
An Oracle blog about Web Services and Security in the Fusion Cloud

Recent Posts

How to generate PGP keys using the Fusion Security Console

Overview

Encrypting and importing data to the HCM Cloud has become much simpler as of Fusion Release 10.  The Security Console now provides functionality to generate and manage certificates and public/private key pairs.  This article describes how to use the Security Console to create a PGP key that can be used to encrypt HCM Data Loader files prior to importing them.

System Requirements

- Fusion release 10+
- Fusion user with IT_SECURITY_MANAGER access to the Security Console

Step 1 - Generate the key pair

1) Log into Fusion.
2) From the Navigator, launch the Security Console.
3) Select the "Certificates" tab to view the keys installed on your pod.
4) Press the "Generate" button to display the generate certificate form.
5) Select "PGP" as the certificate type.
6) Enter the key details:
   - Enter "fusion-key" for the alias.  This is very important.  If the alias is something other than "fusion-key", the encryption APIs will not be able to locate the key and will fail.
   - Enter a passphrase.  You will need this passphrase if you ever want to delete this key.  For example, your company may have a policy to regenerate keys at pre-defined intervals for security purposes.  You need to delete the existing key before generating a new one with the same alias.
   - Select RSA as the key algorithm.
   - Select 2048 for the key length.
   - Press the "Save and Close" button to generate the key pair.
7) Close the confirmation dialog.  The key with the alias "fusion-key" will be displayed in the list of certificates.

Step 2 - Export the public key

1) Click the "fusion-key" alias link.  The public key will be displayed.
2) Choose "Export -> Public Key" from the "Actions" menu and save the "fusion-key_pub.asc" to your local machine.

Step 3 - Import the public key to your local machine

The steps to accomplish this will vary depending on the operating system and application you are using for encryption/decryption and key management.  Gpg4win, the official GnuPG distribution for Microsoft Windows, and GnuPG for Linux are some common tools used for encryption and key management.

You will use this key to encrypt your data files before importing them using the HCM Data Loader.

That's it! You are now ready to encrypt and import your HDL data files.

For additional information, please refer to the official Oracle documentation.  A link is provided in the References section below.

References

Oracle Human Capital Management Cloud, Integrating with Oracle HCM Cloud - Chapter 24: Transferring Encrypted Data
https://docs.oracle.com/cloud/latest/common/FAIHM/FAIHM1693484.htm#FAIHM1693484


Handling Proxy Server Authentication in SoapUI

Overview

If you are having difficulties connecting to a Fusion web (SOAP) service using SoapUI, odds are there is a proxy server on your company's local network.  A proxy server is a computer, device or application that handles requests from clients to access resources on other servers, typically outside the company's internal network.  Resources include services, web pages, files and connections to other devices, to name a few.

There are different types and implementations of proxies and proxy servers.  This article focuses on web proxy servers, which are commonly deployed on corporate networks to provide an additional layer of security.  These servers filter HTTP and HTTPS traffic and handle all outgoing network requests.  Some proxy servers require authentication to connect to them, others do not.  This article describes how to configure proxy server support in SoapUI for proxy servers that require authentication.

System requirements

- SoapUI 5.3.0

Configuration

1) Launch SoapUI.
2) Select Preferences from the File Menu.  The SoapUI Preferences dialog will be displayed.
3) Select the Proxy Settings Tab.
4) Specify proxy server settings.  You have several options here:
   - Automatic - SoapUI will attempt to automatically determine the proxy server settings by looking at Java settings, browser settings, environment variables and operating system settings.
   - None - No proxy will be used.
   - Manual - SoapUI will use the proxy host and port that you specify.
5) Specify proxy server credentials (Automatic and Manual).  If your proxy server requires authentication (you wouldn't be reading this if it didn't), enter the username and password to access the proxy server.  Press the OK button to save the changes to your project.

That's it!  SoapUI is now configured to use and log into your proxy server.

References

Wikipedia. (n.d.). Proxy server. Retrieved February 27, 2017, from Wikipedia: https://en.wikipedia.org/wiki/Proxy_server
SMARTBEAR. (n.d.). Preferences. Retrieved February 27, 2017, from SoapUI: https://www.soapui.org/getting-started/soapui-interface/preferences-and-settings.html#Proxy-Settings


Fusion HCM Cloud Web Service Policies Demystified

Overview

The Fusion HCM Cloud exposes both SOAP and REST services.  This article describes the security policies applied to these services and discusses common policies used by clients to interact with them.

Fusion web services are secured with policies that adhere to the WS-Security standards.  These standards enforce authentication (to verify the user is who they claim to be), authorization (to ensure the user has the required privileges to access the service) and message protection.  There are two facets of message protection: confidentiality and integrity.  Confidentiality is enforced by encrypting the message.  This prevents unauthorized users from viewing the message content.  Integrity is enforced by signing the message.  This ensures messages have not been tampered with.  As an additional layer of protection, SSL is required for all interactions with Fusion web services.

Clients need to apply a compatible client policy to communicate with the service or the request will be rejected.  I've had numerous questions on this topic and wanted to provide some common approaches to help you start interacting with Fusion web services.

System Requirements

- Fusion HCM Rel 10, 11, 12 (SOAP), Rel 11, 12 (REST)

SOAP Services

The standard service policy for SOAP services is:

    oracle/wss11_saml_or_username_token_with_message_protection_service_policy

This policy accepts a SAML token or a username and password for authentication, applies message protection (via encryption), assures message integrity (via signing) and enforces the use of SSL.

Clients need to apply a compatible client policy to communicate with the service or the request will be rejected.  Typically, client applications accessing the service would apply the oracle/wss11_saml_or_username_token_with_message_protection_client_policy.  This policy requires the client to configure a keystore and truststore with the appropriate certificates to encrypt and sign SOAP requests.  This can be fairly complicated to set up if you haven't done it before.

Essentially, you need to establish a trust between the client and server.  To do this, you need to import the server certificate into the client truststore.  Alternatively, you can import the root certificate from the CA that issued the server certificate into the client truststore.  You also need to import the server certificate into the client's keystore using any alias you like.  Once imported, you need to set the keystore.recipient.alias to identify the server certificate when you attach the policy.  See Setting up the Keystore for Message Protection in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services for additional details.

What isn't obvious is that clients can specify the oracle/wss_username_token_over_ssl_client_policy.  This policy authenticates using a username and password and enforces the use of SSL.  This approach is ideal for prototyping and testing.  It is not recommended for production deployments, as message protection (confidentiality and integrity) is not enforced.

REST Services

The standard service policy for REST services is:

    oracle/multi_token_over_ssl_rest_service_policy

This policy enforces a number of methods to authenticate and authorize user interaction.  All interaction is required to take place over SSL.

Clients need to use one of the following client policies to communicate with HCM Fusion REST Services.  The policy used will depend on the type of token that will be set in the HTTP header.

- Basic: oracle/http_basic_auth_over_ssl_client_policy
- SAML: oracle/http_saml20_token_bearer_over_ssl_client_policy
- JWT: oracle/http_jwt_token_over_ssl_client_policy

The simplest is Basic HTTP authentication over SSL.  In this scenario, credentials are base64 encoded and stored in the Authorization HTTP header.  Base64 is an encoding, not encryption, so the SSL requirement is what keeps the credentials confidential in transit.  For example, you can set the Authorization HTTP header in JavaScript by creating an XMLHttpRequest, opening the connection, base64 encoding the credentials and setting them in the request header.

The following code snippet provides a basic overview of how to set the credentials in the HTTP header using JavaScript.  Look for a complete implementation in a future blog.

    // create the request
    var req = new XMLHttpRequest();
    // open the connection (uri must be an https:// URL)
    req.open('GET', uri, true);
    // base64 encode the credentials (btoa accepts Latin-1 characters only)
    var creds = window.btoa(username + ':' + password);
    // set the Authorization header
    req.setRequestHeader('Authorization', 'Basic ' + creds);

The credentials are now properly stored in the HTTP Authorization header.  The service will extract these credentials to authenticate and ensure the user is authorized to call the service.

Similarly, SAML 2.0 Bearer tokens and JWT tokens can be stored in the HTTP header to authenticate and authorize a user.

Conclusion

I hope this article helped shed some light on selecting the appropriate client security policy for your application.

References

Oracle Fusion Middleware Understanding Oracle Web Services Manager
https://docs.oracle.com/middleware/1213/owsm/concepts/toc.htm

Oracle Fusion Middleware Security and Administrator's Guide for Web Services
http://docs.oracle.com/cd/E17904_01/web.1111/b32511/toc.htm

Overview of Web Service Security
https://docs.oracle.com/middleware/1213/owsm/concepts/owsm-security-concepts.htm#OWSMC1508

Setting up the Keystore for Message Protection
http://docs.oracle.com/cd/E17904_01/web.1111/b32511/setup_config.htm#WSSEC1970

REST API for Oracle Global Human Resources Cloud Release 11
http://docs.oracle.com/cloud/farel11/globalcs_gs/FARWS/

REST API for Oracle Global Human Resources Cloud Release 12
http://docs.oracle.com/cloud/latest/globalcs_gs/FARWS/

REST Security Considerations (R11)
http://docs.oracle.com/cloud/farel11/globalcs_gs/FARWS/Security_for_REST_Services_and_Atom_Feeds.html

REST Authentication and Authorization (R12)
http://docs.oracle.com/cloud/latest/globalcs_gs/FARWS/Authentication_and_Authorization_R12Onwards.html


How to verify your HDL data file is encrypted with the proper key

Overview

The HCM Data Loader (HDL) is used to import data into Fusion.  Data is first uploaded to the content repository (UCM), then a process is run to load that data into the database.  Users have the option to encrypt their data prior to uploading it.

Customers who are learning HDL sometimes encounter errors when HDL attempts to decrypt the encrypted file.  This is often because they are using the wrong public key (fusion-key) to encrypt their data.  I have seen this numerous times.  What customers may not be aware of is that a unique key pair is generated for each of their pods (test and production).  The public keys they receive from Oracle both have the same alias (fusion-key), so care must be taken to ensure the correct key is used to encrypt data files for a particular environment.

This article outlines how to verify your HDL data file was encrypted with the proper key.

User input is noted in RED text.

System Requirements

- Linux
- GPG version 1.4.5
- Fusion release 10+
- Fusion user with access to the Security Console

Step 1 - Export the key from your Fusion pod

1) Log into Fusion
2) From the Navigator, launch the security console
3) Select the "Certificates" tab to view the keys installed on your pod.
4) Click the "fusion-key" link to view the key.
5) Select Actions -> Export -> Public Key
6) Click "OK" to save the key (The saved file should be named fusion-key_pub.asc)
7) Click "Done"

Step 2 - Determine the ID of the fusion-key exported in step 1

1) List the keys on your key ring

    $ gpg --list-keys
    /home/tmunday/.gnupg/pubring.gpg
    --------------------------------
    pub   2048R/A4B01C08 2016-04-14
    uid                  fusion-key

In this example, I already have a key on my key ring with the alias "fusion-key".

2) Import the key exported in step 1.

    $ gpg --import fusion-key_pub.asc
    gpg: key 2B65888A: public key "fusion-key" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)

Note the ID of the key (2B65888A)

3) List the keys on your key ring again

    $ gpg --list-keys
    /home/tmunday/.gnupg/pubring.gpg
    --------------------------------
    pub   2048R/A4B01C08 2016-04-14
    uid                  fusion-key

    pub   2048R/2B65888A 2016-11-21
    uid                  fusion-key

Listing the keys again, you can see there are now two keys with the same alias.  When this happens, you refer to the key by the key ID when performing gpg operations.

Step 3 - Determine the ID of the key used to encrypt your file

1) Display information about the encrypted file.

    $ gpg --list-packets HDLData.zip.gpg
    :pubkey enc packet: version 3, algo 1, keyid 60CD12832B65888A
            data: [2041 bits]
    :encrypted data packet:
            length: 155
            mdc_method: 2
    gpg: encrypted with 2048-bit RSA key, ID 2B65888A, created 2016-11-21
          "fusion-key"
    gpg: decryption failed: secret key not available

You will see the ID of the public key used to encrypt the file (ID 2B65888A).

The ID must match the ID of the key you exported from Fusion and imported to your local key ring.  If it doesn't, you need to encrypt your data file with the proper key.  See step 4.

Step 4 - Encrypt your data file (HDLData.zip) with the proper key

Note: Perform this step if the key ID in step 3 does not match the key ID you imported in step 2.

1) Encrypt using the key id (2B65888A) instead of the alias (fusion-key)

    $ gpg --encrypt -r 2B65888A HDLData.zip
    gpg: 2B65888A: There is no assurance this key belongs to the named user

    pub  2048R/2B65888A 2016-11-21 fusion-key
     Primary key fingerprint: C11C A1BA EAE0 3428 692F  BFC5 60CD 1283 2B65 888A

    It is NOT certain that the key belongs to the person named
    in the user ID.  If you *really* know what you are doing,
    you may answer the next question with yes.

    Use this key anyway? (y/N) y

This will create an encrypted archive named HDLData.zip.gpg

That's it! You now have an HDL data file encrypted with the proper key for your pod.
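
The comparison in steps 2 and 3 can be scripted; the following is an added example, not part of the original post. It compares the full 16-digit key ID from the packet listing with every primary key and subkey ID in the exported file instead of relying on the alias or the 8-digit short ID. The function names, the colon-format sample lines and the upper eight digits of the second sample key ID are constructed for illustration, and it assumes that `gpg --with-colons <keyfile>` with no command lists the keys in the file, as GnuPG 1.4 does.

```shell
#!/bin/sh
# Added example: check that an encrypted HDL file is addressed to a key that is
# contained in the fusion-key_pub.asc exported from the target pod.

# Read `gpg --list-packets` output on stdin and print the 64-bit key ID of
# every public-key recipient, one per line.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet:.* keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' |
        tr 'abcdef' 'ABCDEF' | sort -u
}

# Read `gpg --with-colons` output on stdin and print the 64-bit key ID of the
# primary key and of each subkey (field 1 = record type, field 5 = key ID).
exported_keyids() {
    awk -F: '($1 == "pub" || $1 == "sub") && length($5) == 16 { print toupper($5) }' |
        sort -u
}

# check_recipients RECIPIENT_IDS EXPORTED_IDS
# Returns 0 if a recipient ID is one of the exported IDs, 1 if none is,
# and 2 if the file lists no public-key recipient at all.
check_recipients() {
    recipients=$1
    exported=$2
    [ -n "$recipients" ] || return 2
    for id in $recipients; do
        case "$id" in
            0000000000000000) continue ;;   # hidden recipient, cannot be verified
        esac
        for known in $exported; do
            [ "$id" = "$known" ] && return 0
        done
    done
    return 1
}

# verify_hdl_file ENCRYPTED_FILE EXPORTED_KEY_FILE
# Runs gpg itself (not used by the demo below). --list-packets exits non-zero
# when the secret key is absent, which is expected on the sending side; the
# packet listing is still written to stdout.
verify_hdl_file() {
    r=$(gpg --batch --list-packets "$1" 2>/dev/null | recipient_keyids)
    e=$(gpg --with-colons "$2" 2>/dev/null | exported_keyids)
    check_recipients "$r" "$e"
}

# Packet listing as shown in step 3 of the post.
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 60CD12832B65888A
        data: [2041 bits]
:encrypted data packet:
        length: 155
        mdc_method: 2'
# Constructed colon listings: the key exported from the pod, and the older key
# already on the key ring (only its short ID A4B01C08 appears in the post, so
# the upper eight digits are a placeholder).
SAMPLE_POD_KEY='pub:-:2048:1:60CD12832B65888A:2016-11-21:::-:fusion-key::'
SAMPLE_OTHER_KEY='pub:-:2048:1:00000000A4B01C08:2016-04-14:::-:fusion-key::'

demo() {
    r=$(printf '%s\n' "$SAMPLE_PACKETS" | recipient_keyids)
    for key in "$SAMPLE_POD_KEY" "$SAMPLE_OTHER_KEY"; do
        e=$(printf '%s\n' "$key" | exported_keyids)
        if check_recipients "$r" "$e"; then verdict=match; else verdict=MISMATCH; fi
        printf 'recipient %s, exported key %s: %s\n' "$r" "$e" "$verdict"
    done
}
demo
```

With gpg installed, `verify_hdl_file HDLData.zip.gpg fusion-key_pub.asc` returns 0 only when the file was encrypted to a key in the exported file.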


Handling Proxy Server Authentication Requests in Java

Overview

Corporate networks often employ a proxy server to provide an additional layer of security when communicating with servers outside the company's firewall.  The proxy server is typically configured to control and restrict access to web content.  Internal clients connect to the proxy server and request external resources.  The proxy server establishes the connection with the external resource and forwards responses back to the client.

Java provides a mechanism to support communication through proxy servers.  Simply set the following system properties at runtime and Java will use them:

    -Dhttp.proxyHost=<proxy host>
    -Dhttp.proxyPort=<proxy port>

Some proxy servers are configured to require authentication.  If this is the case, you need to add code to your Java client to support authentication or you will receive connection refused messages.  The following figure illustrates a very basic authentication flow between the client, proxy server and endpoint.

Fig 1: Basic proxy server authentication flow

In this example, the Java client is sending an HTTP request to an external web server.  By specifying the Java system properties identified above, the client connects to the proxy server.  The proxy server sends a request back to the client for credentials.  The client provides the credentials and the proxy server authenticates the client.  If authentication is successful, the proxy server forwards the request to the external server.  The external server sends the response back to the proxy server, which in turn sends the response to the client.

This blog describes how to implement the necessary code to properly handle authentication when a proxy server requests it.

Implementation

When a proxy server requires authentication, it responds to connection requests with a credential request.  In Java, this is handled by setting a default authenticator.  There are numerous authentication types that are supported by Java.  In this example, we will be using a simple username and password authenticator.

Add the following code to your client and initialize the proxy authenticator before creating any connections:

    import java.net.Authenticator;
    import java.net.PasswordAuthentication;

    private void initializeProxyAuthenticator() {
        final String proxyUser = System.getProperty("http.proxyUser");
        final String proxyPassword = System.getProperty("http.proxyPassword");
        if (proxyUser != null && proxyPassword != null) {
            Authenticator.setDefault(
              new Authenticator() {
                @Override
                public PasswordAuthentication getPasswordAuthentication() {
                  // Answer only the proxy's challenge, so the proxy credentials
                  // are never offered to an origin server that requests HTTP auth.
                  if (getRequestorType() != RequestorType.PROXY) {
                    return null;
                  }
                  return new PasswordAuthentication(
                    proxyUser, proxyPassword.toCharArray()
                  );
                }
              }
            );
        }
    }

Finally, set the following Java system properties:

    -Dhttp.proxyUser=<proxy user>
    -Dhttp.proxyPassword=<proxy password>

That's it!  Your Java client should now properly handle authentication requests from your proxy server.


Generating a Web Service Client and Proxy with JDeveloper 12c

Overview

This blog describes how to generate a web service client and proxy that can be used to invoke Fusion web services.  This example shows how to create a proxy to invoke the HCM WorkerService.  This blog represents a portion of a more detailed blog: Using Fusion web services to terminate a work relationship.

System Requirements

- JDeveloper 12c (Studio Edition 12.1.2.0.0 or greater)
- Java 7
- Fusion SaaS release 9+ environment

Step 1 - Create the project

1a) Create a new "custom application" in JDeveloper.
1b) Follow the steps in the wizard to create the project.  Be sure to select "SOAP Web Services" from the "Project Features" tab on the Name your project step.  This will add the required libraries to make service calls as shown below.
1c) Press the Finish button to generate your project.

Step 2 - Generate the proxy

2a) Right click on your project in the application pane and select "New - From Gallery".
2b) Then select "Web Services" from the "Business Tier" and choose "Web Service Client and Proxy".
2c) Follow the steps in the wizard.  Step 2 of the wizard prompts you for the WSDL location.  Enter the following and press "Next" to parse the WSDL.  Make sure to replace <server-name> with your server.

    https://hcm-<server-name>.oracleoutsourcing.com/hcmEmploymentCoreWorkerV2/WorkerService?WSDL

Note:  It can take a fair amount of time to parse the WSDL, so be patient.

2d) Step 3 of the wizard asks you to specify default mapping options.  Make sure the "Generate as Async" checkbox is NOT checked.
2e) Step 5 of the wizard asks you to specify asynchronous method settings.  Select the "Don't generate any asynchronous methods" option.
2f) Step 6 of the wizard asks you to specify the client security policy.  Select "oracle/wss_username_token_over_ssl_client_policy".
2g) Press the Finish button to generate the proxy.

Note:  It can take a fair amount of time to generate the proxy, so be patient.

When the proxy generation is complete, the WorkerServiceSoapHttpPortClient class will be generated for you.

    public class WorkerServiceSoapHttpPortClient {
        public static void main(String[] args) {
            WorkerService_Service workerService_Service = new WorkerService_Service();
            // Configure security feature
            SecurityPoliciesFeature securityFeatures =
                new SecurityPoliciesFeature(new String[] {
                    "oracle/wss_username_token_over_ssl_client_policy"
                }
            );
            WorkerService workerService =
                workerService_Service.getWorkerServiceSoapHttpPort(securityFeatures);
            // Add your code to call the desired methods.
        }
    }

Step 3 - Configure credentials

3a) Now that we have a client, we need to provide credentials.  This is done by adding the following lines of code after retrieving the workerService.

Note: You should retrieve the credentials from the program arguments, Java properties or from a credential store.

    // Configure credentials
    String user = "myUser";
    String password = "myPassword";
    BindingProvider wsbp = (BindingProvider)workerService;
    wsbp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
    wsbp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);

Step 4 - Configure security

Finally, we need to enable security before we can run the client.  This will generate a file that is required to invoke the secured service.

4a) Select "Secure - Configure ADF Security" from the Application menu.
4b) Select "ADF Authentication" in the Enable ADF Security pane and click Finish.  This will create a jps-config.xml file in the src/META-INF directory in your application directory (e.g. C:\JDeveloper\mywork\MyApplication\src\META-INF\jps-config.xml).
4c) Create a "config" directory in the same directory as your project (e.g. C:\JDeveloper\mywork\MyApplication\TerminateEmployee\config).
4d) Copy the jps-config.xml file generated in step 4b to this directory (e.g. C:\JDeveloper\mywork\MyApplication\TerminateEmployee\config\jps-config.xml).

Note: If this step is not done, you will receive ./config/jps-config.xml file not found exceptions when running the client.

Step 5 - Run the client

5a) Right click in the client source and select "Run" to run the client.

Client code listing (Full)

    import javax.xml.ws.BindingProvider;
    import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;
    // WorkerService and WorkerService_Service come from the package generated in step 2.

    public class WorkerServiceSoapHttpPortClient {
        public static void main(String[] args) {
            WorkerService_Service workerService_Service = new WorkerService_Service();
            // Configure security feature
            SecurityPoliciesFeature securityFeatures =
                new SecurityPoliciesFeature(new String[] {
                    "oracle/wss_username_token_over_ssl_client_policy"
                }
            );
            WorkerService workerService =
                workerService_Service.getWorkerServiceSoapHttpPort(securityFeatures);
            // Configure credentials (placeholders; see the note in step 3)
            String user = "myUser";
            String password = "myPassword";
            BindingProvider wsbp = (BindingProvider)workerService;
            wsbp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
            wsbp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
            // Add your code to call the desired methods.
            try {
                // Invoke the service
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

That's it!  You now have a Java client to call the HCM WorkerService in the Fusion Cloud.


Using Fusion web services to terminate a work relationship

Overview

This blog describes how to use Fusion web services to terminate a work relationship.

System Requirements

- JDeveloper 12c (Studio Edition 12.1.2.0.0 or greater)
- Java 7
- Fusion SaaS release 9+ environment

Step 1 - Create the project

1a) Create a new "custom application" in JDeveloper.
1b) Follow the steps in the wizard to create the project.  Be sure to select "SOAP Web Services" from the "Project Features" tab on the Name your project step.  This will add the required libraries to make service calls as shown below.
1c) Press the Finish button to generate your project.

Step 2 - Generate the proxy

2a) Right click on your project in the application pane and select "New - From Gallery".
2b) Then select "Web Services" from the "Business Tier" and choose "Web Service Client and Proxy".
2c) Follow the steps in the wizard.  Step 2 of the wizard prompts you for the WSDL location.  Enter the following and press "Next" to parse the WSDL.  Make sure to replace <server-name> with your server.

    https://hcm-<server-name>.oracleoutsourcing.com/hcmEmploymentCoreWorkerV2/WorkerService?WSDL

Note:  It can take a fair amount of time to parse the WSDL, so be patient.

2d) Step 3 of the wizard asks you to specify default mapping options.  Make sure the "Generate as Async" checkbox is NOT checked.
2e) Step 5 of the wizard asks you to specify asynchronous method settings.  Select the "Don't generate any asynchronous methods" option.
2f) Step 6 of the wizard asks you to specify the client security policy.  Select "oracle/wss_username_token_over_ssl_client_policy".
2g) Press the Finish button to generate the proxy.

Note:  It can take a fair amount of time to generate the proxy, so be patient.

When the proxy generation is complete, the WorkerServiceSoapHttpPortClient class will be generated for you.

    public class WorkerServiceSoapHttpPortClient {
        public static void main(String[] args) {
            WorkerService_Service workerService_Service = new WorkerService_Service();
            // Configure security feature
            SecurityPoliciesFeature securityFeatures =
                new SecurityPoliciesFeature(new String[] {
                    "oracle/wss_username_token_over_ssl_client_policy"
                }
            );
            WorkerService workerService =
                workerService_Service.getWorkerServiceSoapHttpPort(securityFeatures);
            // Add your code to call the desired methods.
        }
    }

Step 3 - Configure credentials

3a) Now that we have a client, we need to provide credentials.  This is done by adding the following lines of code after retrieving the workerService.

Note: You should retrieve the credentials from the program arguments, Java properties or from a credential store.

    // Configure credentials
    String user = "myUser";
    String password = "myPassword";
    BindingProvider wsbp = (BindingProvider)workerService;
    wsbp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
    wsbp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);

Step 4 - Populate data structures

4a) The next step is to create the required data structures and assign values to them.  The service is expecting JAXB compatible objects, so we use the generated ObjectFactory class to accomplish this.

    // Populate data structures
    String personNumber = "TEST_PERSON108";
    Long periodOfServiceId = 100000000995966L;
    String legalEmployerName = "Oracle USA Inc";
    String actionCode = "TERMINATION";
    String reasonCode = "WORK_RELATED";

    try {
        ObjectFactory factory = new ObjectFactory();
        WorkRelationshipUserKey wrk =
            factory.createWorkRelationshipUserKey();
        wrk.setPersonNumber(
            factory.createWorkRelationshipUserKeyPersonNumber(personNumber));
        wrk.setPeriodOfServiceId(
            factory.createAssignmentOrganizationId(periodOfServiceId));
        wrk.setLegalEmployerName(
            factory.createWorkRelationshipUserKeyLegalEmployerName(
                legalEmployerName));
        // GregorianCalendar months are zero-based: 10 is November
        GregorianCalendar gc = new GregorianCalendar(2016,10,11);
        XMLGregorianCalendar termDate =
            DatatypeFactory.newInstance().newXMLGregorianCalendar(gc);
        Termination termDetails = factory.createTermination();
        termDetails.setLastWorkingDate(
            factory.createTerminationActualTerminationDate(termDate));
        termDetails.setNotifiedTerminationDate(
            factory.createTerminationActualTerminationDate(termDate));
        termDetails.setActualTerminationDate(
            factory.createTerminationActualTerminationDate(termDate));
        ActionsList actionList = new ActionsList();
        actionList.setActionCode(
            factory.createActionsListActionCode(actionCode));
        actionList.setReasonCode(
            factory.createActionsListReasonCode(reasonCode));
    }
    catch (Exception e) {
        e.printStackTrace();
    }

Step 5 - Invoke the service

5a) Next, we invoke the service with our populated data structures to terminate the employee.

    // Invoke the service (inside the try block from step 4, where wrk,
    // termDetails and actionList are in scope)
    workerService.terminateWorkRelationship(wrk, termDetails, actionList);

Step 6 - Configure security

Finally, we need to enable security before we can run the client.  This will generate a file that is required to invoke the secured service.

6a) Select "Secure - Configure ADF Security" from the Application menu.
6b) Select "ADF Authentication" in the Enable ADF Security pane and click Finish.  This will create a jps-config.xml file in the src/META-INF directory in your application directory (e.g. C:\JDeveloper\mywork\MyApplication\src\META-INF\jps-config.xml).
6c) Create a "config" directory in the same directory as your project (e.g. C:\JDeveloper\mywork\MyApplication\TerminateEmployee\config).
6d) Copy the jps-config.xml file generated in step 6b to this directory (e.g. C:\JDeveloper\mywork\MyApplication\TerminateEmployee\config\jps-config.xml).

Note: If this step is not done, you will receive ./config/jps-config.xml file not found exceptions when running the client.

Step 7 - Run the client

7a) Right click in the client source and select "Run" to run the client.

Client code listing (Full)

    import java.util.GregorianCalendar;
    import javax.xml.datatype.DatatypeFactory;
    import javax.xml.datatype.XMLGregorianCalendar;
    import javax.xml.ws.BindingProvider;
    import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;
    // The WorkerService classes and ObjectFactory come from the package generated in step 2.

    public class WorkerServiceSoapHttpPortClient {
        public static void main(String[] args) {
            WorkerService_Service workerService_Service = new WorkerService_Service();
            // Configure security feature
            SecurityPoliciesFeature securityFeatures =
                new SecurityPoliciesFeature(new String[] {
                    "oracle/wss_username_token_over_ssl_client_policy"
                }
            );
            WorkerService workerService =
                workerService_Service.getWorkerServiceSoapHttpPort(securityFeatures);
            // Configure credentials (placeholders; see the note in step 3)
            String user = "myUser";
            String password = "myPassword";
            BindingProvider wsbp = (BindingProvider)workerService;
            wsbp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, user);
            wsbp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
            // Populate data structures
            String personNumber = "TEST_PERSON108";
            Long periodOfServiceId = 100000000995966L;
            String legalEmployerName = "Oracle USA Inc";
            String actionCode = "TERMINATION";
            String reasonCode = "WORK_RELATED";

            try {
                ObjectFactory factory = new ObjectFactory();
                WorkRelationshipUserKey wrk =
                    factory.createWorkRelationshipUserKey();
                wrk.setPersonNumber(
                    factory.createWorkRelationshipUserKeyPersonNumber(personNumber));
                wrk.setPeriodOfServiceId(
                    factory.createAssignmentOrganizationId(periodOfServiceId));
                wrk.setLegalEmployerName(
                    factory.createWorkRelationshipUserKeyLegalEmployerName(
                        legalEmployerName));
                // GregorianCalendar months are zero-based: 10 is November
                GregorianCalendar gc = new GregorianCalendar(2016,10,11);
                XMLGregorianCalendar termDate =
                    DatatypeFactory.newInstance().newXMLGregorianCalendar(gc);
                Termination termDetails = factory.createTermination();
                termDetails.setLastWorkingDate(
                    factory.createTerminationActualTerminationDate(termDate));
                termDetails.setNotifiedTerminationDate(
                    factory.createTerminationActualTerminationDate(termDate));
                termDetails.setActualTerminationDate(
                    factory.createTerminationActualTerminationDate(termDate));
                ActionsList actionList = new ActionsList();
                actionList.setActionCode(
                    factory.createActionsListActionCode(actionCode));
                actionList.setReasonCode(
                    factory.createActionsListReasonCode(reasonCode));

                // Invoke the service
                workerService.terminateWorkRelationship(wrk, termDetails, actionList);
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

That's it!  You now have a Java client to terminate a work relationship in the HCM Fusion Cloud.


How to generate PGP keys using GPG 1.4.5 on Linux

Overview

This blog describes how to generate a private/public key pair using GPG version 1.4.5. The resulting public key will contain two keys, one key for signing and a subkey for encryption. This key can be used with HCM Fusion SaaS to encrypt/decrypt files as they are transferred to and from the UCM server. User input is noted in RED text.

System Requirements

Linux
GPG version 1.4.5

Step 1 - Confirm GPG version

The GPG version must be version 1.4.5. Enter the following command to display the version:

    gpg --help

    gpg (GnuPG) 1.4.5
    Copyright (C) 2006 Free Software Foundation, Inc.

Step 2 - Start the key generation process

Enter the following command to start generating your key:

    gpg --gen-key

Select the type of key

    Please select what kind of key you want:
       (1) DSA and Elgamal (default)
       (2) DSA (sign only)
       (5) RSA (sign only) -- SELECT THIS OPTION
    Your selection? 5

Select the key size

    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 2048
    Requested keysize is 2048 bits

Select the expiration time

    Please specify how long the key should be valid.
             0 = key does not expire -- SELECT THIS OPTION
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y

Enter user name and email

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    Real name: Your Name
    Email address: your.name@somedomain.com
    Comment: your comment
    You selected this USER-ID:
        "Your Name (your comment) <your.name@somedomain.com>"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Enter passphrase to protect secret key

    You need a Passphrase to protect your secret key.
    Enter passphrase: *******
    Repeat passphrase: *******
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

You may see the following message. If you do, follow the instructions and the key generation process will start automatically.

    Not enough random bytes available.  Please do some other work to give
    the OS a chance to collect more entropy! (Need 284 more bytes)
    ..+++++
    ...+++++
    gpg: key F709C771 marked as ultimately trusted
    public and secret key created and signed
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed.  1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid: 1  signed: 0  trust: 0-, 0q, 0m, 0n, 0f, 1u
    pub: 2048R/F709C771 2015-05-27
         key fingerprint = BDC2 5293 DB14 C218 D2DA  711C EB0A 564A F709 C771
    uid                 Your Name (your comment) <your.name@somedomain.com>
    Note that this key cannot be used for encryption.  You may want to use
    the command "--edit-key" to generate a subkey for this purpose.

Key generation is complete. At this point, you have generated a private/public key pair with a public key that can be used for signing purposes. The next step is to add a subkey that will be used for encryption.

Step 3 - Add a subkey for encryption

Enter the following command to start generating your subkey:

    gpg --edit-key 'Your Name'

    gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.
    Secret key is available.
    pub  2048R/F709C771  created: 2015-05-27  expires: never       usage: SC
                         trust: ultimate      validity: ultimate
    [ultimate] (1). Your Name (your comment) <your.name@somedomain.com>

Enter the edit-key command

    Command> addkey
    Key is protected.

Enter the passphrase you specified in step 2

    You need a passphrase to unlock the secret key for
    user: "Your Name (your comment) <your.name@somedomain.com>"
    2048-bit RSA key, ID F709C771, created 2015-05-27
    Enter passphrase: *******
    user: "Your Name (your comment) <your.name@somedomain.com>"
    2048-bit RSA key, ID F709C771, created 2015-05-27

Select the type of key

    Please select what kind of key you want:
       (2) DSA (sign only)
       (4) Elgamal (encrypt only)
       (5) RSA (sign only)
       (6) RSA (encrypt only) -- SELECT THIS OPTION
    Your selection? 6

Select the key size

    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 2048
    Requested keysize is 2048 bits

Select the expiration time

    Please specify how long the key should be valid.
             0 = key does not expire -- SELECT THIS OPTION
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) Y
    Really create? (y/N)  Y
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.

You may see the following message. If you do, follow the instructions and the subkey generation process will start automatically.

    Not enough random bytes available.  Please do some other work to give
    the OS a chance to collect more entropy! (Need 277 more bytes)
    ..........+++++
    ......+++++
    pub  2048R/F709C771  created: 2015-05-27  expires: never       usage: SC
                         trust: ultimate      validity: ultimate
    sub  2048R/13DA9D02  created: 2015-05-27  expires: never       usage: E
    [ultimate] (1). Your Name (your comment) <your.name@somedomain.com>

Note, pub is for signing (SC), sub is for encryption (E)

Exit the edit-key editor and save your changes

    Command> q
    Save changes? (y/N) y

Subkey generation for encryption purposes is complete. The next step is to verify and export the keys.

Step 4 - List your keys

Enter the following command to list the keys on your keyring:

    gpg -k

    /home/yourname/.gnupg/pubring.gpg
    --------------------------------
    pub   2048R/F709C771 2015-05-27
    uid                  Your Name(your comment) <your.name@somedomain.com>
    sub   2048R/13DA9D02 2015-05-27

Step 5 - Export the public key (including subkey) in ASCII format

Enter the following commands to export the public key and display the exported file:

    gpg --armor --output yourname-pub-sub.asc --export 'Your Name'
    cat yourname-pub-sub.asc

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.4.5 (GNU/Linux)
    ...
    -----END PGP PUBLIC KEY BLOCK-----

That's it! You now have a public key that contains a key for signing and a subkey for encryption.
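To confirm the result of Steps 2 to 4 without reading the listing by eye, the following added example (not part of the original post) parses the machine-readable output of gpg --with-colons --list-keys and checks for a signing primary key plus a usable encryption subkey, both RSA 2048 with no expiry. It assumes the standard colon-listing field order (field 12 holds the capability letters); the sample listing is constructed, and the function names and script name are hypothetical.

```python
import sys

RSA_ALGOS = {"1", "2", "3"}  # OpenPGP algorithm ids for RSA (any, encrypt-only, sign-only)

# Constructed sample in --with-colons layout. The primary key id comes from the
# fingerprint shown above; the long subkey id and the "tru" line are made up.
SAMPLE = """\
tru::1:1432728000:0:3:1:5
pub:u:2048:1:EB0A564AF709C771:2015-05-27:::u:Your Name (your comment) <your.name@somedomain.com>::scESC:
sub:u:2048:1:0000000013DA9D02:2015-05-27::::::e:
"""


def parse_keys(listing):
    """Return one dict per pub/sub record of a colon-format key listing."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        f += [""] * (12 - len(f))  # pad short records
        keys.append({"type": f[0], "validity": f[1], "bits": int(f[2] or 0),
                     "algo": f[3], "keyid": f[4], "expires": f[6], "caps": f[11]})
    return keys


def check_layout(listing, bits=2048):
    """Return a list of problems; an empty list means the key matches the post."""
    keys = parse_keys(listing)
    pubs = [k for k in keys if k["type"] == "pub"]
    if len(pubs) != 1:
        return ["expected exactly one primary key, found %d" % len(pubs)]
    problems = []
    if "s" not in pubs[0]["caps"]:
        problems.append("primary key %s cannot sign" % pubs[0]["keyid"])
    # Revoked (r) or expired (e) subkeys do not count as usable.
    enc = [k for k in keys if k["type"] == "sub" and "e" in k["caps"]
           and k["validity"] not in ("r", "e")]
    if not enc:
        problems.append("no usable encryption subkey")
    for k in pubs + enc:
        if k["algo"] not in RSA_ALGOS or k["bits"] != bits:
            problems.append("%s %s is not RSA %d" % (k["type"], k["keyid"], bits))
        if k["expires"]:
            problems.append("%s %s expires %s" % (k["type"], k["keyid"], k["expires"]))
    return problems


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = check_layout(text)
    print("\n".join(found) or "OK: signing primary key plus encryption subkey")
    sys.exit(1 if found else 0)
```

Saved under a name such as check_key_layout.py, it can be fed the real keyring with gpg --with-colons --list-keys 'Your Name' | python check_key_layout.py; a non-zero exit status means the key does not have the layout this post sets up, for example when Step 3 was skipped.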
