Thursday, October 31, 2013

Disabling AIA FP WS Security Policyset

AIA FP comes with a global web services security policy set as part of the Foundation Pack installation, as shown below.






Policy sets get attached to your composite based on name. For example, the "oracle/aia_wss10_saml_token_client_policy_OPT_ON" policy gets attached to all composites with ABCS in the name, as per the screenshots below.



A WS-Security header would be required if the service is called from outside (as I believe internal calls would be supplied with WS security stuff as part of client policies). If you have the policy enabled, you can refer to this blog when you are calling the service from an external source.

To disable the policy sets attached to your composites, you can go to each policy set individually and disable it, or run the following script:




cd $SOA_HOME/common/bin
wlst
connect('weblogic','***','t3://admin-host:admin-port')

beginRepositorySession()
modifyPolicySet('AIA_EBS_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_EBF_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_ABCS_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_Producer_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_ABF_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_B2BCS_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_Consumer_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_Producer_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_ABCS_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_ABF_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_EBF_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_Adapter_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_EBS_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_B2BCS_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_Adapter_WSClientPolicySet')
enablePolicySet(false)
commitRepositorySession() 

beginRepositorySession()
modifyPolicySet('AIA_Consumer_WSServicePolicySet')                          
enablePolicySet(false)
commitRepositorySession() 


In the EM console, you sometimes have to log in again or open one of the policy sets so that the flag refreshes and all policy sets show as disabled.

We also ended up disabling the policy attached to individual composites, as it doesn't allow disabling a policy via WLST like it does for a policy set:

enableWebServicePolicy(None, 'default/AIASessionPoolManager[1.0]', 'soa', 'client', 'AIASessionPoolManager', 'oracle/aia_wss_saml_or_username_token_service_policy_OPT_ON', false, None )
enableWebServicePolicy(None, 'default/AIAErrorTaskAdministrationProcess[1.0]', 'soa', 'aiaerrortaskadministrationprocess_client_ep', 'AIAErrorTaskAdministrationProcess_pt', 'oracle/aia_wss_saml_or_username_token_service_policy_OPT_ON', false, None )
enableWebServicePolicy(None, 'default/AIAAsyncErrorHandlingBPELProcess[1.0]', 'soa', 'client', 'AIAAsyncErrorHandlingBPELProcess', 'oracle/aia_wss_saml_or_username_or_http_token_service_policy_OPT_ON', false, None )



If you get the error "Try to use server name with application name. Multiple server targets deployed for application", refer to this blog.
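
A change-review helper for scripts like the ones above, as an added example that is not part of the original post: it parses WLST text and lists every policy set or composite policy the script would switch off, so each change can be tracked and reverted later. The function names and the sample script are constructed for illustration, and the argument positions for enableWebServicePolicy are taken from the calls shown above.

```python
import re

CALL = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$")  # one WLST call per line
OFF = {"false", "False", "0"}                   # spellings of "disabled"

def split_args(raw):
    """Split a flat argument list and strip quotes (no nested calls expected)."""
    return [a.strip().strip("'\"") for a in raw.split(",")] if raw.strip() else []

def audit_wlst(script):
    """Return (disabled, warnings): policies switched off, uncommitted edits."""
    disabled, warnings = [], []
    target, pending = None, []  # state of the open repository session

    def drop_pending():
        for no, _, name in pending:
            warnings.append((no, "disable of %s never committed" % name))

    for no, line in enumerate(script.splitlines(), 1):
        m = CALL.match(line)
        if not m:
            continue
        cmd, args = m.group(1), split_args(m.group(2))
        if cmd == "beginRepositorySession":
            drop_pending()
            target, pending = None, []
        elif cmd == "modifyPolicySet" and args:
            target = args[0]
        elif cmd == "enablePolicySet" and args and args[0] in OFF:
            pending.append((no, "policy-set", target or "<no modifyPolicySet>"))
        elif cmd == "commitRepositorySession":
            disabled.extend(pending)  # session edits apply only on commit
            target, pending = None, []
        elif cmd == "enableWebServicePolicy" and len(args) >= 7:
            # Positions as used on this page: [1] composite, [5] policy, [6] flag
            if args[6] in OFF:
                disabled.append((no, "composite", args[1] + " -> " + args[5]))
    drop_pending()
    return disabled, warnings

# Constructed sample built from the commands on this page (second session is left open)
SAMPLE = """\
beginRepositorySession()
modifyPolicySet('AIA_ABCS_WSServicePolicySet')
enablePolicySet(false)
commitRepositorySession()
beginRepositorySession()
modifyPolicySet('AIA_EBS_WSClientPolicySet')
enablePolicySet(false)
enableWebServicePolicy(None, 'default/AIASessionPoolManager[1.0]', 'soa', 'client', 'AIASessionPoolManager', 'oracle/aia_wss_saml_or_username_token_service_policy_OPT_ON', false, None )
"""
```

Calling `audit_wlst(SAMPLE)` returns the committed disables with their line numbers plus a warning for the session that was never committed.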

Saturday, October 12, 2013

Configurable settings and endpoint replacements - II

Almost a year ago, I blogged about Configurable settings and endpoint replacements. I just want to reiterate, as a few more options are now available for the same functionality.

It feels like a very basic, fundamental problem, which I would describe as follows. A configuration setting (be it a URL or anything else):
  • Must not be hard coded inside your code or binary
  • Must be replaceable from environment to environment, and changing those values must not cause a server restart

Java, or any programming language, solved this problem decades ago, but Oracle seems to keep providing one solution after another for the last 10 years in SOA 10g/11g, which makes it a far more complicated problem than it sounds.

Configuration Settings

DVM
Pros

  • Stored in MDS
  • Changes are independent of deployment
  • Nice UI for update
Cons
  • Hard to modularize per Composite
  • If managed via both UI and SVN, it can quickly get out of sync across multiple environments.
  • Not too sure about what level of caching is done


DB Lookup (may be with custom XSL)
  • Probably a bit more overhead vs having things in memory


AIA Configuration Properties (More info: http://chintanblog.blogspot.com/2012/10/aia-configuration-and-dynamic.html)
Pros
  • MDS stored
  • Changes are independent of deployment
  • Different level of modularization - System/System Module/Service
Cons
  • No UI to make changes - hopefully in future release


Preference along with config plan (More info: http://chintanblog.blogspot.com/2012/06/bpel-preference-11g.html)
Pros
  • Run time changes via Mbean browser and changes can withstand server restart
Cons
  • Modularization is not flexible (e.g. two composites cannot share the same property)
  • Changes via MBean are still temporary. Deployment will overwrite changes from composite (or config plan).
  • Have to keep config plan in sync with UI changes



Code migration and reference to end point URL
Custom search/replacement
Pros

  • Much better control, as it is raw search and replace
Cons
  • Custom scripting
  • Unless it is highly sophisticated, search term has to be known in advance
  • It breaks my principle #1 - why hardcode stuff in the code in the first place?

Token Replacement (link)
Pros:
Cons:
  • Only works in specific files and specific section of composite.xml
  • Requires server restart
  • Can not be used for config other than binding.ws URL

Configuration Plan
Pros

  • OOTB, and it is xpath based replace so no need for search term
Cons
  • It breaks my principle #1 - why hardcode stuff in the code in the first place?
  • Have to manage one per environment
  • If composite is constantly changing, it is really hard to manage multiple plans
  • No support for runtime URL change


Dynamic Partnerlink Lookup (DPL) - using AIAConfig (More info : link)
Pros

  • Centralized config for all end points (and preference) - better governance
  • OOTB functions for lookup and merge during deployment
  • Just one MDS stored file
Cons
  • Changes require an MDS update via script and reloading via the AIA console
  • No UI to make changes - hopefully in future release
  • Only supported in AIA; outside AIA, you need a custom XSL function to support the same functionality
  • It comes close to what I would like to have, but involves entire AIA FP infrastructure to be installed plus the licensing cost


Oracle Service Registry (OSR)
  • It's dead, man, get over with it.

Token Replacement in SOA 11g

Since 11.1.1.7, along with what has been previously available (http://chintanblog.blogspot.com/2012/10/configurable-settings-and-endpoint.html), e.g. DVM, DB Lookup, AIA Config, Preference, Config Plan and Dynamic Partnerlink Lookup, token replacement has been added, and it claims to solve a similar problem.

How to use it

Define the Tokens in Enterprise Manager
As shown below, you can create tokens in the EM console. Defined tokens get stored in the $DOMAIN_HOME/config/fmwconfig/mdm-url-resolver.xml file, unless you override it via -Doracle.soa.url.resolver.properties.file.




Once that is done, you can use them in the binding section of the composite.xml file, as shown below. The token gets replaced at run time.


It looks great at first glance, but in my opinion it is one more failed attempt to solve one very fundamental problem. Here are the issues I see:
  • Requires server restart for change in value of Token
  • Only works in composite.xml - binding sections
    • Even in Binding section, it won't work for endpointURI as below

    • Therefore, it won't work for preference replacement (e.g. below)

    • It won't work if you have a live WSDL stored in MDS. It is quite common to have both ui:wsdlLocation and the binding.ws location as MDS locations. However, if you use a token inside the MDS WSDL, this will not work.