Sunday, September 21, 2008

Support tribal children in India through grant from AMEX

American Express is providing $2.5 million in funding to carry out winning projects, based on the total votes they receive in the final round of voting. Winning project gets $1.5 million in funding, with the rest $1 million given to the other top 4 out of 5 projects.

The Jharkand Tribal Project is an investment in a bright future for generations of tribal people - education for children and adults, caring for the environment and providing employment through organic farming practices, preserving indigenous crafts such handcrafts & weaving and preserving cultural identity and values through holistic education. We aim to strengthen the individual in every community by teaching life skills such as yoga and meditation.

The fullfilling organization for this project is "Art of Living Foundation".

Thursday, August 7, 2008

Oracle WebLogic Server 10g Release 3 released

After BEA's acquisition by Oracle, the first release of Weblogic server now known as "Oracle Weblogic Server" has been released as Oracle Weblogic Server 10.3. More information including download link is available here.

Monday, August 4, 2008

OWSM Patchset released

OWSM Patchset (as part of SOA Suite patchset) has been released.
  • Download Patchset
  • Documentation (incl. release notes and updated OWSM admin and deployment guides)
In summary, this patchset for OWSM includes
  1. Horizontal migration/SDLC (Test -> Stage -> Prod) tool
  2. Cloning tool
  3. AXIS 1.4 agent
  4. Command line tool for purging old policy versions
  5. Critical bug fixes

Monday, July 28, 2008

Book on Oracle Web Services Manager

A book on Oracle Web Services Manager has just been published written by Sitaraman Lakshminarayanan and reviewed by Marc Chanliau(Oracle). It should complement the official product documentation by providing examples of real life use cases and how to solve them using Oracle Web Services Manager(OWSM).

Monday, June 9, 2008

How To - 10.1.3 OWSM: Changing database location for monitoring data

To change the database where OWSM monitoring metrics are stored, follow these steps.
  1. Load OWSM schema in the target database by running irca script.
  2. Go to ORACLE_HOME/owsm/config/coreman directory, and put new database details in the following properties
    • monitor.repository.* in monitor-config-installer.properties
    • monitor.repository.* in collector-config-installer.properties
  3. Obfuscate the passwords in the above mentioned files using wsmadmin tool
    ORACLE_HOME/owsm/bin/wsmadmin encodePasswords ORACLE_HOME/owsm/config/coreman/monitor-config-installer.properties monitor.repository.password
  4. Redeploy the monitor application by running
    ORACLE_HOME/owsm/bin/wsmadmin deploy monitor
Monitoring metrics will be sent to the newly configured database.

How To - 10.1.3 OWSM: Changing database location for Log policy step

When you configure Log policy step in the policy pipeline to log the SOAP message, the message is stored in OWSM database. You may want to log the message for audit, non-repudiation or debugging.
Anyways, if you want to relocate your SOAP message logging to another database, then follow these steps.
  1. Load OWSM schema in the target database by running irca script.
  2. Login to OWSM Control, go to Policy Management, and click on Edit button for the gateway or agent where you have the Log policy step.
  3. Modify cfluent.messagelog.db.* properties, click the save button, and finally click the commit link.
With the next request received by the gateway/agent message logs will be stored in the new database.

Tuesday, June 3, 2008

FAQ - OWSM 10.1.3 : Does OWSM support FCF with Oracle RAC database?

OWSM supports connections to Oracle RAC database (which is typically used in HA situations) using the multi node syntax for entering jdbc url viz. host1:port^host2:port. But, it doesn't support fast connection failover (FCF) yet.
Note: OWSM uses its own connection pooling mechanism to connect to the database instead of using the application server connection pool.

Wednesday, May 14, 2008

How To - 10.1.3 OWSM: Pass SAML token to the service after verification

The "Verify SAML token" policy step when executed removes the SAML token xml from the request message. This is inline with ws-security processing.

But, sometimes you may require the SAML token to be passed to the web service after it's verified by OWSM. This can be achieved by
Writing a custom policy step, and placing it immediately after the "Verify SAML token" step in the policy request pipeline. The custom step needs to extract the SAML token xml from message context and put it back into the request payload.

public IResult execute(IMessageContext ctx) throws Fault {
MessageContext context = (MessageContext) ctx;
ArrayList samlTokensList = context.getProperty("SAML_ASSERTIONS");
String samlToken = samlTokensList.get(0);
// now you can add this xml to either the SOAP body or a header element.

Sunday, April 13, 2008

My session in RSA 2008 conference at San Francisco

I co-presented a session with Marc Chanliau on "Java and Web Services Security in Action" under the SOA track in RSA 2008 conference held at Moscone Center in San Francisco. Inspite of the session being at 8am on Wed morning, we got a full room of audience. Thanks to everyone who attended.

The presentation can be downloaded from here.

Replay of Thomas Kurian's keynote at RSA conference 2008 in San Francisco

Thomas Kurian delivered keynote at RSA conference 2008 in San Francisco. He highlighted that customers are looking for holistic approach towards security especially in the 3 areas - Data Protection, Identity and Access Management, and Controls Enforcement. He was later joined by John Stewart, Chief Security Officer, Cisco Systems, who addressed how Cisco is using Oracle solutions to secure major portions of it's business.

See replay of the keynote here.

Friday, April 4, 2008

How To - 10.1.3 OWSM: Configure gateway to talk to failover enabled web services

It's a common use case to provide fail over for your web services. If OWSM Gateway is protecting such webservices then one of the following methods can be used for such configuration.

Method 1: Gateway -> Load Balancer (LBR) -> Web Services
This is the most commonly used approach of using a hardware load balancer between gateway and the web services. When performing service registration in the gateway, enter the load balancer endpoint.

Method 2: Gateway -> Oracle HTTP Server (OHS) -> Oracle Web Services
Here OHS acts as a software load balancer.

Method 3: Gateway -> Web Services
Gateway also has a built in mechanism to perform failover on the webservices by passing in bunch of failover urls. You can configure it at the time of service registration (page 2) or later on by editing service details, and clicking "Modify Protocol Parameters".
There are 3 relevant properties that need to be set.

  • FailoverURLs - List of comma separated web service urls. Gateway communicates with the web service endpoint in the order listed.
  • Attempts - Number of failed attempts before which Gateway tries to contact next url from the FailoverURLs list. The default value is 5, but you change it to 1 if you want to failover to next web service after first failed attempt.
  • RetryInterval - Gateway waits for this interval (ms) before retrying the same url based on the number of attempts set.

Monday, March 24, 2008

NIST guide to secure web servies

A well written guide on the topic of securing web services coming from the Computer Security Resource Center (CSRC) of the U.S. National Institute of Standards and Technology (NIST). SP 800-95, “Guide to Secure Web Services” provides detailed information on standards for Web services security.

The document explains the security features of XML, Simple Object Access Protocol (SOAP), the Universal Description, Discovery and Integration (UDDI) protocol, and other open standards related to Web services. It also provides recommendations to ensure the security of Web services-based applications.

A must read ...

FAQ: Understanding Oracle versioning of application server products

Ever wondered what's behind each digit of version of Oracle Middleware (application server) products including OWSM? See the run down of the convention followed below.

10=Major release family number (as in 10g)

1=DB client version consumed by the release (AS10.1.3 uses db client

3=AppServer Release number (as in 10gR3)

3=Patchset number (as in 10gR3 PS3)

0=Platform specific release number (none in this case)

Monday, March 17, 2008

How to get rid of Windows Update restart nag

I stumbled upon this useful post Windows: Get rid of Windows Update restart nag that most of us using Windows face the dreaded restart pop-up.

OWSM FAQ: Types of installations and licensing

OWSM is packaged and licensed as either

  • SOA suite (alongwith BPEL, ESB, etc.)
  • Standalone OWSM
Both install packages comes with 2 options to install - Basic and Advanced
Once the product is installed using Basic install it cannot be migrated to Advanced install.
The following table captures the various combinations, and lists some of the targeted usage for each of them.

Type of installationTargeted usageComments
SOA Suite Basic InstallDemos, Evaluationspre-packaged with Oracle Olite database, runs on production quality OC4J
SOA Suite Advanced InstallProductionallows configuration with Oracle database, runs on production quality OC4J
Standalone OWSM Basic InstallDeveloperspre-packaged with Oracle Olite database, lightweight quick install for developer use, runs on oc4j_extended.zip
Standalone OWSM Advanced InstallProduction, HA topologyallows configuration with Oracle database, runs on production quality OC4J. Required for OWSM HA topology setup. Refer to Configuring OWSM for HA OBE.

OWSM (and any of it's components) comes with per-CPU license inline with other Oracle products except for agents which are offered for free.
Any bundled software such as OracleAS and OLite database comes with restricted use license.

Related links:
Console authentication based on type of install

Thursday, February 28, 2008

FAQ - OWSM 10.1.3 : Dependent jars to use when developing custom steps

OWSM custom step development requires following jars to be used at a minimum to compile the project - saaj.jar and coresv-4.0.jar
Only specific versions of these jars should be used for compiling the project which can be found at
ORACLE_HOME/owsm/lib/extlib/saaj.jar and

If any other saaj.jar is used then you may get the following exception in your logs.


Wednesday, January 16, 2008

News: Oracle agrees to acquire BEA for $19.375 per share in cash

Oracle agrees to acquire BEA for $19.375 per share in cash. The deal represents a 24% premium over BEA Systems' close on Tuesday at $15.58. See the official press release here.

Tuesday, January 15, 2008

News: Oracle SOA suite wins InfoWorld award for 2008

Oracle SOA Suite 10gR3 wins InfoWorld's 2008 Technology of the Year award in applications and middleware. Of special mention is this snippet

Topping the stack are the OWSM (Oracle Web Services Manager) -- locking down services with sturdy security and policy management -- and an easy-to-use rules facility, Oracle Business Rules Engine, for processing business logic and authoring customizable rule sets.

Read full story here.

Monday, January 14, 2008

Whitepaper on SOA security

A whitepaper on "What's required to secure Service Oriented Architecture" has been published on OTN by Marc Chanliau. Check it out here. It's also linked from the OWSM's OTN page.