13 Upgrading Oracle Web Services Manager Policies and OC4J Security Environments

This chapter provides important supplementary information about upgrading Oracle SOA applications to Oracle Fusion Middleware 11g.

Use Chapter 8, "Overview of Upgrading Oracle SOA Suite, WebCenter, and ADF Applications" for the tasks required to upgrade any Oracle SOA Suite, WebCenter, and ADF application.

Use the following sections to understand tasks specific to upgrading Oracle SOA applications:

13.1 Upgrading Oracle Web Services Manager (WSM) Policies

In Oracle WSM 10g, you specify policy steps at each policy enforcement point. Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the Web service request or response.

For more details about the Oracle WSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in the Oracle Web Services Manager Administrator's Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies" in Security and Administrator's Guide for Oracle Web Services.

13.1.1 Before You Upgrade

Before you upgrade Oracle WSM policies, you must perform the following tasks:

13.1.1.1 A Note About Oracle WSM 10g Gateways

As described in "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services, Oracle Fusion Middleware 11g does not include a Gateway component.

You can continue to use the Oracle WSM 10g Gateway components with Oracle WSM 10g policies in your applications. For information about Oracle WSM 10g interoperability, see the Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager.

13.1.1.2 A Note About Third-party Software

As described in "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services, Oracle WSM 10g supported policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 11g only supports Oracle WebLogic Server.

You can continue to use the third-party application servers with Oracle WSM 10g policies. For information about Oracle WSM 10g interoperability, see the Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager.

13.1.2 Upgrading Oracle WSM 10g Predefined Policies

Table 13-1 describes the most common Oracle WSM predefined policy upgrade scenarios based on the following security requirements: authentication and authorization, message protection, transport, and logging. A comparison of the steps required to implement each security requirement in both the Oracle WSM 10g and Oracle WSM 11g environments is provided.

For more information about:

Table 13-1 Upgrading Oracle WSM 10g Predefined Policies

Each row of the table lists the security requirement, the Oracle WSM 10g policy steps that implement it, and the Oracle WSM 11g policies and configuration that replace them.

Security requirement: Anonymous authentication with message protection (WS-Security 1.0)

Oracle WSM 10g: Attach policy steps as follows:

  • Client: Sign Message and Encrypt.

  • Web service: Decrypt and Verify Signature.

Oracle WSM 11g:

  1. Attach policies as follows:

    Client: oracle/wss10_message_protection_client_policy.

    Web service: oracle/wss10_message_protection_service_policy.

  2. Leave the default configuration set for message signing and encryption.

  3. Disable the Include Timestamp configuration setting.

Security requirement: Anonymous authentication with message integrity (WS-Security 1.0)

Oracle WSM 10g: Attach policy steps as follows:

  • Client: Sign Message.

  • Web service: Verify Signature.

Oracle WSM 11g:

  1. Attach policies as follows:

    Client: oracle/wss10_message_protection_client_policy.

    Web service: oracle/wss10_message_protection_service_policy.

  2. Configure the policy assertion for message signing only.

  3. Disable the Include Timestamp configuration setting.

Security requirement: Anonymous authentication with message confidentiality (WS-Security 1.0)

Oracle WSM 10g: Attach policy steps as follows:

  • Client: XML Encrypt.

  • Web service: XML Decrypt.

Oracle WSM 11g:

  1. Attach policies as follows:

    Client: oracle/wss10_message_protection_client_policy.

    Web service: oracle/wss10_message_protection_service_policy.

  2. Configure the policy assertion for message encryption only.

  3. Disable the Include Timestamp configuration setting.

Security requirement: Username token with message protection (WS-Security 1.0)

Oracle WSM 10g: Attach policy steps as follows:

  • Client: Insert WSBASIC Credentials and Sign Message and Encrypt.

  • Web service: Decrypt and Verify Signature, Extract Credentials (configured as WSBASIC), and File Authenticate.

Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

Oracle WSM 11g:

  1. Attach policies as follows:

    Client: oracle/wss10_username_token_with_message_protection_client_policy.

    Web service: oracle/wss10_username_token_with_message_protection_service_policy.

  2. Leave the default configuration set for message signing and encryption.

  3. Disable the Include Timestamp configuration setting.

  4. Configure the Authentication and Identity Assertion provider.

Security requirement: Username token with message protection (WS-Security 1.0) and file authorization

Oracle WSM 10g: Attach policy steps as follows:

  • Client: Insert WSBASIC Credentials and Sign Message and Encrypt.

  • Web service: Decrypt and Verify Signature, Extract Credentials (configured as WSBASIC), File Authenticate, and File Authorize.

Note: You can substitute File Authenticate with LDAP Authenticate, Active Directory Authenticate, or SiteMinder Authenticate. Similarly, you can substitute File Authorize with LDAP Authorize, Active Directory Authorize, or SiteMinder Authorize.

Oracle WSM 11g:

  1. Attach policies as follows:

    Client: oracle/wss10_username_token_with_message_protection_client_policy.

    Web service: oracle/wss10_username_token_with_message_protection_service_policy and oracle/binding_authorization.

  2. Leave the default configuration set for message signing and encryption.

  3. Disable the Include Timestamp configuration setting.

  4. Configure the Authentication and Identity Assertion provider.

Security requirement: ID propagation with SAML token (sender vouches) with message protection (WS-Security 1.0)

Oracle WSM 10g: Attach policy steps as follows:

  • Client: SAML—Insert WSS 1.0 Sender-Vouches Token and Sign and Encrypt.

  • Web service: XML Decrypt and SAML—Verify WSS 1.0 Token.

Oracle WSM 11g:

  1. Attach policies as follows:

    Client: oracle/wss10_saml_token_with_message_protection_client_policy.

    Web service: oracle/wss10_saml_token_with_message_protection_service_policy.

  2. Disable the Include Timestamp configuration setting.

  3. Leave the default configuration set for message signing and encryption.

Security requirement: HTTP basic authentication

Oracle WSM 10g: Attach policy steps as follows:

  • Client: N/A.

  • Web service: Extract Credentials (configured as HTTP).

Oracle WSM 11g: Attach policies as follows:

  • Client: oracle/wss_http_token_client_policy.

  • Web service: oracle/wss_http_token_service_policy.

Security requirement: Mutual authentication with message protection (WS-Security 1.0)

Oracle WSM 10g: Attach policy steps as follows:

  • Client: Insert WSBASIC Credentials and Sign Message and Encrypt.

  • Web service: Decrypt and Verify Signature, Extract Credentials (configured as WSBASIC), and File Authenticate.

Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

Oracle WSM 11g:

  1. Attach policies as follows:

    Client: oracle/wss10_x509_token_with_message_protection_client_policy.

    Web service: oracle/wss10_x509_token_with_message_protection_service_policy.

  2. Leave the default configuration set for message signing and encryption.

  3. Disable the Include Timestamp configuration setting.

  4. Configure the Authentication and Identity Assertion provider.

Security requirement: Username token over SSL

Oracle WSM 10g:

  1. Configure the application server for SSL.

  2. Attach policy steps as follows:

    Client: Insert WSBASIC Credentials.

    Web service: Extract Credentials and File Authenticate.

Oracle WSM 11g:

  1. Configure the application server for SSL.

  2. Attach policies as follows:

    Client: oracle/wss_username_token_over_ssl_client_policy.

    Web service: oracle/wss_username_token_over_ssl_service_policy.

  3. Disable the Include Timestamp configuration setting.

Security requirement: ID propagation with SAML token (sender vouches) over SSL (WS-Security 1.0)

Oracle WSM 10g:

  1. Configure the application server for SSL.

  2. Attach policy steps as follows:

    Client: SAML—Insert WSS 1.0 Sender-Vouches Token.

    Web service: SAML—Verify WSS 1.0 Token.

Oracle WSM 11g:

  1. Configure the application server for SSL.

  2. Attach policies as follows:

    Client: oracle/wss_saml_token_over_ssl_client_policy.

    Web service: oracle/wss_saml_token_over_ssl_service_policy.

  3. Disable the Include Timestamp configuration setting.

Security requirement: Log information

Oracle WSM 10g: Attach the Log policy step to the client or Web service.

Oracle WSM 11g: Attach the oracle/log_policy policy to the client or Web service.


13.1.3 Upgrading Oracle WSM Custom Policies

In Oracle WSM 10g, you create, develop, and deploy custom policy steps using the procedures described in the Oracle Web Services Manager Extensibility Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

In Oracle WSM 11g, you create, develop, and deploy custom policy assertions. You will need to redefine your custom policy steps as custom policy assertions using the procedures described in "Creating Custom Policies" in Security and Administrator's Guide for Oracle Web Services.

13.2 Upgrading Oracle Containers for J2EE (OC4J) Security Environments

In OC4J 10g, you configure your security environment by modifying the contents of the XML-based deployment descriptor files. For complete details about securing OC4J environments, see Oracle Application Server Web Services Security Guide at:

http://www.oracle.com/technology/documentation/

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies" in Security and Administrator's Guide for Oracle Web Services.

The following sections describe the most common OC4J upgrade scenarios based on the following security requirements: authentication, message protection, transport, and logging. A comparison of the steps required to implement each security requirement in both the OC4J 10g and Oracle WSM 11g environments is provided.

Note:

For information about configuring and attaching policies in Oracle Fusion Middleware 11g, see Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

The next section describes the prerequisites required before you upgrade.

13.2.1 Before You Upgrade

Before you upgrade the OC4J security environment, you must perform the following tasks:

13.2.2 Anonymous Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement authentication with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required for the OC4J 10g and Oracle WSM 11g environments.

13.2.2.1 OC4J 10g

Edit the deployment descriptors for the Web service and client, as described in the following sections.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

Web Service Client (with sample data)

Define the <signature> and <encrypt> elements in the client deployment descriptor. For example:

<signature>
   <signature-method>RSA-SHA1</signature-method> 
   <tbs-elements>
      <tbs-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> 
   </tbs-elements>
   <add-timestamp created="true" expiry="28800" /> 
</signature>
<encrypt>
   <recipient-key alias="orakey"/>
   <encryption-method>AES-128</encryption-method> 
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> 
   <tbe-elements>
      <tbe-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" />
   </tbe-elements>
</encrypt>

Web Service (with sample data)

Define the <verify-signature> and <decrypt> elements in the service deployment descriptor. For example:

<verify-signature>
   <tbs-elements>
      <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <verify-timestamp expiry="28800" created="true" /> 
</verify-signature>
<decrypt>
   <tbe-elements>
      <tbe-element 
       name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" mode="CONTENT" /> 
   </tbe-elements>
</decrypt>

13.2.2.2 Oracle WSM 11g

Perform the following steps:

  1. Attach policies as follows:

    Client: oracle/wss10_message_protection_client_policy.

    Web service: oracle/wss10_message_protection_service_policy.

    For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Leave the configuration set for message body signing and encryption.

13.2.3 Anonymous Authentication with Message Integrity (WS-Security 1.0)

The following sections describe how to implement authentication with message integrity that conforms to the WS-Security 1.0 standard, and compare the steps required for the OC4J 10g and Oracle WSM 11g environments.

13.2.3.1 OC4J 10g

Edit the deployment descriptors for the Web service and client, as described in the following sections.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

Web Service Client (with sample data)

Define the <signature> element in the client deployment descriptor. For example:

<signature>
   <signature-method>RSA-SHA1</signature-method> 
   <tbs-elements>
      <tbs-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> 
   </tbs-elements>
   <add-timestamp created="true" expiry="28800" /> 
</signature>

Web Service (with sample data)

Define the <verify-signature> element in the service deployment descriptor. For example:

<verify-signature>
   <tbs-elements>
      <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <verify-timestamp expiry="28800" created="true" /> 
</verify-signature>

13.2.3.2 Oracle WSM 11g

Perform the following steps:

  1. Attach policies as follows:

    Client: oracle/wss10_message_protection_client_policy.

    Web service: oracle/wss10_message_protection_service_policy.

    For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Configure the policy assertion for message body signing only.

13.2.4 Anonymous Authentication with Message Confidentiality (WS-Security 1.0)

The following sections describe how to implement authentication with message confidentiality that conforms to the WS-Security 1.0 standard, and compare the steps required for the OC4J 10g and Oracle WSM 11g environments.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

13.2.4.1 OC4J 10g

Edit the deployment descriptors for the Web service and client, as described in the following sections.

Web Service Client (with sample data)

Define the <encrypt> element in the client deployment descriptor. For example:

<encrypt>
   <recipient-key alias="orakey"/>
   <encryption-method>AES-128</encryption-method> 
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> 
   <tbe-elements>
      <tbe-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" />
   </tbe-elements>
</encrypt>

Web Service (with sample data)

Define the <decrypt> element in the service deployment descriptor. For example:

<decrypt>
   <tbe-elements>
      <tbe-element 
       name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" mode="CONTENT" /> 
   </tbe-elements>
</decrypt>

13.2.4.2 Oracle WSM 11g

Perform the following steps:

  1. Attach policies as follows:

    Client: oracle/wss10_message_protection_client_policy.

    Web service: oracle/wss10_message_protection_service_policy.

    For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Configure the policy assertion for message body encryption only.

13.2.5 Username Token with Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.

13.2.5.1 OC4J 10g

Edit the deployment descriptors for the Web service and client, as described in the following sections.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

Web Service Client (with sample data)

Define the <username-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:

<username-token password-type="PLAINTEXT" add-nonce="false" 
 add-created="false" /> 
<signature>
   <signature-method>RSA-SHA1</signature-method> 
   <tbs-elements>
      <tbs-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/"/> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
       local-part="UsernameToken" /> 
   </tbs-elements>
   <add-timestamp created="true" expiry="28800" /> 
</signature>
<encrypt>
   <recipient-key alias="orakey" /> 
   <encryption-method>AES-128</encryption-method> 
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> 
   <tbe-elements>
      <tbe-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> 
      <tbe-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
       local-part="UsernameToken" /> 
   </tbe-elements>
</encrypt>

Web Service (with sample data)

Define the <verify-username-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:

<verify-username-token password-type="PLAINTEXT" require-nonce="false" 
 require-created="false" /> 
<verify-signature>
   <tbs-elements>
      <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <verify-timestamp expiry="28800" created="true" /> 
</verify-signature>
<decrypt>
   <tbe-elements>
      <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" mode="CONTENT" /> 
   </tbe-elements>
</decrypt>

13.2.5.2 Oracle WSM 11g

Perform the following steps:

  1. Attach policies as follows:

    Client: oracle/wss10_username_token_with_message_protection_client_policy.

    Web service: oracle/wss10_username_token_with_message_protection_service_policy.

    For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Leave the configuration set for message body signing and encryption.

  3. Configure the Authentication and Identity Assertion provider.

13.2.6 ID Propagation Using SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement ID propagation using SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide 10g (10.1.3.1.0) at:

http://www.oracle.com/technology/documentation/

13.2.6.1 OC4J 10g

Edit the deployment descriptors for the Web service and client, as described in the following sections.

Web Service Client (with sample data)

Define the <saml-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:

<saml-token issuer-name="www.oracle.com" name="weblogic" 
 name-format="UNSPECIFIED">
   <subject-confirmation-method>
      <confirmation-method>SENDER-VOUCHES</confirmation-method> 
   </subject-confirmation-method>
</saml-token>
<signature>
   <signature-method>RSA-SHA1</signature-method> 
   <tbs-elements>
      <tbs-element local-part="Body" 
       name-space="http://schemas.xmlsoap.org/soap/envelope/" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <add-timestamp created="true" expiry="28800" /> 
</signature>
<encrypt>
   <recipient-key alias="orakey" /> 
   <encryption-method>AES-128</encryption-method> 
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> 
   <tbe-elements>
      <tbe-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> 
   </tbe-elements>
</encrypt>

Web Service (with sample data)

Define the <verify-saml-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:

<verify-saml-token>
   <subject-confirmation-methods>
      <confirmation-method>SENDER-VOUCHES</confirmation-method> 
   </subject-confirmation-methods>
</verify-saml-token>
<verify-signature>
   <tbs-elements>
      <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <verify-timestamp expiry="28800" created="true" /> 
</verify-signature>
<decrypt>
   <tbe-elements>
     <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
      local-part="Body" mode="CONTENT" /> 
   </tbe-elements>
</decrypt>
 

13.2.6.2 Oracle WSM 11g

Attach policies as follows:

  • Client: oracle/wss10_saml_token_with_message_protection_client_policy.

  • Web service: oracle/wss10_saml_token_with_message_protection_service_policy.

For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

13.2.7 ID Propagation Using SAML Token (Holder of Key) with Message Protection (WS-Security 1.0)

The following sections describe how to implement ID propagation using SAML token holder of key with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

13.2.7.1 OC4J 10g

Edit the deployment descriptors for the Web service and client, as described in the following sections.

Web Service Client (with sample data)

Define the <saml-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:

<saml-token issuer-name="www.oracle.com" name="weblogic" 
 name-format="UNSPECIFIED">
   <subject-confirmation-method>
      <confirmation-method>HOLDER-OF-KEY</confirmation-method> 
   </subject-confirmation-method>
</saml-token>
<signature>
   <signature-method>RSA-SHA1</signature-method> 
   <tbs-elements>
      <tbs-element local-part="Body" 
       name-space="http://schemas.xmlsoap.org/soap/envelope/" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <add-timestamp created="true" expiry="28800" /> 
</signature>
<encrypt>
   <recipient-key alias="orakey" /> 
   <encryption-method>AES-128</encryption-method> 
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> 
   <tbe-elements>
      <tbe-element local-part="Body" name-space=
       "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> 
   </tbe-elements>
</encrypt>

Web Service (with sample data)

Define the <verify-saml-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:

<verify-saml-token>
   <subject-confirmation-methods>
      <confirmation-method>HOLDER-OF-KEY</confirmation-method> 
   </subject-confirmation-methods>
</verify-saml-token>
<verify-signature>
   <tbs-elements>
      <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <verify-timestamp expiry="28800" created="true" /> 
</verify-signature>
<decrypt>
   <tbe-elements>
     <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
      local-part="Body" mode="CONTENT" /> 
   </tbe-elements>
</decrypt> 

13.2.7.2 Oracle WSM 11g

Attach policies as follows:

  • Client: oracle/wss10_saml_hok_with_message_protection_client_policy.

  • Web service: oracle/wss10_saml_hok_with_message_protection_service_policy.

For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

13.2.8 Mutual Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

13.2.8.1 OC4J 10g

Edit the deployment descriptors for the Web service and client, as described in the following sections.

Web Service Client (with sample data)

Define the <x509-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:

<x509-token /> 
<signature>
   <signature-method>RSA-SHA1</signature-method> 
   <tbs-elements>
      <tbs-element local-part="Body" 
       name-space="http://schemas.xmlsoap.org/soap/envelope/" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <add-timestamp created="true" expiry="28800" /> 
</signature>
<encrypt>
   <recipient-key alias="orakey" /> 
   <encryption-method>AES-128</encryption-method> 
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> 
   <tbe-elements>
      <tbe-element local-part="Body" 
       name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> 
   </tbe-elements>
</encrypt>

Web Service (with sample data)

Define the <verify-x509-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:

<verify-x509-token /> 
<verify-signature>
   <tbs-elements>
      <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" 
       local-part="Body" /> 
      <tbs-element name-space=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       local-part="Timestamp" /> 
   </tbs-elements>
   <verify-timestamp expiry="28800" created="true" /> 
</verify-signature>
<decrypt>
   <tbe-elements>
      <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/"
       local-part="Body" mode="CONTENT" /> 
   </tbe-elements>
</decrypt>

13.2.8.2 Oracle WSM 11g

Perform the following steps:

  1. Attach policies as follows:

    Client: oracle/wss10_x509_token_with_message_protection_client_policy.

    Web service: oracle/wss10_x509_token_with_message_protection_service_policy.

    For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Leave the configuration set for message body signing and encryption.

  3. Configure the Authentication and Identity Assertion provider.

13.2.9 Username Token over SSL

The following sections describe how to implement username token over SSL, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

13.2.9.1 OC4J 10g

Configure the application server for SSL and edit the deployment descriptors for the Web service and client, as described in the following sections.

Web Service Client (with sample data)

Define the <username-token> and <signature> elements in the client deployment descriptor. For example:

<username-token password-type="PLAINTEXT" add-nonce="true" 
 add-created="true" />
<signature>
   <add-timestamp created="true" expiry="28800" /> 
</signature>

Web Service (with sample data)

Define the <verify-username-token> element in the service deployment descriptor. For example:

<verify-username-token password-type="PLAINTEXT" require-nonce="false" require-created="false" />  
<signature>
   <verify-timestamp expiry="28800" created="true" />  
</signature>

13.2.9.2 Oracle WSM 11g

Perform the following steps:

  1. Configure the application server for SSL.

  2. Attach policies as follows:

    Client: oracle/wss_username_token_over_ssl_client_policy.

    Web service: oracle/wss_username_token_over_ssl_service_policy.

For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

13.2.10 ID Propagation with SAML Token (Sender Vouches) over SSL (WS-Security 1.0)

The following sections describe how to implement ID propagation with SAML token sender vouches over SSL that conforms to WS-Security 1.0, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.

For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:

http://www.oracle.com/technology/documentation/

13.2.10.1 OC4J 10g

Configure the application server for SSL and edit the deployment descriptors for the Web service and client, as described in the following sections.

Web Service Client (with sample data)

Define the <saml-token> and <signature> elements in the client deployment descriptor. For example:

<saml-token name="weblogic" issuer-name="www.oracle.com" 
 name-format="UNSPECIFIED">
   <subject-confirmation-method>
     <confirmation-method>SENDER-VOUCHES</confirmation-method> 
   </subject-confirmation-method>
</saml-token>
<signature>
   <add-timestamp created="true" expiry="28800" /> 
</signature> 

Web Service (with sample data)

Define the <verify-saml-token> element in the service deployment descriptor. For example:

<verify-saml-token>
   <subject-confirmation-methods> 
      <confirmation-method>SENDER-VOUCHES-UNSIGNED</confirmation-method> 
   </subject-confirmation-methods> 
</verify-saml-token>  
<signature>
   <verify-timestamp expiry="28800" created="true" />  
</signature>

13.2.10.2 Oracle WSM 11g

Perform the following steps:

  1. Configure the application server for SSL.

  2. Attach policies as follows:

    Client: oracle/wss_saml_token_over_ssl_client_policy.

    Web service: oracle/wss_saml_token_over_ssl_service_policy.
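The scenario comparisons in Table 13-1 and in Sections 13.2.2 through 13.2.10 amount to a mapping from the OC4J 10g descriptor elements present on the client and service (<username-token>, <saml-token> with its confirmation method, <x509-token>, <signature>, <encrypt>, and whether SSL carries the exchange) to a pair of Oracle WSM 11g predefined policies. The following script, an added example that is not part of this guide and not an Oracle tool, encodes that mapping and runs the consistency checks a reviewer would want before migrating a descriptor pair: that the service verifies every element the client signs (in particular the wsu:Timestamp), that a PLAINTEXT username token is encrypted or carried over SSL, and that client and service agree on the timestamp expiry. The sample descriptors are constructed for the example, shaped after the Section 13.2.5 snippets; the function and result keys are this example's own names.

```python
# Added example (not Oracle's tooling): map an OC4J 10g client/service
# descriptor pair to the Oracle WSM 11g policy pair from Table 13-1 and
# run pre-migration consistency checks on the descriptors.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample descriptors, shaped like the Section 13.2.5 snippets
# (username token with message protection).
SAMPLE_CLIENT = f"""
<username-token password-type="PLAINTEXT" add-nonce="false" add-created="false"/>
<signature>
  <signature-method>RSA-SHA1</signature-method>
  <tbs-elements>
    <tbs-element local-part="Body" name-space="{SOAP_NS}"/>
    <tbs-element local-part="Timestamp" name-space="{WSU_NS}"/>
    <tbs-element local-part="UsernameToken" name-space="{WSSE_NS}"/>
  </tbs-elements>
  <add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
  <recipient-key alias="orakey"/>
  <encryption-method>AES-128</encryption-method>
  <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
  <tbe-elements>
    <tbe-element local-part="Body" name-space="{SOAP_NS}" mode="CONTENT"/>
    <tbe-element local-part="UsernameToken" name-space="{WSSE_NS}"/>
  </tbe-elements>
</encrypt>
"""
SAMPLE_SERVICE = f"""
<verify-username-token password-type="PLAINTEXT" require-nonce="false" require-created="false"/>
<verify-signature>
  <tbs-elements>
    <tbs-element local-part="Body" name-space="{SOAP_NS}"/>
    <tbs-element local-part="Timestamp" name-space="{WSU_NS}"/>
  </tbs-elements>
  <verify-timestamp expiry="28800" created="true"/>
</verify-signature>
<decrypt>
  <tbe-elements>
    <tbe-element local-part="Body" name-space="{SOAP_NS}" mode="CONTENT"/>
  </tbe-elements>
</decrypt>
"""


def _parse(fragment):
    # The guide lists the security elements as bare siblings; give them one root.
    return ET.fromstring("<inbound>" + fragment + "</inbound>")


def _local_parts(root, path):
    # Names of the SOAP/WS-Security elements listed under a tbs/tbe list.
    return {e.get("local-part") for e in root.findall(path)}


def map_to_wsm11(client_fragment, service_fragment, over_ssl=False):
    """Return the 11g policy pair for an OC4J 10g descriptor pair (Table 13-1),
    the assertion configuration to keep, and a list of consistency findings."""
    client, service = _parse(client_fragment), _parse(service_fragment)
    signed = _local_parts(client, "signature/tbs-elements/tbs-element")
    encrypted = _local_parts(client, "encrypt/tbe-elements/tbe-element")
    verified = _local_parts(service, "verify-signature/tbs-elements/tbs-element")
    signs_body, encrypts_body = "Body" in signed, "Body" in encrypted

    # Which credential the client inserts decides the policy family.
    if client.find("username-token") is not None:
        token = "username_token"
    elif client.find("saml-token") is not None:
        method = client.findtext("saml-token/subject-confirmation-method/confirmation-method", "")
        token = "saml_hok" if method.strip() == "HOLDER-OF-KEY" else "saml_token"
    elif client.find("x509-token") is not None:
        token = "x509_token"
    else:
        token = None

    if over_ssl:
        if token not in ("username_token", "saml_token"):
            raise ValueError("only username and SAML sender-vouches tokens are mapped over SSL")
        base = "oracle/wss_%s_over_ssl" % token
        assertion = "transport protection only (SSL); no message signing or encryption"
    elif token is None:
        if not (signs_body or encrypts_body):
            raise ValueError("no token, signature or encryption to map")
        base = "oracle/wss10_message_protection"
        assertion = {(True, True): "sign and encrypt (default)", (True, False): "sign only",
                     (False, True): "encrypt only"}[(signs_body, encrypts_body)]
    else:
        if not (signs_body and encrypts_body):
            raise ValueError("token scenarios in Table 13-1 sign and encrypt the Body")
        base = "oracle/wss10_%s_with_message_protection" % token
        assertion = "sign and encrypt (default)"

    checks = []
    if "Timestamp" in signed and "Timestamp" not in verified:
        checks.append("client signs wsu:Timestamp but the service verify-signature does not cover it")
    ut = client.find("username-token")
    if (ut is not None and ut.get("password-type") == "PLAINTEXT"
            and not over_ssl and "UsernameToken" not in encrypted):
        checks.append("PLAINTEXT username token is neither encrypted nor sent over SSL")
    add_ts, ver_ts = client.find("signature/add-timestamp"), service.find(".//verify-timestamp")
    if add_ts is not None and ver_ts is not None and add_ts.get("expiry") != ver_ts.get("expiry"):
        checks.append("client add-timestamp expiry differs from service verify-timestamp expiry")
    return {
        "client_policy": base + "_client_policy",
        "service_policy": base + "_service_policy",
        "assertion_config": assertion,
        "timestamp_expiry_seconds": int(ver_ts.get("expiry")) if ver_ts is not None else None,
        "checks": checks,
    }


if __name__ == "__main__":
    for key, value in map_to_wsm11(SAMPLE_CLIENT, SAMPLE_SERVICE).items():
        print(f"{key}: {value}")
```

Running the script on the sample pair yields the two oracle/wss10_username_token_with_message_protection policies with the default sign-and-encrypt assertion and an empty check list; passing over_ssl=True with a descriptor pair shaped like Section 13.2.9 yields the oracle/wss_username_token_over_ssl pair instead. The returned timestamp_expiry_seconds (28800 in every snippet of this chapter, that is, eight hours) is reported so that the window the 10g service accepts can be compared with whatever the 11g policy's timestamp settings will enforce after the upgrade.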

13.2.11 Log Information

The following sections describe how to enable the collection of log information, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.

13.2.11.1 OC4J 10g

Configure the logging and auditing interceptor.

13.2.11.2 Oracle WSM 11g

Attach the following policy to the Web service or client: oracle/log_policy.

For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.