6 Interoperability with Oracle Service Bus 10g Security Environments

This chapter contains the following sections:

• Overview of Interoperability with Oracle Service Bus 10g Security Environments

• Username Token with Message Protection (WS-Security 1.0)

• SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

• SAML or Username Token Over SSL

• Mutual Authentication with Message Protection (WS-Security 1.0)

6.1 Overview of Interoperability with Oracle Service Bus 10g Security Environments

In Oracle Service Bus 10g, you attach policies to configure your security environment for inbound and outbound requests. Oracle Service Bus uses the underlying WebLogic security framework as building blocks for its security services. For information about configuring and attaching policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

Note:

Ensure that you have downloaded and applied the TYBN and U37Z patches released for Oracle Service Bus 10.3 using the patch tool.

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.

For more details about the predefined policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

For more information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Table 6-1 summarizes the most common Oracle Service Bus 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

For more information about:

• Configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

• Configuring and attaching Oracle Service Bus 10g policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.

Table 6-1 Interoperability With Oracle Service Bus 10g Security Environments

Interoperability Scenario	Client—>Web Service	Oracle WSM 11g Policies	Oracle Service Bus 10g Policies
"Username Token with Message Protection (WS-Security 1.0)"	Oracle Service Bus 10g—>Oracle WSM 11g	oracle/wss10_username_token_with_message_protection_service_policy	Encrypt.xml Sign.xml
"Username Token with Message Protection (WS-Security 1.0)"	Oracle WSM 11g—>Oracle Service Bus 10g	oracle/wss10_username_token_with_message_protection_client_policy	Encrypt.xml Sign.xml
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"	Oracle Service Bus 10g—>Oracle WSM 11g	oracle/wss10_saml_token_with_message_protection_service_policy	Encrypt.xml Sign.xml
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"	Oracle WSM 11g—>Oracle Service Bus 10g	oracle/wss10_saml_token_with_message_protection_client_policy	Encrypt.xml Sign.xml
"SAML or Username Token Over SSL"	Oracle Service Bus 10g—>Oracle WSM 11g	oracle/wss_saml_or_username_token_over_ssl_service_policy	Auth.xml
"Mutual Authentication with Message Protection (WS-Security 1.0)"	Oracle Service Bus 10g—>Oracle WSM 11g	oracle/wss10_x509_token_with_message_protection_service_policy	Encrypt.xml Sign.xml
"Mutual Authentication with Message Protection (WS-Security 1.0)"	Oracle WSM 11g—>Oracle Service Bus 10g	oracle/wss10_x509_token_with_message_protection_client_policy	Encrypt.xml Sign.xml

6.2 Username Token with Message Protection (WS-Security 1.0)

This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:

• "Configuration Prerequisites for Interoperability"

• "Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service"

Configuration Prerequisites for Interoperability

Perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:

1. Copy the default-keystore.jks and trust.jks files to your domain directory.

   The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment.

2. Invoke the WebLogic Administration Console, as described in Accessing Oracle WebLogic Administration Console.

3. Configure the Custom Identity and Custom Trust keystores, as described in "Configuring keystores" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

4. Configure SSL, as described in "Set up SSL" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Specify the private key alias, as required. For example: oratest.

5. Configure a credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

   • Keystore Provider: N/A

   • Keystore Type: jks

   • Keystore File Name: default_keystore.jks

   • Keystore Pass Phrase: <password>

   • Confirm Keystore Pass Phrase: <password>

6. Restart Oracle WebLogic Server.

7. Invoke the OSB Console. For example:

   http://<host name>:<port number>/sbconsole
   

8. Create a ServiceKeyProvider.

9. Specify Encryption Key and Digital Signature Key, as required.

   You must use different keys on the Oracle WSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.

6.2.1 Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service

To configure Oracle Service Bus 10g client and Oracle WSM 11g Web Service, perform the steps described in the following sections:

6.2.1.1 Configuring Oracle WSM 11g Web Service

1. Create a copy of the following policy: wss10_username_token_with_message_protection_service_policy.

   Note:

   Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

   Edit the policy settings, as follows:

   1. Set Encryption Key Reference Mechanism to issuerserial.

   2. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

   3. Enable the Include Timestamp configuration setting.

   4. Set Is Encrypted to false for the Username token element only.

   For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. Attach the policy to the Web service.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

6.2.1.2 Configuring Oracle Service Bus 10g Client

1. Create a copy of the Encrypt.xml and Sign.xml policy files.

   For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

2. Edit the encryption algorithm in myEncrypt.xml file to prevent encryption compliance failure, as follows:

   <wssp:Target>
      <wssp:EncryptionAlgorithm 
        URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
         wsp:Body()
      </wssp:MessageParts>
   </wssp:Target>
   

3. Edit the mySign.xml policy file attached to the Oracle Service Bus business service request only to sign the Username token by including the following target:

   <wssp:Target>
      <wssp:DigestAlgorithm URI=
       "http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts Dialect=
       "http://www.bea.com/wls90/security/policy/wsee#part">
         wls:SecurityHeader(wsse:UsernameToken)
      </wssp:MessageParts>
   </wssp:Target>
   

4. Edit the mySign.xml policy file attached to the Oracle Service Bus business service response only to specify that the security token is unsigned:

   <wssp:Integrity SignToken="false"> 
   

   Also, for SOA clients only, comment out the target for system headers, as shown:

   <!-- wssp:Target>
     <wssp:DigestAlgorithm 
      URI="http://www.w3.org/2000/09/xmldsig#sha1" />
     <wssp:MessageParts 
      Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
      wls:SystemHeaders()
     </wssp:MessageParts>
   </wssp:Target -->
   

5. Invoke the Web service method from the client.

6.2.2 Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service

To configure Oracle WSM 11g client and Oracle Service Bus 10g Web Service, perform the steps described in the following sections:

6.2.2.1 Configuring Oracle Service Bus 10g Web Service

1. Create a copy of the Encrypt.xml and Sign.xml policy files.

   For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

2. Edit the encryption algorithm in the myEncrypt.xml file to prevent encryption compliance failure, as follows:

   <wssp:Target>
      <wssp:EncryptionAlgorithm 
        URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
         wsp:Body()
      </wssp:MessageParts>
   </wssp:Target>
   

3. Edit the mySign.xml policy file attached to the proxy service request only to specify that the security token is unsigned:

   <wssp:Integrity SignToken="false"> 
   

   Also, for SOA clients only, comment out the target for system headers, as shown:

   <!-- wssp:Target>
     <wssp:DigestAlgorithm 
      URI="http://www.w3.org/2000/09/xmldsig#sha1" />
     <wssp:MessageParts 
      Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
      wls:SystemHeaders()
     </wssp:MessageParts>
   </wssp:Target -->
   

4. Create a Web service application that invokes the Oracle Service Bus routing service.

6.2.2.2 Configuring Oracle WSM 11g Client

1. Create a copy of the following policy: wss10_username_token_with_message_protection_client_policy.

   Note:

   Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

   Edit the policy settings, as follows:

   1. Set Encryption Key Reference Mechanism to issuerserial.

   2. Set Recipient Encryption Key Reference Mechanism to issuerserial.

   3. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

   4. Disable the Include Timestamp configuration setting.

   5. Set Is Encrypted to false.

   6. Leave the default configuration set for message signing and encryption.

   For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. Attach the policy to the Web service client.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Invoke the Web service from the client.

6.3 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

This section describes how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:

• "Configuration Prerequisites for Interoperability"

• "Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service"

Configuration Prerequisites for Interoperability

Perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:

1. Copy the default-keystore.jks and trust.jks files to your domain directory.

   The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment.

2. Invoke the WebLogic Administration Console, as described in Accessing Oracle WebLogic Administration Console.

3. Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

4. Restart WebLogic Server to add the new provider to the Administration Server's Runtime MBean server.

5. Select the authentication provider created in step 3.

6. Create and configure a SAML asserting party, as described in "SAML Identity Asserter V2: Create an Asserting Party" and "SAML Identity Asserter V2: Asserting Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Configure the SAML asserting party as follows (leave other values set to the defaults):

   • Profile: WSS/Sender-Vouches

   • Target URL: <OSB Proxy Service Endpoint URI>

   • Issuer URI: www.oracle.com

   Select the Enabled checkbox and click Save.

7. Create a SamlCredentialMapperV2 credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper, for example, UC2_SamlCredentialMapperV2.

8. Restart WebLogic Server.

9. Configure the credential mapper as follows (leave other values set to the defaults):

   • Issuer URI: www.oracle.com

     Note: This value is specified in the policy file.

   • Name Qualifier: oracle.com

10. Create and configure a SAML relying party, as described in "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML relying party as follows (leave other values set to the defaults):

    • Profile: WSS/Sender-Vouches

    • Target URL: <Oracle WSM 11g Web Service>

    • Description: <your_description>

    Select the Enabled checkbox and click Save.

11. Restart WebLogic Server.

6.3.1 Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service

To configure Oracle Service Bus 10g client and Oracle WSM 11g Web Service, perform the steps described in the following sections:

6.3.1.1 Configuring Oracle WSM 11g Web Service

1. Create a copy of the following policy: oracle/wss10_saml_token_with_message_protection_service_policy.

   1. Set Encryption Key Reference Mechanism to issuerserial.

   2. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

   3. Set Is Encrypted to false for the Username token element only.

   4. Leave the default configuration set for message signing and encryption.

   For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. Attach the policy to the Web service.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

6.3.1.2 Configuring Oracle Service Bus 10g Client

1. Create a copy of the Encrypt.xml and Sign.xml policy files.

   For example, to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

2. Edit the encryption algorithm in the myEncrypt.xml file to prevent encryption compliance failure, as follows:

   <wssp:Target>
      <wssp:EncryptionAlgorithm 
        URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
         wsp:Body()
      </wssp:MessageParts>
   </wssp:Target>
   

3. Edit the mySign.xml file attached to the Oracle Service Bus business service request only to sign the SAML assertion by including the following target:

   <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts Dialect=
       "http://www.bea.com/wls90/security/policy/wsee#part">
         wls:SecurityHeader(wsse:Assertion)
      </wssp:MessageParts>
   </wssp:Target>
   

4. Edit the mySign.xml file attached to the Oracle Service Bus business service response only to specify that the security token is unsigned, as follows:

   <wssp:Integrity SignToken="false">
   

   Also, for SOA clients only, comment out the target for system headers, as shown:

   <!-- wssp:Target>
     <wssp:DigestAlgorithm 
      URI="http://www.w3.org/2000/09/xmldsig#sha1" />
     <wssp:MessageParts 
      Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
      wls:SystemHeaders()
     </wssp:MessageParts>
   </wssp:Target -->
   

5. Use the custom SAML policy file defined in Example 6-1.

6. Invoke the Web service from the client.

The following defines the custom SAML policy to be used:

Example 6-1 Custom SAML Policy

<?xml version="1.0"?>
<wsp:Policy
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
   xmlns:wssp="http://www.bea.com/wls90/security/policy"
   xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
   wsu:Id="custom_saml">
   <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
      <wssp:SupportedTokens>
         <wssp:SecurityToken  
          TokenType=
"http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
            <wssp:Claims>
               <wssp:ConfirmationMethod>
                  sender-vouches
               </wssp:ConfirmationMethod>
            </wssp:Claims>
         </wssp:SecurityToken>
      </wssp:SupportedTokens>
   </wssp:Identity>
   </wsp:Policy>

6.3.2 Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service

To configure Oracle WSM 11g client and Oracle Service Bus 10g Web Service, perform the steps described in the following sections:

6.3.2.1 Configuring Oracle Service Bus 10g Web Service

1. Create a copy of the Encrypt.xml and Sign.xml policy files.

   For example, to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

2. Edit the encryption algorithm in the myEncrypt.xml policy file to prevent encryption compliance failure, as follows:

   <wssp:Target>
      <wssp:EncryptionAlgorithm 
        URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
         wsp:Body()
      </wssp:MessageParts>
   </wssp:Target>
   

3. Edit the mySign.xml policy file attached to the proxy service request only to specify that the security token is unsigned:

   <wssp:Integrity SignToken="false"> 
   

   Also, for SOA clients only, comment out the target for system headers, as shown:

   <!-- wssp:Target>
     <wssp:DigestAlgorithm 
      URI="http://www.w3.org/2000/09/xmldsig#sha1" />
     <wssp:MessageParts 
      Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
      wls:SystemHeaders()
     </wssp:MessageParts>
   </wssp:Target -->
   

4. Use the custom SAML policy file defined in Example 6-1.

6.3.2.2 Configuring Oracle WSM 11g Client

1. Create a copy of the following policy: wss10_saml_token_with_message_protection_client_policy.

   Note:

   Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

   Edit the policy settings, as follows:

   1. Set Encryption Key Reference Mechanism to issuerserial.

   2. Set Recipient Encryption Key Reference Mechanism to issuerserial.

   3. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

   4. Disable the Include Timestamp configuration setting.

   5. Leave the default configuration set for message signing and encryption.

   For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. Attach the policy to the Web service client.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Invoke the Web service from the client.

6.4 SAML or Username Token Over SSL

This section describes how to implement the SAML or username token over SSL policy in the following interoperability scenario:

• "Configuration Prerequisites for Interoperability"

• "SAML Prerequisites for Interoperability"

• "Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service"

Note:

The interoperability scenario described in this section also applies to the SAML Token Over SSL and Username Token Over SSL policies.

Configuration Prerequisites for Interoperability

See "Configuration Prerequisites for Interoperability" for configuration information on the username token.

See "Configuration Prerequisites for Interoperability" for configuration information on the SAML token.

SAML Prerequisites for Interoperability

For SAML, perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:

1. Create a SamlCredentialMapperV2 credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper; for example, UC2_SamlCredentialMapperV2.

2. Restart WebLogic Server.

3. Configure the credential mapper as follows (leave other values set to the defaults):

   • Issuer URI: www.oracle.com

     Note: This value is specified in the policy file.

   • Name Qualifier: oracle.com

4. Create and configure a SAML relying party, as described in "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Configure the SAML relying party as follows (leave other values set to the defaults):

   • Profile: WSS/Sender-Vouches

   • Target URL: <Oracle WSM 11g Web Service>

   • Description: <your_description>

   Select the Enabled checkbox and click Save.

5. Restart WebLogic Server.

6.4.1 Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service

To configure Oracle Service Bus 10g client and Oracle WSM 11g Web Service, perform the steps described in the following sections:

6.4.1.1 Configuring Oracle WSM 11g Web Service

1. Configure the server for two-way SSL.

   For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

   • If the service policy is Username Token Over SSL, set Two Way Client Cert Behavior to "Client Certs Requested and Not Enforced."

   • If the service policy is SAML Token Over SSL, set Two Way Client Cert Behavior to "Client Certs Requested and Enforced."

2. Create a copy of the following policy: wss_saml_or_username_token_over_ssl_service_policy.

   Note:

   Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

   • For wss_username_token_over_ssl_service_policy, disable the Create Element and Nonce configuration settings.

   • For wss_saml_token_over_ssl_service_policy, disable the Include Timestamp configuration setting.

   For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Use Fusion Middleware Control to import the policy.

4. Use JDeveloper to create a simple SOA composite.

5. Attach the copy of the wss_saml_or_username_token_over_ssl_service_policy policy to the composite and deploy it.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

6.4.1.2 Configuring Oracle Service Bus 10g Client

Both the SAML token client and the username token client are supported.

1. Configure the server for two-way SSL.

   For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

   • If the client policy is the equivalent of Username Token Over SSL, then set Two Way Client Cert Behavior to "Client Certs Requested and Not Enforced."

   • If the client policy is the equivalent of SAML Token Over SSL, then set Two Way Client Cert Behavior to "Client Certs Requested and Enforced."

2. In the Oracle Service Bus console, import the WSDL for the relying party. Make sure that there is no policy attached. (Policy assertions are not allowed on this service.)

3. For SAML token, create a business service.

   1. Attach the policy shown in Example 6-1, "Custom SAML Policy" to the request.

   2. Change the WSDL from HTTP to HTTPS.

4. For username token, create a business service.

   1. Attach the auth.xml policy to the request.

   2. Change the WSDL from HTTP to HTTPS.

5. Create a service key provider.

6. Create a proxy service, and create a route to the business service.

   In HTTP Transport Configuration, set Authentication to "basic."

   On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to send the client cert to SOA.

7. Run the proxy service from the Oracle Service Bus console with the username and password.

6.5 Mutual Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.0 standards:

• "Configuration Prerequisites for Oracle WebLogic Server"

• "Configuration Prerequisites for Oracle WSM"

• "Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service"

Configuration Prerequisites for Oracle WebLogic Server

Perform the following prerequisite steps for the Oracle WebLogic Server on which Oracle Service Bus is running:

1. Copy the default-keystore.jks and trust.jks files to your domain directory.

   The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the Oracle WebLogic Server environment.

2. Invoke the WebLogic Administration Console, as described in Accessing Oracle WebLogic Administration Console.

3. Configure the Custom Identity and Custom Trust keystores, as described in "Configuring keystores" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

4. Configure SSL, as described in "Set up SSL" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Specify the private key alias, as required. For example: oratest.

5. Configure a credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

   • Keystore Provider: N/A

   • Keystore Type: jks

   • Keystore File Name: default_keystore.jks

   • Keystore Pass Phrase: <password>

   • Confirm Keystore Pass Phrase: <password>

6. Configure Authentication, as described in "Configure Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Select the Authentication tab and configure as follows:

   • Click DefaultIdentityAsserter and add X.509 to Chosen active types

   • Click Provider Specific and configure the following:

     • Default User Name Mapper Attribute Type: CN

     • Active Types: X.509

     • Use Default User Name Mapper: True

7. Configure a token handler to specify that a client invoking a message-secured Web service uses an X.509 certificate to establish their identity. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and configure the inbound and outbound messages as follows:

   Note:

   Only username token with message protection or mutual authentication with message protection is available at any given time. Once you enable mutual authentication with message protection, username authentication will fail.

   • Click _SERVICE_BUS_INBOUND_WEB_SERVICE_SECURITY_MBEAN_ and select the Token Handler tab.

   • Click X.509 token handler and configure the following:

     • Name: UseX509ForIdentity

     • Value: True

   • Perform the same steps for the outbound Oracle Service Bus MBean: _SERVICE_BUS_OUTBOUND_WEB_SERVICE_SECURITY_MBEAN_

8. If the users are not added, add the Common Name (CN) user specified in the certificate as described in "Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

9. Restart Oracle WebLogic Server.

Configuration Prerequisites for Oracle WSM

Perform the following prerequisite steps for the Oracle WSM using Oracle WebLogic Server Administration Console:

1. Configure Authentication, as described in "Configure Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

   Select the Authentication tab and configure as follows:

   • Click DefaultIdentityAsserter and add X.509 to Chosen active types

   • Click Provider Specific and configure the following:

     • Default User Name Mapper Attribute Type: CN

     • Active Types: X.509

     • Use Default User Name Mapper: True

2. If the users are not added, add the Common Name (CN) user specified in the certificate as described in "Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

3. Restart Oracle WebLogic Server.

6.5.1 Configuring Oracle Service Bus 10g Client and Oracle WSM 11g Web Service

To configure Oracle Service Bus 10g client and Oracle WSM 11g Web service, perform the steps described in the following sections:

• "Configuring Oracle WSM 11g Web Service"

• "Configuring Oracle Service Bus 10g Client"

6.5.1.1 Configuring Oracle WSM 11g Web Service

1. Create and deploy a SOA composite.

2. Create a copy of the following policy: wss10_x509_token_with_message_protection_service_policy.

   Note:

   Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

   Edit the policy settings, as follows:

   1. Set Encryption Key Reference Mechanism to issuerserial.

   2. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

   For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Attach the policy to the Web service.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

6.5.1.2 Configuring Oracle Service Bus 10g Client

1. Create an Oracle Service Bus business service.

2. Create a copy of the Encrypt.xml and Sign.xml policy files.

   For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

3. Attach the X.509 policy to the Oracle Service Bus business service request.

   <wsp:Policy
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wssp="http://www.bea.com/wls90/security/policy"
     xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     s0:Id="X509Auth">
           <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
               <wssp:SupportedTokens>
                   <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
               </wssp:SupportedTokens>
           </wssp:Identity>
   </wsp:Policy>
   

4. Attach the Sign.xml policy file to the Oracle Service Bus business service request.

5. Edit the myEncrypt.xml policy and attach it to the Oracle Service Bus business service request.

   <?xml version="1.0"?>
   <wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="X509Encrypt"> 
     <wssp:Confidentiality>
       <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
       <wssp:Target>
         <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>    
         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
       </wssp:Target>
       <wssp:KeyInfo/>
     </wssp:Confidentiality>
   </wsp:Policy>
   

6. Edit the mySign.xml policy file attached to the Oracle Service Bus business service response to specify that the security token is unsigned:

   <wssp:Integrity SignToken="false"> 
   

   Also, for SOA clients only, comment out the target for system headers, as shown:

     <?xml version="1.0"?>
   <wsp:Policy
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wssp="http://www.bea.com/wls90/security/policy"
    
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
   utility-1.0.xsd"
     xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
     wsu:Id="X509Sign">
     <wssp:Integrity SignToken="false">
       <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       <wssp:CanonicalizationAlgorithm
    URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       <!--wssp:Target>
         <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
         <wssp:MessageParts
    Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
           wls:SystemHeaders()
         </wssp:MessageParts>
       </wssp:Target-->
       <wssp:Target>
         <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
         <wssp:MessageParts
    Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
           wls:SecurityHeader(wsu:Timestamp)
         </wssp:MessageParts>
       </wssp:Target>
       <wssp:Target>
         <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
         <wssp:MessageParts
    Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
         wsp:Body()
         </wssp:MessageParts>
       </wssp:Target>
      </wssp:Integrity>
     <wssp:MessageAge/>
   </wsp:Policy>
   
   

7. Attach the myEncrypt.xml policy file from Step 6 to the Oracle Service Bus business service response.

8. Create a ServiceKeyProvider.

9. Specify Encryption Key and Digital Signature Key, as required.

   You must use different keys on the Oracle WSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.

10. Create a proxy service, and create a route to the business service.

    On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to send the client certificate to SOA.

11. Run the proxy service from the Oracle Service Bus console.

6.5.2 Configuring Oracle WSM 11g Client and Oracle Service Bus 10g Web Service

To configure Oracle WSM 11g client and Oracle Service Bus 10g Web Service, perform the steps described in the following sections:

• "Configuring Oracle Service Bus 10g Web Service"

• "Configuring Oracle WSM 11g Client"

6.5.2.1 Configuring Oracle Service Bus 10g Web Service

1. Create a Oracle Service Bus proxy service.

2. Create a copy of the Encrypt.xml and Sign.xml policy files.

   For example, to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

3. Attach the X.509 policy as described in "Configuring Oracle Service Bus 10g Client" to the proxy service request.

4. Edit the mySign.xml policy file attached to the proxy service request and comment out the target for system headers and timestamp, as shown:

   <?xml version="1.0"?>
   <wsp:Policy
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wssp="http://www.bea.com/wls90/security/policy"
     xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     s0:Id="X509SignRequest">
     <wssp:Integrity
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
   utility-1.0.xsd">
     <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
     <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"
    />
     <!-- wssp:Target>
     <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
     <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders
   ()</wssp:MessageParts>
     </wssp:Target -->
     <!-- wssp:Target>
     <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
     <wssp:MessageParts
   Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader
   (wsu:Timestamp)</wssp:MessageParts>
     </wssp:Target -->
     <wssp:Target>
     <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
     <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
     </wssp:Target>
   </wsp:Policy>
   

5. Edit the encryption algorithm in the myEncrypt.xml file attached to the proxy service request as follows:

   <?xml version="1.0"?>
   <wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="X509Encrypt"> 
     <wssp:Confidentiality>
       <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
       <wssp:Target>
         <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>    
         <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
       </wssp:Target>
       <wssp:KeyInfo/>
     </wssp:Confidentiality>
    
   </wsp:Policy>
   

6. Attach mySign.xml and myEncrypt.xml policy files from the previous steps to the proxy service response.

7. Create a Service Key Provider.

6.5.2.2 Configuring Oracle WSM 11g Client

1. Create a copy of the following policy: wss10_x509_token_with_message_protection_client_policy.

   Note:

   Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

   In Enterprise Manager, edit the policy settings, as follows:

   1. Set Encryption Key Reference Mechanism to issuerserial.

   2. Set Recipient Encryption Key Reference Mechanism to issuerserial.

   3. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

   4. Disable the Include Timestamp configuration setting.

   For more information, see "Creating a Web Service Policy from an Existing Policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. In Enterprise Manager, specify keystore.recipient.alias in the client configuration. Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entry in the trust store configured for the Web service.

3. Attach the policy to the Web service client.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

4. Invoke the Web service from the client.