| Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Linux x86-64 Part Number E14770-05 |
|
|
View PDF |
| Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Linux x86-64 Part Number E14770-05 |
|
|
View PDF |
This chapter describes issues associated with Web services security and administration, including Oracle Web Services Manager. It includes the following topics:
This section describes security issues and their workarounds. It includes the following topics:
Section 23.1.1, "Preventing Denial of Service Attack and Recursive Node Attack"
Section 23.1.2, "Guidelines for Using @SecurityPolicy Annotation"
Section 23.1.3, "Resolving CertificateExpiredException for SAML Holder of Key Policies"
Section 23.1.4, "Restarting Applications After Attaching Policies to ADF and WebCenter Applications"
Section 23.1.5, "Attaching Policies to ADF and WebCenter Web Services in a Cluster"
Section 23.1.6, "Naming Policies—oracle_<policyname> is Not Valid"
Section 23.1.7, "Using Multibyte User Credentials with wss_http_token_* Policy"
Section 23.1.8, "Importing Custom Policies—Delay Before Policy is Available"
Section 23.1.9, "Importing Custom Policies Before Attaching and Deploying to a Service Application"
Section 23.1.11, "Reviewing Policy Configuration Override Values After Detaching a Client Policy"
Section 23.1.12, "Deprecated and Unsupported Oracle Access Manager Policies"
Generally, DoS and recursive node attacks are prevented by XML Firewall solutions. Oracle SOA Suite provides capabilities to prevent denial of service attack and recursive node attack by configuring the envelope size and nesting limits in the SCABindingProperties.xml and oracle-webservices.xml. For more information, see "Configuring Security in Web Services" in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle SOA Suite.
The SecurityPolicy annotations used for policy attachment to ADF and WebCenter versus WebLogic Web services are unique and not interchangeable. A security policy attachment defined in your Web service application will not be enforced in the following scenarios:
If you attach a security policy to a ADF or WebCenter Web service using the weblogic.wsee.jws.jaxws.owsm.SecurityPolicy annotation.
If you attach a security policy to a WebLogic (Java EE) Web service using the oracle.webservices.annotations.SecurityPolicy annotation.
To guarantee that a security policy attachment is enforced in your Web service application, ensure that you use the appropriate annotation in your application code:
oracle.webservices.annotations.SecurityPolicy—Use to attach policies to ADF or WebCenter Web services.
weblogic.wsee.jws.jaxws.owsm.SecurityPolicy—Use to attach policies to WebLogic (Java EE) Web services.
For SAML holder of key policies (for example, oracle/wss10_saml_hok_with_message_protection_service_policy), a CertificateExpiredException is returned if the an expired certificate is present in the keystore, regardless of whether this certificate is being referenced. To resolve this exception, remove the expired certificate from the keystore.
After attaching a policy to a Web service in an ADF or WebCenter Web service application, you need to stop and then restart the application for the change to take effect. You need to wait approximately 30 seconds (or the equivalent of the configured Graceful Shutdown Timeout time) between stopping and restarting the application. During this time, the server is allowing all global transactions to complete before shutting down the application. If you do not wait the configured Graceful Shutdown Timeout time, then the application will not be restarted appropriately and you will not be able to access it.
To avoid waiting the graceful shutdown timeout period, you can restart the application twice.
Policy attachment is not synchronized automatically for ADF and WebCenter Web services in a cluster. When using ADF and WebCenter Web services in a cluster, you must attach and/or detach policies to each instance of the cluster.
You cannot prefix the name of a policy with "oracle_". For example, oracle_wss_http_token_service_policy is not a valid policy name. You must rename the policy to remove "oracle_" as the prefix.
When you export a policy using Oracle Enterprise Manager, the policy XML file is renamed from oracle/<policyname> to oracle_<policyname>. Before importing the policy file, you need to remove "oracle_" from the policy name. Otherwise, you will receive exceptions when trying to use the policy.
You can import the policy file using Oracle Enterprise Manager or MDS WLST. If importing the policy file using the MDS WLST commands, ensure that you import it within the oracle directory. For more information, see "Importing Web Service Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
In this release, multibyte user credentials are not supported for the wss_http_token_* policies. If multibyte user credentials are required, use a different policy, such as wss_username_token_* policy. For more information about the available policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
After importing a custom policy, there will be a delay before the policy is available.
It is recommended that you import custom policies before attaching and deploying them to a service application.
If you deploy an application with policies that do not exist in the Metadata Store (MDS), and subsequently import the policies, you need to restart the server for the policy attachment count to be updated.
When performing a bulk import of policies to the MDS repository, if the operation does not succeed initially, retry the operation until the bulk import succeeds.
For the most part, this can occur for an Oracle RAC database when the database is switched during the metadata upload. If there are n databases in the Oracle RAC database, then you may need to retry this operation n times.
For more information about bulk import of policies, see "Migrating Policies" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
If you attach a policy to a client, override policy configuration values, and subsequently detach the policy, the policy configuration override values are not deleted. When attaching new policies to this client, ensure that you review the policy configuration override values and update them appropriately.
The following OAM scenario is deprecated for Oracle Fusion Middleware 11g R1:
Authentication between ADF client and SOA service using Oracle WSM OAM security policies. In this scenario, the ADF client sends the ObSSOCookie in the Oracle proprietary SOAP header. It is recommended that you use a SAML-based policy instead.
The following Oracle Access Manager (OAM) scenarios are not supported in Oracle Fusion Middleware 11g R1:
Authentication through Oracle WSM OAM service policy using ObSSOCookie in the HTTP header.
Authentication through Oracle WSM OAM service policy using ObSSOCookie in a proprietary SOAP header of the request sent by another service.
In each case, clients should send a SAML token instead of an ObSSOCookie.
This section describes general issue and workarounds. It includes the following topic:
Section 23.2.1, "Testing Web Services If Oracle Web Services Manager Is Not Installed"
Section 23.2.2, "Error When Testing a WS-Addressing Policy Attached to a SOA Composite"
Section 23.2.3, "Refreshing Stale Display After Assertion Deletion"
If you do not elect to install Oracle Web Services Manager during your Oracle Fusion Middleware installation, the Web services test page available using Oracle Enterprise Manager will be broken.
To resolve this issue, uncomment the active.protocol property in the $domain_home/config/fmwconfig/policy-accessor-config.xml file and set it as follows:
<property name="active.protocol">classpath</property>
You must restart the server in order for the change to take effect.
If you attach a WS-Addressing policy to a SOA Composite and then attempt to test the Web service in Fusion Middleware Control, you might see the following error:
java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: A required header representing a Message Addressing Property is not present
To work around this problem, click the Parse WSDL button on the Web services test page, and then re-test the Web service on the Test Web Services page:
Enable the Custom option for WS-Addressing.
Enter the Policy URI.
Click Test Web Service.
If you add an assertion to a policy and subsequently delete it, in some cases the assertion details may still be displayed in the details area. If this occurs, click on another assertion in the Assertions list to refresh the display.
When configuring the Web service endpoint for a SOA, ADF, or WebCenter Web service, if you set the Maximum Request Size to -1, indicating that there is no maximum request size, then the Unit of Maximum Request Size setting is irrelevant and defaults to bytes.
The following information is supported in English only in this release of Oracle Enterprise Manager:
All fields in the policy and assertion template except the orawsp:displayName field.
If using the ?orawsdl browser address, the orawsp:description field.
|
 Copyright © 2009, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
