Sunday Mar 18, 2012

How To - Securing a JAX-WS with OWSM Message Protection Policy in JDeveloper - 11g

As promised in this post, here is a How-To that describes how to secure a simple HelloWorld JAX-WS with OWSM message protection policy and test it with SOAP UI.

The How-To reuses the picture I posted earlier about the relationship and interplay b/w Keystore, Credential store, jps-config.xml ,etc.

One of the other more frequent requests I hear from folks within Oracle and customers is how to test OWSM with SOAP UI. SOAP UI in general works very well as testing tool for web services secure with wss10 policies.

Friday Mar 16, 2012

OWSM Policy Repository in JDeveloper - Tips & Tricks - 11g

In this blog post I discussed about the OWSM Policy Repository that is embedded in JDeveloper. However some times people may run into issues with the embedded repository. Here is screen snapshot that shows the error you may run into (click on the image for larger image):

If you run into "java.lang.IllegalArgumentException: WSM-04694 : An invalid directory was provided to connect to a file-base MDS repository." this caused due to spaces in the folder name. Here is a quick way to workaround this issue by running "Jdeveloper.exe - su".

Hope people find this useful!

Monday Mar 12, 2012

How To - Field level encryption using OWSM 11g

Finally I have figured out a mechanism to host some How To's that I can share on this blog and here is my first How To on Field level encryption (partial encryption) using OWSM 11g.

I hope to post more How To's in the future...

Comments welcome.


A few bookkeeping rules:

a) This is not part of official documentation from Oracle.

b) The steps may change from one version to another - so please keep that in mind. I have not tested this against all versions of the product - but I expect it to work with the versions I mentioned in the pdf.

Tuesday Dec 13, 2011

Time travel for OWSM Administrators - 11g

I liked the title of this post from Antony Reynolds so much that I borrowed it for my post! Antony's post talks about the versioning support in OWSM 10g. This post is about the versioning support in OWSM 11g.

Here I will take a simple example, let's say a customer has decided to standardize on Basic192 as the algorithm suite to be used for all message protection policies. The customer can do so by editing - let's say the oracle/wss10_saml_token_with_message_protection_service_policy.

The default value is Basic128 for the OOTB policy that ships with OWSM. Now we have two versions of the oracle/wss10_saml_token_with_message_protection_service_policy.

This is illustrated in the picture below (Click on the images for a larger image):

You can view the version history for any policy by clicking on the "version history" link.

The version history page looks as shown below:

policy version history

You can view the individual versions by clicking on the "view" button in the above image. Below is the version#1 of the oracle/wss10_saml_token_with_message_protection_service_policy.

 Version#2 of the oracle/wss10_saml_token_with_message_protection_service_policy is shown below:

Like in OWSM 10g - you can revert or activate an older version if you realize that the changes that were made were not satisfactory for any reason.


It is important to note some of the limitations that exist in terms of the versioning support in OWSM 11g.

  1. Enforcement does not take policy version into consideration i.e. enforcement is always based on the latest version (in the above case version#2).
  2. While OWSM maintains the version history it does not provide any tooling to view the differences b/w the two versions. However for each version OWSM does maintain information about who edited the policy and when - hence once can talk to person who edited the policy to find out the changes.
  3. Currently versioning is supported only for policies. Versioning is not supported for Assertion templates and Global Policies.
Detailed documentation on the OWSM 11g versioning support can be found here in the Security and Administrators Guide for Web Services.

Monday Nov 28, 2011

Running OWSM WLST commands - 11g

It has been sometime since I posted some materials. I hope to have more tips, best practices - but here is a quick thing that people seem to trip up on..."How to Run OWSM related WLST commands"

The most common issue people seem to run into is trying to run the OWSM WLST commands from the wrong location. You need to run the WLST commands from "oracle_common/common/bin/" (ex: /home/Oracle/Middleware/oracle_common/common/bin/

This is documented in the OWSM doc (Security And Administrator's Guide) under the section "Accessing the Web Services Custom WLST Commands".

Note: This location is different from the location from where you run the SOA WLST commands.

If you try to run the OWSM WLST command from the wrong location - you will see errors like the following: "The MBean ,@ oracle.wsm:*,name=WSMDocumentManager,type=Repository was not found"


In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).


« April 2014