentication type for each Web service-enabled interface.  The authentication type should be selected before deploying the API as a standard web service.  Integration Repository administrators can grant user access to E-Business Suite web service operations.  
Username Token based security
The username token carries basic authentication information.  The username-token element propagates user name and password information to authenticate the message.  The information provided in the token and the trust relationship provides the basis for establishing the identity of the user.  
A typical WS-Security header in a SOAP Request looks like this:  
When invoking Oracle E-Business Suite Web services through SOA Provider using username token-based security, these security headers should be passed along with the SOAP request. The username/password discussed here in wsse:security is the Oracle E-Business Suite username/password (or the username/password created through the Users window in defining an application user).
SAML Token-based security
SAML security tokens (Sender Vouches) are composed of assertions: one or more statements about a user, such as an authentication or attribute statement.  SAML tokens are attached to SOAP messages by placing assertion elements inside the header. SAML security tokens enable interoperable single-sign-on and federated identity for E-Business Suite Web services.  
When invoking Oracle E-Business Suite Web services through SOA Provider using SAML Tokens, the SOAP request should contain a sender-vouches SAML assertion. The Assertion and the Body elements should be digitally signed.  A reference to the certificate used to verify the signature should be provided in the header.  The basis of trust is the Web service Requester's certificate.  The Requester's private key is used to sign both the SAML Assertion and the message Body. The SOA Provider relies on the Web service Requester, who vouches for the contents of the User message and the SAML Assertion. Your Feedback is Welcome We're extremely interested in hearing about your use cases and your experiences with our Integrated SOA Gateway.  If you've used this product -- or are evaluating it -- please post a comment here or drop us a line with your thoughts.
References Related Articles

Join the discussion

Comments ( 64 )
  • Gopal Thursday, October 7, 2010

    We've succesfully implemented ISG for a set of complex interfaces between EBS 12.1.1 and third party systems. Custom pl/sql programs in EBS were exposed as webservices which are being invoked by the third-party system. While everything is running smoothly, we sometimes get memory errors and the Webservice invocation by the third-party system fails with Java heap space errors. Bouncing the oafm fixes the issue. Any idea why this would happen?

    Also what is the maximum SOAP request size when invoking a webservice? How do we calculate the optimum SOAP request size? Any pointers would be highly appreciated.

  • Steven Chan Monday, October 11, 2010

    Hello, Gopal,

    I'm sorry to hear that you've encountered an issue with this.

    We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.



  • guest Thursday, August 11, 2011


    While using the username token-based security, in the SOAP headers the username and password is passed in clear text or in encrypted format ?



  • Ara Thursday, August 11, 2011

    Hi Makarand,

    They are passed in clear text. However, if you have set up SSL, then the whole message is encrypted. I don't believe there is any way to encrypt the password unless you handle authentication yourself.

    If you use SAML authentication, I believe then the credentials are encrypted.

  • Ara Thursday, August 11, 2011

    Related comment about security: We discovered a bug in SOA Gateway having to do with grants. If you update your interface after assigning grants to it, the existing grants no longer become active, even though they still show up in the Integration Repository and in User Management. Also, if you assign a public grant (i.e., the service is available to any authenticated user), it does not show up in the Integration Repository GUI, although it does show up in User Management. I believe this has been elevated to Development. The workaround is to drop the grants and reassign them when you update your interface.

    An underlying question, however, is this: If the interface gets updated, should the old version of the interface remain active (or, even better, is there a way for the administrator to choose)? Public interfaces are very touchy subjects. Once they are published, people expect them to remain available "forever". Providing a way of smoothly transitioning from one version to the other would be very valuable functionality.

  • Ara Thursday, August 11, 2011

    Not, by the way, that I'm complaining. I think the Integrated SOA Gateway is a very nifty feature of EBS R12.

  • guest Friday, August 12, 2011

    Hi Makarand,

    Oracle E-Business Suite Integrated SOA Gateway supports Username Token based security with Username & Password in plain text format (password type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText) in SOAP headers.



  • Rekha Ayothi Tuesday, August 16, 2011

    Hi Ara,

    I am sorry to hear about the issue you mentioned. Please forward me the Service Request number.

    Regarding your query on retaining older version of interface in active state: as of now, we do not have an ability to retain older version of interface. So, when you upload an updated interface, it overwrites existing older version of interface in Integration Repository.

    I have noted the above requirement. To track your requirement, you may file Service Request in My Oracle Support.



  • Murat Thursday, November 17, 2011


    I need to get soa header on plsql. Is there ann way to getting soa header on plsql WS.



  • guest Friday, November 18, 2011

    Hi Murat,

    SOA Header is SOAP Header defined for web services provided by Integrated SOA Gateway. It is defined by SOA Provider while generating the web service artifacts for the PLSQL API or other web service enabled interfaces. Integration Repository Administrator need not perform any additional step to get SOA Header as part of E-Business Suite Web service request definition.

    The values passed for SOA Header elements will be used to set application context, and these values depend on the respective API; you may have to refer the respective product documentation for the same.



  • guest Monday, November 21, 2011

    Hi Rekha,

    Thanks for your response. I will develop a custom Web Service. I need additional security fields(such as hash or token) on WS. Thats why, I ask how can I get SOA Header . I will add hash parameter to WS. Thanks again.

    Best regards,


  • guest Tuesday, May 15, 2012

    Hi Steven

    Do you know if there is anyway to create a custom interface in the Integrated SOA repository that calls a procedure that has a ref_cursor as an out variable? I have hunted high and low but all examples seem to include simple data types such as varchar2 or number. I would like to create an web service published in the integration repository that would return a multi row data set from a select statement.

    I can see solutions that use the Oracle SOA suite connecting to the database via a JCA connection but ideally would like all web services to be delivered by the Integration Repository.

    Thanks in advance


  • guest Tuesday, May 15, 2012

    Hi Matt,

    I believe it may be possible. Just follow the usual steps. When you generate the WSDL in the Integrated Repository, SOA Gateway should map the REF_CURSOR to an array (in XML format). However, this is risky, because if the result set is very large, the response could take a very long time, eat up a lot of memory, etc.

  • Rajesh Wednesday, August 22, 2012

    Hi, I am trying to create a BPEL service and call ISG service but i get an error(SSL Handshake) as soon as i refer the wsdl.

    Under Integrated SOA Gateway responsibility I generated and deployed the wsdl and then trying to use the wsdl as a partner link in BPEL process.

  • Steven Chan Wednesday, August 22, 2012

    Hi, Rajesh,

    I'm sorry to hear that you've encountered an issue with this.

    We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to either Rekha or I if it gets stuck in the support process for some reason.



  • Sarathy Iyer Monday, October 29, 2012

    I am trying use SAML token from BPEL process to access ISG web service. The Oracle note 1144313.1 provides a clear direction on how to call from a SOAP UI using saml. However, I am following http://biemond.blogspot.com/2011/08/do-saml-with-owsm.html trying to create OWSM assertion. Is there a better documentation which specifies how to connect to ISG from BPEL or OSB using SAML?

  • Rekha Ayothi Thursday, November 1, 2012

    Hi Sarathy,

    Thanks for your inquiry. My Oracle Support Knowledge Document 1144313.1 provides the steps to test ISG web service deployed with SAML token policy from SoapUI and JAX-WS Client. Unfortunately, the steps to invoke ISG web service using SAML token from BPEL is not yet covered in ISG documentation. I have noted your request, you are welcome to monitor or subscribe to this blog for updates.

    Meanwhile, you may refer following links from Oracle SOA Suite & Oracle Web Services Manager.

    - Attaching security policy, Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite 11g Release 1 (


    - Adding assertion to policy, Oracle Fusion Middleware Security and Administrator's Guide for Web Services 11g Release 1 (


    Please note - The above documents provide general guidance for web service security in SOA composites.



  • sreekumar Tuesday, December 11, 2012


    How can we implement SAML ans SSO with R12. We want to implement that when users click link in other applications they will be redirected to R12.

    Can SAML alone handle this OR do we need to have all the applications in OID/SSO.



  • Rekha Ayothi Thursday, December 13, 2012

    Hi Sree,

    Thank you for the inquiry. I am not sure I understand your query - 'Can SAML alone handle this OR do we need to have all the applications in OID/SSO'. I will reach you directly to understand your query.

    Meanwhile, here are few pointers to SSO and SAML configurations:

    - Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate [MOS Note: 1484024.1]

    - Setting Up SAML Token Security for Oracle E-Business Suite Integrated SOA Gateway Release 12.1.3 [MOS Note: 1144313.1]



  • Bharat Jain Monday, December 17, 2012


    I have published custom pl/sql package as web service. Generation of WSDL and deployment went successful, but when we invoke any operation using SOAP UI we get following error message. We are facing this issue even to call any seeded web service from the SOA integrated repository.

    Below example is when invoking HZ_PARTY_V2PUB.Update_Person opreation.



    Mon Dec 17 02:01:50 EST 2012:ERROR:Exception in request: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter

    Mon Dec 17 02:01:50 EST 2012:ERROR:An error occured [Received fatal alert: illegal_parameter], see error log for details

    Mon Dec 17 02:01:50 EST 2012:INFO:Error getting response for [HZ_PARTY_V2PUB_Binding.UPDATE_PERSON:Request 1]; javax.net.ssl.SSLException: Received fatal alert: illegal_parameter



    Mon Dec 17 02:01:50 EST 2012:ERROR:javax.net.ssl.SSLException: Received fatal alert: illegal_parameter

    javax.net.ssl.SSLException: Received fatal alert: illegal_parameter

    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)

    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)

    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)

    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)

    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)

    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)

    at java.io.BufferedOutputStream.write(Unknown Source)

    at java.io.FilterOutputStream.write(Unknown Source)

    at org.apache.commons.httpclient.WireLogOutputStream.write(WireLogOutputStream.java:86)

    at org.apache.commons.httpclient.methods.ByteArrayRequestEntity.writeRequest(ByteArrayRequestEntity.java:90)

    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)

    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)

    at com.eviware.soapui.impl.wsdl.submit.transports.http.support.methods.ExtendedPostMethod.writeRequest(ExtendedPostMethod.java:107)

    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)

    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)

    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)

    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)

    at com.eviware.soapui.impl.wsdl.submit.transports.http.HttpClientRequestTransport.sendRequest(HttpClientRequestTransport.java:187)

    at com.eviware.soapui.impl.wsdl.WsdlSubmit.run(WsdlSubmit.java:122)

    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)

    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)

    at java.util.concurrent.FutureTask.run(Unknown Source)

    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

    at java.lang.Thread.run(Unknown Source)

  • Rekha Ayothi Monday, December 17, 2012

    Hi Bharat,

    I am sorry to hear that you are facing this issue. Please log service request in My Oracle Support, one of our Support Engineers will help you.



  • Bharat Jain Monday, December 17, 2012


    I have opened the SR 3-6562514831. In meanwhile, i'm wondering if anyone can share there thoughts on this issue.

    Appreciate your help in advance.

    Thanks, Bharat Jain

  • sreekumar Wednesday, January 9, 2013


    Our client is having existing and applications and LDAP.

    We are imlementing R12 EBS. Client wants to integrate R12 with existing applications using SAML 2.0 (without using OID/SSO).

    Thanks in advance.


  • guest Wednesday, May 1, 2013

    Hi Sree

    Have you able to implement R12 with existing applications using SAML 2.0? If so, could you please share your implemention steps.

  • Rekha Ayothi Thursday, May 2, 2013

    Dear Guest,

    Recently, we published a blog article on SAML support in EBS Integrated SOA Gateway (ISG): https://blogs.oracle.com/stevenChan/entry/saml_based_authentication_for_web

    Please refer the same for links to SAML configuration. Also, as of 12.1.3, ISG supports SAML Sender Vouches as per SAML 1.0 (http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf) for inbound web services.



  • Raj Thursday, May 2, 2013

    Hi Rekha,

    I seek your help in getting information on below requirement.

    1. We want to invoke external webservice (.net product) to get xml data from Oracle EBiz -R12

    How to achieve this from Oracle E-BIZ. User will give request from EBIZ which in- turn access webservice and get xml data based on parameter value passing from oracle e-biz.

    Can you please share some idea to achieve this.

    Thanks in Advance.

  • Rekha Ayothi Friday, May 3, 2013

    Hi Raj,

    One of the components of Integrated SOA Gateway is Service Invocation Framework (SIF). Using SIF, you can invoke external web service from EBS. For details, refer Chapter 9 of Oracle E-Business Suite Implementation Guide (http://docs.oracle.com/cd/B53825_08/current/acrobat/121isgig.pdf ) and, Chapter 11 of Oracle E-Business Suite Integrated SOA Gateway Developer Guide (http://docs.oracle.com/cd/B53825_08/current/acrobat/121isgdg.zip ).

    If you have any specific requirements on web service, feel free to drop me an email.



  • guest Sunday, May 5, 2013

    Hi Rekha,

    Thanks for your reply and time.

    Can you please share your email id. Moreover, is there any way we can achieve mentioned scenario.

    Actually, i tried using webservice proxy client to do that. But we are not sure, whether that will help us. Kindly give some hints on that.

    Meanwhile, you share you email id i will send the more detail about our requirement.



  • Raj Sunday, May 5, 2013

    Hi Rekha,

    Thanks for your time and help...

    Is there any way we can invoke webservice apart from soa gateway.. we heard, we can use Webservice client proxy will fit for our requirement.

    Please provide some information on the same. Moreover, kindly share ur email id. So that i will give you the detailed information about