Wednesday, September 30, 2009

OWSM 11g resources

Here are some resources on OWSM 11g that might be useful.
  • OTN site - contains links to download, documentation, white papers, etc. - worth bookmarking
  • OWSM 11g whitepaper
  • XML Gateway ecosystem partners - Intel, Layer7, Sonoa, Vordel (will write another blog post covering it)
  • 11g FAQ on Oracle Wiki - It's on the public wiki, and I encourage you to contribute to it. This is in addition to the FAQs I post on this blog.
  • Troubleshooting tips on Oracle Wiki - It's on the public wiki, and I encourage you to contribute to it.
  • Oracle's YouTube channel - Search for "OWSM" in YouTube's search box

OWSM videos on YouTube

We'll be posting OWSM videos to YouTube covering features and benefits as well as How-Tos for some common scenarios.
Take a look at the first video posted on Oracle's YouTube channel, OracleWebVideo. You can also search for "OWSM" directly on youtube.com.

You can provide blog comments on areas you wish us to cover.

Why does STS WS-Trust spec differ for SAML usage?

The WS-Security SAML token profile lists 3 types of tokens, represented using the confirmation-method element:
  • bearer
  • sender-vouches
  • holder-of-key (HOK)
But the WS-Trust RST template (which is also exposed through WS-SecurityPolicy) lists the following token types - SAML 11, SAML 20. It doesn't list any of the confirmation methods - bearer, sender-vouches, HOK.

Instead, it lists key-type with these values
  • Symmetric
  • Public
  • Bearer
To request a SAML 2 bearer token from the STS, one sets
token type = SAML2
key type = Bearer
To request a SAML 2 HOK asymmetric token from the STS, one sets
token type = SAML2
key type = Public
To request a SAML 2 HOK symmetric token from the STS, one sets
token type = SAML2
key type = Symmetric

What does one set to get a SAML sender-vouches token? The WS-Trust spec doesn't handle it today.
Why did the WS-Trust spec authors come up with another representation mechanism instead of reusing the SAML token profile's mechanism of representing tokens using confirmation-method?
I hope these issues can be fixed in a later version of the WS-Trust spec.

FAQ - OWSM 11g: Can I deploy OWSM policy manager on a different VLAN?

OWSM policy manager is a JEE application that is deployed on a WebLogic (WLS) managed server. Customers who like to segregate deployments of security apps and integration/business apps into different VLANs can deploy OWSM policy manager on a separate WebLogic server running in the security VLAN by following these steps.

Step 1: Run RCU to install the database schema required for the SOA Suite install. This can run on a server in a database VLAN.
Step 2: Install SOA Suite on a server in the security VLAN. This will contain OWSM policy manager running on a managed server and EM FMW Control running on the AdminServer.
Step 3: Install a WLS managed server (using the SOA Suite installer) on a server in the application VLAN, joining the WLS domain from step 1 install.
Step 4: Deploy SOA composite apps to the managed server in the application VLAN, and start applying OWSM policies to them using EM (or in JDeveloper itself).

FAQ - OWSM 11g: What port does OWSM policy manager listen on?

OWSM 11g policy manager provides an RMI interface for communicating with OWSM agents and Enterprise Manager.
On WebLogic Server, it uses the RMI port configured for WebLogic, which is 7001 by default.
WebLogic multiplexes different protocols (incl. HTTP, RMI, etc.) on the same port.

FAQ - OWSM 11g: How does OWSM/Oracle SOA work with .NET?

OWSM works with .NET in 3 areas:
  • OWSM 11g policies are WS-* standards compliant and interoperable on the wire with .NET WCF.
  • Oracle and Microsoft have tested interoperability at several interop events.
  • OWSM supports the WSS 1.1 Kerberos token profile for both client and service policies to provide identity propagation using Kerberos instead of SAML in .NET environments.

Thursday, September 3, 2009

FAQ - OWSM 11g: What is local optimization and impact of it on OWSM policies?

Oracle SOA Suite has a feature called local optimization. When it is ON (by default it's ON), a SOA composite that invokes another SOA composite within the same WebLogic (WLS) server or cluster of WLS servers bypasses the whole SOAP stack and makes a direct Java call to optimize the invocation.

What is the impact of local optimization on OWSM policy execution?
When local optimization is ON, OWSM policies are bypassed and hence aren't executed.

How do I turn off local optimization?
In the SOA composite (composite.xml) which invokes another SOA composite, add the following property to the reference calling the service.

    <property name="oracle.webservices.local.optimization">false</property>
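
A check for the bypass described above, added here as an example (not code from the original post or from Oracle): it scans a composite.xml for references that carry OWSM policy attachments but do not set oracle.webservices.local.optimization to false. The sample composite is constructed, and its element layout (reference, binding.ws, PolicyReference) and policy URIs are assumptions; only the calling composite is inspected.

```python
import xml.etree.ElementTree as ET

PROP = "oracle.webservices.local.optimization"  # property name given in the post

# Constructed sample composite.xml (simplified; layout and policy URIs are assumptions).
SAMPLE = """<composite name="OrderFlow" xmlns="http://xmlns.oracle.com/sca/1.0"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <reference name="CreditCheck">
    <binding.ws port="urn:example#wsdl.endpoint(CreditSvc/CreditPort)">
      <wsp:PolicyReference URI="oracle/wss11_saml_token_with_message_protection_client_policy"/>
    </binding.ws>
  </reference>
  <reference name="Shipping">
    <binding.ws port="urn:example#wsdl.endpoint(ShipSvc/ShipPort)">
      <wsp:PolicyReference URI="oracle/wss_username_token_client_policy"/>
      <property name="oracle.webservices.local.optimization">false</property>
    </binding.ws>
  </reference>
  <reference name="Audit">
    <binding.ws port="urn:example#wsdl.endpoint(AuditSvc/AuditPort)"/>
  </reference>
</composite>"""


def local(tag):
    """Strip the XML namespace so the check does not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]


def audit(composite_xml):
    """Return [(reference name, [policy URIs])] for references that have policies
    attached but do not explicitly set the local-optimization property to false."""
    findings = []
    for ref in ET.fromstring(composite_xml).iter():
        if local(ref.tag) != "reference":
            continue
        policies = [e.get("URI") for e in ref.iter() if local(e.tag) == "PolicyReference"]
        disabled = any(
            local(e.tag) == "property" and e.get("name") == PROP
            and (e.text or "").strip().lower() == "false"
            for e in ref.iter())
        # No policies attached means nothing can be skipped, so only flag the rest.
        if policies and not disabled:
            findings.append((ref.get("name"), policies))
    return findings


if __name__ == "__main__":
    for name, policies in audit(SAMPLE):
        print(f"{name}: local optimization not disabled; policies may be bypassed: {policies}")
```

A flagged reference is only a candidate: the bypass applies when the target composite runs in the same WLS server or cluster, which the file alone does not show.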