Using the Service Accounts in OSB

Very often, when we want to connect to some external FTP/SFTP or JMS servers  or for that matter even for some of the HTTP services we need to authenticate our self before initiating the conservation. The same case applies to OSB proxy and business services as well. To facilitate this OSB has provided a feature of Service Accounts.

Service Account is nothing but an OSB resource that allows us to specify the ‘User Name’ and ‘Password’ for the target server that we want to connect through proxy or business service. The OSB proxy and business service creation wizards provides the option to include this service account resource wherever applicable depending on the transport.

OSB provides 3 types of service accounts and the behavior is like below:

  • Static: The specified credentials will be encoded in outbound request.
  • Pass-through: The specified credentials in the custom token will be used for outbound WS-Security Username Token authentication.
  • Mapping: The credentials mentioned in the inbound request will be mapped to other credentials that are remote.

The Service Account can be used during the design time or at the runtime in the message flow of the proxy service.

Using Service Account in Design Time:

In this section we will have a look at how to use the service account in the design time while creating the business service.

1) Create a simple proxy and route it to the business service.

2) Create a new Service Account resource as shown in the following screenshot.


3) Enter the Service Account name as TestSA and click on Finish button.


4) As mentioned earlier, the service account can be of 3 types which are represented by ‘Resource Type’ in the following screenshot. Select the resource type as ‘Static’ and enter the username and password fields that we need to connect to HTTP or FTP or JMS server.


5) Now go to HTTP Transport configuration page in the business service as shown in the below screenshot. Modify the Authentication to ‘Basic’ and observe that Service Account field became mandatory.


6) Click on ‘Browse’ button and select the Service Account ‘’ as shown in the below screenshot. In the same way we can use the service account when the transport is selected as FTP, JMS etc.. and both proxy and business services can make use of the Service Accounts.


7) Click on OK and save the business service and now you can start testing the business service that accepts these credentials in the request.


Using Service Account in Run Time:

If we want to use the service account in the message flow of the proxy service, use the following XQuery function


The above XQuery function results into the following output when used in any of the OSB activities.

<con:UsernamePasswordCredential xmlns:con=""&gt;




So the following XPath expressions will fetch you the username and password that can be used wherever we want, where varSA represents the variable that store the above XQuery function result.




15 Responses to “Using the Service Accounts in OSB”

  1. 1 sudhahar June 7, 2019 at 5:03 AM

    Is it possible to change the service account id/password based on the payload using xquery at runtime?.

    My requirement is if the target system ‘A’ in the payload then I have use one serviceaccount(id/pass)

    if the target system ‘B’ then I have use another serviceaccount(id/pass)


  2. 2 Pinky March 28, 2019 at 3:58 AM

    Can I customize the service Account url in cutomization file if yes can u give an example customization file

  3. 4 Anonymous April 6, 2016 at 1:26 PM

    In your example, we can see how we can read the credentials but not how to eventually assign the proper Service Account.

    Is it feasible to assign a Service Account for a Business Service at runtime?
    Or a Business Service can only be bound to a Service Account in a hard-coded manner?

  4. 6 Paul Pham August 25, 2014 at 10:22 AM

    One question that is not related to topic. Please show me the differences between design-time and runtime?

    • 7 svgonugu August 25, 2014 at 11:17 AM

      What context you are asking about? you consider usage of service accounts described in this post, first part of this post shows attaching the service account to business service or proxy service during your design time or creation time. second part of it shows using the API, which reads the service account at run time to get the credentials and use it in message flow.

      This is some thing like the following loop. If we directly give the value for cnt during our coding itself, its something similar to design time activity. but if we derive the value cnt somehow and use it in the loop, it can be considered as determining the value at runtime.

  5. 8 Anonymous July 16, 2014 at 11:16 AM


    I tried this example with pass through service account it did not work, but it is working fine with static one. can you please help

  6. 10 Anonymous July 16, 2014 at 11:14 AM


    I tried this example with pass through service accont, but it is not working, can you please help

  7. 11 Karthik July 5, 2013 at 9:17 AM

    It got resolved. I was using fn-bea:lookupBasicCredentials(‘ServiceAccount/’) instead of fn-bea:lookupBasicCredentials(‘ServiceAccount/TestSA’).

    Thanks for your guidance.

  8. 12 Karthik July 4, 2013 at 6:25 PM

    Wonderful article. But my service account is present within some other project, how can I access it in fn-bea:lookupBasicCredentials(‘ServiceAccount/TestSA’)

  1. 1 OSB Links | Tim Cheung Trackback on March 18, 2014 at 11:36 AM
  2. 2 Using the Service Accounts in OSB | Siva’s Blog | jmmate JavaBlog Trackback on June 16, 2013 at 3:33 AM

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 379 other subscribers

Enter your email address to follow this blog and receive notifications of new posts by email.

%d bloggers like this: