2 Interoperability with Oracle WSM 10g Security Environments

This chapter contains the following sections:

Overview of Interoperability with Oracle WSM 10g Security Environments

In Oracle WSM 10g, you specify policy steps at each policy enforcement point. The policy enforcement points in Oracle WSM 10g include Gateways and Agents.

Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the Web service request or response. For more details about the Oracle WSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG.

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see Predefined Policies. For information about configuring and attaching policies, see Configuring Policies and Attaching Policies to Web Services.

Table 2-1 summarizes the most common Oracle WSM 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

For more information about:

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

Please review "A Note About Oracle WSM 10g Gateways" and "A Note About Third-party Software" for important information about your usage of Oracle WSM 10g gateways and third-party software.
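
The v3 requirement in the note above can be verified before any of the scenarios are attempted. The following check is an added example, not code from Oracle's documentation; it assumes the keystore's certificates have been exported to a PEM file with `keytool -export -rfc` (the file name is yours to supply) and decodes only the DER prefix that carries the version field.

```python
"""Report certificates in a PEM file that are not X.509 v3, the keystore
requirement stated in the note above. The DER prefix is decoded by hand so the
check needs nothing beyond the standard library; the two sample certificates are
constructed minimal DER prefixes, not real certificates."""
import base64
import re


def _read_tlv(buf, pos):
    """Decode one DER tag/length and return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded Certificate (RFC 5280 section 4.1).
    TBSCertificate starts with an optional [0] EXPLICIT INTEGER version; absent
    means v1, otherwise the value is 0-based (v3 is encoded as 2)."""
    tag, pos, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)       # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a TBSCertificate SEQUENCE")
    if der[pos] != 0xA0:                    # no [0] tag: version defaults to v1
        return 1
    _, pos, _ = _read_tlv(der, pos)         # step inside the [0] wrapper
    tag, start, end = _read_tlv(der, pos)   # INTEGER holding the version
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big") + 1


_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """Extract every certificate from PEM text (keytool -export -rfc output)."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(pem_text)]


def non_v3_certs(pem_text):
    """Return the 0-based indexes of certificates that are not v3; empty means OK."""
    return [i for i, der in enumerate(pem_to_ders(pem_text)) if x509_version(der) != 3]


def _pem(der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed minimal prefixes: SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER 5 } } (v3)
# and SEQUENCE { SEQUENCE { INTEGER 5 } } (no version field, so v1).
V3_PREFIX = bytes.fromhex("300a3008a003020102020105")
V1_PREFIX = bytes.fromhex("30053003020105")
SAMPLE_PEM = _pem(V3_PREFIX) + _pem(V1_PREFIX)

if __name__ == "__main__":
    # On a real export: non_v3_certs(open("exported-certs.pem").read())
    print("non-v3 certificate indexes:", non_v3_certs(SAMPLE_PEM))
```

A non-empty result names the certificate entries that must be regenerated before the keystore is used in the scenarios below.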

Table 2-1 Interoperability With Oracle WSM 10g Security Environments

Each row lists the interoperability scenario, the direction (Client—>Web Service), the Oracle WSM 11g policy, and the Oracle WSM 10g policy steps.

Scenario: "Anonymous Authentication with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 10g—>Oracle WSM 11g
Oracle WSM 11g policy: oracle/wss10_message_protection_service_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Sign Message and Encrypt
  • Response pipeline: Decrypt and Verify Signature

Scenario: "Anonymous Authentication with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 11g—>Oracle WSM 10g
Oracle WSM 11g policy: oracle/wss10_message_protection_client_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Decrypt and Verify Signature
  • Response pipeline: Sign Message and Encrypt

Scenario: "Username Token with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 10g—>Oracle WSM 11g
Oracle WSM 11g policy: oracle/wss10_username_token_with_message_protection_service_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Sign Message and Encrypt
  • Response pipeline: Decrypt and Verify Signature

Scenario: "Username Token with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 11g—>Oracle WSM 10g
Oracle WSM 11g policy: oracle/wss10_username_token_with_message_protection_client_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Decrypt and Verify Signature; Extract Credentials (configured as WS-BASIC); File Authenticate
  • Response pipeline: Sign Message and Encrypt

Scenario: "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 10g—>Oracle WSM 11g
Oracle WSM 11g policy: oracle/wss10_saml_token_with_message_protection_service_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Extract Credentials (configured as WS-BASIC); SAML—Insert WSS 1.0 Sender-Vouches Token; Sign Message and Encrypt
  • Response pipeline: Decrypt and Verify Signature

Scenario: "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 11g—>Oracle WSM 10g
Oracle WSM 11g policy: oracle/wss10_saml_token_with_message_protection_client_policy
Oracle WSM 10g policy steps:
  • Request pipeline: XML Decrypt; SAML—Verify WSS 1.0 Token
  • Response pipeline: Sign Message and Encrypt

Scenario: "Mutual Authentication with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 10g—>Oracle WSM 11g
Oracle WSM 11g policy: oracle/wss10_x509_token_with_message_protection_service_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Sign Message and Encrypt
  • Response pipeline: Decrypt and Verify Signature

Scenario: "Mutual Authentication with Message Protection (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 11g—>Oracle WSM 10g
Oracle WSM 11g policy: oracle/wss10_x509_token_with_message_protection_client_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Decrypt and Verify Signature
  • Response pipeline: Sign Message and Encrypt

Scenario: "Username Token Over SSL"
Client—>Web Service: Oracle WSM 10g—>Oracle WSM 11g
Oracle WSM 11g policy: wss_username_token_over_ssl_service_policy
Oracle WSM 10g policy steps: N/A

Scenario: "Username Token Over SSL"
Client—>Web Service: Oracle WSM 11g—>Oracle WSM 10g
Oracle WSM 11g policy: wss_username_token_over_ssl_client_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Extract Credentials; File Authenticate

Scenario: "SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 10g—>Oracle WSM 11g
Oracle WSM 11g policy: oracle/wss_saml_token_over_ssl_service_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Extract Credentials; SAML—Insert WSS 1.0 Sender-Vouches Token

Scenario: "SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)"
Client—>Web Service: Oracle WSM 11g—>Oracle WSM 10g
Oracle WSM 11g policy: oracle/wss_saml_token_over_ssl_client_policy
Oracle WSM 10g policy steps:
  • Request pipeline: Extract Credentials; File Authenticate


The following sections provide additional interoperability information about using Oracle WSM 10g gateways and third-party software with Oracle WSM 11g.

A Note About Oracle WSM 10g Gateways

As described in Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware, Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include a Gateway component. You can continue to use the Oracle WSM 10g Gateway components with Oracle WSM 10g policies in your applications, as described in the following sections.

A Note About Third-party Software

As described in Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware, Oracle WSM 10g supported policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 11g Release 1 (11.1.1) only supports Oracle WebLogic Server. You can continue to use the third-party application servers with Oracle WSM 10g policies, as described in the following sections.

Anonymous Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-2 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: oracle/wss10_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the policy.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see Attaching Policies to Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Policies to Web Services" in JDeveloper Online Help.

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step to the request pipeline: Sign Message and Encrypt.

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step to the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  7. Invoke the Web service.


Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-3 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Decrypt and Verify Signature

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Sign Message and Encrypt

  5. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy to the Web service client.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Oracle WSM Policies to Web Service Clients" in JDeveloper Online Help.

  4. Configure the policy, as described in "oracle/wss10_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  5. Invoke the Web service.
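
Once both sides are configured as above, a captured request should show exactly the profile this scenario fixes: RSA-OAEP-MGF1P key transport, AES-128 content encryption, a signature, and no timestamp (Include Timestamp is disabled on both policies). The checker below is an added example, not Oracle code; it also classifies the token carried in the header, so it covers the username-token, SAML and X.509 scenarios later in this chapter as well as the anonymous one. Sample envelopes are constructed and deliberately skeletal (no real ciphertext or signature bytes).

```python
"""Check a SOAP request against the WS-Security 1.0 message-protection profile
configured above: RSA-OAEP-MGF1P key transport, AES-128 content encryption,
a signature present and no wsu:Timestamp (Include Timestamp is disabled on
both sides). It also reports which token the sender used, so one checker
covers the anonymous, username-token, SAML and X.509 scenarios.
Sample envelopes are constructed here; no real capture is included."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def classify_token(sec):
    """Name the sender's token with the scenario names used in this chapter."""
    if sec.find("wsse:UsernameToken", NS) is not None:
        return "username-token"
    assertion = sec.find("saml:Assertion", NS)
    if assertion is not None:
        methods = [m.text for m in assertion.iter(f"{{{NS['saml']}}}ConfirmationMethod")]
        return "saml-sender-vouches" if SENDER_VOUCHES in methods else "saml-other"
    if sec.find("wsse:BinarySecurityToken", NS) is not None:
        return "x509-token"
    return "anonymous"


def check_envelope(envelope_xml):
    """Return {'token': ..., 'problems': [...]}; an empty list means the
    message matches the profile. Run it on the decrypted message if the
    token itself was encrypted."""
    root = ET.fromstring(envelope_xml)
    result = {"token": None, "problems": []}
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        result["problems"].append("missing wsse:Security header")
        return result
    result["token"] = classify_token(sec)

    # Key transport (xenc:EncryptedKey in the header) must be RSA-OAEP-MGF1P.
    key_algs = [m.get("Algorithm")
                for m in sec.findall("xenc:EncryptedKey/xenc:EncryptionMethod", NS)]
    if not key_algs:
        result["problems"].append("no xenc:EncryptedKey: message is not encrypted")
    for alg in key_algs:
        if alg != RSA_OAEP_MGF1P:
            result["problems"].append(f"key transport {alg} is not RSA-OAEP-MGF1P")

    # Content encryption (xenc:EncryptedData, usually in the Body) must be AES-128.
    data_algs = [m.get("Algorithm")
                 for ed in root.iter(f"{{{NS['xenc']}}}EncryptedData")
                 for m in ed.findall("xenc:EncryptionMethod", NS)]
    if not data_algs:
        result["problems"].append("no xenc:EncryptedData: nothing is encrypted")
    for alg in data_algs:
        if alg != AES128_CBC:
            result["problems"].append(f"content encryption {alg} is not AES-128")

    if sec.find("ds:Signature", NS) is None:
        result["problems"].append("no ds:Signature: message is not signed")
    # Both policies above are copied with Include Timestamp disabled.
    if sec.find("wsu:Timestamp", NS) is not None:
        result["problems"].append("wsu:Timestamp present although Include Timestamp is disabled")
    return result


# Constructed samples: a conforming username-token request and a non-conforming one.
_NS_DECL = (' xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:xenc="%s" xmlns:ds="%s"'
            % (NS["soap"], NS["wsse"], NS["wsu"], NS["xenc"], NS["ds"]))
GOOD_REQUEST = f"""<soap:Envelope{_NS_DECL}>
 <soap:Header><wsse:Security>
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}"/></xenc:EncryptedKey>
  <ds:Signature><ds:SignatureValue>c29tZS1zaWduYXR1cmU=</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData><xenc:EncryptionMethod Algorithm="{AES128_CBC}"/>
  <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></soap:Body>
</soap:Envelope>"""
BAD_REQUEST = f"""<soap:Envelope{_NS_DECL}>
 <soap:Header><wsse:Security>
  <wsu:Timestamp><wsu:Created>2009-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/></xenc:EncryptedKey>
 </wsse:Security></soap:Header>
 <soap:Body><xenc:EncryptedData><xenc:EncryptionMethod Algorithm="{AES128_CBC}"/></xenc:EncryptedData></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for name, env in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_envelope(env))
```

The problems list is what to compare against the gateway's policy-step settings when an interop call fails: a mismatched algorithm URI or an unexpected Timestamp points at the side whose configuration drifted from the steps above.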


Username Token with Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-4 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: oracle/wss10_username_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the policy.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Policies to Web Services" in JDeveloper Online Help.

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step to the request pipeline: Sign Message and Encrypt

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Set Encrypted Content to ENVELOPE.

    d. Set Signed Content to ENVELOPE.

    e. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step to the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  7. Select the Include Header checkbox against WS-Security and provide valid credentials.

  8. Invoke the Web service.


Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-5 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    - Decrypt and Verify Signature

    - Extract Credentials (configured as WS-BASIC)

    - File Authenticate

    Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    a. Configure the keystore properties for extracting credentials. The configuration should be in accordance with the keystore used on the server side.

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Set the Credentials location to WS-BASIC.

  5. Configure the File Authenticate policy step in the request pipeline to use valid credentials.

  6. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  7. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_username_token_with_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy to the Web service client.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Oracle WSM Policies to Web Service Clients" in JDeveloper Online Help.

  4. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  5. Invoke the Web service.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-6 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: oracle/wss10_saml_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the policy to the Web service.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Policies to Web Services" in JDeveloper Online Help.

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    - Extract Credentials (configured as WS-BASIC)

    - SAML—Insert WSS 1.0 Sender-Vouches Token

    - Sign Message and Encrypt

  3. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Set the Credentials location to WS-BASIC.

  4. Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:

    a. Set Subject Name Qualifier to www.oracle.com.

    b. Set Assertion Issuer as www.oracle.com.

    c. Set Subject Format as UNSPECIFIED.

    d. Set other signing properties, as required.

  5. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    a. Set the Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Attach the following policy step in the response pipeline: Decrypt and Verify Signature.

  7. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  8. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  9. Select the Include Header checkbox against WS-Security and provide valid credentials.

  10. Invoke the Web service.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-7 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    - XML Decrypt

    - SAML—Verify WSS 1.0 Token

  3. Configure the XML Decrypt policy step in the request pipeline, as follows:

    a. Configure the keystore properties for XML decryption. The configuration should be in accordance with the keystore used on the server side.

  4. Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:

    a. Set the Trusted Issuer Name as www.oracle.com.

  5. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  6. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_saml_token_with_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy to the Web service client.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Oracle WSM Policies to Web Service Clients" in JDeveloper Online Help.

  4. Configure the policy, as described in "oracle/wss10_saml_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  5. Invoke the Web service.


Mutual Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-8 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: oracle/wss10_x509_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the policy.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Policies to Web Services" in JDeveloper Online Help.

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Sign Message and Encrypt.

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Update the following property in the gateway-config-installer.properties file located at ORACLE_HOME/j2ee/oc4j_instance/applications/gateway/gateway/WEB-INF:

    pep.securitysteps.signBinarySecurityToken=true

  7. Restart Oracle WSM Gateway.

  8. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  9. Invoke the Web service.


Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-9 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Decrypt and Verify Signature.

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  5. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_x509_token_with_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Configure the policy, as described in "oracle/wss10_x509_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  5. Invoke the Web service.


Username Token Over SSL

The following sections describe how to implement username token over SSL, describing the following interoperability scenarios:

For more information about:

Username Token Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-10 Username Token Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the following policy: wss_username_token_over_ssl_service_policy.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Policies to Web Services" in JDeveloper Online Help.

Client—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  4. Select the Include Header checkbox against WS-Security and provide valid credentials.

  5. Invoke the Web service.


Username Token Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-11 Username Token Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the following policy steps to the request pipeline:

    - Extract Credentials

    - File Authenticate

    Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Configure the Credentials Location as WS-BASIC.

  5. Configure the File Authenticate policy step in the request pipeline with the appropriate credentials.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

    Ensure that, when you generate the client, you specify HTTP in the URL along with the HTTP port number.

  2. Create a copy of the following policy: oracle/wss_username_token_over_ssl_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy to the Web service client.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Oracle WSM Policies to Web Service Clients" in JDeveloper Online Help.

  4. Configure the policy, as described in "oracle/wss_username_token_over_ssl_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  5. Invoke the Web service.
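
The following Python is an added example, not code from Oracle's documentation or from the Oracle WSM product, showing what the two sides of the username token over SSL scenarios in Tables 2-10 and 2-11 exchange. The client builds a wsse:UsernameToken whose password travels as PasswordText, which is why both policies require SSL on the transport; the service side mirrors the 10g gateway's Extract Credentials step with Credentials Location WS-BASIC and its File Authenticate step. The user name, password and credential store are constructed values, and the functions (including the salted PBKDF2 store standing in for the gateway's password file) are assumptions of this example rather than Oracle WSM internals. The include_timestamp flag models the Include Timestamp setting that Table 2-11 disables on the 11g client copy of the policy.

```python
"""Username token over SSL, client and service side (added example, not Oracle code)."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
TS = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def build_username_token_envelope(username, password, include_timestamp=False):
    """Client side: SOAP envelope with a wsse:UsernameToken in the Security header.
    The password travels as PasswordText, so the transport must be SSL.
    include_timestamp models the client policy's 'Include Timestamp' setting."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    if include_timestamp:
        now = datetime.now(timezone.utc)
        ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
        ET.SubElement(ts, f"{{{WSU}}}Created").text = now.strftime(TS)
        ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + timedelta(minutes=5)).strftime(TS)
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "{urn:example}echo").text = "hello"   # constructed payload
    return ET.tostring(env, encoding="unicode")


def extract_credentials(envelope_xml):
    """Service side, like the 10g 'Extract Credentials' step with
    Credentials Location = WS-BASIC: read the UsernameToken from wsse:Security."""
    root = ET.fromstring(envelope_xml)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("no wsse:UsernameToken in the Security header")
    username = token.findtext(f"{{{WSSE}}}Username")
    pwd_el = token.find(f"{{{WSSE}}}Password")
    if not username or pwd_el is None:
        raise ValueError("UsernameToken lacks Username or Password")
    if pwd_el.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        raise ValueError("only PasswordText is handled by this example")
    return username, pwd_el.text or ""


def has_timestamp(envelope_xml):
    """True if the Security header carries a wsu:Timestamp (what Include Timestamp adds)."""
    root = ET.fromstring(envelope_xml)
    return root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp") is not None


def make_credential_store(users):
    """Constructed stand-in for the File Authenticate store: salted PBKDF2 hashes."""
    store = {}
    for username, password in users.items():
        salt = os.urandom(16)
        store[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    return store


def file_authenticate(username, password, store):
    """Like the 'File Authenticate' step: constant-time compare against the stored hash."""
    entry = store.get(username)
    if entry is None:
        return False
    salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, expected)


def authorize_request(envelope_xml, transport_scheme, store):
    """Full service-side pipeline: SSL transport first, then extract, then authenticate."""
    if transport_scheme.lower() != "https":
        raise PermissionError("PasswordText username token requires an SSL transport")
    username, password = extract_credentials(envelope_xml)
    if not file_authenticate(username, password, store):
        raise PermissionError(f"authentication failed for {username!r}")
    return username


def is_authorized(envelope_xml, transport_scheme, store):
    """Boolean wrapper around authorize_request for callers that only need accept/reject."""
    try:
        authorize_request(envelope_xml, transport_scheme, store)
        return True
    except (ValueError, PermissionError):
        return False


def demo():
    """Returns (user accepted over https, accepted over http, accepted with wrong password)."""
    store = make_credential_store({"wsuser": "constructed-secret"})   # constructed credentials
    good = build_username_token_envelope("wsuser", "constructed-secret")
    bad = build_username_token_envelope("wsuser", "wrong-password")
    return (authorize_request(good, "https", store),
            is_authorized(good, "http", store),
            is_authorized(bad, "https", store))


if __name__ == "__main__":
    print(demo())   # ('wsuser', False, False)
```

demo() builds an envelope, extracts and authenticates it over https, and shows the same envelope refused over plain http and with a wrong password. has_timestamp is the check to run against the message your 11g client copy of the policy actually emits: with Include Timestamp disabled, as Table 2-11 requires, no wsu:Timestamp should appear in the Security header sent to the 10g gateway.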


SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)

The following sections describe how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

For more information about:

SAML Token (Sender Vouches) Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-12 SAML Token (Sender Vouches) Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Create a copy of the following policy: oracle/wss_saml_token_over_ssl_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Attach the policy.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Policies to Web Services" in JDeveloper Online Help.

Client—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the following policy steps to the request pipeline:

    - Extract Credentials

    - SAML—Insert WSS 1.0 Sender-Vouches Token

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Configure the Credentials Location as WS-BASIC.

  5. Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:

    a. Configure the Subject Name Qualifier as www.oracle.com.

    b. Configure the Assertion Issuer as www.oracle.com.

    c. Configure the Subject Format as UNSPECIFIED.

    d. Configure the Sign the assertion as false.

  6. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  7. Select the Include Header checkbox against WS-Security and provide valid credentials.

  8. Invoke the Web service.


SAML Token (Sender Vouches) Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

The steps required for interoperability are summarized in the following table.

Table 2-13 SAML Token (Sender Vouches) Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the following policy step to the request pipeline: SAML—Verify WSS 1.0 Token.

  4. Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:

    a. Under Signature Verification Properties, set Allow signed assertions only to false.

    b. Set the Trusted Issuer Name to www.oracle.com.

Client—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  3. Create a copy of the following policy: oracle/wss_saml_token_over_ssl_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Attach the policy to the Web service client.

    For more information about attaching the policy at deployment time using Fusion Middleware Control, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For more information about attaching the policy at design time using JDeveloper, see "Attaching Oracle WSM Policies to Web Service Clients" in JDeveloper Online Help.

  5. Configure the policy, as described in "oracle/wss_saml_token_over_ssl_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  6. Invoke the Web service.
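
The following Python is an added example, not code from Oracle's documentation or from the Oracle WSM product, illustrating the SAML sender-vouches scenarios in Tables 2-12 and 2-13. insert_sender_vouches_token produces the kind of SAML 1.1 assertion the 10g gateway step SAML—Insert WSS 1.0 Sender-Vouches Token emits with the settings from Table 2-12 (Issuer and Subject Name Qualifier www.oracle.com, Subject Format UNSPECIFIED, Sign the assertion set to false, so no ds:Signature child is present). verify_sender_vouches_token applies the checks behind the Table 2-13 SAML—Verify WSS 1.0 Token step (Trusted Issuer Name, Allow signed assertions only) plus the condition that makes accepting an unsigned assertion reasonable: with sender-vouches nothing inside the token proves the subject, so the sender must have been authenticated by the two-way SSL transport that both tables require. The subject name, clock value, assertion ID and the peer_authenticated flag are constructed or assumed for this example; the function names and the authentication method URI are not Oracle WSM identifiers.

```python
"""SAML 1.1 sender-vouches token over two-way SSL (added example, not Oracle code)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"      # namespace used by SAML 1.1 assertions
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TS = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("saml", SAML)):
    ET.register_namespace(prefix, uri)


def insert_sender_vouches_token(subject, issuer="www.oracle.com",
                                name_qualifier="www.oracle.com", now=None):
    """Gateway/client side: unsigned SAML 1.1 sender-vouches assertion in wsse:Security,
    with the Table 2-12 settings as defaults. 'Sign the assertion' = false means no
    ds:Signature is added; the assertion is only as trustworthy as the SSL-authenticated sender."""
    now = now or datetime.now(timezone.utc)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    assertion = ET.SubElement(sec, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + uuid.uuid4().hex,        # constructed identifier
        "Issuer": issuer, "IssueInstant": now.strftime(TS)})
    ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(TS),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(TS)})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": now.strftime(TS)})
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", {
        "NameQualifier": name_qualifier, "Format": FORMAT_UNSPECIFIED}).text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}ConfirmationMethod").text = SENDER_VOUCHES
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "{urn:example}echo").text = "hello"
    return ET.tostring(env, encoding="unicode")


def verify_sender_vouches_token(envelope_xml, trusted_issuer="www.oracle.com",
                                allow_signed_only=False, peer_authenticated=False, now=None):
    """Service side: the Table 2-13 verify settings plus the transport precondition.
    Returns the subject name or raises. peer_authenticated is what the two-way SSL
    layer reports about the sender (assumed input for this example)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(envelope_xml)
    assertion = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no saml:Assertion in the Security header")
    if assertion.get("MajorVersion") != "1" or assertion.get("MinorVersion") != "1":
        raise ValueError("not a SAML 1.1 assertion")
    if assertion.get("Issuer") != trusted_issuer:          # Trusted Issuer Name
        raise PermissionError(f"untrusted issuer {assertion.get('Issuer')!r}")
    signed = assertion.find(f"{{{DSIG}}}Signature") is not None
    if allow_signed_only and not signed:                   # Allow signed assertions only
        raise PermissionError("unsigned assertion rejected by policy")
    if not signed and not peer_authenticated:
        raise PermissionError("unsigned sender-vouches assertion needs an SSL-authenticated sender")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
        if not (not_before <= now < not_after):
            raise PermissionError("assertion is outside its validity window")
    method = assertion.findtext(f".//{{{SAML}}}SubjectConfirmation/{{{SAML}}}ConfirmationMethod")
    if method != SENDER_VOUCHES:
        raise PermissionError(f"unexpected confirmation method {method!r}")
    name = assertion.find(f".//{{{SAML}}}NameIdentifier")
    if name is None or not name.text:
        raise ValueError("assertion has no subject NameIdentifier")
    return name.text


def is_accepted(envelope_xml, **kwargs):
    """Boolean wrapper around verify_sender_vouches_token."""
    try:
        verify_sender_vouches_token(envelope_xml, **kwargs)
        return True
    except (ValueError, PermissionError):
        return False


def demo():
    """Returns (subject with SSL-authenticated sender, accepted without one, accepted after expiry)."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
    env = insert_sender_vouches_token("wsuser", now=issued)
    return (verify_sender_vouches_token(env, peer_authenticated=True, now=issued),
            is_accepted(env, now=issued),
            is_accepted(env, peer_authenticated=True, now=issued + timedelta(minutes=10)))


if __name__ == "__main__":
    print(demo())   # ('wsuser', False, False)
```

The design point to take from demo() is the middle value: the same unsigned assertion that is accepted from an SSL-authenticated sender is refused when the transport has not authenticated the peer. Setting Allow signed assertions only to false, as Table 2-13 does, is safe only because step 1 on both sides configures two-way SSL; a one-way SSL listener in front of the same verify step would accept any caller's assertion for any subject.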