4 Interoperability with Oracle WebLogic Server 11g Web Service Security Environments

This chapter contains the following sections:

  • Overview of Interoperability with Oracle WebLogic Server 11g Web Service Security Environments

  • Username Token With Message Protection (WS-Security 1.1)

  • Username Token With Message Protection (WS-Security 1.0)

  • Username Token Over SSL

  • SAML Token (Sender Vouches) Over SSL

  • SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)

  • SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

Overview of Interoperability with Oracle WebLogic Server 11g Web Service Security Environments

In Oracle Fusion Middleware 11g, you can attach both Oracle WSM and Oracle WebLogic Server Web service policies to WebLogic Java EE Web services.

For more details about the predefined Oracle WSM 11g policies, see the following sections in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:

For more details about the predefined Oracle WebLogic Server 11g Web service policies, see:

Table 4-1 summarizes the most common Oracle WebLogic Server 11g Web service policy interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Table 4-1 Interoperability With Oracle WebLogic Server 11g Web Services Security Environments

Columns: Interoperability Scenario; Client —> Web Service; Oracle WSM 11g Policies; Oracle WebLogic Server 11g Policies

"Username Token With Message Protection (WS-Security 1.1)"

  Client —> Web Service: Oracle WebLogic Server 11g —> Oracle WSM 11g

  Oracle WSM 11g policy: oracle/wss11_username_token_with_message_protection_service_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

"Username Token With Message Protection (WS-Security 1.1)"

  Client —> Web Service: Oracle WSM 11g —> Oracle WebLogic Server 11g

  Oracle WSM 11g policy: oracle/wss11_username_token_with_message_protection_client_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

"Username Token With Message Protection (WS-Security 1.0)"

  Client —> Web Service: Oracle WebLogic Server 11g —> Oracle WSM 11g

  Oracle WSM 11g policy: oracle/wss10_username_token_with_message_protection_service_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

"Username Token With Message Protection (WS-Security 1.0)"

  Client —> Web Service: Oracle WSM 11g —> Oracle WebLogic Server 11g

  Oracle WSM 11g policy: oracle/wss10_username_token_with_message_protection_client_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

"Username Token Over SSL"

  Client —> Web Service: Oracle WebLogic Server 11g —> Oracle WSM 11g

  Oracle WSM 11g policy: oracle/wss_username_token_over_ssl_service_policy

  Oracle WebLogic Server 11g policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml

"SAML Token (Sender Vouches) Over SSL"

  Client —> Web Service: Oracle WebLogic Server 11g —> Oracle WSM 11g

  Oracle WSM 11g policy: oracle/wss_saml_token_over_ssl_service_policy

  Oracle WebLogic Server 11g policy: Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml

"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)"

  Client —> Web Service: Oracle WebLogic Server 11g —> Oracle WSM 11g

  Oracle WSM 11g policy: oracle/wss11_saml_token_with_message_protection_service_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)"

  Client —> Web Service: Oracle WSM 11g —> Oracle WebLogic Server 11g

  Oracle WSM 11g policy: oracle/wss11_saml_token_with_message_protection_client_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"

  Client —> Web Service: Oracle WebLogic Server 11g —> Oracle WSM 11g

  Oracle WSM 11g policy: oracle/wss10_saml_token_with_message_protection_service_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"

  Client —> Web Service: Oracle WSM 11g —> Oracle WebLogic Server 11g

  Oracle WSM 11g policy: oracle/wss10_saml_token_with_message_protection_client_policy

  Oracle WebLogic Server 11g policies:

    • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml


Username Token With Message Protection (WS-Security 1.1)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard, covering the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

Username Token With Message Protection (WS-Security 1.1)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-2 Username Token with Message Protection (WS-Security 1.1)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Provide the configuration for the server (encryption key) in the client, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified in the client matches the encryption key configured for the Web service.

  4. Invoke the Web service method from the client.


Username Token With Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-3 Username Token with Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    You only need to configure the Confidentiality Key for a WS-Security 1.1 policy.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Configure the policy, as described in "oracle/wss11_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Specify keystore.recipient.alias in the client configuration.

  5. Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

  6. Provide a valid username and password as part of the configuration.

  7. Invoke the Web service method from the client.
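As an added example (not code from the Oracle documentation), the two halves of Table 4-3 in Java: the WebLogic Server 11g JWS attaches the three WLS policies with @Policies/@Policy (Web Service step 1), and the OWSM 11g client attaches oracle/wss11_username_token_with_message_protection_client_policy with SecurityPolicyFeature and sets the username, password and keystore.recipient.alias overrides on the request context (Client steps 2, 4 and 6). The package, class and key alias names are hypothetical, the proxy types InteropService/InteropPortType are assumed to have been generated from this service's WSDL (Client step 1), and ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS is assumed to be the constant that carries the keystore.recipient.alias property.

```java
// --- File: InteropServiceImpl.java (deployed on Oracle WebLogic Server 11g) ---
// Added example, not Oracle's own code. Package and class names are hypothetical;
// the policy file names are the ones listed in Table 4-3.
package example.interop;

import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

// Web Service step 1: attach the three WebLogic policies in the JWS file.
// The "policy:" prefix refers to the policies that ship with WebLogic Server.
// Together they require a WS-Security 1.1 UsernameToken protected by an
// EncryptedKey, a signed body and an encrypted body, which is what the OWSM
// wss11_username_token_with_message_protection_client_policy sends.
@WebService(name = "InteropPortType", serviceName = "InteropService")
@Policies({
    @Policy(uri = "policy:Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),    // integrity of the SOAP body
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")  // confidentiality of the SOAP body
})
public class InteropServiceImpl {

    @WebMethod
    public String echo(String input) {
        return input;
    }
}

// --- File: InteropClient.java (Oracle WSM 11g client) ---
// Added example, not Oracle's own code. InteropService and InteropPortType are
// assumed to be the proxy classes generated from the service WSDL (Client step 1).
package example.interop.client;

import java.util.Map;
import javax.xml.ws.BindingProvider;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class InteropClient {

    public static void main(String[] args) {
        InteropService service = new InteropService();

        // Client step 2: attach the OWSM client policy programmatically.
        SecurityPolicyFeature[] features = {
            new SecurityPolicyFeature(
                "oracle/wss11_username_token_with_message_protection_client_policy")
        };
        InteropPortType port = service.getInteropPortTypePort(features);

        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();

        // Client step 6: credentials carried in the UsernameToken. The password
        // is read from a system property here so that it is not hard-coded.
        ctx.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
        ctx.put(BindingProvider.PASSWORD_PROPERTY, System.getProperty("ws.password"));

        // Client step 4: keystore.recipient.alias names the Web service's
        // certificate in the client keystore; it must match the Confidentiality
        // Key configured on the WebLogic Web service (Web Service step 3).
        // Assumed constant name for the keystore.recipient.alias property.
        ctx.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "wls_service_cert");

        // Client step 7: invoke the Web service method.
        System.out.println(port.echo("hello"));
    }
}
```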


Username Token With Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, covering the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "Username Token With Message Protection (WS-Security 1.1)".

Username Token With Message Protection (WS-Security 1.0)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-4 Username Token with Message Protection (WS-Security 1.0)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified in the client matches the decryption key configured for the Web service.

  4. Invoke the Web service method from the client.


Username Token With Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-5 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss10_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Ensure that you use different keys for the client (signing and decryption key) and for the keystore recipient alias (the server's public key, used for encryption). Ensure that the recipient alias matches the keys defined in the Web service policy security configuration.

  5. Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

  6. Provide a valid username and password as part of the configuration.

  7. Invoke the Web service method from the client.


Username Token Over SSL

The following section describes how to implement username token over SSL, covering the following interoperability scenario:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

Username Token Over SSL—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 4-6 Username Token Over SSL—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for one-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the following policy: oracle/wss_username_token_over_ssl_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen. Provide a valid username and password as part of the configuration for this policy in the client proxy.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Configure WebLogic Server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  4. Attach Wssp1.2-2007-Https-UsernameToken-Plain.xml to the Web service client.

  5. Provide the truststore and other needed System properties in the SSL client, as described in "Using SSL Authentication in Java Clients" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.

  6. Invoke the Web service.


SAML Token (Sender Vouches) Over SSL

The following section describes how to implement SAML token sender vouches with SSL, covering the following interoperability scenario:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

SAML Token (Sender Vouches) Over SSL—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-7 SAML Token (Sender Vouches) Over SSL—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the oracle/wss_saml_token_over_ssl_service_policy policy for two-way SSL, as described in "oracle/wss_saml_token_over_ssl_service_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  2. Attach the following policy to the Web service: oracle/wss_saml_token_over_ssl_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Configure WebLogic Server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Configure identity and trust stores, as described in "Configure Identity and Trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  4. Attach Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml to the Web service client.

  5. Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configure Authentication and Identity Assertion Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  6. Restart WebLogic Server.

  7. Select the authentication provider created in step 5.

  8. Create a SAML asserting party, as described in "Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Set Profile to WSS/Sender-Vouches.

  9. Configure the SAML asserting party, as described in "Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML asserting party as follows:

    - Set Issuer URI to www.oracle.com.

    - Set Target URL to <url_used_to_access_Web_service>.

  10. Create a servlet and call the proxy code from the servlet.

  11. Use BASIC authentication so that the authenticated subject can be created.

  12. Provide the truststore and other needed System properties in the SSL client, as described in "Using SSL Authentication in Java Clients" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.

  13. Invoke the Web application client.

    Enter the credentials of the user whose identity is to be propagated using the SAML token.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)

The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-8 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss11_saml_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified in the client matches the decryption key configured for the Web service.

  4. Secure the Web application client using BASIC Authentication. For more information, see "Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.

  5. Deploy the Web service client.

    See "Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  6. Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

    Select the new provider, click on Provider Specific, and configure it as follows:

    - Set Issuer URI to www.oracle.com.

    - Set Name Qualifier to www.oracle.com.

  7. Restart WebLogic Server.

  8. Create a SAML relying party, as described in "Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Set the Profile to WSS/Sender-Vouches.

  9. Configure the SAML relying party, as described in "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Ensure the Target URL is set to the URL used for the client Web service.

  10. Invoke the Web application client.

    Enter the credentials of the user whose identity is to be propagated using SAML token.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-9 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Since this is a WS-Security 1.1 policy, you need to configure only the Confidentiality Key.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

  5. Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  6. Restart WebLogic Server.

  7. Select the authentication provider created in step 5.

  8. Create a SAML asserting party, as described in "Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Set Profile to WSS/Sender-Vouches.

  9. Configure the SAML asserting party, as described in "Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML asserting party as follows:

    - Set Issuer URI to www.oracle.com.

    - Set Target URL to <url_used_to_access_Web_service>.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss11_saml_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Configure the policy, as described in "oracle/wss11_saml_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Specify keystore.recipient.alias in the client configuration.

    Ensure that keystore.recipient.alias is the same as the decryption key specified for the Web service.

  5. Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

  6. In the client configuration, provide a valid username whose identity is to be propagated using the SAML token.

  7. Invoke the Web application client.

    Enter the credentials of the user whose identity is to be propagated using SAML token.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.0 standard, covering the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)".

SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-10 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_saml_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified in the client matches the decryption key configured for the Web service.

  4. Secure the Web application client using BASIC Authentication. For more information, see "Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.

  5. Deploy the Web service client.

    See "Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  6. Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  7. Select the SAMLCredentialMapperV2, click on Provider Specific, and configure it as follows:

    - Set Issuer URI to www.oracle.com.

    - Set Name Qualifier to www.oracle.com.

  8. Restart WebLogic Server.

  9. Create a SAML relying party, as described in "Create a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Set the profile to WSS/Sender-Vouches.

  10. Configure the SAML relying party, as described in "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Ensure the target URL is set to the URL used for the client Web service.

  11. Invoke the Web application client and enter the appropriate credentials.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 4-11 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Since this is a WS-Security 1.1 policy, you need to configure only the Confidentiality Key.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

  5. Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  6. Restart WebLogic Server.

  7. Select the authentication provider created in step 5.

  8. Create a SAML asserting party, as described in "Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    - Set Profile to WSS/Sender-Vouches.

  9. Configure a SAML asserting party, as described in "Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML asserting party as follows (leave other values set to the defaults):

    - Set Issuer URI to www.oracle.com.

    - Set Target URL to <url_used_by_client>.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss10_saml_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  3. Configure the policy, as described in "oracle/wss10_saml_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

  4. Ensure that you use different keys for the client (signing and decryption key) and for the keystore recipient alias (the server's public key, used for encryption). Ensure that the recipient alias matches the keys defined in the Web service policy security configuration.

  5. Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

  6. In the client configuration, provide a valid username whose identity is to be propagated using the SAML token.

  7. Invoke the Web service method.