Oracle® Fusion Middleware Security and Administrator's Guide for Web Services
11g Release 1 (11.1.1.7)

Part Number B32511-09

What's New

11g Release 1 includes a complete redesign of Oracle Web Services Manager 10g and Web services security management. For more details about what has changed in Release 11g, see Chapter 4, "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware."

The following topics provide a summary of the features and enhancements in each of the 11g Release 1 releases:

11g Release 1 (11.1.1.7)

11g Release 1 (11.1.1.7) includes the following new features and enhancements:

New Features

The following new features and enhancements have been added to the current release of Oracle Web Services Manager:

Support for JSON Web Tokens (JWT) for Identity Propagation

Oracle WSM now includes support for JSON Web Token (JWT) as a means of representing claims to be transferred between two parties. JWT is a compact token format intended for space-constrained environments such as HTTP Authorization headers.

Note:

Support for JWT tokens in this release is provided in a patch available for download. For information about this patch, see "Support for JSON Web Tokens Available for This Release" in the Oracle Fusion Middleware Infrastructure Release Notes.

References to the JWT token have been added throughout the document. Additional information is provided in the following sections:

The following new policies were added to support JWT:

The following existing policies were updated to add JWT as a supported token type:

The following new assertion templates were added to support JWT:

The following WLST commands were updated to include support for JWT tokens:

Details for using these commands are provided in "Defining Trusted Issuers and Managing DN Lists Using WLST".

New Section for Troubleshooting WS-Trust Configurations

A new section has been added to assist in troubleshooting WS-Trust configurations. For more information, see "Diagnosing Common Oracle WSM Exceptions for WS-Trust Use Cases".

Check the Status of Oracle WSM Components

Oracle WSM has added the checkWSMStatus WLST command which allows you to check the configuration of your domain. The checkWSMStatus command returns the status of the policy manager (wsm-pm), the agent (agent), and the credential store and keystore configuration (credstore). The status of the components can be checked together or individually.

For more information, see "Diagnosing Problems With a Domain Configuration using WLST".

Token Attribute Rules

There are increasing requirements to control which users and user attributes are accepted and processed for a particular trusted user. Oracle WSM allows you to define token attribute rules to apply additional security constraints for the trusted STS (Secure Token Service) server and for the trusted SAML client. Token attribute rules can be applied through the Fusion Middleware Control or by using WLST commands.

For more information, see "Configuring Token Attribute Rules for Trusted Issuers".
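The following is an added, self-contained illustration of the JWT identity-propagation and token attribute rule concepts described in the two sections above. It is example code written for this page, not Oracle WSM's own implementation, WLST command, or API. It assumes HS256 tokens with one shared secret per trusted issuer (the secret value and the issuer URL are constructed for the example), and it assumes a simplified attribute-rule format, a map from claim name to a regular expression the claim must match in full; the real product's rule syntax is documented in the section referenced above.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed sample data for this example only (not from any real deployment).
TRUSTED_ISSUERS = {"https://sts.example.test": b"constructed-shared-secret"}
# Hypothetical attribute-rule format: claim name -> regex the claim must fully match.
ATTRIBUTE_RULES = {"sub": r"ws_[a-z]+"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature) as test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def extract_bearer(authorization: str):
    """Pull the compact token out of an HTTP Authorization header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_jwt(token, trusted_issuers, attribute_rules, now=None):
    """Return (accepted, reason, claims); claims is None on rejection."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token", None
    # Accept only the algorithm this verifier implements; never honour "none".
    if header.get("alg") != "HS256":
        return False, "unsupported alg", None
    # The issuer claim selects the key: an issuer not on the trusted list is
    # rejected before any signature check, like a trusted-issuer list.
    secret = trusted_issuers.get(claims.get("iss"))
    if secret is None:
        return False, "untrusted issuer", None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp", None
    # Token attribute rules: every constrained claim must be present and match.
    for claim, pattern in attribute_rules.items():
        value = claims.get(claim)
        if value is None or not re.fullmatch(pattern, str(value)):
            return False, f"attribute rule failed for {claim}", None
    return True, "ok", claims


if __name__ == "__main__":
    secret = TRUSTED_ISSUERS["https://sts.example.test"]
    header_value = "Bearer " + make_jwt(
        {"iss": "https://sts.example.test", "sub": "ws_alice", "exp": 2000}, secret)
    print(verify_jwt(extract_bearer(header_value), TRUSTED_ISSUERS,
                     ATTRIBUTE_RULES, now=1000))
```

The order of checks is the point worth noting: the issuer is matched against the trusted list before the signature is verified, so an unknown issuer can never be accepted even if it produces a well-formed signature, and the attribute rules run last, only on claims whose integrity has already been established.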

WLST Commands for Managing Distinguished Name (DN) Lists

Oracle WSM adds the ability to manage DN lists with WLST commands. There are new WLST commands to configure an issuer and its DN list, display the issuers and DN lists, and delete an issuer and its DN list. These commands include deleteWSMTokenIssuerTrust, deleteWSMTokenIssuerTrustAttributeRule, and setWSMTokenIssuerTrust.

For more information, see "Defining Trusted Issuers and Managing DN Lists Using WLST".

Policy Accessor Properties for Tuning the Repository Connection

New properties have been added to the Policy Accessor to enable you to configure the connection between the Agent and the Policy Manager. Among other things, these properties let you configure how often the runtime attempts to reconnect to the Policy Manager; the number of times the Agent will attempt to communicate with the Policy Manager (which in turn accesses the Repository) and the time interval between retries; and how often the Agent attempts to contact the Policy Manager to refresh documents it has already cached.

For more information, see "Tuning WSM Repository Connections".

ID Context Propagation

Identity Context allows applications in a system to have visibility into a shared identity context to manage identity-related risks in their security policies. Oracle WSM propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes.

For more information, see "Propagating Identity Context with Oracle WSM".

Automatic Oracle WSM Repository Upgrade After Patch Set Installation

After you install a Fusion Middleware patch set, the repository is automatically upgraded, as part of the server startup process, with the latest predefined policies and assertion templates. You no longer need to execute the upgradeWSMPolicyRepository command.

For more information, see "Upgrading the Oracle WSM Policies in the Repository".

WLST Commands to Attach Policies to Java EE Web Services

In Oracle WSM you can now perform policy attachment and detachment operations on Java EE Web services and clients using WLST commands. See the following sections:

Keystore Service (KSS) Enhancements

As described in "Managing Keys and Certificates with the Keystore Service" in Oracle Fusion Middleware Application Security Guide, the Oracle Platform Security Services (OPSS) Keystore Service provides an alternate mechanism to manage keys and certificates for message security.

For more information on how to configure the OPSS Keystore Service for message protection, see Chapter 10, "Setting Up Your Environment for Policies" of Security and Administrator's Guide for Web Services.

Servlet Application Security

To secure servlet applications, such as ADF business components exposed as RESTful servlets, you can attach a subset of Oracle WSM predefined security policies.

For more information, see "Attaching Policies to Servlet Applications".

Interoperability of Oracle WSM with .NET and ADFS 2.0 STS

The "Interoperability with Microsoft WCF/.NET 3.5 Security Environments" chapter of Interoperability Guide for Oracle Web Services Manager now provides instructions for securing a WCF/.NET 3.5 client with Microsoft Active Directory Federation Services (ADFS) 2.0.

Ability to Sign and Encrypt SOAP Parts and Elements in Fault Messages

Oracle WSM now supports signing and encrypting body parts and header elements in fault messages for message protection policies. By default, fault protection is disabled. You can configure this setting in the Message Security section of the message protection policies. For more information, see "Message Signing and Encryption Settings for Request, Response, and Fault Messages".

New WLST Commands

The current release adds these Web Services WLST commands. For more information on these commands, see "Web Services Custom WLST Commands" in WebLogic Scripting Tool Command Reference.

The following commands are associated with managing DN lists. For more information, see "Defining Trusted Issuers and Managing DN Lists Using WLST".

The following command checks the status of Oracle WSM Components. For more information, see "Diagnosing Problems With a Domain Configuration using WLST".

New Predefined Policies

The current release includes the following new predefined policies. For more information, see Appendix B, "Predefined Policies."

To support servlet application security, the following predefined policies are provided:

To support SAML token bearer authentication, the following predefined policies are provided:

New Predefined Assertion Templates

The current release includes the following new predefined assertion templates. For more information, see Appendix C, "Predefined Assertion Templates."

To support servlet application security, the following predefined assertion templates are provided:

To support SAML token bearer authentication, the following predefined assertion templates are provided:

11g Release 1 (11.1.1.6)

11g Release 1 (11.1.1.6) includes the following new features and enhancements:

Global Policy Attachment Enhancements

The global policy attachment feature has been enhanced as follows:

Run-Time Constraints

Oracle WSM provides the ability to specify a run-time constraint that determines the context in which the policy set is relevant, for example, external clients outside a firewall versus internal clients. For more information, see "Specifying Run-time Constraints in Policy Sets".

Oracle SPARC Server T-Series Cryptographic Acceleration Support

Ability to configure Oracle WSM to take advantage of Oracle SPARC Server Cryptographic Acceleration. For more information, see "Configuring Oracle WSM for Oracle SPARC T4 Cryptographic Acceleration".

Enhanced Support for WebLogic Java EE Clients in Fusion Middleware Control

Ability to use Fusion Middleware Control to view and monitor Java EE clients and attach Oracle WSM policies.

Test Web Service Enhancements

Enhanced ability to test Web service security using Oracle WSM policies. For more information, see Chapter 12, "Testing Web Services."

Derived Keys and Encrypt Signature Controls Enabled in Fusion Middleware Control

Oracle WSM supports the Derived Key setting in wss11 message protection policies and the Encrypt Signature setting in wss10 and wss11 message protection policies. You can now enable these features using Fusion Middleware Control in the Message Security settings in message protection policies. For more information about these settings, refer to the message protection assertion templates described in Appendix C, "Predefined Assertion Templates."

No Server Restart Required for JKS Keystore Changes

You no longer need to restart the server when you make changes to the JKS keystore. For more information about the JKS keystore, see "Generating Private Keys and Creating the Java Keystore".

Support for Anonymous User with SAML Policies

Oracle WSM supports propagating the anonymous user with SAML policies. For more information, see "Using Anonymous Users with SAML Policies".

Database Support

Oracle WSM is certified with MySQL and Oracle Edition Based Redefinitions (EBR).

Versioned Web Services

Oracle WSM supports multiple versions (namespaces) of a Web service. Service names in WLST input and output, and Fusion Middleware Control, now require the use of the namespace with the service name, for example {http://mynamespace/}myService. For more information, see the following topics:

SAML Issuer Changes

You no longer need to define SAML issuers in the SAML login module. In this release, if you define a SAML issuer using the Platform Policy Configuration page, any issuers added in the SAML login module are ignored. Also, when SAML issuers are added using the platform policy configuration, you do not need to restart the server. For more information, see "Defining Trusted Issuers and a Trusted DN List for Signing Certificates".

Additional OR Groups Added to wss11_saml_or_username_token_with_message_protection_service_policy

The oracle/wss11_saml_or_username_token_with_message_protection_service_policy now includes five assertions:

For more information, see "Configuring a Policy With an OR Group".

11g Release 1 (11.1.1.5)

11g Release 1 (11.1.1.5) includes the following updates and enhancements:

11g Release 1 (11.1.1.4)

11g Release 1 (11.1.1.4) includes the following new features:

Global Policy Attachments

Oracle Infrastructure Web services provide the ability to create and attach policy sets to subjects on a global scope:

Oracle Web Services Manager and Oracle Infrastructure Web Services supported on IBM WebSphere

Differences in behavior, and any limitations, are described in "Managing Web Services on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.

SAML 2.0 Support

There is new configuration control for overriding policy attachments and new predefined SAML 2.0 policies.

Client-side WS-Trust Support

Support for WS-Trust 1.3 policies has been added. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens. See "WS-Trust Policies and Configuration Steps".

Hardware Token Support

Oracle WSM provides the ability to use the LunaSA Hardware Security Manager (HSM) for key storage. See "Using Hardware Security Modules With Oracle WSM".

Oracle WebLogic Web Services Monitoring Enhancements

The Web Service Endpoint page in Oracle Enterprise Manager Fusion Middleware Control provides the ability to monitor policy violations for WebLogic JAX-WS Web services. In addition, the tab that displays Oracle WSM policy information has been renamed to OWSM Policies. For WebLogic JAX-RPC Web services, the endpoint tab is labeled WebLogic Policy Violations.

For more information on monitoring Web services, see "Monitoring the Performance of Web Services".

Usage Analysis Enhancements

The Usage Analysis page in Oracle Enterprise Manager Fusion Middleware Control provides:

For more information on policy usage analysis, see "Analyzing Policy Usage".

Test Web Service Enhancements

The Request/Response tabs on Test Web Services page in Oracle Enterprise Manager Fusion Middleware Control have enhanced usability, as follows:

For more information on testing Web services, see "Testing Web Services".

Install Oracle WSM on a Standalone WebLogic Server

If you have a standalone WebLogic Server environment with JAX-WS Web services and clients deployed, you can install Oracle WSM and use it to secure your Web services and clients. For more information, see "Installing Oracle WSM on WebLogic Server".

Enhanced Specification Support for WS-Policy 1.5 and WS-SecurityPolicy 1.2, 1.3

Supported versions, with links to the specifications, are provided in "Supported Standards" in Developer's Guide for Oracle Infrastructure Web Services.

For information about valid version combinations, see "Policy Advertisement".

New Extensibility Guide for Creating Custom Assertions

All information related to developing custom assertions has been moved from this guide and into the new Extensibility Guide for Oracle Web Services Manager.

11g Release 1 (11.1.1.3)

11g Release 1 (11.1.1.3) includes the following new features:

11g Release 1 (11.1.1.2)

11g Release 1 (11.1.1.2) includes the following new features:

11g Release 1 (11.1.1)

11g Release 1 includes the following new features: