This chapter describes the most common Oracle Containers for Java EE (OC4J) 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
This chapter includes the following sections:
Overview of Interoperability with OC4J 10g Security Environments
Anonymous Authentication with Message Protection (WS-Security 1.0)
Username Token with Message Protection (WS-Security 1.0)
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)
Mutual Authentication with Message Protection (WS-Security 1.0)
Username Token over SSL
SAML Token (Sender Vouches) over SSL
In OC4J 10g, you configure your security environment as described in the following documents:
For information about using Application Server Control to configure the web service, see Oracle Application Server Advanced Web Services Developer's Guide at http://download.oracle.com/docs/cd/B31017_01/web.1013/b28975/toc.htm
For information about using JDeveloper to develop and configure your client-side application, see Developing Applications with Oracle JDeveloper.
For information about how to modify the XML-based deployment descriptor files, see Oracle Application Server Web Services Security Guide 10g (10.1.3.1.0) at http://download.oracle.com/docs/cd/B31017_01/web.1013/b28976/toc.htm
With OWSM 12c, you attach policies to web service endpoints. Each policy consists of one or more assertions, defined at the domain level, that express the security requirements. A set of predefined policies and assertions is provided out of the box.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Table 3-1 and Table 3-2 summarize the most common OC4J 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Table 3-1 OWSM 12c Service Policy and Oracle OC4J 10g Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy
---|---|---|---|---|---
Anonymous | 1.0 | Yes | No | oracle/wss10_message_protection_service_policy | See Table 3-4, "Configuring the OC4J 10g Client" on page 3-4
Username | 1.0 | Yes | No | oracle/wss10_username_token_with_message_protection_service_policy | See Table 3-10, "Configuring the OC4J 10g Client" on page 3-8
SAML | 1.0 | Yes | No | oracle/wss10_saml_token_with_message_protection_service_policy | See Table 3-16, "Configuring the OC4J 10g Client" on page 3-11
Mutual Authentication | 1.0 | Yes | No | oracle/wss10_x509_token_with_message_protection_service_policy | See Table 3-22, "Configuring the OC4J 10g Client" on page 3-15
Username over SSL | 1.0 and 1.1 | No | Yes | oracle/wss_username_token_over_ssl_service_policy OR oracle/wss_username_or_saml_token_over_ssl_service_policy | See Table 3-28, "Configuring the OC4J 10g Client" on page 3-19
SAML over SSL | 1.0 and 1.1 | No | Yes | oracle/wss_saml_token_over_ssl_service_policy OR oracle/wss_username_or_saml_token_over_ssl_service_policy | See "Configuring the OC4J 10g Client" on page 3-25
Table 3-2 Oracle OC4J 10g Service Policy and OWSM 12c Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy
---|---|---|---|---|---
Anonymous | 1.0 | Yes | No | See Table 3-6, "Configuring the OC4J 10g Web Service" on page 3-5 | oracle/wss10_message_protection_client_policy
Username | 1.0 | Yes | No | See Table 3-12, "Configuring the OC4J 10g Web Service" on page 3-10 | oracle/wss10_username_token_with_message_protection_client_policy
SAML | 1.0 | Yes | No | See Table 3-18, "Configuring the OC4J 10g Web Service" on page 3-12 | oracle/wss10_saml_token_with_message_protection_client_policy
Mutual Authentication | 1.0 | Yes | No | See Table 3-24, "Configuring the OC4J 10g Web Service" on page 3-16 | oracle/wss10_x509_token_with_message_protection_client_policy
Username over SSL | 1.0 and 1.1 | No | Yes | See Table 3-30, "Configuring the OC4J 10g Web Service" on page 3-20 | oracle/wss_username_token_over_ssl_client_policy
SAML over SSL | 1.0 and 1.1 | No | Yes | See "Configuring the OC4J 10g Web Service" on page 3-24 | oracle/wss_saml_token_over_ssl_client_policy
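The v3 note above applies to every scenario in both tables: v3 is the only X.509 version that carries extensions (SubjectKeyIdentifier among them), which key-identifier references in a WS-Security header depend on. A quick check is `keytool -list -v -keystore <keystore>`, which prints a `Version:` line for each entry. The following Python script is an added example, not part of the Oracle documentation: it reads the version field directly from a certificate exported with `keytool -exportcert -rfc -alias <alias> -keystore <keystore>` (JDK 1.5 spells the option `-export`), so the check can run in a build or deployment pipeline without keytool. The v1 and v3 test vectors at the bottom are constructed DER prefixes, not real certificates.

```python
"""Report the X.509 version of a certificate exported from a keystore.

Added example (not from the Oracle documentation). Export a certificate with
  keytool -exportcert -rfc -alias <alias> -keystore <keystore>
and pass the PEM (or DER) bytes to cert_version(). Only the leading DER
structure is walked: in tbsCertificate the version is an optional
[0] EXPLICIT INTEGER; when that tag is absent the certificate is v1.
"""
import base64
import re


def _tlv(buf, pos):
    """Decode the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _to_der(data):
    """Accept PEM or DER input; return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def cert_version(data):
    """Return the X.509 version (1, 2 or 3) of a PEM- or DER-encoded certificate."""
    der = _to_der(data)
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, pos, _ = _tlv(der, pos)            # version [0] EXPLICIT, or serialNumber INTEGER
    if tag != 0xA0:
        return 1                            # no version field present: v1
    tag, start, end = _tlv(der, pos)        # the INTEGER inside [0]
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big") + 1   # encoded value 2 means v3


def is_v3(data):
    """True when the certificate is v3, the form the keystore note requires."""
    return cert_version(data) == 3


# Constructed test vectors: only the leading bytes a certificate starts with, not real certificates.
V3_STUB = bytes.fromhex("300b3009a00302010202021001")             # [0]{INTEGER 2}, then serial 0x1001
V3_STUB_LONG_LEN = bytes.fromhex("3082000b3009a00302010202021001")  # same, long-form outer length
V1_STUB = bytes.fromhex("3006300402021001")                       # starts with the serial: v1
V3_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(V3_STUB)
          + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("v3-der", V3_STUB), ("v1-der", V1_STUB), ("v3-pem", V3_PEM)]:
        print(name, "version", cert_version(blob), "ok" if is_v3(blob) else "NOT v3")
```

Run it against every alias in the keystore that the stub file or wsmgmt.xml names for signing or encryption; a v1 result means the keystore must be regenerated with a keytool that emits v3 certificates before the scenario is configured.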
This section describes how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
The following instructions describe how to configure an OWSM 12c web service and an OC4J 10g client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard:
To Configure the OWSM 12c Web Service:
Create a web service application.
Attach the following policy to the entry point of the web service: oracle/wss10_message_protection_service_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To Configure the OC4J 10g Client:
Create a client proxy for the web service using Oracle JDeveloper.
For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.
Click Authentication in the Proxy Editor navigation bar and set the following options:
Select No Authentication.
Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Verify Inbound Signed Request Body.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Select all options under Acceptable Signature Algorithms.
Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Sign Outbound Messages.
Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Decrypt Inbound Message Content.
Select all options under Acceptable Signature Algorithms.
Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Encrypt Outbound Messages.
Set the Algorithm to AES-128.
Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.
Note:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Click OK to close the wizard.
In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in "To edit the <appname>Binding_Stub.xml File" below.
Invoke the web service method from the client.
To edit the <appname>Binding_Stub.xml File:
Provide the keystore password and the sign and encryption key passwords.
In the inbound signature, specify that the Timestamp is among the elements the signature must cover:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound>
  <encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
The following instructions describe how to configure an OC4J 10g web service and an OWSM 12c client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard:
To configure the OC4J 10g Web Service:
Create and deploy a web service application.
Use Application Server Control to secure the deployed web service.
Click Authentication tab and ensure that no options are selected.
Click Integrity tab of the Inbound Policies page and set the following options:
Select Require Message Body to Be Signed.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Integrity tab of the Outbound Policies page and set the following options:
Select Sign Body Element of Message.
Set the Signature Method to RSA-SHA1.
Select Add Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Confidentiality tab of the Inbound Policies page and set the following options:
Select Require Encryption of Message Body.
Click Confidentiality tab of the Outbound Policies page and set the following options:
Select Encrypt Body Element of Message.
Set the Encryption Method to AES-128.
Set the public key to encrypt.
Configure the keystore properties and identity certificates.
Note:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-8, "Editing the wsmgmt.xml File".
To configure the OWSM 12c Client:
Create a client proxy for the OC4J 10g web service.
Attach the following policy: oracle/wss10_message_protection_client_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy.
For more information, see "oracle/wss10_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the web service method from the client.
To edit the wsmgmt.xml File:
Locate the wsmgmt.xml file under ORACLE_HOME/j2ee/oc4j_instance/config.
Tip:
The wsmgmt.xml file is an instance-level configuration file, which holds the entire security configuration for the web services deployed in an OC4J instance. For more information, see "Understanding the Web Services Management Schema" in Oracle Application Server Advanced Web Services Developer's Guide.
In the inbound signature, specify the following:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound>
  <encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client" on page 3-6
"Configuring an OC4J 10g Web Service and an OWSM 12c Client" on page 3-8
The following instructions describe how to configure an OWSM 12c web service and an OC4J 10g client to implement username token with message protection that conforms to the WS-Security 1.0 standard:
To Configure the OWSM 12c Web Service:
Create an OWSM 12c web service.
Attach the following policy to the web service: oracle/wss10_username_token_with_message_protection_service_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To configure the OC4J 10g Client:
Create a client proxy for the web service (above) using Oracle JDeveloper.
For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Specify the username and password in the client proxy, as follows:
port.setUsername("<username>");
port.setPassword("<password>");
Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.
Click Authentication in the Proxy Editor navigation bar and set the following options:
Select Use Username to Authenticate.
Deselect Add Nonce and Add Creation Time.
Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Verify Inbound Signed Request Body.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Select all options under Acceptable Signature Algorithms.
Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Sign Outbound Messages.
Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Decrypt Inbound Message Content.
Select all options under Acceptable Signature Algorithms.
Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Encrypt Outbound Messages.
Set the Algorithm to AES-128.
Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.
Tip:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Click OK to close the wizard.
In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3–11, " Editing the <appname>Binding_Stub.xml File".
Invoke the web service.
To edit the <appname>Binding_Stub.xml File:
Provide the keystore password and the sign and encryption key passwords.
In the inbound signature, specify that the Timestamp is among the elements the signature must cover:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp and UsernameToken should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" local-part="UsernameToken"/>
      ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound>
  <encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>
  <encrypt>
    <tbe-elements>
      <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
      ...
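The tbs-elements and Timestamp settings in this table, and the matching ones in the anonymous scenario's stub file, describe what the receiving side must enforce: the signature has to cover the Timestamp (and here the UsernameToken) as well as the Body, because an element the signature does not cover can be altered in transit without invalidating the signature, and the Timestamp is accepted only inside the configured Expiration Time window, which is what bounds replay. The following Python script is an added example, not Oracle's code, and the SOAP request in it is constructed for the example. It checks those two policy-level conditions on a request; it does not verify the XML-DSig value itself, which the WS-Security runtime does.

```python
"""Policy-level checks behind the tbs-elements and Timestamp settings (added example, not Oracle's code).

Given a WS-Security 1.0 request, report which of the required elements the
signature does not cover and whether the Timestamp is inside the configured
window. The signature value itself is not verified here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Elements the username-token scenario lists as to-be-signed (the tbs-elements in the stub file).
REQUIRED_SIGNED = [(WSU, "Timestamp"), (WSSE, "UsernameToken"), (SOAP, "Body")]

# Constructed sample request; the signature references every required element.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
        <wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UT-1">
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>not-a-real-password</wsse:Password>
      </wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"/>
          <ds:Reference URI="#UT-1"/>
          <ds:Reference URI="#Body-1"/>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body-1"><echo>hello</echo></soap:Body>
</soap:Envelope>"""

# Same request with the signature no longer covering the UsernameToken (constructed).
UNSIGNED_TOKEN_REQUEST = SAMPLE_REQUEST.replace('<ds:Reference URI="#UT-1"/>', "")
NOW_FRESH = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)   # one minute after Created
NOW_STALE = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)  # past a 300 s Expiration Time


def _parse_utc(text):
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signed_ids(root):
    """wsu:Id values referenced by the ds:Signature in the Security header."""
    return {ref.get("URI")[1:] for ref in root.iter(f"{{{DS}}}Reference")
            if ref.get("URI", "").startswith("#")}


def unsigned_elements(root):
    """Local names of required elements whose wsu:Id the signature does not reference."""
    covered = signed_ids(root)
    missing = []
    for ns, local in REQUIRED_SIGNED:
        el = root.find(f".//{{{ns}}}{local}")
        if el is None or el.get(f"{{{WSU}}}Id") not in covered:
            missing.append(local)
    return missing


def timestamp_problem(root, now, expiry_seconds, skew_seconds=60):
    """Return None if the Timestamp is acceptable at `now`, otherwise the reason."""
    ts = root.find(f".//{{{WSU}}}Timestamp")
    if ts is None:
        return "Timestamp missing"
    created_el = ts.find(f"{{{WSU}}}Created")
    if created_el is None:
        return "Created missing"           # Creation Time Required in Timestamp
    created = _parse_utc(created_el.text)
    if created > now + timedelta(seconds=skew_seconds):
        return "Created is in the future"
    if now > created + timedelta(seconds=expiry_seconds):
        return "Timestamp older than the configured Expiration Time"
    expires_el = ts.find(f"{{{WSU}}}Expires")
    if expires_el is not None and now > _parse_utc(expires_el.text):
        return "Timestamp Expires has passed"
    return None


def check_request(xml_text, now, expiry_seconds=300):
    """All policy problems found in a request; an empty list means these checks pass."""
    root = ET.fromstring(xml_text)
    problems = [f"{name} not covered by the signature" for name in unsigned_elements(root)]
    ts = timestamp_problem(root, now, expiry_seconds)
    if ts:
        problems.append(ts)
    return problems


if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST, NOW_FRESH))
    print(check_request(UNSIGNED_TOKEN_REQUEST, NOW_FRESH))
    print(check_request(SAMPLE_REQUEST, NOW_STALE))
```

The expiry_seconds argument plays the role of the Expiration Time entered in the wizard; the small clock-skew allowance is an assumption of this example, not an OC4J setting.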
The following instructions describe how to configure an OC4J 10g web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.0 standard:
To configure the OC4J 10g Web Service:
Create and deploy a JAX-RPC web service on OC4J.
Use Application Server Control to secure the deployed web service.
Click Authentication tab and set the following options:
Select Use Username/Password Authentication.
Set Password to Plain Text.
Click Integrity tab in Inbound Policies page and set the following options:
Select Require Message Body to Be Signed.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Integrity tab in Outbound Policies page and set the following options:
Select Sign Body Element of Message.
Set the Signature Method to RSA-SHA1.
Select Add Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Confidentiality tab in the Inbound Policies page and set the following options:
Select Require Encryption of Message Body.
Click Confidentiality tab in the Outbound Policies page and set the following options:
Select Encrypt Body Element of Message.
Set the Encryption Method to AES-128.
Set the public key to encrypt.
Configure the keystore properties and identity certificates.
Tip:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-14, "Editing the wsmgmt.xml File".
To configure the OWSM 12c Client:
Create a client proxy for the OC4J 10g web service.
Attach the following policy: oracle/wss10_username_token_with_message_protection_client_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy.
For more information, see "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service method from the client.
To edit the wsmgmt.xml File:
Locate the wsmgmt.xml file under ORACLE_HOME/j2ee/oc4j_instance/config.
In the inbound signature, specify the following:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>
  <encrypt>
    <tbe-elements>
      <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
      ...
This section describes how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client" on page 3-10
"Configuring an OC4J 10g Web Service and an OWSM 12c Client" on page 3-12
The following instructions describe how to configure an OWSM 12c web service and an OC4J 10g client to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard:
To configure the OWSM 12c Web Service:
Create an OWSM 12c web service.
Attach the following policy to the web service: oracle/wss10_saml_token_with_message_protection_service_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To configure the OC4J 10g client:
Create a client proxy for the web service (above) using Oracle JDeveloper.
For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.
Click Authentication in the Proxy Editor navigation bar and set the following options:
Select Use SAML Token.
Click SAML Details.
Select Sender Vouches Confirmation and Use Signature.
Enter the username that needs to be propagated as the Default Subject Name.
Enter www.oracle.com as the Default Issuer Name.
Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Verify Inbound Signed Request Body.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Select all options under Acceptable Signature Algorithms.
Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Sign Outbound Messages.
Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Decrypt Inbound Message Content.
Select all options under Acceptable Signature Algorithms.
Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Encrypt Outbound Messages.
Set the Algorithm to AES-128.
Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.
Note:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Click OK to close the wizard.
In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3–17, " Editing the <appname>Binding_Stub.xml File".
Invoke the web service method.
To edit the <appname>Binding_Stub.xml File:
Provide the keystore password and the sign and encryption key passwords.
In the inbound signature, specify that the Timestamp is among the elements the signature must cover:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound>
  <encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
The following instructions describe how to configure an OC4J 10g web service and an OWSM 12c client to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard:
To configure the OC4J 10g Web Service:
Create and deploy a JAX-RPC web service on OC4J.
Use the Application Server Control to secure the deployed web service.
Click Authentication in navigation bar and set the following options:
Select Use SAML Authentication.
Select Accept Sender Vouches.
Deselect Verify Signature.
Click Inbound Integrity in the navigation bar and set the following option:
Select Require Message Body To Be Signed.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Outbound Integrity in the navigation bar and select the following options:
Select Sign Body Element of Message.
Set the Signature Method to RSA-SHA1.
Select Add Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Inbound Confidentiality in the navigation bar and set the following option:
Deselect Require Encryption of Message Body.
Click Outbound Confidentiality in the navigation bar and set the following option:
Select Encrypt Body Element of Message.
Set the Encryption Method to AES-128.
Set the public key to encrypt.
Configure the keystore properties and identity certificates.
Note:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-20, "Editing the wsmgmt.xml File".
Invoke the web service.
To configure the OWSM 12c Client:
Create a client proxy for the OC4J 10g web service.
Attach the following policy: oracle/wss10_saml_token_with_message_protection_client_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy.
For more information, see "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service method from the client.
To edit the wsmgmt.xml File:
Locate the wsmgmt.xml file under ORACLE_HOME/j2ee/oc4j_instance/config.
In the inbound signature, specify the following:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>
  <encrypt>
    <tbe-elements>
      <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
      ...
This section describes how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client" on page 3-13
"Configuring an OC4J 10g Web Service and an OWSM 12c Client" on page 3-15
The following instructions describe how to configure an OWSM 12c web service and an OC4J 10g client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:
To configure the OWSM 12c Web Service:
Create a web service application.
Attach the following policy to the web service: oracle/wss10_x509_token_with_message_protection_service_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To configure the OC4J 10g Client:
Create a client proxy for the web service (above) using Oracle JDeveloper.
For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.
Click Authentication in the Proxy Editor navigation bar and set the following options:
Select Use X509 To Authenticate.
Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Verify Inbound Signed Request Body.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Select all options under Acceptable Signature Algorithms.
Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:
Select Sign Outbound Messages.
Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Decrypt Inbound Message Content.
Select all options under Acceptable Signature Algorithms.
Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:
Select Encrypt Outbound Messages.
Set the Algorithm to AES-128.
Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.
Note:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Click OK to close the wizard.
In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3-23, "Editing the <appname>Binding_Stub.xml File".
Invoke the web service.
To edit the <appname>Binding_Stub.xml file:
Provide the keystore password and the sign and encryption key passwords.
In the inbound signature, specify that the Timestamp is among the elements the signature must cover:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound encryption, specify the key transport algorithm, as follows:
<outbound>
  <encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
The following instructions describe how to configure an OC4J 10g web service and an OWSM 12c client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:
To configure the OC4J 10g Web Service:
Create and deploy a JAX-RPC web service on OC4J.
Use the Application Server Control to secure the deployed web service.
Click Authentication tab and set the following options:
Select Use X509 Certificate Authentication.
Click Integrity tab of the Inbound Policies page and set the following options:
Select Require Message Body to Be Signed.
Select Verify Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Integrity tab of the Outbound Policies page and set the following options:
Select Sign Body Element of Message.
Set the Signature Method to RSA-SHA1.
Select Add Timestamp and Creation Time Required in Timestamp.
Enter the Expiration Time (in seconds).
Click Confidentiality tab of the Inbound Policies page and set the following options:
Select Require Encryption of Message Body.
Click Confidentiality tab of the Outbound Policies page and set the following options:
Select Encrypt Body Element of Message.
Set the Encryption Method to AES-128.
Set the public key to encrypt.
Configure the keystore properties and identity certificates.
Note:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-26, "Editing the wsmgmt.xml File".
To configure the OWSM 12c Client:
Create a client proxy to the OC4J 10g web service.
Attach the following policy: oracle/wss10_x509_token_with_message_protection_client_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy.
For more information, see "oracle/wss10_x509_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.
To edit the wsmgmt.xml file:
Locate the wsmgmt.xml file under ORACLE_HOME/j2ee/oc4j_instance/config.
In the inbound signature, specify the following:
<inbound>
  <verify-signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound signature, specify that the timestamp should be signed, as follows:
<outbound>
  <signature>
    <tbs-elements>
      <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
      ...
In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:
<outbound>
  <encrypt>
    <tbe-elements>
      <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
      ...
This section describes how to implement username token over SSL, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
For information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
The following instructions describe how to configure an OWSM 12c web service and an OC4J 10g client to implement username token over SSL:
To configure the OWSM 12c Web Service:
Configure the server for SSL.
For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach one of the following policies to the web service:
oracle/wss_username_token_over_ssl_service_policy
oracle/wss_username_or_saml_token_over_ssl_service_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
To configure the OC4J 10g Client:
Create a client proxy for the web service (above) using Oracle JDeveloper.
Note:
Ensure that the web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.For more information, see Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// The body of verify() is not reproduced on this page. Do not make it return true
// unconditionally: that disables hostname checking. Delegating to the JSSE default keeps it.
final HostnameVerifier defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return defaultVerifier.verify(hostname, session);
    }
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
System.setProperty("javax.net.ssl.trustStore", "<trust_store>");
System.setProperty("javax.net.ssl.trustStorePassword", "<trust_store_password>");
System.setProperty("javax.net.ssl.keyStore", "<key_store>");
System.setProperty("javax.net.ssl.keyStorePassword", "<key_store_password>");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.
Click Authentication in the Proxy Editor navigation bar and set the following options:
Select Use Username to Authenticate.
Deselect Add Nonce and Add Creation Time.
Click Inbound Integrity in the Proxy Editor navigation bar and deselect all options.
Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options.
Click Inbound Confidentiality in the Proxy Editor navigation bar and deselect all options.
Click Outbound Confidentiality in the Proxy Editor navigation bar and deselect all options.
Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.
Note:
Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
Click OK to close the wizard.
In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3–29, "Editing the <appname>Binding_Stub.xml File".
Invoke the web service.
To edit the <appname>Binding_Stub.xml file:
Provide the keystore password and sign and encryption key passwords.
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound>
  <signature>
    <add-timestamp created="true" expiry="<Expiry_Time>"/>
  </signature>
  ...
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement username token over SSL:
To configure the OC4J 10g Web Service:
Configure the server for SSL.
For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Use the Application Server Control to secure the deployed web service.
Click Authentication tab and set the following options:
Select Use Username/Password Authentication.
Click Integrity tab of the Inbound Policies page and deselect all options.
Click Integrity tab of the Outbound Policies page and deselect all options.
Click Confidentiality tab of the Inbound Policies page and deselect all options.
Click Confidentiality tab of the Outbound Policies page and deselect all options.
Edit the wsmgmt.xml deployment descriptor file, as described in Table 3–32, "Editing the wsmgmt.xml File".
To configure the OWSM 12c client:
Create a client proxy to the OC4J 10g web service using clientgen.
Note:
Ensure that the web service endpoint references the URL with HTTPS and the SSL port configured on OC4J, because in this scenario the web service runs on OC4J 10g.
Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// The body of verify() is not reproduced on this page. Do not make it return true
// unconditionally: that disables hostname checking. Delegating to the JSSE default keeps it.
final HostnameVerifier defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return defaultVerifier.verify(hostname, session);
    }
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
System.setProperty("javax.net.ssl.trustStore", "<trust_store>");
System.setProperty("javax.net.ssl.trustStorePassword", "<trust_store_password>");
System.setProperty("javax.net.ssl.keyStore", "<key_store>");
System.setProperty("javax.net.ssl.keyStorePassword", "<key_store_password>");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
Attach the following policy: oracle/wss_username_token_over_ssl_client_policy.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy.
For more information, see "oracle/wss_username_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.
To edit the wsmgmt.xml file:
Find the wsmgmt.xml file under ORACLE_HOME/j2ee/oc4j_instance/config/.
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound>
  <signature>
    <add-timestamp created="true" expiry="<Expiry_Time>"/>
  </signature>
  ...
This section tells how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
For information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.
The following instructions tell how to configure an OWSM 12c web service and an OC4J 10g client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard:
To configure the OWSM 12c Web Service:
Configure the server for two-way SSL.
For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach one of the following policies to the web service:
oracle/wss_saml_token_over_ssl_service_policy
oracle/wss_username_or_saml_token_over_ssl_service_policy
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To configure the OC4J 10g client:
Configure the server for two-way SSL.
For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Create a client proxy for the web service (above) using Oracle JDeveloper.
Note:
Ensure that the web service endpoint references the URL with HTTPS and the SSL port configured on Oracle WebLogic Server.
For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// The body of verify() is not reproduced on this page. Do not make it return true
// unconditionally: that disables hostname checking. Delegating to the JSSE default keeps it.
final HostnameVerifier defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return defaultVerifier.verify(hostname, session);
    }
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
System.setProperty("javax.net.ssl.trustStore", "<trust_store>");
System.setProperty("javax.net.ssl.trustStorePassword", "<trust_store_password>");
System.setProperty("javax.net.ssl.keyStore", "<key_store>");
System.setProperty("javax.net.ssl.keyStorePassword", "<key_store_password>");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.
Click Authentication in the Proxy Editor navigation bar and set the following options:
Select Use SAML Token.
Click SAML Details.
Select Sender Vouches Confirmation.
Enter a valid username as the Default Subject Name.
Click Inbound Integrity in the Proxy Editor navigation bar and set the following option:
Deselect Verify Inbound Signed Message Body.
Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options.
Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following option:
Deselect Decrypt Inbound Message Content.
Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following option:
Deselect Encrypt Outbound Message.
Provide required information for the keystore to be used.
Click OK to close the wizard.
In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3–35, " Editing the <appname>Binding_Stub.xml File".
Invoke the web service.
To edit the <appname>Binding_Stub.xml file:
Provide the keystore password and sign and encryption key passwords.
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound>
  <signature>
    <add-timestamp created="true" expiry="<Expiry_Time>"/>
  </signature>
  ...
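The SSL initialization excerpt repeated in the OC4J 10g and OWSM 12c client procedures above (username token over SSL and SAML token over SSL) publishes the key store and trust store passwords as JVM-wide javax.net.ssl.* properties, readable by any code in the process, and installs a custom HostnameVerifier. The following Java program is an added example, not code from the Oracle page or product. It performs the same two-way SSL setup by building one SSLContext from the two JKS files and installing it on HttpsURLConnection, leaves the default JSSE hostname verifier in place so the server certificate must match the host in the HTTPS endpoint URL, and fails early if any certificate in either store is not X.509 v3 (the Note on v1 certificates from the JDK 1.5 keytool). The file names, passwords and endpoint URL are assumed placeholders, and the example assumes the private key password equals the key store password; substitute the sign/encryption key password where they differ.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Two-way SSL client setup (added example; JDK 1.5 compatible, no system properties). */
public class TwoWaySslClientSetup {

    /** Returns the alias of every entry whose certificate (chain) is not X.509 v3. */
    public static List<String> findNonV3Certificates(KeyStore store) throws Exception {
        List<String> bad = new ArrayList<String>();
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate[] chain = store.getCertificateChain(alias); // null for trusted-cert entries
            if (chain == null) {
                Certificate single = store.getCertificate(alias);
                chain = (single == null) ? new Certificate[0] : new Certificate[] { single };
            }
            for (Certificate c : chain) {
                // X509Certificate.getVersion() returns 3 for a v3 certificate; the JDK 1.5 keytool default is v1.
                if (!(c instanceof X509Certificate) || ((X509Certificate) c).getVersion() != 3) {
                    bad.add(alias);
                    break;
                }
            }
        }
        return bad;
    }

    /** Loads a JKS store from disk, closing the stream even on failure. */
    public static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Builds an SSLContext that presents the client certificate and trusts only the given store. */
    public static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders: the stores configured in the Keystore Options step and the HTTPS endpoint.
        String keyStorePath = "client-keystore.jks";
        char[] keyStorePassword = "changeit".toCharArray();
        String trustStorePath = "client-truststore.jks";
        char[] trustStorePassword = "changeit".toCharArray();
        String endpoint = "https://wls-host.example.com:7002/HelloService/HelloServicePort";

        KeyStore keyStore = loadJks(keyStorePath, keyStorePassword);
        KeyStore trustStore = loadJks(trustStorePath, trustStorePassword);

        // Reject v1 certificates before the handshake rather than debugging a failed one.
        List<String> bad = findNonV3Certificates(keyStore);
        bad.addAll(findNonV3Certificates(trustStore));
        if (!bad.isEmpty()) {
            throw new IllegalStateException("Not X.509 v3: " + bad);
        }

        SSLContext ctx = buildContext(keyStore, keyStorePassword, trustStore);
        // Process-wide socket factory for HttpsURLConnection; the default hostname verifier stays active.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // Connectivity check only: the proxy or JAX-WS stub performs the actual SOAP call over this factory.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setRequestMethod("GET");
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getPeerPrincipal());
    }
}
```

Run the class once against the endpoint before securing the proxy; a handshake failure here isolates certificate or hostname problems from the WS-Security policy configuration that follows.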
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard:
To configure the OC4J 10g Web Service:
Configure the server for two-way SSL.
For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Use the Application Server Control to secure the deployed web service.
Click Authentication in navigation bar and set the following options:
Select Use SAML Authentication.
Select Accept Sender Vouches.
Deselect Verify Signature.
Click Integrity tab of the Inbound Policies page and deselect all options.
Click Integrity tab of the Outbound Policies page and deselect all options.
Click Confidentiality tab of the Inbound Policies page and deselect all options.
Click Confidentiality tab of the Outbound Policies page and deselect all options.
Edit the wsmgmt.xml deployment descriptor file, as described in Table 3–38, " Edit the wsmgmt.xml File".
To configure the OWSM 12c Client:
Configure the server for two-way SSL.
For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Create a client proxy to the OC4J 10g web service.
Ensure that the web service endpoint references the URL with HTTPS and the SSL port configured on OC4J, because in this scenario the web service runs on OC4J 10g.
Attach the following policy: oracle/wss_saml_token_over_ssl_client_policy.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configure the policy.
For more information, see "oracle/wss_saml_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.
To edit the wsmgmt.xml file:
Find the wsmgmt.xml file under ORACLE_HOME/j2ee/oc4j_instance/config/.
In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):
<outbound>
  <signature>
    <add-timestamp created="true" expiry="<Expiry_Time>"/>
  </signature>
  ...