This chapter contains the following sections:
Overview of Interoperability with OC4J 10g Security Environments
Anonymous Authentication with Message Protection (WS-Security 1.0)
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)
Mutual Authentication with Message Protection (WS-Security 1.0)
In OC4J 10g, you configure your security environment as described in the following documents:
For information about using Application Server Control to configure the Web service, see Oracle Application Server Advanced Web Services Developer's Guide at http://download.oracle.com/docs/cd/B31017_01/web.1013/b28975/toc.htm.
For information about using JDeveloper to develop and configure your client-side application, see the JDeveloper online help.
For information about how to modify the XML-based deployment descriptor files, see Oracle Application Server Web Services Security Guide 10g (10.1.3.1.0) at http://download.oracle.com/docs/cd/B31017_01/web.1013/b28976/toc.htm.
In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain level, that define the security requirements. A set of predefined policies and assertions is provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Table 3-1 summarizes the most common OC4J 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
For information about configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Note: In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.
Table 3-1 Interoperability With OC4J 10g Security Environments
Interoperability Scenario | Client—>Web Service | Oracle WSM 11g Policies | OC4J 10g Policies |
---|---|---|---|
"Anonymous Authentication with Message Protection (WS-Security 1.0)" | OC4J 10g—>Oracle WSM 11g | oracle/wss10_message_protection_service_policy | See Table 3-2 |
"Anonymous Authentication with Message Protection (WS-Security 1.0)" | Oracle WSM 11g—>OC4J 10g | oracle/wss10_message_protection_client_policy | See Table 3-3 |
"Username Token with Message Protection" | OC4J 10g—>Oracle WSM 11g | oracle/wss10_username_token_with_message_protection_service_policy | See Table 3-4 |
"Username Token with Message Protection" | Oracle WSM 11g—>OC4J 10g | oracle/wss10_username_token_with_message_protection_client_policy | See Table 3-5 |
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" | OC4J 10g—>Oracle WSM 11g | oracle/wss10_saml_token_with_message_protection_service_policy | See Table 3-6 |
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" | Oracle WSM 11g—>OC4J 10g | oracle/wss10_saml_token_with_message_protection_client_policy | See Table 3-7 |
"Mutual Authentication with Message Protection (WS-Security 1.0)" | OC4J 10g—>Oracle WSM 11g | oracle/wss10_x509_token_with_message_protection_service_policy | See Table 3-8 |
"Mutual Authentication with Message Protection (WS-Security 1.0)" | Oracle WSM 11g—>OC4J 10g | oracle/wss10_x509_token_with_message_protection_client_policy | See Table 3-9 |
"Username Token Over SSL" | OC4J 10g—>Oracle WSM 11g | oracle/wss_username_token_over_ssl_service_policy OR oracle/wss_saml_or_username_token_over_ssl_service_policy | See Table 3-10 |
"Username Token Over SSL" | Oracle WSM 11g—>OC4J 10g | oracle/wss_username_token_over_ssl_client_policy | See Table 3-11 |
"SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)" | OC4J 10g—>Oracle WSM 11g | oracle/wss_saml_token_over_ssl_service_policy OR oracle/wss_saml_or_username_token_over_ssl_service_policy | See Table 3-12 |
"SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)" | Oracle WSM 11g—>OC4J 10g | oracle/wss_saml_token_over_ssl_client_policy | See Table 3-13 |
The following sections describe how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
Perform the steps described in the following table.
Table 3-2 Anonymous Authentication with Message Protection (WS-Security 1.0)—OC4J 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—OC4J 10g | Perform the following steps: |
Editing the <appname>Binding_Stub.xml File
Edit the <appname>Binding_Stub.xml file, as follows:
Provide the keystore password and sign and encryption key passwords.
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound><encrypt> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ...
Perform the steps described in the following table.
Table 3-3 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—OC4J 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound><encrypt> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ...
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
Perform the steps described in the following table.
Table 3-4 Username Token with Message Protection—OC4J 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—OC4J 10g | Perform the following steps: |
Editing the <appname>Binding_Stub.xml File
Edit the <appname>Binding_Stub.xml file, as follows:
Provide the keystore password and sign and encryption key passwords.
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> ...
In the outbound signature, specify that the timestamp and UsernameToken should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" local-part="UsernameToken"/> ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound><encrypt> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>/<encrypt>/<tbe-elements> <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ...
Perform the steps defined in the following table.
Table 3-5 Username Token with Message Protection—Oracle WSM 11g Client —> OC4J 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—OC4J 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>/<encrypt>/<tbe-elements> <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ...
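As an added example (not code from the Oracle guide or from OC4J), the following Python checker reads a fragment built from the <appname>Binding_Stub.xml elements shown in Tables 3-2 and 3-4 (the wsmgmt.xml fragments in Tables 3-3 and 3-5 use the same elements) and reports whether the Timestamp is required inbound and signed outbound, whether key transport is RSA-OAEP-MGF1P, and, for the username-token scenario, whether the UsernameToken is both signed and content-encrypted. It assumes that the `/`-separated paths in the tables denote element nesting; the sample document is constructed for the example, wrapped in a placeholder `<port>` parent, and carries only those elements.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample: only the elements quoted in Tables 3-2 to 3-5, under an
# assumed <port> wrapper. A real stub/wsmgmt.xml file has more surrounding
# structure; the checker searches by element name, so that does not matter.
SAMPLE_OK = """<port>
 <inbound><verify-signature><tbs-elements>
  <tbs-element name-space="{wsu}" local-part="Timestamp"/>
 </tbs-elements></verify-signature></inbound>
 <outbound>
  <signature><tbs-elements>
   <tbs-element name-space="{wsu}" local-part="Timestamp"/>
   <tbs-element name-space="{wsse}" local-part="UsernameToken"/>
  </tbs-elements></signature>
  <encrypt>
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
   <tbe-elements>
    <tbe-element local-part="UsernameToken" name-space="{wsse}" mode="CONTENT"/>
   </tbe-elements>
  </encrypt>
 </outbound>
</port>""".format(wsu=WSU, wsse=WSSE)


def _covered(root, path, tag):
    """Set of (namespace, local-part) pairs listed under path/tag."""
    return {(e.get("name-space"), e.get("local-part"))
            for e in root.findall(path + "/" + tag)}


def check_policy(xml_text, username_token=False):
    """Return a list of findings; an empty list means the fragment meets the
    Table 3-2 requirements (or Table 3-4 when username_token=True)."""
    root = ET.fromstring(xml_text)
    findings = []
    ts = (WSU, "Timestamp")
    # Requiring a signed Timestamp inbound is what makes the replay window enforceable.
    if ts not in _covered(root, ".//inbound/verify-signature/tbs-elements", "tbs-element"):
        findings.append("inbound: Timestamp signature is not required")
    signed = _covered(root, ".//outbound/signature/tbs-elements", "tbs-element")
    if ts not in signed:
        findings.append("outbound: Timestamp is not signed")
    enc = root.find(".//outbound/encrypt")
    kt = enc.findtext("keytransport-method") if enc is not None else None
    if kt != "RSA-OAEP-MGF1P":
        findings.append("outbound: key transport is %r, expected RSA-OAEP-MGF1P" % kt)
    if username_token:
        ut = (WSSE, "UsernameToken")
        if ut not in signed:
            findings.append("outbound: UsernameToken is not signed")
        # mode="CONTENT" encrypts the token's children, i.e. the credential itself.
        tbe = [e for e in root.findall(".//outbound/encrypt/tbe-elements/tbe-element")
               if (e.get("name-space"), e.get("local-part")) == ut]
        if not tbe or tbe[0].get("mode") != "CONTENT":
            findings.append("outbound: UsernameToken content is not encrypted")
    return findings
```

Run `check_policy(open(path).read(), username_token=True)` over a fragment cut from a stub file to confirm that it carries every element the tables list before deploying it.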
The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
Perform the steps described in the following table.
Table 3-6 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—OC4J 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—OC4J 10g | Perform the following steps: |
Editing the <appname>Binding_Stub.xml File
Edit the <appname>Binding_Stub.xml file, as follows:
Provide the keystore password and sign and encryption key passwords.
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound><encrypt> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ...
Perform the steps defined in the following table.
Table 3-7 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—OC4J 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>/<encrypt>/<tbe-elements> <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ...
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
Perform the steps described in the following table.
Table 3-8 Mutual Authentication with Message Protection (WS-Security 1.0)—OC4J 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—OC4J 10g | Perform the following steps: |
Editing the <appname>Binding_Stub.xml File
Edit the <appname>Binding_Stub.xml file, as follows:
Provide the keystore password and sign and encryption key passwords.
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound><encrypt> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ...
Perform the steps described in the following table.
Table 3-9 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—OC4J 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:
In the inbound signature, specify the following:
<inbound><verify-signature><tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>/<signature>/<tbs-elements> <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>/<encrypt>/<tbe-elements> <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ...
The following sections describe how to implement username token over SSL, describing the following interoperability scenarios:
"Username token over SSL—OC4J 10g Client —> Oracle WSM 11g Web Service"
"Username token over SSL—Oracle WSM 11g Client —> OC4J 10g Web Service"
For information about:
Configuring SSL on WebLogic Server, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.
Perform the steps defined in the following table.
Table 3-10 Username Token Over SSL—OC4J 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—OC4J 10g | Perform the following steps: |
Editing the <appname>Binding_Stub.xml File
Edit the <appname>Binding_Stub.xml file, as follows:
Provide the keystore password and sign and encryption key passwords.
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound> <signature> <add-timestamp created="true" expiry="<Expiry_Time>"/> </signature> ...
Perform the steps defined in the following table.
Table 3-11 Username Token Over SSL—Oracle WSM 11g Client —> OC4J 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—OC4J 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound> <signature> <add-timestamp created="true" expiry="<Expiry_Time>"/> </signature> ...
The following sections describe how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
For information about:
Configuring SSL on WebLogic Server, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.
Perform the steps defined in the following table.
Table 3-12 SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)—OC4J 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—OC4J 10g | Perform the following steps: |
Editing the <appname>Binding_Stub.xml File
Edit the <appname>Binding_Stub.xml file, as follows:
Provide the keystore password and sign and encryption key passwords.
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound> <signature> <add-timestamp created="true" expiry="<Expiry_Time>"/> </signature> ...
Perform the steps defined in the following table.
Table 3-13 SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—OC4J 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound> <signature> <add-timestamp created="true" expiry="<Expiry_Time>"/> </signature> ...