4 Interoperability with Oracle WebLogic Server 11g Web Service Security Environments

This chapter contains the following sections:

4.1 Overview of Interoperability with Oracle WebLogic Server 11g Web Service Security Environments

In Oracle Fusion Middleware 11g, you can attach both Oracle WSM and Oracle WebLogic Server 11g Web service policies to WebLogic Java EE Web services.

For more details about the predefined Oracle WSM 11g policies, see Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

For more details about the predefined Oracle WebLogic Server 11g Web service policies, see Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

Table 4-1 and Table 4-2 summarize the most common Oracle WebLogic Server 11g Web service policy interoperability scenarios based on the following security requirements: authentication, message protection, and transport. The tables are organized as follows:

  • Table 4-1 describes interoperability scenarios with WebLogic Web service policies and Oracle WSM client policies.

  • Table 4-2 describes interoperability scenarios with Oracle WSM Web service policies and WebLogic Web service client policies.

Table 4-1 WebLogic Web Service Policy and Oracle WSM Client Policy Interoperability

Columns: Identity Token, WS-Security Version, Message Protection, Transport Security, Service Policy (WebLogic), Client Policy (Oracle WSM). Each row below gives the identity token and the three flag columns on its first line, followed by the two policy columns.

Username (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy: oracle/wss11_username_token_with_message_protection_client_policy

Username and MTOM (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy:

  • oracle/wss11_username_token_with_message_protection_client_policy
  • wsmtom_policy

Username (WS-Security 1.0; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy: oracle/wss10_username_token_with_message_protection_client_policy

SAML 2.0 (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy: oracle/wss11_saml_token_with_message_protection_client_policy

SAML (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy: oracle/wss11_saml_token_with_message_protection_client_policy

SAML and MTOM (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy:

  • oracle/wss11_saml_token_with_message_protection_client_policy
  • wsmtom_policy

SAML (WS-Security 1.0; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy: oracle/wss10_saml_token_with_message_protection_client_policy

Mutual Authentication (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy: oracle/wss11_x509_token_with_message_protection_client_policy

Mutual Authentication (WS-Security 1.0; message protection: Yes; transport security: No)

Service policy:

  • Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Client policy: oracle/wss10_x509_token_with_message_protection_client_policy


Table 4-2 Oracle WSM Service Policy and WebLogic Web Service Client Policy Interoperability

Columns: Identity Token, WS-Security Version, Message Protection, Transport Security, Service Policy (Oracle WSM), Client Policy (WebLogic). Each row below gives the identity token and the three flag columns on its first line, followed by the two policy columns.

Username (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy: oracle/wss11_username_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Username and MTOM (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy: oracle/wss11_username_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Username (WS-Security 1.0; message protection: Yes; transport security: No)

Service policy: oracle/wss10_username_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Username over SSL (WS-Security 1.0 and 1.1; message protection: No; transport security: Yes)

Service policy: oracle/wss_username_token_over_ssl_service_policy

Client policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml

Username over SSL with MTOM (WS-Security 1.0 and 1.1; message protection: No; transport security: Yes)

Service policy: oracle/wss_username_token_over_ssl_service_policy

Client policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml

SAML over SSL (WS-Security 1.0 and 1.1; message protection: No; transport security: Yes)

Service policy: oracle/wss_saml_token_over_ssl_service_policy

Client policy: Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml

SAML over SSL with MTOM (WS-Security 1.0 and 1.1; message protection: No; transport security: Yes)

Service policy: oracle/wss_saml_token_over_ssl_service_policy

Client policy: Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml

SAML 2.0 (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy: oracle/wss11_saml_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

SAML (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy: oracle/wss11_saml_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

SAML with MTOM (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy: oracle/wss11_saml_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

SAML (WS-Security 1.0; message protection: Yes; transport security: No)

Service policy: oracle/wss10_saml_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Mutual Authentication (WS-Security 1.1; message protection: Yes; transport security: No)

Service policy: oracle/wss11_x509_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml

Mutual Authentication (WS-Security 1.0; message protection: Yes; transport security: No)

Service policy: oracle/wss10_x509_token_with_message_protection_service_policy

Client policy:

  • Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml
  • Wssp1.2-2007-SignBody.xml
  • Wssp1.2-2007-EncryptBody.xml


4.2 Username Token With Message Protection (WS-Security 1.1)

This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:

4.2.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.2.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-3 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policies:

  • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure identity and trust stores.

"Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

4

Configure message-level security.

Note: For a WS-Security 1.1 policy you only need to configure the Confidentiality Key. The client generates a symmetric key, wraps it to this key's certificate (the EncryptedKey in the message) and uses it for both signing and encryption, so the service needs no separate signing key to process the request or protect the response.

"Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

"Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

5

Deploy the Web service.

"Install a Web Service" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help


4.2.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-4 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-3 using clientgen or some other mechanism.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

3

Configure the policy.

"oracle/wss11_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

4

Specify keystore.recipient.alias in the client configuration.

"oracle/wss11_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

5

Ensure that the certificate referenced by keystore.recipient.alias in the client keystore is the certificate of the key pair the Web service decrypts with (its Confidentiality Key in the Web service security configuration). The client encrypts the request to this certificate, so a wrong or stale certificate is not detected at the client; every request simply fails to decrypt at the service.

"oracle/wss11_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

6

Provide a valid username and password as part of the configuration.

"oracle/wss11_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

7

Invoke the Web service method from the client.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services


4.2.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.2.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-5 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create and deploy a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.2.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-6 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-5 using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Attach the following policies:

  • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Provide the server's encryption certificate (the public half of the key pair the Web service decrypts with) in the client configuration.

Note: Ensure that this certificate matches the encryption key configured for the Web service. The client encrypts the request to it and, under WS-Security 1.1, wraps the generated symmetric key to it as well, so a mismatch makes every request undecryptable at the service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Invoke the Web service method from the client.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server


4.3 Username Token With Message Protection (WS-Security 1.1) and MTOM

This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenarios:

4.3.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.3.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-7 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services.

2

Use the @MTOM annotation in the Web service.

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
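The JWS below is an added example, not code from the Oracle documentation, of what tasks 2 and 4 of Table 4-3 and task 2 of Table 4-7 look like in source: the three WebLogic policies attached with @Policies, the Web service security configuration bound with @WssConfiguration (the same mechanism that Section 4.9 uses in its task 5), and the @MTOM annotation that turns the Table 4-3 service into the Table 4-7 one. The class, operation and configuration names are assumptions; the policy URIs are the files listed in the tables.

```java
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.soap.MTOM;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import weblogic.jws.security.WssConfiguration;

/*
 * Assumed names: EchoService, the echo operations and the security
 * configuration "my_security_configuration" are illustrative.
 *
 * The "policy:" prefix makes WebLogic Server resolve the URI against its
 * packaged policy files, which is where the Wssp1.2-* files listed in
 * Table 4-3 and Table 4-7 live.
 */
@WebService(name = "EchoPort", serviceName = "EchoService")
@Policies({
    // Identity: a UsernameToken with a PasswordText password, carried under the
    // WS-Security 1.1 symmetric binding (EncryptedKey, Basic128 algorithm suite).
    @Policy(uri = "policy:Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml"),
    // Message protection: sign the SOAP body ...
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    // ... and encrypt it. Drop either one and the body crosses the wire unsigned
    // or in clear while a UsernameToken is still demanded from the client.
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
// Binds the service to the Web service security configuration created in the
// Administration Console, the one holding the Confidentiality Key (Table 4-3,
// task 4). Omit the annotation to use the server default named "default_wss".
@WssConfiguration(value = "my_security_configuration")
// MTOM variant (Table 4-7, task 2): binary parameters travel as MIME parts.
// Remove this annotation for the plain Table 4-3 service.
@MTOM
public class EchoServiceImpl {

    @WebMethod
    public String echo(String message) {
        return message;
    }

    // A binary payload is what MTOM is for. With EncryptBody attached the
    // binary content is encrypted along with the rest of the body, MTOM or not.
    @WebMethod
    public byte[] echoBytes(byte[] data) {
        return data;
    }
}
```

The check worth making after deployment is on the published WSDL: the three policies must appear in the wsdl:binding, and the security configuration named in @WssConfiguration must exist on the server before the service is deployed, otherwise deployment fails rather than silently falling back to default_wss.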


4.3.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-8 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Configure the client proxy for the Web service in Table 4-7 using clientgen or some other mechanism.

Follow the steps described in "Username Token With Message Protection (WS-Security 1.1)".

2

If you did not use the @MTOM annotation in the Web service (as described in Table 4-7), attach wsmtom_policy from the Management tab.

Follow Step 2 of "Attaching and Configuring the Oracle WSM Client Policy".

"Attaching Policies to Oracle Infrastructure Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.3.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.3.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-9 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Configure the Oracle WSM Web service.

Follow the steps in Section 4.2, "Username Token With Message Protection (WS-Security 1.1)".

2

Attach wsmtom_policy to the Web service from the Management tab.

Follow Step 2 of Section 4.2.2.1, "Attaching and Configuring the Oracle WSM Policy".

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.3.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses a WebLogic Web service client policy, perform the following tasks.

Table 4-10 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-9 using clientgen.

Follow the steps in Section 4.2, "Username Token With Message Protection (WS-Security 1.1)".

2

If you did not attach the wsmtom_policy as described in Table 4-9, use the @MTOM annotation in the Web service client.

Follow Step 2 of "Attaching and Configuring the WebLogic Web Service Client Policy".


4.4 Username Token With Message Protection (WS-Security 1.0)

This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "Username Token With Message Protection (WS-Security 1.1)".

4.4.1 Interoperability with a WebLogic Web Service Policy

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.4.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-11 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policies:

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure identity and trust stores.

"Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

4

Configure message-level security.

"Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

"Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

5

Deploy the Web service.

Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.


4.4.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-12 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Create a client proxy to the Web service created in Table 4-11 using clientgen or some other mechanism.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service client: oracle/wss10_username_token_with_message_protection_client_policy.

"Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3

Configure the policy.

"oracle/wss10_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

4

Use different keys for the client's own key pair (used to sign the request and decrypt the response) and for keystore.recipient.alias (the Web service's public key, used to encrypt the request): they belong to different parties. Ensure that the recipient alias refers to the same certificate as the encryption key defined in the Web service policy security configuration.

 

5

Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

 

6

Provide a valid username and password as part of the configuration.

 

7

Invoke the Web service method from the client.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services
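The client below is an added example, not code from the Oracle documentation, showing the Oracle WSM client side of Table 4-4 (WS-Security 1.1) and Table 4-12 (WS-Security 1.0) done programmatically: the client policy is attached with a SecurityPolicyFeature and the aliases the tables talk about are set as configuration overrides on the request context. The generated EchoService/EchoPort types, the alias names and the credential store key are assumptions; the override property names are the ClientConstants of oracle.wsm.security.util.SecurityConstants.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class OwsmUsernameTokenClient {

    public static final String WSS11_POLICY =
            "oracle/wss11_username_token_with_message_protection_client_policy";
    public static final String WSS10_POLICY =
            "oracle/wss10_username_token_with_message_protection_client_policy";

    /**
     * Builds a port with the chosen Oracle WSM client policy attached programmatically
     * (the alternative to attaching it in the console) and sets the policy's
     * configuration overrides on the request context.
     */
    public static EchoPort createPort(boolean legacyWss10) {
        String policy = legacyWss10 ? WSS10_POLICY : WSS11_POLICY;
        SecurityPolicyFeature[] features = { new SecurityPolicyFeature(policy) };

        EchoService service = new EchoService();        // assumed clientgen-generated class
        EchoPort port = service.getEchoPort(features);  // JAX-WS WebServiceFeature varargs
        Map<String, Object> rc = ((BindingProvider) port).getRequestContext();

        // Username and password (Table 4-4 task 6 / Table 4-12 task 6): reference a
        // credential store entry instead of putting BindingProvider.USERNAME_PROPERTY and
        // PASSWORD_PROPERTY in code, so the password never lives in source or config files.
        rc.put(ClientConstants.WSS_CSF_KEY, "echo-service-key");            // assumed CSF key

        // keystore.recipient.alias (Table 4-4 tasks 4 and 5): the Web service's public
        // certificate in the Oracle WSM keystore. The request is encrypted to it and, under
        // WS-Security 1.1, the generated symmetric key is wrapped to it as well; the
        // matching private key must be the one the service decrypts with.
        rc.put(ClientConstants.WSS_RECIPIENT_KEY_ALIAS, "echoservice-enc"); // assumed alias

        if (legacyWss10) {
            // WS-Security 1.0 (Table 4-12, task 4): the client signs with its own key and the
            // service encrypts the response to the client's certificate. These are the client's
            // keys and must stay distinct from the recipient alias, which is the service's key;
            // both client certificates must be trusted entries in the service's trust store.
            rc.put(ClientConstants.WSS_SIG_KEY_ALIAS, "client-sign");       // assumed alias
            rc.put(ClientConstants.WSS_ENC_KEY_ALIAS, "client-enc");        // assumed alias
        }
        return port;
    }

    public static void main(String[] args) {
        EchoPort port = createPort(false);   // WS-Security 1.1 unless a legacy peer forces 1.0
        System.out.println(port.echo("hello"));
    }
}
```

Attaching the policy programmatically keeps the choice of policy in the artifact that ships; attaching it in the console lets an administrator change it later without a rebuild. Whichever you use, the keystore.recipient.alias override is the one to audit: an alias that resolves to the wrong certificate is not an error on the client, the request is simply encrypted to a key the service does not hold.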


4.4.2 Interoperability with a WebLogic Web Service Client Policy

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.4.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-13 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_service_policy.

See "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.


4.4.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-14 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-13 using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Attach the following policies:

  • Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure the client for server (encryption key) and client certificates.

Note: Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Invoke the Web service method from the client.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
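The client below is an added example, not code from the Oracle documentation, of task 3 in Table 4-6 and Table 4-14: a clientgen-generated JAX-WS client given the WebLogic credential providers that the message-protection policies need, together with a TrustManager that actually checks the certificate the service signs with. Keystore paths, passwords, aliases and the EchoService/EchoPort types are assumptions; the WebLogic classes are weblogic.wsee.security.unt.ClientUNTCredentialProvider, weblogic.wsee.security.bst.ClientBSTCredentialProvider and weblogic.xml.crypto.wss.WSSecurityContext.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

public class MessageProtectedClient {

    // Assumed values: paths, passwords and aliases are illustrative.
    private static final String CLIENT_KEYSTORE = "/opt/app/conf/client.jks";
    private static final String CLIENT_KEYSTORE_PASS = "clientks-pass";
    private static final String CLIENT_KEY_ALIAS = "client-sign";
    private static final String CLIENT_KEY_PASS = "clientkey-pass";
    private static final String TRUSTSTORE = "/opt/app/conf/client-trust.jks";
    private static final String TRUSTSTORE_PASS = "trust-pass";
    private static final String SERVICE_CERT_ALIAS = "echoservice-enc";

    /** Loads the client trust store: the service's encryption certificate plus any signer we accept. */
    static KeyStore loadTrustStore() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(TRUSTSTORE);
        try {
            ts.load(in, TRUSTSTORE_PASS.toCharArray());
        } finally {
            in.close();
        }
        return ts;
    }

    /** Sets up a generated port for the policies of Table 4-6 (WS-Security 1.1) or Table 4-14 (1.0). */
    static void configure(EchoPort port, String username, char[] password) throws Exception {
        final KeyStore trustStore = loadTrustStore();
        X509Certificate serviceCert = (X509Certificate) trustStore.getCertificate(SERVICE_CERT_ALIAS);
        if (serviceCert == null) {
            throw new IllegalStateException("no service certificate under alias " + SERVICE_CERT_ALIAS);
        }
        serviceCert.checkValidity();   // never encrypt to an expired or not-yet-valid certificate

        List<CredentialProvider> providers = new ArrayList<CredentialProvider>();
        // X.509 material. serviceCert is what EncryptBody encrypts to and, under the WS-Security
        // 1.1 EncryptedKey binding, what the generated symmetric key is wrapped to (Table 4-6,
        // task 3). The client key pair is what signs the request under the WS-Security 1.0
        // policy (Table 4-14, task 3); the 1.1 policy simply does not use it.
        providers.add(new ClientBSTCredentialProvider(CLIENT_KEYSTORE, CLIENT_KEYSTORE_PASS,
                CLIENT_KEY_ALIAS, CLIENT_KEY_PASS, "JKS", serviceCert));
        // UsernameToken credentials for the policy's identity requirement.
        providers.add(new ClientUNTCredentialProvider(username.getBytes("UTF-8"),
                new String(password).getBytes("UTF-8")));

        Map<String, Object> rc = ((BindingProvider) port).getRequestContext();
        rc.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, providers);
        // Decides whether the certificate the service signed its response with is trusted.
        // A callback that returns true unconditionally accepts a response signed by anyone;
        // require the leaf certificate to be an entry in our trust store and to be valid.
        rc.put(WSSecurityContext.TRUST_MANAGER, new TrustManager() {
            public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                if (chain == null || chain.length == 0) {
                    return false;
                }
                try {
                    chain[0].checkValidity();
                    return trustStore.getCertificateAlias(chain[0]) != null;
                } catch (Exception e) {
                    return false;
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        EchoService service = new EchoService();   // assumed clientgen-generated class
        EchoPort port = service.getEchoPort();
        configure(port, "svc-user", "svc-password".toCharArray());
        System.out.println(port.echo("hello"));
    }
}
```

The certificate stored under SERVICE_CERT_ALIAS must be the public half of the key the service decrypts with (the Confidentiality Key of its security configuration, or the Oracle WSM encryption key when the service side is Oracle WSM); export only the certificate from the server keystore, never the key entry, when you build the client trust store.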


4.5 Username Token Over SSL

The following section describes how to implement username token over SSL, describing the following interoperability scenario:

4.5.1 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement username token over SSL and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.5.1.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-15 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Configure the server for one-way SSL.

"Configuring SSL on WebLogic Server (One-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

2

Create a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

3

Attach the following policy: oracle/wss_username_token_over_ssl_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.5.1.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-16 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-15 using clientgen. Provide a valid username and password as part of the configuration for this policy in the client proxy.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Configure WebLogic Server for SSL.

"Configuring SSL on WebLogic Server (One-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

3

Configure identity and trust stores.

"Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

4

Attach Wssp1.2-2007-Https-UsernameToken-Plain.xml to the Web service client.

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

5

Provide the truststore and other required System properties in the SSL client.

"Using SSL Authentication in Java Clients" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server

6

Invoke the Web service.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server


4.6 Username Token Over SSL with MTOM

The following section describes how to implement username token over SSL with Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenario:

4.6.1 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement username token over SSL with MTOM and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.6.1.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-17 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Configure the Oracle WSM Web service.

Follow the steps in Section 4.5, "Username Token Over SSL".


4.6.1.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses a WebLogic Web service client policy, perform the following tasks.

Table 4-18 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-17.

Follow the steps in Section 4.5, "Username Token Over SSL".

2

Use the @MTOM annotation in the Web service client.

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server


4.7 SAML Token (Sender Vouches) Over SSL

The following section describes how to implement SAML token sender vouches with SSL. It describes the following interoperability scenario:

4.7.1 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement SAML token sender vouches with SSL and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.7.1.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-19 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Configure the oracle/wss_saml_token_over_ssl_service_policy policy for two-way SSL.

"oracle/wss_saml_token_over_ssl_service_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

2

Create a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

3

Attach the following policy to the Web service: oracle/wss_saml_token_over_ssl_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.7.1.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-20 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-19 using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Configure Oracle WebLogic Server for two-way SSL.

"Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

3

Configure identity and trust stores.

"Configure Identity and Trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

4

Attach Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml to the Web service client.

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

5

Configure a SAML credential mapping provider.

In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

Select the new provider, click on Provider Specific, and configure it as follows:

  1. Set Issuer URI to www.oracle.com.

  2. Set Name Qualifier to www.oracle.com.

www.oracle.com is the issuer that the Oracle WSM SAML service policies trust by default. If you use a different Issuer URI, add it to the trusted issuers configured for oracle/wss_saml_token_over_ssl_service_policy, otherwise the service rejects the assertion.

"Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

6

Restart Oracle WebLogic Server.

 

7

Create a SAML relying party.

Set the Profile to WSS/Sender-Vouches.

"Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

8

Configure the SAML relying party.

Configure the SAML relying party as follows (leave other values set to the defaults):

  • Target URL: <url_used_to_access_Web_service>

  • Description: <your_description>

Select the Enabled checkbox and click Save.

Ensure the Target URL is the endpoint URL the client uses to invoke the Web service; the credential mapper issues a SAML assertion only for requests whose target matches a configured relying party.

"Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

9

Create a servlet and call the proxy code from the servlet.

 

10

Protect the servlet with BASIC authentication so that WebLogic Server authenticates the caller and an authenticated subject exists on the request thread. The SAML credential mapper builds the sender-vouches assertion from that subject; without it there is no identity to propagate.

 

11

Provide the truststore and other required System properties in the SSL client.

"Using SSL Authentication in Java Clients" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server

12

Invoke the Web application client.

Enter the credentials of the user whose identity is to be propagated using the SAML token.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
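The servlet below is an added example, not code from the Oracle documentation, of tasks 9, 10 and 12 in Table 4-20: a servlet that calls the generated proxy on behalf of the user the container authenticated. Nothing in it supplies credentials, which is the point of sender-vouches: the SAML credential mapper derives the assertion from the authenticated subject, and the client's two-way SSL identity vouches for it. The EchoService/EchoPort types, the endpoint URL and the web.xml security constraint it relies on are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.BindingProvider;

/*
 * Assumed: EchoService/EchoPort were generated by clientgen with
 * Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml attached (task 4); the servlet is
 * declared in web.xml under a <security-constraint> whose <login-config> uses
 * <auth-method>BASIC</auth-method> (task 10); and SERVICE_URL equals the Target URL
 * of the SAML relying party created in tasks 7 and 8.
 */
public class SamlSenderVouchesServlet extends HttpServlet {

    private static final String SERVICE_URL = "https://svc.example.com:7002/echo/EchoService";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The credential mapper asserts the identity of the subject on the current thread.
        // If the container did not authenticate the caller there is nothing to vouch for,
        // so fail closed instead of letting the call go out under the anonymous subject.
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "BASIC authentication required");
            return;
        }

        EchoService service = new EchoService();
        EchoPort port = service.getEchoPort();
        BindingProvider bp = (BindingProvider) port;
        // Must match the relying party's Target URL exactly: the mapper issues an assertion
        // only for a target it has been configured to trust (assumed endpoint).
        bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, SERVICE_URL);

        // No username, password or token is set here. The assertion names caller.getName()
        // as the subject, and the HTTPS client certificate is what the service trusts as the
        // voucher, which is why the policy requires two-way SSL.
        String result = port.echo("hello from " + caller.getName());

        resp.setContentType("text/plain");
        resp.getWriter().println("service replied: " + result);
    }
}
```

When the call fails with an authentication fault on the service side, check three things in this order: that req.getUserPrincipal() is non-null (the constraint actually covers the servlet's URL pattern), that the relying party's Target URL matches SERVICE_URL byte for byte, and that the Issuer URI from task 5 is one the service policy trusts.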


4.8 SAML Token (Sender Vouches) Over SSL with MTOM

The following section describes how to implement SAML token sender vouches over SSL with MTOM. It describes the following interoperability scenario:

4.8.1 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement SAML token sender vouches over SSL with MTOM and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.8.1.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-21 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Configure the Oracle WSM Web service.

"SAML Token (Sender Vouches) Over SSL"


4.8.1.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses a WebLogic Web service client policy, perform the following tasks.

Table 4-22 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Configure the Oracle WebLogic Web service client policy.

"SAML Token (Sender Vouches) Over SSL"

2

Use the @MTOM annotation in the Web service client.

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.


4.9 SAML Token 2.0 (Sender Vouches) With Message Protection (WS-Security 1.1)

This section describes how to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:

4.9.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.9.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-23 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policies:

  • Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure the keystore properties for message signing and encryption. The configuration must match the keystore used on the server side. Create the trust store from the keystore by exporting both keys and trusting both of them when importing them into the trust store. Configure the identity and trust stores.

See "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

4

Configure message-level security.

See "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

"Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

5

Attach new configuration using the annotation:

@WssConfiguration(value="my_security_configuration") where my_security_configuration is the name of the Web Security Configuration created in Step 4.

"Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

6

Deploy the Web service.

See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

7

Create a SAML Identity Asserter.

In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAML2IdentityAsserter.

"Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

8

Restart WebLogic Server.

 

9

To add the identity provider to the identity asserter created in Step 7, perform the following steps:

  1. Select the identity asserter created in Step 7 in the WebLogic Administration Console.

  2. Create a new identity provider partner, select New, and then select New Webservice Identity Provider Partner.

  3. Provide a name, and select Finish.

 

10

Configure the identity provider as follows:

  1. Select the identity provider partner created in Step 9.

  2. Select the Enabled check box.

  3. Provide the Audience URI. For example: target:*:/saml20WLSWS-Project1-context-root/Class1Port

  4. Set Issuer URI to www.oracle.com.

  5. Set Target URL to <url_used_to_access_Web_service>.

  6. Set Profile to WSS/Sender-Vouches.
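Steps 2 and 5 of Table 4-23 (and the @MTOM step of Table 4-31 in Section 4.11.1) expressed in a JWS file, as an added example that is not part of the Oracle documentation; the class, method and namespace names are assumptions, and only the security configuration name comes from the table.

```java
// Added example (not from the Oracle documentation): a WebLogic JWS that attaches the
// three policy files from Table 4-23, Step 2, binds the Web service security
// configuration from Step 5, and enables MTOM for the Section 4.11 variant.
// Class, method and namespace names are constructed for this example.
package example.interop;

import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;
import javax.xml.ws.soap.MTOM;
import weblogic.jws.Policies;
import weblogic.jws.Policy;
import weblogic.jws.WssConfiguration;

@WebService(name = "DocumentService", serviceName = "DocumentService",
            targetNamespace = "http://example.invalid/interop")
// The "policy:" prefix resolves to a policy file packaged in weblogic.jar (Step 2).
// Order matters for review, not for the runtime: the token policy states who may call,
// SignBody and EncryptBody state what is protected.
@Policies({
    @Policy(uri = "policy:Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
// Binds the Web Service security configuration created in the console (Steps 4 and 5).
// It must name the configuration that holds the server's identity keystore and the
// Confidentiality Key that decrypts the client's encrypted key.
@WssConfiguration(value = "my_security_configuration")
// Section 4.11 only: with MTOM, binary parameters above the threshold travel as MIME
// attachments instead of base64 text; they are still covered by SignBody/EncryptBody.
@MTOM(threshold = 1024)
public class DocumentServiceImpl {

    @WebMethod
    public String storeDocument(@WebParam(name = "name") String name,
                                @WebParam(name = "content") byte[] content) {
        // By the time this runs, the runtime has verified the body signature,
        // decrypted the body, and mapped the SAML assertion to a local user.
        // Input validation still belongs here: the policies authenticate the
        // caller and protect the message, they say nothing about its content.
        if (name == null || name.trim().isEmpty() || content == null) {
            throw new IllegalArgumentException("name and content are required");
        }
        return name + ":" + content.length;
    }
}
```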

 

4.9.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-24 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Generate a client using JDeveloper for the Web service created in Table 4-23. Create a Web project and then select New, and create a client proxy using the WSDL.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Add a servlet to the above project.

 

3

Attach the following policy to the Web service client: oracle/wss11_saml20_token_with_message_protection_client_policy.

"Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

4

Specify keystore.recipient.alias in the client configuration.

Ensure that keystore.recipient.alias is the same as the decryption key specified for the Web service.

 

5

Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

 

6

In JDeveloper, secure the Web project with form-based authentication using the Configure ADF Security Wizard.

 

7

Invoke the Web application client.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services


4.9.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service client policy and the Oracle WSM policy:

4.9.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-25 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss11_saml20_token_with_message_protection_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.9.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-26 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a Java EE client for the deployed Web service using JDeveloper. Create a Web project and generate a proxy from the WSDL.

 

2

Attach the following policies:

  • Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

Extract weblogic.jar to a folder and provide the absolute path to the above policy files.

 

3

Add a servlet to the above Web project.

 

4

Configure the client for server (encryption key) and client certificates.

Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

5

Secure the Web application client using BASIC Authentication.

"Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server

6

Deploy the Java EE Web application client.

"Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

7

Configure a SAML credential mapping provider.

In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAML2CredentialMapper.

Select the new provider, click on Provider Specific, and configure it as follows:

  1. Set Issuer URI to www.oracle.com.

  2. Set Name Qualifier to www.oracle.com.

"Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

8

Restart WebLogic Server.

 

9

To create a new service provider partner, perform the following steps:

  1. Select the credential mapper created in Step 7 in the WebLogic Administration Console, and then select the Management tab.

  2. Select New, and then select New Webservice Service Provider Partner.

  3. Provide a name, and select Finish.

 

10

Configure the service provider partner as follows:

  1. Select the service provider partner created in Step 9.

  2. Select the Enabled check box.

  3. Provide the Audience URI.

  4. Set Issuer URI to www.oracle.com.

  5. Set Target URL to <url_used_to_access_Web_service>.

  6. Set Profile to WSS/Sender-Vouches.

 

11

Invoke the Web application client.

Enter the credentials of the user whose identity is to be propagated using SAML token.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server


4.10 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)

This section describes how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:

4.10.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.10.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-27 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policies:

  • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

3

Configure identity and trust stores.

"Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

4

Configure message-level security.

Because this is a WS-Security 1.1 policy, you need to configure only the Confidentiality Key.

5

Deploy the Web service.

Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

6

Create a SAMLIdentityAsserterV2 authentication provider.

In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

"Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

7

Restart WebLogic Server.

 

8

Select the authentication provider created in step 5.

 

9

Create a SAML asserting party.

Set Profile to WSS/Sender-Vouches.

"Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

10

Configure the SAML asserting party.

Configure the SAML asserting party as follows:

  1. Set Issuer URI to www.oracle.com.

  2. Set Target URL to <url_used_to_access_Web_service>.

"Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help


4.10.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-28 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Create a client proxy to the Web service created in Table 4-27 using clientgen or some other mechanism.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service client: oracle/wss11_saml_token_with_message_protection_client_policy.

"Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3

Configure the policy, as described in oracle/wss11_saml_token_with_message_protection_client_policy.

 

4

Specify keystore.recipient.alias in the client configuration.

Ensure that keystore.recipient.alias is the same as the decryption key specified for the Web service.

 

5

Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

 

6

Provide a valid username whose identity needs to be propagated using SAML token in the client configuration.

 

7

Invoke the Web application client.

Enter the credentials of the user whose identity is to be propagated using SAML token.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services


4.10.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement SAML 2.0 sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.10.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-29 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss11_saml_token_with_message_protection_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.10.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-30 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service (above) using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Attach the following policies:

  • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure the client for server (encryption key) and client certificates.

Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Secure the Web application client using BASIC Authentication.

"Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.

5

Deploy the Web service client.

"Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

6

Configure a SAML credential mapping provider.

In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

Select the new provider, click on Provider Specific, and configure it as follows:

  1. Set Issuer URI to www.oracle.com.

  2. Set Name Qualifier to www.oracle.com.

"Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

7

Restart WebLogic Server.

 

8

Create a SAML relying party.

Set the Profile to WSS/Sender-Vouches.

"Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

9

Configure the SAML relying party.

Ensure the Target URL is set to the URL used for the client Web service.

"Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

10

Invoke the Web application client.

Enter the credentials of the user whose identity is to be propagated using SAML token.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server


4.11 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) and MTOM

This section describes how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenarios:

4.11.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and MTOM and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.11.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-31 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service, as described in Section 4.10, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)"

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Use the @MTOM annotation in the Web service in Step 2 of "Attaching and Configuring the WebLogic Web Service Policy".

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server


4.11.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-32 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Create a client proxy to the Web service created in Table 4-31, as described in Section 4.10, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)"

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach wsmtom_policy from the Management tab.

Step 2 of Section 4.10.1.2, "Attaching and Configuring the Oracle WSM Client Policy".

"Attaching Policies to Oracle Infrastructure Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.11.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and MTOM and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.11.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-33 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create and deploy a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.11.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-34 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-5 using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Attach the following policies:

  • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Provide the configuration for the server (encryption key) in the client.

Note: Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Invoke the Web service method from the client.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server


4.12 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

This section describes how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)".

4.12.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.12.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-35 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policies:

  • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure identity and trust stores.

"Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

4

Configure message-level security.

5

Deploy the Web service.

Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

6

Create a SAMLIdentityAsserterV2 authentication provider.

In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

"Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

7

Restart WebLogic Server.

 

8

Select the authentication provider created in step 5.

 

9

Create a SAML asserting party.

Set Profile to WSS/Sender-Vouches.

"Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

10

Configure a SAML asserting party.

Configure the SAML asserting party as follows (leave other values set to the defaults):

  1. Set Issuer URI to www.oracle.com.

  2. Set Target URL to <url_used_by_client>.

"Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help


4.12.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-36 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Create a client proxy to the Web service created in Table 4-35 using clientgen or some other mechanism.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service client: oracle/wss10_saml_token_with_message_protection_client_policy.

"Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

3

Configure the policy.

oracle/wss10_saml_token_with_message_protection_client_policy

4

Ensure that the client uses different keys for its own signing and decryption key and for the keystore recipient alias (the server's public key used for encryption). Ensure that the recipient alias matches the keys defined in the Web service policy security configuration.

 

5

Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

 

6

Provide a valid username whose identity needs to be propagated using the SAML token in the client configuration.

 

7

Invoke the Web service method.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services


4.12.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement SAML token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.12.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-37 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss10_saml_token_with_message_protection_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.12.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-38 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service (above) using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Attach the following policies:

  • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure the client for server (encryption key) and client certificates.

Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Secure the Web application client using BASIC Authentication.

"Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server

5

Deploy the Web service client.

"Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

6

Configure a SAML credential mapping provider.

In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

"Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

7

Select the SAMLCredentialMapperV2, click on Provider Specific, and configure it as follows:

  1. Set Issuer URI to www.oracle.com.

  2. Set Name Qualifier to www.oracle.com.

 

8

Restart WebLogic Server.

 

9

Create a SAML relying party.

Set the profile to WSS/Sender-Vouches.

"Create a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

10

Configure the SAML relying party.

Ensure the target URL is set to the URL used for the client Web service.

"Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

11

Invoke the Web application client and enter the appropriate credentials.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server


4.13 Mutual Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:

4.13.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.13.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-39 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policies:

  • Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure identity and trust stores.

"Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

4

Configure message-level security.

5

Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as follows:

  • Create a token handler for the username token and configure the following:

    • Name: <name>

    • Class name: weblogic.xml.crypto.wss.UsernameTokenHandler

    • Token Type: ut

    • Handling Order: 1

  • Create a token handler for X.509 and configure the following:

    • Name: <name>

    • Class name: weblogic.xml.crypto.wss.BinarySecurityTokenHandler

    • Token Type: x509

    • Handling Order: 0

  • For the X.509 token handler, add the following properties:

    • Name: UseX509ForIdentity

    • Value: true

    • IsEncrypted: False

"Create a token handler of a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

6

Configure a credential mapping provider.

Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

  • Keystore Provider: N/A

  • Keystore Type: jks

  • Keystore File Name: default_keystore.jks

  • Keystore Pass Phrase: <password>

  • Confirm Keystore Pass Phrase: <password>

"Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

7

Configure Authentication.

Select the Authentication tab and configure as follows:

  • Click DefaultIdentityAsserter and add X.509 to Chosen active types

  • Click Provider Specific and configure the following:

    • Default User Name Mapper Attribute Type: CN

    • Active Types: X.509

    • Use Default User Name Mapper: True

"Configure Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

8

If the users are not added, add the Common Name (CN) user specified in the certificate.

"Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

9

Restart Oracle WebLogic Server.


10

Deploy the Web service.

"Install a Web Service" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help


4.13.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-40 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-39 using clientgen or some other mechanism.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the client: wss10_x509_token_with_message_protection_client_policy

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

3

Provide the configuration for the server (encryption key) in the client.

Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Invoke the Web service method from the client.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services


4.13.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.13.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-41 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss10_x509_token_with_message_protection_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.13.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-42 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-41 using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Attach the following policies:

  • Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Provide the configuration for the server (encryption key) in the client.

Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Invoke the Web service method from the client.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server


4.14 Mutual Authentication with Message Protection (WS-Security 1.1)

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard:

4.14.1 Interoperating with a WebLogic Web Service Policy

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the Oracle WSM client policy:

4.14.1.1 Attaching and Configuring the WebLogic Web Service Policy

To configure a Web service with a WebLogic Web service policy, perform the following tasks.

Table 4-43 Attaching and Configuring the WebLogic Web Service Policy

Task Description More Information

1

Create a WebLogic Web service.

"Roadmap for Implementing WebLogic (Java EE) Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policies:

  • Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Configure identity and trust stores.

"Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

4

Configure message-level security.

5

Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as follows:

  • Create a token handler for username token and configure the following:

    • Name: <name>

    • Class name: weblogic.xml.crypto.wss.UsernameTokenHandler

    • Token Type: ut

    • Handling Order: 1

  • Create a token handler for X.509 and configure the following:

    • Name: <name>

    • Class name: weblogic.xml.crypto.wss.BinarySecurityTokenHandler

    • Token Type: x509

    • Handling Order: 0

  • For the X.509 token handler, add the following properties:

    • Name: UserX509ForIdentity

    • Value: true

    • IsEncrypted: False

"Create a token handler of a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

6

Configure a credential mapping provider.

Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

  • Keystore Provider: N/A

  • Keystore Type: jks

  • Keystore File Name: default_keystore.jks

  • Keystore Pass Phrase: <password>

  • Confirm Keystore Pass Phrase: <password>

"Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

7

Configure Authentication.

Select the Authentication tab and configure as follows:

  • Click DefaultIdentityAsserter and add X.509 to Chosen active types

  • Click Provider Specific and configure the following:

    • Default User Name Mapper Attribute Type: CN

    • Active Types: X.509

    • Use Default User Name Mapper: True

"Configure Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

8

If the users are not added, add the Common Name (CN) user specified in the certificate.

"Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help

9

Restart Oracle WebLogic Server.


10

Deploy the Web service.

"Install a Web Service" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
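As an added example (not code from the Oracle documentation), the following WebLogic JAX-WS service class shows how step 2 of Table 4-43 is expressed with the @Policies and @Policy annotations; the same shape serves Table 4-39, swapping in the wss10 policy file. The package, class, service and operation names are assumed.

```java
// Added example: a WebLogic JWS class with the three policies from Table 4-43
// step 2 attached at class level. Names below are assumed placeholders.
package example.interop;

import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

@WebService(name = "MutualAuthPortType", serviceName = "MutualAuthService") // assumed names
@Policies({
    // WS-Security 1.1 X.509 mutual authentication. For the WS-Security 1.0
    // procedure in Table 4-39, reference
    // policy:Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml instead.
    @Policy(uri = "policy:Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml"),
    // The SOAP body must be signed ...
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    // ... and encrypted; without both, a caller could alter or read the payload.
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
public class MutualAuthImpl {

    // Assumed operation; the identity asserter maps the caller's certificate CN
    // (step 7) to a WebLogic user before this method runs.
    @WebMethod
    public String echo(String text) {
        return "echo: " + text;
    }
}
```

The "policy:" prefix tells WebLogic to load the file from the policies packaged with the server rather than from the application archive.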


4.14.1.2 Attaching and Configuring the Oracle WSM Client Policy

To configure the client with an Oracle WSM client policy, perform the following tasks.

Table 4-44 Attaching and Configuring the Oracle WSM Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-43 using clientgen or some other mechanism.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the client: wss11_x509_token_with_message_protection_client_policy

Edit the policy as follows:

<orasp:x509-token orasp:sign-key-ref-mech="thumbprint" orasp:enc-key-ref-mech="thumbprint"/>

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services

3

Provide the configuration for the server (encryption key) in the client.

Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Invoke the Web service method from the client.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services
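As an added example (not code from the Oracle documentation), the following JAX-WS client performs steps 2 and 3 of Table 4-44 programmatically: it attaches the Oracle WSM client policy with SecurityPolicyFeature and supplies the keystore details and the server's encryption key alias through the request context. The same code serves Table 4-40 with the wss10 client policy. The clientgen-generated proxy classes, keystore path, key aliases and the use of command-line arguments for passwords are assumed.

```java
// Added example: Oracle WSM client policy attachment for the service from
// Table 4-43. Proxy class names, aliases and the keystore path are assumed.
package example.interop;

import java.util.Map;
import javax.xml.ws.BindingProvider;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class MutualAuthClient {

    public static void main(String[] args) {
        // Step 2: attach the WS-Security 1.1 X.509 client policy. For Table 4-40
        // use oracle/wss10_x509_token_with_message_protection_client_policy.
        SecurityPolicyFeature[] features = {
            new SecurityPolicyFeature(
                "oracle/wss11_x509_token_with_message_protection_client_policy")
        };

        MutualAuthService service = new MutualAuthService();           // assumed, clientgen output
        MutualAuthPortType port = service.getMutualAuthPort(features);  // assumed port getter

        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();

        // Client keystore holding the client's key pair and the service certificate.
        ctx.put(ClientConstants.WSS_KEYSTORE_TYPE, "JKS");
        ctx.put(ClientConstants.WSS_KEYSTORE_LOCATION, "/path/to/client_keystore.jks"); // assumed
        ctx.put(ClientConstants.WSS_KEYSTORE_PASSWORD, args[0]);   // supplied at run time, not hard-coded
        ctx.put(ClientConstants.WSS_SIG_KEY_ALIAS, "client");       // assumed alias
        ctx.put(ClientConstants.WSS_SIG_KEY_PASSWORD, args[1]);
        ctx.put(ClientConstants.WSS_ENC_KEY_ALIAS, "client");
        ctx.put(ClientConstants.WSS_ENC_KEY_PASSWORD, args[1]);

        // Step 3: the recipient alias must name the certificate whose private key
        // is the encryption key configured on the WebLogic service; a mismatch
        // leaves the service unable to decrypt the request.
        ctx.put(ClientConstants.WSS_RECIPIENT_KEY_ALIAS, "wls_server"); // assumed alias

        // Step 4: invoke the operation; signing and encryption are applied by the policy.
        System.out.println(port.echo("hello"));
    }
}
```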


4.14.2 Interoperating with a WebLogic Web Service Client Policy

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the Oracle WSM Web service policy and the WebLogic Web service client policy:

4.14.2.1 Attaching and Configuring the Oracle WSM Policy

To configure a Web service with an Oracle WSM Web service policy, perform the following tasks.

Table 4-45 Attaching and Configuring the Oracle WSM Policy

Task Description More Information

1

Create and deploy a Web service.

"Roadmap for Implementing Oracle Fusion Middleware Web Services" in Oracle Fusion Middleware Introducing Web Services

2

Attach the following policy to the Web service: oracle/wss11_x509_token_with_message_protection_service_policy.

"Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services


4.14.2.2 Attaching and Configuring the WebLogic Web Service Client Policy

To configure a client that uses WebLogic Web service client policy, perform the following tasks.

Table 4-46 Attaching and Configuring the WebLogic Web Service Client Policy

Task Description More Information

1

Create a client proxy for the Web service created in Table 4-45 using clientgen.

"Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server

2

Attach the following policies:

  • Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml

  • Wssp1.2-2007-SignBody.xml

  • Wssp1.2-2007-EncryptBody.xml

"Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

3

Provide the configuration for the server (encryption key) in the client.

Note: Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.

"Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

4

Invoke the Web service method from the client.

"Writing the Java Client Application Code to Invoke a Web Service" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server