3.1 HTTP Basic Authentication

When first installed, the Oracle I/PM Web Services are configured with no Oracle Web Service Manager (OWSM) security policies applied. When no security policies are applied, the services rely on the HTTP Basic Authentication mechanism, whereby user credentials (user ID and password) are transmitted in the web service HTTP message header. This mechanism is, however, not very secure, since the user's credentials are not encrypted in any way unless a Secure Socket Layer (SSL) transport mechanism is used. If SSL is properly configured for the Oracle I/PM server instance, I/PM can be configured to force the use of SSL in all web service communication. This is done by setting the I/PM configuration MBean “RequireBasicAuthSSL” to true. By default, it is false. [Note: the RequireBasicAuthSSL setting applies only when HTTP Basic Authentication is in use because no OWSM security policies have been applied.]
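The following added example (not Oracle code) shows why the header described above needs SSL: the Basic Authentication value is only Base64-encoded, so anything that can read the header can read the credentials. It also sketches a client-side counterpart to RequireBasicAuthSSL that refuses to attach credentials to a non-HTTPS URL. The function names, host, user ID and password are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_value(user_id: str, password: str) -> str:
    """Build the Authorization header value used by HTTP Basic Authentication."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_credentials(header_value: str) -> tuple[str, str]:
    """Reverse the header value. Base64 is an encoding, so no key is needed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token).decode("utf-8")
    # The user ID cannot contain ':', so split on the first one only.
    user_id, _, password = decoded.partition(":")
    return user_id, password


def headers_for_request(url: str, user_id: str, password: str) -> dict[str, str]:
    """Client-side guard: attach Basic credentials only to https:// URLs."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over " + url)
    return {"Authorization": basic_auth_value(user_id, password)}


if __name__ == "__main__":
    # Constructed sample values; the host, user ID and password are placeholders.
    header = basic_auth_value("ipm_user", "example-password")
    print("Header as sent:      ", header)
    print("Recovered from wire: ", recover_credentials(header))
    print(headers_for_request("https://ipm.example.com/service",
                              "ipm_user", "example-password"))
```

The guard protects only the client that uses it; setting RequireBasicAuthSSL to true is what enforces SSL on the server side.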