Contents
Title and Copyright Information
Preface
About this Guide
Audience
How to Use This Guide
Documentation Accessibility
Related Documents
Conventions
What's New
11g Release 1 (11.1.1.7)
11g Release 1 (11.1.1.6)
11g Release 1 (11.1.1.5)
11g Release 1 (11.1.1.4)
11g Release 1 (11.1.1.3)
11g Release 1 (11.1.1.2)
11g Release 1 (11.1.1)
Part I Introduction
1 Overview of Web Services Security and Administration
Web Services Security and Administration in Oracle Fusion Middleware 11g
Web Service Security and Administration Tasks
Securing and Administering Oracle Infrastructure Web Services
Securing and Administering WebLogic Web Services
Accessing the Security and Administration Tools
Accessing Oracle Enterprise Manager Fusion Middleware Control
Accessing Oracle WebLogic Administration Console
Accessing the Web Services Custom WLST Commands
Installing Oracle WSM on WebLogic Server
2 Understanding Web Services Security Concepts
Securing Web Services
Transport-level Security
Application-level Security
Web Service Security Requirements
How Oracle Fusion Middleware Secures Web Services and Clients
3 Understanding Oracle WSM Policy Framework
Overview of Oracle WSM Policy Framework
What Are Policies?
Building Policies Using Policy Assertions
Attaching Policies to Subjects
Attaching Policies Globally Using Policy Sets
How Policies are Executed
Oracle WSM Predefined Policies and Assertion Templates
Defining Multiple Policy Alternatives (OR Groups)
Overriding Security Policy Configuration
Recommended Naming Conventions for Policies
4 Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware
How Oracle WSM 10g is Redesigned in Oracle Fusion Middleware 11g Release 1
Comparing Oracle WSM 10g and Oracle WSM 11g Policies
Comparing Oracle Application Server 10g WS-Security with Oracle WSM 11g
Interoperability and Upgrade
Part II Basic Administration
5 Deploying Web Services Applications
Overview
Deploying Web Services Applications
Undeploying a Web Services Application
Redeploying a Web Services Application
6 Administering Web Services
Viewing All Current Web Services for a Server
Viewing the Web Services in a Domain Using WLST
Navigating to the Web Services Summary Page for an Application
Viewing the Web Services in Your Application
Using Fusion Middleware Control
Using WLST
Viewing the Web Services and References in a SOA Composite
Viewing the Details for a Web Service Endpoint
Using Fusion Middleware Control
Using WLST
Viewing Web Service Clients
Using Fusion Middleware Control
Viewing SOA References
Viewing Connection-Based Web Service Clients
Viewing WebCenter Portlets
Viewing Java EE Web Service Clients
Viewing Asynchronous Web Service Callback Clients
Using WLST
Displaying the Web Service WSDL Document
Configuring the Web Service Endpoint
Using Fusion Middleware Control
Using WLST
Enabling or Disabling a Web Service
Using Fusion Middleware Control
Using WLST
Enabling or Disabling RESTful Web Services
Using Fusion Middleware Control
Using WLST
Enabling or Disabling the Display of the Web Service WSDL Document
Using Fusion Middleware Control
Using WLST
Enabling or Disabling the Exchange of Metadata
Enabling or Disabling the Web Service Test Endpoint
Using Fusion Middleware Control
Using WLST
Validating the Request Message
Configuring Web Services Atomic Transactions
Using Fusion Middleware Control
Using WLST
Setting the Size of the Request Message
Using Fusion Middleware Control
Using WLST
Configuring Asynchronous Web Services
Enabling and Disabling MTOM
Configuring the Web Service Client
Using Fusion Middleware Control
Configuring SOA References
Configuring ADF DC Web Service Clients
Configuring Asynchronous Web Service Callback Clients
Using WLST
7 Managing Web Service Policies
Overview of Web Services Policy Management
Viewing Available Web Services Policies
Navigating to the Web Services Policies Page in Fusion Middleware Control
Displaying a List of the Available Policies Using WLST
Viewing a Web Service Policy
Searching for Web Service Policies
Creating Web Service Policies
Creating a New Web Service Policy
Creating a Web Service Policy from an Existing Policy
Importing Web Service Policies
Creating Custom Policies
Managing Policy Assertion Templates
Navigating to the Web Services Assertion Templates Page
Naming Conventions for Assertion Templates
Viewing an Assertion Template
Searching for an Assertion Template
Creating an Assertion Template
Editing an Assertion Template
Editing the Configuration Properties
Adding Assertions to a Policy
Adding an OR Group to a Policy
Configuring Assertions
Exporting an Assertion Template
Importing an Assertion Template
Deleting an Assertion Template
Validating Web Services Policies
Editing Web Service Policies
Versioning Web Service Policies
Viewing the Version History of Web Services Policies
About the Restore and Activate Policy Options
Creating a New Version of a Web Service Policy
Restoring an Earlier Version of a Web Service Policy
Deleting Versions of a Web Service Policy
Exporting Web Service Policies
Deleting Web Service Policies
Generating Client Policies
Enabling or Disabling a Policy for a Single Policy Subject
Using Fusion Middleware Control
Using WLST
Enabling or Disabling a Policy for All Subjects
Enabling or Disabling Assertions Within a Policy
Analyzing Policy Usage
Policy Advertisement
8 Attaching Policies to Web Services
Viewing the Policies That are Attached to a Web Service
Using Fusion Middleware Control
Using WLST
Attaching Policies to Web Services
Attaching a Policy to a Single Subject
Attaching a Policy to a Web Service Using Fusion Middleware Control
Attaching a Policy to a Web Service Using WLST
Attaching a Policy to Multiple Subjects (Bulk Attachment)
Validating Policy Subjects
Attaching Policies to Web Service Clients
Attaching Policies to Web Service Clients Using Fusion Middleware Control
Attaching Policies to SOA References
Attaching Policies to Connection-Based Web Service Clients
Attaching Policies to Asynchronous Web Service Callback Clients
Attaching Policies to Java EE Web Service Clients
Attaching Policies to Web Service Clients Using WLST
Enabling and Disabling Web Service Client Policies Using WLST
Attaching Policies to Servlet Applications
Attaching Policies Directly to Servlet Applications
Attaching Policies Globally to Servlet Applications
Attaching Web Service Policies Permitting Overrides
Configuring Server-Side Override Properties for Message Protection Policies
Setting Default Values for the Keystore Configuration Properties
Configuring Server-Side Override Properties for Authorization Policies
Setting Default Values for the Configuration Properties
Overriding Configuration Properties When Attaching a Service Policy Using Fusion Middleware Control
Overriding Configuration Properties When Attaching a Policy Using WLST
Attaching Client Policies Permitting Overrides
Overriding Configuration Properties When Attaching Client Policies Using Fusion Middleware Control
Attaching Client Policies Permitting Overrides Using WLST
Configuring User-Defined Client- or Server-Side Override Properties
Scope of User-Defined Configuration Properties
Adding a User-Defined Configuration Property
Editing a User-Defined Configuration Property
Deleting a User-Defined Configuration Property
Overriding the Configuration Properties When Attaching a User-Defined Policy
9 Creating and Managing Policy Sets
Understanding Global Policy Attachments Using Policy Sets
Subject Types and Scope of Resources
Typical Uses for Global Policy Attachments
Navigating to the Policy Set Summary Page
Displaying a List of Policy Sets Using WLST
Viewing the Configuration of a Policy Set
Using Fusion Middleware Control
Using WLST
Managing Repository Modification Sessions Using WLST
Creating a Policy Set
Using Fusion Middleware Control
Using WLST
Creating a Policy Set from an Existing Policy Set
Using Fusion Middleware Control
Using WLST
Editing a Policy Set
Using Fusion Middleware Control
Using WLST
Defining the Type and Scope of Resources
Resource Type
Resource Scope
Determining the Namespace for a Web Service
Examples
Validating a Policy Set
Overriding Configuration Properties for Globally Attached Policies
Using Fusion Middleware Control
Using WLST
Specifying Run-time Constraints in Policy Sets
Using Fusion Middleware Control
Using WLST
Disabling a Globally Attached Policy
Enabling and Disabling a Policy Set
Using Fusion Middleware Control
Using WLST
Deleting Policy Sets
Using Fusion Middleware Control
Using WLST
Migrating Direct Policy Attachments to Global Policy Attachments
Specifying the Priority of a Policy Attachment
Determining the Secure Status of an Endpoint
How the Effective Set of Policies is Calculated
10 Setting Up Your Environment for Policies
Understanding Keys and Certificates
Overview of Private Keys and Certificates
How Different Security Policies Use Private Keys and Certificates
Message Protection Policy Types
Authentication Token Policy Types
Setting Up Private Keys and Certificates for SSL Policies
Setting up Private Keys and Certificates for Message Protection Policies
Configuring Keystores for Message Protection
Generating Private Keys and Creating the Java Keystore
Configuring the Oracle WSM Keystore
Using Fusion Middleware Control
Using WLST
Obtaining a Trusted Certificate and Importing it into the Keystore
Setting Up the Web Service Client Keystore
Configuring the Credential Store
Adding Keys and User Credentials to the Credential Store
Using Fusion Middleware Control
Using WLST
How Oracle WSM Locates Keystore And Key Passwords
Configuring the OPSS Keystore Service for Message Protection
Configuring Keystores for SSL
Which Policies Require You to Configure SSL?
Which Policies Require You to Configure Two-Way SSL?
How to Configure a Keystore on WebLogic Server
Configuring SSL on WebLogic Server (One-Way)
Configuring SSL on WebLogic Server (Two-Way)
Configuring SSL for a Web Service Client
Configuring Two-Way SSL for a Web Service Client
Configuring SSL on Oracle HTTP Server
One-Way SSL
Two-Way SSL
Hardware Integration
Using Hardware Security Modules With Oracle WSM
Using SafeNet Luna SA With Oracle WSM for Key Storage
About Installing and Configuring the Luna SA HSM Client
Configuring the JRE Used By Oracle WSM
Logging On to Luna SA
Copying Keys and Certificates from JKS to Luna SA
Configuring Oracle WSM to Use Luna SA
Configuring Oracle WSM for Oracle SPARC T4 Cryptographic Acceleration
Terms You Need to Understand
Overview of Oracle SPARC T4 Hardware Assisted Cryptographic Acceleration
Configuring Transport-Level Security for Cryptographic Acceleration
Configuring Message-level Security for Cryptographic Acceleration
Additional Reading
Using Service Identity Certification Extension
Hostname Verification for the Certificate Included in WSDL
Enabling or Disabling Service Identity Certificate Extension and Hostname Verification
Ignoring the Service Identity Certificate Extension From the Client
Ignoring Hostname Verification from the Client
Configuring an Authentication Provider in WebLogic Server
What Type of WebLogic Security Authentication Providers Must You Create?
Configuring the SAML and Kerberos Login Modules
Configuring SAML
How the SAML Token is Validated
Which Authentication Provider is Used?
How to Configure SAML Web Service Client at Design Time
Configure the Username for the SAML Assertion
Including User Attributes in the Assertion
Including User Roles in the Assertion
How to Configure Oracle Platform Security Services (OPSS) for SAML Policies
Adding an Additional SAML Assertion Issuer Name
Configuring SAML Web Service Clients for Identity Switching
Set the javax.xml.ws.security.auth.username Property
Set the WSIdentityPermission Permission
Defining a Trusted Distinguished Name (DN) List for SAML Signing Certificates
Using Anonymous Users with SAML Policies
Using JSON Web Token (JWT) with Oracle WSM
Example JWT Use Case (High Level Steps)
Configuring the Client and Service for Propagating the JWT Token
Client-side Configuration for JWT Token Propagation
Service-side Configuration for JWT Token Propagation
Propagating Identity Context with Oracle WSM
Using SAML and JWT Policies to Propagate Identity Context
Configuring Identity Context Propagation: Main Steps
Configuring Identity Context Propagation for SAML Policies
Configuring Identity Context Propagation for JWT Token Policies
Using Kerberos Tokens
Initializing and Starting the MIT Kerberos KDC
Creating Principals
Configuring the Web Service Client to Use the Correct KDC
Setting the Service Principal Name In the Web Service Client
Setting the Service Principal Name In the Web Service Client at Design Time
Configuring the Web Service to Use the Correct KDC
Using the Correct Keytab File in Enterprise Manager
Extract and Export the Keytab File
Modify the krb5 Login Module to use the Keytab File
Authenticating the User Corresponding to the Service Principal
Creating a Ticket Cache for the Web Service Client
Configuring Kerberos With SPNEGO Negotiation
Using Active Directory with Kerberos and Message Protection
Setting Up the Web Service Client
Create a User Account
Create a Keytab File
Set the Service Principal Name
Set Up the Web Service
SAML Message Protection Use Case
What You Need to Know
Requirements of the wss11_saml_token_with_message_protection_service_policy
How Are Messages Protected Via Symmetric Keys?
What Keys Must Be in the Keystore?
Multi-Domain Use Case (Keystore Hardening)
When to Override the SAML Issuer
Main Steps
Create a WebLogic Server User
Create a Java Keystore
Configure the Web Services Manager Keystore
Store the Password for the Decryption Key in the Credential Store
Attach the Policy to Your Web Service
Attach the Policy to Your Web Service Client
WS-Trust Policies and Configuration Steps
Overview of Web Services WS-Trust
How the STS Configuration is Obtained
Typical Token Request and Response
Example WS-Trust Use Case
On Behalf Of Use Cases
Token Lifetime
What Token Types Are Exchanged?
Overview of Sender Vouches in WS-Trust
Setting Up Automatic Policy Configuration for STS
Requirements for Automatic Policy Configuration
Setting Up Automatic Policy Configuration: Main Steps
Manually Configuring the STS Config Policy From the Web Service Client: Main Steps
Using SAML Sender Vouches with WS Trust
Available WS-Trust Policies
Programmatic Configuration Overrides for WS-Trust Client Policies
Supported STS Servers
Examples Using WS-Trust with OpenSSO STS
Configuring OpenSSO STS
SAML Holder-of-Key With Message Protection Scenario
SAML Sender Vouches with Message Protection Scenario
SAML Bearer with Message Protection Scenario
11 Configuring Policies
Determining Which Security Policies to Use
Protecting Messages
Message Protection Basics
Example for Partial Encryption
Security SwA Attachments
Which Policies Offer Message Protection?
Authentication-Only Policies and Configuration Steps
oracle/http_basic_auth_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
How to Attach and Configure the Policy for Servlet Applications
oracle/http_basic_auth_over_ssl_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
How to Attach and Configure the Policy for Servlet Applications
oracle/http_jwt_token_client_policy
Settings
Configuration Properties
oracle/http_jwt_token_service_policy
Settings
Configuration Properties
oracle/http_jwt_token_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/http_jwt_token_over_ssl_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/http_oam_token_service_policy
Settings
Configuration Properties
How to Set Up OAM
oracle/http_saml20_token_bearer_client_policy
Settings
Configuration Properties
oracle/http_saml20_bearer_token_service_policy
Settings
Configuration Properties
oracle/http_saml20_bearer_token_over_ssl_client_policy
Settings
Configuration Properties
oracle/http_saml20_bearer_token_over_ssl_service_policy
Settings
Configuration Properties
oracle/wss_http_token_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
How to Attach and Configure the Policy for Servlet Applications
oracle/wss_http_token_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
How to Attach and Configure the Policy for Servlet Applications
oracle/wss_username_token_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client At Design Time
oracle/wss_username_token_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/wss10_saml_token_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_saml_token_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up WebLogic Server
oracle/wss10_saml20_token_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_saml20_token_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up WebLogic Server
oracle/wss11_kerberos_token_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_kerberos_token_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Configure WebLogic Server
Message Protection-Only Policies and Configuration Steps
oracle/wss10_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_message_protection_service_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss11_message_protection_client_policy
Settings
Configuration Properties
How to Configure the Web Service Client
How to Configure the Web Service Client at Design Time
oracle/wss11_message_protection_service_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
Message Protection and Authentication Policies and Configuration Steps
Configuring a Policy With an OR Group
oracle/wss_http_token_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up the Web Services Client
How to Set Up the Web Service Client at Design Time
oracle/wss_http_token_over_ssl_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/wss_saml_token_bearer_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss_saml_token_bearer_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss_saml_token_bearer_over_ssl_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss_saml20_token_bearer_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss_saml20_token_bearer_over_ssl_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss_saml_token_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss_saml_token_over_ssl_service_policy
Settings
Configuration Properties
Configure the Login Module.
How to Set Up WebLogic Server
oracle/wss_saml20_token_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss_saml20_token_over_ssl_service_policy
Settings
Configuration Properties
Configure the Login Module.
How to Set Up WebLogic Server
oracle/wss_username_token_over_ssl_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss_username_token_over_ssl_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/wss10_saml_hok_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_saml_hok_token_with_message_protection_service_policy
Configure the Login Module
How to Set Up WebLogic Server
oracle/wss10_saml_token_with_message_integrity_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_saml_token_with_message_integrity_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up WebLogic Server
oracle/wss10_saml_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_saml_token_with_message_protection_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up WebLogic Server
oracle/wss10_saml20_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_saml20_token_with_message_protection_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up WebLogic Server
oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up WebLogic Server
oracle/wss10_username_id_propagation_with_msg_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_username_id_propagation_with_msg_protection_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/wss10_username_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_username_token_with_message_protection_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy
Settings
Configuration Properties
How to Set Up WebLogic Server
oracle/wss10_x509_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss10_x509_token_with_message_protection_service_policy
Settings
Attributes You Can Configure
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss11_kerberos_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_kerberos_token_with_message_protection_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy
Settings
Configuration Properties
How to Set up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_saml_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_saml_token_with_message_protection_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss11_saml20_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_saml20_token_with_message_protection_service_policy
Settings
Configuration Properties
Configure the Login Module
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss11_username_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_username_token_with_message_protection_service_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wss11_x509_token_with_message_protection_client_policy
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_x509_token_with_message_protection_service_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
Authorization Policies and Configuration Steps
Determining Which Resources to Protect
How Authorization Permissions Are Determined
OPSS Resource Name Can Include Operation Name
oracle/binding_authorization_denyall_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
oracle/binding_authorization_permitall_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
oracle/binding_permission_authorization_policy
Settings
Attributes You Can Configure
How to Set Up Oracle Platform Security Services (OPSS)
oracle/component_authorization_denyall_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
oracle/component_authorization_permitall_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
oracle/component_permission_authorization_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
oracle/whitelist_authorization_policy
Settings
Configuration Properties
How to Set Up Oracle Platform Security Services (OPSS)
How to Successfully Invoke Services Using This Policy
Configuring Oracle HTTP Server to Specify Request Origin
WS-Addressing Policies and Configuration Steps
oracle/wsaddr_policy
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
How to Set Up Oracle Platform Security Services (OPSS)
WS-Trust Policies
oracle/sts_trust_config_service_policy
Policy Assertion
Settings
Configuration Properties
How to Set Up the Web Service
oracle/sts_trust_config_client_policy
Policy Assertion
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
How to Set Up the Web Service
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy
Policy Assertion
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss_saml_bearer_or_username_token_service_policy
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
Policy Assertion
Settings
Configuration Properties
How to Set Up the Web Service
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
Policy Assertion
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
Policy Assertion
Settings
Configuration Properties
How to Set Up the Web Service
oracle/wss11_sts_issued_saml_with_message_protection_client_policy
Policy Assertion
Settings
Configuration Properties
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
MTOM Attachment Policies and Configuration Steps
oracle/wsmtom_policy
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
How to Set Up Oracle Platform Security Services (OPSS)
Reliable Messaging Policies and Configuration Steps
WS-RM Policy Properties
oracle/wsrm10_policy
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
How to Set Up Oracle Platform Security Services (OPSS)
oracle/wsrm11_policy
How to Set Up the Web Service Client
How to Set Up the Web Service Client at Design Time
How to Set Up Oracle Platform Security Services (OPSS)
Management Policies and Configuration Steps
oracle/log_policy
Settings
Configuration Properties
How to Set Up the Web Service or Client
How to Set Up Oracle Platform Security Services (OPSS)
Attaching Policy Files to Web Services and Clients
Using Client Programmatic Configuration Overrides
Configuration Override Example
Configuring Local Optimization for a Policy
Controlling When Local Optimization is Used
Configuring the Policy-Level Optimization Control
12 Testing Web Services
Testing Your Web Services
Editing the Input Arguments as XML Source
Enabling Security Testing
Supported Client Security Policies
Enabling Quality of Service Testing
Enabling HTTP Transport Options
Stress Testing the Web Service Operation
Disabling the Test Page for a Web Service
13 Monitoring the Performance of Web Services
Overview of Performance Monitoring
When Are Web Service Statistics Started or Reset?
Viewing Web Service Statistics for an Application
Viewing Web Service Statistics for a Server Instance
Viewing Web Service Statistics for an Individual Web Service
Viewing Operation Statistics for a Web Service Endpoint
Viewing Web Service Statistics for Java EE Web Service Clients
Viewing the Security Violations for a Web Service
Part III Advanced Administration
14 Advanced Administration
Registering Web Services and Sources
UDDI Basics
WSIL Basics
Viewing Registered Sources and Web Services
Registering a Source
Registering Web Services from a UDDI Source
Registering Web Services from a WSIL Source
Deleting a Web Service or Web Service Source
Publishing Web Services to UDDI
Publishing a Web Service to UDDI from a Registered Source
Publishing a Web Service to UDDI from an Application
Configuring the Proxy Server for UDDI
Auditing Web Services
Configuring Audit Policies
Managing Audit Data Collection and Storage
Viewing Audit Reports
Managing the WSDL
Adding Security to a Running Client
Configuring Platform Policy Properties
Configuring the Policy Manager Connection and Tuning the Policy Cache
Configuring Web Service Policy Retrieval
Tuning WSM Repository Connections
Tuning Web Service Security Policy Enforcement
Defining Identity Extension Properties
Defining Trusted Issuers and a Trusted DN List for Signing Certificates
Configuring an Issuer and its DN List Using Fusion Middleware Control
Defining Trusted Issuers and Managing DN Lists Using WLST
Configuring an Issuer and its DN List Using WLST
Displaying Issuers and DN Lists using WLST
Deleting an Issuer and its DN List using WLST
Configuring Token Attribute Rules for Trusted Issuers
Configuring Token Attribute Rules for Trusted Issuers Using Fusion Middleware Control
Configuring Token Attribute Rules for Trusted Issuers Using WLST
Deleting a Token Attribute Rule Using WLST
Configuring Oracle WSM with a Domain-Wide Administration Port
Setting Up the Java Object Cache
Running the configure-joc.py Script
Modifying the Default User
Changing the JMS System User for Asynchronous Web Services
15 Managing Application Migration Between Environments
Overview of Web Service Application Migration
Overview of Horizontal Policy Migration
Sample Use Cases for Deployment Descriptor Migration
Scaling a Deployed ADF Business Control or WebCenter Web Service Application in a Cluster
Propagating Run-time Policy Changes in an ADF Business Control or WebCenter Web Service Environment
Migrating Policies
Migrating Policy Configuration
Migrating Keystores
Migrating Users and Groups
Migrating Credentials
Migrating Username and Password
Migrating Keystores and Encryption Key Passwords
Migrating Oracle Platform Security Services Application and System Policies
Migrating Oracle Platform Security Services Configuration
Migrating SSL
Migrating Kerberos Configuration
Migrating Assertion Templates
Migrating Deployment Descriptors
16 Diagnosing Problems
Diagnosing Problems with Oracle WSM Policy Manager
Diagnosing Common Problems with Oracle WSM
Unable to Connect to the Policy Manager
Key or Credential Store Error After an Application Invokes Web Service
Trust Certificate Error After Application Invokes Web Service
SAML Assertion Error Appears During Identity Propagation
Policy Access Error After an Application Invokes Web Service
Unable to Access User in Credential Store
Authorization Error After an Application Invokes Web Service
Timestamp Error After an Application Invokes Web Service
Multiple Authentication Security Policy Error After an Application Invokes a Web Service
Diagnosing Policy Attachment Issues Using WLST
Diagnosing Problems With a Domain Configuration using WLST
Diagnosing Common Oracle WSM Exceptions for WS-Trust Use Cases
Diagnosing Problems Using Logs
Using Diagnostic Logs for Web Services
Setting the Log Level for Diagnostic Logs
Viewing Diagnostic Logs
Filtering Diagnostic Logs
Logging Oracle WSM Debug Messages
Using Message Logs for Web Services
Configuring Message Logs
Viewing Message Logs
Filtering Message Logs
Reviewing Sample Logs
Sample Log: Oracle WSM Policy Manager Not Available
Sample Log: Security Keystore Not Configured
Sample Log: Certificate Not Available
Configuring Log Files for a Web Service
17 Maintaining the Oracle WSM Repository
About the Oracle WSM Repository
Registering an Oracle WSM Repository
Understanding the Different Mechanisms for Importing and Exporting Policies
Importing and Exporting Documents in the Repository
Exporting Documents from the Repository
Importing Documents into the Repository
Migrating Policies Between Application Environments
Exporting Policies from the Oracle WSM Repository for Use in JDeveloper
Patching Policies in the Repository
Backing Up and Restoring the Oracle WSM Repository
Upgrading the Oracle WSM Policies in the Repository
Rebuilding the Oracle WSM Repository
Part IV WebLogic Web Service Administration
18 Securing and Administering WebLogic Web Services
Steps to Secure and Administer WebLogic Web Services
Attaching Policies to WebLogic Web Services and Clients
Attaching Oracle WSM Policies to WebLogic Web Services
Attaching Oracle WSM Policies to WebLogic Web Service Clients
Attaching WebLogic Web Service Policies to WebLogic Web Services
Attaching WebLogic Web Service Policies to WebLogic Web Service Clients
Part V Reference
A Web Service Security Standards
Web Services Interoperability Organization—Basic Security Profile
Transport Layer Security—SSL
XML Encryption (Confidentiality)
XML Signature (Integrity, Authenticity)
WS-Security
WS-Security Tokens
Username
X.509 Certificate
Kerberos Token
SAML Token
WS-Policy
WS-SecurityPolicy
Web Services Addressing (WS-Addressing)
WS-Trust
WS-ReliableMessaging
B Predefined Policies
Security Policies
Authentication Only Policies
oracle/http_basic_auth_over_ssl_client_policy
oracle/http_basic_auth_over_ssl_service_policy
oracle/http_jwt_token_client_policy
oracle/http_jwt_token_service_policy
oracle/http_jwt_token_over_ssl_client_policy
oracle/http_jwt_token_over_ssl_service_policy
oracle/http_oam_token_service_policy
oracle/http_saml20_token_bearer_client_policy
oracle/http_saml20_token_bearer_service_policy
oracle/http_saml20_token_bearer_over_ssl_client_policy
oracle/http_saml20_token_bearer_over_ssl_service_policy
oracle/multi_token_rest_service_policy
oracle/multi_token_over_ssl_rest_service_policy
oracle/wss_http_token_client_policy
oracle/wss_http_token_service_policy
oracle/wss_username_token_client_policy
oracle/wss_username_token_service_policy
oracle/wss10_saml_token_client_policy
oracle/wss10_saml_token_service_policy
oracle/wss10_saml20_token_client_policy
oracle/wss10_saml20_token_service_policy
oracle/wss11_kerberos_token_client_policy
oracle/wss11_kerberos_token_service_policy
Message Protection Only Policies
oracle/wss10_message_protection_client_policy
oracle/wss10_message_protection_service_policy
oracle/wss11_message_protection_client_policy
oracle/wss11_message_protection_service_policy
Message Protection and Authentication Policies
oracle/wss_http_token_over_ssl_client_policy
oracle/wss_http_token_over_ssl_service_policy
oracle/wss_saml_or_username_token_service_policy
oracle/wss_saml_or_username_token_over_ssl_service_policy
oracle/wss_saml_token_bearer_client_policy
oracle/wss_saml_token_bearer_over_ssl_client_policy
oracle/wss_saml_token_bearer_over_ssl_service_policy
oracle/wss_saml20_token_bearer_over_ssl_client_policy
oracle/wss_saml20_token_bearer_over_ssl_service_policy
oracle/wss_saml_token_over_ssl_client_policy
oracle/wss_saml_token_over_ssl_service_policy
oracle/wss_saml20_token_over_ssl_client_policy
oracle/wss_saml20_token_over_ssl_service_policy
oracle/wss_username_token_over_ssl_client_policy
oracle/wss_username_token_over_ssl_service_policy
oracle/wss10_saml_hok_with_message_protection_client_policy
oracle/wss10_saml_hok_token_with_message_protection_service_policy
oracle/wss10_saml_token_with_message_integrity_client_policy
oracle/wss10_saml_token_with_message_integrity_service_policy
oracle/wss10_saml_token_with_message_protection_client_policy
oracle/wss10_saml_token_with_message_protection_service_policy
oracle/wss10_saml20_token_with_message_protection_client_policy
oracle/wss10_saml20_token_with_message_protection_service_policy
oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy
oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy
oracle/wss10_username_id_propagation_with_msg_protection_client_policy
oracle/wss10_username_id_propagation_with_msg_protection_service_policy
oracle/wss10_username_token_with_message_protection_client_policy
oracle/wss10_username_token_with_message_protection_service_policy
oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy
oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy
oracle/wss10_x509_token_with_message_protection_client_policy
oracle/wss10_x509_token_with_message_protection_service_policy
oracle/wss11_kerberos_token_with_message_protection_client_policy
oracle/wss11_kerberos_token_with_message_protection_service_policy
oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy
oracle/wss11_kerberos_token_with_message_protection_basic128__service_policy
oracle/wss11_saml_token_with_message_protection_client_policy
oracle/wss11_saml20_token_with_message_protection_client_policy
oracle/wss11_saml_token_with_identity_switch_message_protection_client_policy
oracle/wss11_saml_token_with_message_protection_service_policy
oracle/wss11_saml20_token_with_message_protection_service_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
oracle/wss11_username_token_with_message_protection_client_policy
oracle/wss11_username_token_with_message_protection_service_policy
oracle/wss11_x509_token_with_message_protection_client_policy
oracle/wss11_x509_token_with_message_protection_service_policy
WS-Trust Policies
oracle/sts_trust_config_service_policy
oracle/sts_trust_config_client_policy
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
oracle/wss11_sts_issued_saml_with_message_protection_client_policy
Authorization Only Policies
oracle/binding_authorization_denyall_policy
oracle/binding_authorization_permitall_policy
oracle/binding_permission_authorization_policy
oracle/component_authorization_denyall_policy
oracle/component_authorization_permitall_policy
oracle/component_permission_authorization_policy
oracle/whitelist_authorization_policy
WS-Addressing Policies
oracle/wsaddr_policy
MTOM Attachment Policies
oracle/wsmtom_policy
Reliable Messaging Policies
oracle/wsrm10_policy
oracle/wsrm11_policy
Management Policies
oracle/log_policy
No Behavior Policies
oracle/no_authentication_service_policy
oracle/no_authentication_client_policy
oracle/no_messageprotection_service_policy
oracle/no_messageprotection_client_policy
oracle/no_authorization_service_policy
oracle/no_authorization_component_policy
oracle/no_addressing_policy
oracle/no_mtom_policy
oracle/no_wsrm_policy
C Predefined Assertion Templates
Security Assertion Templates
Authentication Only Assertion Templates
oracle/http_jwt_token_client_template
oracle/http_jwt_token_service_template
oracle/http_jwt_token_over_ssl_client_template
oracle/http_jwt_token_over_ssl_service_template
oracle/http_oam_token_service_template
oracle/http_saml20_token_bearer_client_template
oracle/http_saml20_token_bearer_service_template
oracle/http_spnego_token_client_template
oracle/http_spnego_token_service_template
oracle/wss_http_token_client_template
oracle/wss_http_token_service_template
oracle/wss_username_token_client_template
oracle/wss_username_token_service_template
oracle/wss10_saml_token_client_template
oracle/wss10_saml_token_service_template
oracle/wss10_saml20_token_client_template
oracle/wss10_saml20_token_service_template
oracle/wss11_kerberos_token_client_template
oracle/wss11_kerberos_token_service_template
Message-Protection Only Assertion Templates
oracle/wss10_message_protection_client_template
oracle/wss10_message_protection_service_template
oracle/wss11_message_protection_client_template
oracle/wss11_message_protection_service_template
Message Protection and Authentication Assertion Templates
oracle/wss_http_token_over_ssl_client_template
oracle/wss_http_token_over_ssl_service_template
oracle/wss_saml_token_bearer_client_template
oracle/wss_saml_token_bearer_service_template
oracle/wss_saml_token_bearer_over_ssl_client_template
oracle/wss_saml_token_bearer_over_ssl_service_template
oracle/wss_saml20_token_bearer_over_ssl_client_template
oracle/wss_saml20_token_bearer_over_ssl_service_template
oracle/wss_saml_token_over_ssl_client_template
oracle/wss_saml_token_over_ssl_service_template
oracle/wss_saml20_token_over_ssl_client_template
oracle/wss_saml20_token_over_ssl_service_template
oracle/wss_username_token_over_ssl_client_template
oracle/wss_username_token_over_ssl_service_template
oracle/wss10_saml_hok_token_with_message_protection_client_template
oracle/wss10_saml_hok_token_with_message_protection_service_template
oracle/wss10_saml_token_with_message_protection_client_template
oracle/wss10_saml_token_with_message_protection_service_template
oracle/wss10_saml20_token_with_message_protection_client_template
oracle/wss10_saml20_token_with_message_protection_service_template
oracle/wss10_username_token_with_message_protection_client_template
oracle/wss10_username_token_with_message_protection_service_template
oracle/wss10_x509_token_with_message_protection_client_template
oracle/wss10_x509_token_with_message_protection_service_template
oracle/wss11_kerberos_token_with_message_protection_client_template
oracle/wss11_kerberos_token_with_message_protection_service_template
oracle/wss11_saml_token_with_message_protection_client_template
oracle/wss11_saml_token_with_message_protection_service_template
oracle/wss11_saml20_token_with_message_protection_client_template
oracle/wss11_saml20_token_with_message_protection_service_template
oracle/wss11_username_token_with_message_protection_client_template
oracle/wss11_username_token_with_message_protection_service_template
oracle/wss11_x509_token_with_message_protection_client_template
oracle/wss11_x509_token_with_message_protection_service_template
WS-Trust Assertion Templates
oracle/sts_trust_config_client_template
oracle/sts_trust_config_service_template
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template
oracle/wss11_sts_issued_saml_with_message_protection_client_template
Authorization Assertion Templates
oracle/binding_authorization_template
oracle/binding_permission_authorization_template
oracle/component_authorization_template
oracle/component_permission_authorization_template
Supported Algorithm Suites
Message Signing and Encryption Settings for Request, Response, and Fault Messages
Management Assertion Templates
oracle/security_log_template
No Behavior Assertion Templates
D Schema Reference for Predefined Assertions
Graphical Representation
Element Descriptions
wsp:Policy
Attributes
Example
wsp:ExactlyOne
Attributes
Example
orasp:Assertion
Attributes
Example
orawsp:bindings
Example
orawsp:Config
Attributes
Example
orawsp:PropertySet
Attributes
Example
orawsp:Property
Attributes
Example
orawsp:Description
Example
orawsp:Value
Example
orawsp:guard
Examples
orawsp:resource-match
Examples
orawsp:action-match
Examples
orawsp:constraint-match
Example
oralgp:Logging
Example
orasp:binding-authorization
Example
orasp:binding-permission-authorization
Example
orasp:coreid-security
Example
orasp:http-jwt-security
Example
orasp:http-oam-security
Example
orasp:http-saml20-bearer-security
Example
orasp:http-security
Example
orasp:kerberos-security
Example
orasp:sca-component-authorization
Example
orasp:sca-component-permission-authorization
Example
orasp:sts-trust-config
Attributes
Example
orasp:wss10-anonymous-with-certificates
Example
orasp:wss10-mutual-auth-with-certificates
Example
orasp:wss10-saml-hok-with-certificates
Example
orasp:wss10-saml-token
Example
orasp:wss10-saml-with-certificates
Example
orasp:wss10-username-with-certificates
Example
orasp:wss11-anonymous-with-certificates
Example
orasp:wss11-mutual-auth-with-certificates
Example
orasp:wss11-saml-with-certificates
Example
orasp:wss11-sts-issued-token-with-certificates
Attributes
Example
orasp:wss11-username-with-certificates
Example
orasp:wss-saml-token-bearer-over-ssl
Example
orasp:wss-saml-token-over-ssl
Example
orasp:wss-sts-issued-token-over-ssl
Attributes
Example
orasp:wss-username-token
Example
orasp:wss-username-token-over-ssl
Example
rm:RMAssertion
Example
wsaw:UsingAddressing
Example
wsoma:OptimizedMimeSerialization
Example
oralgp:fault
Example
oralgp:request
Example
oralgp:response
Example
oralgp:msg-log
Example
orasp:attachment
Attributes
Example
orasp:auth-header
Attributes
Examples
orasp:body
Example
orasp:check-permission
Example
orasp:coreid-token
Attributes
Example
orasp:denyAll
Example
orasp:element
Attributes
Example
orasp:encrypted-elements
Example
orasp:encrypted-parts
Example
orasp:fault
Example
orasp:header
Attributes
Example
orasp:issued-token
Attributes
Example
orasp:kerberos-token
Attributes
Example
orasp:msg-security
Attributes
Example
orasp:permitAll
Example
orasp:request
Example
orasp:require-tls
Attributes
Examples
orasp:response
Example
orasp:role
Attribute
Example
orasp:saml-token
Attributes
Example
orasp:signed-elements
Example
orasp:signed-parts
Example
orasp:username-token
Attributes
Example
orasp:x509-token
Attributes
Example
orawsp:Description
Example
E Schema Reference for Policy Sets
Graphical Representation
Element Descriptions
policySet
Attributes
wsp:policyReference
Attributes
Example
orawsp:OverrideProperty
Example