11g Release 1 includes a complete redesign of Oracle Web Services Manager 10g and Web services security management. For more details about what has changed in Release 11g, see Chapter 4, "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware."
The following topics provide a summary of the features and enhancements in each of the 11g Release 1 releases:
11g Release 1 (11.1.1.7) includes the following new features and enhancements for Oracle Web Services Manager:
Policy Accessor Properties for Tuning the Repository Connection
Automatic Oracle WSM Repository Upgrade After Patch Set Installation
Ability to Sign and Encrypt SOAP Parts and Elements in Fault Messages
Oracle WSM now includes support for JSON Web Token (JWT) as a means of representing claims to be transferred between two parties. JWT is a compact token format intended for space-constrained environments such as HTTP Authorization headers.
Note:
Support for JWT tokens in this release is provided in a patch available for download. For information about this patch, see "Support for JSON Web Tokens Available for This Release" in the Oracle Fusion Middleware Infrastructure Release Notes. References to the JWT token have been added throughout the document. Additional information is provided in the following sections:
"Defining Trusted Issuers and a Trusted DN List for Signing Certificates", specifically "Defining Trusted Issuers and Managing DN Lists Using WLST"
The following new policies were added to support JWT:
"oracle/http_jwt_token_client_policy"—includes a JWT token in the HTTP header.
"oracle/http_jwt_token_service_policy"—authenticates users using the username provided in the JWT token in the HTTP header.
"oracle/http_jwt_token_over_ssl_client_policy"—includes a JWT token in the HTTP header and verifies that the transport protocol is HTTPS.
"oracle/http_jwt_token_over_ssl_service_policy"—authenticates users using the username provided in the JWT token in the HTTP header and verifies that the transport protocol is HTTPS.
The following existing policies were updated to add JWT as a supported token type:
"oracle/multi_token_rest_service_policy"—includes the JWT assertion.
"oracle/multi_token_over_ssl_rest_service_policy"—includes the JWT assertion.
"oracle/wss11_saml_or_username_token_with_message_protection_service_policy"—includes the JWT over SSL assertion.
The following new assertion templates were added to support JWT:
"oracle/http_jwt_token_client_template"—includes a JWT token in the HTTP header.
"oracle/http_jwt_token_service_template"—authenticates users using the username provided in the JWT token in the HTTP header.
"oracle/http_jwt_token_over_ssl_client_template"—includes a JWT token in the HTTP header and verifies that the transport protocol is HTTPS.
"oracle/http_jwt_token_over_ssl_service_template"—authenticates users using the username provided in the JWT token in the HTTP header and verifies that the transport protocol is HTTPS.
The following WLST commands were updated to include support for JWT tokens:
displayWSMTokenIssuerTrust
setWSMTokenIssuerTrust
deleteWSMTokenIssuerTrust
Details for using these commands are provided in "Defining Trusted Issuers and Managing DN Lists Using WLST".
Oracle WSM allows web service clients to interact with the Mobile and Social OAuth 2.0 server implementation for both SOAP and REST web services, for "2-legged" authorization.
For more information, see "Using OAuth2 with Oracle WSM".
Oracle WSM policies can now be attached globally to RESTful Web service clients using WLST.
For more information, see "Attaching Policies to RESTful Web Service Clients Using WLST".
A new section has been added to assist in troubleshooting WS-Trust configurations. For more information, see "Diagnosing Common Oracle WSM Exceptions for WS-Trust Use Cases".
Oracle WSM has added the checkWSMStatus WLST command, which allows you to check the configuration of your domain. The checkWSMStatus command returns the status of the policy manager (wsm-pm), the agent (agent), and the credential store and keystore configuration (credstore). The status of the components can be checked together or individually.
For more information, see "Diagnosing Problems With a Domain Configuration using WLST".
There are increasing requirements to control which users and user attributes are accepted and processed for a particular trusted user. Oracle WSM allows you to define token attribute rules to apply additional security constraints for the trusted STS (Secure Token Service) server and for the trusted SAML client. Token attribute rules can be applied through the Fusion Middleware Control or by using WLST commands.
For more information, see "Configuring Token Attribute Rules for Trusted Issuers" and "Using a Token Attribute Rule for Client Identity Mapping".
Oracle WSM adds the ability to manage DN lists with WLST commands. There are new WLST commands to configure an issuer and its DN list, display the issuers and DN lists, and delete an issuer and its DN list. These commands include deleteWSMTokenIssuerTrust, deleteWSMTokenIssuerTrustAttributeRule, displayWSMTokenIssuerTrust, setWSMTokenIssuerTrust, and setWSMTokenIssuerTrustAttributeFilter.
For more information, see "Defining Trusted Issuers and Managing DN Lists Using WLST".
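As an added, stand-alone illustration (not Oracle code and not the Oracle WSM implementation), the following Python shows the checks a JWT-in-HTTP-header service policy such as those listed above has to make before it can authenticate the user named in the token: pin the algorithm, select the verification key from a trusted-issuer table, verify the signature, check expiry, and apply a token attribute rule that restricts which users a given issuer may assert (the role the trusted issuer list, DN lists and token attribute rules above play). HS256 with a constructed shared secret stands in for the signing certificate and DN list so the example runs offline; the issuer URL, key, usernames and every helper name are assumptions, not Oracle WSM artifacts.

```python
import base64
import hashlib
import hmac
import json
import time

# --- Constructed configuration (hypothetical; not an Oracle WSM artifact) ---
# A trusted issuer entry carries the key that verifies its signatures and a
# token attribute rule: the set of users (JWT "sub" values) this issuer may
# assert. "*" admits any user. Oracle WSM keys trust on a DN list of signing
# certificates; the shared HS256 secret here stands in for that key material.
STS_KEY = b"constructed-shared-secret-for-the-example-only"
TRUSTED_ISSUERS = {
    "https://sts.example.com": {"key": STS_KEY, "allowed_users": {"alice", "bob"}},
}
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Client side: build a compact JWS (header.payload.signature).
    alg="none" is supported only to show that the service must reject it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def authorization_header(token: str) -> str:
    """The header line a JWT client policy would add to the outbound request."""
    return f"Authorization: Bearer {token}"


class TokenRejected(Exception):
    pass


def authenticate_jwt_header(header_line: str, trusted_issuers=TRUSTED_ISSUERS, now=None) -> str:
    """Service side: return the username asserted by a valid JWT, else raise."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        raise TokenRejected("no Authorization header")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise TokenRejected("not a bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed compact serialization")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise TokenRejected("undecodable token")
    # Pin the algorithm: an attacker-controlled "alg" (e.g. "none") must never
    # select the verification method.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unsupported or missing alg")
    if not isinstance(claims, dict):
        raise TokenRejected("claims are not a JSON object")
    # "iss" is read from the still-unverified payload only to pick the key;
    # nothing in the claims is trusted until the signature checks out.
    issuer_cfg = trusted_issuers.get(claims.get("iss"))
    if issuer_cfg is None:
        raise TokenRejected("issuer is not a trusted issuer")
    expected = hmac.new(issuer_cfg["key"], f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("signature verification failed")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("token expired or has no exp")
    user = claims.get("sub")
    if not isinstance(user, str) or not user:
        raise TokenRejected("no subject to use as the username")
    # Token attribute rule: even a correctly signed token from a trusted
    # issuer is refused if the issuer is not permitted to assert this user.
    allowed = issuer_cfg["allowed_users"]
    if "*" not in allowed and user not in allowed:
        raise TokenRejected(f"attribute rule: issuer may not assert user {user!r}")
    return user


def check(header_line: str, now=NOW) -> tuple:
    """Wrap the outcome as ("accepted", user) or ("rejected", reason)."""
    try:
        return ("accepted", authenticate_jwt_header(header_line, now=now))
    except TokenRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    good = mint_jwt({"iss": "https://sts.example.com", "sub": "alice", "exp": NOW + 300}, STS_KEY)
    print(check(authorization_header(good)))
```

The order of the checks matters: the issuer claim is used only to choose which key to verify with, and no claim (including the username) is acted on before the signature has been verified and the expiry checked. The attribute rule is applied last, so a token that is cryptographically valid but asserts a user the issuer is not trusted for is still refused.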
New properties have been added to the Policy Accessor to enable you to configure the connection between the Agent and the Policy Manager. Some of the things the properties allow you to configure include how often the runtime attempts to reconnect to the Policy Manager, the number of times the Agent will attempt to communicate with the Policy Manager (which in turn accesses the Repository) and the time interval between retries, and how often the Agent attempts to contact the Policy Manager to refresh documents it has already cached.
For more information, see "Tuning WSM Repository Connections".
Identity Context allows applications in a system to have visibility into a shared identity context to manage identity-related risks in their security policies. Oracle WSM propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes.
For more information, see "Propagating Identity Context with Oracle WSM".
After you install a Fusion Middleware patch set, the repository is automatically upgraded, as part of the server startup process, with the latest predefined policies and assertion templates. You no longer need to execute the upgradeWSMPolicyRepository command.
For more information, see "Upgrading the Oracle WSM Policies in the Repository".
In Oracle WSM you can now perform policy attachment and detachment operations on Java EE Web services and clients using WLST commands. See the following sections:
"Attaching a Policy to a Web Service Using WLST" for information on the attachWebServicePolicy, attachWebServicePolicies, detachWebServicePolicy, and detachWebServicePolicies commands.
"Attaching Policies to Web Service Clients Using WLST" for information on the attachWebServiceClientPolicy, attachWebServiceClientPolicies, detachWebServiceClientPolicy, and detachWebServiceClientPolicies commands.
As described in "Managing Keys and Certificates with the Keystore Service" in Oracle Fusion Middleware Application Security Guide, the Oracle Platform Security Services (OPSS) Keystore Service provides an alternate mechanism to manage keys and certificates for message security.
For more information on how to configure the OPSS Keystore Service for message protection, see Chapter 10, "Setting Up Your Environment for Policies" of Security and Administrator's Guide for Web Services.
To secure servlet applications, such as ADF business components exposed as RESTful servlets, you can attach a subset of Oracle WSM predefined security policies.
For more information, see "Attaching Policies to Servlet Applications".
The "Interoperability with Microsoft WCF/.NET 3.5 Security Environments" chapter of Interoperability Guide for Oracle Web Services Manager now provides instructions for securing WCF/.NET 3.5 Client with Microsoft Active Directory Federation Services (ADFS) 2.0.
Oracle WSM now supports signing and encrypting body parts and header elements in fault messages for message protection policies. By default fault protection is disabled. You can configure this setting in the Message Security section of the message protection policies. For more information, see "Message Signing and Encryption Settings for Request, Response, and Fault Messages".
The current release adds these Web Services WLST commands. For more information on these commands, see "Web Services Custom WLST Commands" in WebLogic Scripting Tool Command Reference.
The following commands are associated with managing DN lists. For more information, see "Defining Trusted Issuers and Managing DN Lists Using WLST".
deleteWSMTokenIssuerTrust—deletes the trusted issuer, including the DN list in it. See "Deleting an Issuer and its DN List using WLST".
deleteWSMTokenIssuerTrustAttributeRule—deletes a token attribute rule associated with a DN list. See "Deleting a Token Attribute Rule Using WLST".
displayWSMTokenIssuerTrust—displays the names of the DN lists associated with a specified issuer. See "Displaying Issuers and DN Lists using WLST".
setWSMTokenIssuerTrust—specifies a trusted SAML issuer with a DN list. See "Configuring an Issuer and its DN List Using WLST".
setWSMTokenIssuerTrustAttributeFilter—specifies the DN of a token signing certificate and a list of trusted users. See "Configuring Token Attribute Rules for Trusted Issuers Using Fusion Middleware Control".
The following command checks the status of Oracle WSM Components. For more information, see "Diagnosing Problems With a Domain Configuration using WLST".
checkWSMStatus—checks the status of the WSM components which are required for proper functioning of the product. See "Diagnosing Problems With a Domain Configuration using WLST".
The current release includes the following new predefined policies. For more information, see Appendix B, "Predefined Policies."
To support servlet application security, the following predefined policies are provided:
oracle/http_oam_token_service_policy—verifies that the OAM agent has authenticated the user and has established an identity.
oracle/http_basic_auth_over_ssl_client_policy—includes credentials in the HTTP header for outbound client requests.
oracle/http_basic_auth_over_ssl_service_policy—uses the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.
oracle/http_saml20_token_bearer_client_policy—includes SAML 2.0 tokens in the HTTP header.
oracle/http_saml20_token_bearer_service_policy—includes a SAML 2.0 token with confirmation method Bearer in the HTTP header.
oracle/http_saml20_token_bearer_over_ssl_client_policy—includes SAML 2.0 tokens in the HTTP header.
oracle/http_saml20_token_bearer_over_ssl_service_policy—includes a SAML 2.0 token with confirmation method Bearer in the HTTP header.
oracle/multi_token_rest_service_policy—enforces an authentication policy based on the token sent by the client.
oracle/multi_token_over_ssl_rest_service_policy—enforces an authentication policy based on the token sent by the client.
To support SAML token bearer authentication, the following predefined policies are provided:
oracle/wss_saml_token_bearer_client_policy—includes SAML tokens in outbound SOAP request messages.
oracle/wss_saml_bearer_or_username_token_service_policy—enforces one of two authentication policies, based on whether the client uses a SAML or username token.
The current release includes the following new predefined assertion templates. For more information, see Appendix C, "Predefined Assertion Templates."
To support servlet application security, the following predefined assertion templates are provided:
oracle/http_oam_token_service_template—verifies that the OAM agent has authenticated the user and has established an identity.
oracle/http_saml20_token_bearer_client_template—includes SAML 2.0 tokens in the HTTP header of outbound requests.
oracle/http_saml20_token_bearer_service_template—authenticates users using credentials provided in SAML 2.0 tokens with confirmation method 'Bearer' in the HTTP header.
oracle/http_spnego_token_client_template—provides authentication using a Kerberos token and the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) protocol.
oracle/http_spnego_token_service_template—provides authentication using a Kerberos token and the SPNEGO protocol.
To support SAML token bearer authentication, the following predefined assertion templates are provided:
oracle/wss_saml_token_bearer_client_template—includes SAML tokens in outbound SOAP request messages.
oracle/wss_saml_token_bearer_service_template—authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
11g Release 1 (11.1.1.6) includes the following new features and enhancements:
Global Policy Attachment Enhancements
The global policy attachment feature has been enhanced as follows:
Support for attaching policies globally at the partition, service or reference, and port and component levels for clients and services. For more information, see "Subject Types and Scope of Resources".
Support for a new WLST command (deleteAllPolicySets) that allows a user to delete all policy set documents in the repository. For more information, see "Deleting Policy Sets".
Support for configuration overrides for global policy attachments. For more information, see "Overriding Configuration Properties for Globally Attached Policies".
Ability to specify the priority of a policy attachment which allows an administrator to indicate a preference over which policy attachment is used. For more information, see "Specifying the Priority of a Policy Attachment".
Improved visibility into the endpoint configuration using Fusion Middleware Control, including the ability to see the secure status of the endpoints, any configuration overrides, and if the endpoints have a valid configuration. For more information, see "Determining the Secure Status of an Endpoint".
Oracle WSM provides the ability to specify a run-time constraint that determines the context in which the policy set is relevant, for example external clients outside a firewall versus internal clients. For more information, see "Specifying Run-time Constraints in Policy Sets".
Oracle SPARC Server T-Series Cryptographic Acceleration Support
Ability to configure Oracle WSM to take advantage of Oracle SPARC Server Cryptographic Acceleration. For more information, see "Configuring Oracle WSM for Oracle SPARC T4 Cryptographic Acceleration".
Enhanced Support for WebLogic Java EE Clients in Fusion Middleware Control
Ability to use Fusion Middleware Control to view and monitor Java EE clients and attach Oracle WSM policies.
A new tab, Java EE Web Service Clients, has been added to the Web Services (Java EE) Home page for viewing information about Java EE clients. For more information, see "Viewing Java EE Web Service Clients".
Ability to attach Oracle WSM policies to Java EE clients. For more information, see "Attaching Policies to Java EE Web Service Clients".
Ability to view Web Service statistics for the run-time client instances in a Java EE application. For more information, see "Viewing Web Service Statistics for Java EE Web Service Clients".
Enhanced ability to test Web service security using Oracle WSM policies. For more information, see Chapter 12, "Testing Web Services."
Derived Keys and Encrypt Signature Controls Enabled in Fusion Middleware Control
Oracle WSM supports the Derived Key setting in wss11 message protection policies and the Encrypt Signature setting in wss10 and wss11 message protection policies. You can now enable these features using Fusion Middleware Control in the Message Security settings in message protection policies. For more information about these settings, refer to the message protection assertion templates described in Appendix C, "Predefined Assertion Templates."
No Server Restart Required for JKS Keystore Changes
You no longer need to restart the server when you make changes to the JKS keystore. For more information about the JKS keystore, see "Generating Private Keys and Creating the Java Keystore".
Support for Anonymous User with SAML Policies
Oracle WSM supports propagating the anonymous user with SAML policies. For more information, see "Using Anonymous Users with SAML Policies".
Oracle WSM is certified with MySQL and with Oracle Edition-Based Redefinition (EBR).
Oracle WSM supports multiple versions (namespaces) of a Web service. Service names in WLST input and output, and in Fusion Middleware Control, now require the use of the namespace with the service name, for example {http://mynamespace/}myService. For more information, see the following topics:
"Specifying a Service Name" in "Web Services Custom WLST Commands" in WebLogic Scripting Tool Command Reference
listWebServices in "Web Services Custom WLST Commands" in WebLogic Scripting Tool Command Reference
You no longer need to define SAML issuers in the SAML login module. In this release, if you define a SAML issuer using the Platform Policy Configuration page, any issuers added in the SAML login module are ignored. Also, when SAML issuers are added using the platform policy configuration, you do not need to restart the server. For more information, see "Defining Trusted Issuers and a Trusted DN List for Signing Certificates".
Additional OR Groups Added to wss11_saml_or_username_token_with_message_protection_service_policy
The oracle/wss11_saml_or_username_token_with_message_protection_service_policy now includes five assertions:
wss11_saml_token_with_message_protection
wss11_username_token_with_message_protection
wss_saml_token_bearer_over_ssl
wss_username_token_over_ssl
wss_http_token_over_ssl
For more information, see "Configuring a Policy With an OR Group".
11g Release 1 (11.1.1.5) includes the following updates and enhancements:
Added two new attributes to the asynchronous Web service queue annotations, @AsyncWebServiceQueue and @AsyncWebServiceResponseQueue. These new attributes, listed below, enable you to configure the initial and maximum sizes of the message-driven bean (MDB) pool, respectively:
messageProcessorInitialPoolSize
messageProcessorMaxPoolSize
For more information, refer to "Annotation Reference" in Developer's Guide for Oracle Infrastructure Web Services.
Enhanced diagnostic and troubleshooting documentation to include additional information about diagnosing common problems with Oracle WSM and policy attachment issues using WLST. For more information, see "Diagnosing Problems".
Enhanced message protection keystore configuration documentation.
Reorganized documentation describing configuration overrides.
Added documentation that describes how to modify a default users group or role to ensure they have the proper permissions to access the Policy Manager. For more information, see "Modify the User's Group or Role".
11g Release 1 (11.1.1.4) includes the following new features:
Oracle Infrastructure Web services provide the ability to create and attach policy sets to subjects on a global scope:
For conceptual information about policy sets, see "Attaching Policies Globally Using Policy Sets".
For information on configuring and managing policy sets using Oracle Enterprise Manager Fusion Middleware Control, see "Creating and Managing Policy Sets".
For information on configuring and managing policy sets using WLST, see "Web Services Custom WLST Commands" in the WebLogic Scripting Tool Command Reference.
For information on importing and exporting policy sets using WLST, see "Importing and Exporting Documents in the Repository".
Oracle Web Services Manager and Oracle Infrastructure Web Services supported on IBM WebSphere
Differences in behavior, and any limitations, are described in "Managing Web Services on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.
There is new configuration control for overriding policy attachments and new predefined SAML 2.0 policies.
A new SAML 2.0 Login Module has been added. See "Configuring the SAML and Kerberos Login Modules".
New predefined SAML 2.0 policies have been added. See "Predefined Assertion Templates".
Support for WS-Trust 1.3 policies has been added. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens. See "WS-Trust Policies and Configuration Steps".
A new Automatic Policy Configuration feature dynamically generates the information about an STS config policy by parsing the STS WSDL document. See "Setting Up Automatic Policy Configuration for STS".
New predefined WS-Trust assertions have been added. See "Predefined Assertion Templates".
Oracle WSM provides the ability to use the LunaSA Hardware Security Manager (HSM) for key storage. See "Using Hardware Security Modules With Oracle WSM".
Oracle WebLogic Web Services Monitoring Enhancements
The Web Service Endpoint page in Oracle Enterprise Manager Fusion Middleware Control provides the ability to monitor policy violations for WebLogic JAX-WS Web services. In addition, the tab that displays Oracle WSM policy information has been renamed to OWSM Policies. For WebLogic JAX-RPC Web services, the endpoint tab is labeled WebLogic Policy Violations.
For more information on monitoring Web services, see "Monitoring the Performance of Web Services".
The Usage Analysis page in Oracle Enterprise Manager Fusion Middleware Control provides:
The option to filter the Policy Subject List by subject type.
The option to view the available policy subjects in the entire enterprise or only in the local domain/cell.
The total number of policy subjects to which the policy is attached in the Attachment Count field.
For more information on policy usage analysis, see "Analyzing Policy Usage".
The Request/Response tabs on Test Web Services page in Oracle Enterprise Manager Fusion Middleware Control have enhanced usability, as follows:
The Request tab sections are now collapsed by default.
On the Response tab, the Test Status results has better readability and the composite test results are now highlighted.
For more information on testing Web services, see "Testing Web Services".
Install Oracle WSM on a Standalone WebLogic Server
If you have a standalone WebLogic Server environment with JAX-WS Web services and clients deployed, you can install Oracle WSM and use it to secure your Web services and clients. For more information, see "Installing Oracle WSM on WebLogic Server".
Enhanced Specification Support for WS-Policy 1.5 and WS-SecurityPolicy 1.2, 1.3
Supported versions, with links to the specifications, are provided in "Supported Standards" in Developer's Guide for Oracle Infrastructure Web Services.
For information about valid version combinations, see "Policy Advertisement".
New Extensibility Guide for Creating Custom Assertions
All information related to developing custom assertions has been moved from this guide and into the new Extensibility Guide for Oracle Web Services Manager.
11g Release 1 (11.1.1.3) includes the following new features:
Oracle WSM policy attachment to WebLogic Java EE endpoints using Oracle Enterprise Manager Fusion Middleware Control
Deployment descriptor migration for ADF Business Components and WebCenter applications using the WebLogic Scripting Tool (WLST)
Cross-domain policy management of Oracle WSM Policies
Advertise policies for WebLogic JAX-WS Web services secured with Oracle WSM security policies
Web services atomic transaction support for SOA Web services and references and WebLogic JAX-WS Web services
Ability to configure a remote policy store at design time in JDeveloper. For more information, see "Using a Different Oracle WSM Policy Store" in "Developing with Web Services" in the JDeveloper Online Help.
Shared policy store for Oracle Infrastructure Web services and WebLogic Web services. For information about managing policies in the shared policy store, see "Using Custom Web Service Policies" in "Developing with Web Services" in the JDeveloper Online Help.
Ability to register Web service sources and to publish registered Web services to UDDI
Support for the DB2 database in the MDS repository
Ability to attach policies to Oracle Infrastructure Web Service providers
Ability to view assertion details for a policy when attaching to an endpoint
Ability to include a timestamp property for assertion templates that define Transport Security (SSL)
Ability to manually configure WebLogic Web service repository retrieval properties in Oracle Enterprise Manager Fusion Middleware Control
11g Release 1 (11.1.1.2) includes the following new features:
Enhanced administration and policy management for asynchronous Web services
Ability to define policy alternatives (OR groups)
Service-side policy configuration overrides
Oracle WSM policy attachment using the WebLogic Scripting Tool (WLST)
Ability to upgrade the Oracle WSM policies in the Oracle WSM Repository using WLST commands
Service identity certification extension for Web services that implement a message-protection policy. The Web service's public certificate is published in the WSDL, and it is no longer necessary for the Web service client to store the Web service's public certificate in its domain-level keystore.
Enhanced support for permission-based authorization using the oracle.wsm.security.WSFunctionPermission permission check class. In this release, the resource target of the WSFunctionPermission is enhanced to include the actual Web service operation name.
Ability to browse WSIL documents and import UDDI v3 registries using Fusion Middleware Control, and register services accordingly
Compliance with the WS-I Basic Security Profile
Support for testing RESTful Web services in Fusion Middleware Control Test Web Service page
Support for Microsoft SQL Server in the MDS repository
Ability to use the same Oracle WSM Repository to manage policies across multiple domains. In previous releases, a repository could only be used by a single domain.
New document, Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager, that contains the interoperability content previously provided in this document
Interoperability is certified between Oracle Web Services Manager and Axis 1.4 and WSS4J 1.5.8 security environments
11g Release 1 (11.1.1) includes the following new features:
Integration with the Oracle Fusion Middleware framework
Shared authorization and authentication infrastructure for Web applications and Web services through Oracle Platform Security Services
Automatic identity propagation
Integrated configuration, management, and monitoring of Web services using Oracle Enterprise Manager Fusion Middleware Control
Use of the Oracle Metadata Repository via Oracle Enterprise Manager Fusion Middleware Control
Integrated security management and monitoring of WebLogic Web services
Integrated policy attachment and monitoring support for WebLogic Web services
Enhanced support for Web services security standards
Enterprise policy framework with full standards support (WS-Policy, WS-SecurityPolicy, and WS-PolicyAttachment)
Run-time Service-Oriented Architecture (SOA) governance support through reusable run-time policies and bulk attachment of policies
Policy usage and impact analysis