Archive for the ‘Technology’ Category

Tomcat 2 way SSL Configuration (Step-by-Step)

August 9, 2016

This is a working POC of a 2-way SSL (mutual TLS) configuration for Tomcat, where the client and the server each have an OpenSSL-generated key pair and a certificate issued by a private CA. The POC has the CA, the server and the client all running on the same machine.

Step 1: Create your own root CA

# Working directory is ~/openssl; the CA database lives under ~/openssl/CA
~/openssl$ mkdir -m 0700 CA CA/certs CA/crl CA/newcerts CA/private

~/openssl$ touch CA/index.txt

~/openssl$ echo 1000 > CA/serial

# Take a copy of the system OpenSSL config (on Ubuntu: /etc/ssl/openssl.cnf) and point its CA section at this
# directory. Steps 2 and 3 pass this copy with -config, so the system file stays untouched.
~/openssl$ cp /etc/ssl/openssl.cnf openssl.cnf
~/openssl$ vi openssl.cnf
 # Make changes here, in the [ CA_default ] section
 dir = /home/ubuntu/openssl/CA
 # optionally change the policy definitions as well

# Generate the CA private key (passphrase-protected with -des3) and the self-signed root certificate.
# The CN is just a name for the CA (this post uses the hostname of the machine). It must differ from the
# subject you give the server certificate in Step 2: OpenSSL and Java treat a certificate whose issuer
# equals its own subject as self-signed and cannot chain it to the CA.
~/openssl$ openssl genrsa -des3 -out karun-tomcat-root-ca.key 2048

~/openssl$ openssl req -new -x509 -days 36520 -key karun-tomcat-root-ca.key -out karun-tomcat-root-ca.crt -config openssl.cnf

# File the key and the certificate where the remaining steps expect them
~/openssl$ mv karun-tomcat-root-ca.key CA/private/
~/openssl$ mv karun-tomcat-root-ca.crt CA/certs/

# Make the CA trusted system-wide. Tomcat only needs this if its connector has no explicit truststoreFile
# (it then falls back to the JVM's cacerts, which Ubuntu's ca-certificates-java hook refreshes from the system
# store), but it also lets curl and openssl on this machine verify the server.
~$ sudo cp ~/openssl/CA/certs/karun-tomcat-root-ca.crt /usr/share/ca-certificates/

# In the dialog that follows, enable/select the certificate copied above
~$ sudo dpkg-reconfigure ca-certificates

# No reboot is needed: the JVM reads cacerts, and Tomcat its keystore and truststore, at startup, so a Tomcat restart is enough


Step 2: Create Tomcat Server’s Key Pair

~$ openssl genrsa -out tomcat-server.key 2048

# Common name = the host name or IP address clients will put in the URL, department = Tomcat Server CSR.
# Browsers since Chrome 58 ignore the CN and require a subjectAltName, so for anything beyond this POC add
# one (subjectAltName=IP:<address> or DNS:<hostname>) through -extfile when signing below.
~$ openssl req -new -sha256 -config ~/openssl/openssl.cnf -key tomcat-server.key -out tomcat-server.csr

# Sign the CSR with the CA key. Leave -signkey out: it means "self-sign with this key", and with both
# -signkey and -CA on the command line which one wins depends on option order.
~$ openssl x509 -req -sha256 -days 36520 -in tomcat-server.csr -CA ~/openssl/CA/certs/karun-tomcat-root-ca.crt -CAkey ~/openssl/CA/private/karun-tomcat-root-ca.key -CAcreateserial -out tomcat-server.crt

# Check that the certificate chains to the CA before building keystores around it
~$ openssl verify -CAfile ~/openssl/CA/certs/karun-tomcat-root-ca.crt tomcat-server.crt

~$ openssl pkcs12 -export -name karun-tomcat-server-cert -in tomcat-server.crt -out tomcat-server.p12 -inkey tomcat-server.key -CAfile ~/openssl/CA/certs/karun-tomcat-root-ca.crt -caname karun-root -chain

~$ keytool -importkeystore -destkeystore tomcat-server.jks -srckeystore tomcat-server.p12 -srcstoretype pkcs12 -alias karun-tomcat-server-cert

# The CA certificate is all the server needs in order to verify client certificates issued by that CA
~$ keytool -import -alias karun-root -keystore tomcat-server.jks -trustcacerts -file ~/openssl/CA/certs/karun-tomcat-root-ca.crt

# Run this once the client cert is generated (Step 3) only if you also want to pin that specific client
# certificate. Import the certificate alone: never import tomcat-client.p12 into the server keystore,
# because that copies the client's private key onto the server.
~$ keytool -import -alias karun-tomcat-client-cert -keystore tomcat-server.jks -file ~/client-certs/tomcat-client.crt

# Run this once tomcat server started successfully. -CAfile makes s_client verify the server chain as well:
# "Verify return code: 0 (ok)" means the server certificate chains to your CA, and the handshake completing
# at all means the server accepted the client certificate (clientAuth="true").
~$ openssl s_client -connect localhost:8443 -CAfile ~/openssl/CA/certs/karun-tomcat-root-ca.crt -cert ~/client-certs/tomcat-client.crt -key ~/client-certs/tomcat-client.key -debug -showcerts

Step 3: Create Client Side Key Pair

~$ openssl genrsa -out tomcat-client.key 2048

# Common name = the user you want to log in as, say 'admin', department = Tomcat Client CSR.
# Note that Tomcat's SSL authenticator hands the realm the certificate's full subject DN as the user name,
# not just the CN, so the entry in tomcat-users.xml must carry that DN string (the realm's log shows the exact
# form) unless the realm is configured with an X509UsernameRetriever that extracts the CN.
~$ openssl req -new -sha256 -config ~/openssl/openssl.cnf -key tomcat-client.key -out tomcat-client.csr

# Sign with the CA key only (no -signkey, for the same reason as in Step 2)
~$ openssl x509 -req -sha256 -days 36520 -in tomcat-client.csr -CA ~/openssl/CA/certs/karun-tomcat-root-ca.crt -CAkey ~/openssl/CA/private/karun-tomcat-root-ca.key -CAcreateserial -out tomcat-client.crt

~$ openssl verify -CAfile ~/openssl/CA/certs/karun-tomcat-root-ca.crt tomcat-client.crt

# The export password you set here is what the browser asks for in Step 6
~$ openssl pkcs12 -export -name karun-tomcat-client-cert -in tomcat-client.crt -out tomcat-client.p12 -inkey tomcat-client.key -CAfile ~/openssl/CA/certs/karun-tomcat-root-ca.crt -caname karun-root -chain

# Optional steps: a JKS is only needed if a Java client, rather than a browser, will present the certificate
~$ keytool -importkeystore -destkeystore tomcat-client.jks -srckeystore tomcat-client.p12 -srcstoretype pkcs12 -alias karun-tomcat-client-cert

~$ keytool -import -alias root -keystore tomcat-client.jks -trustcacerts -file ~/openssl/CA/certs/karun-tomcat-root-ca.crt

Step 4: Tomcat Changes

<!-- Make this change in server.xml of tomcat server.
     The keystore/truststore paths, passwords and alias below are assumptions: substitute the ones you used in Step 2.
     Without keystoreFile Tomcat falls back to ~/.keystore (password "changeit"), and without truststoreFile to the
     JVM's cacerts, so a connector that names neither never sees the keystore built above. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/home/ubuntu/tomcat-server.jks" keystorePass="changeit"
           keyAlias="karun-tomcat-server-cert"
           truststoreFile="/home/ubuntu/tomcat-server.jks" truststorePass="changeit" />

clientAuth="true" makes Tomcat reject any connection that does not present a certificate chaining to a CA in the truststore. clientAuth="want" would request a certificate but let connections without one through, which is not 2-way SSL.

Step 5: Restart the Tomcat server and check the logs (catalina.out) to ensure there are no keystore or truststore errors at bootup

Step 6: Upload Client cert to browser

In your browser, eg: firefox, navigate Preferences -> Advanced -> Certificate -> View Certificates -> Your Certificates

Import “tomcat-client.p12” (Firefox asks for the export password you set in Step 3)
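The whole procedure as one runnable script, added here as an example (it is not code from this post): the PKI is minted with the openssl CLI the way Steps 1 to 3 do it (a self-signed CA, then CSRs signed with -CA/-CAkey), and Python's ssl module stands in for Tomcat with verify_mode CERT_REQUIRED, the equivalent of clientAuth="true". It then shows both outcomes: the client that presents the client certificate is served, the one without is refused at the handshake. Assumptions: openssl is on PATH, the names demo-root-ca, localhost and admin, the certificate lifetimes and the ephemeral port are chosen for the demo, and the server certificate carries a subjectAltName of localhost so hostname checking can stay on.

```python
"""Mutual TLS end to end: a throwaway CA, a server certificate and a client certificate minted with
the openssl CLI (as in Steps 1-3), then a TLS server that requires a client certificate (Tomcat's
clientAuth="true") and two clients, one presenting the certificate and one without."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf (assumed values).
OPENSSL_CNF = """\
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
"""


def openssl_available():
    """True when the openssl CLI used to mint the throwaway certificates is on PATH."""
    return shutil.which("openssl") is not None


def _openssl(*args):
    subprocess.run(("openssl",) + args, check=True, capture_output=True)


def make_pki(workdir):
    """Create CA, server and client key pairs under workdir; returns (ca_crt, {name: (crt, key)}).
    CSRs are signed with -CA/-CAkey only (no -signkey), like the Step 2/3 commands."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF)
    ca_key, ca_crt = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "3650",
             "-config", cnf, "-subj", "/CN=demo-root-ca", "-keyout", ca_key, "-out", ca_crt)
    leaves = {}
    for name, subject, ext in (("server", "/CN=localhost", "server_ext"),
                               ("client", "/CN=admin", "client_ext")):
        key, csr, crt = (os.path.join(workdir, name + suffix) for suffix in (".key", ".csr", ".crt"))
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256", "-config", cnf,
                 "-subj", subject, "-keyout", key, "-out", csr)
        _openssl("x509", "-req", "-sha256", "-days", "365", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
                 "-CAcreateserial", "-extfile", cnf, "-extensions", ext, "-out", crt)
        leaves[name] = (crt, key)
    return ca_crt, leaves


def _peer_cn(tls_sock):
    """CN of the verified client certificate (Tomcat's realm would see the whole subject DN)."""
    subject = tls_sock.getpeercert()["subject"]
    return dict(rdn[0] for rdn in subject)["commonName"]


def run_mtls_demo():
    """Returns what each side observed: the server's view of two handshakes and each client's reply."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_crt, leaves = make_pki(workdir)

        # Server side: present server.crt, trust only our CA, and REQUIRE a client certificate.
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(*leaves["server"])
        srv_ctx.load_verify_locations(ca_crt)
        srv_ctx.verify_mode = ssl.CERT_REQUIRED   # clientAuth="true"; CERT_OPTIONAL would be "want"

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(2)
        port = listener.getsockname()[1]
        server_saw = []

        def server():
            for _ in range(2):
                conn, _ = listener.accept()
                conn.settimeout(10)
                try:
                    with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                        cn = _peer_cn(tls)
                        server_saw.append(cn)
                        tls.sendall(b"hello " + cn.encode())
                except OSError:            # handshake failed: no (or untrusted) client certificate
                    server_saw.append("rejected")
                finally:
                    conn.close()

        def client(with_cert):
            ctx = ssl.create_default_context(cafile=ca_crt)   # trust our CA only; hostname is checked
            if with_cert:
                ctx.load_cert_chain(*leaves["client"])
            try:
                with socket.create_connection(("127.0.0.1", port), timeout=10) as raw, \
                        ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                    data = tls.recv(64)
                    return data.decode() if data else None
            except OSError:                # TLS alert or reset: the server refused us
                return None

        t = threading.Thread(target=server, daemon=True)
        t.start()
        with_cert = client(True)
        without_cert = client(False)
        t.join(20)
        listener.close()
        return {"with_cert": with_cert, "without_cert": without_cert, "server_saw": server_saw}


if __name__ == "__main__":
    print(run_mtls_demo())
```

The client that sends no certificate is refused by the server during the handshake, which is what a browser without the imported tomcat-client.p12 experiences against the connector in Step 4; the server never sees an application-layer request from it.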



SAML2.0 Weblogic Sender-Vouches Configuration & POC

June 4, 2016

This blog post covers the SAML 2.0 configuration for web services in WebLogic. It is a step-by-step guide to configuring the WebLogic domains, with a sample test client to exercise the web service. We look at the SAML 2.0 Sender-Vouches web service configuration.

What is Sender Vouches?

Sender-Vouches – the asserting party (which is not the subject) vouches for the verification of the subject. The receiver must have a trust relationship with the asserting party.

Sender Vouches
1. Rather than authenticating with the STS directly, the client authenticates with an intermediate service.
2. The intermediary obtains the security token from the STS.
3. The intermediary then signs the request and sends it to the relying party (RP).
4. The RP trusts both the intermediary and the STS, so it validates both: the STS signature on the assertion and the intermediary's signature on the message.

Here are the steps:

  • Configure the STS (a WebLogic domain; the certificate used is wssipsts)
  • Configure a WebLogic domain for the WebLogic web service with the SAML 2.0 Sender-Vouches policy (Bob's certificate is used for this)
  • Create a stand-alone client that retrieves a token from the STS and fires a request at the web service with the SAML 2.0 token it received (Alice's certificate is used for this)

Configure STS:

  1. Create a WebLogic domain (I am using WebLogic 10.3.5)
  2. We need to configure SSL for this domain
  3. While creating the domain I configure weblogic to use 6001 for Non-SSL and 6002 for SSL port. Let domain name be STSDomain.
  4. Now go to http://localhost:6001/console
  5. Go to STSDomain –> Environment –> Admin Server –> Keystores
    • Select Custom Identity and Custom Trust
    • Custom Identity Keystore: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\oasis.jks
    • Type: JKS
    • password: password
    • Custom Trust Keystore: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\cacerts
    • Type: JKS
    • password: changeit
    • Save and restart server if it asks to do so
  6. Go to STSDomain –> Environment –> Admin Server –> SSL
    • Private Key Alias: WssIPSTS
    • Private Key passphrase: password
    • Save and restart if asked to do so
  7. Now build the web service and deploy it in the domain. Check after successful deployment whether you can open the WSDL url or not.
  8. STSDomain–>Security Realms –>myrealm
  9. Only the ‘Credential Mapper’ needs to be configured here. The credential mapper is responsible for issuing SAML tokens, whereas the identity asserter is responsible for validating them. So we configure a credential mapper on the STS and an identity asserter on the web service domain.
  10. Go to Providers –> Credential Mapping
  11. Add PKI Credential Mapper
    • In Provider Specific tab, Keystore Provider: SUN
    • Keystore Type: JKS
    • Keystore file name: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\oasis.jks
    • Keystore pass phrase: password
    • The ‘Use resource hierarchy’ and ‘Use initiator group names’ check boxes should be selected.
    • Click on save and restart if asked to do so
  12. Add SAML2CredentialMapper
    • In Configuration –> Provider specific tab, Issuer URI:
    • Name Qualifier:
    • Default time to live: 120
    • offset: 0
    • Webservice Assertion Signing key alias: WssIPSTS
    • Key pass phrase: password
    • Select check box ‘Generate Attributes’
    • Save and go to Management tab in the same section
    • New–>New Webservice Service Provider Partner
    • Add sender vouches relying party: Sendervouches:/echoservicesaml2/EchoServiceSAML2
    • Make sure to select ‘Enabled’ check box
    • Give description
    • Audience URIs:  target:*:http://HYD-69ZRV01-L:7001/echoservicesaml2
    • Generate Attributes checkbox to be selected
    • Select confirmation methods as ‘Sender-Vouches’
    • Save and restart the server if asked to do so
  13. That’s all the configuration from STS side.

Configure Weblogic Webservice:

  1. Create a WebLogic domain (again WebLogic 10.3.5)
  2. We do not need to configure SSL for this domain
  3. While creating domain configure weblogic to use 7001 port and no SSL port required. Let the domain name be ‘WebserviceDomain’
  4. Login to weblogic console.
  5. WebserviceDomain–>servers–>Adminserver–>keystore
    • Custom Identity and Custom Trust store
    • Custom Identity Keystore: F:\Oracle\Middleware\user_projects\domains\WebserviceDomain\certs\oasis.jks
    • Key type: JKS
    • password: password
    • Trust Keystore: F:\Oracle\Middleware\user_projects\domains\WebserviceDomain\certs\cacerts
    • Type: JKS
    • password: changeit
    • Save and restart the server if asked to do so.
    • SSL
    • Private key alias: Bob
    • password: password
    • Save
  6. Build and deploy the weblogic web service. The scripts and the webservice code is given below.
  7. Go to Security Realms –> myrealm –> Providers –> Authentication
    • Add SAMLAuthenticator
    • Set its control flag to ‘SUFFICIENT’
    • Set the control flag of the Default Authenticator to ‘SUFFICIENT’ as well
    • (optional step) Also in the Default Authenticator’s ‘Provider Specific’ tab, enable password digest, set the minimum password length to 1 and save.
    • (optional step) In Default Identity Asserter –> Common, choose the Active Types ‘wsse:PasswordDigest’ and ‘X.509’, move them to the right and click Save.
    • (optional step) In Default Identity Asserter –> Provider Specific, set Default User Name to @, Mapper Attribute Type to ‘CN’, select ‘Use Default User Name Mapper’ and click Save. Restart if asked to do so
  8. Go to Security Realms –> myrealm –> Providers –> Authentication
    • Add SAML2IdentityAsserter
    • Go to Management –> New –> New Webservice Identity Provider Partner
    • Name: Sendervouches:/echoservicesaml2/EchoServiceSAML2
    • Choose Enabled
    • Audience URIs: target:*:/echoservicesaml2
    • Issuer URI:
    • Virtual User selected
    • Confirmation Method: Sender-Vouches
    • Process Attributes selected
    • Save and restart if asked to do so.
  9. That’s all the configuration of web service.

Client Testing:

  1. Open a command prompt window
  2. Run setWLSEnv.cmd from that command window to set the paths
  3. ant runsaml2
  4. That’s all for now…

StsUnt.java for STS

package com.saml.example;

import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.jws.Policy;
// The provider registry classes belong to the WebLogic web services runtime (weblogic.wsee.security.wst.framework
// in 10.3); the original import lines did not survive on the page, so check the package against your wlfullclient.jar.
import weblogic.wsee.security.wst.framework.SAMLTrustTokenProvider;
import weblogic.wsee.security.wst.framework.TrustTokenProviderRegistry;

@WebService   // the name/targetNamespace attributes of the original annotation did not survive on the page
public class StsUnt {

    // Register the custom SAML token provider once, when the class is loaded.
    static {
        init();
    }

    @WebMethod
    public String dummyMethod(String s) {
        return s;
    }

    static void init() {
        TrustTokenProviderRegistry reg = TrustTokenProviderRegistry.getInstance();
        SAMLTrustTokenProvider provider = new MySAMLTrustTokenProvider();
        // The original registers the same provider under five token-type URIs; the URI strings
        // were stripped from the page, so they are left blank here.
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
    }

    static class MySAMLTrustTokenProvider extends SAMLTrustTokenProvider {
    }
}

build.xml for STS

<?xml version="1.0"?>
<project name="SenderVouches11" default="all" basedir=".">
    <property name="root.dir" value="${basedir}" />
    <!-- the classname attributes of the four WebLogic task definitions were stripped from the page -->
    <taskdef name="jwsc" classname="" />
    <taskdef name="clientgen" classname="" />
    <taskdef name="wldeploy" classname="" />
    <taskdef name="wsdlc" classname="" />
    <property file="${basedir}/properties.txt" />
    <property name="source.dir" value="${basedir}" />
    <property name="output.dir" value="${basedir}/build" />
    <path id="class.path">
        <pathelement path="${java.class.path}" />
    </path>
    <target name="all" depends="clean,jwsc,deploy" />
    <target name="build" depends="clean,jwsc" />
    <target name="clean">
        <delete dir="${output.dir}" />
    </target>
    <target name="jwsc">
        <antcall target="jwsc-sts" />
    </target>
    <target name="jwsc-sts">
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="standalonests" name="standalonests" explode="true">
                <!-- the jws file name was stripped from the page -->
                <jws file="" type="JAXWS">
                    <WLHttpTransport serviceUri="SamlSTS" />
                </jws>
            </module>
        </jwsc>
    </target>
    <target name="deploy">
        <antcall target="deploy-sts" />
    </target>
    <target name="deploy-sts">
        <wldeploy action="deploy" source="${output.dir}/standalonests" user="${sts-wls-username}" password="${sts-wls-passwd}" verbose="false" adminurl="t3://${sts-wls-server}" debug="false" targets="${sts-wls-target}" />
    </target>
    <target name="undeploy">
        <property name="wls-admin-server" value="${wls-server}" />
        <wldeploy action="undeploy" name="standalonests" user="${sts-wls-username}" password="${sts-wls-passwd}" verbose="false" adminurl="t3://${sts-wls-server}" debug="false" targets="${sts-wls-target}" />
    </target>
    <property name="extra-server-verbose" value="-Dweblogic.log.StdoutSeverity=Debug" />
</project>

properties.txt for STS

# common properties

EchoServiceSAML2.java for webservice

package com.saml.example;

import javax.jws.WebService;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

@WebService   // the name/targetNamespace attributes of the original annotation did not survive on the page
// Sender-vouches assertion with the WS-Security 1.1 asymmetric binding, plus body signing and encryption
@Policies({
    @Policy(uri = "policy:Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1-Asymmetric.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
public class EchoServiceSAML2 {

    public String echo(String hello) {
        System.out.println("Inside EchoServiceSAML2!!!");
        return hello;
    }
}

build.xml for webservice

<?xml version="1.0"?>
<project name="SenderVouches11" default="all" basedir=".">
    <property name="root.dir" value="${basedir}" />
    <!-- the classname attributes of the four WebLogic task definitions were stripped from the page -->
    <taskdef name="jwsc" classname="" />
    <taskdef name="clientgen" classname="" />
    <taskdef name="wldeploy" classname="" />
    <taskdef name="wsdlc" classname="" />
    <property file="${basedir}/properties.txt" />
    <property name="source.dir" value="${basedir}" />
    <property name="output.dir" value="${basedir}/build" />
    <property name="clientclasses.dir" value="${basedir}/build/client" />
    <property name="clientclassessaml2.dir" value="${basedir}/build/clientsaml2" />
    <path id="class.path">
        <pathelement path="${java.class.path}" />
        <pathelement path="${basedir}/build/client" />
        <pathelement path="${basedir}/build/clientsaml2" />
    </path>
    <target name="all" depends="clean,jwsc,deploy,client" />
    <target name="build" depends="clean,jwsc,client" />
    <target name="clean">
        <delete dir="${output.dir}" />
    </target>
    <target name="jwsc">
        <antcall target="jwsc-ws" />
    </target>
    <target name="jwsc-ws">
        <!-- the two jws file names were stripped from the page -->
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="echoservice" name="echoservice" explode="true">
                <jws file="" type="JAXWS">
                    <WLHttpTransport serviceUri="EchoService" />
                </jws>
            </module>
        </jwsc>
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="echoservicesaml2" name="echoservicesaml2" explode="true">
                <jws file="" type="JAXWS">
                    <WLHttpTransport serviceUri="EchoServiceSAML2" />
                </jws>
            </module>
        </jwsc>
    </target>
    <target name="clientgen">
        <mkdir dir="${clientclasses.dir}" />
        <clientgen destdir="${clientclasses.dir}" wsdl="${basedir}/EchoService.wsdl" type="JAXWS" packageName="com.saml.example" />
        <clientgen destdir="${clientclassessaml2.dir}" wsdl="${basedir}/EchoServiceSAML2.wsdl" type="JAXWS" packageName="com.saml.example" />
    </target>
    <target name="client">
        <mkdir dir="${clientclasses.dir}" />
        <copy todir="${clientclasses.dir}" overwrite="true">
            <fileset dir="${certs.dir}" includes="*" />
        </copy>
        <antcall target="clientgen" />
        <!-- the include patterns (the two client source files) were stripped from the page -->
        <javac debug="true" srcdir="${source.dir}" destdir="${clientclasses.dir}">
            <classpath refid="class.path" />
            <include name="" />
        </javac>
        <javac debug="true" srcdir="${source.dir}" destdir="${clientclassessaml2.dir}">
            <classpath refid="class.path" />
            <include name="" />
        </javac>
    </target>
    <target name="deploy">
        <antcall target="deploy-ws" />
    </target>
    <target name="deploy-ws">
        <wldeploy action="deploy" source="${output.dir}/echoservice" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
        <wldeploy action="deploy" source="${output.dir}/echoservicesaml2" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
    </target>
    <target name="undeploy">
        <property name="wls-admin-server" value="${wls-server}" />
        <wldeploy action="undeploy" name="echoservice" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
        <wldeploy action="undeploy" name="echoservicesaml2" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
    </target>
    <!-- the -Xrunjdwp flag opens a JDWP debug listener on port 8453; keep it for local debugging only -->
    <target name="run">
        <java classname="com.saml.example.client.EchoServicePortClient" fork="true">
            <classpath refid="class.path" />
            <jvmarg line="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8453 -Dweblogic.wsee.verbose=*,!weblogic.wsee.connection.soap.SoapConnectionMessage" />
        </java>
    </target>
    <target name="runsaml2">
        <java classname="com.saml.example.client.EchoServiceSAML2PortClient" fork="true">
            <classpath refid="class.path" />
            <jvmarg line="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8453 -Dweblogic.wsee.verbose=*,!weblogic.wsee.connection.soap.SoapConnectionMessage" />
        </java>
    </target>
    <property name="extra-server-verbose" value="-Dweblogic.log.StdoutSeverity=Debug" />
</project>

properties.txt for webservice

certs.dir=${root.dir}/../certs/
config.dir=${root.dir}/../config/
build.dir=${root.dir}/../build

EchoServiceSAML2PortClient.java (the stand-alone client)

package com.saml.example.client;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;

import com.saml.example.EchoServiceSAML2;
import com.saml.example.EchoServiceSAML2Service;          // generated by the clientgen target
import weblogic.security.SSL.TrustManager;
import weblogic.security.spi.WLSPrincipal;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;
// SAML2CredentialProvider, SAMLTrustCredentialProvider and the SAMLAttribute*Data(Impl) classes. The original
// import lines did not survive on the page; check these package names against your WebLogic jars.
import weblogic.wsee.security.saml.*;

public class EchoServiceSAML2PortClient {

    private static EchoServiceSAML2Service echoServiceService;

    // WS-SecurityPolicy for the bootstrap call to the STS: HTTPS transport plus a UsernameToken.
    // The wsp/sp namespace URIs and the sp:IncludeToken value were stripped from the page.
    private static String stsUntPolicy = "<?xml version=\"1.0\"?>\n"
            + "<wsp:Policy\n"
            + "  xmlns:wsp=\"\"\n"
            + "  xmlns:sp=\"\"\n"
            + "  >\n"
            + "  <sp:TransportBinding>\n"
            + "    <wsp:Policy>\n"
            + "      <sp:TransportToken>\n"
            + "        <wsp:Policy>\n"
            + "          <sp:HttpsToken/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:TransportToken>\n"
            + "      <sp:AlgorithmSuite>\n"
            + "        <wsp:Policy>\n"
            + "          <sp:Basic256/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:AlgorithmSuite>\n"
            + "      <sp:Layout>\n"
            + "        <wsp:Policy>\n"
            + "          <sp:Lax/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:Layout>\n"
            + "      <sp:IncludeTimestamp/>\n"
            + "    </wsp:Policy>\n"
            + "  </sp:TransportBinding>\n"
            + "  <sp:SupportingTokens>\n"
            + "    <wsp:Policy>\n"
            + "      <sp:UsernameToken\n"
            + "        sp:IncludeToken=\"\">\n"
            + "        <wsp:Policy>\n"
            + "          <sp:WssUsernameToken10/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:UsernameToken>\n"
            + "    </wsp:Policy>\n"
            + "  </sp:SupportingTokens>\n"
            + "</wsp:Policy>";

    public static void main(String[] args) {
        try {
            String wsURL = "http://HYD-69ZRV01-L:7001/echoservicesaml2/EchoServiceSAML2?WSDL";
            // The service QName's namespace was stripped from the page; the local part follows clientgen's naming
            echoServiceService = new EchoServiceSAML2Service(new URL(wsURL),
                    new QName("", "EchoServiceSAML2Service"));
            EchoServiceSAML2 echoService = echoServiceService.getEchoServiceSAML2Port();
            Map<String, Object> requestContext = ((BindingProvider) echoService).getRequestContext();
            List<CredentialProvider> credList = new ArrayList<CredentialProvider>();

            // Bootstrap policy: how this client authenticates to the STS when it asks for the assertion
            InputStream policy = new ByteArrayInputStream(stsUntPolicy.getBytes());
            requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY, policy);

            // STS endpoint. The requestContext.put line was lost on the page; the property name is the one
            // the WebLogic WS-Trust client API uses, so verify it against your version.
            String stsURL = "https://HYD-69ZRV01-L:6002/standalonests/SamlSTS";
            requestContext.put(WLStub.WST_STS_ENDPOINT_ON_SAML, stsURL);

            // Custom trust manager for the HTTPS call to the STS. Returning true unconditionally, as this POC
            // does, accepts ANY server certificate and switches off TLS server authentication towards the STS:
            // validate the chain (or trust the STS certificate properly and drop this) before reusing it.
            requestContext.put(WLStub.TRUST_MANAGER, new TrustManager() {
                public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                    // need to validate if the server cert can be trusted
                    return true;
                }
            });

            requestContext.put(WLStub.SAML_ATTRIBUTE_ONLY, "False");
            credList.add(new SAMLTrustCredentialProvider());
            credList.add(new MySAMLCredentialProvider1());

            // Username token presented to the STS
            String username = "Alice";
            String password = "Interop1";
            credList.add(new ClientUNTCredentialProvider(username.getBytes(), password.getBytes()));

            // ClientBSTCredentialProvider: Alice's key pair signs the request, Bob's certificate encrypts it
            String defaultClientcert = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Alice.cer";
            String clientcert = System.getProperty("target.clientcert", defaultClientcert);
            String defaultClientkey = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Alice.prv";
            String clientkey = System.getProperty("target.clientkey", defaultClientkey);
            String defaultServerCert = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Bob.cer";
            String serverCert = System.getProperty("target.serverCert", defaultServerCert);
            credList.add(new ClientBSTCredentialProvider(clientcert, clientkey, serverCert));

            requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credList);

            // Add your code to call the desired methods.
            System.out.println(echoService.echo("Hello SAML2"));
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    /**
     * This credential provider is for SAML 2.0 Sender Vouches: it supplies the attribute statement
     * that goes into the assertion.
     */
    private static class MySAMLCredentialProvider1 extends SAML2CredentialProvider {

        public SAMLAttributeStatementData getSAMLAttributeData(Subject subject) {
            System.out.println(" Providing SAML Attributes from MySAMLCredentialProvider1 for Subject =" + subject);
            // There are four types of attributes in this test.
            // The setAttributeName()/setAttributeNamespace(xmlns) calls and the static value of attribute 2
            // did not survive on the page. The add call closing each block is restored; addAttributeData is
            // the method name in the WebLogic API, verify it against your version.
            SAMLAttributeStatementData attributes = new SAMLAttributeStatementDataImpl();
            String xmlns = "";   // attribute namespace; the value was stripped from the page

            // 1. The attribute without value
            SAMLAttributeData attribute1 = new SAMLAttributeDataImpl();
            // Friendly name is optional. It is set in this example.
            attribute1.setAttributeFriendlyName("Type 1 - No Value");
            attributes.addAttributeData(attribute1);

            // 2. Static attribute that has a static value
            SAMLAttributeData attribute2 = new SAMLAttributeDataImpl();
            attribute2.setAttributeFriendlyName("Type 2 - Static Attribute");
            attributes.addAttributeData(attribute2);

            // 3. Subject dependent attributes
            SAMLAttributeData attribute3 = new SAMLAttributeDataImpl();
            attribute3.setAttributeFriendlyName("Type 3 - Subject Dependent Attribute");
            if (hasUser("Alice", subject)) {
                attribute3.addAttributeValue("Alice A");
            } else if (hasUser("Bob", subject)) {
                attribute3.addAttributeValue("Bob B");
            } else {
                attribute3.addAttributeValue("Hacker X");
            }
            attributes.addAttributeData(attribute3);

            // 4. Multiple value attributes
            SAMLAttributeData attribute4 = new SAMLAttributeDataImpl();
            attribute4.setAttributeFriendlyName("Type 4 - Multi-Value Attribute");
            if (hasUser("Alice", subject)) {
                attribute4.addAttributeValue("Team Lead");
            } else if (hasUser("Bob", subject)) {
                attribute4.addAttributeValue("System Admin");
            } else {
                attribute4.addAttributeValue("member of unknown");
            }
            attributes.addAttributeData(attribute4);

            return attributes;
        }
    }

    /** True if one of the subject's principals carries the given user name. */
    private static boolean hasUser(String user, Subject subject) {
        if (null == user || null == subject) {
            return false;
        }
        Set principals = subject.getPrincipals();
        if (null == principals || principals.isEmpty()) {
            return false;
        }
        for (Iterator it = principals.iterator(); it.hasNext();) {
            Object obj = it.next();
            if (obj instanceof Principal) {
                Principal p = (Principal) obj;
                if (user.equals(p.getName())) {
                    return true;
                }
            } else if (obj instanceof WLSPrincipal) {
                WLSPrincipal principal = (WLSPrincipal) obj;
                if (user.equals(principal.getName())) {
                    return true;
                }
            }
        }
        return false;
    }
}

SAML2 Assertion is not yet valid (NotBefore condition)

June 4, 2016

My current setup:

Oracle STS is running on Machine 1 and Oracle Weblogic Web service is running on Machine 2

I wrote a client that obtains a SAML2 token from the STS on Machine 1 and uses that token to call the SAML2 web service on the WebLogic server on Machine 2. The client constantly kept throwing the following error:

<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <found idp partner with targetResource: /echoservicesaml2/EchoServiceSAML2>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion signature>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: The assertion is signed.>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion signature>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion attributes>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion attributes>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion issuer>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion issuer>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion conditions>
<WSEE:12>Exception while asserting identity: [Security:090377]Identity Assertion Failed, [Security:090377]Identity Assertion Failed, [Security:096537]Assertion is not yet valid (NotBefore condition).<CSSUtils.assertIdentity:429>

Root Cause:
The Oracle STS returned the token correctly; the request fails on the WebLogic server while it checks the assertion's conditions (the last debug line above, "Start verify assertion conditions", is followed directly by the failure).

After a bit of fighting we figured out that Machine 2's clock was 2 minutes behind Machine 1's. An assertion issued "now" on Machine 1 carries a NotBefore equal to Machine 1's current time, which from Machine 2's point of view is still two minutes in the future, so the identity asserter rejects it as not yet valid. Once the clocks of Machine 1 and Machine 2 were synchronized (NTP on both is the durable fix) things worked smoothly.

Hope this tip helps someone out there.
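The check the relying party performs on the assertion's Conditions element, written out in Python with an explicit clock-skew allowance and an audience check. This is an added example, not the blog's or Oracle's code. The assertion is constructed for the demo: issued at 12:18:56Z with the 120-second lifetime and 0 offset from the STS configuration in the previous post, and restricted to the /echoservicesaml2 audience; the relying-party clock values fed to it are likewise assumed. A skew allowance of a couple of minutes would have masked the problem above, but it also widens the window in which a captured assertion can be replayed by the same amount, which is why syncing the clocks is the better fix.

```python
"""Evaluate a SAML 2.0 assertion's <Conditions> the way a relying party does, with an explicit
clock-skew allowance, against a constructed assertion."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample, not a real token: issued at 12:18:56Z, valid for 120 seconds, offset 0.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo" Version="2.0" IssueInstant="2014-06-16T12:18:56Z">
  <saml:Issuer>sts.example</saml:Issuer>
  <saml:Subject><saml:NameID>Alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-06-16T12:18:56Z" NotOnOrAfter="2014-06-16T12:20:56Z">
    <saml:AudienceRestriction><saml:Audience>/echoservicesaml2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(text):
    """SAML dateTime values are UTC ('Z' suffix); fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)


def utc(text):
    """Shorthand for building a relying-party clock value in the test cases."""
    return parse_saml_time(text)


def conditions(assertion_xml):
    """Return (NotBefore, NotOnOrAfter, [audiences]) from the assertion's Conditions element."""
    cond = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML2)
    audiences = [a.text for a in cond.iter("{%s}Audience" % SAML2)]
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter")), audiences


def check_validity(assertion_xml, now, skew_seconds=0, audience=None):
    """Return (ok, reason). `now` is the relying party's clock; skew widens the window on both ends."""
    not_before, not_on_or_after, audiences = conditions(assertion_xml)
    skew = dt.timedelta(seconds=skew_seconds)
    if now + skew < not_before:
        return False, "not yet valid (NotBefore condition)"
    if now - skew >= not_on_or_after:
        return False, "expired (NotOnOrAfter condition)"
    if audience is not None and audience not in audiences:
        return False, "audience mismatch"
    return True, "valid"


def seconds_behind(assertion_xml, now):
    """How many seconds the relying party's clock must advance for NotBefore to pass (0 if it already does)."""
    not_before, _, _ = conditions(assertion_xml)
    return max(0, int((not_before - now).total_seconds()))


if __name__ == "__main__":
    rp_clock = utc("2014-06-16T12:16:56Z")   # Machine 2, two minutes behind the STS
    print(check_validity(SAMPLE_ASSERTION, rp_clock), seconds_behind(SAMPLE_ASSERTION, rp_clock))
    print(check_validity(SAMPLE_ASSERTION, rp_clock, skew_seconds=120))
```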

Oracle Spatial Database Installation11g R2 quick step-by-step

December 26, 2012

This post lists the steps to configure Oracle Spatial Database 11gR2 on your machine. It is not intended for advanced installation and configuration; it is for users who want an easy approach to installing and configuring an Oracle database on their machine.

Pre-installation Requirements:
  • You should have at least 1 GB RAM (in practice that is not enough, since Windows itself needs about 512 MB; I would suggest a minimum of 2 GB)
  • If your machine is on DHCP then you need to have a loopback adapter installed.
  • A loopback adapter is required even if you currently work in non-network mode but plan to connect to your network after the Oracle installation.
  • Steps to install the loopback adapter
  • Check the compatibility matrix (an Excel sheet on the Oracle database download site) to ensure the software you are downloading is compatible with your system configuration
  • Download the appropriate Oracle software version
  • Run the installer
  • Click Next
  • Select the ‘Install only’ option
  • Click Next through the remaining screens until the installation finishes successfully
  • Now go to Start –> Oracle Db Home –> Configuration & Migration tools –> Database Configuration Assistant (DBCA)
  • This opens the DBCA wizard; follow its screens through to the end
  • That’s it! You now have Oracle Database 11gR2 installed
  • Open a command prompt and type sqlplus. If it starts, Oracle is installed and configured on your machine.
  • Happy learning…

JAR Scan Tool to scan for jar file for given class name

March 14, 2011

This is a useful tool.

It scans through your directory structure, parses every jar file it finds for the given class name and produces a final report listing the jar files in which that class is defined.

  • The tool is written in Java and runs on any system with Java 1.4 or higher. It is available as a standalone, high-performance Java application or as an online web application
  • You need just 2 simple steps to get it running
  • Download the jar file and copy it to your file system
  • From the command prompt, issue the command

E:\> java -jar jarscan.jar -dir "E:\weblogic" -class SipServerBean

That’s it! The output is the list of jar files under E:\weblogic that contain SipServerBean.
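What jarscan does, as an added Python example (this is not the tool's code): walk a directory, open every jar and look for the class, and also descend into jars nested inside war/ear files, which is where a stray second copy of a class usually hides on an application server. The jar/war tree is constructed in a temporary directory for the demo, and the class name SipServerBean is the one from the command above.

```python
"""Find which archives on disk define a given class, descending into jars nested inside war/ear files."""
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def class_entry_name(class_name):
    """'SipServerBean' -> 'SipServerBean.class'; 'com.bea.sip.SipServerBean' -> 'com/bea/sip/SipServerBean.class'."""
    name = class_name[:-6] if class_name.endswith(".class") else class_name
    return name.replace(".", "/") + ".class"


def scan_archive(zf, wanted, location, hits):
    """Record every entry in zf that is `wanted`, then recurse into nested archives (WEB-INF/lib/*.jar etc.)."""
    for info in zf.infolist():
        name = info.filename
        if name == wanted or name.endswith("/" + wanted):
            hits.append((location, name))
        elif name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zf.open(info) as nested:
                    data = nested.read()
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    scan_archive(inner, wanted, location + "!" + name, hits)
            except zipfile.BadZipFile:
                continue          # named like an archive but is not one; skip it


def scan_directory(root, class_name):
    """Walk root and return [(archive location, entry name), ...] for every archive defining class_name."""
    wanted = class_entry_name(class_name)
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, wanted, path, hits)
            except zipfile.BadZipFile:
                continue
    return hits


def build_demo_tree(root):
    """Constructed fixture: a jar with the class, a jar without it, and a war carrying a second copy in WEB-INF/lib."""
    os.makedirs(os.path.join(root, "lib"))
    stub = b"\xca\xfe\xba\xbe"     # class-file magic is enough; the scanner never loads bytecode
    with zipfile.ZipFile(os.path.join(root, "lib", "sip.jar"), "w") as z:
        z.writestr("com/bea/sip/SipServerBean.class", stub)
    with zipfile.ZipFile(os.path.join(root, "lib", "other.jar"), "w") as z:
        z.writestr("com/bea/Other.class", stub)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("com/bea/sip/SipServerBean.class", stub)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/sip-copy.jar", inner.getvalue())


def demo(class_name="SipServerBean"):
    """Run the scanner over the constructed tree; returns the archive locations relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return sorted(os.path.relpath(location, root) for location, _ in scan_directory(root, class_name))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A location such as app.war!WEB-INF/lib/sip-copy.jar follows the URL convention Java itself uses for classes inside nested jars, so the report can be handed straight to whoever has to decide which copy the class loader actually picks.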

Java Decompiler

February 10, 2011

Jdec – Java Decompiler, an open-source tool. Loved using it!

Download on to the drive say D:\

double click on Jdec-UI.bat

Before starting, you need to configure the properties appropriately.

Configuration–>Jdec(Decompiler) configuration

Make changes to the configuration

Click Update Changes button.

In the file folder list –> select appropriate class file and double click the same to see the decompiled java class file. That’s it!



TCP/IP Monitoring for viewing SOAP Envelope

February 9, 2011

One needs a TCP/IP monitoring tool to watch the traffic between client and server.

I have web services deployed on a WebLogic server and a Java client that accesses one of them; it works fine. My requirement is to view the SOAP envelope of the request and the response.

Here are the simple steps from dailyraaga to help you configure TCP/IP monitoring.

STEP 1: Download axis.jar

Download file from

Unzip the file to place it in d:\ (you may place it any where, for this post i just dropped the jar file in d drive)


Run the java command: D:\>java -cp axis.jar org.apache.axis.utils.tcpmon

This should open TCPMonitor

Since my weblogic is running on localhost on port 7001

Target Hostname: localhost
Target Port: 7001

Give a random Listen Port

Listen Port: 1234

Click on ‘Add’ now

You should see a new tab Port 1234


In your Java web service client code, add the following statements so the client sends its HTTP traffic to tcpmon's listen port (1234) instead of straight to WebLogic:

System.setProperty("http.proxyHost", "localhost");
System.setProperty("http.proxyPort", "1234");
System.setProperty("", "localhost");   // the WebLogic-specific proxy host property; its name was stripped from the page
System.setProperty("weblogic.webservice.transport.http.proxy.port", "1234");   // tcpmon's listen port, not the WebLogic port


Now run the java client to see the soap request/response

That’s it!
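What a tool like tcpmon does under the hood, as an added example that is not part of the original post and not Axis code: a small Python relay that listens on a local port, forwards each connection to the target host and port, and keeps a copy of the bytes in both directions, so the SOAP request and response can be read afterwards. The fake SOAP endpoint, the two sample envelopes, the OS-chosen listen port and the /services/Greeting path are all constructed for the demo.

```python
"""tcpmon-style relay: listen locally, forward to the target, keep a copy of both directions."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample SOAP messages for the demo (not from any real service).
SOAP_NS = b'xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
SOAP_REQUEST = (b'<soapenv:Envelope ' + SOAP_NS + b'><soapenv:Body><getGreeting>'
                b'<name>dailyraaga</name></getGreeting></soapenv:Body></soapenv:Envelope>')
SOAP_RESPONSE = (b'<soapenv:Envelope ' + SOAP_NS + b'><soapenv:Body><getGreetingResponse>'
                 b'<return>Hello dailyraaga</return></getGreetingResponse></soapenv:Body></soapenv:Envelope>')


class CapturingRelay:
    """Accepts connections on a local port, relays each one to target and records the bytes."""
    def __init__(self, target_host, target_port):
        self.target = (target_host, target_port)
        self.exchanges = []            # one (request_bytes, response_bytes) per connection
        self._stop, self._handlers = threading.Event(), []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free listen port
        self._sock.listen(5)
        self._sock.settimeout(0.2)     # so the accept loop can notice stop()
        self.listen_port = self._sock.getsockname()[1]
        self._acceptor = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._acceptor.start()
        return self.listen_port

    def stop(self):
        self._stop.set()
        self._acceptor.join()
        for handler in self._handlers:   # wait until every exchange is recorded
            handler.join()
        self._sock.close()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                client, _ = self._sock.accept()
            except socket.timeout:
                continue
            handler = threading.Thread(target=self._relay, args=(client,), daemon=True)
            self._handlers.append(handler)
            handler.start()

    @staticmethod
    def _pump(src, dst, sink):
        """Copy src -> dst until src closes, keep every byte in sink, then pass the half-close on."""
        try:
            while chunk := src.recv(4096):
                sink.extend(chunk)
                dst.sendall(chunk)
        except OSError:
            pass
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

    def _relay(self, client):
        upstream = socket.create_connection(self.target, timeout=5)
        client.settimeout(5)
        request, response = bytearray(), bytearray()
        c2s = threading.Thread(target=self._pump, args=(client, upstream, request))
        s2c = threading.Thread(target=self._pump, args=(upstream, client, response))
        c2s.start(); s2c.start(); c2s.join(); s2c.join()
        client.close(); upstream.close()
        self.exchanges.append((bytes(request), bytes(response)))


def http_body(raw):
    """Payload after the HTTP headers: the SOAP envelope of a captured request or response."""
    _, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else b""


class FakeSoapHandler(BaseHTTPRequestHandler):
    # Stand-in for the WebLogic endpoint: answers every POST with SOAP_RESPONSE.
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(SOAP_RESPONSE)))
        self.end_headers()
        self.wfile.write(SOAP_RESPONSE)


def demo():
    """client -> relay -> fake endpoint, once; returns captured exchanges and the client's reply."""
    server = HTTPServer(("127.0.0.1", 0), FakeSoapHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    relay = CapturingRelay("127.0.0.1", server.server_address[1])
    # The client is pointed at the relay's listen port, which is what the proxy settings above achieve.
    conn = http.client.HTTPConnection("127.0.0.1", relay.start(), timeout=5)
    conn.request("POST", "/services/Greeting", body=SOAP_REQUEST, headers={"Content-Type": "text/xml"})
    reply = conn.getresponse().read()
    conn.close()
    relay.stop(); server.shutdown(); server.server_close()
    return relay.exchanges, reply
```

Call `demo()` and pass each captured request and response through `http_body()` to get the bare envelopes; a real client is redirected the same way, by pointing it at the relay's listen port instead of the server's.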

Rails and OpenLaszlo integration

February 6, 2011

This post explains a step-by-step approach to Rails and OpenLaszlo integration. Understanding Rails and OpenLaszlo is out of scope of this post.

Note: it's been a while since I worked on these technologies, so some parts may no longer be valid.


I'm executing this project from my Eclipse workspace; you may use a different folder to your liking.

STEP 1: Install the ropenlaszlo gem

C:\eclipse-workspace>gem install ropenlaszlo
Successfully installed ropenlaszlo-0.5
1 gem installed
Installing ri documentation for ropenlaszlo-0.5...
Installing RDoc documentation for ropenlaszlo-0.5...

STEP 2: Creating rails application

C:\eclipse-workspace>rails contacts
create  app/controllers
create  app/helpers
create  app/models
create  app/views/layouts
create  config/environments
create  config/initializers
create  db
create  doc
create  lib
create  lib/tasks
create  log
create  public/images
create  public/javascripts
create  public/stylesheets
create  script/performance
create  script/process
create  test/fixtures
create  test/functional
create  test/integration
create  test/unit
create  vendor
create  vendor/plugins
create  tmp/sessions
create  tmp/sockets
create  tmp/cache
create  tmp/pids
create  Rakefile
create  README
create  app/controllers/application.rb
create  app/helpers/application_helper.rb
create  test/test_helper.rb
create  config/database.yml
create  config/routes.rb
create  config/initializers/inflections.rb
create  config/initializers/mime_types.rb
create  config/initializers/new_rails_defaults.rb
create  config/boot.rb
create  config/environment.rb
create  config/environments/production.rb
create  config/environments/development.rb
create  config/environments/test.rb
create  script/about
create  script/console
create  script/dbconsole
create  script/destroy
create  script/generate
create  script/performance/benchmarker
create  script/performance/profiler
create  script/performance/request
create  script/process/reaper
create  script/process/spawner
create  script/process/inspector
create  script/runner
create  script/server
create  script/plugin
create  public/dispatch.rb
create  public/dispatch.cgi
create  public/dispatch.fcgi
create  public/404.html
create  public/422.html
create  public/500.html
create  public/index.html
create  public/favicon.ico
create  public/robots.txt
create  public/images/rails.png
create  public/javascripts/prototype.js
create  public/javascripts/effects.js
create  public/javascripts/dragdrop.js
create  public/javascripts/controls.js
create  public/javascripts/application.js
create  doc/README_FOR_APP
create  log/server.log
create  log/production.log
create  log/development.log
create  log/test.log

STEP 3: Install OpenLaszlo plugin

Change directory

C:\eclipse-workspace>cd contacts
C:\eclipse-workspace\contacts>ruby script/plugin install


+ ./Rakefile 

+ ./TODO
+ ./generators/applet/USAGE
+ ./generators/applet/applet_generator.rb
+ ./generators/applet/templates/applet.lzx
+ ./generators/applet/templates/datamanager.lzx
+ ./generators/applet/templates/modelcontroller.lzx
+ ./generators/applet/templates/modelgrid.lzx
+ ./generators/applet/templates/view.rhtml
+ ./generators/rest_controller/USAGE
+ ./generators/rest_controller/rest_controller_generator.rb
+ ./generators/rest_controller/templates/controller.rb
+ ./generators/rest_scaffold/USAGE
+ ./generators/rest_scaffold/rest_scaffold_generator.rb
+ ./generators/rest_scaffold/templates/controller.rb
+ ./init.rb
+ ./javascripts/flashobject.js
+ ./lib/active_record_rest.rb
+ ./lib/active_record_xml.rb
+ ./lib/extensions.rb
+ ./lib/flashobject_view_helper.rb
+ ./lib/range_list.rb
+ ./lib/rest_helper.rb
+ ./lib/rest_scaffolding.rb
+ ./tasks/compile_applets.rake
+ ./tasks/update_flashobject.rake
+ ./trunk/CHANGES
+ ./trunk/MIT-LICENSE
+ ./trunk/README
+ ./trunk/Rakefile
+ ./trunk/TODO
+ ./trunk/generators/applet/USAGE
+ ./trunk/generators/applet/applet_generator.rb
+ ./trunk/generators/applet/templates/applet.lzx
+ ./trunk/generators/applet/templates/datamanager.lzx
+ ./trunk/generators/applet/templates/modelcontroller.lzx
+ ./trunk/generators/applet/templates/modelgrid.lzx
+ ./trunk/generators/applet/templates/view.rhtml
+ ./trunk/init.rb
+ ./trunk/install.rb
+ ./trunk/javascripts/flashobject.js
+ ./trunk/lib/flashobject_view_helper.rb
+ ./trunk/lib/openlaszlo_build_support.rb
+ ./trunk/lib/openlaszlo_installer.rb
+ ./trunk/tasks/compile_applets.rake
+ ./trunk/tasks/update_javascripts.rake

STEP 4: Generate Applet now


C:\eclipse-workspace\contacts>ruby script/generate applet contacts applet
exists  app/views/
dependency  model
exists    app/models/
exists    test/unit/
exists    test/fixtures/
create    app/models/contacts.rb
create    test/unit/contacts_test.rb
create    test/fixtures/contacts.yml
create    db/migrate
create    db/migrate/20080918153823_create_contacts.rb
dependency  rest_controller
exists    app/controllers/
exists    app/helpers/
exists    test/functional/
dependency    model
exists      app/models/
exists      test/unit/
exists      test/fixtures/
identical      app/models/contacts.rb
identical      test/unit/contacts_test.rb
identical      test/fixtures/contacts.yml
exists      db/migrate
Another migration is already named create_contacts: db/migrate/20080918153823_create_contacts.rb
./script/generate applet contacts applet
This will create:

STEP 5 (OPTIONAL): Set JAVA_OPTS

set JAVA_OPTS=-Xms256m -Xmx512m -XX:MaxPermSize=128m

STEP 6: Rake applets

C:\eclipse-workspace\contacts>rake applets
C:\eclipse-workspace\contacts>cp C:/eclipse-workspace/contacts/vendor/plugins/openlaszlo/javascripts/flashobject.js C:/eclipse-workspace/contacts/public/javascripts
C:\eclipse-workspace\contacts>mkdir -p C:/eclipse-workspace/contacts/public/applets
C:\eclipse-workspace\contacts>lzc -dir public/applets app/applets/applet/applet.lzx
Compiling: app\applets\applet\applet.lzx to public\applets\applet.lzr=swf8.swf

Hope it helps someone who is looking to integrate these two technologies.

Enabling Audit to a table

January 17, 2011

An audit trail helps you assess who did what, when, and from where. In enterprise products auditing becomes mandatory and is very often a compliance requirement. Auditing can be performed at the application level, at the database level, or both.

For auditing at the application level, you need to rely on a custom framework or on manually inserting audit events, in a secure way, into a separate table.

In this post we discuss the policy that needs to be enforced on a database table to keep track of who accessed the table, with what query, when, and from where. Through this policy we address the 4 W's: who, what, where and when.

Here are the simple steps to enforce an audit policy on the table Employee of the HR schema, which is loaded as a default sample schema in Oracle.

Note: the policy we are going to enforce is specific to Oracle Database.

Policy to enforce auditing on the Employee table of the HR schema for SELECT, INSERT, UPDATE and DELETE operations:

BEGIN
  -- DBMS_FGA.ADD_POLICY registers the fine-grained audit policy on the table.
  -- NOTE: the sample HR schema ships this table as EMPLOYEES; use the name that exists in your database.
  DBMS_FGA.ADD_POLICY(
     object_schema     => 'HR',
     object_name       => 'EMPLOYEE',
     policy_name       => 'Employee_Policy_1',
     audit_condition   => NULL,                   -- NULL: audit every statement, not only rows matching a condition
     audit_column      => NULL,                   -- NULL: any column touched triggers the audit
     handler_schema    => NULL,
     handler_module    => NULL,                   -- no event handler procedure
     enable            => TRUE,
     statement_types   => 'SELECT, INSERT, UPDATE, DELETE',
     audit_trail       => DBMS_FGA.DB_EXTENDED,   -- record SQL text and bind values in the trail
     audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/


Sometimes the logged-in database user does not have permission to execute DBMS_FGA. In that case log in as SYSDBA and grant HR execute permission on DBMS_FGA:

grant execute on dbms_fga to hr;

Sometimes executing the above policy results in the following error:

In that case check the version of the Oracle database and whether auditing is enabled:

select * from v$version;

Fine-grained auditing ships with the Enterprise Edition of the database, not with the other editions. If you are using Enterprise Edition, check which options are enabled for the installed database:

select * from v$option;

You should see Fine-grained Auditing = TRUE; if so, continue to the next step, otherwise you can't enable auditing for the table.

Activate the above policy now (ADD_POLICY with enable => TRUE already enables it; ENABLE_POLICY is how you turn a disabled policy back on):

BEGIN
  DBMS_FGA.ENABLE_POLICY(
     object_schema => 'HR',
     object_name   => 'EMPLOYEE',
     policy_name   => 'Employee_Policy_1');
END;
/

Run a sample query to check whether auditing is working.

Connect as any user who has access to query HR, say SYSDBA:

SQL> select * from HR.Employee;

Query the audit trail view to see whether any records were inserted (the policy name must match the one given in ADD_POLICY; it is compared case-insensitively here to be safe):

SQL> SELECT * FROM DBA_FGA_AUDIT_TRAIL WHERE UPPER(policy_name) = 'EMPLOYEE_POLICY_1';

From the result of the above query you should find answers to the 4 W's: what the query was, from where it was fired, when it was fired and who fired it.


Why SSL is not the right option for web service security?

December 31, 2010

Securing web services is not always straightforward.

This post primarily discusses the reasons why SSL (Secure Sockets Layer) is not the best fit for ensuring web service security. SSL works at the transport layer, most commonly as HTTPS.

  • Web services need end-to-end security, whereas SSL provides point-to-point security. Between the sender and the final receiver a message may pass through multiple intermediaries that might not have adequate security policies enforced, and each of them is a point where the integrity and confidentiality of the message can be compromised
  • SSL doesn't support non-repudiation (look up the definition of non-repudiation on the net if it's new to you)
  • SSL provides security only at the transport layer, not at the message level
  • If you want to encrypt credit card information or sign a particular portion of the SOAP message, SSL is not the right option

I’ll try to bring in more information on security stuff in coming posts…

Till then have a great day and HAPPY NEW YEAR! 😀
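To make the last two bullets concrete, here is an added example (mine, not from the original post) of message-level integrity: a digest over just the <CreditCard> element travels inside the SOAP header and is checked by the final receiver, so an intermediary can legitimately rewrite the shipping address while any change to the card data is detected, something a TLS hop between two neighbours cannot provide. HMAC-SHA256 with a constructed shared key is used only so the script runs on the standard library; it gives integrity but, unlike the asymmetric XML Signature that WS-Security would carry, it cannot give non-repudiation, because both parties hold the same key. The envelope, key, element names and the <Integrity> header format are all constructed for the demo.

```python
"""Message-level integrity for one element of a SOAP envelope (stdlib-only demo)."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_NS)

# Constructed sample key and message (not from any real system).
DEMO_KEY = b"demo-shared-key-for-illustration-only"
ORDER_ENVELOPE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header/><soapenv:Body>'
    '<PlaceOrder><ShippingAddress>1 Main St</ShippingAddress>'
    '<CreditCard><Number>4111111111111111</Number><Expiry>12/29</Expiry></CreditCard>'
    '</PlaceOrder></soapenv:Body></soapenv:Envelope>'
)


def _canonical(elem):
    """Serialise one element on its own (no trailing text) so sender and receiver digest identical bytes.
    Real XML Signature uses C14N here; plain serialisation suffices for a namespace-free subtree."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    return ET.tostring(clone)


def _body_element(root, tag):
    body = root.find(f"{{{SOAP_NS}}}Body")
    return None if body is None else body.find(f".//{tag}")


def protect_element(envelope_xml, tag, key=DEMO_KEY):
    """Add an <Integrity> header covering only the Body element named `tag`."""
    root = ET.fromstring(envelope_xml)
    target = _body_element(root, tag)
    if target is None:
        raise ValueError(f"no <{tag}> element in the Body")
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)
    mac = hmac.new(key, _canonical(target), hashlib.sha256).digest()
    proof = ET.SubElement(header, "Integrity", ref=tag, alg="HMAC-SHA256")
    proof.text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify_element(envelope_xml, key=DEMO_KEY):
    """True only if the element referenced by the Integrity header arrived unchanged."""
    root = ET.fromstring(envelope_xml)
    proof = root.find(f"{{{SOAP_NS}}}Header/Integrity")
    if proof is None or proof.get("alg") != "HMAC-SHA256":
        return False
    target = _body_element(root, proof.get("ref", ""))
    if target is None:
        return False
    expected = hmac.new(key, _canonical(target), hashlib.sha256).digest()
    try:
        received = base64.b64decode(proof.text or "", validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, received)   # constant-time comparison


def intermediary_rewrites(envelope_xml, tag, new_text):
    """Model an intermediary (router, gateway) that edits one element before forwarding."""
    root = ET.fromstring(envelope_xml)
    root.find(f".//{tag}").text = new_text
    return ET.tostring(root, encoding="unicode")


def demo():
    """Which intermediary edits the protected envelope tolerates, and which the receiver rejects."""
    protected = protect_element(ORDER_ENVELOPE, "CreditCard")
    return {
        "untouched": verify_element(protected),
        # An uncovered element may change in transit (a routing hop legitimately updating it).
        "address_rewritten": verify_element(intermediary_rewrites(protected, "ShippingAddress", "2 Side St")),
        # A change inside the covered element is caught by the final receiver, whatever hop made it.
        "card_rewritten": verify_element(intermediary_rewrites(protected, "Number", "5500000000000004")),
        "wrong_key": verify_element(protected, key=b"some-other-key"),
    }
```

`demo()` returns True for the untouched and address-rewritten cases and False for the rewritten card number and the wrong key; the point is that the check lives in the message and is evaluated by the endpoint, not by whichever TLS peer happens to be adjacent.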

