The Oracle RightNow adapter uses the Credentials Store Framework to store credentials captured during the configuration of connections within the Oracle RightNow adapter configuration wizard. This ensures that the credentials captured during configuration are stored in secured form and are not stored with the SOA Composite or Oracle Service Bus flow.
At runtime, the adapter automatically retrieves the credentials from the Credentials Store Framework based on the CSF_KEY that was specified during design time. These credentials are injected into the SOAP header of the document that is sent to the RightNow Cx Server for authentication.
The following section provides information about authenticating on the Oracle RightNow Cx Server with account passwords. This section includes:
When the Oracle Cloud Connect Web Services for SOAP API receives a request, a series of access control measures are enforced:
Server-side access control is enforced on all core API calls made by Oracle Cloud Connect Web Services for SOAP. The current permissions map to the read, edit, delete, and move check boxes on the Profile Permissions editor in Oracle RightNow. Although server-side access control is enabled by default on new sites created with the May 2013 release or later, it is disabled on sites upgraded from releases before May 2013. If you are an existing Oracle RightNow customer and plan to upgrade your site to a May 2013 or later build, contact customer care to have this security-enhancing functionality enabled.
If you already have server-side access control enabled on your site, be careful of changes you make to Profile permissions. If an Oracle RightNow administrator changes the permissions on a profile for an Oracle Cloud Connect Web Services for SOAP integration, they might break that integration.
Access to the Oracle Cloud Connect Web Services for SOAP is available only on those sites that have it enabled. If Oracle Cloud Connect Web Services for SOAP is not enabled, contact your Oracle account manager, as the API will not function and a request error will be returned.
Request errors are generated any time there is a validation failure or a data-related error of the inbound request. The exception code will be ACCESS_DENIED and the message will be the message base string for S
For complete information on request errors and exception codes, see Oracle Connect Web Services for SOAP.
Before staff accounts can be authenticated through Oracle RightNow Cx, their profile(s) must be updated on the Profile Permissions editor in Oracle RightNow Cx. The permissions check boxes are located at Staff Management > Profiles > Permissions.
Figure 4-5 Location of Permissions Checkboxes
In addition, RightNow Cx administrators can restrict access to Oracle Cloud Connect Web Services for SOAP integrations by IP address using the configuration settings in the Oracle RightNow Cx platform. The following setting is located at Site Configuration > Configuration Setting.
SEC_PAPI_INTEG_HOSTS_SOAP: Defines which hosts are allowed to access the SOAP interface. Valid entries include a comma-separated list of domain names with wild cards, specific IP addresses, or IP subnet masks (for example, *.rightnow.com,184.108.40.206, 10.11.12.0/255.255.255.0).
Only users logging in from hosts matching entries in this list are allowed access to the SOAP interface. The default is blank.
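The following sketch is an added example, not Oracle code. It parses a SEC_PAPI_INTEG_HOSTS_SOAP value into its three entry kinds so an administrator can test which clients a proposed list would admit and spot overly broad entries before saving it. The matching semantics, the function names and the min_prefix threshold are assumptions made for illustration; the platform's own matching may differ.

```python
import fnmatch
import ipaddress

# The example value given for SEC_PAPI_INTEG_HOSTS_SOAP on this page.
SAMPLE = "*.rightnow.com,184.108.40.206, 10.11.12.0/255.255.255.0"

def parse_allow_list(setting):
    """Split the comma-separated value into ("net", network) or ("name", pattern)."""
    entries = []
    for raw in setting.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            # Handles a single address and address/mask (dotted mask or prefix length).
            entries.append(("net", ipaddress.ip_network(item, strict=False)))
        except ValueError:
            entries.append(("name", item.lower()))
    return entries

def is_allowed(entries, ip, hostname=None):
    """Assumed semantics: allow if the client IP or its host name matches any entry."""
    addr = ipaddress.ip_address(ip)
    for kind, value in entries:
        if kind == "net" and addr in value:
            return True
        if kind == "name" and hostname and fnmatch.fnmatchcase(hostname.lower(), value):
            return True
    return False

def broad_entries(entries, min_prefix=16):
    """Review aid: list entries that admit very large ranges (threshold is arbitrary)."""
    flagged = []
    for kind, value in entries:
        if kind == "net" and value.prefixlen < min_prefix:
            flagged.append(str(value))
        elif kind == "name":
            fixed = [label for label in value.split(".") if "*" not in label]
            if len(fixed) < 2:  # e.g. "*" or "*.com"
                flagged.append(value)
    return flagged
```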
To configure restricted access permissions:
To access the same site in the future, you can launch the client by selecting Start menu > All Programs > RightNow > RightNow (<site_name>). The client application is site-based, meaning that a separate client must be deployed for each site you access.
However, a single client application can be used to access all interfaces on a single site. Interfaces are added to the client in the same way the client is deployed.
Access the interface's Launch page and click the Install Oracle RightNow CX Cloud Service button (as described in the Oracle RightNow Cx User's Guide), and the deployment tool adds the interface to the Interface drop-down menu on the client's Login window.
SEC_PAPI_INTEG_HOSTS_SOAP setting. Refer to the Oracle RightNow Cx User's Guide.
When a request is sent to the API and the site configuration has been validated, the next step is to validate the account credentials. If the credentials do not verify, a request error is returned. The exception code will be INVALID_LOGIN, and the message will be the message base string
The profile for the staff account which is used in the security header must have the Public SOAP API profile bit enabled. If this bit is not enabled, a request error is returned. The exception code will be ACCESS_DENIED, and the message will be the message base string
Oracle Cloud Connect Web Services for SOAP uses Web Services Policy 1.2, as defined by http://specs.xmlsoap.org/ws/2004/09/policy/ws-policy.pdf, for client authentication.
The supporting XSD for the security policy is located at http://schemas.xmlsoap.org/ws/2004/09/policy/ws-policy.xsd.
To authenticate with single sign-on, refer to Authenticating with SAML 2.0.
The WS-Security specification calls for a Security tag in the SOAP Header with a namespace of
Security tag is a UsernameToken tag (part of the WS-Security UsernameToken Profile 1.0 specification). The UsernameToken tag contains elements for
Password element has a Type attribute which specifies if the content of the Password element is
PasswordText. Oracle Cloud Connect Web Services for SOAP does not support
Created elements are not supported. If a request is received that contains the PasswordDigest type or the Created/Nonce elements, the server rejects the request as a malformed request.
The following is an example SOAP request with username and password credentials:
Example 4-1 Example SOAP Request with Username and Password Credentials
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
      <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-3902281">
        <wsse:Username>comland</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Connect1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
</soapenv:Envelope>
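The following added example (not Oracle code) builds the same kind of header as Example 4-1 and runs a client-side pre-flight check for the constraints described above: a PasswordText Type and no Nonce or Created elements. The function names and the DIGEST_SAMPLE envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = WSS + "wssecurity-secext-1.0.xsd"
WSU = WSS + "wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = WSS + "username-token-profile-1.0#PasswordText"

def build_envelope(username, password):
    """Envelope with a PasswordText UsernameToken (Body omitted, as in Example 4-1)."""
    env = ET.Element(f"{{{ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{ENV}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{ENV}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT})
    pw.text = password  # PasswordText: the password travels as plain text in the header
    return ET.tostring(env, encoding="unicode")

def check_username_token(envelope_xml):
    """Return the reasons the token falls outside what the page says is supported."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return ["no wsse:UsernameToken in the SOAP header"]
    problems = []
    pw = token.find(f"{{{WSSE}}}Password")
    if token.find(f"{{{WSSE}}}Username") is None or pw is None:
        problems.append("Username or Password element missing")
    elif pw.get("Type") != PASSWORD_TEXT:
        problems.append("Password Type is not PasswordText")
    if token.find(f"{{{WSSE}}}Nonce") is not None:
        problems.append("Nonce element present")
    if token.find(f"{{{WSU}}}Created") is not None:
        problems.append("Created element present")
    return problems

# Constructed sample: a digest-style token carrying Nonce and Created.
DIGEST_SAMPLE = f"""<e:Envelope xmlns:e="{ENV}" xmlns:o="{WSSE}" xmlns:u="{WSU}">
<e:Header><o:Security><o:UsernameToken>
<o:Username>integration_user</o:Username>
<o:Password Type="{WSS}username-token-profile-1.0#PasswordDigest">AAAA</o:Password>
<o:Nonce>BBBB</o:Nonce><u:Created>2024-01-01T00:00:00Z</u:Created>
</o:UsernameToken></o:Security></e:Header></e:Envelope>"""
```

Because the password is carried as PasswordText, the request should only ever be sent over TLS.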