This chapter describes interoperability of Oracle Web Services Manager (OWSM) with OWSM 10g security environments.
This chapter includes the following topics:
Section 2.1, "Overview of Interoperability with OWSM 10g Security Environments"
Section 2.4, "Anonymous Authentication with Message Protection (WS-Security 1.0)"
Section 2.5, "Username Token with Message Protection (WS-Security 1.0)"
Section 2.6, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"
Section 2.7, "Mutual Authentication with Message Protection (WS-Security 1.0)"
Section 2.9, "SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)"
With OWSM 10g, you specify policy steps at each policy enforcement point. The policy enforcement points in OWSM 10g include Gateways and Agents. Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the Web service request or response. For more details about the OWSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG
.
With OWSM 12c, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.
Table 2-1 and Table 2-2 summarize the most common OWSM 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
OWSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates.
Review "A Note About OWSM 10g Gateways" and "A Note About Third-party Software" for important information about your usage of OWSM 10g Gateways and third-party software.
Table 2-1 OWSM 10g Service Policy and OWSM 12c Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Anonymous |
1.0 |
Yes |
No |
Request pipeline: Decrypt and Verify Signature Response pipeline: Sign Message and Encrypt |
|
Username |
1.0 |
Yes |
No |
Request pipeline:
Response pipeline: Sign Message and Encrypt |
|
SAML |
1.0 |
Yes |
No |
Request pipeline:
Response pipeline: Sign Message and Encrypt |
|
Mutual Authentication |
1.0 |
Yes |
No |
Request pipeline: Decrypt and Verify Response pipeline: Sign Message and Encrypt |
|
Username over SSL |
1.0 and 1.1 |
No |
Yes |
Request pipeline:
|
|
SAML over SSL |
1.0 and 1.1 |
No |
Yes |
Request pipeline:
|
|
Table 2-2 OWSM 12c Service Policy and OWSM 10g Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Anonymous |
1.0 |
Yes |
No |
|
Request pipeline: Sign Message and Encrypt Response pipeline: Decrypt and Verify Signature |
Username |
1.0 |
Yes |
No |
|
Request pipeline: Sign Message and Encrypt Response pipeline: Decrypt and Verify Signature |
SAML |
1.0 |
Yes |
No |
|
Request pipeline:
Response pipeline: Decrypt and Verify Signature |
Mutual Authentication |
1.0 |
Yes |
No |
|
Request pipeline: Sign Message and Encrypt Response pipeline: Decrypt and Verify Signature |
Username over SSL |
1.0 and 1.1 |
No |
Yes |
|
N/A |
SAML over SSL |
1.0 and 1.1 |
No |
Yes |
|
Request pipeline:
|
The following sections provide additional interoperability information about using OWSM 10g Gateways and third-party software with OWSM 12c.
Oracle Fusion Middleware 12c (12.1.2) does not include a Gateway component. You can continue to use the OWSM 10g Gateway components with OWSM 10g policies in your applications.
OWSM 10g supports policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 12c (12.1.2) only supports Oracle WebLogic Server. You can continue to use the third-party application servers with OWSM 10g policies.
The following sections describe how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard:
To configure OWSM 10g client and OWSM 12c Web service, perform the following steps:
Create a copy of the policy: oracle/wss10_message_protection_service_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to a Web service.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Register the Web service (above) with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step to the request pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step to the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Navigate to the OWSM Test page and enter the virtualized URL of the Web service.
Invoke the Web service.
To configure OWSM 12c client and OWSM 10g Web service, perform the following steps:
Register the Web service with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step in the request pipeline: Decrypt and Verify Signature
Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step in the response pipeline: Sign Message and Encrypt
Configure the Sign Message and Encrypt policy response pipeline as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Create a client proxy using the virtualized URL of the Web service registered on the OWSM Gateway.
Create a copy of the following policy: oracle/wss10_message_protection_client_policy.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy, as described in "oracle/wss10_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the Web service.
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard:
To configure OWSM 10g client and OWSM 12c Web service, perform the following steps:
Create a copy of the following policy: oracle/wss10_username_token_with_message_protection_service_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to a Web service.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Register the Web service (above) with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step to the request pipeline: Sign Message and Encrypt
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Set Encrypted Content to ENVELOPE.
Set Signed Content to ENVELOPE.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step to the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Navigate to the OWSM Test page and enter the virtualized URL of the Web service.
Select the Include Header checkbox against WS-Security and provide valid credentials.
Invoke the Web service.
To configure OWSM 12c client and OWSM 10g Web service, perform the following steps:
Register the Web service with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline:
- Decrypt and Verify Signature
- Extract Credentials (configured as WS-BASIC)
- File Authenticate
Note:
You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.
Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:
Configure the keystore properties for extracting credentials. The configuration should be in accordance with the keystore used on the server side.
Configure the Extract Credentials policy step in the request pipeline, as follows:
Set the Credentials location to WS-BASIC.
Configure the File Authenticate policy step in the request pipeline to use valid credentials.
Attach the following policy step in the response pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy response pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Create a client proxy using the virtualized URL of the Web service registered on the OWSM Gateway.
Create a copy of the following policy: oracle/wss10_username_token_with_message_protection_client_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the Web service.
The following sections describe how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard:
To configure OWSM 10g client and OWSM 12c Web service, perform the following steps:
Create a copy of the following policy: oracle/wss10_saml_token_with_message_protection_service_policy.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Register the Web service (above) with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline:
- Extract Credentials (configured as WS-BASIC)
- SAML—Insert WSS 1.0 Sender-Vouches Token
- Sign Message and Encrypt
Configure the Extract Credentials policy step in the request pipeline, as follows:
Set the Credentials location to WS-BASIC.
Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:
Set Subject Name Qualifier to www.oracle.com.
Set Assertion Issuer as www.oracle.com.
Set Subject Format as UNSPECIFIED.
Set other signing properties, as required.
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set the Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step in the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Navigate to the OWSM Test page and enter the virtualized URL of the Web service.
Select Include Header checkbox against WS-Security and provide valid credentials.
Invoke the Web service.
To configure OWSM 12c client and OWSM 10g Web service, perform the following steps:
Register the Web service with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline:
- XML Decrypt
- SAML—Verify WSS 1.0 Token
Configure the XML Decrypt policy step in the request pipeline, as follows:
Configure the keystore properties for XML decryption. The configuration should be in accordance with the keystore used on the server side.
Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:
Set the Trusted Issuer Name as www.oracle.com.
Attach the following policy step in the response pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy step in the response pipeline, follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Create a client proxy using the virtualized URL of the Web service registered on the OWSM Gateway.
Create a copy of the following policy: oracle/wss10_saml_token_with_message_protection_client_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy, as described in "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the Web service.
The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.0 standards:
To configure OWSM 10g client and OWSM 12c Web service, perform the following steps:
Create a copy of the following policy: oracle/wss10_x509_token_with_message_protection_service_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Register the Web service (above) with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step in the request pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step in the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Update the following property in the gateway-config-installer.properties
file located at ORACLE_HOME/j2ee/
oc4j_instance/applications/gateway/gateway/WEB-INF
:
pep.securitysteps.signBinarySecurityToken=true
Restart OWSM 10g Gateway.
Navigate to the OWSM Test page and enter the virtualized URL of the Web service.
Invoke the Web service.
To configure OWSM 12c client and OWSM 10g Web service, perform the following steps:
Register the Web service with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline: Decrypt and Verify.
Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy steps in the response pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Create a client proxy using the virtualized URL of the Web service registered on the OWSM Gateway.
Create a copy of the following policy: oracle/wss10_x509_token_with_message_protection_client_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service client.
For more information about attaching the policy, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy, as described in "oracle/wss10_x509_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the Web service.
This section describes how to implement username token over SSL in the following scenarios:
For more information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
To configure OWSM 10g client and OWSM 12c Web service, perform the following steps:
Configure the server for SSL.
For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the following policy: wss_username_token_over_ssl_service_policy
.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the server for SSL.
For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
Register the Web service (above) with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Navigate to the OWSM Test page and enter the virtualized URL of the Web service.
Select the Include Header checkbox against WS-Security and provide valid credentials.
Invoke the Web service.
To configure OWSM 12c client and OWSM 10g Web service, perform the following steps:
Configure the server for SSL.
For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
Register the Web service with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps to the request pipeline:
- Extract Credentials
- File Authenticate
Note:
You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.
Configure the Extract Credentials policy step in the request pipeline, as follows:
Configure the Credentials Location as WS-BASIC.
Configure the File Authentication policy step in the request pipeline with the appropriate credentials.
Create a client proxy using the virtualized URL of the Web service registered on the OWSM Gateway.
Ensure that when generating the client, HTTP is specified in the URL along with the HTTP port number.
Create a copy of the following policy: oracle/wss_username_token_over_ssl_client_policy.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy, as described in "oracle/wss_username_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the Web service.
The following sections describe how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard:
For more information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
To configure OWSM 10g client and OWSM 12c Web service, perform the following steps:
Configure the server for two-way SSL.
For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Create a copy of the following policy: oracle/wss_saml_token_over_ssl_service_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the server for two-way SSL.
For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
Register the Web service (above) with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps to the request pipeline:
- Extract Credentials
- SAML—Insert WSS 1.0 Sender-Vouches Token
Configure the Extra Credentials policy step in the request pipeline, as follows:
Configure the Credentials Location as WS-BASIC.
Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:
Configure the Subject Name Qualifier as www.oracle.com.
Configure the Assertion Issuer as www.oracle.com.
Configure the Subject Format as UNSPECIFIED.
Configure the Sign the assertion as false.
Navigate to the OWSM Test page and enter the virtualized URL of the Web service.
Select Include Header checkbox against WS-Security and provide valid credentials.
Invoke the Web service.
To configure OWSM 12c client and OWSM 10g Web service, perform the following steps:
Configure the server for two-way SSL.
For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
Register the Web service with the OWSM 10g Gateway. See "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the policy step: SAML—Verify WSS 1.0 Token
Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:
Under Signature Verification Properties, set Allow signed assertions only to false.
Set the Trusted Issuer Name to www.oracle.com
.
Configure the server for two-way SSL.
For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Create a client proxy using the virtualized URL of the Web service registered on the OWSM gateway.
Create a copy of the following policy: oracle/wss_saml_token_over_ssl_client_policy
.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the Web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy, as described in "oracle/wss_saml_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the Web service.