

Friday, January 29, 2016

oracle.fabric.permission.CompositePermission: access denied

Error while deploying application in Oracle 12c 12.1.3 soa suite


Got a new environment installed by the system administrator and I tried deploying the SOA suite projects. Unfortunately it failed with the following error.


There was an error deploying the composite on soa_server1: java.security.AccessControlException: access denied ("oracle.fabric.permission.CompositePermission" "default" "provision"): access denied ("oracle.fabric.permission.CompositePermission" "default" "provision").


After hours of debugging we found that the error was because of the wrong JDK (jdk1.8) being used for the SOA suite installation. The supported version for SOA suite 12.1.3 is jdk 1.7.

Luckily we didn't have to reinstall the weblogic server with the new JDK 1.7. It is pretty easy to change the JDK home in the domain config files.


Steps to change JDK home in Weblogic domain

  • Log in to the Unix/Windows machine
  • Edit setDomainEnv.sh under the /bin directory
  • Search for all the JDK 1.8 references and replace them with the JDK 1.7 path
Example:

SUN_JAVA_HOME="/u01/app/oracle/products/jdk1.7.0_79"
export SUN_JAVA_HOME

  • Now restart all the servers.

Wednesday, January 27, 2016

SOA Web service security

A simple way of protecting web-services from unauthorized access is to use standard WS security. Web Services Security (WS-Security, WSS) is an extension to SOAP to apply security to Web services.

Oracle SOA suite 11g/12c provides out-of-the-box WS-Policies to protect web services and to securely call a protected web service. In this article I'll show you how to do this.


How to protect a web-service with username and password


  • Open the composite.xml
  • Right Click on the exposed services and click Configure SOA WS policies..

  • Under Security click on the + button
  • Scroll down and select oracle/wss_username_token_service_policy and then OK

  • Now deploy and test. Very simple, isn't it?
  • For OSB, the same option is available on the proxy services.
  • To test this web service, a WSSE header has to be passed with the username and password.
    • Please note that the username/password should be defined in the weblogic server. Refer to the section below to learn how to create a weblogic user.
Example webservice call:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:bpel="http://xmlns.oracle.com/TestMDSApplication/Project2/BPELProcess1">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>weblogic</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome1</wsse:Password>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <bpel:process>
         <bpel:input>as</bpel:input>
      </bpel:process>
   </soapenv:Body>
</soapenv:Envelope>


How to call a protected web-service


Now that we protected the service from unauthorized access, how do we call it from another webservice?
  • Open the composite.xml
  • Right Click on the external reference and click Configure SOA WS policies..
  • Under Security click on the + button
  • Scroll down and select oracle/wss_username_token_client_policy and then OK
  • For OSB, the same option is available on the business services.
  • The username and password to be passed to the service should be configured as keys in the EM console > security credentials section. Refer to the next section to learn how to do that.
  • The configured key has to be entered in the csf-key property in the reference tag in composite.xml, as highlighted below.
composite.xml
<reference name="asyncProc"
             ui:wsdlLocation="http://localhost:7101/soa-infra/services/testing/AsyncProcess!1.0/WSDLs/AsyncBPELProcess.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcess)"/>
    <binding.ws port="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.endpoint(asyncbpelprocess_client_ep/AsyncBPELProcess_pt)"
                location="http://localhost:7101/soa-infra/services/testing/AsyncProcess/asyncbpelprocess_client_ep?WSDL"
                soapVersion="1.1">
      <property name="weblogic.wsee.wsat.transaction.flowOption" type="xs:string" many="false">WSDLDriven</property>
      <property name="csf-key" type="xs:string" many="false">TestKey</property>
    </binding.ws>
  </reference>


How to configure keys in Weblogic server


  • Log on to weblogic em console
  • Right click on Weblogic Domain > Default Domain
  • Click on Security > Credentials 
  • Create a new map (oracle.wsm.security) and create a key under oracle.wsm.security
    • I think the map name has to be oracle.wsm.security




How to create a user in Weblogic server


This is a very simple configuration where no external identity stores (like OID or MS Active Directory) are configured with the weblogic server.

  • Go to Weblogic Console home > Security Realms > myrealm
  • Click on Users and Groups tab
  • Click on New button and enter username/password details.


Thursday, January 21, 2016

Launching Graphical User Interface from putty

How to launch GUI from putty?


I use putty to access weblogic server for installation, maintenance etc, so I never needed graphical user interface in Linux as most of the work could be done on the terminal. However things have changed in the latest version of weblogic server because oracle stopped supporting Weblogic config using console mode.

Running config.sh would throw an error saying "x11 error can't open display" in the log file

sh config.sh -mode=console -log=/tmp/wl_config_sh.log


Here is what you need to do to set up GUI for putty
  • Install xming server
  • Enable X11 forwarding on putty
  • Run the program


Install xming server


Xming is the leading X Window System Server for Microsoft Windows 8/7/Vista/XP (+ server 2012/2008/2003). It is fully featured, small and fast, simple to install and because it is standalone native Microsoft Windows, easily made portable (not needing a machine-specific installation).

Xming can be used with implementations of Secure Shell (SSH) to securely forward X11 sessions from other computers. It supports PuTTY and ssh.exe, and comes with a version of PuTTY's plink.exe.

Note: And this software works even without admin rights on your PC


X11 forwarding in putty


Select the Enable X11 forwarding checkbox and enter localhost:0




Start GUI application


Now any GUI app run from the putty session will open the GUI application in windows. I tried the following and it worked

Oracle universal installer
rcu
config.sh
firefox






Wednesday, January 20, 2016

Decrypt Weblogic passwords


How to decrypt passwords stored by Weblogic

If you ever forget your DB password, Weblogic server password or any other credentials that were entered in the Weblogic console, there is an easy way to get them decrypted using Weblogic scripting.

Encrypted passwords for data-sources can be found under $DOMAIN_HOME/config/jdbc folder.

e.g., 
<password-encrypted>{AES}ceBOdxgwjj3c7VLVSEqsHlAtWU7ov80fOXqgJpg6YIE=</password-encrypted>

Create a new file decrypt.py with the below content and run it as follows

wlst.sh decrypt.py $DOMAIN_HOME $ENCRYPTED_PASSWORD

e.g.,
/fmw/middleware/wlserver_10.3/common/bin/wlst.sh /users/pras/work/decryptPassword.py /fmw/middleware/user_projects/domains/basedomain "{AES}V4KtKYakcSNzIYf6ER4NlPn1234C9RbDzyqbdy0Vec="

File: decrypt.py 


import os
import sys
import weblogic.security.internal.SerializedSystemIni
import weblogic.security.internal.encryption.ClearOrEncryptedService

# Runs under WLST (Jython 2.x), hence the Python 2 print statements.
def decrypt(domainHomeName, encryptedPwd):
    # The encryption service is built from the key material in the domain home.
    domainHomeAbsolutePath = os.path.abspath(domainHomeName)
    encryptionService = weblogic.security.internal.SerializedSystemIni.getEncryptionService(domainHomeAbsolutePath)
    ces = weblogic.security.internal.encryption.ClearOrEncryptedService(encryptionService)
    clear = ces.decrypt(encryptedPwd)
    print "RESULT:" + clear


try:
    # Expect exactly two arguments: the domain home and the encrypted value.
    if len(sys.argv) == 3:
        decrypt(sys.argv[1], sys.argv[2])
    else:
        print "INVALID ARGUMENTS"
        print " Usage: java weblogic.WLST decryptPassword.py DOMAIN_HOME ENCRYPTED_PASSWORD"
        print " Example:"
        print " java weblogic.WLST decryptPassword.py D:/Oracle/Middleware/user_projects/domains/base_domain {AES}819R5h3JUS9fAcPmF58p9Wb3syTJxFl0t8NInD/ykkE="
except:
    print "Unexpected error: ", sys.exc_info()[0]
    dumpStack()
    raise
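Because the script needs nothing beyond read access to the domain home, the encrypted values are only as protected as the file modes on that directory. The following added example (plain Python 3 run outside WLST, not part of the original post) reports secret-bearing files that users outside the owner and group can read or write; the key file name, the {3DES} prefix and the sample tree are assumptions or constructed values.

```python
import os
import re
import stat
import tempfile

# Encrypted values carry the {AES} prefix shown above; {3DES} is the older form.
ENCRYPTED = re.compile(rb"\{(?:AES|3DES)\}[A-Za-z0-9+/]+=*")
KEY_FILE = "SerializedSystemIni.dat"  # assumption: key file named after the class above
SAMPLE = [  # constructed domain tree: (relative path, content, mode)
    ("config/jdbc/ds-jdbc.xml", b"<password-encrypted>{AES}Q09OU1RSVUNURUQ=</password-encrypted>", 0o644),
    ("security/SerializedSystemIni.dat", b"constructed", 0o600),
    ("readme.txt", b"no secrets", 0o644),
]


def holds_secret(path, name):
    """True for the key file or a file whose first MiB holds an encrypted value."""
    if name == KEY_FILE:
        return True
    with open(path, "rb") as fh:
        return ENCRYPTED.search(fh.read(1 << 20)) is not None


def audit_domain(domain_home):
    """Return sorted (relative path, octal mode) pairs for secret-bearing
    files that users outside the owner and group can read or write."""
    findings = []
    for dirpath, _dirs, files in os.walk(domain_home):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if holds_secret(path, name) and mode & (stat.S_IROTH | stat.S_IWOTH):
                    findings.append((os.path.relpath(path, domain_home), oct(mode)))
            except OSError:
                continue  # unreadable or vanished file: nothing to report
    return sorted(findings)


def demo():
    """Build the constructed SAMPLE tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as home:
        for rel, body, mode in SAMPLE:
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_domain(home)
```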

Wednesday, January 06, 2016

Convert Async BPEL to Synchronous BPEL

Async BPEL to Sync BPEL

Following are the steps to convert an Async BPEL process to a Synchronous BPEL process in SOA 12c. Most of these steps should work on 11g as well (additionally, the components file needs changing to reflect the synchronous process).

The following files need changing:


  • composite.xml
  • *.bpel
  • *.wsdl

File: composite.xml


Open up composite.xml and remove the highlighted values from the service tag.

<service name="asyncbpelprocess_client_ep" ui:wsdlLocation="WSDLs/AsyncBPELProcess.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcess)"
                    callbackInterface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcessCallback)"/>
    <binding.ws port="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.endpoint(asyncbpelprocess_client_ep/AsyncBPELProcess_pt)"/>
    <callback>
      <binding.ws port="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.endpoint(asyncbpelprocess_client_ep/AsyncBPELProcessCallback_pt)"/>
    </callback>
  </service>


And remove callbackInterface from the components tag

<component name="AsyncBPELProcess" version="1.1">
    <implementation.bpel src="BPEL/AsyncBPELProcess.bpel"/>
    <componentType>
      <service name="asyncbpelprocess_client" ui:wsdlLocation="WSDLs/AsyncBPELProcess.wsdl">
        <interface.wsdl interface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcess)"
                        callbackInterface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcessCallback)"/>
      </service>
    </componentType>
    <property name="bpel.config.oneWayDeliveryPolicy" type="xs:string" many="false">async.persist</property>
  </component>



Replace the bpel.config.oneWayDeliveryPolicy property (async.persist) with the bpel.config.transaction property set to required

Before
<property name="bpel.config.oneWayDeliveryPolicy" type="xs:string" many="false">async.persist</property>

After
<property name="bpel.config.transaction" type="xs:string" many="false">required</property>


File: *.wsdl


  • Open up the wsdl file that bpel uses and add output variable to the process operation.
  • Remove the callback port type.
  • Remove requester role from the partnerLinkType.

<!-- portType implemented by the AsyncBPELProcess BPEL process -->
<wsdl:portType name="AsyncBPELProcess">
    <wsdl:operation name="process">
        <wsdl:input message="client:AsyncBPELProcessRequestMessage"/>
        <wsdl:output message="client:AsyncBPELProcessResponseMessage"/>
    </wsdl:operation>
</wsdl:portType>

<!-- portType implemented by the requester of AsyncBPELProcess BPEL process
for asynchronous callback purposes
-->
<wsdl:portType name="AsyncBPELProcessCallback">
    <wsdl:operation name="processResponse">
        <wsdl:input message="client:AsyncBPELProcessResponseMessage"/>
    </wsdl:operation>
</wsdl:portType>


<plnk:partnerLinkType name="AsyncBPELProcess">
    <plnk:role name="AsyncBPELProcessProvider">
        <plnk:portType name="client:AsyncBPELProcess"/>
    </plnk:role>
    <plnk:role name="AsyncBPELProcessRequester">
        <plnk:portType name="client:AsyncBPELProcessCallback"/>
    </plnk:role>
</plnk:partnerLinkType>


File: *.bpel


  • Remove partnerRole from the partnerLink tag

 <partnerLink name="asyncbpelprocess_client" partnerLinkType="client:AsyncBPELProcess" myRole="AsyncBPELProcessProvider" partnerRole="AsyncBPELProcessRequester"/>
    </partnerLinks>


  • Replace the invoke operation at the end with the reply operation
    • Before

<invoke name="callbackClient" partnerLink="asyncbpelprocess_client" portType="client:AsyncBPELProcessCallback"
            operation="processResponse" inputVariable="outputVariable"/>

    • After

<reply name="Reply" variable="outputVariable" partnerLink="asyncbpelprocess_client"
           portType="client:AsyncBPELProcess" operation="process"/>


That's it!! Build and deploy!
Finally, the SOA server might need a bounce to refresh the wsdl cache. Please leave a comment if you know an alternative way to refresh the wsdl cache.

Change calling BPEL processes


If the asynchronous process is being consumed by any other BPEL processes, then use the following steps to change the asynchronous calls to synchronous calls.

The following files need changing:


  • composite.xml
  • *.bpel
  • *.wsdl


File: *.wsdl


If the wsdl file of the converted BPEL process is saved locally in the project or stored in the mds then it has to be updated with the latest one.


File: composite.xml


Remove callbackInterface and callback tag from the reference tag.

<reference name="asyncProc"
             ui:wsdlLocation="http://UBM58986.ubm.net:7101/soa-infra/services/testing/AsyncProcess!1.0/WSDLs/AsyncBPELProcess.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcess)"
                    callbackInterface="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.interface(AsyncBPELProcessCallback)"/>
    <binding.ws port="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.endpoint(asyncbpelprocess_client_ep/AsyncBPELProcess_pt)"
                location="http://UBM58986.ubm.net:7101/soa-infra/services/testing/AsyncProcess/asyncbpelprocess_client_ep?WSDL"
                soapVersion="1.1"/>
    <callback>
      <binding.ws port="http://xmlns.oracle.com/TestMDSApplication/AsyncProcess/AsyncBPELProcess#wsdl.endpoint(asyncbpelprocess_client_ep/AsyncBPELProcessCallback_pt)"/>
    </callback>
 </reference>



File: *.bpel


Remove myRole from the partnerLink tag

<partnerLink name="asyncProc" partnerLinkType="ns1:AsyncBPELProcess" myRole="AsyncBPELProcessRequester"
                 partnerRole="AsyncBPELProcessProvider"/>

Add outputVariable to the invoke operation. The output variable from the receive activity could be reused here.

<invoke name="Invoke1" partnerLink="asyncProc" portType="ns1:AsyncBPELProcess"
            operation="process" inputVariable="process_InputVariable"
            outputVariable="processResponse_OutputVariable" bpelx:invokeAsDetail="no"/>

Remove the receive activity from the BPEL process

<receive name="Receive1" partnerLink="asyncProc" portType="ns1:AsyncBPELProcessCallback"
             operation="processResponse" variable="processResponse_OutputVariable"/>

All Done!!

Tuesday, January 05, 2016

How to disable Auto-Recovery in BPEL

Auto-Recovery


Auto-recovery is a feature in the BPEL engine which automatically retries the failed BPEL processes every night and during server restart. This feature was introduced in the 11g version of SOA suite and is available in 12c as well.

However, it could be a headache in the following scenarios:
  • There are no business use cases or requirements for auto recovery.
  • Server gets overloaded when restarted during peak time causing it to fail or delay startup.
  • Not all the exceptions could be retried.
Steps to Disable Auto-Recovery

  • Go to em console (http://hostname:port/em)
  • Expand SOA > soa-infra on the left hand side Target Navigation
  • Right Click on soa-infra (WLS_SOA1) and select SOA Administration > BPEL properties
  • Click on More BPEL Configuration Properties...
  • Click on RecoveryConfig
  • Change the following values to disable scheduled recovery
    • maxMessageRaiseSize = 0
    • startWindowTime = 00:00
    • stopWindowTime = 00:00
  • Change the following values to disable startup recovery
    • maxMessageRaiseSize = 0
    • startupRecoveryDuration = 0
    • subsequentTriggerDelay = 0