Wednesday Dec 18, 2013

Newbie to SOA/OWSM

Just came across this blog post that provides a one-minute overview in Q&A form, which I thought would be useful for those who are new to Oracle SOA Suite and OWSM.

You can find other posts on SOA, BPM, OSB, etc. on the blog as well:

Tuesday Dec 17, 2013

How To - Videos!!

It has been quite some time since I have posted on the blog... but I thought I would share a How To video that we have created in Oracle to make it easier to use OWSM.

Here is a link to the YouTube video. The video demonstrates how to do global policy attachments for REST services (resources) using OWSM in Enterprise Manager Fusion Middleware Control!

This video supplements some of the blog entries here, here and here on the topic of Global Policy Attachments (GPA).

We hope to have more videos soon!

Happy viewing!!

Sunday Aug 11, 2013

How To - Identity Propagation for REST using OWSM - 12.1.2

This is a follow up to my previous blog post, in which I provided step by step instructions on how to secure a REST service and client built using the Jersey JAX-RS technology that ships with WebLogic.

In this post I am providing a pointer to detailed step-by-step instructions on how to do identity propagation for REST.

I strongly encourage people to read up on the previous How Tos covered in the following blog posts before attempting the How To provided in this post:

Friday Feb 08, 2013

Dynamic Policy Selection among alternatives - 11g

A few weeks back I was discussing some requirements a few teams had within Oracle and I thought it would be a good topic to address on this blog. One of the most common scenarios that customers seem to run into is the following:

Let's say you have a Web Service. The Web Service supports SAML. Now if Web Service Clients are able to support SAML you are in good shape and they can talk to your Web Services. However, if a Web Service Client cannot support SAML then you have a problem. Let's assume for a second that the Web Service Client can support Kerberos but not SAML.

This mismatch in security capabilities is a fairly common occurrence. 

Before I talk about the specific Dynamic Policy Selection feature that is supported in OWSM, let's look at the various ways to solve this problem:

a) Option#1: Use Oracle STS to do Token Exchange/Conversion

b) Option#2: Build SAML capability in the Web Service Client or use Web Services Security technology that supports SAML

c) Option#3: Add Kerberos support to the Web Service.

Here we have two scenarios:

Scenario#3.1: Expose two Web Service Ports one using SAML and the other using Kerberos.

Scenario#3.2: Dynamic Policy Selection on the Service

d) Option#4: Use Oracle Enterprise Gateway or Oracle Service Bus

I will describe briefly each of the options and the advantages and disadvantages of each option.

So a customer has four options. Different options have different implications for different parties.

Option#1: Use Oracle STS to do Token Exchange/Conversion

As I mentioned in a previous blog post, you can use an Oracle STS. Just to reiterate, this will look as follows:

Oracle STS - Token Exchange/Conversion

Advantages:

a) The security story on the Web Service side is fairly simple - you can standardize on one particular token (ex: SAML) that all clients need to adhere to.

Disadvantages:

a) The onus is on the Client to bridge the difference between what the Web Service supports and what the client supports.

b) The Client needs to have the capability to talk to an STS.

Option#2: Build SAML capability in the Web Service Client or use Web Services Security technology that supports SAML

Well, this is fairly self-evident - if you can add SAML support on the client, then there is no mismatch! Ex: use OWSM to secure your Web Service client and voilà, problem solved :-)

Advantages:

a) The security story on the Web Service side is fairly simple - you can standardize on one particular token (ex: SAML) that all clients need to adhere to.

b) No new components in the mix (ex: Oracle STS).

Disadvantages:

a) It may not always be possible to add SAML support - depending on the technology stack being used on the Web Service Client side!

Option#3: Add Kerberos support to the Web Service

In this approach, instead of the client changing, the service side is modified to add Kerberos support. There are two ways to address this:

Scenario#3.1: Expose two Web Service Ports one using SAML and the other using Kerberos.

This is shown in the figure below (click for larger image).

different web service ports for different security

Advantages:

a) The advantage of this approach is that the clients are not impacted.

Disadvantages:

a) The Web Service has to expose multiple web service ports - one for each security token or security requirement.

b) More overhead in terms of maintenance and testing.

c) If a technology stack does not support adding Web Service Ports dynamically, then the application has to go back to Development, and the administrator cannot address this requirement on their own.

d) Assumes the Web Service/Web Service Security stack on the service side can support Kerberos.

Scenario#3.2: Dynamic Policy Selection on the Service

OWSM - Dynamic Policy Selection

In this model the Web Service is configured with a policy that basically supports both SAML "OR" Kerberos [1]. When the Web Service Client invokes the Web Service, the appropriate option is selected based on the contents of the message. So if the desktop application sends a Kerberos token, the Kerberos option in the policy is executed. If the on-premise app sends a SAML token in the SOAP message, the SAML option in the policy is executed.

High level Description:

So the way to achieve this in OWSM is by constructing an ExactlyOne policy which contains two assertions - one is a SAML authentication assertion and the other is the Kerberos authentication assertion:

ExactlyOne
    <SAML Authentication>
    <Kerberos Authentication>

You can author such a policy using Enterprise Manager Fusion Middleware Control as described in the OWSM documentation here.

Advantages:

a) No changes to the Web Service/Application itself. So a customer does not have to go back to the Development teams to add a new Web Service Port every time the security requirement changes.

b) The administrator can make the changes by creating new combinations based on requirements.

c) Web Service Clients are not impacted.

Disadvantages:

a) The customer hosting the Web Service still has to test two security models! So there is still some testing and maintenance overhead.

b) Assumes the Web Service/Web Service Security stack on the service side can support Kerberos and Dynamic Policy Selection.


[1] For purposes of simplicity I use the terminology "OR" above, but a plain "OR" operator and ExactlyOne are not identical in semantics: ExactlyOne enumerates policy alternatives, and the client is expected to satisfy one alternative in full.

[2] OWSM currently ships a few policies out of the box (OOTB) that have this capability. Ex: see here and here. The section in the OWSM doc that describes client policy and service policy compatibility provides a good overview.
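The selection step described above, as an added example that is not OWSM's code: a constructed WS-Policy in normal form with an ExactlyOne of two alternatives (sp:SamlToken and sp:KerberosToken from WS-SecurityPolicy 1.2), and a selector that inspects the wsse:Security header of an incoming SOAP request and picks the first alternative whose assertions it can satisfy. The policy, the sample messages and the function names are constructed for illustration; OWSM's own policy files and matching logic are not shown here.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the constructed policy and messages below.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"                      # WS-Policy
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"          # WS-SecurityPolicy 1.2
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML_NS = {"urn:oasis:names:tc:SAML:1.0:assertion", "urn:oasis:names:tc:SAML:2.0:assertion"}

# WS-Security Kerberos Token Profile 1.1 ValueTypes for an AP-REQ carried as a BinarySecurityToken.
KERBEROS_VALUE_TYPES = {
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ",
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ",
}

# Constructed policy: ExactlyOne of two All alternatives (SAML, or Kerberos). Illustration only,
# not an OWSM policy file.
POLICY_XML = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All><sp:SamlToken/></wsp:All>
    <wsp:All><sp:KerberosToken/></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def policy_alternatives(policy_xml):
    """Return the alternatives in policy order, each as the list of assertion names it requires."""
    root = ET.fromstring(policy_xml)
    exactly_one = root.find(f"{{{WSP}}}ExactlyOne")
    if exactly_one is None:
        raise ValueError("policy is not in normal form (no wsp:ExactlyOne)")
    return [[_local(a.tag) for a in alt] for alt in exactly_one.findall(f"{{{WSP}}}All")]


def tokens_in_message(soap_xml):
    """Names of the token assertions that the wsse:Security header of this message could satisfy."""
    root = ET.fromstring(soap_xml)
    present = set()
    for security in root.iter(f"{{{WSSE}}}Security"):
        for el in security.iter():
            ns, name = el.tag[1:].split("}", 1) if el.tag.startswith("{") else ("", el.tag)
            if name == "Assertion" and ns in SAML_NS:
                present.add("SamlToken")
            elif el.tag == f"{{{WSSE}}}BinarySecurityToken" and el.get("ValueType") in KERBEROS_VALUE_TYPES:
                present.add("KerberosToken")
    return present


def select_alternative(policy_xml, soap_xml):
    """First alternative (policy order) whose assertions all have a matching token in the message.

    Returns the alternative's assertion names, or None when nothing matches (reject the message).
    This is only the selection step: the chosen alternative must still be enforced (signature
    check on the SAML assertion, AP-REQ verification against the service's keytab, and so on).
    """
    present = tokens_in_message(soap_xml)
    for alt in policy_alternatives(policy_xml):
        if alt and all(name in present for name in alt):
            return alt
    return None


def _envelope(security_body):
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}">{security_body}</wsse:Security>'
            f'</soap:Header><soap:Body/></soap:Envelope>')

# Constructed sample requests; token contents are placeholders, not real credentials.
SAML_REQUEST = _envelope('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"/>')
KERBEROS_REQUEST = _envelope(
    '<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/'
    'oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ">YIIB...</wsse:BinarySecurityToken>')
USERNAME_REQUEST = _envelope('<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>')

if __name__ == "__main__":
    for label, msg in [("SAML", SAML_REQUEST), ("Kerberos", KERBEROS_REQUEST), ("Username", USERNAME_REQUEST)]:
        print(label, "->", select_alternative(POLICY_XML, msg))
```

A UsernameToken request selects nothing and is rejected, which is the point of footnote [1]: the policy is a set of alternatives, not a loose "anything goes", and a message has to satisfy one of them in full.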

Option#4: Use Oracle Enterprise Gateway or Oracle Service Bus

In this option OEG or OSB will act as an intermediary and do the token conversion - potentially in conjunction with an STS.

OEG as an intermediary for token mediation

Advantages:

a) No impact on the Client or the actual backend Web Service. The onus shifts to the intermediary, in this case OEG or OSB.

b) If neither the Client nor the backend Web Service can be modified, this pretty much becomes the only option!

Disadvantages:

a) You need a new component - OSB or OEG - in the mix.

b) The intermediary itself has to support Scenario#3.1 or Scenario#3.2 - otherwise we have just shifted the problem to a different layer!

In this blog post I took a concrete example, i.e. Kerberos and SAML, but the concept applies in general to any mismatch in security capabilities that customers may find between a Web Service Client and a Web Service.

Wednesday Nov 14, 2012

Cloud Integration Using Oracle SOA Suite - 11g

There is a very good blog post by Rajesh Raheja on how you can use Oracle SOA Suite for Cloud Integration. He also has a link to a white paper on his blog.

In a future blog post I will describe some of the security challenges and how to address them using OWSM for Web Services.

OWSM HowTo for starters/newbies - 11g

Not much blogging the past few months as I have been a bit busy with my day job!

In the meantime I thought I would share a blog post from Vinay on OWSM that people may find useful. Happy reading!

Thursday Aug 16, 2012

Interop with Microsoft - OWSM 11g

As they say, when it rains it pours! So it has been with my blog posts :-) Anyway, this is another short post - I was talking about all things Microsoft and, lucky me, I found this article dealing with Microsoft Silverlight, OSB and OWSM and I thought I would share a link!

Custom assertion/policy examples in the wild - OWSM 11g

Since I have recently been talking about custom assertions and policies quite a bit (here, here and here), I thought I would share some more concrete samples (and it looks like, rather than having to build them on my own, I can just point to others who have done this already!!)

So here is a quick pointer:

Happy coding!

Wednesday Aug 15, 2012

.NET interoperability, Kerberos, SPNEGO, Id Propagation - All things Microsoft! - OWSM 11g

One of the most common questions I run into relates to .NET/WCF interoperability with OWSM.

First - officially OWSM certifies a few interop scenarios with .NET. These are covered in the OWSM Interop guide.

The key scenarios certified for interop involve Username Token, X509 Token and Kerberos Token via the WS-Security Kerberos Token Profile.

The next question I hear is around how do we do Identity Propagation when we have .NET.

Scenario#1: Identity Propagation between a WCF Client and OWSM/Fusion Middleware using Kerberos and SAML with OSB as an active intermediary

Note: Instead of OSB you can use SOA Suite as well and that would work too.

Scenario#2: Identity Propagation between a WCF Client and OWSM/Fusion Middleware using Kerberos with OSB as a passive intermediary

Note: The passive intermediary model applies to OSB (or OEG) but not to SOA, since SOA does not support the passive intermediary model.

Scenario#3: Kerberos based multi-hop Identity Propagation between a WCF Client and OWSM/Fusion Middleware with OSB as an active intermediary

In this scenario customers want to use Kerberos for identity propagation across multiple hops. This is currently not supported.

Scenario#4: Kerberos based multi-hop Identity Propagation between a WCF Client and a WCF Service with OSB as an active intermediary

In both scenario#3 and scenario#4, in order to use Kerberos for multi-hop end-user identity propagation, the intermediary needs either the end user's TGT (forwarded/delegated credentials) or the S4U extensions (constrained delegation). Neither of these is currently supported in OWSM.

Scenario#5: Using SAML for end-to-end identity propagation.

So another way to do end-to-end identity propagation that will work with OSB or SOA Suite is to use SAML. WCF/.NET supports talking to an STS to exchange a Kerberos token for a SAML token, and then SAML can be used across multiple hops.

Notes:

1) While this scenario has not been certified explicitly by OWSM, it should work since OWSM supports WS-Trust.

2) In the diagram I use Oracle STS, but any STS can be used as long as that STS supports exchanging a Kerberos token for a SAML token.

I have not listed all the possible scenarios here - but hopefully this provides a sense of what is possible today and what is not possible.


I also see a lot of questions around SPNEGO support. OWSM currently does not support SPNEGO. You can read all about SPNEGO here

One could build a custom assertion to add SPNEGO support in OWSM. However you need to keep in mind that with SPNEGO, unlike the WS-Security Kerberos Token Profile, the Kerberos token is carried in an HTTP header rather than in the SOAP WS-Security header.

So the Kerberos token is wrapped in a SPNEGO token in the HTTP header under the auth-scheme called "Negotiate". The WWW-Authenticate and Authorization headers are used to communicate the SPNEGO token between client and service. This is explained in the steps below:

  1. The client requests access to a protected document on the server without any Authorization header.
  2. Since there is no Authorization header in the request, the server responds with 401 Unauthorized and WWW-Authenticate: Negotiate.
  3. The client uses the user's credentials to obtain the token and then sends it to the server in the Authorization header of a new request. For e.g., Authorization: Negotiate a87421000000492aa874209
  4. The server decodes this token by passing it to the GSS-API acceptSecContext() call. If the context is not complete (in the case of mutual authentication) the server responds with a 401 status code and a WWW-Authenticate header containing the GSS-API data. For e.g., WWW-Authenticate: Negotiate 74900a2a...
  5. The client decodes this data and sends new data back to the server. This cycle continues until the security context is established.

Since this is a challenge/response model, the SPNEGO security model is typically harder to accomplish in intermediaries like OSB/OEG if they are acting as "passive intermediaries". An active intermediary model may be more appropriate.

For OSB itself there may be an alternate model for supporting SPNEGO. There is an excellent post from the A-Team on OSB & SPNEGO (Note: it deals with OSB 10gR3). Here is another post that covers SPNEGO


The next question that often comes up is around NTLM support. OWSM currently does not support NTLM. As the Wikipedia entry on SPNEGO describes, NTLM is one of the mechanisms that can be negotiated under the same "Negotiate" scheme, and it is what Windows typically falls back to when Kerberos is not available. As you can see, Microsoft no longer recommends NTLM. However, if customers really want to support NTLM, they can build a custom policy.
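The challenge/response exchange above, seen from the service side, as an added example that is not part of the original post and not OWSM code: it issues the step 2 challenge, parses the step 3 Authorization header, and tells a SPNEGO or raw Kerberos GSS-API token apart from an NTLMSSP message (the NTLM case just discussed), which is the check a custom assertion would want before handing a token to acceptSecContext(). The function names, the 200/400/401 decisions and the sample tokens are constructed for illustration; the GSS-API call itself is not performed.

```python
import base64
import binascii
import re

# Mechanism OIDs as DER contents octets (the bytes that follow the 0x06 tag and length).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos OID)
MECHS = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos"}

_NEGOTIATE = re.compile(r"^\s*Negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*$", re.IGNORECASE)


def _der_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index of the first content byte)."""
    if i >= len(buf):
        raise ValueError("truncated")
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_token(token):
    """Classify the binary token carried under the Negotiate scheme.

    'ntlm' for a raw NTLMSSP message; 'spnego' or 'kerberos' for a GSS-API InitialContextToken
    (RFC 2743 section 3.1) whose mechanism OID says so; 'unknown' otherwise.
    """
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # InitialContextToken: [APPLICATION 0] tag (0x60), length, then the mechanism OID (0x06 ...).
    if not token or token[0] != 0x60:
        return "unknown"
    try:
        _, i = _der_length(token, 1)
        if i >= len(token) or token[i] != 0x06:
            return "unknown"
        oid_len, j = _der_length(token, i + 1)
    except ValueError:
        return "unknown"
    oid = token[j:j + oid_len]
    if len(oid) != oid_len:
        return "unknown"
    return MECHS.get(oid, "unknown")


def handle_request(authorization):
    """Server side of steps 1-4: decide the response to an incoming Authorization header value.

    Returns (status, response headers, mechanism). No header, or a bare "Negotiate", gets the
    step 2 challenge. A SPNEGO/Kerberos token is accepted here for illustration; a real acceptor
    would pass it to acceptSecContext() and may answer 401 with continuation data (step 4).
    NTLM is challenged again, modelling a service that does not support NTLM.
    """
    if authorization is None:
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    m = _NEGOTIATE.match(authorization)
    if not m or not m.group(1):
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return 400, {}, None                      # not base64: malformed request
    mech = classify_token(token)
    if mech in ("spnego", "kerberos"):
        return 200, {}, mech
    return 401, {"WWW-Authenticate": "Negotiate"}, mech


def _der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def negotiate_header(token):
    """Build the Authorization header value of step 3 for a binary token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

# Constructed sample headers: an NTLM NEGOTIATE_MESSAGE (type 1) prefix, and GSS-API
# InitialContextTokens whose inner bytes are placeholders rather than real negotiations.
NTLM_HEADER = negotiate_header(b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(24))
SPNEGO_HEADER = negotiate_header(_der(0x60, _der(0x06, SPNEGO_OID) + b"\xa0\x03\x02\x01\x00"))
KERBEROS_HEADER = negotiate_header(_der(0x60, _der(0x06, KRB5_OID) + bytes(200)))
```

The mechanism check is cheap and runs before any cryptography, so a custom assertion can refuse NTLM (or anything it cannot verify) up front instead of discovering it deep inside the GSS-API acceptor. Note that the illustrative token in step 3 above is not valid base64, so this code answers it with 400.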

Tuesday Aug 14, 2012

Custom Assertion in OWSM - OES, OSDT (Oracle Security Developer Toolkit) & OWSM - 11g

Another quick note on OES, OSDT and OWSM. As I have mentioned in a previous post here, OWSM provides an Extensibility Guide that allows customers to build custom policies and custom assertions. 

So the question is: when does one have to build a custom assertion in OWSM 11g?

The short answer is when something is not supported in OWSM directly.

Here are a few scenarios:

a) If you want to build say OES integration for fine grained authorization based on content. OWSM in 11gR1 as of the writing of this post does not provide OES integration, but you can build an OES integration using the custom assertion support in OWSM 11g.

Here is an example that illustrates OWSM-OES integration using the custom assertion support in OWSM 11g. There is another example in the OWSM Extensibility Guide.

b) Another example would be - if you want to build OAuth support to secure your services with OAuth. OWSM 11g currently does not have OAuth support - but if you wanted to secure your services with OAuth - you could build a custom assertion to do the same.

c) Or you want to use a particular canonicalization method (the OOTB policies and assertion templates do not provide the flexibility of implementing your own canonicalization method) or want to use particular security transformations.

d) You wanted Liberty support in OWSM, etc.

In the rest of the post I will focus on building custom assertions that require a particular type of signing or encryption.

Custom Assertion, Signing, Encryption

Now one of the things one has to worry about when building a custom assertion that deals with signing, encryption, etc. is which XML security toolkit to use.

As you will notice - the OWSM Extensibility Guide does NOT provide any APIs that you can use for signing, encryption, etc.

The good news is you can use OSDT (Oracle Security Developer Toolkit) that actually exposes a lot of APIs to perform various XML security operations including signing, encryption, decryption, signature validation, etc.

Here are some doc pointers to OSDT:

Here are some OSDT javadocs: Web Services Security, XML Security, JCE Crypto APIs, SAML related APIs, Liberty APIs.

Note: The combination of OSDT and the OWSM Extensibility Guide gives you a really powerful set of APIs and toolkits to build various types of security policies that deal with either XML security or Web Services (SOAP) security.

WARNING: You really need to know what you are doing when using these APIs. These are fairly low level APIs, and the docs expect the developer using them to be extremely knowledgeable about security technologies and concepts and about how to use the various low level building blocks.

Hopefully this provides some guidance on how one can use OWSM custom assertion and OSDT to build various types of policies in OWSM.

Sunday Jul 29, 2012

OPSS vs. OWSM 11g

Have been a bit busy and so blogging has been slow - but I recently came across this blog entry and I thought it would be worth clarifying the relationship between OPSS and OWSM.

OPSS - Oracle Platform Security Services - provides a security framework and acts as the underlying security layer that addresses FMW security requirements and serves as the base for all the Identity and Access Management products.

Details can be found here.

There is a nice white paper accompanying the recent IDM 11gR2 release - that describes the foundational nature of OPSS. (Yet more material on IDM 11gR2 can be found here.)

The primary security services provided by OPSS include:

a) Authentication Services via Login Modules

b) Keystore Service

c) Credential Store Service - used for storing secrets like passwords (credentials).

d) Audit service

e) Authorization

OWSM is primarily focused on security for Web Services and provides a policy based security model. OWSM implements the various WS-* standards and leverages the OPSS authentication service, keystore service, audit service, credential store service, authorization service, etc.

Tuesday Jun 12, 2012

Identity Propagation for Web Service - 11g

I came across this post from Biemond on how to do identity propagation using OWSM. As I have mentioned in the past here, here and here, Biemond has a number of excellent posts on OWSM. However I found one part of his comment puzzling. I quote:

"OWSM allows you to pass on the identity of the authenticated user to your OWSM protected web service ( thanks to OPSS ), this username can then be used by your service. This will work on one or between different WebLogic domains. Of course when you don't want to use OWSM you can always use Oracle Access Manager OAM which can do the same." The last sentence (highlighted in red in the original) is the one I find puzzling.

In fact I just discussed this particular topic recently here.

So let me try and clarify on a few points:

a) OAM is used for Web SSO.

b) OWSM is used for securing Web Services. You cannot do identity propagation using OAM for Web Services.

c) You use SAML to do identity propagation across Web Services. OAM also supports SAML - but that is the browser profile of SAML relevant in the context of Web SSO and is not related to the SAML Token Profile defined as part of the WS-Security spec.

Wednesday May 23, 2012

WLS Custom Authenticator, OPSS Custom Identity Store Service, OWSM Custom Assertion - custom everything!! - 11g

Between WLS, OWSM and OPSS, Oracle supports a lot of flexibility in building custom security. However, sometimes customers may be overwhelmed and find all this very confusing. This post provides a brief overview of the purpose of each and when to use them.

WLS Custom Authenticator (or Custom Authentication Provider)

WebLogic provides the ability to build Custom Authentication Providers. The WLS documentation describing how to build "Security Providers" is here.

When should you build it?

Typically you build a custom authentication provider when your users are stored in a "custom" repository.

Ex#1: Let's say you have users in a mainframe repository and you cannot use the OOTB LDAP or SQL Authentication Providers.

Ex#2: The users are stored in a DB but the schema is custom, so the OOTB SQL Authentication Provider does not work.

We will use the terminology "Identity Store" to identify a repository where users are stored.

OPSS Custom Identity Store Service

OPSS supports the ability to configure the "Identity Store" service for a WebLogic domain via "jps-config.xml". OPSS OOTB currently does not support Oracle DB as an "Identity Store". If you have users in a DB or a mainframe system, you may want to build a custom identity store service.


When should you build it?

The OPSS Identity Store service can be used to retrieve user profile information. Ex: If you want to retrieve the email of user in the "Identity Store".

OPSS provides what is called User/Role APIs and these APIs ultimately need to talk to the "Identity Store" to retrieve user profile information.

You can find details about the OPSS Identity Store service here.

OWSM Custom Assertion

I have briefly described OWSM Custom Assertion/Policy support in this blog post.

When should you build it?

There are many scenarios where you may want to build a custom assertion.

Ex#1: Let's say you need to support a proprietary token (ex: CA SiteMinder Token) in your Web Services for authentication.

Ex#2: You want to support say a JWT token for your Web Services for authentication.

Hopefully this clarifies some of the confusion.

Note: There are a lot of nuances to each of the scenarios described in this post. I have tried to keep the post at a high level and gloss over many of nuances for purposes of brevity.

Monday Apr 16, 2012

Oracle BPM and OWSM - 11g

The Oracle BPM team has an article on how to use OWSM with Oracle BPM. The article specifically covers how to use the OWSM SAML based identity switching policy (I briefly talked about the SAML identity switching feature in OWSM in this blog post).

Hope people find it useful! (There is a typo in the title it should say BPM 11g: Configuring SAML Web Service Clients for Identity Switching without Message Protection).

Thursday Apr 12, 2012

OEG integration with OSB/OWSM - 11g

This is a follow up to my post on Oracle's layered SOA Security vision. There is a very nice article from Fabio Mazanatti & co. describing how to integrate OEG with OSB/OWSM.

Check it out!

Friday Mar 30, 2012

OSB Security using OWSM - 11g

Here is a very nice video from Oracle showing how OWSM can be used to secure OSB.

Wednesday Mar 21, 2012

OWSM vs. OEG - When to use which component - 11g

A lot of people, both internal to Oracle and customers, keep asking about when OWSM should be used vs. OEG. Sometime back I posted Oracle's vision for layered SOA security.

Here is a quick summary:

Use OWSM in Green Zone

Use OEG in Red Zone (DMZ)

If you need end-to-end security, you will want both OWSM and OEG. This is the topology I would recommend for most customers.

If you need only Green Zone security - then use OWSM in conjunction with Oracle FMW products like SOA Suite, OSB, ADF, WLS, BI, etc both on the Client Side and Service Side (assuming you are using FMW technologies for both Clients and Services).

If you need only Red Zone security - then use OEG on the Service Side. You can use OWSM for the Client Side if you are using FMW to build your clients.

Sunday Mar 18, 2012

How To - Securing a JAX-WS with OWSM Message Protection Policy in JDeveloper - 11g

As promised in this post, here is a How-To that describes how to secure a simple HelloWorld JAX-WS with an OWSM message protection policy and test it with SoapUI.

The How-To reuses the picture I posted earlier about the relationship and interplay between the Keystore, Credential store, jps-config.xml, etc.

One of the other more frequent requests I hear from folks within Oracle and customers is how to test OWSM with SoapUI. SoapUI in general works very well as a testing tool for web services secured with wss10 policies.

Saturday Mar 17, 2012

Podcast on SOA Governance and OWSM - 11g

Anand Kothari the Product Manager for OWSM has a great podcast on SOA Governance and how OWSM, OEG help the SOA Governance story.

Friday Mar 16, 2012

OWSM Policy Repository in JDeveloper - Tips & Tricks - 11g

In this blog post I discussed the OWSM Policy Repository that is embedded in JDeveloper. However, sometimes people may run into issues with the embedded repository. Here is a screen snapshot that shows the error you may run into (click on the image for a larger image):

If you run into "java.lang.IllegalArgumentException: WSM-04694 : An invalid directory was provided to connect to a file-base MDS repository." this is caused by spaces in the folder name. A quick way to work around this issue is by running "Jdeveloper.exe - su".

Hope people find this useful!

Wednesday Mar 14, 2012

How To - SOA Component level Role based Authorization using OWSM - 11g

Here is another How-To that provides detailed instructions on how to perform role based authorization for a SOA Composite app.

These are fairly large documents since I am providing detailed step by step instructions. If you are familiar with some or all of the technologies, you can jump around the How-To to the relevant sections.


In many cases the How-To's may have typos and other mistakes - please let me know if you see any issues in the How-To and I will try and fix them.

Tuesday Mar 13, 2012

How To - OWSM and WLS WS-Security Interop - 11g

Here is another How To that provides a detailed step by step guide for getting OWSM to Interop with WLS WS-Security using the Username Token with message protection policy.

Happy Reading!


A few things I forgot before I posted this entry:

  • The OWSM interop guide provides a high level overview of the steps involved in achieving this interop - however it does not provide detailed step by step instructions, so I thought I would provide a more detailed How To for customers who are having problems following the interop guide.
  • As the doc makes clear, you only need to configure the "Confidentiality Key" - however in the How To I cover configuring both the "Confidentiality" and "Signing" keys. You can safely skip the steps relating to configuring the "Signing Key".
  • I have simplified things to a large extent in terms of the keystore setup. This setup is not always practical from a production perspective. However, since I have not had a chance to post more on keystores, credential stores, etc., I have tried to keep it simple here. I hope to post more on the topic of keystores, certificates, credentials, credential stores, etc. in a future post.

Monday Mar 12, 2012

How To - Field level encryption using OWSM 11g

Finally I have figured out a mechanism to host some How To's that I can share on this blog and here is my first How To on Field level encryption (partial encryption) using OWSM 11g.

I hope to post more How To's in the future...

Comments welcome.


A few bookkeeping rules:

a) This is not part of official documentation from Oracle.

b) The steps may change from one version to another - so please keep that in mind. I have not tested this against all versions of the product - but I expect it to work with the versions I mentioned in the pdf.

Friday Feb 24, 2012

Constraint based Global Policy Attachments (CGPA) - 11gR1

There are quite a few new features that were delivered as part of OWSM 11gR1 PS5. One of the new features is the ability to define Constraint based Global Policy Attachments (sometimes referred to as Conditional Global Policy Attachments).

In this post I will provide a brief illustration of the use-case that motivated the addition of that feature.

Consider that you have a Web Service. In many cases Web Services are exposed within the internal network of an organization, and in many cases the same Web Services are also exposed outside the organization so that clients such as partners can access them. So we can categorize Web Services into three categories:
  • External facing Web Services i.e. web services accessed by external web service clients.
  • Internal facing Web Services i.e. web services accessed by internal web service clients.
  • Mixed Web Services i.e. web services that are accessed by both internal and external Web Service Clients.

In many cases customers want to have different levels of security for web services accessed by internal web service clients, compared to those web services that are accessed by external web service clients (ex: Partners or clients accessing services hosted on a public or private cloud).

Web Service Type         Security Level
Internal Web Services    Low
External Web Services    High
Mixed Web Services       High today (forced by the external clients); with CGPA, Low for internal clients and High for external clients

Here is a pictorial representation of the use-case.

Typically the only way to solve this is to use High level security for Mixed Web Services - this results in internal clients of those Web Services also using the High level of security. The Conditional Global Policy Attachments feature is designed to address this scenario. It allows internal access to continue to use Low level security, while external access continues to use High level security.

Another relevant aspect that customers typically run into is that Web Services flagged as Internal may later need to be exposed Externally, and this transition requires changing the security level. Conditional Global Policy Attachments obviate the need to handle these types of scenarios by hand.

OWSM 11gR1 PS5 released!!!

Haven't had a chance to blog in quite some time - but this is a quick post to note that FMW 11gR1 PS5 was released a few days back and that includes OWSM 11gR1 PS5.

The OWSM documentation lists what is new in 11gR1 PS5 at:

I hope to blog more on some of the new features in 11gR1 PS5 and the use-cases driving the support for these features.


In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).

