19 Predefined Assertion Templates

Use the predefined assertion templates to construct your own policies, or clone them to create new policies. This chapter describes the predefined assertion templates defined for the current release.

Notes:

  • The predefined policies and assertion templates distributed with the current release are read-only. You must copy the policy or assertion template before modifying it. You also have the option of configuring the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates".

  • If you have modified any of the predefined policies or assertion templates from the previous release (11g), they will be replaced by read-only versions in the next release. For more information, see "Overview of Web Services Policy Management".

For a detailed description of the configuration settings in the tables, see "Assertion Template Settings Reference".

For a detailed description of the configuration properties listed in the tables, see "Assertion Template Configuration Properties Reference". For details on how to edit the configuration properties, see "Editing the Configuration Properties in an Assertion Template". For information about overriding policies, see "Overview of Policy Configuration Overrides".

19.1 Security Assertion Templates

The following sections describe the security assertion templates in more detail.

19.1.1 Authentication Only Assertion Templates

Table 19-1 summarizes the assertion templates that enforce authentication only, and indicates whether the token is inserted at the transport layer or SOAP header.

19.1.1.1 oracle/http_oam_token_service_template

Display Name: Http OAM Service Assertion Template

Category: Security

Type: http-oam-security

Description

The http_oam_token_service_template assertion template verifies that the OAM agent has authenticated the user and has established an identity. This policy can be applied to any HTTP-based endpoint.

Settings

Table 19-2 lists the settings for the http_oam_token_service_template assertion template.

Table 19-2 http_oam_token_service_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
Authentication Header
  Authentication Header—Mechanism                           oam
  Authentication Header—Header Name                         None


Configuration

Table 19-3 lists the default configuration properties for the http_oam_token_service_template assertion template.

Table 19-3 http_oam_token_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
reference.priority                  None                          Optional


19.1.1.2 oracle/http_saml20_token_bearer_client_template

Display Name: Http Saml Bearer V2.0 Token Client Assertion Template

Category: Security

Type: http-saml20-bearer-security

Description

The http_saml20_token_bearer_client_template assertion template includes SAML 2.0 tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 19-4 lists the settings for the http_saml20_token_bearer_client_template assertion template.

Table 19-4 http_saml20_token_bearer_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
Authentication Header
  Authentication Header—Mechanism                           saml20-bearer
  Authentication Header—Header Name                         None


Configuration

Table 19-5 lists the configuration properties and the default settings for the http_saml20_token_bearer_client_template assertion template.

Table 19-5 http_saml20_token_bearer_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
user.attributes                     None                          Optional
saml.issuer.name                    www.oracle.com                Optional
user.roles.include                  false                         Optional
csf-key                             basic.credentials             Optional
subject.precedence                  true                          Optional
saml.audience.uri                   None                          Optional
keystore.sig.csf.key                None                          Optional
saml.envelope.signature.required    true                          Optional
reference.priority                  None                          Optional
propagate.identity.context          None                          Optional


19.1.1.3 oracle/http_saml20_token_bearer_service_template

Display Name: Http Saml Bearer V2.0 Token Service Assertion Template

Category: Security

Type: http-saml20-bearer-security

Description

The http_saml20_token_bearer_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the http_saml20_token_bearer_service_template assertion template are identical to the client version of the assertion template. See Table 19-4 for information about the settings.

Configuration

Table 19-6 lists the configuration properties and the default settings for the http_saml20_token_bearer_service_template assertion template.

Table 19-6 http_saml20_token_bearer_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
saml.trusted.issuers                Null                          Optional
saml.envelope.signature.required    true                          Optional
reference.priority                  None                          Optional
propagate.identity.context          None                          Optional


19.1.1.4 oracle/http_spnego_token_client_template

Display Name: SPNEGO Token Client Assertion Template

Category: Security

Type: http-spnego-security

Description

The http_spnego_token_client_template assertion template provides authentication using a Kerberos token and the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) protocol.

Settings

Table 19-7 lists the settings for the http_spnego_token_client_template assertion template.

Table 19-7 http_spnego_token_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
Authentication Header
  Authentication Header—Mechanism                           spnego
  Authentication Header—Header Name                         None


Configuration

Table 19-8 lists the default configuration properties for the http_spnego_token_client_template assertion template.

Table 19-8 http_spnego_token_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
service.principal.name              HOST/localhost@EXAMPLE.COM    Required
keytab.location                     None                          Optional
caller.principal.name               None                          Optional
credential.delegation               false                         Required
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.1.5 oracle/http_spnego_token_service_template

Display Name: SPNEGO Token Service Assertion Template

Category: Security

Type: http-spnego-security

Description

The http_spnego_token_service_template assertion template provides authentication using a Kerberos token and the SPNEGO protocol.

Settings

The settings for the http_spnego_token_service_template assertion template are identical to the client version of the assertion template. See Table 19-7 for information about the settings.

Configuration

Table 19-9 lists the default configuration properties for the http_spnego_token_service_template assertion template.

Table 19-9 http_spnego_token_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
role                                ultimateReceiver              Constant
credential.delegation               false                         Required
reference.priority                  None                          Optional


19.1.1.6 oracle/wss_http_token_client_template

Display Name: Wss HTTP Token client Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_client_template assertion template includes username and password credentials in the HTTP header. You can control whether one-way or two-way authentication is required.

Settings

Table 19-10 lists the settings for the wss_http_token_client_template assertion template.

Table 19-10 wss_http_token_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
Authentication Header
  Authentication Header—Mechanism                           basic
  Authentication Header—Header Name                         None
Transport Layer Security
  Transport Layer Security                                  Disabled
  Transport Layer Security—Mutual Authentication Required   Disabled
  Transport Layer Security—Include Timestamp                Disabled


Configuration

Table 19-11 lists the default configuration properties for the wss_http_token_client_template assertion template.

Table 19-11 wss_http_token_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
csf-key                             basic.credentials             Required
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.1.7 oracle/wss_http_token_service_template

Display Name: Wss HTTP Token service Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_service_template assertion template uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. You can control whether one-way or two-way authentication is required.

Settings

The settings for the wss_http_token_service_template are identical to those for the client version of the assertion template. See Table 19-10 for information about the settings.

Configuration

Table 19-12 lists the default configuration properties for the wss_http_token_service_template assertion template.

Table 19-12 wss_http_token_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
realm                               owsm                          Constant
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.1.8 oracle/wss_username_token_client_template

Display Name: Wss Username Token client Assertion Template

Category: Security

Type: wss-username-token

Description

The wss_username_token_client_template assertion template includes authentication with username and password credentials in the WS-Security UsernameToken header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

If you do not use a digest password, policies created using this template are not secure. You should use this assertion with plain text or no password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_client_template".

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table 19-13 lists the settings for the wss_username_token_client_template assertion template.

Table 19-13 wss_username_token_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
Username Token
  Password Type                                             plaintext
  Creation Time Required                                    Disabled
  Nonce Required                                            Disabled


Configuration

Table 19-14 lists the default configuration properties for the wss_username_token_client_template assertion template.

Table 19-14 wss_username_token_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
csf-key                             basic.credentials             Required
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.1.9 oracle/wss_username_token_service_template

Display Name: Wss Username Token service Assertion Template

Category: Security

Type: wss-username-token

Description

The wss_username_token_service_template assertion template enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

If you do not use a digest password, policies created using this template are not secure. You should use this assertion with plain text or no password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_service_template".

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
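The digest, nonce and creation-time mechanics described for the client template (19.1.1.8) and the service template (19.1.1.9), as an added example that is not part of this documentation or of OWSM itself: the client emits a UsernameToken with PasswordDigest per the WS-Security UsernameToken Profile (Base64(SHA-1(nonce + created + password))), and the verifier rejects plaintext passwords, stale creation times and reused nonces before checking the digest. It assumes whole-second UTC timestamps, an in-memory nonce cache, and a dict standing in for the identity store.

```python
"""Added example (not OWSM code): WS-Security UsernameToken with PasswordDigest on the
client, and the service-side checks behind Nonce Required / Creation Time Required.
Digest per the UsernameToken Profile: Base64(SHA-1(nonce + created + password)).
Assumed: whole-second UTC timestamps, an in-memory nonce cache, a dict identity store."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: whole-second UTC timestamps only


def parse_created(created: str) -> datetime:
    """wsu:Created text (TIME_FMT shape) -> aware UTC datetime; ValueError if malformed."""
    return datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile digest: Base64(SHA-1(raw nonce bytes + created + password))."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_username_token(username: str, password: str,
                         created: str = None, nonce: bytes = None) -> str:
    """Client side (Password Type = digest with nonce and creation time): the cleartext
    password never leaves the client, only a digest bound to this nonce and time."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class UsernameTokenVerifier:
    """Service side: reject non-digest passwords, stale creation times and reused nonces,
    then compare the digest against the stored password in constant time."""

    def __init__(self, identity_store: dict, max_age: timedelta = timedelta(minutes=5),
                 clock_skew: timedelta = timedelta(seconds=60)):
        self.identity_store = identity_store  # username -> password (stand-in for OPSS)
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.seen_nonces = {}  # nonce bytes -> time after which it can be forgotten

    def verify(self, token_xml: str, now: datetime = None) -> tuple:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(token_xml)
        username = root.findtext(f"{{{WSSE}}}Username")
        pwd_el = root.find(f"{{{WSSE}}}Password")
        nonce_b64 = root.findtext(f"{{{WSSE}}}Nonce")
        created = root.findtext(f"{{{WSU}}}Created")
        if username is None or pwd_el is None:
            return False, "missing username or password"
        if pwd_el.get("Type") != DIGEST_TYPE:
            return False, "plaintext or untyped password rejected"
        if not nonce_b64 or not created:
            return False, "nonce and creation time required"
        try:
            created_at = parse_created(created)
        except ValueError:
            return False, "malformed creation time"
        # Freshness window: not from the future beyond clock skew, not older than max_age.
        if created_at > now + self.clock_skew or now - created_at > self.max_age:
            return False, "creation time outside acceptance window"
        nonce = base64.b64decode(nonce_b64)
        self._forget_expired_nonces(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        password = self.identity_store.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pwd_el.text or ""):
            return False, "digest mismatch"
        # Keep the nonce for as long as its creation time could still be accepted.
        self.seen_nonces[nonce] = now + self.max_age + self.clock_skew
        return True, "authenticated"

    def _forget_expired_nonces(self, now: datetime) -> None:
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}


def demo() -> list:
    """Constructed walk-through: fresh token, the same token replayed, then a stale one."""
    store = {"alice": "correct horse battery staple"}  # constructed credentials
    verifier, now = UsernameTokenVerifier(store), parse_created("2024-01-01T12:00:00Z")
    fresh = build_username_token("alice", store["alice"], created="2024-01-01T12:00:00Z")
    stale = build_username_token("alice", store["alice"], created="2024-01-01T11:00:00Z")
    return [verifier.verify(t, now)[1] for t in (fresh, fresh, stale)]
```

Running demo() shows the three outcomes the service template's settings are meant to produce: the first presentation authenticates, the identical second presentation is caught as a replayed nonce, and a token created an hour earlier fails the creation-time window.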

Settings

The settings for the wss_username_token_service_template are identical to the client version of the assertion template. See Table 19-13 for information about the settings.

Configuration

Table 19-15 lists the configuration properties and the default settings for the wss_username_token_service_template assertion template.

Table 19-15 wss_username_token_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.1.10 oracle/wss10_saml_token_client_template

Display Name: Wss10 SAML Token client Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.

Settings

Table 19-16 lists the settings for the wss10_saml_token_client_template assertion template.

Table 19-16 wss10_saml_token_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
SAML Token Type
  Version                                                   1.1
  Confirmation Type                                         sender-vouches
  Name Identifier Format                                    unspecified


Configuration

Table 19-17 lists the configuration properties and the default settings for the wss10_saml_token_client_template assertion template.

Table 19-17 wss10_saml_token_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
user.attributes                     None                          Optional
user.roles.include                  false                         Optional
saml.issuer.name                    www.oracle.com                Optional
csf-key                             basic.credentials             Required
subject.precedence                  true                          Optional
saml.audience.uri                   Null                          Optional
propagate.identity.context          None                          Optional
reference.priority                  None                          Optional


19.1.1.11 oracle/wss10_saml_token_service_template

Display Name: Wss10 SAML Token service Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

Settings

The settings for the wss10_saml_token_service_template are identical to the client version of the assertion. See Table 19-16 for information about the settings.

Configuration

Table 19-18 lists the configuration properties and the default settings for the wss10_saml_token_service_template assertion template.

Table 19-18 wss10_saml_token_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
role                                ultimateReceiver              Constant
saml.trusted.issuers                Null                          Optional
propagate.identity.context          None                          Optional
reference.priority                  None                          Optional


19.1.1.12 oracle/wss10_saml20_token_client_template

Display Name: Wss10 SAML V2.0 Token client Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml20_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.

Settings

Table 19-19 lists the settings for the wss10_saml20_token_client_template assertion template.

Table 19-19 wss10_saml20_token_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
SAML Token Type
  Version                                                   2.0
  Confirmation Type                                         sender-vouches
  Name Identifier Format                                    unspecified


Configuration

Table 19-20 lists the configuration properties and the default settings for the wss10_saml20_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties in an Assertion Template".

For information about overriding policies, see "Overview of Policy Configuration Overrides".

Table 19-20 wss10_saml20_token_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
user.attributes                     None                          Optional
user.roles.include                  false                         Optional
saml.issuer.name                    www.oracle.com                Optional
csf-key                             basic.credentials             Optional
subject.precedence                  true                          Optional
saml.audience.uri                   Null                          Optional
propagate.identity.context          None                          Optional
reference.priority                  None                          Optional


19.1.1.13 oracle/wss10_saml20_token_service_template

Display Name: Wss10 SAML V2.0 Token service Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml20_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

Settings

The settings for the wss10_saml20_token_service_template are similar to the client version of the assertion template. See Table 19-19 for information about the settings.

Configuration

Table 19-21 lists the configuration properties and the default settings for the wss10_saml20_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties in an Assertion Template".

For information about overriding policies, see "Overview of Policy Configuration Overrides".

Table 19-21 wss10_saml20_token_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
role                                ultimateReceiver              Constant
saml.trusted.issuers                Null                          Optional
propagate.identity.context          None                          Optional
reference.priority                  None                          Optional


19.1.1.14 oracle/wss11_kerberos_token_client_template

Display Name: Wss11 Kerberos Token client Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table 19-22 lists the settings for the wss11_kerberos_token_client_template assertion template.

Table 19-22 wss11_kerberos_token_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
Kerberos Token Type
  Kerberos Token Type                                       gss-apreq-v5
  Derived Keys                                              Disabled


Configuration

Table 19-23 lists the default configuration properties for the wss11_kerberos_token_client_template assertion template.

Table 19-23 wss11_kerberos_token_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
service.principal.name              HOST/localhost@EXAMPLE.COM    Required
keytab.location                     None                          Optional
caller.principal.name               None                          Optional
credential.delegation               false                         Required
reference.priority                  None                          Optional


19.1.1.15 oracle/wss11_kerberos_token_service_template

Display Name: Wss11 Kerberos Token service Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_service_template assertion template enforces authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_kerberos_token_service_template are identical to the client version of the assertion template. See Table 19-22 for information about the settings.

Configuration

Table 19-24 lists the configuration properties and the default settings for the wss11_kerberos_token_service_template assertion template.

Table 19-24 wss11_kerberos_token_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
credential.delegation               false                         Required
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.2 Message-Protection Only Assertion Templates

Table 19-25 summarizes the assertion templates that enforce message protection only, and indicates whether the token is inserted at the transport layer or SOAP header.

Table 19-25 Message-Protection Only Assertion Templates

Client Template / Service Template                                    Authentication       Message Protection
                                                                      Transport  SOAP      Transport  SOAP
--------------------------------------------------------------------  ---------  --------  ---------  --------
oracle/wss10_message_protection_client_template
oracle/wss10_message_protection_service_template                      No         No        No         Yes

oracle/wss11_message_protection_client_template
oracle/wss11_message_protection_service_template                      No         No        No         Yes


19.1.2.1 oracle/wss10_message_protection_client_template

Display Name: Wss10 Message Protection client Assertion Template

Category: Security

Type: wss10-anonymous-with-certificates

Description

The wss10_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table 19-26 lists the settings for the wss10_message_protection_client_template assertion template.

Table 19-26 wss10_message_protection_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
X509 Token
  Sign Key Reference Mechanism                              direct
  Encryption Key Reference Mechanism                        direct
  Recipient Sign Key Reference Mechanism                    direct
  Recipient Encryption Key Reference Mechanism              direct
  Is Signed                                                 Disabled
  Use PKI Path                                              Disabled
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation versions 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Enabled
  Server Entropy                                            Enabled
  Bootstrap Message Security                                Inherit from Application Setting
Message Security
  Algorithm Suite                                           BASIC_128
  Include Timestamp                                         Enabled
  Encrypt Signature                                         Disabled
  Request Message Settings                                  N/A
  Response Message Settings                                 N/A
  Fault Message Settings                                    N/A


Configuration

Table 19-27 lists the configuration properties and the default settings for the wss10_message_protection_client_template assertion template.

Table 19-27 wss10_message_protection_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
keystore.recipient.alias            orakey                        Required
role                                ultimateReceiver              Constant
keystore.sig.csf.key                None                          Optional
keystore.enc.csf.key                None                          Optional
ignore.timestamp.in.response        false                         Optional
sc.token.lifetime                   None                          Optional
reference.priority                  None                          Optional


19.1.2.2 oracle/wss10_message_protection_service_template

Display Name: Wss10 Message Protection service Assertion Template

Category: Security

Type: wss10-anonymous-with-certificates

Description

The wss10_message_protection_service_template assertion template provides message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_message_protection_service_template are identical to the client version of the assertion template. See Table 19-26 for information about the settings.

Configuration

Table 19-28 lists the configuration properties and the default settings for the wss10_message_protection_service_template assertion template.

Table 19-28 wss10_message_protection_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
role                                ultimateReceiver              Constant
keystore.sig.csf.key                None                          Optional
keystore.enc.csf.key                None                          Optional
sc.token.lifetime                   None                          Optional
reference.priority                  None                          Optional


19.1.2.3 oracle/wss11_message_protection_client_template

Display Name: Wss11 Message Protection client Assertion Template

Category: Security

Type: wss11-anonymous-with-certificates

Description

The wss11_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

Table 19-29 lists the settings for the wss11_message_protection_client_template assertion template.

Table 19-29 wss11_message_protection_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
X509 Token
  Encryption Key Reference Mechanism                        thumbprint
  Is Signed                                                 Enabled
  Use PKI Path                                              Disabled
  Derived Keys                                              Disabled
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation versions 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Enabled
  Server Entropy                                            Enabled
  Bootstrap Message Security                                Inherit from Application Setting
Message Security
  Algorithm Suite                                           BASIC_128
  Include Timestamp                                         Enabled
  Encrypt Signature                                         Disabled
  Confirm Signature                                         Enabled
  Request Message Settings                                  N/A
  Response Message Settings                                 N/A
  Fault Message Settings                                    N/A


Configuration

Table 19-30 lists the configuration properties and the default settings for the wss11_message_protection_client_template assertion template.

Table 19-30 wss11_message_protection_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
keystore.recipient.alias            orakey                        Required
role                                ultimateReceiver              Constant
keystore.enc.csf.key                None                          Optional
sc.token.lifetime                   None                          Optional
reference.priority                  None                          Optional
ignore.timestamp.in.response        false                         Optional


19.1.2.4 oracle/wss11_message_protection_service_template

Display Name: Wss11 Message Protection service Assertion Template

Category: Security

Type: wss11-anonymous-with-certificates

Description

The wss11_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

The settings for the wss11_message_protection_service_template are identical to the client version of the assertion template. See Table 19-29 for information about the settings.

Configuration

Table 19-31 lists the configuration properties and the default settings for the wss11_message_protection_service_template assertion template.

Table 19-31 wss11_message_protection_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
role                                ultimateReceiver              Constant
keystore.enc.csf.key                None                          Optional
sc.token.lifetime                   None                          Optional
reference.priority                  None                          Optional


19.1.3 Message Protection and Authentication Assertion Templates

Table 19-32 summarizes the assertion templates that enforce both message protection and authentication, and indicates whether the token is inserted at the transport layer or SOAP header.

Table 19-32 Message Protection and Authentication Assertion Templates

Client Template / Service Template                                    Authentication       Message Protection
                                                                      Transport  SOAP      Transport  SOAP
--------------------------------------------------------------------  ---------  --------  ---------  --------
oracle/wss_http_token_over_ssl_client_template
oracle/wss_http_token_over_ssl_service_template                       Yes        No        Yes        No

oracle/wss_saml_token_bearer_over_ssl_client_template
oracle/wss_saml_token_bearer_over_ssl_service_template                No         Yes       Yes        No

oracle/wss_saml20_token_bearer_over_ssl_client_template
oracle/wss_saml20_token_bearer_over_ssl_service_template              No         Yes       Yes        No

oracle/wss_saml_token_over_ssl_client_template
oracle/wss_saml_token_over_ssl_service_template                       No         Yes       Yes        No

oracle/wss_saml20_token_over_ssl_client_template
oracle/wss_saml20_token_over_ssl_service_template                     No         Yes       Yes        No

oracle/wss_username_token_over_ssl_client_template
oracle/wss_username_token_over_ssl_service_template                   No         Yes       Yes        No

oracle/wss10_saml_hok_token_with_message_protection_client_template
oracle/wss10_saml_hok_token_with_message_protection_service_template  No         Yes       No         Yes

oracle/wss10_saml_token_with_message_protection_client_template
oracle/wss10_saml_token_with_message_protection_service_template      No         Yes       No         Yes

oracle/wss10_saml20_token_with_message_protection_client_template
oracle/wss10_saml20_token_with_message_protection_service_template    No         Yes       No         Yes

oracle/wss10_username_token_with_message_protection_client_template
oracle/wss10_username_token_with_message_protection_service_template  No         Yes       No         Yes

oracle/wss10_x509_token_with_message_protection_client_template
oracle/wss10_x509_token_with_message_protection_service_template      No         Yes       No         Yes

oracle/wss11_kerberos_token_with_message_protection_client_template
oracle/wss11_kerberos_token_with_message_protection_service_template  No         Yes       No         Yes

oracle/wss11_saml_token_with_message_protection_client_template
oracle/wss11_saml_token_with_message_protection_service_template      No         Yes       No         Yes

oracle/wss11_saml20_token_with_message_protection_client_template
oracle/wss11_saml20_token_with_message_protection_service_template    No         Yes       No         Yes

oracle/wss11_username_token_with_message_protection_client_template
oracle/wss11_username_token_with_message_protection_service_template  No         Yes       No         Yes

oracle/wss11_x509_token_with_message_protection_client_template
oracle/wss11_x509_token_with_message_protection_service_template      No         Yes       No         Yes


19.1.3.1 oracle/wss_http_token_over_ssl_client_template

Display Name: Wss HTTP Token Over SSL client Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_over_ssl_client_template assertion template includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based client.

Settings

Table 19-33 lists the settings for the wss_http_token_over_ssl_client_template assertion template.

Table 19-33 wss_http_token_over_ssl_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
Authentication Header
  Authentication Header—Mechanism                           basic
  Authentication Header—Header Name                         None
Transport Layer Security
  Transport Layer Security                                  Enabled
  Transport Layer Security—Mutual Authentication Required   Disabled
  Transport Layer Security—Include Timestamp                Disabled


Configuration

Table 19-34 lists the configuration properties and the default settings for the wss_http_token_over_ssl_client_template assertion template.

Table 19-34 wss_http_token_over_ssl_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
csf-key                             basic.credentials             Required
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.3.2 oracle/wss_http_token_over_ssl_service_template

Display Name: Wss HTTP Token Over SSL service Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_over_ssl_service_template assertion template extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss_http_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 19-33 for information about the settings.

Configuration

Table 19-35 lists the configuration properties and the default settings for the wss_http_token_over_ssl_service_template assertion template.

Table 19-35 wss_http_token_over_ssl_service_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
realm                               owsm                          Constant
role                                ultimateReceiver              Constant
reference.priority                  None                          Optional


19.1.3.3 oracle/wss_saml_token_bearer_client_template

Display Name: Wss SAML Bearer Token client Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss_saml_token_bearer_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 19-36 lists the settings for the wss_saml_token_bearer_client_template assertion template.

Table 19-36 wss_saml_token_bearer_client_template Settings

Name                                                        Default Value
----------------------------------------------------------  -------------
SAML Token Type
  Version                                                   1.1
  Confirmation Type                                         bearer
  Name Identifier Format                                    unspecified


Configuration

Table 19-37 lists the configuration properties and the default settings for the wss_saml_token_bearer_client_template assertion template.

Table 19-37 wss_saml_token_bearer_client_template Configuration Properties

Name                                Default Value                 Type
----------------------------------  ----------------------------  --------
user.attributes                     Null                          Optional
user.roles.include                  false                         Optional
saml.issuer.name                    www.oracle.com                Optional
csf-key                             basic.credentials             Optional
subject.precedence                  true                          Optional
saml.audience.uri                   Null                          Optional
keystore.sig.csf.key                None                          Optional
saml.envelope.signature.required    true                          Optional
propagate.identity.context          None                          Optional
user.tenant.name                    None                          Optional
reference.priority                  None                          Optional


19.1.3.4 oracle/wss_saml_token_bearer_service_template

Display Name: Wss SAML Bearer Token service Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss_saml_token_bearer_service_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 19-38 lists the settings for the wss_saml_token_bearer_service_template assertion template.

Table 19-38 wss_saml_token_bearer_service_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   1.1
  Confirmation Type                                         bearer
  Name Identifier Format                                    unspecified


Configuration

Table 19-39 lists the configuration properties and the default settings for the wss_saml_token_bearer_service_template assertion template.

Table 19-39 wss_saml_token_bearer_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
saml.trusted.issuers              None                Optional
saml.envelope.signature.required  true                Optional
propagate.identity.context        None                Optional
reference.priority                None                Optional


19.1.3.5 oracle/wss_saml_token_bearer_over_ssl_client_template

Display Name: Wss SAML Token (Confirmation method as bearer) Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml_token_bearer_over_ssl_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 19-40 lists the settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.

Table 19-40 wss_saml_token_bearer_over_ssl_client_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   1.1
  Confirmation Type                                         bearer
  Is Signed                                                 Disabled
  Is Encrypted                                              Disabled
  Name Identifier Format                                    unspecified
Transport Layer Security
  Transport Layer Security                                  Enabled
  Transport Layer Security—Mutual Authentication Required   Disabled
  Transport Layer Security—Include Timestamp                Disabled
  Algorithm Suite                                           None
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Disabled
  Server Entropy                                            Enabled


Configuration

Table 19-41 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.

Table 19-41 wss_saml_token_bearer_over_ssl_client_template Configuration Properties

Name                              Default Value       Type
user.attributes                   Null                Optional
user.roles.include                false               Optional
saml.issuer.name                  www.oracle.com      Optional
csf-key                           basic.credentials   Optional
subject.precedence                true                Optional
saml.audience.uri                 Null                Optional
propagate.identity.context        None                Optional
user.tenant.name                  None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.6 oracle/wss_saml_token_bearer_over_ssl_service_template

Display Name: Wss SAML Token (Confirmation method as bearer) Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the wss_saml_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 19-40 for information about the settings.

Configuration

Table 19-42 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_service_template assertion template.

Table 19-42 wss_saml_token_bearer_over_ssl_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
saml.trusted.issuers              None                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.7 oracle/wss_saml20_token_bearer_over_ssl_client_template

Display Name: Wss SAML V2.0 Token (Confirmation method as bearer) Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml20_token_bearer_over_ssl_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 19-43 lists the settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.

Table 19-43 wss_saml20_token_bearer_over_ssl_client_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   2.0
  Confirmation Type                                         bearer
  Is Signed                                                 Disabled
  Is Encrypted                                              Disabled
  Name Identifier Format                                    unspecified
Transport Layer Security
  Transport Layer Security                                  Enabled
  Transport Layer Security—Mutual Authentication Required   Disabled
  Transport Layer Security—Include Timestamp                Disabled
  Algorithm Suite                                           None
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Disabled
  Server Entropy                                            Enabled


Configuration

Table 19-44 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.

Table 19-44 wss_saml20_token_bearer_over_ssl_client_template Configuration Properties

Name                              Default Value       Type
user.attributes                   None                Optional
user.roles.include                false               Optional
saml.issuer.name                  www.oracle.com      Optional
csf-key                           basic.credentials   Optional
subject.precedence                true                Optional
saml.audience.uri                 Null                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.8 oracle/wss_saml20_token_bearer_over_ssl_service_template

Display Name: Wss SAML V2.0 Token (Confirmation method as bearer) Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml20_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 19-43 for information about the settings.

Configuration

Table 19-45 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template.

Table 19-45 wss_saml20_token_bearer_over_ssl_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
saml.trusted.issuers              Null                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.9 oracle/wss_saml_token_over_ssl_client_template

Display Name: Wss SAML Token Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within the WS-Security SOAP header using the sender-vouches confirmation type.

Settings

Table 19-46 lists the settings for the wss_saml_token_over_ssl_client_template assertion template.

Table 19-46 wss_saml_token_over_ssl_client_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   1.1
  Confirmation Type                                         sender-vouches
  Is Signed                                                 Enabled
  Is Encrypted                                              Disabled
  Name Identifier Format                                    unspecified
Transport Layer Security
  Transport Layer Security                                  Enabled
  Transport Layer Security—Mutual Authentication Required   Enabled
  Transport Layer Security—Include Timestamp                Disabled
  Algorithm Suite                                           None
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Enabled
  Server Entropy                                            Enabled


Configuration

Table 19-47 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_client_template assertion template.

Table 19-47 wss_saml_token_over_ssl_client_template Configuration Properties

Name                              Default Value       Type
user.attributes                   None                Optional
user.roles.include                false               Optional
saml.issuer.name                  www.oracle.com      Optional
csf-key                           basic.credentials   Optional
subject.precedence                true                Optional
saml.audience.uri                 None                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.10 oracle/wss_saml_token_over_ssl_service_template

Display Name: Wss SAML Token Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within the WS-Security SOAP header using the sender-vouches confirmation type.

Settings

The settings for the wss_saml_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 19-46 for information about the settings.

Configuration

Table 19-48 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_service_template assertion template.

Table 19-48 wss_saml_token_over_ssl_service_template Configuration Properties

Name                              Default Value       Type
role                              None                Optional
saml.trusted.issuers              Null                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.11 oracle/wss_saml20_token_over_ssl_client_template

Display Name: Wss SAML V2.0 Token Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml20_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within the WS-Security SOAP header using the sender-vouches confirmation type.

Settings

Table 19-49 lists the settings for the wss_saml20_token_over_ssl_client_template assertion template.

Table 19-49 wss_saml20_token_over_ssl_client_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   2.0
  Confirmation Type                                         sender-vouches
  Is Signed                                                 Enabled
  Is Encrypted                                              Disabled
  Name Identifier Format                                    unspecified
Transport Layer Security
  Transport Layer Security                                  Enabled
  Transport Layer Security—Mutual Authentication Required   Enabled
  Transport Layer Security—Include Timestamp                Disabled
  Algorithm Suite                                           None
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Disabled
  Server Entropy                                            Enabled


Configuration

Table 19-50 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_client_template assertion template.

Table 19-50 wss_saml20_token_over_ssl_client_template Configuration Properties

Name                              Default Value       Type
user.attributes                   None                Optional
user.roles.include                false               Optional
saml.issuer.name                  www.oracle.com      Optional
csf-key                           basic.credentials   Optional
subject.precedence                true                Optional
saml.audience.uri                 None                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.12 oracle/wss_saml20_token_over_ssl_service_template

Display Name: Wss SAML V2.0 Token Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml20_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within the WS-Security SOAP header using the sender-vouches confirmation type.

Settings

The settings for the wss_saml20_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 19-49 for information about the settings.

Configuration

Table 19-51 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_service_template assertion template.

Table 19-51 wss_saml20_token_over_ssl_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
saml.trusted.issuers              None                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.13 oracle/wss_username_token_over_ssl_client_template

Display Name: Wss Username Token Over SSL client Assertion Template

Category: Security

Type: wss-username-token-over-ssl

Description

The wss_username_token_over_ssl_client_template assertion template includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table 19-52 lists the settings for the wss_username_token_over_ssl_client_template assertion template.

Table 19-52 wss_username_token_over_ssl_client_template Settings

Name                                                        Default Value
Username Token
  Password Type                                             plaintext
  Creation Time Required                                    Disabled
  Nonce Required                                            Enabled
Transport Layer Security
  Transport Layer Security                                  Enabled
  Transport Layer Security—Mutual Authentication Required   Disabled
  Transport Layer Security—Include Timestamp                Disabled
  Algorithm Suite                                           None
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Disabled
  Server Entropy                                            Enabled


Configuration

Table 19-53 lists the configuration properties and the default settings for the wss_username_token_over_ssl_client_template assertion template.

Table 19-53 wss_username_token_over_ssl_client_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
csf-key                           basic.credentials   Required
sc.token.lifetime                 None                Optional
user.tenant.name                  None                Optional
reference.priority                None                Optional


19.1.3.14 oracle/wss_username_token_over_ssl_service_template

Display Name: Wss Username Token Over SSL service Assertion Template

Category: Security

Type: wss-username-token-over-ssl

Description

The wss_username_token_over_ssl_service_template assertion template uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

The settings for the wss_username_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 19-52 for information about the settings.

Configuration

Table 19-54 lists the configuration properties and the default settings for the wss_username_token_over_ssl_service_template assertion template.

Table 19-54 wss_username_token_over_ssl_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.15 oracle/wss10_saml_hok_token_with_message_protection_client_template

Display Name: Wss10 SAML Holder-Of-Key Token with Message Protection client Assertion Template

Category: Security

Type: wss10-saml-hok-with-certificates

Description

The wss10_saml_hok_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

Settings

Table 19-55 lists the settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.

Table 19-55 wss10_saml_hok_token_with_message_protection_client_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   1.1
  Confirmation Type                                         holder-of-key
  Is Signed                                                 Enabled
  Is Encrypted                                              Disabled
  Name Identifier Format                                    unspecified
X509 Token
  Sign Key Reference Mechanism                              ski
  Encryption Key Reference Mechanism                        direct
  Recipient Sign Key Reference Mechanism                    direct
  Recipient Encryption Key Reference Mechanism              direct
  Is Signed                                                 Disabled
  Use PKI Path                                              Disabled
Message Security
  Algorithm Suite                                           BASIC_128
  Include Timestamp                                         Enabled
  Encrypt Signature                                         Disabled
  Request Message Settings                                  N/A
  Response Message Settings                                 N/A
  Fault Message Settings                                    N/A


Configuration

Table 19-56 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.

Table 19-56 wss10_saml_hok_token_with_message_protection_client_template Configuration Properties

Name                              Default Value       Type
user.attributes                   None                Optional
keystore.recipient.alias          orakey              Required
saml.issuer.name                  www.oracle.com      Optional
user.roles.include                false               Optional
saml.assertion.filename           temp                Optional
keystore.sig.csf.key              None                Optional
keystore.enc.csf.key              None                Optional
ignore.timestamp.in.response      false               Optional
reference.priority                None                Optional


19.1.3.16 oracle/wss10_saml_hok_token_with_message_protection_service_template

Display Name: Wss10 SAML Holder-Of-Key Token with Message Protection service Assertion Template

Category: Security

Type: wss10-saml-hok-with-certificates

Description

The wss10_saml_hok_token_with_message_protection_service_template assertion template enforces message-level protection and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_saml_hok_token_with_message_protection_service_template are identical to those for the client version of the assertion template. See Table 19-55 for information about the settings.

Configuration

Table 19-57 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_service_template assertion template.

Table 19-57 wss10_saml_hok_token_with_message_protection_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
keystore.sig.csf.key              None                Optional
keystore.enc.csf.key              None                Optional
saml.trusted.issuers              None                Optional
reference.priority                None                Optional


19.1.3.17 oracle/wss10_saml_token_with_message_protection_client_template

Display Name: Wss10 SAML Token with Message Protection client Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

Table 19-58 lists the settings for the wss10_saml_token_with_message_protection_client_template assertion template.

Table 19-58 wss10_saml_token_with_message_protection_client_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   1.1
  Confirmation Type                                         sender-vouches
  Is Signed                                                 Enabled
  Is Encrypted                                              Disabled
  Name Identifier Format                                    unspecified
X509 Token
  Sign Key Reference Mechanism                              direct
  Encryption Key Reference Mechanism                        direct
  Recipient Sign Key Reference Mechanism                    direct
  Recipient Encryption Key Reference Mechanism              direct
  Is Signed                                                 Disabled
  Use PKI Path                                              Disabled
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Enabled
  Server Entropy                                            Enabled
  Bootstrap Message Security                                Inherit from Application Setting
Message Security
  Algorithm Suite                                           BASIC_128
  Include Timestamp                                         Enabled
  Encrypt Signature                                         Disabled
  Request Message Settings                                  N/A
  Response Message Settings                                 N/A
  Fault Message Settings                                    N/A


Configuration

Table 19-59 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_client_template assertion template.

Table 19-59 wss10_saml_token_with_message_protection_client_template Configuration Properties

Name                              Default Value       Type
user.attributes                   None                Optional
keystore.recipient.alias          orakey              Required
user.roles.include                false               Optional
saml.issuer.name                  www.oracle.com      Optional
keystore.sig.csf.key              None                Optional
keystore.enc.csf.key              None                Optional
csf-key                           basic.credentials   Optional
subject.precedence                true                Optional
saml.audience.uri                 Null                Optional
propagate.identity.context        None                Optional
ignore.timestamp.in.response      false               Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.18 oracle/wss10_saml_token_with_message_protection_service_template

Display Name: Wss10 SAML Token with Message Protection service Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

The settings for the wss10_saml_token_with_message_protection_service_template are identical to those for the client version of the assertion template. See Table 19-58 for information about the settings.

Configuration

Table 19-60 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_service_template assertion template.

Table 19-60 wss10_saml_token_with_message_protection_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
keystore.sig.csf.key              None                Optional
keystore.enc.csf.key              None                Optional
saml.trusted.issuers              None                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.19 oracle/wss10_saml20_token_with_message_protection_client_template

Display Name: Wss10 SAML V2.0 Token with Message Protection client Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml20_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

Table 19-61 lists the settings for the wss10_saml20_token_with_message_protection_client_template assertion template.

Table 19-61 wss10_saml20_token_with_message_protection_client_template Settings

Name                                                        Default Value
SAML Token Type
  Version                                                   2.0
  Confirmation Type                                         sender-vouches
  Is Signed                                                 Enabled
  Is Encrypted                                              Disabled
  Name Identifier Format                                    unspecified
X509 Token
  Sign Key Reference Mechanism                              direct
  Encryption Key Reference Mechanism                        direct
  Recipient Sign Key Reference Mechanism                    direct
  Recipient Encryption Key Reference Mechanism              direct
  Is Signed                                                 Disabled
  Use PKI Path                                              Disabled
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Enabled
  Server Entropy                                            Enabled
  Bootstrap Message Security                                Inherit from Application Setting
Message Security
  Algorithm Suite                                           BASIC_128
  Include Timestamp                                         Enabled
  Encrypt Signature                                         Disabled
  Request Message Settings                                  N/A
  Response Message Settings                                 N/A
  Fault Message Settings                                    N/A


Configuration

Table 19-62 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_client_template assertion template.

Table 19-62 wss10_saml20_token_with_message_protection_client_template Configuration Properties

Name                              Default Value       Type
user.attributes                   None                Optional
keystore.recipient.alias          orakey              Required
user.roles.include                false               Optional
keystore.sig.csf.key              None                Optional
keystore.enc.csf.key              None                Optional
saml.issuer.name                  www.oracle.com      Optional
csf-key                           basic.credentials   Optional
subject.precedence                true                Optional
attesting.mapping.attribute       DN                  Optional
saml.audience.uri                 None                Optional
propagate.identity.context        None                Optional
ignore.timestamp.in.response      false               Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.20 oracle/wss10_saml20_token_with_message_protection_service_template

Display Name: Wss10 SAML V2.0 Token with Message Protection service Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml20_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.
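The checks a SAML-token service assertion applies to an inbound assertion before trusting the identity it carries, as an added example that is not OWSM code: trusted issuer (saml.trusted.issuers), audience (saml.audience.uri), confirmation method (bearer, sender-vouches or holder-of-key, for both SAML 1.1 and 2.0) and the NotBefore/NotOnOrAfter validity window that bounds replay. The sample assertions, the issuer "www.oracle.com", the user "jdoe" and the audience URL are constructed values; XML signature verification is assumed to be done separately by the template's signature settings.

```python
"""Checks a SAML-token service assertion applies to an inbound assertion before
trusting the identity it carries: trusted issuer (saml.trusted.issuers), audience
(saml.audience.uri), confirmation method and validity window. Added example, not
OWSM code; XML signature verification is left to the template's signature settings."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Assertion namespaces and confirmation-method URI prefixes for SAML 1.1 and 2.0.
NS = {"1.1": "urn:oasis:names:tc:SAML:1.0:assertion", "2.0": "urn:oasis:names:tc:SAML:2.0:assertion"}
CM_PREFIX = {"1.1": "urn:oasis:names:tc:SAML:1.0:cm:", "2.0": "urn:oasis:names:tc:SAML:2.0:cm:"}


def _parse_time(value):
    """xs:dateTime in UTC ('...Z'), with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_saml_token(xml_text, trusted_issuers, confirmation_type,
                        audience_uri=None, now=None, clock_skew=timedelta(minutes=5)):
    """Return the list of policy violations; an empty list means the token is accepted.
    trusted_issuers   -- the service's saml.trusted.issuers
    confirmation_type -- the template's Confirmation Type: bearer, sender-vouches or holder-of-key
    audience_uri      -- saml.audience.uri; None disables the audience check
    now               -- datetime or '...Z' string; defaults to the current UTC time
    """
    root = ET.fromstring(xml_text)
    version = next((v for v, ns in NS.items() if root.tag == "{%s}Assertion" % ns), None)
    if version is None:
        return ["root element is not a SAML 1.1 or 2.0 Assertion"]
    q = lambda local: "{%s}%s" % (NS[version], local)  # namespace-qualify a local name
    now = _parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []

    # 1. Issuer: an attribute of <Assertion> in SAML 1.1, a child element in SAML 2.0.
    if version == "1.1":
        issuer = root.get("Issuer")
    else:
        el = root.find(q("Issuer"))
        issuer = el.text.strip() if el is not None and el.text else None
    if issuer not in trusted_issuers:
        problems.append("issuer %r is not in saml.trusted.issuers" % issuer)

    # 2. Validity window from <Conditions>, allowing for clock skew between peers.
    cond = root.find(q("Conditions"))
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + clock_skew < _parse_time(nb):
            problems.append("assertion not yet valid (NotBefore)")
        if na and now - clock_skew >= _parse_time(na):
            problems.append("assertion expired (NotOnOrAfter)")
        # 3. Audience restriction, only when the service configures saml.audience.uri.
        if audience_uri is not None:
            wrapper = "AudienceRestrictionCondition" if version == "1.1" else "AudienceRestriction"
            audiences = [a.text.strip() for a in cond.iterfind(q(wrapper) + "/" + q("Audience")) if a.text]
            if audience_uri not in audiences:
                problems.append("audience %r not among %r" % (audience_uri, audiences))

    # 4. Confirmation method must be the one the template was configured for.
    expected = CM_PREFIX[version] + confirmation_type
    sc_path = ".//" + q("Subject") + "/" + q("SubjectConfirmation")
    if version == "1.1":
        methods = [m.text.strip() for m in root.iterfind(sc_path + "/" + q("ConfirmationMethod")) if m.text]
    else:
        methods = [sc.get("Method") for sc in root.iterfind(sc_path)]
    if expected not in methods:
        problems.append("confirmation method %r not present, found %r" % (expected, methods))
    return problems


# Constructed sample assertions (unsigned; sample identifiers and URLs only).
SAML20_BEARER = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml2:Issuer>www.oracle.com</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>https://service.example/ws</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

SAML11_SENDER_VOUCHES = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_b2" MajorVersion="1" MinorVersion="1" Issuer="www.oracle.com" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2024-05-01T10:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>jdoe</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
```

Run with a `now` inside the window and the matching Confirmation Type to see an empty result; move `now` past NotOnOrAfter or swap the confirmation type to see each violation reported separately.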

Settings

The settings for the wss10_saml20_token_with_message_protection_service_template are similar to those of the client version of the assertion template. See Table 19-61 for information about the settings.

Configuration

Table 19-63 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_service_template assertion template.

Table 19-63 wss10_saml20_token_with_message_protection_service_template Configuration Properties

Name                              Default Value       Type
role                              ultimateReceiver    Constant
keystore.sig.csf.key              None                Optional
keystore.enc.csf.key              None                Optional
saml.trusted.issuers              None                Optional
propagate.identity.context        None                Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.21 oracle/wss10_username_token_with_message_protection_client_template

Display Name: Wss10 Username Token with Message Protection client Assertion Template

Category: Security

Type: wss10-username-with-certificates

Description

The wss10_username_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials are included in the WS-Security UsernameToken header in the outbound SOAP message.

The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

Settings

Table 19-64 lists the settings for the wss10_username_token_with_message_protection_client_template assertion template.

Table 19-64 wss10_username_token_with_message_protection_client_template Settings

Name                                                        Default Value
Username Token
  Password Type                                             plaintext
  Creation Time Required                                    Disabled
  Nonce Required                                            Disabled
  Is Signed                                                 Enabled
  Is Encrypted                                              Enabled
X509 Token
  Sign Key Reference Mechanism                              direct
  Encryption Key Reference Mechanism                        direct
  Recipient Sign Key Reference Mechanism                    direct
  Recipient Encryption Key Reference Mechanism              direct
  Is Signed                                                 Disabled
  Use PKI Path                                              Disabled
Secure Conversation
  Enabled                                                   Disabled
  Version                                                   1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                           Disabled
  Client Entropy                                            Enabled
  Derived Keys                                              Enabled
  Server Entropy                                            Enabled
  Bootstrap Message Security                                Inherit from Application Setting
Message Security
  Algorithm Suite                                           BASIC_128
  Include Timestamp                                         Enabled
  Encrypt Signature                                         Disabled
  Request Message Settings                                  N/A
  Response Message Settings                                 N/A
  Fault Message Settings                                    N/A


Configuration

Table 19-65 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_client_template assertion template.

Table 19-65 wss10_username_token_with_message_protection_client_template Configuration Properties

Name                              Default Value       Type
csf-key                           basic.credentials   Required
role                              ultimateReceiver    Constant
keystore.sig.csf.key              None                Optional
keystore.enc.csf.key              None                Optional
keystore.recipient.alias          orakey              Required
ignore.timestamp.in.response      false               Optional
sc.token.lifetime                 None                Optional
reference.priority                None                Optional


19.1.3.22 oracle/wss10_username_token_with_message_protection_service_template

Display Name: Wss10 Username Token with Message Protection service Assertion Template

Category: Security

Type: wss10-username-with-certificates

Description

The wss10_username_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.
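The UsernameToken handling described for the username-token templates (19.1.3.13, 19.1.3.14, 19.1.3.21 and this one), as an added example that is not OWSM code: the client builds the wsse:UsernameToken for the Password Type the policy selects (plaintext, digest or none), and the service verifies it against an identity-store lookup while enforcing the Nonce Required and Creation Time Required options through a freshness window and a one-time nonce cache. The policy dict keys, the user "jdoe" and the password store are constructed for the example; the digest formula is the one in the WS-Security UsernameToken Profile 1.0.

```python
"""Client- and service-side handling of the WS-Security UsernameToken used by the
username-token templates: Password Type plaintext / digest / none, plus the
Nonce Required and Creation Time Required options that defend against replay.
Added example, not OWSM code. Digest per UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TYPE_URI = {"plaintext": PROFILE + "#PasswordText", "digest": PROFILE + "#PasswordDigest"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _as_time(value):
    """Accept a datetime or a '...Z' string and return an aware UTC datetime."""
    if isinstance(value, str):
        return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)
    return value


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce_bytes + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_username_token(user, password, policy, now, nonce=None):
    """Client side: the wsse:UsernameToken the client assertion puts in the SOAP header."""
    created = _as_time(now).strftime(TIME_FMT)
    nonce = os.urandom(16) if nonce is None else nonce
    ptype = policy["password_type"]  # constructed policy keys mirroring the Settings table
    parts = ['<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s">' % (WSSE, WSU),
             "<wsse:Username>%s</wsse:Username>" % escape(user)]
    if ptype == "digest":
        parts.append('<wsse:Password Type="%s">%s</wsse:Password>'
                     % (PW_TYPE_URI["digest"], password_digest(nonce, created, password)))
    elif ptype == "plaintext":
        parts.append('<wsse:Password Type="%s">%s</wsse:Password>' % (PW_TYPE_URI["plaintext"], escape(password)))
    # A digest is only verifiable with nonce and created present, so they always accompany it.
    if policy["nonce_required"] or ptype == "digest":
        parts.append("<wsse:Nonce>%s</wsse:Nonce>" % base64.b64encode(nonce).decode("ascii"))
    if policy["creation_time_required"] or ptype == "digest":
        parts.append("<wsu:Created>%s</wsu:Created>" % created)
    parts.append("</wsse:UsernameToken>")
    return "".join(parts)


class UsernameTokenVerifier:
    """Service side: check the token against the template settings and a replay cache."""

    def __init__(self, policy, lookup_password, freshness=timedelta(minutes=5)):
        self.policy = policy                    # password_type, nonce_required, creation_time_required
        self.lookup_password = lookup_password  # identity-store lookup: user -> password or None
        self.freshness = freshness              # how far Created may deviate from the server clock
        self._seen_nonces = {}                  # nonce -> expiry; rejects replays inside the window

    def verify(self, token_xml, now):
        """Return (True, username) on success or (False, reason) on rejection."""
        now, tok = _as_time(now), ET.fromstring(token_xml)
        text = lambda ns, local: getattr(tok.find("{%s}%s" % (ns, local)), "text", None)
        user, nonce_b64, created = text(WSSE, "Username"), text(WSSE, "Nonce"), text(WSU, "Created")
        pw_el = tok.find("{%s}Password" % WSSE)

        # Replay defences the template can require: creation-time freshness and a one-time nonce.
        if self.policy["nonce_required"] and not nonce_b64:
            return False, "nonce required by policy but missing"
        if self.policy["creation_time_required"] and not created:
            return False, "creation time required by policy but missing"
        if created and abs(now - _as_time(created)) > self.freshness:
            return False, "Created outside freshness window"
        if nonce_b64:
            self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t > now}
            if nonce_b64 in self._seen_nonces:
                return False, "replayed nonce"
            self._seen_nonces[nonce_b64] = now + self.freshness

        stored = self.lookup_password(user) if user else None
        if stored is None:
            return False, "unknown user"
        ptype = self.policy["password_type"]
        if ptype == "none":
            return True, user  # identity asserted without a password; trust rests on the transport
        if pw_el is None:
            return False, "password required"
        if pw_el.get("Type", PW_TYPE_URI["plaintext"]) == PW_TYPE_URI["digest"]:
            if ptype != "digest" or not (nonce_b64 and created):
                return False, "digest not accepted by policy or nonce/created missing"
            expected = password_digest(base64.b64decode(nonce_b64), created, stored)
            ok = hmac.compare_digest(expected, pw_el.text or "")
        else:
            ok = ptype == "plaintext" and hmac.compare_digest(stored, pw_el.text or "")
        return (True, user) if ok else (False, "bad credentials")
```

Presenting the same token twice is rejected the second time by the nonce cache, and a token whose Created lies outside the freshness window is rejected before the credential is even looked up.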

Settings

The settings for the wss10_username_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table 19-64 for information about the settings.

Configuration

Table 19-66 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_service_template assertion template.

Table 19-66 wss10_username_token_with_message_protection_service_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.sig.csf.key: None (Optional)
keystore.enc.csf.key: None (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.23 oracle/wss10_x509_token_with_message_protection_client_template

Display Name: Wss10 X509 Token with Message Protection client Assertion Template

Category: Security

Type: wss10-mutual-auth-with-certificates

Description

The wss10_x509_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table 19-67 lists the settings for the wss10_x509_token_with_message_protection_client_template assertion template.

Table 19-67 wss10_x509_token_with_message_protection_client_template Settings

Name: Default Value

X509 Token
  Sign Key Reference Mechanism: direct
  Encryption Key Reference Mechanism: direct
  Recipient Sign Key Reference Mechanism: direct
  Recipient Encryption Key Reference Mechanism: direct
  Is Signed: Disabled
  Use PKI Path: Disabled
Secure Conversation
  Enabled: Disabled
  Version: 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate: Disabled
  Client Entropy: Enabled
  Derived Keys: Enabled
  Server Entropy: Enabled
  Bootstrap Message Security: Inherit from Application Setting
Message Security
  Algorithm Suite: BASIC_128
  Include Timestamp: Enabled
  Encrypt Signature: Disabled
  Request Message Settings: N/A
  Response Message Settings: N/A
  Fault Message Settings: N/A


Configuration

Table 19-68 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_client_template assertion template.

Table 19-68 wss10_x509_token_with_message_protection_client_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.sig.csf.key: None (Optional)
keystore.enc.csf.key: None (Optional)
keystore.recipient.alias: orakey (Required)
ignore.timestamp.in.response: false (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.24 oracle/wss10_x509_token_with_message_protection_service_template

Display Name: Wss10 X509 Token with Message Protection service Assertion Template

Category: Security

Type: wss10-mutual-auth-with-certificates

Description

The wss10_x509_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_x509_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table 19-67 for information about the settings.

Configuration

Table 19-69 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_service_template assertion template.

Table 19-69 wss10_x509_token_with_message_protection_service_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.sig.csf.key: None (Optional)
keystore.enc.csf.key: None (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.25 oracle/wss11_kerberos_token_over_ssl_client_template

Display Name: Wss11 Kerberos Token Over SSL Client Assertion Template

Category: Security

Type: wss11-kerberos-over-ssl-security

Description

The wss11_kerberos_token_over_ssl_client_template assertion template includes a Kerberos token in the WS-Security SOAP header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. The Kerberos token is advertised as an EndorsingSupportingToken, and is used only for authentication and for signing the timestamp. Message protection is provided by SSL.

Settings

Table 19-70 lists the settings for the wss11_kerberos_token_over_ssl_client_template assertion template.

Table 19-70 wss11_kerberos_token_over_ssl_client_template Settings

Name: Default Value

Kerberos Token Type
  Kerberos Token Type: gss-apreq-v5
Transport Layer Security
  Transport Layer Security: Enabled
  Mutual Authentication Required: Disabled
  Include Timestamp: Enabled


Configuration

Table 19-71 lists the configuration properties and the default settings for the wss11_kerberos_token_over_ssl_client_template assertion template.

Table 19-71 wss11_kerberos_token_over_ssl_client_template Configuration Properties

Name: Default Value (Type)

service.principal.name: HOST/localhost@EXAMPLE.COM (Required)
keytab.location: None (Optional)
caller.principal.name: None (Optional)
credential.delegation: false (Required)
reference.priority: None (Optional)


19.1.3.26 oracle/wss11_kerberos_token_over_ssl_service_template

Display Name: Wss11 Kerberos Token Over SSL Service Assertion Template

Category: Security

Type: wss11-kerberos-over-ssl-security

Description

The wss11_kerberos_token_over_ssl_service_template assertion template enforces Kerberos token authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services. The Kerberos token is advertised as an EndorsingSupportingToken and is used only for authentication and for signing the timestamp. Message protection is provided by SSL.

Settings

The settings for the wss11_kerberos_token_over_ssl_service_template are identical to the client version of the assertion template. See Table 19-70 for information about the settings.

Configuration

Table 19-72 lists the configuration properties and the default settings for the wss11_kerberos_token_over_ssl_service_template assertion template.

Table 19-72 wss11_kerberos_token_over_ssl_service_template Configuration Properties

Name: Default Value (Type)

credential.delegation: false (Required)
reference.priority: None (Optional)


19.1.3.27 oracle/wss11_kerberos_token_with_message_protection_client_template

Display Name: Wss11 Kerberos Token with message protection client Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_with_message_protection_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table 19-73 lists the settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.

Table 19-73 wss11_kerberos_token_with_message_protection_client_template Settings

Name: Default Value

Kerberos Token Type
  Kerberos Token Type: gss-apreq-v5
  Derived Keys: Disabled
Secure Conversation
  Enabled: Disabled
  Version: 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate: Disabled
  Client Entropy: Enabled
  Derived Keys: Enabled
  Server Entropy: Enabled
  Bootstrap Message Security: Inherit from Application Setting
Message Security
  Algorithm Suite: TRIPLE_DES
  Include Timestamp: Enabled
  Request Message Settings: N/A
  Response Message Settings: N/A
  Fault Message Settings: N/A


Configuration

Table 19-74 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.

Table 19-74 wss11_kerberos_token_with_message_protection_client_template Configuration Properties

Name: Default Value (Type)

service.principal.name: HOST/localhost@EXAMPLE.COM (Required)
keytab.location: None (Optional)
caller.principal.name: None (Optional)
credential.delegation: false (Required)
ignore.timestamp.in.response: false (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.28 oracle/wss11_kerberos_token_with_message_protection_service_template

Display Name: Wss11 Kerberos Token service with message protection Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_with_message_protection_service_template assertion template enforces Kerberos token authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_kerberos_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 19-73 for information about the settings.

Configuration

Table 19-75 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_service_template assertion template.

Table 19-75 wss11_kerberos_token_with_message_protection_service_template Configuration Properties

Name: Default Value (Type)

credential.delegation: false (Required)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.29 oracle/wss11_saml_token_with_message_protection_client_template

Display Name: Wss11 SAML Token with Message Protection client Assertion Template

Category: Security

Type: wss11-saml-with-certificates

Description

The wss11_saml_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML-based authentication with sender-vouches confirmation.

Settings

Table 19-76 lists the settings for the wss11_saml_token_with_message_protection_client_template assertion template.

Table 19-76 wss11_saml_token_with_message_protection_client_template Settings

Name: Default Value

SAML Token Type
  Version: 1.1
  Confirmation Type: sender-vouches
  Is Signed: Enabled
  Is Encrypted: Disabled
  Name Identifier Format: unspecified
X509 Token
  Sign Key Reference Mechanism: direct
  Encryption Key Reference Mechanism: thumbprint
  Is Signed: Enabled
  Use PKI Path: Disabled
  Derived Keys: Disabled
Secure Conversation
  Enabled: Disabled
  Version: 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate: Disabled
  Client Entropy: Enabled
  Derived Keys: Enabled
  Server Entropy: Enabled
  Bootstrap Message Security: Inherit from Application Setting
Message Security
  Algorithm Suite: BASIC_128
  Include Timestamp: Enabled
  Confirm Signature: Enabled
  Encrypt Signature: Disabled
  Request Message Settings: N/A
  Response Message Settings: N/A
  Fault Message Settings: N/A


Configuration

Table 19-77 lists the configuration properties and the default settings for the wss11_saml_token_with_message_protection_client_template assertion template.

Table 19-77 wss11_saml_token_with_message_protection_client_template Configuration Properties

Name: Default Value (Type)

user.attributes: None (Optional)
saml.issuer.name: www.oracle.com (Optional)
role: ultimateReceiver (Constant)
keystore.recipient.alias: orakey (Required)
keystore.sig.csf.key: None (Optional)
keystore.enc.csf.key: None (Optional)
csf-key: basic.credentials (Optional)
subject.precedence: true (Optional)
saml.audience.uri: None (Optional)
propagate.identity.context: None (Optional)
user.tenant.name: None (Optional)
ignore.timestamp.in.response: false (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.30 oracle/wss11_saml_token_with_message_protection_service_template

Display Name: Wss11 SAML Token with Message Protection service Assertion Template

Category: Security

Type: wss11-saml-with-certificates

Description

The wss11_saml_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_saml_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 19-76 for information about the settings.

Configuration

Table 19-78 lists the configuration properties and the default settings for the wss11_saml_token_with_message_protection_service_template assertion template.

Table 19-78 wss11_saml_token_with_message_protection_service_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.enc.csf.key: None (Optional)
saml.trusted.issuers: None (Optional)
propagate.identity.context: None (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.31 oracle/wss11_saml20_token_with_message_protection_client_template

Display Name: Wss11 SAML V2.0 Token with Message Protection client Assertion Template

Category: Security

Type: wss11-saml-with-certificates

Description

The wss11_saml20_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML-based authentication with sender-vouches confirmation.

Settings

Table 19-79 lists the settings for the wss11_saml20_token_with_message_protection_client_template assertion template.

Table 19-79 wss11_saml20_token_with_message_protection_client_template Settings

Name: Default Value

SAML Token Type
  Version: 2.0
  Confirmation Type: sender-vouches
  Is Signed: Enabled
  Is Encrypted: Disabled
  Name Identifier Format: unspecified
X509 Token
  Sign Key Reference Mechanism: direct
  Encryption Key Reference Mechanism: thumbprint
  Is Signed: Enabled
  Use PKI Path: Disabled
  Derived Keys: Disabled
Secure Conversation
  Enabled: Disabled
  Version: 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate: Disabled
  Client Entropy: Enabled
  Derived Keys: Enabled
  Server Entropy: Enabled
  Bootstrap Message Security: Inherit from Application Setting
Message Security
  Algorithm Suite: BASIC_128
  Include Timestamp: Enabled
  Confirm Signature: Enabled
  Encrypt Signature: Disabled
  Request Message Settings: N/A
  Response Message Settings: N/A
  Fault Message Settings: N/A


Configuration

Table 19-80 lists the configuration properties and the default settings for the wss11_saml20_token_with_message_protection_client_template assertion template.

Table 19-80 wss11_saml20_token_with_message_protection_client_template Configuration Properties

Name: Default Value (Type)

user.attributes: None (Optional)
saml.issuer.name: www.oracle.com (Optional)
role: ultimateReceiver (Constant)
keystore.sig.csf.key: None (Optional)
keystore.enc.csf.key: None (Optional)
keystore.recipient.alias: orakey (Required)
csf-key: basic.credentials (Optional)
subject.precedence: true (Optional)
attesting.mapping.attribute: None (Optional)
saml.audience.uri: None (Optional)
propagate.identity.context: None (Optional)
ignore.timestamp.in.response: false (Optional)
sc.token.lifetime: None (Optional)
reference.priority: DN (Optional)


19.1.3.32 oracle/wss11_saml20_token_with_message_protection_service_template

Display Name: Wss11 SAML V2.0 Token with Message Protection service Assertion Template

Category: Security

Type: wss11-saml-with-certificates

Description

The wss11_saml20_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_saml20_token_with_message_protection_service_template are similar to the client version of the assertion template. See Table 19-79 for information about the settings.

Configuration

Table 19-81 lists the configuration properties and the default settings for the wss11_saml20_token_with_message_protection_service_template assertion template.

Table 19-81 wss11_saml20_token_with_message_protection_service_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.enc.csf.key: None (Optional)
saml.trusted.issuers: None (Optional)
propagate.identity.context: None (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.33 oracle/wss11_username_token_with_message_protection_client_template

Display Name: Wss11 Username Token with Message Protection client Assertion Template

Category: Security

Type: wss11-username-with-certificates

Description

The wss11_username_token_with_message_protection_client_template assertion template includes authentication and message protection in accordance with the WS-Security v1.1 standard.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts the message and verifies the signature.

To prevent replay attacks, the assertion provides the option to include timestamps, which the Web service provider verifies. The message can be protected with ciphers of different strengths.

Settings

Table 19-82 lists the settings for the wss11_username_token_with_message_protection_client_template assertion template.

Table 19-82 wss11_username_token_with_message_protection_client_template Settings

Name: Default Value

Username Token
  Password Type: plaintext
  Creation Time Required: Disabled
  Nonce Required: Disabled
  Is Encrypted: Enabled
  Is Signed: Enabled
X509 Token
  Encryption Key Reference Mechanism: thumbprint
  Is Signed: Enabled
  Use PKI Path: Disabled
  Derived Keys: Disabled
Secure Conversation
  Enabled: Disabled
  Version: 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate: Disabled
  Client Entropy: Enabled
  Derived Keys: Enabled
  Server Entropy: Enabled
  Bootstrap Message Security: Inherit from Application Setting
Message Security
  Algorithm Suite: BASIC_128
  Include Timestamp: Enabled
  Confirm Signature: Enabled
  Encrypt Signature: Disabled
  Request Message Settings: N/A
  Response Message Settings: N/A
  Fault Message Settings: N/A


Configuration

Table 19-83 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_client_template assertion template.

Table 19-83 wss11_username_token_with_message_protection_client_template Configuration Properties

Name: Default Value (Type)

csf-key: basic.credentials (Required)
role: ultimateReceiver (Constant)
keystore.recipient.alias: orakey (Required)
keystore.enc.csf.key: None (Optional)
user.tenant.name: None (Optional)
ignore.timestamp.in.response: false (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.34 oracle/wss11_username_token_with_message_protection_service_template

Display Name: Wss11 Username Token with Message Protection service Assertion Template

Category: Security

Type: wss11-username-with-certificates

Description

The wss11_username_token_with_message_protection_service_template assertion template enforces authentication and message protection in accordance with the WS-Security v1.1 standard.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts the message and verifies the signature. To prevent replay attacks, the assertion provides the option to include timestamps, which the Web service provider verifies. The message can be protected with ciphers of different strengths.
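The service-side replay checks described here and in the WS-Security 1.0 username token template (19.1.3.22), that is, the Password Type, Nonce Required and Creation Time Required settings together with a nonce cache, as an added Python example that is not Oracle documentation or OWSM code. The credential store, the freshness window and the token field names are constructed for illustration; the digest formula is the PasswordDigest from the WS-Security UsernameToken Profile.

```python
import base64
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed credential store standing in for the identity store that the
# service-side assertion authenticates against (not OWSM code).
PASSWORDS = {"alice": "correct horse battery staple"}

FRESHNESS_SECONDS = 300  # constructed window for the Created timestamp


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest as defined by the WS-Security UsernameToken Profile:
    Base64(SHA-1(nonce || created || password)), with the nonce as raw bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def ws_created(ts: float) -> str:
    """Format a POSIX time as the UTC xsd:dateTime string carried in Created."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def make_token(username, password, nonce_b64, created, digest=True) -> dict:
    """Client side: the UsernameToken fields a Web service consumer sends."""
    if digest:
        return {"Username": username, "PasswordType": "PasswordDigest",
                "Password": password_digest(nonce_b64, created, password),
                "Nonce": nonce_b64, "Created": created}
    return {"Username": username, "PasswordType": "PasswordText",
            "Password": password, "Nonce": nonce_b64, "Created": created}


@dataclass
class UsernameTokenVerifier:
    """Service side: the checks behind Password Type, Nonce Required and
    Creation Time Required, plus the nonce cache that makes them useful."""
    nonce_required: bool = True
    creation_time_required: bool = True
    _seen: dict = field(default_factory=dict)  # nonce -> time it expires

    def verify(self, token: dict, now: Optional[float] = None) -> tuple:
        now = time.time() if now is None else now
        password = PASSWORDS.get(token.get("Username", ""))
        nonce, created = token.get("Nonce"), token.get("Created")
        if self.nonce_required and not nonce:
            return False, "nonce required but absent"
        if self.creation_time_required and not created:
            return False, "creation time required but absent"
        if created:
            created_ts = (datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
                          .replace(tzinfo=timezone.utc).timestamp())
            if abs(now - created_ts) > FRESHNESS_SECONDS:
                return False, "created timestamp outside freshness window"
        # Forget nonces old enough that the Created check alone would reject
        # a replay, so the cache stays bounded by the freshness window.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce and nonce in self._seen:
            return False, "nonce already used (replay)"
        if password is None:
            return False, "unknown user"
        ptype = token.get("PasswordType")
        if ptype == "PasswordText":
            ok = hmac.compare_digest(token.get("Password", "").encode(),
                                     password.encode())
        elif ptype == "PasswordDigest":
            if not (nonce and created):
                return False, "digest requires nonce and created"
            expected = password_digest(nonce, created, password)
            ok = hmac.compare_digest(token.get("Password", "").encode(),
                                     expected.encode())
        else:
            return False, "unsupported password type"
        if not ok:
            return False, "authentication failed"
        if nonce:  # remember only tokens that authenticated successfully
            self._seen[nonce] = now + FRESHNESS_SECONDS
        return True, "authenticated"


def demo() -> list:
    """Send one constructed request, then replay and tamper with it; returns
    the verifier's reason strings in order."""
    now = 1_700_000_000.0
    nonce = base64.b64encode(os.urandom(16)).decode()
    token = make_token("alice", PASSWORDS["alice"], nonce, ws_created(now))
    v = UsernameTokenVerifier()
    results = [v.verify(token, now)[1],        # fresh request: authenticated
               v.verify(token, now + 5)[1],    # same nonce again: replay
               v.verify(token, now + 900)[1]]  # old Created: stale
    nonce2 = base64.b64encode(os.urandom(16)).decode()
    bad = make_token("alice", "wrong password", nonce2, ws_created(now + 1))
    results.append(v.verify(bad, now + 1)[1])  # fresh nonce, bad digest
    return results


if __name__ == "__main__":
    print(demo())
```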

Settings

The settings for the wss11_username_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 19-82 for information about the settings.

Configuration

Table 19-84 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_service_template assertion template.

Table 19-84 wss11_username_token_with_message_protection_service_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.enc.csf.key: None (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.35 oracle/wss11_x509_token_with_message_protection_client_template

Display Name: Wss11 X509 Token with Message Protection client Assertion Template

Category: Security

Type: wss11-mutual-auth-with-certificates

Description

The wss11_x509_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Credentials are included in the WS-Security binary security token of the SOAP message.

Settings

Table 19-85 lists the settings for the wss11_x509_token_with_message_protection_client_template assertion template.

Table 19-85 wss11_x509_token_with_message_protection_client_template Settings

Name: Default Value

X509 Token
  Sign Key Reference Mechanism: direct
  Encryption Key Reference Mechanism: thumbprint
  Is Signed: Enabled
  Use PKI Path: Disabled
  Derived Keys: Disabled
Secure Conversation
  Enabled: Disabled
  Version: 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate: Disabled
  Client Entropy: Enabled
  Derived Keys: Enabled
  Server Entropy: Enabled
  Bootstrap Message Security: Inherit from Application Setting
Message Security
  Algorithm Suite: BASIC_128
  Include Timestamp: Enabled
  Confirmation Type: Enabled
  Encrypt Signature: Disabled
  Request Message Settings: N/A
  Response Message Settings: N/A
  Fault Message Settings: N/A


Configuration

Table 19-86 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_client_template assertion template.

Table 19-86 wss11_x509_token_with_message_protection_client_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.recipient.alias: orakey (Required)
keystore.sig.csf.key: None (Optional)
keystore.enc.csf.key: None (Optional)
ignore.timestamp.in.response: false (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.3.36 oracle/wss11_x509_token_with_message_protection_service_template

Display Name: Wss11 X509 Token with Message Protection service Assertion Template

Category: Security

Type: wss11-mutual-auth-with-certificates

Description

The wss11_x509_token_with_message_protection_service_template assertion template enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. The certificate is extracted from the WS-Security binary security token header, and the credentials in the certificate are validated against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_x509_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 19-85 for information about the settings.

Configuration

Table 19-87 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_service_template assertion template.

Table 19-87 wss11_x509_token_with_message_protection_service_template Configuration Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
keystore.enc.csf.key: None (Optional)
sc.token.lifetime: None (Optional)
reference.priority: None (Optional)


19.1.4 Oracle Entitlements Server (OES) Integration Templates

Table 19-88 summarizes the assertion templates that are used for OES integration.

Table 19-88 OES Integration Templates

Service Template: Description

oracle/binding_oes_authrization_template: Reserved for future use.
oracle/binding_oes_masking_template: Reserved for future use.
oracle/component_oes_authorization_template: Reserved for future use.


19.1.4.1 oracle/binding_oes_authrization_template

Reserved for future use.

19.1.4.2 oracle/binding_oes_masking_template

Reserved for future use.

19.1.4.3 oracle/component_oes_authorization_template

Reserved for future use.

19.1.5 PII Assertion Templates

Table 19-89 summarizes the assertion templates that are used for PII security.

Table 19-89 PII Assertion Templates

Service Template: Description

oracle/pii_security_template: Reserved for future use.


19.1.5.1 oracle/pii_security_template

Display Name: PII Security Assertion Template

Category: Security

Type: pii-security

Description

Reserved for future use.

19.1.6 WS-Trust Assertion Templates

Table 19-90 summarizes the WS-Trust assertion templates.

In this release, you can use Fusion Middleware Control to directly edit the assertion template text, but the Settings and Configuration pages are not available.

Table 19-90 WS-Trust Assertion Templates

Name: Description

oracle/sts_trust_config_client_template: STS configuration information assertion template that is used to invoke STS for token exchange.
oracle/sts_trust_config_service_template: STS configuration information assertion template that is used to invoke STS for token exchange.
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template: SOAP binding-level client assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection.
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template: SOAP binding-level service assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection.
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template: WS-Security 1.1 issued token SAML HOK token with certificates client assertion template. Provides authentication and message protection using Basic128.
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template: WS-Security 1.1 issued token SAML HOK token with certificates service assertion template. Provides authentication and message protection using Basic128.
oracle/wss11_sts_issued_saml_with_message_protection_client_template: WS-Security 1.1 issued token SAML sender vouches with certificates. Provides authentication and message protection using Basic128.


19.1.6.1 oracle/sts_trust_config_client_template

Display Name: Trust Configuration Client Assertion Template

Category: Security

Type: sts-trust-config

Description

STS Configuration information, provided on the client side, that is used to invoke STS for token exchange.

Settings

Table 19-91 lists the settings for the oracle/sts_trust_config_client_template assertion template.

Table 19-91 oracle/sts_trust_config_client_template Settings

Name: Default Value

STS Configuration
  WSDL Exists: Yes
  WSDL: http://host:port/sts?wsdl
  Port URI: Blank
  Service: Blank
  Port: Blank
  Port Endpoint: target-namespace#wsdl.endpoint(service-name/port-name)
  Client Policy URI: Blank
  Client Policy URI: Show All Client Policies
  Keystore Recipient Alias: sts-csf-key


Configuration

Table 19-92 lists the configuration properties and the default settings for the oracle/sts_trust_config_client_template assertion template.

Table 19-92 oracle/sts_trust_config_client_template Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
reference.priority: None (Optional)


19.1.6.2 oracle/sts_trust_config_service_template

Display Name: Trust Configuration Service Assertion Template

Category: Security

Type: sts-trust-config

Description

Minimal STS Configuration information, provided on the service side, that is used to obtain all other STS information and invoke STS for token exchange.

Settings

Table 19-93 lists the settings for the oracle/sts_trust_config_service_template assertion template.

Table 19-93 oracle/sts_trust_config_service_template Settings

Name: Default Value

STS Configuration
  WSDL Exists: Yes
  WSDL: http://host:port/sts?wsdl
  Port URI: http://host:port/sts-service


Configuration

Table 19-94 lists the configuration properties and the default settings for the oracle/sts_trust_config_service_template assertion template.

Table 19-94 oracle/sts_trust_config_service_template Properties

Name: Default Value (Type)

role: ultimateReceiver (Constant)
reference.priority: None (Optional)


19.1.6.3 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template

Display Name: Wss Issued Saml Bearer Token with Message Protection Client Assertion Template

Category: Security

Type: wss-sts-issued-token-over-ssl

Description

SOAP binding-level policy for issued token SAML authentication (confirmation method bearer) with SSL message protection.

Settings

Table 19-95 lists the settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template.

Table 19-95 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Settings

Name: Default Value

Issued Token
  Token Type: SAML11
  Key Type: Bearer
  Algorithm Suite: Blank
  Derived Keys: Disabled
Transport Layer Security
  Transport Layer Security: Enabled
  Mutual Authentication Required: Disabled
  Include Timestamp: Enabled
  Algorithm Suite: None
Secure Conversation
  Enabled: Disabled
  Version: 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate: Disabled
  Client Entropy: Enabled
  Derived Keys: Disabled
  Server Entropy: Enabled


Configuration

Table 19-96 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template.

Table 19-96 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Properties

Name: Default Value (Type)

sts.auth.user.csf.key: None (Optional)
sts.auth.x509.csf.key: None (Optional)
on.behalf.of: false (Required)
sts.auth.on.behalf.of.csf.key: None (Optional)
sts.auth.on.behalf.of.username.only: true (Optional)
sts.keystore.recipient.alias: None (Optional)
sts.auth.service.principal.name: HOST/localhost@EXAMPLE.COM (Optional)
sts.auth.keytab.location: None (Optional)
sts.auth.caller.principal.name: None (Optional)
sts.in.order: None (Optional)
sc.token.lifetime: None (Optional)
issued.token.lifetime: None (Optional)
issued.token.caching: false (Optional)
reference.priority: None (Optional)


19.1.6.4 oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template

Display Name: Wss Issued Saml Bearer Token with Message Protection Service Assertion Template

Category: Security

Type: wss-sts-issued-token-over-ssl

Description

SOAP binding-level policy for issued token SAML authentication (confirmation method bearer) with SSL message protection.

Settings

Table 19-95 lists the settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template assertion template.

Configuration

Table 19-97 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template assertion template.

Table 19-97 oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template Properties

Name                                  Default Value                Type
role                                  ultimateReceiver             Constant
sc.token.lifetime                     None                         Optional
reference.priority                    None                         Optional


19.1.6.5 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template

Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Client Assertion Template

Category: Security

Type: wss11-sts-issued-token-with-certificates

Description

WS-Security 1.1 Issued Token SAML HOK with Certificates. Provides authentication and message protection using Basic128.

Settings

Table 19-98 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template.

Table 19-98 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Settings

Name                                  Default Value
Issued Token
  Token Type                          SAML11
  Key Type                            Symmetric
  Algorithm Suite                     Basic128
  Derived Keys                        Disabled
X509 Token
  Sign Key Reference Mechanism        thumbprint
  Encryption Key Reference Mechanism  thumbprint
  Is Signed                           Enabled
  Use PKI Path                        Disabled
  Derived Keys                        Disabled
Secure Conversation
  Enabled                             Disabled
  Version                             1.3 or 1.4 (see note)
  Re-authenticate                     Disabled
  Client Entropy                      Enabled
  Derived Keys                        Enabled
  Server Entropy                      Enabled
  Bootstrap Message Security          Inherit from Application Setting
Message Security
  Algorithm Suite                     BASIC_128
  Include Timestamp                   Enabled
  Confirm Signature                   Enabled
  Encrypt Signature                   Disabled

Note: OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.


Configuration

Table 19-99 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template.

Table 19-99 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Properties

Name                                  Default Value                Type
sts.auth.user.csf.key                 None                         Optional
sts.auth.x509.csf.key                 None                         Optional
on.behalf.of                          true                         Required
sts.auth.on.behalf.of.csf.key         None                         Optional
sts.auth.on.behalf.of.username.only   true                         Optional
sts.keystore.recipient.alias          None                         Optional
keystore.recipient.alias              orakey                       Required
keystore.enc.csf.key                  None                         Optional
sts.auth.service.principal.name       HOST/localhost@EXAMPLE.COM   Optional
sts.auth.keytab.location              None                         Optional
sts.auth.caller.principal.name        None                         Optional
sts.in.order                          None                         Optional
sc.token.lifetime                     None                         Optional
issued.token.lifetime                 None                         Optional
issued.token.caching                  false                        Optional
reference.priority                    None                         Optional


19.1.6.6 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template

Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Service Assertion Template

Category: Security

Type: wss11-sts-issued-token-with-certificates

Description

WS-Security 1.1 Issued Token SAML HOK with Certificates. Provides authentication and message protection using Basic128.

Settings

Table 19-98 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template.

Configuration

Table 19-100 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template.

Table 19-100 oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template Properties

Name                                  Default Value                Type
keystore.enc.csf.key                  None                         Optional
role                                  ultimateReceiver             Constant
sc.token.lifetime                     None                         Optional
reference.priority                    None                         Optional


19.1.6.7 oracle/wss11_sts_issued_saml_with_message_protection_client_template

Display Name: Wss11 Issued Token Saml Sender Voucher with Message Protection Client Assertion Template

Category: Security

Type: wss11-sts-issued-token-with-certificates

Description

WS-Security 1.1 Issued Token SAML Sender Voucher with Certificates. Provides authentication and message protection using Basic128.

Settings

Table 19-101 lists the settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template.

Table 19-101 oracle/wss11_sts_issued_saml_with_message_protection_client_template Settings

Name                                  Default Value
Issued Token
  Token Type                          SAML11
  Key Type                            Blank
  Algorithm Suite                     Basic128
  Derived Keys                        Disabled
X509 Token
  Sign Key Reference Mechanism        direct
  Encryption Key Reference Mechanism  thumbprint
  Is Signed                           Enabled
  Use PKI Path                        Disabled
  Derived Keys                        Disabled
Secure Conversation
  Enabled                             Disabled
  Version                             1.3 or 1.4 (see note)
  Re-authenticate                     Disabled
  Client Entropy                      Enabled
  Derived Keys                        Enabled
  Server Entropy                      Enabled
  Bootstrap Message Security          Inherit from Application Setting
Message Security
  Algorithm Suite                     BASIC_128
  Include Timestamp                   Enabled
  Confirm Signature                   Enabled
  Encrypt Signature                   Disabled

Note: OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.


Configuration

Table 19-102 lists the configuration properties and the default settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template.

Table 19-102 oracle/wss11_sts_issued_saml_with_message_protection_client_template Properties

Name                                  Default Value                Type
sts.auth.user.csf.key                 None                         Optional
sts.auth.x509.csf.key                 None                         Optional
on.behalf.of                          true                         Required
sts.auth.on.behalf.of.csf.key         None                         Optional
sts.auth.on.behalf.of.username.only   true                         Optional
sts.keystore.recipient.alias          None                         Optional
keystore.recipient.alias              orakey                       Optional
keystore.enc.csf.key                  None                         Optional
sts.in.order                          None                         Optional
sc.token.lifetime                     None                         Optional
issued.token.lifetime                 None                         Optional
issued.token.caching                  false                        Optional
reference.priority                    None                         Optional


19.1.7 Authorization Assertion Templates

Table 19-103 summarizes assertion templates that are used for authorization. Each authorization assertion template must follow an authentication assertion template.

Table 19-103 Authorization Assertion Templates

Service Template                                     Description
oracle/binding_authorization_template                Provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.
oracle/binding_permission_authorization_template     Provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level.
oracle/component_authorization_template              Provides simple role-based authorization for the request based on the authenticated subject at the SOA component level.
oracle/component_permission_authorization_template   Provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level.


19.1.7.1 oracle/binding_authorization_template

Display Name: Binding Authorization Assertion Template

Category: Security

Type: binding-authorization

Description

The binding_authorization_template assertion template provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion template.

Settings

Table 19-104 lists the settings for the binding_authorization_template assertion template.

Table 19-104 binding_authorization_template Settings

Name                                  Default Value
Authorization Permission
  Permissions—Action Match            Blank
  Permissions—Constraint Match        Blank
  Permissions—Resource Match          Blank
  Roles                               Not Set


Configuration

Table 19-105 lists the configuration properties and the default settings for the binding_authorization_template assertion template.

Table 19-105 binding_authorization_template Properties

Name                 Default Value   Type
reference.priority   None            Optional


19.1.7.2 oracle/binding_permission_authorization_template

Display Name: Binding Permission Based Authorization Assertion Template

Category: Security

Type: binding-permission-authorization

Description

The binding_permission_authorization_template assertion provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion.

Settings

Table 19-106 lists the settings for the binding_permission_authorization_template assertion template.

Table 19-106 binding_permission_authorization_template Settings

Name                                  Default Value
Authorization Permission
  Permissions—Action Match            *
  Permissions—Constraint Match        Blank
  Permissions—Resource Match          *
  Permission Class                    Blank


Configuration

Table 19-107 lists the configuration properties for the binding_permission_authorization_template assertion template.

Table 19-107 binding_permission_authorization_template Properties

Name                 Default Value   Type
reference.priority   None            Optional


19.1.7.3 oracle/component_authorization_template

Display Name: Component Authorization Assertion Template

Category: Security

Type: sca-component-authorization

Description

The component_authorization_template assertion provides simple role-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.

Settings

Table 19-108 lists the settings for the component_authorization_template assertion template.

Table 19-108 component_authorization_template Settings

Name                                  Default Value
Authorization Permission
  Permissions—Action Match            Blank
  Permissions—Constraint Match        Blank
  Permissions—Resource Match          Blank
  Roles                               Not Set


Configuration

Table 19-109 lists the configuration properties for the component_authorization_template assertion template.

Table 19-109 component_authorization_template Properties

Name                 Default Value   Type
reference.priority   None            Optional


19.1.7.4 oracle/component_permission_authorization_template

Display Name: Component Permission Based Authorization Assertion Template

Category: Security

Type: sca-component-permission-authorization

Description

The component_permission_authorization_template assertion template provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.

Note:

You should be careful when using permission-based policies with EJBs as the security permissions specified in system-jazn-data.xml will be relaxed beyond a single invocation of the service operation.

Settings

Table 19-110 lists the settings for the component_permission_authorization_template assertion template.

Table 19-110 component_permission_authorization_template Settings

Name                                  Default Value
Authorization Permission
  Permissions—Action Match            *
  Permissions—Constraint Match        N/A
  Permissions—Resource Match          *
  Permission Class                    N/A


Configuration

Table 19-111 lists the configuration properties for the component_permission_authorization_template assertion template.

Table 19-111 component_permission_authorization_template Properties

Name                 Default Value   Type
reference.priority   None            Optional


19.1.8 Supported Algorithm Suites

Table 19-112 lists the algorithm suites that are supported for message protection. The algorithm suites enable you to control the cryptographic characteristics of the algorithms that are used when securing messages.

Table 19-112 Supported Algorithm Suites

Algorithm Suite       Digest  Encryption  Symmetric Key Wrap  Asymmetric Key Wrap  Encrypted Key Derivation  Signature Key Derivation  Minimum Signature Key Length
Basic256              Sha1    Aes256      KwAes256            KwRsaOaep            PSha1L256                 PSha1L192                 256
Basic192              Sha1    Aes192      KwAes192            KwRsaOaep            PSha1L192                 PSha1L192                 192
Basic128              Sha1    Aes128      KwAes128            KwRsaOaep            PSha1L128                 PSha1L128                 128
TripleDes             Sha1    TripleDes   KwTripleDes         KwRsaOaep            PSha1L192                 PSha1L192                 192
Basic256Rsa15         Sha1    Aes256      KwAes256            KwRsa15              PSha1L256                 PSha1L192                 256
Basic192Rsa15         Sha1    Aes192      KwAes192            KwRsa15              PSha1L192                 PSha1L192                 192
Basic128Rsa15         Sha1    Aes128      KwAes128            KwRsa15              PSha1L128                 PSha1L128                 128
TripleDesRsa15        Sha1    TripleDes   KwTripleDes         KwRsa15              PSha1L192                 PSha1L192                 192
Basic256Sha256        Sha256  Aes256      KwAes256            KwRsaOaep            PSha1L256                 PSha1L192                 256
Basic192Sha256        Sha256  Aes192      KwAes192            KwRsaOaep            PSha1L192                 PSha1L192                 192
Basic128Sha256        Sha256  Aes128      KwAes128            KwRsaOaep            PSha1L128                 PSha1L128                 128
TripleDesSha256       Sha256  TripleDes   KwTripleDes         KwRsaOaep            PSha1L192                 PSha1L192                 192
Basic256Sha256Rsa15   Sha256  Aes256      KwAes256            KwRsa15              PSha1L256                 PSha1L192                 256
Basic192Sha256Rsa15   Sha256  Aes192      KwAes192            KwRsa15              PSha1L192                 PSha1L192                 192
Basic128Sha256Rsa15   Sha256  Aes128      KwAes128            KwRsa15              PSha1L128                 PSha1L128                 128
TripleDesSha256Rsa15  Sha256  TripleDes   KwTripleDes         KwRsa15              PSha1L192                 PSha1L192                 192


19.1.9 Message Signing and Encryption Settings for Request, Response, and Fault Messages

Table 19-113 lists the settings for the Request, Response, and Fault messages. You configure these settings for message signing and encryption.

Table 19-113 Request, Response, and Fault Message Signing and Encryption Settings

Name                     Default Value
Include Entire Body      True for Request and Response messages; False for Fault messages
Include SwA Attachment   False
Include MIME Headers     False
Header Elements          None
Body Elements            None


19.2 Management Assertion Templates

Table 19-114 summarizes the management assertion templates.

Table 19-114 Management Assertion Templates

Name                          Description
oracle/security_log_template  Provides a logging assertion template that can be attached to any binding or component.


19.2.1 oracle/security_log_template

Display Name: Security Log Assertion Template

Category: Security

Type: Logging

Description

The security_log_template assertion template provides a logging assertion template that can be attached to any binding or component.

Note:

It is recommended that the logging assertion be used for debugging and auditing purposes only.

Settings

Table 19-115 lists the settings for the security_log_template assertion template.

Table 19-115 security_log_template Settings

Name                                  Default Value
Logging
  Request                             all
  Response                            soap_body
  Fault                               Not set


Configuration

Table 19-116 lists the configuration properties for the security_log_template assertion template.

Table 19-116 security_log_template Properties

Name                 Default Value   Type
reference.priority   None            Optional


19.3 Assertion Template Settings Reference

The following sections summarize the settings that can be set for the predefined assertion templates; settings are listed alphabetically.

Note:

Not all settings apply to all assertion templates.

19.3.1 Action Match

Action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, validate,amountAvailable.

19.3.2 Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

19.3.3 Authentication Header—Header Name

Name of the authentication header.

19.3.4 Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

    Note: It is recommended that you configure SSL when using basic authentication. For more information, see "Configuring Keystores for SSL".

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • oam—Client authenticates itself using OAM agent.

  • saml20-bearer—Client authenticates itself using SAML 2.0 Bearer token.

  • spnego—Client authenticates itself using Kerberos SPNEGO.

19.3.5 Body Elements

Note: This field is available if Include Entire Body is disabled.

Sign or encrypt the specified body elements. This field is applicable only if the Include Entire Body field is disabled.

To add a body element:

  1. Click Add.

  2. Enter the namespace URI.

  3. Enter the local name for the body element.

  4. Click OK.

To edit a body element:

  1. Select the body element that you want to edit in the Body Elements list.

  2. Click Edit.

  3. Modify the values, as required.

  4. Click OK.

To delete a body element:

  1. Select the body element that you want to delete in the Body Elements list.

  2. Click Delete.

  3. When prompted to confirm, click OK.

19.3.6 Bootstrap Message Security

A Secure Conversation policy actually consists of two policies: an inner policy and an outer policy. The Bootstrap Message Security control exposes both. The bootstrap (inner) policy is used to obtain the token and establish the handshake between the client and the Web service. The outer policy is used for application messages when making requests with the token.

See "Using Basic Mode Versus Advanced Mode" in Understanding Oracle Web Services Manager for more information.

19.3.7 Client Entropy

This is used as key material for the requested proof token in Secure Conversation.

19.3.8 Client Policy URI

The client policy URI that will be used by the client to communicate with the STS. The policy you choose depends on the authentication requirements of the STS, as identified in its WSDL.

19.3.9 Confirm Signature

Flag that specifies whether to send a signature confirmation back to the client.

19.3.10 Confirmation Type

Confirmation type. The only valid value is:

  • sender-vouches—Uses the Sender Vouches SAML token for authentication.

19.3.11 Constraint Match

Expression that represents the constraints against which authorization checks are performed. The constraints expression is specified using the following two messageContext properties:

  • messageContext.authenticationMethod—Determines the authentication method used to authenticate the user. Valid value is SAML_SV.

  • messageContext.requestOrigin—Determines whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP server administrator has added a custom VIRTUAL_HOST_TYPE header to the request.

The constraint pattern properties and their values are case sensitive.

The constraint expression uses the following standard supported operators: ==, !=, &&, || and !.

19.3.12 Creation Time Required

Flag that specifies whether a time stamp for the creation of the username token is required.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

19.3.13 Derived Keys

Flag that specifies whether derived keys should be used.

19.3.14 Enabled

For the preconfigured WS-SC policies, Secure Conversation is enabled by default. For all of the other policies, Secure Conversation is disabled by default.

19.3.15 Encrypt Signature

Flag that specifies whether to encrypt the signature.

19.3.16 Encryption Key Reference Mechanism

Mechanism used when encrypting the request.

Valid values for wss10_message_protection_client_template and wss10_saml_token_with_message_protection_client_template:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

Valid values for wss11_message_protection_client_template, wss11_saml_token_with_message_protection_client_template, wss11_saml20_token_with_message_protection_client_template, wss11_username_token_with_message_protection_client_template, wss11_x509_token_with_message_protection_client_template:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

  • thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a low-overhead method of storing certificates.

19.3.17 Fault Message Settings

See Table 19-113.

19.3.18 Header Elements

Sign or encrypt the specified SOAP header elements.

To add a header element:

  1. Click Add.

  2. Enter the namespace URI.

  3. Enter the local name for the header element.

  4. Click OK.

To edit a header element:

  1. Select the header element that you want to edit in the Header Elements list.

  2. Click Edit.

  3. Modify the values, as required.

  4. Click OK.

To delete a header element:

  1. Select the header element that you want to delete in the Header Elements list.

  2. Click Delete.

  3. When prompted to confirm, click OK.

19.3.19 Include Entire Body

Sign or encrypt the entire body of the SOAP message.

If false, you can add specific body elements using the Body Elements section.

19.3.20 Include MIME Headers

Sign or encrypt SOAP attachments with MIME headers.

Note: This field is enabled and applicable if Include SwA Attachment is enabled. It is not applicable to MTOM attachments.

19.3.21 Include SwA Attachment

Sign or encrypt SOAP messages with attachments.

Note: This field is not applicable to MTOM attachments.

19.3.22 Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

19.3.23 Is Encrypted

Flag that specifies whether the SAML token is encrypted.

19.3.24 Is Signed

Flag that specifies whether the SAML token is signed.

19.3.25 Kerberos Token Type

Type of Kerberos token. The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API).

19.3.26 Key Type

Key type. The only valid value is: bearer.

19.3.27 Keystore Recipient Alias

The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.

19.3.28 Mutual Authentication Required

Flag that specifies whether two-way authentication is required.

Valid values include:

  • Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.

  • Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.

19.3.29 Name Identifier Format

Specifies the type of format to be used for the name identifier.

Specify one of the following values:

  • unspecified

  • emailAddress

  • X509SubjectName

  • WindowsDomainQualifiedName

The following assertion templates have the additional value: kerberos:

wss10_saml20_token_client_template, wss_saml20_token_bearer_over_ssl_client_template, wss10_saml20_token_with_message_protection_client_template, wss11_saml20_token_with_message_protection_client_template

Name Identifier Format is applicable only when subject.precedence is set to false. If subject.precedence is false, the user name to create the SAML assertion is obtained from the csf-key property or the username property (see "Configure the Username for the SAML Assertion"). The format of the user name must be the same as the format set in Name Identifier Format.

If subject.precedence is true, the user name to create the SAML assertion is obtained from the Subject. In this case, the Name Identifier Format is always "unspecified" and this cannot be changed by setting Name Identifier Format.

19.3.30 Nonce Required

Flag that specifies whether a nonce must be included with the username to prevent replay attacks.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

19.3.31 Password Type

Type of password required.

Valid values are:

  • none—No password.

  • plaintext—Password in clear text.

  • digest—Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

If you specify a password type of None, you do not need to include a password in the key.

Note:

If you do not use a digest password, policies created using this template are not secure; plaintext transmits the password in clear text. You should use this assertion without a digest password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_client_template".

19.3.32 Permissions

Role- and permission-based policies use the guard element (see "orawsp:guard") to define resource, action, and constraint match values. These values allow the assertion execution only if the result of the guard is true: the assertion is allowed to execute only if the accessed resource name and action both match.

By default, resource name and action use the wildcard asterisk "*" and everything is allowed.

19.3.33 Permission Class

Class used for the permission-based checking. For example, oracle.wsm.security.WSFunctionPermission.

You have the option to change the permission_class configuration property for the policy, which identifies the permission class as per JAAS standards. The permission class must be available in the application or server classpath.

The custom permission class must extend the abstract Permission class and implement the Serializable interface. See the Javadoc at http://docs.oracle.com/javase/7/docs/api/java/security/Permission.html.

The default is oracle.wsm.security.WSFunctionPermission.

19.3.34 Port Endpoint

The endpoint of the STS Web service. For a WSDL 2.0 STS, the format is specified as target-namespace#wsdl.endpoint(service-name/port-name). For example, http://samples.otn.com.LoanFlow#wsdl.endpoint(LoanFlowService/LoanFlowPort). For a WSDL 1.1 STS, the format is specified as targetnamespace#wsdl11.endpoint(servicename/portname). For example, http://samples.otn.com.LoanFlow#wsdl11.endpoint(LoanFlowService/LoanFlowPort).

19.3.35 Port URI

The actual endpoint URI of the STS port. For example, http://host:port/context-root/service1.

19.3.36 Re-authenticate

You can enable the re-authenticate control only for SAML sender vouches policies when the propagate.identity.context configuration attribute is set to True, as described in "When to Use Re-Authentication" in Understanding Oracle Web Services Manager.

19.3.37 Recipient Encryption Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

19.3.38 Recipient Sign Key Reference Mechanism

Mechanism used when signing the receipt. Valid values are the same as for "Sign Key Reference Mechanism".

19.3.39 Request

Requirements for logging request messages.

The valid values are:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

19.3.40 Request Message Settings

See Table 19-113.

19.3.41 Request XPaths

Optional element. A comma-separated list of XPaths for the request. Default value is blank.

19.3.42 Request Namespaces

Optional element. A comma-separated list of namespaces for the request, where each namespace has a prefix and URI separated by the equals sign. Default value is blank.

19.3.43 Require Applies To

Optional element in the RST. If present, OWSM sends the endpoint address of the Web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS.

19.3.44 Require Client Entropy

If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.

19.3.45 Require External Reference

Indicates whether external reference to the token is required.

19.3.46 Require Internal Reference

Indicates whether internal reference to the token is required.

19.3.47 Require Server Entropy

If a symmetric proof key is required by the Web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The Web service policy can indicate whether client entropy, STS entropy, or both are required.

19.3.48 Resource Match

Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.
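To show how the Resource Match and Action Match patterns and a Constraint Match expression (the messageContext properties and the ==, !=, &&, || and ! operators from "Constraint Match") combine into one guard decision, here is an added example that is not OWSM code. It assumes "internal" and "external" as the requestOrigin literals, treats a blank pattern like "*", and uses constructed resource and action names.

```python
"""Added example (not OWSM code): evaluate a guard's Resource, Action and Constraint Match settings."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class MessageContext:
    """The two messageContext properties the constraint language exposes."""
    authenticationMethod: str  # the page lists SAML_SV as the valid value
    requestOrigin: str         # "internal" / "external" are assumed literals


# Tokens: == != && || ! ( ) "string literals" and dotted property names.
_TOKEN = re.compile(r'\s*(==|!=|&&|\|\||[!()]|"[^"]*"|[A-Za-z_][\w.]*)')


def tokenize(expr: str) -> list:
    if not re.fullmatch(rf"(?:{_TOKEN.pattern})*\s*", expr):
        raise ValueError(f"malformed constraint expression: {expr!r}")
    return _TOKEN.findall(expr)


class _Parser:
    """Precedence ! > (==, !=) > && > ||; comparisons are property-vs-literal and case sensitive."""

    def __init__(self, tokens, ctx):
        self.toks, self.pos, self.ctx = tokens, 0, ctx

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "||":
            self.take()
            rhs = self.and_expr()  # parsed even when value is already True
            value = value or rhs
        return value

    def and_expr(self):
        value = self.not_expr()
        while self.peek() == "&&":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self):
        if self.peek() == "!":
            self.take()
            return not self.not_expr()
        if self.peek() == "(":
            self.take()
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        left, op, right = self.operand(), self.take(), self.operand()
        if op not in ("==", "!="):
            raise ValueError(f"expected == or != but found {op!r}")
        return left == right if op == "==" else left != right

    def operand(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok.startswith('"'):
            return tok[1:-1]
        if tok in ("messageContext.authenticationMethod", "messageContext.requestOrigin"):
            return getattr(self.ctx, tok.split(".", 1)[1])
        raise ValueError(f"unknown property {tok!r}")


def eval_constraint(expr: str, ctx: MessageContext) -> bool:
    """A blank Constraint Match (the template default) imposes no constraint."""
    expr = expr.strip()
    if not expr:
        return True
    parser = _Parser(tokenize(expr), ctx)
    result = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result


def _matches(pattern: str, value: str) -> bool:
    # "*" is the documented wildcard; treating a blank pattern as "*" is an assumption.
    return fnmatchcase(value, pattern.strip() or "*")


def guard_allows(resource_match: str, action_match: str, constraint_match: str,
                 resource: str, action: str, ctx: MessageContext) -> bool:
    """Allow only if resource, one comma-separated action pattern, and the constraint all match."""
    if not _matches(resource_match, resource):
        return False
    if not any(_matches(p, action) for p in action_match.split(",")):
        return False
    return eval_constraint(constraint_match, ctx)
```

With the "*" defaults and a blank constraint, guard_allows returns True for every resource and action, which is the "everything is allowed" behaviour the Permissions setting describes; narrowing Resource Match and Action Match is what actually restricts the assertion.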

19.3.49 Response

Requirements for logging response messages. The valid values are the same as for Request above.

19.3.50 Response Message Settings

See Table 19-113.

19.3.51 Response Namespaces

Optional element. A comma-separated list of namespaces, where each namespace has a prefix and URI separated by the equals sign. Default value is blank.

19.3.52 Response XPaths

Optional element. A comma-separated list of XPaths for the response. Default value is blank.

19.3.53 Roles

Specifies the roles that are authorized.

The valid values are:

  • Permit All—Permit users with any roles.

  • Deny All—Deny all users with roles.

  • Selected Roles—Permit selected roles.

To add roles:

  1. Click Add.

  2. To add roles, click the checkbox next to each role you want to add in the Roles Available column and click Move. To add all roles, click Move All.

    To remove roles, click the checkbox next to each role you want to remove in the Roles Selected to Add column, and click Remove. To remove all roles, click Remove All.

    To search for roles, enter a search string in the Role Name search box and click the go arrow. The Roles Available column is updated to include only those roles that match the search string.

  3. Click OK.

To delete roles:

  1. Select the role that you want to delete in the Selected Roles list.

  2. Click Delete.

19.3.54 Server Entropy

This is used as key material for the requested proof token for Secure Conversation.

19.3.55 Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—The X.509 token (the certificate itself) is included in the request.

  • ski—The Subject Key Identifier (SKI) extension value of the X.509 certificate is used to reference the certificate. (Some certificates do not carry this extension.) The recipient looks in its keystore for a certificate with a matching SKI and validates the signature against it.

  • issuerserial—A composite key of the issuer name and serial number attributes is used to reference the X.509 certificate. The recipient looks in its keystore for a certificate with a matching issuer name and serial number and validates the signature against it.

  • thumbprint—The SHA-1 fingerprint of the certificate contents is used as the reference, which keeps the reference small. This property is valid only for the following templates: oracle/wss11_saml_token_with_message_protection_client_template, oracle/wss11_saml20_token_with_message_protection_client_template, oracle/wss11_x509_token_with_message_protection_client_template, oracle/wss11_sts_issued_saml_with_message_protection_client_template, oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template.

With ski, issuerserial and thumbprint the certificate itself is not sent, so the recipient must already hold the signer's certificate in its keystore; only direct carries the certificate in the message.

19.3.56 Sign Then Encrypt

Flag that specifies whether the request is signed and then encrypted.

19.3.57 Token Type

SAML token type. The only valid value is: 1.1.

19.3.58 Transport Layer Security

Flag that specifies whether Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS), is enabled at the transport layer. This documentation uses the two names interchangeably.

19.3.59 Transport Layer Security—Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

19.3.60 Transport Layer Security—Mutual Authentication Required

Flag that specifies whether two-way authentication is required.

Valid values include:

  • Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.

  • Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.

19.3.61 Version

SAML or Secure Conversation version.

19.3.62 Trust Version

WS-Trust version.

19.3.63 Use Derived Keys

Flag that specifies whether derived keys should be used.

19.3.64 Use PKI Path

Flag that specifies whether X509PKIPathV1 tokens should be processed and propagated.

19.3.65 WSDL Exists

The actual endpoint URI of the WSDL.

19.4 Assertion Template Configuration Properties Reference

The following sections summarize the configuration properties that can be set for the predefined assertion templates; settings are listed alphabetically.

Note:

Not all configuration properties apply to all assertion templates.

19.4.1 algorithm

The key derivation algorithm, which should be PBKDF2.

19.4.2 application.name

The application name defined in OES. Value can be static or dynamic that uses ${} notation.

19.4.3 attesting.mapping.attribute

The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies.

19.4.4 caller.principal.name

Client's principal name as generated using the ktpass command and mapped to the username for which the kerberos token should be generated. Use the following format: <username>@<REALM NAME>.

Note: keytab.location and caller.principal.name are required for propagating client identity for Java EE applications.

19.4.5 credential.delegation

Flag that specifies whether Credential Delegation with Forwarded TGT is supported. For more information, see "Configuring Credential Delegation". This value is false by default.

19.4.6 csf-key

Credential Store Key that maps to a username and password in the OPSS identity store. For information about how to add the key to the credential store, see "Adding Keys and User Credentials to the Credential Store".

19.4.7 encryption-algorithm

The data encryption algorithm. It should be in the form algorithm/mode/padding.

19.4.8 execute.action

Optional property. Action that will be used during real authorization. Value can be static or dynamic that uses ${} notation.

19.4.9 ignore.timestamp.in.response

Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is false). If set to true, then the timestamp is not required in the response message; if the timestamp is present, it is ignored.

The timestamp is what lets the client detect a replayed response, so Oracle does not recommend setting this property to true except to work around an interoperability problem with a peer that does not return a timestamp.
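
The following Python script is an added example, not OWSM code, and models the check that ignore.timestamp.in.response switches off (the same timestamp that the Include Timestamp setting adds on the sending side). It reads the wsu:Timestamp from a response's WS-Security header and rejects the message when the timestamp is missing, not yet valid, or already expired. The functions build_envelope, parse_utc and check_timestamp are this example's own names, the SOAP messages are constructed inside the block, the five-minute clock-skew tolerance is an assumption rather than an OWSM default, and the receive time is passed in so the check is deterministic.

```python
"""Replay-window check for the wsu:Timestamp in a WS-Security header.

Added example (not OWSM code). Namespace URIs are the OASIS WSS 1.0
utility and secext namespaces used in WS-Security headers.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Assumed tolerance for clock drift between peers; not an OWSM default.
DEFAULT_CLOCK_SKEW = timedelta(seconds=300)


def build_envelope(created=None, expires=None):
    """Construct a minimal SOAP response for the examples (sample data)."""
    ts = ""
    if created is not None:
        ts = f'<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created>'
        if expires is not None:
            ts += f"<wsu:Expires>{expires}</wsu:Expires>"
        ts += "</wsu:Timestamp>"
    return (f'<S:Envelope xmlns:S="{SOAP}"><S:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">{ts}</wsse:Security>'
            "</S:Header><S:Body/></S:Envelope>")


def parse_utc(text):
    """Parse an xsd:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    value = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if value.tzinfo is None:          # no zone given: treat as UTC
        value = value.replace(tzinfo=timezone.utc)
    return value


def check_timestamp(envelope_xml, now, ignore_timestamp=False,
                    clock_skew=DEFAULT_CLOCK_SKEW):
    """Return (accepted, reason) for a response received at `now`.

    ignore_timestamp mirrors ignore.timestamp.in.response: when True the
    timestamp is neither required nor evaluated, which is the replay window
    the property opens.
    """
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ignore_timestamp:
        return True, "timestamp not evaluated (ignore.timestamp.in.response=true)"
    if ts is None:
        return False, "timestamp missing"
    created = ts.find(f"{{{WSU}}}Created")
    if created is None or not created.text:
        return False, "Created missing"
    created_at = parse_utc(created.text)
    if created_at - clock_skew > now:
        return False, "Created is in the future"
    expires = ts.find(f"{{{WSU}}}Expires")
    if expires is not None and expires.text:
        expires_at = parse_utc(expires.text)
        if expires_at <= created_at:
            return False, "Expires is not after Created"
        if expires_at + clock_skew <= now:
            return False, "timestamp expired"
    return True, "timestamp valid"


if __name__ == "__main__":
    fresh = build_envelope("2024-05-01T12:00:00Z", "2024-05-01T12:05:00Z")
    for when in ("2024-05-01T12:02:00Z", "2024-05-01T12:20:00Z"):
        print(when, check_timestamp(fresh, parse_utc(when)))
    received = parse_utc("2024-05-01T12:02:00Z")
    print("no timestamp", check_timestamp(build_envelope(), received))
    print("no timestamp, ignored",
          check_timestamp(build_envelope(), received, ignore_timestamp=True))
```

The first branch of check_timestamp is the one to look at: once the flag is set, neither a missing nor an expired timestamp causes a rejection, so a captured response can be replayed to the client for as long as the rest of the message (signature, encryption) still verifies.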

19.4.10 issued.token.caching

Controls whether OWSM requests a token lifetime when obtaining an issued token from a security token service (STS). When issued.token.caching is set to true, OWSM requests a token lifetime for returned tokens for the period specified by issued.token.lifetime. When it is set to false, OWSM does not request a token lifetime.

If the STS returns a token lifetime value different from the requested issued.token.lifetime value, OWSM uses the return value as the period for caching returned tokens. It the STS returns an empty token lifetime value, OWSM does not cache returned tokens despite issued.token.caching being set to true.

19.4.11 issued.token.lifetime

The time in milliseconds for OWSM to request as the token lifetime when obtaining an issued token from a security token service (STS). The domain default for this value is 28800000 milliseconds (eight hours). For information about how to change this default value, see "Configuring the Lifetime for the Issued Token Using Fusion Middleware Control".

19.4.12 iteration

The iteration count for key derivation.

19.4.13 keysize

The size of the key for key derivation.

19.4.14 keytab.location

Location of the client's keytab file.

19.4.15 keystore.enc.csf.key

The alias and password used for storing the decryption key password in the keystore.

If you set this value you then can override keystore.enc.csf.key, as described in "Overview of Policy Configuration Overrides".

If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores.

19.4.16 keystore.recipient.alias

Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. For information about overriding policies, see "Overview of Policy Configuration Overrides".

19.4.17 keystore.sig.csf.key

The alias and password used for storing the signature key password in the keystore. This property allows you to specify the signature key at the attachment level instead of at the domain level. This key is used when generating the enveloping signature, as controlled by the saml.envelope.signature.required flag.

19.4.18 lookup.action

Optional property. Action that will be used during attributes lookup. Value can be static or dynamic that uses ${} notation.

19.4.19 on.behalf.of

Optional property. Override this property to indicate whether the request is on behalf of another entity. The default value for this flag is false.

When set to true and sts.auth.on.behalf.of.csf.key is configured, then it will be given preference and the identity established using that CSF key will be sent in the onBehalfOf token. If the sts.auth.on.behalf.of.username.only property is also set to true, the password portion of the identity in the CSF key will not be sent in the onBehalfOf token.

Otherwise, if the subject is already established, then the username from the subject will be sent as the onBehalfOf token.

If sts.auth.on.behalf.of.csf.key is not set and the subject does not exist, on.behalf.of is treated as a token exchange for the requestor and not for another entity. It is not included in an onBehalfOf element in the request.

19.4.20 propagate.identity.context

Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. For more information, see "Using SAML Policies to Propagate Identity Context".

19.4.21 realm

HTTP Realm.

19.4.22 reference.priority

Note:

This property has no effect when defined as an unscoped override using the setWSMPolicySetOverride command. For more information, see "setWSMPolicySetOverride" in WLST Command Reference for Infrastructure Components.

Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.

The value of reference.priority can be any integer between -2^31 and 2^31 - 1 (the range of a signed 32-bit integer). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that has no value, or a non-numeric value, is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", it is treated as 1.

For more information, see "Specifying the Priority of a Policy Attachment".
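
The following Python script is an added example, not OWSM code, and models the value rules just described: parse_priority turns a raw reference.priority string into the integer the effective-policy calculation would use (missing or non-numeric to 0, the words yes/true/on to 1, the signed 32-bit range enforced), and winning_attachment picks the attachment that takes precedence. The function names, the sample attachments, and the tie-break that prefers the more specific scope when priorities are equal are this example's own assumptions; the page only states that the highest priority wins irrespective of scope.

```python
"""Model of the reference.priority rules for effective policy calculation.

Added example (not OWSM code). parse_priority follows the value rules in
the text; winning_attachment picks the attachment that takes precedence.
"""
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
BOOLEAN_WORDS = ("yes", "true", "on")

# Assumed tie-break when priorities are equal: the more specific scope wins.
# This ordering is an assumption for the example, not a documented OWSM rule.
SCOPE_SPECIFICITY = {"port": 0, "application": 1, "domain": 2}


def parse_priority(value):
    """Apply the documented rules to a raw reference.priority value."""
    if value is None:
        return 0
    text = str(value).strip()
    if text.lower() in BOOLEAN_WORDS:
        return 1
    try:
        number = int(text)
    except ValueError:
        return 0  # non-numeric is treated as 0
    if not INT32_MIN <= number <= INT32_MAX:
        # Outside the documented range; rejecting it as a configuration
        # error is this example's choice.
        raise ValueError(f"reference.priority {number} is outside the 32-bit signed range")
    return number


def winning_attachment(attachments):
    """Return the attachment that takes precedence.

    attachments: list of dicts with keys 'scope', 'policy' and optionally
    'reference.priority'. Highest priority wins regardless of scope; ties
    fall back to the assumed scope specificity above.
    """
    if not attachments:
        raise ValueError("no attachments")

    def rank(attachment):
        specificity = SCOPE_SPECIFICITY.get(attachment["scope"], len(SCOPE_SPECIFICITY))
        return (parse_priority(attachment.get("reference.priority")), -specificity)

    return max(attachments, key=rank)


if __name__ == "__main__":
    # Constructed attachments: a domain-wide policy set carrying an explicit
    # priority and a direct attachment on the port carrying none.
    conflicting = [
        {"scope": "domain", "policy": "policy-A", "reference.priority": "10"},
        {"scope": "port", "policy": "policy-B"},
    ]
    # policy-A wins: 10 beats the implicit 0, and scope does not matter.
    print(winning_attachment(conflicting)["policy"])
```

The case worth checking in a real deployment is the second attachment above: a direct attachment with no priority is outranked by a policy set anywhere in the hierarchy that sets one, so a priority added at domain scope silently overrides more specific attachments.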

19.4.23 resource.mapping.model

Optional property that switches between different out-of-the-box mapping models. The default value is operation_as_action. Other allowed values are operation_as_resource_hierarchy and lookup_action_fixed_execute_action_as_operation.

19.4.24 resource.name

Optional property. Resource name defined in OES. Value can be static or dynamic that uses ${} notation.

19.4.25 resource.type

Optional property. Resource type defined in OES. Value can be static or dynamic that uses ${} notation.

19.4.26 rm.encrypt.body

Applies to Web service client only. If this is set, the body of protocol request messages such as createSequence() and terminateSequence() are encrypted. The default is that WS-RM protocol messages are not encrypted.

The response message body for protocol messages depends on the request message body: if the request message from the client is encrypted for protocol messages, the Web service sends the response encrypted, and vice versa.

19.4.27 role

SOAP role.

19.4.28 salt

A non-null and non-empty salt for key derivation.
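
The following Python script is an added example, not OWSM code, covering the key-derivation properties algorithm, encryption-algorithm, iteration, keysize and salt together. validate_kdf_config encodes the constraints their descriptions state (algorithm is PBKDF2, salt is non-null and non-empty, encryption-algorithm is written as algorithm/mode/padding) and derive_key runs the derivation with the standard library's PBKDF2. The function names, the two property sets, the iteration floor, the accepted key sizes and the choice of HMAC-SHA256 as the PBKDF2 PRF are this example's assumptions; the page does not state which PRF or minimum iteration count OWSM uses.

```python
"""Validation and use of the PBKDF2 key-derivation properties.

Added example (not OWSM code). The checks encode the constraints the
property descriptions state; the iteration floor, the accepted key sizes
and the HMAC-SHA256 PRF are this example's assumptions.
"""
import hashlib
import re

MIN_ITERATIONS = 100_000            # assumed floor, not an OWSM minimum
ALLOWED_KEYSIZES = (128, 192, 256)  # assumed: AES key lengths in bits
# algorithm/mode/padding, the JCE transformation form the page describes
TRANSFORMATION = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$")

# Constructed property sets; the values are illustrative only.
GOOD_CONFIG = {
    "algorithm": "PBKDF2",
    "salt": "per-deployment-random-salt",
    "iteration": "100000",
    "keysize": "256",
    "encryption-algorithm": "AES/CBC/PKCS5Padding",
}
BAD_CONFIG = {
    "algorithm": "PBKDF2",
    "salt": "",                     # violates "non-null and non-empty"
    "iteration": "10",              # far below the assumed floor
    "keysize": "100",               # not a usable AES key length
    "encryption-algorithm": "AES",  # mode and padding missing
}


def validate_kdf_config(cfg):
    """Return a list of problems; an empty list means the set is usable."""
    problems = []
    if cfg.get("algorithm") != "PBKDF2":
        problems.append("algorithm must be PBKDF2")
    if not cfg.get("salt"):
        problems.append("salt must be non-null and non-empty")
    try:
        iterations = int(cfg.get("iteration", ""))
    except ValueError:
        iterations = 0
    if iterations < MIN_ITERATIONS:
        problems.append(f"iteration {iterations} is below the floor of {MIN_ITERATIONS}")
    try:
        keysize = int(cfg.get("keysize", ""))
    except ValueError:
        keysize = 0
    if keysize not in ALLOWED_KEYSIZES:
        problems.append(f"keysize {keysize} is not one of {ALLOWED_KEYSIZES}")
    if not TRANSFORMATION.match(cfg.get("encryption-algorithm", "")):
        problems.append("encryption-algorithm must be of the form algorithm/mode/padding")
    return problems


def derive_key(password, cfg):
    """Derive keysize bits of key material with PBKDF2-HMAC-SHA256.

    Refuses to run on a property set that fails validation, so a blank salt
    or a tiny iteration count never silently produces a weak key.
    """
    problems = validate_kdf_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        cfg["salt"].encode("utf-8"),
        int(cfg["iteration"]),
        dklen=int(cfg["keysize"]) // 8,
    )


if __name__ == "__main__":
    print("bad config:", validate_kdf_config(BAD_CONFIG))
    key = derive_key("correct horse battery staple", GOOD_CONFIG)
    print(f"{len(key) * 8}-bit key:", key.hex())
```

The derived key is what the encryption-algorithm transformation would consume; the example stops at derivation because the symmetric cipher itself is not in the Python standard library. The salt check matters most in practice: a blank salt makes every deployment that shares a password derive the same key.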

19.4.29 saml.assertion.filename

Name of the SAML token file.

19.4.30 saml.audience.uri

Represents the relying party, as a comma-separated list of URIs. Each URI accepts the following wildcards:

  • * in any location.

  • /* at the end of the URI.

  • .* at the end of the URI.

19.4.31 saml.envelope.signature.required

Flag that specifies whether the bearer token is signed using the domain signature key. You can override the domain signature key using the private signature key configured using keystore.sig.csf.key.

Set this flag false (in both client and service policy) to have the bearer token be unsigned.

19.4.32 saml.issuer.name

SAML issuer URI. For more information, see "Adding an Additional SAML Assertion Issuer Name".

19.4.33 saml.trusted.issuers

A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level.

19.4.34 sc.token.lifetime

Secure Conversation token lifetime in milliseconds. The security context is shared by the client and the Web service for the lifetime of a communication session; this value is the time after which the security context token (SCT) expires.

19.4.35 service.principal.name

Kerberos principal name that identifies the service.

19.4.36 subject.precedence

Set subject.precedence to false to allow the use of a client-specified username rather than the authenticated subject.

If subject.precedence is true, the user name used to create the SAML assertion is obtained only from the Subject. Conversely, if subject.precedence is false, the user name is obtained only from the csf-key username property.

19.4.37 sts.auth.caller.principal.name

Client's principal name as generated using the ktpass command and mapped to the username for which the kerberos token should be generated. It is of the format <username>@<REALM NAME>.

19.4.38 sts.auth.keytab.location

Location of the client's keytab file.

19.4.39 sts.auth.on.behalf.of.csf.key

Optional property. Use to configure the on-behalf-of entity. If present, it is given preference over the Subject (if one exists). For information about the on-behalf-of entity, see "on.behalf.of".

19.4.40 sts.auth.on.behalf.of.username.only

Optional property. Use to configure the on-behalf-of entity when sts.auth.on.behalf.of.csf.key is specified; when true, only the username from that CSF key is sent, not the password. For information about the on-behalf-of entity, see "on.behalf.of".

19.4.41 sts.auth.service.principal.name

Principal name for the Web service that needs to be protected. It is of the format <service>/<host name>@<REALM NAME>, where the first component is the service class and the second is the host on which the service runs. For example, HTTP/mymachine@MYREALM.COM.

19.4.42 sts.auth.user.csf.key

Use to configure username/password to authenticate to the STS.

If policy-reference-uri in the oracle/sts_trust_config_template client assertion template points to a username-based policy, then you configure the sts.auth.user.csf.key property to specify a username/password to authenticate to the STS.

19.4.43 sts.auth.x509.csf.key

Use to configure X509 certificate for authenticating to the STS.

If policy-reference-uri in the oracle/sts_trust_config_template client assertion template points to an x509-based policy, then you configure the sts.auth.x509.csf.key property to specify the X509 certificate for authenticating to the STS.

19.4.44 sts.in.order

Use in Web Services Federation cases to specify the STSes in the trust chain, from the RP-STS that the Web service trusts back to the IP-STS against which the Web client authenticates.

Set the value of sts.in.order to a comma-separated list of the STS URIs to be contacted, starting with the RP-STS and ending with the IP-STS.

For more information about using this property, see "Configuring Web Services Federation".

19.4.45 sts.keystore.recipient.alias

The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.

19.4.46 use.single.step

Optional property. Set value to true to skip lookup phase. Does not apply to masking policy.

19.4.47 user.attributes

User attributes related to the principal of the SAML token.

Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The OWSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion.

Requires that the Subject is available and subject.precedence is set to true.

A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement.

The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must, therefore, exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider in WebLogic Server".

If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.

19.4.48 user.roles.include

User roles to be included.

When set to true, OWSM reads the roles of the user from the user repository (LDAP) and propagates them as SAML attributes.

19.4.49 user.tenant.name

Reserved for use with Oracle Cloud.