1 Predefined Policies

This chapter describes the Mobile Security Access Server (MSAS) predefined security and management policies. For more information about attaching policies, see "Attaching and Detaching Policies and Assertions" in Administering Mobile Security Access Server.

This chapter includes the following sections:

• Predefined Security Policies

• Predefined Management Policies

Note:

Oracle recommends that you do not edit the predefined assertion templates so that you will always have a known set of valid templates. You can, however, create a new assertion template from a predefined assertion template, or configure the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates" in Administering Mobile Security Access Server.

Predefined Security Policies

This section describes the predefined security policies that are provided with your MSAS installation and which are listed on the Access Policies page in the MSAS Console.

The tables in the following sections distinguish how the MSAS security policies are documented in this release:

• MSAS Security Policies – summarizes new MSAS security policies that are documented in this reference.

  Note: Some policies are marked as internal because they are not available for attachment to URLs in applications.

• Security Polices Supported by MSAS – summarizes additional security policies that are supported by MSAS, but which are documented in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

• Security Polices Reserved for Future Use – summarizes security policies that appear in the MSAS Console, but which are reserved for future use with MSAS.

MSAS Security Policies

Table 1-1 summarizes the predefined MSAS security policies listed on the Access Policies page in the MSAS Console, and which are documented in this reference.

Table 1-1 Predefined MSAS Security Policies

Policy Name	Description
oracle/binding_oes_authorization_policy	Performs user authorization based on the policy defined in Oracle Entitlements Server (OES) and provides fine-grained authorization on any operation on a web service.
oracle/http_action_over_ssl_policy	Internal policy that provides SKEK encryption and SKEK decryption.
oracle/http_bmax_jwt_user_token_client_policy	Injects a JWT User Token in the HTTP header when accessing back-end resources.
oracle/http_bmax_oam_client_policy	Injects an OAM access token in the authorization header when accessing OAM protected resources.
oracle/http_bmax_oauth_client_policy	Injects an OAuth access token in the authorization header when accessing OAuth protected resources.
oracle/http_bmax_spnego_client_policy	Creates a SPNEGO token and sends it to the service in the HTTP header.
oracle/http_form_based_auth_over_ssl_service_policy	Internal policy that performs HTML form based authentication. This policy can be attached to web applications (URLs).
oracle/http_kinit_over_ssl_policy	Internal policy that enables the Kerberos password authentication.
oracle/http_oam_authentication_service_policy	Verifies if the web resource is protected via OAM, and if it is then it authenticates using OAM and establishes the Subject before allowing access to the actual web resource.
oracle/http_oauth2_confidential_client_over_ssl_policy	Internal policy that performs OAuth2 confidential client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints.
oracle/http_oauth2_mobile_client_over_ssl_policy	Internal policy that performs OAuth2 mobile client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints.
oracle/http_ntlm_token_client_policy	Performs NTLM (NT LAN Manager) authentication with NTLM protected applications. It requires a KINIT or PKINIT-based HTTP session token. This policy can be attached to SOAP/REST services and also to web applications.
oracle/http_pkinit_over_ssl_policy	Internal policy enables the Kerberos PKI authentication.
oracle/http_session_token_issue_policy	Internal policy that issues a session token with the authenticated user ID.
oracle/http_session_token_verify_policy	Verifies the session token including the timestamp and signature, decrypts the encrypted data and asserts the identity using the user ID from the session token. The request is rejected if the verification fails.
oracle/http_tlp_over_ssl_policy	Internal policy that enables the Time Limited Password authentication.
oracle/inject_header_with_bmax_url_policy	Internal policy that injects a custom HTTP Header with the BMAX (MSAS) URL. This is required by MSM to know the MSAS URL.
oracle/inject_header_with_client_certificate_policy	Internal policy that injects a custom HTTP header with the client certificate received over two-way SSL.
oracle/multi_token_client_policy	An exactly-one policy for creating a SPNEGO, NTLM, or Bearer assertion based on a back-end service policy.

Security Polices Supported by MSAS

Table 1-2 summarizes additional access policies that are supported by Mobile Security Access Server. For detailed descriptions, however, see "Predefined Policies" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

Table 1-2 Predefined Security Policies Supported by MSAS

Policy Name	Description
oracle/http_basic_auth_over_ssl_client_policy	Includes credentials in the HTTP header for outbound client requests and verifies that the transport protocol is HTTPS.
oracle/http_basic_auth_over_ssl_service_policy	Uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store.
oracle/http_jwt_token_client_policy	Includes a JSON Web Token (JWT) token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
oracle/http_jwt_token_over_ssl_client_policy	Includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy.
oracle/http_jwt_token_over_ssl_service_policy	Authenticates users using the username provided in the JWT token in the HTTP header. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused.
oracle/http_jwt_token_service_policy	Authenticates users using the username provided in the JWT token in the HTTP header.
oracle/http_saml20_token_bearer_client_policy	Includes a SAML Bearer V2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. This policy can be enforced on any HTTP-based client endpoint.
oracle/http_saml20_token_bearer_over_ssl_client_policy	Includes a SAML Bearer v2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. The policy verifies that the transport protocol provides SSL message protection. This policy can be attached to any HTTP-based client endpoint.
oracle/http_saml20_token_bearer_over_ssl_service_policy	Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any HTTP-based endpoint.
oracle/http_saml20_token_bearer_service_policy	Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. This policy can be enforced on any HTTP-based endpoint.
oracle/wss_http_token_client_policy	Includes credentials in the HTTP header for outbound client requests. This policy can be enforced on any HTTP-based client.
oracle/wss_http_token_service_policy	Uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. This policy can be enforced on any HTTP-based endpoint.

Security Polices Reserved for Future Use

Table 1-3 summarizes the predefined MSAS policies that are listed in the Access Policies page, but which are reserved for future use.

Table 1-3 Predefined Security Policies that Are Reserved for Future Use

Policy Name	Description
oracle/binding_authorization_denyall_policy	Reserved for future use.
oracle/binding_authorization_permitall_policy	Reserved for future use.
oracle/binding_oes_masking_policy	Reserved for future use.
oracle/binding_permission_authorization_policy	Reserved for future use.
oracle/component_authorization_denyall_policy	Reserved for future use.
oracle/component_authorization_permitall_policy	Reserved for future use.
oracle/component_oes_authorization_policy	Reserved for future use.
oracle/component_permission_authorization_policy	Reserved for future use.
oracle/http_jwt_token_identity_switch_client_policy	Reserved for future use.
oracle/http_oam_token_service_policy	Reserved for future use.
oracle/http_oauth2_token_client_policy	Reserved for future use.
oracle/http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy	Reserved for future use.
oracle/http_oauth2_token_identity_switch_over_ssl_client_policy	Reserved for future use.
oracle/http_oauth2_token_opc_oauth2_client_policy	Reserved for future use.
oracle/http_oauth2_token_opc_oauth2_over_ssl_client_policy	Reserved for future use.
oracle/http_oauth2_token_over_ssl_client_policy	Reserved for future use.
oracle/multi_token_over_ssl_client_policy	Reserved for future use.
oracle/multi_token_over_ssl_rest_service_policy	Reserved for future use.
oracle/multi_token_rest_service_policy	Reserved for future use.
oracle/no_authentication_client_policy	Reserved for future use.
oracle/no_authentication_service_policy	Reserved for future use.
oracle/no_authorization_component_policy	Reserved for future use.
oracle/no_authorization_service_policy	Reserved for future use.
oracle/no_messageprotection_client_policy	Reserved for future use.
oracle/no_messageprotection_service_policy	Reserved for future use.
oracle/oauth2_config_client_policy	Reserved for future use.
oracle/pii_security_policy	Reserved for future use.
oracle/sts_trust_config_client_policy	Reserved for future use.
oracle/sts_trust_config_service_policy	Reserved for future use.
oracle/whitelist_authorization_policy	Reserved for future use.
oracle/wss10_message_protection_client_policy	Reserved for future use.
oracle/wss10_message_protection_client_policy	Reserved for future use.
oracle/wss10_saml20_token_client_policy	Reserved for future use.
oracle/wss10_saml20_token_service_policy	Reserved for future use.
oracle/wss10_saml20_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss10_saml20_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss10_saml_hok_with_message_protection_client_policy	Reserved for future use.
oracle/wss10_saml_hok_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss10_saml_token_client_policy	Reserved for future use.
oracle/wss10_saml_token_service_policy	Reserved for future use.
oracle/wss10_saml_token_with_message_integrity_client_policy	Reserved for future use.
oracle/wss10_saml_token_with_message_integrity_service_policy	Reserved for future use.
oracle/wss10_saml_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss10_saml_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy	Reserved for future use.
oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy	Reserved for future use.
oracle/wss10_username_id_propagation_with_msg_protection_client_policy	Reserved for future use.
oracle/wss10_username_id_propagation_with_msg_protection_service_policy	Reserved for future use.
oracle/wss10_username_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss10_username_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy	Reserved for future use.
oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy	Reserved for future use.
oracle/wss10_x509_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss10_x509_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss11_kerberos_token_client_policy	Reserved for future use.
oracle/wss11_kerberos_token_service_policy	Reserved for future use.
oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy	Reserved for future use.
oracle/wss11_kerberos_token_with_message_protection_basic128__service_policy	Reserved for future use.
oracle/wss11_kerberos_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss11_kerberos_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss11_message_protection_client_policy	Reserved for future use.
oracle/wss11_message_protection_client_policy	Reserved for future use.
oracle/wss11_saml20_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss11_saml20_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss11_saml_or_username_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss11_saml_token_with_identity_switch_message_protection_client_policy	Reserved for future use.
oracle/wss11_saml_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss11_saml_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy	Reserved for future use.
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy	Reserved for future use.
oracle/wss11_sts_issued_saml_with_message_protection_client_policy	Reserved for future use.
oracle/wss11_username_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss11_username_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss11_x509_token_with_message_protection_client_policy	Reserved for future use.
oracle/wss11_x509_token_with_message_protection_service_policy	Reserved for future use.
oracle/wss_http_token_over_ssl_client_policy	Reserved for future use.
oracle/wss_http_token_over_ssl_service_policy	Reserved for future use.
oracle/wss_saml20_token_bearer_over_ssl_client_policy	Reserved for future use.
oracle/wss_saml20_token_bearer_over_ssl_service_policy	Reserved for future use.
oracle/wss_saml20_token_over_ssl_client_tpolicy	Reserved for future use.
oracle/wss_saml20_token_over_ssl_service_policy	Reserved for future use.
oracle/wss_saml_bearer_or_username_token_service_policy	Reserved for future use.
oracle/wss_saml_or_username_token_over_ssl_service_policy	Reserved for future use.
oracle/wss_saml_or_username_token_service_policy	Reserved for future use.
oracle/wss_saml_token_bearer_client_policy	Reserved for future use.
oracle/wss_saml_token_bearer_identity_switch_client_policy	Reserved for future use.
oracle/wss_saml_token_bearer_over_ssl_client_policy	Reserved for future use.
oracle/wss_saml_token_bearer_over_ssl_service_policy	Reserved for future use.
oracle/wss_saml_token_over_ssl_client_policy	Reserved for future use.
oracle/wss_saml_token_over_ssl_service_policy	Reserved for future use.
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy	Reserved for future use.
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy	Reserved for future use.
oracle/wss_username_token_client_policy	Reserved for future use.
oracle/wss_username_token_service_policy	Reserved for future use.
oracle/wss_username_token_over_ssl_client_policy	Reserved for future use.
oracle/wss_username_token_over_ssl_service_policy	Reserved for future use.

oracle/binding_oes_authorization_policy

Display Name: Fine-grained authorization using Oracle Entitlements Server

Category: Security

Description

This policy performs user authorization based on the policy defined in Oracle Entitlements Server (OES) and provides fine-grained authorization on any operation on a web service. Authorization is based on attributes, current authenticated subject, and web service actions invoked by the client. This policy should follow an authentication policy where the subject is established, and can be attached to any SOAP-based or REST-based endpoint.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/binding_oes_authorization_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-5, "binding_oes_authorization_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_action_over_ssl_policy

Display Name: HTTP Action Security Policy

Category: Security

Description

This internal policy provides SKEK encryption and SKEK decryption.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_action_over_ssl_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-7, "http_action_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_bmax_jwt_user_token_client_policy

Display Name: HTTP BMAX JWT User Token Client Policy

Category: Security

Description

This policy injects a JWT User Token in the HTTP header when accessing back-end resources.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_bmax_jwt_user_token_client_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-8, "http_bmax_jwt_user_token_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_bmax_oam_client_policy

Display Name: HTTP BMAX OAM Token Client Policy

Category: Security

Description

This policy injects an OAM access token in the authorization header when accessing OAM protected resources.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_bmax_oam_client_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-9, "http_bmax_oam_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_bmax_oauth_client_policy

Display Name: HTTP BMAX OAUTH Client Policy

Category: Security

Description

This policy injects an OAuth access token in the authorization header when accessing OAuth protected resources.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_bmax_oauth_client_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-10, "http_bmax_oauth_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_bmax_spnego_client_policy

Display Name: HTTP BMAX SPNEGO Client Policy

Category: Security

Description

This policy creates a SPNEGO token and sends it to the service in the HTTP header.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_bmax_spnego_client_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-11, "http_bmax_spnego_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_form_based_auth_over_ssl_service_policy

Display Name: HTTP Form Based Authentication Service Policy

Category: Security

Description

This internal policy performs HTML form based authentication. This policy can be attached to web applications (URLs).

Assertion

This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_form_based_auth_over_ssl_service_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-13, "http_form_based_auth_over_ssl_service_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_kinit_over_ssl_policy

Display Name: HTTP Kerberos Password Authentication Service Policy

Category: Security

Description

This internal policy enables the Kerberos password authentication.

Assertion

This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_kinit_over_ssl_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-15, "http_kinit_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_oam_authentication_service_policy

Display Name: HTTP OAM Access Service Policy

Category: Security

Description

This policy verifies if the web resource is protected via OAM, and if it is then it authenticates using OAM and establishes the Subject before allowing access to the actual web resource.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_oam_authentication_service_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-18, "http_oam_authentication_service_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_oauth2_confidential_client_over_ssl_policy

Display Name: HTTP OAuth2 Confidential Client Over SSL Policy

Category: Security

Description

This internal policy performs OAuth2 confidential client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_oauth2_confidential_client_over_ssl_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-20, "http_oauth2_confidential_client_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_oauth2_mobile_client_over_ssl_policy

Display Name: HTTP OAuth2 Mobile Client Token Over SSL Service Policy

Category: Security

Description

This internal policy performs OAuth2 mobile client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_oauth2_mobile_client_over_ssl_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-22, "http_oauth2_mobile_client_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_ntlm_token_client_policy

Display Name: HTTP NTLM Authentication Client Policy

Category: Security

Description

This policy performs NTLM (NT LAN Manager) authentication with NTLM protected applications. It requires a KINIT or PKINIT-based HTTP session token. This policy can be attached to SOAP/REST services and also to web applications.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_ntlm_token_client_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-16, "http_ntlm_token_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_pkinit_over_ssl_policy

Display Name: HTTP Kerberos PKI Authentication Service Policy

Category: Security

Description

This internal policy enables the Kerberos PKI authentication.

Assertion

This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_pkinit_over_ssl_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-24, "http_pkinit_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_session_token_issue_policy

Display Name: HTTP Session Token Issue Policy

Category: Security

Description

This policy issues a session token with the authenticated user ID.

Assertion

This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_session_token_issue_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-26, "http_session_token_issue_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_session_token_verify_policy

Display Name: HTTP Session Token Verify Policy

Category: Security

Description

This policy verifies the session token including the timestamp and signature, decrypts the encrypted data and asserts the identity using the user ID from the session token. The request is rejected if the verification fails.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_session_token_verify_template

  Note: The assert.stoken.identity property's default value is false in the http_session_token_verify_template. For authorization policy scenarios, this property must be set to true.

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-28, "http_session_token_verify_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/http_tlp_over_ssl_policy

Display Name: HTTP TLP Authentication Service Policy

Category: Security

Description

This internal policy enables the Time Limited Password authentication.

Assertion

This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/http_tlp_over_ssl_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-30, "http_tlp_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/inject_header_with_bmax_url_policy

Display Name: Inject Header with BMAX (MSAS) URL

Category: Security

Description

This internal policy injects a custom HTTP header with the BMAX (MSAS) URL. This is required by MSM to know the MSAS URL.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/inject_header_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-31, "inject_header_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/inject_header_with_client_certificate_policy

Display Name: Inject Header with Client Certificate Policy

Category: Security

Description

This internal policy injects a custom HTTP header with the client certificate received over two-way SSL.

Assertion

This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:

• oracle/inject_header_template

Configuration

To configure the policy:

• Override the configuration properties defined in Table 2-31, "inject_header_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

oracle/multi_token_client_policy

Display Name: Multitoken Client Policy for SPNEGO, NTLM, OAM, and OAuth2

Category: Security

Description

This policy is an exactly-one policy for enforcing one of the following authentication policies based on a back-end service policy using transport security.

• SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.

• NTLM over HTTP token—Performs NT LAN Manager authentication with NTLM protected applications.

• BMAX OAM Client Policy for OAuth2 authentication SSO—Accesses OAM protected resources.

• BMAX OAuth2 Client Policy for OAuth2 authentication SSO—Accesses OAuth2 protected resources.

Assertions (OR Group)

This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:

• "oracle/http_spnego_token_client_template" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

• oracle/http_ntlm_token_client_template

• oracle/http_bmax_oam_client_template

• oracle/http_bmax_oauth_client_template

Configuration

To configure the policy:

• Override the configuration properties defined in one of the following sections, based on the token sent by the client. For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

  • "http_spnego_token_client_template Configuration Properties" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services

  • Table 2-16, "http_ntlm_token_client_template Configuration Properties"

  • Table 2-9, "http_bmax_oam_client_template Configuration Properties"

  • Table 2-10, "http_bmax_oauth_client_template Configuration Properties"

oracle/multi_token_over_ssl_client_policy

Display Name: Multitoken Client Policy for SPNEGO, NTLM, OAM, and OAuth2 Using Transport Security

Category: Security

Note:

This policy is reserved for future use.

Reserved for future use.

Description

This policy is an exactly-one policy for enforcing one of the following authentication policies based on a back-end service policy using transport security.

• SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.

• NTLM over HTTP token—Performs NT LAN Manager authentication with NTLM protected applications.

• BMAX OAM Client Policy for OAuth2 authentication SSO—Accesses OAM protected resources.

• BMAX OAuth2 Client Policy for OAuth2 authentication SSO—Accesses OAuth2 protected resources.

Assertions (OR Group)

This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:

• "oracle/http_spnego_token_client_template" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

• oracle/http_ntlm_token_client_template

• oracle/http_bmax_oam_client_template

• oracle/http_bmax_oauth_client_template

Configuration

To configure the policy:

• Override the configuration properties defined in one of the following sections, based on the token sent by the client. For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.

  • "http_spnego_token_client_template Configuration Properties" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services

  • Table 2-16, "http_ntlm_token_client_template Configuration Properties"

  • Table 2-9, "http_bmax_oam_client_template Configuration Properties"

  • Table 2-10, "http_bmax_oauth_client_template Configuration Properties"

Predefined Management Policies

This section describes the Oracle Mobile Security Access Server (MSAS) predefined management policies.

Note:

This section is reserved for future use.