When invoking the BI Publisher ReportService on an ERP POD, the usermame and password are cleartext in the request payload
(Doc ID 2753699.1)
Last updated on FEBRUARY 18, 2021
Applies to:
Oracle Integration-OIC - Version 18.2.5 and laterInformation in this document applies to any platform.
Symptoms
When invoking the BI Publisher ReportService on an ERP POD, using the OIC SOAP Adapter, the userID and password are cleartext in the request payload. This means these credentials can be viewed in the OIC Activity Stream.
eg:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v2="http://xmlns.oracle.com/oxp/service/v2">
<soapenv:Header/>
<soapenv:Body>
<v2:runReport>
<v2:reportRequest>
<v2:attributeFormat>pdf</v2:attributeFormat>
<v2:flattenXML>false</v2:flattenXML>
<v2:byPassCache>true</v2:byPassCache>
<v2:parameterNameValues>
<v2:listOfParamNameValues>
<!--Zero or more repetitions:-->
<v2:item>
<pub:name>PM_order_no</pub:name>
<v2:values>
<v2:item>1</v2:item>
</v2:values>
</v2:item>
</v2:listOfParamNameValues>
</v2:parameterNameValues>
<v2:reportAbsolutePath>/Guest/RMS/Orders/ord_det/ord_det.xdo</v2:reportAbsolutePath>
<v2:sizeOfDataChunkDownload>-1</v2:sizeOfDataChunkDownload>
</v2:reportRequest>
<v2:userID>XXXXXXX</v2:userID>
<v2:password>YYYYYYYY</v2:password>
</v2:runReport>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Header/>
<soapenv:Body>
<v2:runReport>
<v2:reportRequest>
<v2:attributeFormat>pdf</v2:attributeFormat>
<v2:flattenXML>false</v2:flattenXML>
<v2:byPassCache>true</v2:byPassCache>
<v2:parameterNameValues>
<v2:listOfParamNameValues>
<!--Zero or more repetitions:-->
<v2:item>
<pub:name>PM_order_no</pub:name>
<v2:values>
<v2:item>1</v2:item>
</v2:values>
</v2:item>
</v2:listOfParamNameValues>
</v2:parameterNameValues>
<v2:reportAbsolutePath>/Guest/RMS/Orders/ord_det/ord_det.xdo</v2:reportAbsolutePath>
<v2:sizeOfDataChunkDownload>-1</v2:sizeOfDataChunkDownload>
</v2:reportRequest>
<v2:userID>XXXXXXX</v2:userID>
<v2:password>YYYYYYYY</v2:password>
</v2:runReport>
</soapenv:Body>
</soapenv:Envelope>
Can the userID and password be encrypted or otherwise obfuscated to hide them ?
Changes
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| References |