Administration Console Online Help


Use a password digest in SOAP messages

Before you begin

You must first create the Web service security configuration that is associated with a Web service before you can configure specific features.

See Create a Web service security configuration for details about creating a security configuration.


By default, the WebLogic Web services security runtime puts the cleartext password, rather than a password digest, in the SOAP messages sent when a message-secured Web service is invoked. The password digest is a cryptographic hash of the password, a nonce, and the creation timestamp (Base64-encoded SHA-1, as defined by the OASIS WS-Security UsernameToken Profile), so the password itself does not appear in the message. The following procedure shows how to change this default behavior so that the SOAP messages carry the password digest instead.

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Administration Console, select your domain. This is the top-level node of the navigation tree.
  3. In the right pane, select Web Service Security.
  4. In the table, click the name of the Web service security configuration you want to update.

    The default configuration is called default_wss; updating this configuration updates security behavior of all Web services that are associated with this default configuration.

  5. If it is not already selected, select the Credential Provider tab.
  6. Click New.
  7. Enter the following values:
    • Name: A name for your credential provider. This can be anything you want.
    • Class Name: Enter the following exact value: weblogic.xml.crypto.wss.UNTCredentialProvider.
    • Token Type: Enter the following exact value: ut.
  8. Click Finish.
  9. In the Credential Providers table, click the name of the credential provider you just created.
  10. At the bottom of the page in the Credential Provider Properties table, click New.
  11. Enter the following values:
    • Name: Enter the following exact value: UsePasswordDigest.
    • Value: Enter the following exact value: true.

    Leave the Is Encrypted checkbox unchecked.

  12. Click OK.
  13. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).

After you finish

If you specify that SOAP messages use the password digest, rather than the cleartext password, then you must also change the default behavior of the core security runtime to enable password digest. You do this by ensuring that the Enable Password Digests checkbox of the Default Authenticator is checked. See Configure Authentication and Identity Assertion providers.

Additionally, if the core security runtime has already stored only password digests (rather than cleartext passwords) for existing users, you must recreate those users so that their cleartext password, and not a digest, is stored in the password database. The server needs the cleartext password to recompute the digest it receives in the UsernameToken and compare the two; a one-way hash stored on the server cannot be used for that comparison.

You must redeploy any Web service which is associated with this security configuration for the security changes to take effect.
