Tuesday, June 24, 2014

Weblogic OWSM Username/Token



http://cerebro.com.au/2012/11/05/osb-adding-owsm-wsse-username-policy-with-static-username-credential-keys/


Copying in case the original post is removed.

This assumes that you already have a project with a web service that you want to secure with a WSSE Username Token carrying a static username / password. This is generally the case when we are doing system-level integration and have a system user. We recommend creating a separate user for each system to enable meaningful auditing.
OSB has the concept of Service Accounts, which can be used for HTTP user access, but we are using an OWSM SOAP-based policy that does not use these accounts. The OWSM policy needs to either have a user supplied (forwarded via service calls) or have the credentials overridden with a credential key. If, for example, we are consuming from JMS or a database and have no user identity, or we have only a static system user, we will use credential keys.
We will now run through how to set up a credential key and connect it up to a business service.

ENTERPRISE MANAGER CONFIGURATION

We start by logging into the EM (Enterprise Manager), and then open the Weblogic Domain and right click on the domain to show the context menu.
In the domain context menu we will select Security > Credentials.
The existing credentials are shown; we are using an OWSM policy (oracle/wss_username_token_client_policy) therefore we need to create an oracle.wsm.security credential key.
We then hit the ‘Create Key’ button.
This will open a pop-up window for creating new credential keys.
The map needs to be ‘oracle.wsm.security’; the key needs to be unique and should be something that explains the usage for operational support. The type is password, the user is the system user ‘osbuser’, and the password is the actual system password set up in the system we are invoking. I also recommend entering a description of the key for later identification.
The server will show you a message for successful creation.

The key will now appear in the oracle.wsm.security group; it must appear here, in the correct group, for the OWSM policy to use it. This is the end of the EM configuration; now we move over to the OSB console.

OSB CONFIGURATION

The first thing we need to do is create an administration session (required to make modifications). Once we have a session, we need to select the service to which we want to add the security policy; we have selected a project and then selected the outgoing business service BusinessService.
We need to go to the ‘Policies’ tab to see the applied policies.
We are using OWSM Policy Store; therefore we select the radio button which will enable the selection window.
The Add button will prompt you with a policy selection window. The policy that we want is ‘oracle/wss_username_token_client_policy’.
There are two pages; the username policy is on the second page.
We will select the policy and hit the submit button.
The policy will appear in the policies tab; it then needs to be applied via the ‘Update’ button.
This will then show the successful message in the information panel.
This update will enable an additional tab, Security.
The security tab shows the configuration options for the policies that have been applied to the osb service.
The username token client policy will try to forward the identity; we want to set a system username. We will use the override value to set a static username/password.
We will return to the EM console to get the name of our ‘Credential Key’.
The credential key name is copied from the EM into the ‘Override Value’ field of the security tab in the service.
Once we have entered the override value, we need to ‘Update’ the configuration to apply it.
The information panel will display the confirmation of the update.
These changes are not yet active; we need to activate the session to apply these changes to the OSB.

As always we should enter a description and submit it to take effect.

We can then test that we have configured the security correctly. We have created a SOAPUI mock service, set it as the endpoint of the business service, and executed the service. We can now see the message we have received.
As you can see the user token is now in the message and the username is that which we entered in the Enterprise Manager.
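The check described above can be automated. The following is an added example, not part of the original post: it parses a request captured by the mock service, confirms the UsernameToken carries the expected user, and flags a PasswordText credential sent over a non-TLS endpoint. The message shape (SOAP 1.1 envelope, WS-Security 1.0 UsernameToken) and the sample request are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "wsse": WSSE}
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

# Constructed sample request; the password is a made-up placeholder.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>osbuser</wsse:Username>
        <wsse:Password Type="{PROFILE}#PasswordText">example-only</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def check_username_token(envelope_xml, expected_user, transport_is_tls):
    """Return a list of findings; an empty list means the token looks as intended."""
    root = ET.fromstring(envelope_xml)  # input: a message captured by your own mock
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return ["no wsse:UsernameToken in the SOAP header (policy or override not applied)"]
    findings = []
    user = token.findtext("wsse:Username", default="", namespaces=NS).strip()
    if user != expected_user:
        findings.append(f"username is {user!r}, expected {expected_user!r}")
    password = token.find("wsse:Password", NS)
    if password is None or not (password.text or "").strip():
        findings.append("no password in the token")
    elif password.get("Type", f"{PROFILE}#PasswordText").endswith("#PasswordText"):
        # PasswordText carries the credential in the clear inside the message.
        if not transport_is_tls:
            findings.append("password sent as PasswordText over a non-TLS endpoint")
    return findings


if __name__ == "__main__":
    print(check_username_token(SAMPLE_REQUEST, "osbuser", transport_is_tls=False))
```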

Friday, June 20, 2014

Weblogic SSL

http://techworldrocks.wordpress.com/2011/09/28/certicom-vs-jsse/

http://mavroprovato.net/blog/2013/05/16/use-jsse-ssl-for-weblogic-10/


http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLOverview


Tuesday, June 17, 2014

Single-Sign On with HttpClient

Recently we had to get rid of our old single sign-on software (Siteminder) and onboard a new single sign-on product (OID/OIM). While doing so, we found that not all of our applications are compatible with the new SSO application.

One of the requirements is,
We have an existing production portal application (say Portal-P) which has a navigation link to another web application (Miserable-M). Portal-P just has the static URL for Miserable-M, and since both are SSO-protected by Siteminder, the user-specific credentials are handled by Siteminder. Since we are removing Siteminder, the question is how the user credentials will be passed going from P to M. To add to our woes, "Miserable-M" is also not LDAP compatible. But "M" has its own database where it will look for a "User Id" (no passwords) for "Authorization" purposes.

So we removed the Siteminder protection from M and, using Fiddler, I captured all the HTTP events happening in the background. There were multiple HTTP requests/responses happening before the actual user lookup in M. Then I used Apache HttpClient code to connect to M to authenticate a session. I embedded this code into Portal-P. So when a user clicks on the navigation link for "M", there is a server call (Ajax, servlet or managed bean) to get an authenticated session id, and then window.open() is used to open the new window in a popup.

http://stackoverflow.com/questions/133925/javascript-post-request-like-a-form-submit

http://stackoverflow.com/questions/5554896/window-open-post

http://www.mywebexperiences.com/2008/01/26/send-a-post-request-to-a-popup/

http://taswar.zeytinsoft.com/2010/07/08/javascript-http-post-data-to-new-window-or-pop-up/

http://stackoverflow.com/questions/220231/accessing-the-web-pages-http-headers-in-javascript

http://stackoverflow.com/questions/17829983/window-open-location-no-address-bar-is-not-visible-in-ie

http://stackoverflow.com/questions/14146883/how-can-i-open-a-window-popup-in-servlet-and-then-redirect-a-page

http://www.java-forums.org/javaserver-pages-jsp-jstl/38370-how-use-window-open-jsp-call-servlet-open-jsp-new-window.html

http://stackoverflow.com/questions/245124/setting-onload-event-for-newly-opened-window-in-ie6

http://stackoverflow.com/questions/1185305/add-onload-function-to-an-opening-window

http://www.w3schools.com/jsref/met_win_open.asp

http://www.howtocreate.co.uk/perfectPopups.html

http://theheat.dk/blog/?p=2059

Thursday, June 5, 2014

Datasource/Admin Password Decryption in Weblogic


Original Source: http://techtapas.blogspot.com/2011/05/how-to-decrypt-weblogic-passwords-with.html




How to decrypt WebLogic passwords with WLST

Sooner or later you will find yourself in the situation where you do not remember one of the WebLogic Server passwords stored in the configuration files.

Some examples are:
a) The WebLogic Server administrator credentials (username and password) stored in the files config.xml and boot.properties
b) The Node Manager password, also stored in the config.xml file (if you still have the default password, don’t wait and change it now!!)
c) The database password used by the JDBC Data Sources and stored in the file [DOMAIN_HOME]/config/jdbc/[datasource_name].xml

So, here is how to decrypt this data in 3 easy steps. Just follow this techtapa recipe:

Ingredients:
- 1 WLST script
- The path of the WebLogic Server domain
- The encrypted field, for example, username and password from boot.properties

Preparation:
1. Copy this WLST script (you can also download it here).


import os
import sys
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

def decrypt(domainHomeName, encryptedPwd):
    # The encryption service is built from the domain's SerializedSystemIni.dat
    domainHomeAbsolutePath = os.path.abspath(domainHomeName)
    encryptionService = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainHomeAbsolutePath)
    ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptionService)
    clear = ces.decrypt(encryptedPwd)
    print "RESULT:" + clear

try:
    # Expect exactly two arguments: DOMAIN_HOME and the encrypted string
    if len(sys.argv) == 3:
        decrypt(sys.argv[1], sys.argv[2])
    else:
        print "INVALID ARGUMENTS"
        print " Usage: java weblogic.WLST decryptPassword.py DOMAIN_HOME ENCRYPTED_PASSWORD"
        print " Example:"
        print " java weblogic.WLST decryptPassword.py D:/Oracle/Middleware/user_projects/domains/base_domain {AES}819R5h3JUS9fAcPmF58p9Wb3syTJxFl0t8NInD/ykkE="
except:
    print "Unexpected error: ", sys.exc_info()[0]
    dumpStack()
    raise

2. Set your environment (CLASSPATH, PATH, ...). Open a console, go to [FMW_HOME]/wlserver_10.3/server/bin/ and run the script setWLSEnv.sh:
$ . ./setWLSEnv.sh

3. Run the script. Go to the path where you copied the WLST script (decryptPassword.py) and run it. You must provide two arguments, the full path of the WebLogic Server domain home and the string you want to decrypt, for example:

$ java weblogic.WLST decryptPassword.py /opt/oracle/Middleware/user_projects/domains/base_domain {AES}LU5dLPP0PliNb5Ml1Fo7rD2AbNFwLcyLtYUEDTb+8zY\=
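The script needs only the domain home and an encrypted string, so read access to the domain's files is what protects these passwords. The following added example (not part of the original post) lists the files that carry {AES}/{3DES} values, plus security/SerializedSystemIni.dat, and reports whether each is readable beyond its owner. The sample domain, its file names and its values are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Encrypted values as they appear in the config files, e.g. {AES}... or {3DES}...
ENCRYPTED = re.compile(r"\{(?:AES|3DES)\}[A-Za-z0-9+/=\\]+")
KEY_FILE = os.path.join("security", "SerializedSystemIni.dat")

def audit_domain(domain_home):
    """Return {relative_path: (encrypted_value_count, readable_beyond_owner)}."""
    report = {}
    for root, _dirs, files in os.walk(domain_home):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, domain_home)
            count = 0
            if rel != KEY_FILE:  # the key file is always reported
                if not name.endswith((".xml", ".properties")):
                    continue
                with open(path, errors="replace") as fh:
                    count = len(ENCRYPTED.findall(fh.read()))
                if count == 0:
                    continue
            mode = os.stat(path).st_mode
            report[rel] = (count, bool(mode & (stat.S_IRGRP | stat.S_IROTH)))
    return report

def build_sample_domain():
    """Create a constructed sample domain; every value in it is made up."""
    home = tempfile.mkdtemp(prefix="sample_domain_")
    boot = os.path.join("servers", "AdminServer", "security", "boot.properties")
    samples = {
        KEY_FILE: ("placeholder, not a real key", 0o600),
        boot: ("username={AES}Q09OU1RSVUNURUQ=\npassword={AES}U0FNUExF\\=\n", 0o644),
        os.path.join("config", "jdbc", "sampleDS-jdbc.xml"):
            ("<password-encrypted>{AES}RVhBTVBMRQ==</password-encrypted>", 0o640),
        os.path.join("config", "config.xml"): ("<domain/>", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return home

if __name__ == "__main__":
    for rel, (count, exposed) in sorted(audit_domain(build_sample_domain()).items()):
        print(rel, count, "readable beyond owner" if exposed else "owner-only")
```

To audit a real domain, call audit_domain() with its DOMAIN_HOME path as the account that owns the domain files.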

Thursday, May 29, 2014

Oracle SQL Developer - Display Time for any Date fields in Oracle DB Tables



By default, Oracle SQL Developer displays date fields with day, month and year information only.

If we need the time as well for all date fields, do the following.

In Oracle SQL Developer, go to Tools >> Preferences >> Database >> NLS Parameters and update the Date Format field to the value DD-MON-RR HH:MI:SS

Wednesday, April 23, 2014

OSB Build Scripts

http://oraclefusionguru.blogspot.com/2013/10/getting-started-with-continuous.html

Friday, February 28, 2014

AIX - Top 20 Folders with Size

du -xk /utl | sort -n | tail -20
/utl is the folder under which the  



Delete all files inside a directory including sub directories

find . -type f -exec rm {} \;