Monday, August 30, 2021

Oracle Developer Connect Portal and SOAP Web Services in Oracle Fusion

Oracle Developer Connect portal is an integrated repository of all the SOAP Web Services provided by Oracle ERP cloud.

What is it ?

- A cloud developer portal that runs on your cloud instance and provides information about the specific set of services deployed to your cloud instance.

- Very useful resource to integrate or extend Oracle Cloud Applications and develop customized business solutions.

- Discover business object services, look up service endpoints and view metadata.

- Includes definitions for all SOAP-based web services that are marked for external use.

- Reflects the current service interface and includes patches as well as service data object customizations, if any.

What are the prerequisites ?

- To use the Developer Connect portal, your job role must have one of the following privileges -



- Alternatively, you can create a custom role with ATK_WEB_SERVICE_INFO_ACCESS_PRIV entitlement and then grant the custom role to desired user

What does it offer ?

- Searchable list of all the available web services.

- Quick access to complete URLs for the Service Endpoints as well as WSDL locations.

- Easy to UI with detailed information including service statuses and meaningful descriptions.

- Additional details on all related Service Operations, Service Data Objects and Sample payloads.

How to access ?

- In your ERP Cloud instance, Navigate to Tools > Developer Connect

- Search for the desired Web Service

- Locate Web Service Summary and WSDL

Web Service Description Language (WSDL) - Describes structure of a web service. Provides location and the operations offered by a given service
Sample -

- Locate Web Service Operations

- Locate Web Service Payload details

- Locate Web Service Service Data Object structure

XML Schema Definition (XSD)


Tuesday, August 10, 2021

Web Service Security Policies in Oracle Fusion

Indeed we can use basic authentication (login/password) to authenticate all Webservices in Oracle ERP Cloud .. but what if we want to have a better level of security ? Let's see more effective methods to securely access Webservices in Oracle Fusion.

Oracle Web Services Manager (OWSM) policies enforce and enable web service security in Oracle Fusion Applications.

Whilst the basic authentication might be sufficient in some cases, there are more secure ways to use Fusion Applications web services.

This involves the use of a secure session header token. The token expires within a few hours of being generated.

Tokens are encrypted and signed.

SOAP Web services policies -

  • SOAP web services are secured by a global server-side policy called oracle/wss11_saml_or_username_token_with_message_protection_service_policy

  • SOAP WSDLs contain an X509 certificate in binary format.
  • This needs to be imported into the client machine certificate key store.

  • This helps the client application in encrypting the web service requests made to ERP Cloud and the cloud environment decrypts the request upon receipt.

  • Additionally, a certificate needs to be generated on the client machine and then imported into the Fusion Applications environment certificate keystore. Oracle Support can help with importing the certificate into a Fusion Applications environment.

REST Web services policies -

  • REST services are secured by a single global server-side policy called oracle/multi_token_over_ssl_rest_service_policy

  • This policy supports three different authentication mechanisms -
  • Basic Authentication - A combination of the username and password are base64 encoded and passed in the header to authenticate to use the Web Service.

  • JWT https header token
    - JSON Web Tokens (JWT) are used to store session data
    - Oracle Fusion Applications stores session information within a JWT token and therefore it can be used to maintain a session.
    - The JWT token is retrieved during the authentication process and is then placed in the header of every REST service request.
    - JWT tokens expire after a few hours and a new one is necessary to continue the session.

  • SAML 2.0 https header token
    - Similar to JWT, Security Assertion Markup Language 2.0 (SAML 2.0) tokens can be stored in the HTTP header to authenticate and authorize a user.