3 Interoperability with Oracle Containers for J2EE (OC4J) 10g Security Environments

This chapter describes the most common Oracle Containers for J2EE (OC4J) 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

This chapter contains the following sections:

• Overview of Interoperability with OC4J 10g Security Environments

• Anonymous Authentication with Message Protection (WS-Security 1.0)

• Username Token with Message Protection (WS-Security 1.0)

• SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

• Mutual Authentication with Message Protection (WS-Security 1.0)

• Username token over SSL

• SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)

3.1 Overview of Interoperability with OC4J 10g Security Environments

In OC4J 10g, you configure your security environment.

• For information about using Application Server Control to configure the Web service, see Oracle Application Server Advanced Web Services Developer's Guide at http://download.oracle.com/docs/cd/B31017_01/web.1013/b28975/toc.htm.

• For information about using JDeveloper to develop and configure your client-side application, see the JDeveloper online help.

• For information about how to modify the XML-based deployment descriptor files, see Oracle Application Server Web Services Security Guide 10g (10.1.3.1.0) at: http://download.oracle.com/docs/cd/B31017_01/web.1013/b28976/toc.htm

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services. For information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Table 3-1 summarizes the most common OC4J 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

For information about configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

Table 3-1 Interoperability With OC4J 10g Security Environments

Interoperability Scenario	Client—>Web Service	Oracle WSM 11g Policies	OC4J 10g Policies
"Anonymous Authentication with Message Protection (WS-Security 1.0)"	OC4J10g—>Oracle WSM 11g	oracle/wss10_message_protection_service_policy	See "Configuring OC4J 10g Client"
"Anonymous Authentication with Message Protection (WS-Security 1.0)"	Oracle WSM 11g—>OC4J10g	oracle/wss10_message_protection_client_policy	See "Configuring OC4J 10g Web Service"
"Username Token with Message Protection (WS-Security 1.0)"	OC4J10g—>Oracle WSM 11g	oracle/wss10_username_token_with_message_protection_service_policy	See "Configuring OC4J 10g Client"
"Username Token with Message Protection (WS-Security 1.0)"	Oracle WSM 11g—>OC4J10g	oracle/wss10_username_token_with_message_protection_client_policy	See "Configuring OC4J 10g Web Service"
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"	OC4J10g—>Oracle WSM 11g	oracle/wss10_saml_token_with_message_protection_service_policy	See "Configuring OC4J 10g Client"
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"	Oracle WSM 11g—>OC4J10g	oracle/wss10_saml_token_with_message_protection_client_policy	See "Configuring OC4J 10g Web Service"
"Mutual Authentication with Message Protection (WS-Security 1.0)"	OC4J10g—>Oracle WSM 11g	oracle/wss10_x509_token_with_message_protection_service_policy	See "Configuring OC4J 10g Client"
"Mutual Authentication with Message Protection (WS-Security 1.0)"	Oracle WSM 11g—>OC4J10g	oracle/wss10_x509_token_with_message_protection_client_policy	See "Configuring OC4J 10g Web Service"
"Username token over SSL"	OC4J10g—>Oracle WSM 11g	oracle/wss_username_token_over_ssl_service_policy OR oracle/wss_saml_or_username_token_over_ssl_service_policy	See "Configuring OC4J 10g Client"
"Username token over SSL"	Oracle WSM 11g—>OC4J10g	oracle/wss_username_token_over_ssl_client_policy	See "Configuring OC4J 10g Web Service"
"SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)"	OC4J10g—>Oracle WSM 11g	oracle/wss_saml_token_over_ssl_service_policy OR oracle/wss_saml_or_username_token_over_ssl_service_policy	See "Configuring OC4J 10g Client"
"SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)"	Oracle WSM 11g—>OC4J10g	oracle/wss_saml_token_over_ssl_client_policy	See "Configuring OC4J 10g Web Service"

3.2 Anonymous Authentication with Message Protection (WS-Security 1.0)

This section describes how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard in the following scenarios:

• "Configuring OC4J 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and OC4J 10g Web Service"

3.2.1 Configuring OC4J 10g Client and Oracle WSM 11g Web Service

To configure OC4J 10g client and Oracle WSM 11g Web service, perform the following steps:

3.2.1.1 Configuring Oracle WSM 11g Web Service

1. Create a Web service application.

2. Attach the following policy to the entry point of the Web service: oracle/wss10_message_protection_service_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3.2.1.2 Configuring OC4J 10g Client

1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

2. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

3. Click Authentication in the Proxy Editor navigation bar and set the following options:

   • Select No Authentication.

4. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Verify Inbound Signed Request Body.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

   • Select all options under Acceptable Signature Algorithms.

5. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Sign Outbound Messages.

   • Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

6. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Decrypt Inbound Message Content.

   • Select all options under Acceptable Signature Algorithms.

7. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Encrypt Outbound Messages.

   • Set the Algorithm to AES-128.

8. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

9. Click OK to close the wizard.

10. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in next section.

11. Invoke the Web service method from the client.

Editing the <appname>Binding_Stub.xml File

1. Provide the keystore password and sign and encryption key passwords.

2. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
   utility-1.0.xsd" local-part="Timestamp" />
   ...
   

3. In the outbound signature, specify that the timestamp should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

4. In the outbound encryption, specify the key transport algorithm, as follows:

   <outbound><encrypt>
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
   ...
   

3.2.2 Configuring Oracle WSM 11g Client and OC4J 10g Web Service

To configure Oracle WSM 11g client and OC4J 10g Web service, perform the following steps:

3.2.2.1 Configuring OC4J 10g Web Service

1. Create and deploy a Web service application.

2. Use Application Server Control to secure the deployed Web service.

3. Click Authentication tab and ensure that no options are selected.

4. Click Integrity tab of the Inbound Policies page and set the following options:

   • Select Require Message Body to Be Signed.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

5. Click Integrity tab of the Outbound Policies page and set the following options:

   • Select Sign Body Element of Message.

   • Set the Signature Method to RSA-SHA1.

   • Select Add Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

6. Click Confidentiality tab of the Inbound Policies page and set the following options:

   • Select Require Encryption of Message Body.

7. Click Confidentiality tab of the Outbound Policies page and set the following options:

   • Select Encrypt Body Element of Message.

   • Set the Encryption Method to AES-128.

   • Set the public key to encrypt.

8. Configure the keystore properties and identity certificates.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

9. Edit the wsmgmt.xml deployment descriptor file, as described in Editing the wsmgmt.xml File.

3.2.2.2 Configuring Oracle WSM 11g Client

1. Create a client proxy for the OC4J 10g Web service.

2. Attach the following policy: oracle/wss10_message_protection_client_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

4. Invoke the Web service method from the client.

Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

1. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

2. In the outbound signature, specify that the timestamp should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

3. In the outbound encryption, specify the key transport algorithm, as follows:

   <outbound><encrypt>
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
   ...
   

3.3 Username Token with Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard:

• "Configuring OC4J 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and OC4J 10g Web Service"

3.3.1 Configuring OC4J 10g Client and Oracle WSM 11g Web Service

To configure OC4J 10g client and Oracle WSM 11g Web service, perform the following steps:

3.3.1.1 Configuring Oracle WSM 11g Web Service

1. Create an Oracle WSM 11g Web service.

2. Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_service_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3.3.1.2 Configuring OC4J 10g Client

1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

2. Specify the username and password in the client proxy, as follows:

   port.setUsername(<username>)
   port.setPassword(<password>)
   

3. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

4. Click Authentication in the Proxy Editor navigation bar and set the following options:

   • Select Use Username to Authenticate.

   • Deselect Add Nonce and Add Creation Time.

5. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Verify Inbound Signed Request Body.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

   • Select all options under Acceptable Signature Algorithms.

6. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Sign Outbound Messages.

   • Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

7. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Decrypt Inbound Message Content.

   • Select all options under Acceptable Signature Algorithms.

8. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Encrypt Outbound Messages.

   • Set the Algorithm to AES-128.

9. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

10. Click OK to close the wizard.

11. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in Editing the <appname>Binding_Stub.xml File.

12. Invoke the Web service.

Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

1. Provide the keystore password and sign and encryption key passwords.

2. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp" />
   ...
   

3. In the outbound signature, specify that the timestamp and UsernameToken should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
   utility-1.0.xsd" local-part="Timestamp"/>
    <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -secext-1.0.xsd" local-part="UsernameToken"/>
   ...
   

4. In the outbound encryption, specify the key transport algorithm, as follows:

   <outbound><encrypt>
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
   ...
   

5. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

   <outbound>/<encrypt>/<tbe-elements>
   <tbe-element local-part="UsernameToken"
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -secext-1.0.xsd" mode="CONTENT"/>
   ...
   

3.3.2 Configuring Oracle WSM 11g Client and OC4J 10g Web Service

To configure Oracle WSM 11g client and OC4J 10g Web service, perform the following steps:

3.3.2.1 Configuring OC4J 10g Web Service

1. Create and deploy a JAX-RPC Web service on OC4J.

2. Use Application Server Control to secure the deployed Web service.

3. Click Authentication tab and set the following options:

   • Select Use Username/Password Authentication.

   • Set Password to Plain Text.

4. Click Integrity tab in Inbound Policies page and set the following options:

   • Select Require Message Body to Be Signed.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

5. Click Integrity tab in Outbound Policies page and set the following options:

   • Select Sign Body Element of Message.

   • Set the Signature Method to RSA-SHA1.

   • Select Add Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

6. Click Confidentiality tab in the Inbound Policies page and set the following options:

   • Select Require Encryption of Message Body.

7. Click Confidentiality tab in the Outbound Policies page and set the following options:

   • Select Encrypt Body Element of Message.

   • Set the Encryption Method to AES-128.

   • Set the public key to encrypt.

8. Configure the keystore properties and identity certificates.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

9. Edit the wsmgmt.xml deployment descriptor file, as described in Editing the wsmgmt.xml File.

3.3.2.2 Configuring Oracle WSM 11g Client

1. Create a client proxy for the OC4J 10g Web service.

2. Attach the following policy: oracle/wss10_username_token_with_message_protection_client_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

4. Invoke the Web service method from the client.

Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

1. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

2. In the outbound signature, specify that the timestamp should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

3. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

   <outbound>/<encrypt>/<tbe-elements>
   <tbe-element local-part="UsernameToken"
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -secext-1.0.xsd" mode="CONTENT"/>
   ...
   

3.4 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard:

• "Configuring OC4J 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and OC4J 10g Web Service"

3.4.1 Configuring OC4J 10g Client and Oracle WSM 11g Web Service

To configure OC4J 10g client and Oracle WSM 11g Web service, perform the following steps:

3.4.1.1 Configuring Oracle WSM 11g Web Service

1. Create an Oracle WSM 11g Web service.

2. Attach the following policy to the Web service: oracle/wss10_saml_token__with_message_protection_service_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3.4.1.2 Configuring OC4J 10g Client

1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

2. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

3. Click Authentication in the Proxy Editor navigation bar and set the following options:

   • Select Use SAML Token.

   • Click SAML Details.

   • Select Sender Vouches Confirmation and Use Signature.

   • Enter the username that needs to be propagated as the Default Subject Name.

   • Enter www.oracle.com as the Default Issuer Name.

4. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Verify Inbound Signed Request Body.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

   • Select all options under Acceptable Signature Algorithms.

5. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Sign Outbound Messages.

   • Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

6. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Decrypt Inbound Message Content.

   • Select all options under Acceptable Signature Algorithms.

7. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Encrypt Outbound Messages.

   • Set the Algorithm to AES-128.

8. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

9. Click OK to close the wizard.

10. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in Editing the <appname>Binding_Stub.xml File.

11. Invoke the Web service method.

Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

1. Provide the keystore password and sign and encryption key passwords.

2. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp" />
   ...
   

3. In the outbound signature, specify that the timestamp should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

4. In the outbound encryption, specify the key transport algorithm, as follows:

   <outbound><encrypt>
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
   ...
   

3.4.2 Configuring Oracle WSM 11g Client and OC4J 10g Web Service

To configure Oracle WSM 11g client and OC4J 10g Web service, perform the following steps:

3.4.2.1 Configuring OC4J 10g Web Service

1. Create and deploy a JAX-RPC Web service on OC4J.

2. Use the Application Server Control to secure the deployed Web service.

3. Click Authentication in navigation bar and set the following options:

   • Select Use SAML Authentication.

   • Select Accept Sender Vouches.

   • Deselect Verify Signature.

4. Click Inbound Integrity in the navigation bar and set the following option:

   • Select Require Message Body To Be Signed.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

5. Click Outbound Integrity in the navigation bar and select the following options:

   • Select Sign Body Element of Message.

   • Set the Signature Method to RSA-SHA1.

   • Select Add Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

6. Click Inbound Confidentiality in the navigation bar and set the following option:

   • Deselect Require Encryption of Message Body.

7. Click Outbound Confidentiality in the navigation bar and set the following option:

   • Select Encrypt Body Element of Message.

   • Set the Encryption Method to AES-128.

   • Set the public key to encrypt.

8. Configure the keystore properties and identity certificates.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

   For more information, see the Oracle Fusion Middleware Administrator's Guide.

9. Edit the wsmgmt.xml deployment descriptor file, as described in Editing the wsmgmt.xml File.

10. Invoke the Web service.

3.4.2.2 Configuring Oracle WSM 11g Client

1. Create a client proxy for the OC4J 10g Web service.

2. Attach the following policy: oracle/wss10_saml_token_with_message_protection_client_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Configure the policy, as described in "oracle/wss10_saml_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

4. Invoke the Web service method from the client.

Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

1. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

2. In the outbound signature, specify that the timestamp should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

3. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

   <outbound>/<encrypt>/<tbe-elements>
   <tbe-element local-part="UsernameToken"
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -secext-1.0.xsd" mode="CONTENT"/>
   ...
   

3.5 Mutual Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:

• "Configuring OC4J 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and OC4J 10g Web Service"

3.5.1 Configuring OC4J 10g Client and Oracle WSM 11g Web Service

To configure OC4J 10g client and Oracle WSM 11g Web service, perform the following steps:

3.5.1.1 Configuring Oracle WSM 11g Web Service

1. Create a Web service application.

2. Attach the following policy to the Web service: oracle/wss10_x509_token_with_message_protection_service_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3.5.1.2 Configuring OC4J 10g Client

1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

2. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

3. Click Authentication in the Proxy Editor navigation bar and set the following options:

   • Select Use X509 To Authenticate.

4. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Verify Inbound Signed Request Body.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

   • Select all options under Acceptable Signature Algorithms.

5. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

   • Select Sign Outbound Messages.

   • Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

6. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Decrypt Inbound Message Content.

   • Select all options under Acceptable Signature Algorithms.

7. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

   • Select Encrypt Outbound Messages.

   • Set the Algorithm to AES-128.

8. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

9. Click OK to close the wizard.

10. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in Editing the <appname>Binding_Stub.xml File.

11. Invoke the Web service.

Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

1. Provide the keystore password and sign and encryption key passwords.

2. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp" />
   ...
   

3. In the outbound signature, specify that the timestamp should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

4. In the outbound encryption, specify the key transport algorithm, as follows:

   <outbound><encrypt>
   <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
   ...
   

3.5.2 Configuring Oracle WSM 11g Client and OC4J 10g Web Service

To configure Oracle WSM 11g client and OC4J 10g Web service, perform the following steps:

3.5.2.1 Configuring OC4J 10g Web Service

1. Create and deploy a JAX-RPC Web service on OC4J.

2. Use the Application Server Control to secure the deployed Web service.

3. Click Authentication taband set the following options:

   • Select Use X509 Certificate Authentication.

4. Click Integrity tab of the Inbound Policies page and set the following options:

   • Select Require Message Body to Be Signed.

   • Select Verify Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

5. Click Integrity tab of the Outbound Policies page and set the following options:

   • Select Sign Body Element of Message.

   • Set the Signature Method to RSA-SHA1.

   • Select Add Timestamp and Creation Time Required in Timestamp.

   • Enter the Expiration Time (in seconds).

6. Click Confidentiality tab of the Inbound Policies page and set the following options:

   • Select Require Encryption of Message Body.

7. Click Confidentiality tab of the Outbound Policies page and set the following options:

   • Select Encrypt Body Element of Message.

   • Set the Encryption Method to AES-128.

   • Set the public key to encrypt.

8. Configure the keystore properties and identity certificates.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

9. Edit the wsmgmt.xml deployment descriptor file, as described in Editing the wsmgmt.xml File.

3.5.2.2 Configuring Oracle WSM 11g Client

1. Create a client proxy to the OC4J 10g Web service.

2. Attach the following policy: oracle/wss10_x509_token_with_message_protection_client_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3. Configure the policy, as described in "oracle/wss10_x509_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

4. Invoke the Web service.

Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

1. In the inbound signature, specify the following:

   <inbound><verify-signature><tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

2. In the outbound signature, specify that the timestamp should be signed, as follows:

   <outbound>/<signature>/<tbs-elements>
   <tbs-element
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -utility-1.0.xsd" local-part="Timestamp"/>
   ...
   

3. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

   <outbound>/<encrypt>/<tbe-elements>
   <tbe-element local-part="UsernameToken"
   name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity
   -secext-1.0.xsd" mode="CONTENT"/>
   ...
   

3.6 Username token over SSL

The following sections describe how to implement username token over SSL:

• "Configuring OC4J 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and OC4J 10g Web Service"

For information about:

• Configuring SSL on WebLogic Server, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

• Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

3.6.1 Configuring OC4J 10g Client and Oracle WSM 11g Web Service

To configure OC4J 10g client and Oracle WSM 11g Web service, perform the following steps:

3.6.1.1 Configuring Oracle WSM 11g Web Service

1. Configure the server for SSL.

   For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. Attach one of the following policies to the Web service:

   oracle/wss_username_token_over_ssl_service_policy

   oracle/wss_username_or_saml_token_over_ssl_service_policy

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3.6.1.2 Configuring OC4J 10g Client

1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

   Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

2. Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):

   HostnameVerifier hv = new HostnameVerifier()
   httpsURLConnection.setDefaultHostnameVerifier(hv);
   System.setProperty("javax.net.ssl.trustStore","<trust_store>");
   System.setProperty("javax.net.ssl.trustStorePassword","<trust_store
   _password>");
   System.setProperty("javax.net.ssl.keyStore","<key_store>");
   System.setProperty("javax.net.ssl.keyStorePassword","<key_store_password>");
   System.setProperty("javax.net.ssl.keyStoreType","JKS");
   

3. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

4. Click Authentication in the Proxy Editor navigation bar and set the following options:

   • Select Use Username to Authenticate.

   • Deselect Add Nonce and Add Creation Time.

5. Click Inbound Integrity in the Proxy Editor navigation bar and deselect all options.

6. Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options.

7. Click Inbound Confidentiality in the Proxy Editor navigation bar and deselect all options.

8. Click Outbound Confidentiality in the Proxy Editor navigation bar and deselect all options.

9. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

   Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

10. Click OK to close the wizard.

11. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in Editing the <appname>Binding_Stub.xml File.

12. Invoke the Web service.

Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

1. Provide the keystore password and sign and encryption key passwords.

2. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

   <outbound>
      <signature>
         <add-timestamp created="true" expiry="<Expiry_Time>"/> 
      </signature>
   ...
   

3.6.2 Configuring Oracle WSM 11g Client and OC4J 10g Web Service

To configure Oracle WSM 11g client and OC4J 10g Web service, perform the following steps:

3.6.2.1 Configuring OC4J 10g Web Service

1. Configure the server for SSL.

   For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

2. Use the Application Server Control to secure the deployed Web service.

3. Click Authentication tab and set the following options:

   • Select Use Username/Password Authentication.

4. Click Integrity tab of the Inbound Policies page and deselect all options.

5. Click Integrity tab of the Outbound Policies page and deselect all options.

6. Click Confidentiality tab of the Inbound Policies page and deselect all options.

7. Click Confidentiality tab of the Outbound Policies page and deselect all options.

8. Edit the wsmgmt.xml deployment descriptor file, as described in Editing the wsmgmt.xml File.

3.6.2.2 Configuring Oracle WSM 11g Client

1. Create a client proxy to the OC4J 10g Web service using clientgen.

   Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

2. Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):

   HostnameVerifier hv = new HostnameVerifier()
   httpsURLConnection.setDefaultHostnameVerifier(hv);
   System.setProperty("javax.net.ssl.trustStore","<trust_store>");
   System.setProperty("javax.net.ssl.trustStorePassword","<trust_store
   _password>");
   System.setProperty("javax.net.ssl.keyStore","<key_store>");
   System.setProperty("javax.net.ssl.keyStorePassword","<key_store_password>");
   System.setProperty("javax.net.ssl.keyStoreType","JKS");
   

3. Attach the following policy: oracle/wss_username_token_over_ssl_client_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

4. Configure the policy, as described in "oracle/wss_username_token_over_ssl_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

5. Invoke the Web service.

Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

1. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

   <outbound>
      <signature>
         <add-timestamp created="true" expiry="<Expiry_Time>"/> 
      </signature>
   ...
   

3.7 SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)

The following sections describe how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard:

• "Configuring OC4J 10g Client and Oracle WSM 11g Web Service"

• "Configuring Oracle WSM 11g Client and OC4J 10g Web Service"

For information about:

• Configuring SSL on WebLogic Server, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

• Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

3.7.1 Configuring OC4J 10g Client and Oracle WSM 11g Web Service

To configure OC4J 10g client and Oracle WSM 11g Web service, perform the following steps:

3.7.1.1 Configuring Oracle WSM 11g Web Service

1. Configure the server for two-way SSL.

   For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. Attach the following policy to the Web service:

   oracle/wss_saml_token_over_ssl_service_policy OR

   oracle/wss_username_or_saml_token_over_ssl_service_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

3.7.1.2 Configuring OC4J 10g Client

1. Configure the server for two-way SSL.

   For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

2. Create a client proxy for the Web service (above) using Oracle JDeveloper.

   Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

3. Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):

   HostnameVerifier hv = new HostnameVerifier()
   httpsURLConnection.setDefaultHostnameVerifier(hv);
   System.setProperty("javax.net.ssl.trustStore","<trust_store>");
   System.setProperty("javax.net.ssl.trustStorePassword","<trust_store
   _password>");
   System.setProperty("javax.net.ssl.keyStore","<key_store>");
   System.setProperty("javax.net.ssl.keyStorePassword","<key_store_password>");
   System.setProperty("javax.net.ssl.keyStoreType","JKS");
   

4. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

5. Click Authentication in the Proxy Editor navigation bar and set the following options:

   • Select Use SAML Token.

   • Click SAML Details.

   • Select Sender Vouches Confirmation.

   • Enter a valid username as the Default Subject Name.

6. Click Inbound Integrity in the Proxy Editor navigation bar and set the following option:

   • Deselect Verify Inbound Signed Message Body.

7. Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options.

8. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following option:

   • Deselect Decrypt Inbound Message Content.

9. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following option:

   • Deselect Encrypt Outbound Message.

10. Provide required information for the keystore to be used.

11. Click OK to close the wizard.

12. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in Editing the <appname>Binding_Stub.xml File.

13. Invoke the Web service.

Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

1. Provide the keystore password and sign and encryption key passwords.

2. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

   <outbound>
      <signature>
         <add-timestamp created="true" expiry="<Expiry_Time>"/> 
      </signature>
   ...
   

3.7.2 Configuring Oracle WSM 11g Client and OC4J 10g Web Service

To configure Oracle WSM 11g client and OC4J 10g Web service, perform the following steps:

3.7.2.1 Configuring OC4J 10g Web Service

1. Configure the server for two-way SSL.

   For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

2. Use the Application Server Control to secure the deployed Web service.

3. Click Authentication in navigation bar and set the following options:

   • Select Use SAML Authentication.

   • Select Accept Sender Vouches.

   • Deselect Verify Signature.

4. Click Integrity tab of the Inbound Policies page and deselect all options.

5. Click Integrity tab of the Outbound Policies page and deselect all options.

6. Click Confidentiality tab of the Inbound Policies page and deselect all options.

7. Click Confidentiality tab of the Outbound Policies page and deselect all options.

8. Edit the wsmgmt.xml deployment descriptor file, as described in Edit the wsmgmt.xml File.

3.7.2.2 Configuring Oracle WSM 11g Client

1. Configure the server for two-way SSL.

   For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

2. Create a client proxy to the OC4J 10g Web service.

   Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

3. Attach the following policy: oracle/wss_saml_token_over_ssl_client_policy.

   For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

4. Configure the policy, as described in "oracle/wss_saml_token_over_ssl_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

5. Invoke the Web service.

Edit the wsmgmt.xml File

Editing the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

1. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

   <outbound>
      <signature>
         <add-timestamp created="true" expiry="<Expiry_Time>"/> 
      </signature>
   ...