This chapter contains the following sections:
Overview of Interoperability with Oracle WebLogic Server 11g Web Service Security Environments
Username Token With Message Protection (WS-Security 1.1) and MTOM
SAML Token 2.0 (Sender Vouches) With Message Protection (WS-Security 1.1)
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) and MTOM
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)
Mutual Authentication with Message Protection (WS-Security 1.0)
Mutual Authentication with Message Protection (WS-Security 1.1)
In Oracle Fusion Middleware 11g, you can attach both Oracle WSM and Oracle WebLogic Server Web service policies to WebLogic Java EE Web services.
For more details about the predefined Oracle WSM 11g policies, see the following sections in Oracle Fusion Middleware Security and Administrator's Guide for Web Services:
For more details about the predefined Oracle WebLogic Server 11g Web service policies, see:
"Attaching Policies to WebLogic Web Services and Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
Table 4-1 summarizes the most common Oracle WebLogic Server 11g Web service policy interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Table 4-1 Interoperability With Oracle WebLogic Server 11g Web Services Security Environments
| Interoperability Scenario | Client—>Web Service | Oracle WSM 11g Policies | Oracle WebLogic Server 11g Policies |
|---|---|---|---|
|
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss11_username_token_with_message_protection_service_policy |
|
|
|
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss11_username_token_with_message_protection_client_policy |
|
|
|
"Username Token With Message Protection (WS-Security 1.1) and MTOM" |
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss10_username_token_with_message_protection_service_policy |
|
|
"Username Token With Message Protection (WS-Security 1.1) and MTOM" |
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss11_username_token_with_message_protection_client_policy |
|
|
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss10_username_token_with_message_protection_service_policy |
|
|
|
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss10_username_token_with_message_protection_client_policy |
|
|
|
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss_username_token_over_ssl_service_policy |
Wssp1.2-2007-Https-UsernameToken-Plain.xml |
|
|
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss_username_token_over_ssl_service_policy |
Wssp1.2-2007-Https-UsernameToken-Plain.xml |
|
|
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss_saml_token_over_ssl_service_policy |
Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml |
|
|
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss_saml_token_over_ssl_service_policy |
Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml |
|
|
"SAML Token 2.0 (Sender Vouches) With Message Protection (WS-Security 1.1)" |
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss11_saml_token_with_message_protection_service_policy |
|
|
"SAML Token 2.0 (Sender Vouches) With Message Protection (WS-Security 1.1)" |
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss11_saml_token_with_message_protection_client_policy |
|
|
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)" |
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss11_saml_token_with_message_protection_service_policy |
|
|
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)" |
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss11_saml_token_with_message_protection_client_policy |
|
|
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) and MTOM" |
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss11_saml_token_with_message_protection_service_policy |
|
|
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) and MTOM" |
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss11_saml_token_with_message_protection_client_policy wsmtom_policy |
|
|
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" |
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss10_saml_token_with_message_protection_service_policy |
|
|
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" |
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss10_saml_token_with_message_protection_client_policy |
|
|
"Mutual Authentication with Message Protection (WS-Security 1.0)" |
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss10_x509_token_with_message_protection_service_policy |
|
|
"Mutual Authentication with Message Protection (WS-Security 1.0)" |
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss10_x509_token_with_message_protection_client_policy |
|
|
"Mutual Authentication with Message Protection (WS-Security 1.1)" |
Oracle WebLogic Server 11g—>Oracle WSM 11g |
oracle/wss11_x509_token_with_message_protection_service_policy |
|
|
"Mutual Authentication with Message Protection (WS-Security 1.1)" |
Oracle WSM 11g—>Oracle WebLogic Server 11g |
oracle/wss11_x509_token_with_message_protection_client_policy |
|
This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:
To configure a JSE (or JEE) client that uses Oracle WebLogic Server 11g security policy and Oracle WSM 11g Web service, perform the following steps:
Create a Web service.
Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
Attach the following policies:
Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
Provide the configuration for the server (encryption key) in the client, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.
Invoke the Web service method from the client.
To configure a JSE (or JEE) client that uses Oracle WSM 11g policies and Oracle WebLogic Server 11g Web service, perform the following steps:
Create a Web service.
Attach the following policies:
Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
Configure message-level security, as described in:
- "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
- "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
You only need to configure the Confidentiality Key for a WS-Security 1.1 policy.
Deploy the Web service.
See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Create a client proxy to the Web service (above).
Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure the policy, as described in "oracle/wss11_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Specify keystore.recipient.alias in the client configuration.
Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entry in the trust store configured for the Web service.
Provide a valid username and password as part of the configuration.
Invoke the Web service method from the client.
This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenarios:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Configure the Oracle WebLogic Server 11g client and Oracle WSM 11g Web service as described in "Username Token With Message Protection (WS-Security 1.1)".
To enable MTOM communication, use the @MTOM annotation in the Web service in Step 2 of "Configuring the Client".
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the following steps:
Configure the Oracle WSM 11g client and Oracle WebLogic Server 11g Web service as described in "Username Token With Message Protection (WS-Security 1.1)".
To enable MTOM communication, perform one of the following:
Use the @MTOM annotation in the Web service in Step 2 of "Configuring Oracle WebLogic Server 11g Web Service".
In Step 3 of "Configuring the Client", attach wsmtom_policy from the Management tab.
This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
Note:
WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "Username Token With Message Protection (WS-Security 1.1)".To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Create a Web service.
Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
Attach the following policies:
Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.
Invoke the Web service method from the client.
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the following steps:
Create a Web service.
Attach the following policies:
Wssp1.2-2007-SignBody.xml
Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-EncryptBody.xml
For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
Configure message-level security, as described in:
- "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
- "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Deploy the Web service.
See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Create a client proxy to the Web service (above).
Attach the following policy to the Web service client: oracle/wss10_username_token_with_message_protection_client_policy.
For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Ensure that you use different keys for client (sign and decrypt key) and keystore recipient alias (server public key used for encryption). Ensure that the recipient alias is in accordance with the keys defined in the Web service policy security configuration.
Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.
Provide a valid username and password as part of the configuration.
Invoke the Web service method from the client.
The following section describes how to implement username token over SSL, describing the following interoperability scenario:
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Configure the server for one-way SSL.
For more information, see "Configuring SSL on WebLogic Server (One-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a Web service.
Attach the following policy: oracle/wss_username_token_over_ssl_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen. Provide a valid username and password as part of the configuration for this policy in the client proxy.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.
Configure WebLogic Server for SSL.
For more information, see "Configuring SSL on WebLogic Server (One-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
Attach Wssp1.2-2007-Https-UsernameToken-Plain.xml to the Web service client.
Provide the truststore and other required System properties in the SSL client, as described in "Using SSL Authentication in Java Clients" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.
Invoke the Web service.
The following section describes how to implement username token over SSL with Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenario:
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Configure the Oracle WebLogic Server 11g client and Oracle WSM 11g Web service as described in "Username Token Over SSL".
To enable MTOM communication, use the @MTOM annotation in the Web service in Step 4 of "Configuring Oracle WebLogic Server 11g Client".
The following section describes how to implement SAML token sender vouches with SSL. It describes the following interoperability scenario:
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Configure the oracle/wss_saml_token_over_ssl_service_policy policy for two-way SSL, as described in "oracle/wss_saml_token_over_ssl_service_policy" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a Web service.
Attach the following policy to the Web service: oracle/wss_saml_token_over_ssl_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.
Configure Oracle WebLogic Server for two-way SSL.
For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure identity and trust stores, as described in "Configure Identity and Trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
Attach Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml to the Web service client.
Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.
Select the new provider, click on Provider Specific, and configure it as follows:
Set Issuer URI to www.oracle.com.
Set Name Qualifier to www.oracle.com.
Restart Oracle WebLogic Server.
Create a SAML relying party, as described in "Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Set the Profile to WSS/Sender-Vouches.
Configure the SAML relying party, as described in "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure the SAML relying party as follows (leave other values set to the defaults):
Target URL: <url_used_to_access_Web_service>
Description: <your_description>
Select the Enabled checkbox and click Save.
Ensure the Target URL is set to the URL used for the client Web service.
Create a servlet and call the proxy code from the servlet.
Use BASIC authentication so that the authenticated subject can be created.
Provide the truststore and other required System properties in the SSL client, as described in "Using SSL Authentication in Java Clients" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.
Invoke the Web application client.
Enter the credentials of the user whose identity is to be propagated using the SAML token.
The following section describes how to implement SAML token sender vouches over SSL with MTOM. It describes the following interoperability scenario:
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Configure the Oracle WebLogic Server 11g client and Oracle WSM 11g Web service as described in "SAML Token (Sender Vouches) Over SSL".
To enable MTOM communication, use the @MTOM annotation in the Web service in Step 4 of "Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service".
This section describes how to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Create a JAX-WS Web service.
Attach the following policy to the Web service: oracle/wss11_saml20_token_with_message_protection_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a J2EE client for the deployed Web service using JDeveloper. Create a Web project and create a proxy using WSDL proxy.
Attach the following policies:
Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
Extract weblogic.jar to a folder and provide the absolute path to the above policies files.
Add servlet to above web project.
Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.
Secure the Web application client using BASIC Authentication. For more information, see "Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.
Deploy the J2EE Web application client.
See "Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAML2CredentialMapper.
Select the new provider, click on Provider Specific, and configure it as follows:
Set Issuer URI to www.oracle.com.
Set Name Qualifier to www.oracle.com.
Restart WebLogic Server.
To create a new service provider partner, perform the following steps:
Select the credential mapper created in Step 7 in the WebLogic Administration Console, and then select the Management tab.
Select New, and then select New Webservice Service Provider Partner.
Provide a name, and select Finish.
Configure the service provider partner as follows:
Select the service provide partner created in Step 9.
Select the Enabled check box.
Provide the Audience URI.
Set Issuer URI to www.oracle.com.
Set Target URL to <url_used_to_access_Web_service>.
Set Profile to WSS/Sender-Vouches.
Invoke the Web application client.
Enter the credentials of the user whose identity is to be propagated using SAML token.
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the following steps:
Create a Web service.
Attach the following policies:
Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side. Create the trust store out of the keystore by exporting both keys, and trust both of them while importing into trust store. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure message-level security, as described in:
"Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
"Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Since this is a WS-Security 1.1 policy, you need to configure Confidentiality Key only.
Attach new configuration using the annotation:
@WssConfiguration(value="my_security_configuration") where my_security_configuration is the name of the Web Security Configuration created in Step 4. For more information, see "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Deploy the Web service.
See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Create a SAML Identity Asserter, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAML2IdentityAsserter.
Restart WebLogic Server.
To add the identity provider to the identity assertor created in Step 7, perform the following steps:
Select the identity assertor created in Step 7 in the WebLogic Administration Console.
Create a new identity provider partner, select New, and then select New Webservice Identity Provider Partner.
Provide a name, and select Finish.
Configure the identity provider as follows:
Select the identity provide partner created in Step 9.
Select the Enabled check box.
Provide the Audience URI. For example: target:*:/saml20WLSWS-Project1-context-root/Class1Port
Set Issuer URI to www.oracle.com.
Set Target URL to <url_used_to_access_Web_service>.
Set Profile to WSS/Sender-Vouches.
Generate a client using JDeveloper for the Web service created in "Configuring Oracle WSM 11g Client". Create a Web project and then select New, and create a client proxy using the WSDL.
Add a servlet in the above project.
Attach the following policy to the Web service client: oracle/wss11_saml20_token_with_message_protection_client_policy.
For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Specify keystore.recipient.alias in the client configuration.
Ensure that keystore.recipient.alias is the same as the decryption key specified for the Web service.
Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entry in the trust store configured for the Web service.
In JDeveloper, secure web project with Form-based authentication using the Configure ADF Security Wizard.
Invoke the Web application client.
This section describes how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Create a Web service.
Attach the following policy to the Web service: oracle/wss11_saml_token_with_message_protection_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
Attach the following policies:
Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.
Secure the Web application client using BASIC Authentication. For more information, see "Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.
Deploy the Web service client.
See "Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.
Select the new provider, click on Provider Specific, and configure it as follows:
Set Issuer URI to www.oracle.com.
Set Name Qualifier to www.oracle.com.
Restart WebLogic Server.
Create a SAML relying party, as described in "Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Set the Profile to WSS/Sender-Vouches.
Configure the SAML relying party, as described in "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Ensure the Target URL is set to the URL used for the client Web service.
Invoke the Web application client.
Enter the credentials of the user whose identity is to be propagated using SAML token.
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the following steps:
Create a Web service.
Attach the following policies:
Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
Configure message-level security, as described in:
"Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
"Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Since this is a WS-Security 1.1 policy, you need to configure Confidentiality Key only.
Deploy the Web service.
See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.
Restart WebLogic Server.
Select the authentication provider created in step 5.
Create a SAML asserting party, as described in "Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Set Profile to WSS/Sender-Vouches.
Configure the SAML asserting party, as described in "Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure the SAML asserting party as follows:
Set Issuer URI to www.oracle.com.
Set Target URL to <url_used_to_access_Web_service>.
Create a client proxy to the Web service (above).
Attach the following policy to the Web service client: oracle/wss11_saml_token_with_message_protection_client_policy.
For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure the policy, as described in oracle/wss11_saml_token_with_message_protection_client_policy.
Specify keystore.recipient.alias in the client configuration.
Ensure that keystore.recipient.alias is the same as the decryption key specified for the Web service.
Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entry in the trust store configured for the Web service.
Provide a valid username whose identity needs to be propagated using SAML token in the client configuration.
Invoke the Web application client.
Enter the credentials of the user whose identity is to be propagated using SAML token.
This section describes how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenarios:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Configure the Oracle WebLogic Server 11g client and Oracle WSM 11g Web service as described in "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)".
To enable MTOM communication, use the @MTOM annotation in the Web service in Step 2 of "Configuring Oracle WebLogic Server 11g Client".
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the following steps:
Configure the Oracle WSM 11g client and Oracle WebLogic Server 11g Web service as described in "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)".
To enable MTOM communication, perform one of the following:
Use the @MTOM annotation in the Web service in Step 2 of "Configuring Oracle WebLogic Server 11g Web Service".
In Step 2 of "Configuring Oracle WSM 11g Client", attach wsmtom_policy from the Management tab.
This section describes how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
Note:
WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)".To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the following steps:
Create a Web service.
Attach the following policy to the Web service: oracle/wss10_saml_token_with_message_protection_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
Attach the following policies:
Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.
Secure the Web application client using BASIC Authentication. For more information, see "Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.
Deploy the Web service client.
See "Deploying Web Services Applications" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.
Select the SAMLCredentialMapperV2, click on Provider Specific, and configure it as follows:
Set Issuer URI to www.oracle.com.
Set Name Qualifier to www.oracle.com.
Restart WebLogic Server.
Create a SAML relying party, as described in "Create a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Set the profile to WSS/Sender-Vouches.
Configure the SAML relying party, as described in "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Ensure the target URL is set to the URL used for the client Web service.
Invoke the Web application client and enter the appropriate credentials.
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the following steps:
Create a Web service.
Attach the following policies:
Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
Configure message-level security, as described in:
"Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
"Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Since this is a WS-Security 1.1 policy, you need to configure Confidentiality Key only.
Deploy the Web service.
See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.
Restart WebLogic Server.
Select the authentication provider created in step 5.
Create a SAML asserting party, as described in "Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Set Profile to WSS/Sender-Vouches.
Configure a SAML asserting party, as described in "Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure the SAML asserting party as follows (leave other values set to the defaults):
Set Issuer URI to www.oracle.com.
Set Target URL to <url_used_by_client>.
Create a client proxy to the Web service (above).
Attach the following policy to the Web service client: oracle/wss10_saml_token_with_message_protection_client_policy.
For more information about attaching the policy, see "Attaching Policies to Web Service Clients" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure the policy, as described in oracle/wss10_saml_token_with_message_protection_client_policy.
Ensure that you use different keys for client (sign and decrypt key) and keystore recipient alias (server public key used for encryption). Ensure that the recipient alias is in accordance with the keys defined in the Web service policy security configuration.
Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.
Provide valid username whose identity needs to be propagated using SAML token in the client configuration.
Invoke the Web service method.
The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.0 standards:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
To configure Oracle WebLogic Server 10g client and Oracle WSM 11g Web service, perform the steps in the following sections.
Create a Web service.
Attach the following policy to the Web service: oracle/wss10_x509_token_with_message_protection_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
Attach the following policies:
Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
Provide the configuration for the server (encryption key) in the client, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.
Invoke the Web service method from the client.
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the steps in the following sections.
Create a JAX-WS Web service.
Attach the following policies:
Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure message-level security, as described in:
- "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
- "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
You only need to configure the Confidentiality Key for a WS-Security 1.0 policy.
Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as follows:
Create a token handle for username token and configure the following:
Name: <name>
Class name: weblogic.xml.crypto.wss.UsernameTokenHandler
Token Type: ut
Handling Order: 1
Create a token handler for X.509 and configure the following:
Name: <name>
Class name: weblogic.xml.crypto.wss.BinarySecurityTokenHandler
Token Type: x509
Handling Order: 0
For the X.509 token handler, add the following properties:
Name: UserX509ForIdentity
Value: true
IsEncrypted: False
For more information on token handlers, see "Create a token handler of a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure a credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):
Keystore Provider: N/A
Keystore Type: jks
Keystore File Name: default_keystore.jks
Keystore Pass Phrase: <password>
Confirm Keystore Pass Phrase: <password>
Configure Authentication, as described in "Configure Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Select the Authentication tab and configure as follows:
Click DefaultIdentityAsserter and add X.509 to Chosen active types
Click Provider Specific and configure the following:
Default User Name Mapper Attribute Type: CN
Active Types: X.509
Use Default User Name Mapper: True
If the users are not added, add the Common Name (CN) user specified in the certificate as described in "Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Restart Oracle WebLogic Server.
Deploy the Web service.
See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Create a client proxy for the Web service using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.
Attach the following policy to the client: wss10_x509_token_with_message_protection_client_policy
Provide the configuration for the server (encryption key) in the client, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.
Invoke the Web service method from the client.
The following sections describe how to implement mutual authentication with message protection that conform to the WS-Security 1.1 standards:
"Configuring Oracle WebLogic Server 11g Client and Oracle WSM 11g Web Service"
"Configuring Oracle WSM 11g Client and Oracle WebLogic Server 11g Web Service"
To configure Oracle WebLogic Server 11g client and Oracle WSM 11g Web service, perform the steps in the following sections.
Create a JAX-WS Web service.
Attach the following policy to the Web service: oracle/wss11_x509_token_with_message_protection_service_policy.
For more information about attaching the policy, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
Attach the following policies:
Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
Provide the configuration for the server (encryption key) in the client, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.
Invoke the Web service method from the client.
To configure Oracle WSM 11g client and Oracle WebLogic Server 11g Web service, perform the steps in the following sections:
Create a JAX-WS Web service.
Attach the following policies:
Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml
Wssp1.2-2007-SignBody.xml
Wssp1.2-2007-EncryptBody.xml
For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help
Configure message-level security, as described in:
- "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
- "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
You only need to configure the Confidentiality Key for a WS-Security 1.1 policy.
Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as follows:
Create a token handle for username token and configure the following:
Name: <name>
Class name: weblogic.xml.crypto.wss.UsernameTokenHandler
Token Type: ut
Handling Order: 1
Create a token handler for X.509 and configure the following:
Name: <name>
Class name: weblogic.xml.crypto.wss.BinarySecurityTokenHandler
Token Type: x509
Handling Order: 0
For the X.509 token handler, add the following properties:
Name: UserX509ForIdentity
Value: true
IsEncrypted: False
For more information on token handlers, see "Create a token handler of a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Configure a credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):
Keystore Provider: N/A
Keystore Type: jks
Keystore File Name: default_keystore.jks
Keystore Pass Phrase: <password>
Confirm Keystore Pass Phrase: <password>
Configure Authentication, as described in "Configure Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Select the Authentication tab and configure as follows:
Click DefaultIdentityAsserter and add X.509 to Chosen active types
Click Provider Specific and configure the following:
Default User Name Mapper Attribute Type: CN
Active Types: X.509
Use Default User Name Mapper: True
If the users are not added, add the Common Name (CN) user specified in the certificate as described in "Create users" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Restart Oracle WebLogic Server.
Deploy the Web service.
See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Create a client proxy for the Web service (above) using clientgen.
For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server
Attach the following policy to the client: wss11_x509_token_with_message_protection_client_policy
Note:
Edit the policy as follows:<orasp:x509-token orasp:sign-key-ref-mech="thumbprint"orasp:enc-key-ref-mech="thumbprint"/>
Provide the configuration for the server (encryption key) in the client, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.
Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.
Invoke the Web service method from the client.