2 Interoperability with OWSM 10g Security Environments

Oracle Web Services Manager (OWSM) is interoperable with OWSM 10g security environments. Policies that conform to the WS-Security 1.0 standard are attached to web services, to achieve the interoperability between OWSM security environments.


2.1 Overview of Interoperability with OWSM 10g Security Environments

The following topics describe the OWSM 10g and 12c policy steps, the interoperability scenarios, and OWSM 10g gateways.

2.1.1 OWSM 10g Policy Steps

With OWSM 10g, you specify policy steps at each policy enforcement point.

The policy enforcement points in OWSM 10g include Gateways and Agents. Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the web service request or response. For more details about the OWSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG.

2.1.2 OWSM Predefined Policies

With OWSM 12c, you attach policies to web service endpoints.

Each policy consists of one or more assertions, defined at the domain level, that define the security requirements. A set of predefined policies and assertions is provided out-of-the-box.


2.1.3 Interoperability Scenarios

Table 2-1 and Table 2-2 summarize the most common OWSM 10g interoperability scenarios, based on the following security requirements: authentication, message protection, and transport.

Note:

For the scenarios in Table 2-1 and Table 2-2, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
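A quick way to verify the note above before wiring up either side is to read the version field of each certificate you exported from the keystore. The following added example (not from the Oracle documentation) parses just the leading DER fields of an X.509 certificate and reports aliases that are not v3; the two sample certificates are constructed, minimal DER structures rather than real certificates, and the alias names are invented.

```python
"""Check that keystore certificates are X.509 v3 (RFC 5280 structure).

Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... }, ... }
When the [0] element is absent the certificate is v1, which is what an old
keytool emits by default. Export each entry with keytool -exportcert (DER or
-rfc for PEM) and feed the bytes to x509_version or non_v3_aliases.
"""
import base64
import re


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM CERTIFICATE armor (keytool -rfc output) and decode the body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def x509_version(der: bytes) -> int:
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    tag, tbs_start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, v_start, v_end = _read_tlv(der, tbs_start)
    if tag != 0xA0:  # context-specific [0] absent: version DEFAULTs to v1
        return 1
    itag, i_start, i_end = _read_tlv(der, v_start)
    if itag != 0x02 or i_end != v_end:
        raise ValueError("malformed version field")
    return int.from_bytes(der[i_start:i_end], "big") + 1  # encoded 0..2 -> v1..v3


def non_v3_aliases(certs_by_alias: dict) -> list:
    """Return the keystore aliases whose certificate is not X.509 v3."""
    return sorted(alias for alias, der in certs_by_alias.items() if x509_version(der) != 3)


# Constructed samples: only the leading fields that the version check reads.
SERIAL = _tlv(0x02, b"\x01")
V3_CERT = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + SERIAL))
V1_CERT = _tlv(0x30, _tlv(0x30, SERIAL))  # no [0] version element -> v1
V3_PEM = ("-----BEGIN CERTIFICATE-----\n"
          + base64.b64encode(V3_CERT).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Invented aliases standing in for the two sides of an interoperability setup.
    store = {"owsm12c": V3_CERT, "legacy10g": V1_CERT}
    print("aliases that are not v3:", non_v3_aliases(store))
```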

Section 2.1.4 and Section 2.1.5 provide additional interoperability information about using OWSM 10g Gateways and third-party software with OWSM 12c.

Table 2-1 OWSM 10g Service Policy and OWSM 12c Client Policy Interoperability

Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy (OWSM 10g policy steps) | Client Policy (OWSM 12c)
---------------|---------------------|--------------------|--------------------|----------------------------------------|-------------------------
Anonymous | 1.0 | Yes | No | Request pipeline: Decrypt and Verify Signature; Response pipeline: Sign Message and Encrypt | oracle/wss10_message_protection_client_policy
Username | 1.0 | Yes | No | Request pipeline: Decrypt and Verify Signature, Extract Credentials (configured as WS-BASIC), File Authenticate; Response pipeline: Sign Message and Encrypt | oracle/wss10_username_token_with_message_protection_client_policy
SAML | 1.0 | Yes | No | Request pipeline: XML Decrypt, SAML—Verify WSS 1.0 Token; Response pipeline: Sign Message and Encrypt | oracle/wss10_saml_token_with_message_protection_client_policy
Mutual Authentication | 1.0 | Yes | No | Request pipeline: Decrypt and Verify; Response pipeline: Sign Message and Encrypt | oracle/wss10_x509_token_with_message_protection_client_policy
Username over SSL | 1.0 and 1.1 | No | Yes | Request pipeline: Extract Credentials, File Authenticate | wss_username_token_over_ssl_client_policy
SAML over SSL | 1.0 and 1.1 | No | Yes | Request pipeline: Extract Credentials, File Authenticate | oracle/wss_saml_token_over_ssl_client_policy

Table 2-2 OWSM 12c Service Policy and OWSM 10g Client Policy Interoperability

Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy (OWSM 12c) | Client Policy (OWSM 10g policy steps)
---------------|---------------------|--------------------|--------------------|---------------------------|--------------------------------------
Anonymous | 1.0 | Yes | No | oracle/wss10_message_protection_service_policy | Request pipeline: Sign Message and Encrypt; Response pipeline: Decrypt and Verify Signature
Username | 1.0 | Yes | No | oracle/wss10_username_token_with_message_protection_service_policy | Request pipeline: Sign Message and Encrypt; Response pipeline: Decrypt and Verify Signature
SAML | 1.0 | Yes | No | oracle/wss10_saml_token_with_message_protection_service_policy | Request pipeline: Extract Credentials (configured as WS-BASIC), SAML—Insert WSS 1.0 Sender-Vouches Token, Sign and Encrypt; Response pipeline: Decrypt and Verify Signature
Mutual Authentication | 1.0 | Yes | No | oracle/wss10_x509_token_with_message_protection_service_policy | Request pipeline: Sign Message and Encrypt; Response pipeline: Decrypt and Verify Signature
Username over SSL | 1.0 and 1.1 | No | Yes | wss_username_token_over_ssl_service_policy | N/A
SAML over SSL | 1.0 and 1.1 | No | Yes | oracle/wss_saml_token_over_ssl_service_policy | Request pipeline: Extract Credentials, SAML—Insert WSS 1.0 Sender-Vouches Token

2.1.4 About OWSM 10g Gateways

Oracle Fusion Middleware 12c does not include a Gateway component. You can continue to use the OWSM 10g Gateway components with OWSM 10g policies in your applications.

2.1.5 About Third-party Software

OWSM 10g supports policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss.

Oracle Fusion Middleware 12c only supports Oracle WebLogic Server. You can continue to use the third-party application servers with OWSM 10g policies.

2.2 Anonymous Authentication with Message Protection (WS-Security 1.0)

The Anonymous Authentication with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.

2.2.1 Configuring an OWSM 12c Web Service and an OWSM 10g Client (Anonymous Authentication)

Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard.

2.2.1.1 Configuring OWSM 12c Web Service (Anonymous Authentication)

Follow these steps to configure OWSM 12c Web Service:

  1. Clone the following policy: oracle/wss10_message_protection_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  3. Attach the policy to a web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

2.2.1.2 Configuring OWSM 10g Client (Anonymous Authentication)

Follow these steps to configure OWSM 10g client:

  1. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step to the request pipeline: Sign Message and Encrypt.

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    1. Set Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step to the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, by configuring the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Navigate to the OWSM Test page and enter the virtualized URL of the web service.

  7. Invoke the web service.
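The algorithm and timestamp settings chosen in the two procedures above appear on the wire as XML Encryption algorithm URIs and WS-Security header elements, which is where interoperability failures are usually diagnosed. The following added example (not from the Oracle documentation or OWSM itself) checks a captured SOAP message for exactly those settings: RSA-OAEP-MGF1P key transport, AES-128 data encryption, a signature present, and no Timestamp since Include Timestamp is disabled; the two envelopes are constructed, abbreviated samples with placeholder cipher values.

```python
"""Check a WS-Security 1.0 message against the interoperability settings in this chapter."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML Encryption URIs for the two algorithm settings the procedures prescribe.
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"


def check_message_protection(envelope_xml: str) -> dict:
    """Return the algorithms found plus every deviation from the expected configuration."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return {"ok": False, "key_transport": [], "data_encryption": [],
                "problems": ["no wsse:Security header"]}
    problems = []
    # Key transport: the EncryptedKey element lives in the security header.
    key_algs = [e.get("Algorithm") for e in
                security.iterfind(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)]
    # Data encryption: EncryptedData normally replaces the Body content.
    data_algs = [e.get("Algorithm") for e in
                 root.iterfind(".//xenc:EncryptedData/xenc:EncryptionMethod", NS)]
    if not key_algs:
        problems.append("no xenc:EncryptedKey in the security header")
    problems += [f"key transport is {a}, expected RSA-OAEP-MGF1P"
                 for a in key_algs if a != RSA_OAEP_MGF1P]
    if not data_algs:
        problems.append("no xenc:EncryptedData in the message")
    problems += [f"data encryption is {a}, expected AES-128"
                 for a in data_algs if a != AES128_CBC]
    if security.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature in the security header")
    if security.find("wsu:Timestamp", NS) is not None:
        problems.append("wsu:Timestamp present, but Include Timestamp is disabled in this scenario")
    return {"ok": not problems, "key_transport": key_algs,
            "data_encryption": data_algs, "problems": problems}


# Constructed samples. "Q09OU1RSVUNURUQ=" is just base64 of "CONSTRUCTED".
_HEAD = ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
         'xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">' % NS)
_KEY = ('<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="%s"/>'
        '<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>'
        '</xenc:EncryptedKey>')
_SIG = ('<ds:Signature><ds:SignedInfo/><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue>'
        '</ds:Signature>')
_BODY = ('<soap:Body><xenc:EncryptedData><xenc:EncryptionMethod Algorithm="%s"/>'
         '<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>'
         '</xenc:EncryptedData></soap:Body></soap:Envelope>')

# Matches the procedures: RSA-OAEP-MGF1P, AES-128, signed, no Timestamp.
GOOD_ENVELOPE = (_HEAD + "<soap:Header><wsse:Security>" + _KEY % RSA_OAEP_MGF1P + _SIG
                 + "</wsse:Security></soap:Header>" + _BODY % AES128_CBC)
# Deviates twice: a Timestamp was included and AES-256 was used for the data.
BAD_ENVELOPE = (_HEAD + "<soap:Header><wsse:Security>"
                "<wsu:Timestamp><wsu:Created>2000-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>"
                + _KEY % RSA_OAEP_MGF1P + _SIG + "</wsse:Security></soap:Header>"
                + _BODY % "http://www.w3.org/2001/04/xmlenc#aes256-cbc")

if __name__ == "__main__":
    for name, env in (("good", GOOD_ENVELOPE), ("bad", BAD_ENVELOPE)):
        result = check_message_protection(env)
        print(name, "ok" if result["ok"] else result["problems"])
```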

2.2.2 Configuring an OWSM 10g Web Service and an OWSM 12c Client (Anonymous Authentication)

Follow these procedures to configure the OWSM 10g web service and an OWSM 12c client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard.

2.2.2.1 Configuring OWSM 10g Web Service (Anonymous Authentication)

Follow these steps to configure OWSM 10g web service:

  1. Register the web service with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Decrypt and Verify Signature.

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline by configuring the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  5. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    1. Set Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

2.2.2.2 Configuring OWSM 12c Client (Anonymous Authentication)

Follow these steps to configure the OWSM 12c client:

  1. Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.

  2. Clone the following policy: oracle/wss10_message_protection_client_policy.

  3. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  4. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. Configure the policy.

    For more information, see "oracle/wss10_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  6. Invoke the web service.

2.3 Username Token with Message Protection (WS-Security 1.0)

The Username Token with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.

2.3.1 Configuring an OWSM 12c Web Service and an OWSM 10g Client (Username Token)

Follow these procedures to configure the OWSM 12c web service and an OWSM 10g client to implement username token with message protection that conforms to the WS-Security 1.0 standard.

2.3.1.1 Configuring OWSM 12c Web Service (Username Token)

Follow these steps to configure OWSM 12c Web Service:

  1. Clone the following policy: oracle/wss10_username_token_with_message_protection_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  3. Attach the policy to a web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

2.3.1.2 Configuring OWSM 10g client (Username Token)

Follow these steps to configure the OWSM 10g client:

  1. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step to the request pipeline: Sign Message and Encrypt.

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    1. Set Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Set Encrypted Content to ENVELOPE.

    4. Set Signed Content to ENVELOPE.

    5. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step to the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    1. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Navigate to the OWSM Test page and enter the virtualized URL of the web service.

  7. Select the Include Header checkbox against WS-Security and provide valid credentials.

  8. Invoke the web service.

2.3.2 Configuring an OWSM 10g Web Service and an OWSM 12c Client (Username Token)

Follow these procedures to configure the OWSM 10g web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.0 standard.

2.3.2.1 Configuring OWSM 10g Web Service (Username Token)

Follow these steps to configure OWSM 10g Web Service:

  1. Register the web service with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    1. Decrypt and Verify Signature

    2. Extract Credentials (configured as WS-BASIC)

    3. File Authenticate

    Note:

    You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    1. Configure the keystore properties for extracting credentials. The configuration should be in accordance with the keystore used on the server side.

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    1. Set the Credentials location to WS-BASIC.

  5. Configure the File Authenticate policy step in the request pipeline to use valid credentials.

  6. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  7. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    1. Set Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

2.3.2.2 Configuring OWSM 12c Client (Username Token)

Follow these steps to configure the OWSM 12c Client:

  1. Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.

  2. Clone the following policy: oracle/wss10_username_token_with_message_protection_client_policy

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.


  4. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. Configure the policy.

    For more information, see "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  6. Invoke the web service.

2.4 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The SAML Token (Sender Vouches) with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.

2.4.1 Configuring an OWSM 12c Web Service and an OWSM 10g Client (SAML Token)

Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard.

2.4.1.1 Configuring OWSM 12c Web Service (SAML Token)

Follow these steps to configure OWSM 12c Web Service:

  1. Clone the following policy: oracle/wss10_saml_token_with_message_protection_service_policy.

    Note:

    Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

  2. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  3. Attach the policy to the web service.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

2.4.1.2 Configuring OWSM 10g Client (SAML Token)

Follow these steps to configure the OWSM 10g Client:

  1. Register the web service with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    1. Extract Credentials (configured as WS-BASIC)

    2. SAML—Insert WSS 1.0 Sender-Vouches Token

    3. Sign Message and Encrypt

  3. Configure the Extract Credentials policy step in the request pipeline, as follows:

    1. Set the Credentials location to WS-BASIC.

  4. Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:

    1. Set Subject Name Qualifier to www.oracle.com.

    2. Set Assertion Issuer as www.oracle.com.

    3. Set Subject Format as UNSPECIFIED.

    4. Set other signing properties, as required.

  5. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    1. Set the Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Attach the following policy step in the response pipeline: Decrypt and Verify Signature.

  7. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    1. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  8. Navigate to the OWSM Test page and enter the virtualized URL of the web service.

  9. Select the Include Header checkbox against WS-Security and provide valid credentials.

  10. Invoke the web service.

2.4.2 Configuring an OWSM 10g Web Service and an OWSM 12c Client (SAML Token)

Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard.

2.4.2.1 Configuring OWSM 10g Web Service (SAML Token)

Follow these steps to configure OWSM 10g Web Service:

  1. Register the web service with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    1. XML Decrypt

    2. SAML—Verify WSS 1.0 Token

  3. Configure the XML Decrypt policy step in the request pipeline, as follows:

    1. Configure the keystore properties for XML decryption. The configuration should be in accordance with the keystore used on the server side.

  4. Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:

    1. Set the Trusted Issuer Name as www.oracle.com

  5. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  6. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    1. Set Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

2.4.2.2 Configuring OWSM 12c Client (SAML Token)

Follow these steps to configure OWSM 12c Client:

  1. Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.

  2. Clone the following policy: oracle/wss10_saml_token_with_message_protection_client_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  4. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. Configure the policy.

    For more information, see "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  6. Invoke the web service.

2.5 Mutual Authentication with Message Protection (WS-Security 1.0)

The Mutual Authentication with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.

2.5.1 Configuring an OWSM 12c Web Service and an OWSM 10g Client (Mutual Authentication)

Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard.

2.5.1.1 Configuring OWSM 12c Web Service (Mutual Authentication)

Follow these steps to configure OWSM 12c Web Service:

  1. Clone the following policy: oracle/wss10_x509_token_with_message_protection_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  3. Attach the policy to the web service.

2.5.1.2 Configuring OWSM 10g Client (Mutual Authentication)

Follow these steps to configure the OWSM 10g Client for mutual authentication:

  1. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Sign Message and Encrypt.

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    1. Set Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    1. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Update the following property in the gateway-config-installer.properties file located at ORACLE_HOME/j2ee/oc4j_instance/applications/gateway/gateway/WEB-INF:

    pep.securitysteps.signBinarySecurityToken=true

  7. Restart OWSM 10g Gateway.

  8. Navigate to the OWSM Test page and enter the virtualized URL of the web service.

  9. Invoke the web service.

2.5.2 Configuring an OWSM 10g Web Service and an OWSM 12c Client (Mutual Authentication)

Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard.

2.5.2.1 Configuring OWSM 10g Web Service (Mutual Authentication)

Follow these steps to configure OWSM 10g web service:

  1. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Decrypt and Verify Signature.

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    1. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  5. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    1. Set Encryption Algorithm to AES-128.

    2. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    3. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

2.5.2.2 Configuring OWSM 12c Client (Mutual Authentication)

Follow these steps to configure OWSM 12c Client:

  1. Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.

  2. Clone the following policy: oracle/wss10_x509_token_with_message_protection_client_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  4. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. Configure the policy.

    For more information, see "oracle/wss10_x509_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  6. Invoke the web service.

2.6 Username Token Over SSL

The Username Token over SSL identity token conforms to the WS-Security 1.0 and 1.1 standards. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.

You can implement username token over SSL in the interoperability scenarios described in the following sections.


2.6.1 Configuring an OWSM 12c Web Service and an OWSM 10g Client (Username Token Over SSL)

Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement username token over SSL.

2.6.1.1 Configuring OWSM 12c Web Service (Username Token Over SSL)

Follow these steps to configure OWSM 12c web service:

  1. Configure the server for SSL.

    For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Attach the following policy: wss_username_token_over_ssl_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

2.6.1.2 Configuring OWSM 10g Client (Username Token Over SSL)

Follow these steps to configure OWSM 10g client:

  1. Configure the server for SSL.

    For more information, see "Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm

  2. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Navigate to the OWSM Test page and enter the virtualized URL of the web service.

  4. Select the Include Header checkbox against WS-Security and provide valid credentials.

  5. Invoke the web service.

2.6.2 Configuring an OWSM 10g Web Service and an OWSM 12c Client (Username Token Over SSL)

Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement username token over SSL.

2.6.2.1 Configuring OWSM 10g Web Service (Username Token Over SSL)

Follow these steps to configure OWSM 10g Web Service:

  1. Configure the server for SSL.

    For more information, see "Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm

  2. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the following policy steps to the request pipeline:

    1. Extract Credentials

    2. File Authenticate

    Note:

    You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    1. Configure the Credentials Location as WS-BASIC.

  5. Configure the File Authenticate policy step in the request pipeline with the appropriate credentials.

2.6.2.2 Configuring OWSM 12c Client (Username Token Over SSL)

Follow these steps to configure OWSM 12c Client:

  1. Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway. Ensure that when generating the client, HTTP is specified in the URL along with the HTTP port number.

  2. Clone the following policy: oracle/wss_username_token_over_ssl_client_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  4. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  5. Configure the policy.

    For more information, see "oracle/wss_username_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  6. Invoke the web service.

2.7 SAML Token (Sender Vouches) over SSL (WS-Security 1.0)

The SAML Token (Sender Vouches) over SSL identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.

For more information about:

2.7.1 Configuring an OWSM 12c Web Service and an OWSM 10g Client (SAML Token Over SSL)

Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard.

2.7.1.1 Configuring OWSM 12c Web Service (SAML Token Over SSL)

Follow these steps to configure OWSM 12c Web Service to implement SAML token (sender vouches) over SSL:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  2. Clone the following policy: oracle/wss_saml_token_over_ssl_service_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  4. Attach the policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

2.7.1.2 Configuring OWSM 10g Client (SAML Token Over SSL)

Follow these steps to configure the OWSM 10g Client:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm

  2. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the following policy steps to the request pipeline:

    1. Extract Credentials

    2. SAML—Insert WSS 1.0 Sender-Vouches Token

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    1. Configure the Credentials Location as WS-BASIC.

  5. Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:

    1. Configure the Subject Name Qualifier as www.oracle.com.

    2. Configure the Assertion Issuer as www.oracle.com.

    3. Configure the Subject Format as UNSPECIFIED.

    4. Configure the Sign the assertion as false.

  6. Navigate to the OWSM Test page and enter the virtualized URL of the web service.

  7. Select the Include Header checkbox for WS-Security and provide valid credentials.

  8. Invoke the web service.

2.7.2 Configuring an OWSM 10g Web Service and OWSM 12c Client (SAML Token Over SSL)

Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard.

2.7.2.1 Configuring OWSM 10g Web Service (SAML Token Over SSL)

Follow these steps to configure OWSM 10g Web Service using SAML Token over SSL:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm

  2. Register the web service (above) with the OWSM 10g Gateway.

    For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the policy step: SAML—Verify WSS 1.0 Token

  4. Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:

    1. Under Signature Verification Properties, set Allow signed assertions only to false.

    2. Set the Trusted Issuer Name to www.oracle.com.
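The settings in the steps above are easier to reason about against a concrete message. The following Python is an added example, not OWSM code or part of Oracle's documentation: it parses a WS-Security 1.0 header and applies the two checks that the SAML—Verify WSS 1.0 Token step exposes (Trusted Issuer Name and Allow signed assertions only), and it also reads the UsernameToken that the Extract Credentials step with Credentials Location WS-BASIC consumes in Section 2.6.2, reporting whether a wsu:Timestamp is present (the Include Timestamp setting that the 12c client steps disable). The namespace URIs are the standard OASIS WS-Security 1.0 and SAML 1.1 values; the two SOAP envelopes, the subject name "alice", and the function names are constructed for illustration.

```python
"""Inspect a WS-Security 1.0 header the way the OWSM policy steps above describe.

Added example, not OWSM code. Namespace URIs are the standard OASIS WS-Security 1.0
(2004) and SAML 1.1 values; the SOAP envelopes below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


def _security_header(envelope_xml):
    """Return the wsse:Security header element, or None when the message has none."""
    return ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)


def verify_saml_sender_vouches(envelope_xml, trusted_issuer, allow_signed_only=True):
    """Model the 'SAML - Verify WSS 1.0 Token' step (hypothetical function name):
    check the trusted issuer, the sender-vouches confirmation method and the
    'Allow signed assertions only' switch. Returns a result dict with reasons."""
    result = {"ok": False, "issuer": None, "subject": None, "signed": False, "reasons": []}
    sec = _security_header(envelope_xml)
    if sec is None:
        result["reasons"].append("no wsse:Security header")
        return result
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        result["reasons"].append("no SAML assertion in Security header")
        return result
    result["issuer"] = assertion.get("Issuer")
    # An enveloped XML signature, if present, is a ds:Signature child of the assertion.
    result["signed"] = assertion.find("ds:Signature", NS) is not None
    name_id = assertion.find(".//saml:Subject/saml:NameIdentifier", NS)
    result["subject"] = name_id.text if name_id is not None else None
    methods = [m.text for m in assertion.findall(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
    if result["issuer"] != trusted_issuer:
        result["reasons"].append("issuer %r is not the trusted issuer %r" % (result["issuer"], trusted_issuer))
    if SENDER_VOUCHES not in methods:
        result["reasons"].append("confirmation method is not sender-vouches")
    if allow_signed_only and not result["signed"]:
        result["reasons"].append("assertion is unsigned but only signed assertions are allowed")
    result["ok"] = not result["reasons"]
    return result


def inspect_username_token(envelope_xml):
    """Model what 'Extract Credentials' with Credentials Location WS-BASIC reads
    (hypothetical function name): the wsse:UsernameToken, plus whether a
    wsu:Timestamp is present in the Security header. Returns None if no token."""
    sec = _security_header(envelope_xml)
    token = sec.find("wsse:UsernameToken", NS) if sec is not None else None
    if token is None:
        return None
    username = token.find("wsse:Username", NS)
    password = token.find("wsse:Password", NS)
    # The Type URI ends in '#PasswordText' or '#PasswordDigest'; keep only that fragment.
    ptype = (password.get("Type") or "").rsplit("#", 1)[-1] if password is not None else None
    return {
        "username": username.text if username is not None else None,
        "password_type": ptype,
        "has_timestamp": sec.find("wsu:Timestamp", NS) is not None,
    }


# Constructed sample: an unsigned sender-vouches assertion shaped like the output of the
# 10g 'SAML - Insert WSS 1.0 Sender-Vouches Token' step configured above.
SAML_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
          AssertionID="constructed-0001" Issuer="www.oracle.com" IssueInstant="2024-01-01T00:00:00Z">
        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2024-01-01T00:00:00Z">
          <saml:Subject>
            <saml:NameIdentifier NameQualifier="www.oracle.com"
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

# Constructed sample: a UsernameToken request with Include Timestamp disabled, as the
# 12c client steps in Section 2.6.2 configure it.
USERNAME_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">constructed-secret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

if __name__ == "__main__":
    print(verify_saml_sender_vouches(SAML_REQUEST, "www.oracle.com", allow_signed_only=False))
    print(verify_saml_sender_vouches(SAML_REQUEST, "www.oracle.com"))  # default: signed only
    print(inspect_username_token(USERNAME_REQUEST))
```

With Allow signed assertions only set to false, as in step 4 above, the verifier accepts an assertion that carries no ds:Signature, so the only thing binding the assertion to its sender is the two-way SSL session configured in step 1. The example's `allow_signed_only=False` run shows that acceptance, and the run with the default of `True` shows why the setting has to be relaxed before the 10g client's unsigned token (Sign the assertion set to false in Section 2.7.1.2) will pass.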

2.7.2.2 Configuring OWSM 12c Client (SAML Token Over SSL)

Follow these steps to configure the OWSM 12c Client:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  2. Create a client proxy using the virtualized URL of the web service registered on the OWSM gateway.

  3. Clone the following policy: oracle/wss_saml_token_over_ssl_client_policy.

    For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  4. Edit the policy settings, as follows:

    1. Disable the Include Timestamp configuration setting.

    2. Leave the default configuration set for all other configuration settings.

  5. Attach the policy to the web service client.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  6. Configure the policy.

    For more information, see "oracle/wss_saml_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  7. Invoke the web service.