The following topics introduce the new and changed features of Oracle Web Services Manager (OWSM) and other significant changes that are described in this guide, and provide pointers to additional information.
Oracle Fusion Middleware 12c (12.2.1) includes the following new and changed features for this document:
You can configure an application-level credential map name in certain predefined policies using the csf.map configuration property, which can be used to override the domain-level credential map on a per-attachment basis. See Creating an Application-level Credential Map.
New jndi.connection.timeout configuration property. See Configuring High Availability and Cache Management Using WLST.
Oracle Web Services Manager allows web service clients to interact with the Mobile and Social OAuth 2.0 server implementation for both SOAP and REST web services, for "2-legged" authorization. See Using OAuth2 with Oracle Web Services Manager.
You can now attach OWSM policies to RESTful web services and clients built using the Jersey 2.x release. (You can still attach policies using the Jersey 1.x release, but Oracle recommends you use the Jersey 2.x release.) See Chapter 4, "Attaching Policies to Manage and Secure Web Services."
The following APIs were deprecated in the 12c (12.1.3) release and have been removed in this release: weblogic.jaxrs.api.client, com.sun.jersey.api.client, com.sun.jersey.api.client.async, com.sun.jersey.api.client.config, and com.sun.jersey.api.client.filter.
Oracle Fusion Middleware 12c (12.1.3) includes the following new and changed features for this document:
Support for Oracle Service Bus and Oracle SOA Suite (SOAP/RESTful web services and JCA adapters), and Oracle Enterprise Scheduler. References to these components are included throughout this document as necessary. Some specific sections include:
"Web Services Security and Policy Management"
"Determining Which Predefined Policies to Use for a Web Service"
"Defining the Type and Scope of Resources for Globally Attached Policies"
Global policy attachment support for Java EE (WebLogic) web services. For more information, see:
"Attaching Policies Globally Using Fusion Middleware Control"
Support for determining the source of direct policy attachments. For more information, see "Determining the Source of Policy Attachments".
Security enhancements, including:
Integration of OWSM with Oracle Entitlements Server (OES). For more information, see "Configuring Fine-Grained Authorization Using Oracle Entitlements Server".
Ability to protect Personally Identifiable Information (PII) for SOA composites and SOA and Oracle Service Bus JCA adapters. For more information, see "Protecting Personally Identifiable Information".
Ability to manage Secure Conversation sessions using WLST commands. For more information, see "Understanding Secure Conversation Sessions".
Additional configuration properties available for Kerberos login module configuration in Fusion Middleware Control as described in "Configuring the Kerberos Login Module".
The ignore.timestamp.in.response configuration property was added to the transport level (_over_ssl_) client policies and assertion templates. For more information, see "Oracle Web Services Manager Predefined Policies" and "Oracle Web Services Manager Predefined Assertion Templates".
Ability to add assertions to a user-defined policy after adding an OR group. For more information, see "Adding an OR Group to a Policy".
The Algorithm Suite configuration setting defaults to BASIC_128 in all predefined SSL templates and policies. For more information, see Chapter 18, "Oracle Web Services Manager Predefined Assertion Templates."
Changes in the auto-discovery logic. The auto-discovery feature defaults to connecting to the Policy Manager in the local domain using non-secure protocol. However, if the auto-discovery logic cannot connect to a Policy Manager using non-secure protocol because the non-secure port is disabled, it will now attempt to connect to a Policy Manager using secure protocol. For more information, see "Configuring the Policy Manager Connection Using Fusion Middleware Control".
Support for the following new client policy configuration properties that can be overridden at design time for RESTful web service clients to configure the username and password:
oracle.wsm.security.util.SecurityConstants.ClientConstants.WSM_USERNAME_PROPERTY
oracle.wsm.security.util.SecurityConstants.ClientConstants.WSM_PASSWORD_PROPERTY
For more information, see "Overriding Client Policy Configuration Properties at Design Time".
For 12c (12.1.3), this guide has been updated in several ways. Following are the sections that have been added, deleted, or changed.
A new section has been added to assist in troubleshooting WS-Trust configurations. For more information, see "Diagnosing Common Oracle Web Services Manager Exceptions for WS-Trust Use Cases".
The SAML Message Protection Use Case and WS-Trust Use Cases chapters have been removed from this document and added to a new document, Use Cases for Securing Web Services Using Oracle Web Services Manager.
Assertion template reference information for settings and configuration properties is consolidated into a single appendix: Appendix B, "Predefined Assertion Templates for Oracle Web Services."
Because configuration to a Policy Manager in a remote domain is not supported in this release, the following sections have been updated:
"Configuring the Policy Manager Connection Using Fusion Middleware Control"
"Configuring the Policy Manager Connection Using WLST"
The section "Configuring the Connection to a Remote Policy Manager" has been removed.
Oracle Fusion Middleware 12c (12.1.2) includes the following new and changed features for this document:
RESTful web services security using OWSM policies. For more information, see:
"Attaching Policies to RESTful Web Services and Clients at Design Time"
"Attaching Policies Directly Using Fusion Middleware Control"
Security enhancements, including:
Web Services Trust (WS-Trust 1.3) and Web Services Secure Conversation (WS-SecureConversation 1.3) specification support, which together provide secure communication between web services and their clients. You can use WS-SecureConversation to increase the performance and security of your web services. For more information, see Chapter 12, "Configuring Secure Conversation Using Oracle Web Services Manager."
Support for KSS as the default message protection OWSM keystore. For more information, see "Understanding OPSS Keystore Service for Message Protection".
Federated STS trust and token caching support, as described in "Overview of Web Services WS-Trust".
Kerberos security enhancements, including credential delegation and single sign-on using SPNEGO, as described in "Configuring Kerberos Tokens"; derived key configuration, as described in "Derived Keys"; and new predefined policies, as described in Chapter 17, "Oracle Web Services Manager Predefined Policies."
Cache the nonce with Oracle Coherence, as described in "Caching the Nonce with Oracle Coherence".
Encrypted header support.
SHA 256 (SHA-2) algorithm support, as described in "Supported Algorithm Suites".
X509 security enhancements, including:
All X509 assertion templates enable you to set PKI path, as described in "Use PKI Path".
All X509 assertion templates are signed, by default, as described in Appendix C, "Schema Reference for Predefined Assertions for Oracle Web Services."
Digest authentication, as described in "Configuring Digest Authentication".
Support for SOAP over JMS transport as a connection protocol, including:
New predefined policies and assertion templates, as described in "SOAP Over JMS Transport Policies".
New annotations, as described in Appendix A, "Security and Policy Annotations for Oracle Web Services."
Fast Infoset support, providing a compressed binary encoding format that provides a more efficient serialization than the text-based XML format, including:
New predefined policies and assertion templates, as described in "Configuration Policies".
New annotations, as described in Appendix A, "Security and Policy Annotations for Oracle Web Services."
Cross-component wiring support, which provides a simplified method for wiring Fusion Middleware components. OWSM uses cross-component wiring to auto-discover the Policy Manager in the domain. It automates the wiring process, and provides the ability to diagnose wirings after they are established. For more information, see "Using Cross-Component Wiring for Auto-Discovery of Policy Manager".
Auto-discovery feature now defaults to connecting to the Policy Manager in the local domain using non-secure protocol. A configuration option is available to configure auto-discovery using SSL if required. For more information, see "Configuring the Policy Manager Connection Using Fusion Middleware Control".
OWSM domain configuration is now consolidated in the OWSM Repository. In previous releases, the OWSM configuration was stored in various files and locations, such as jps-config.xml and policy-accessor-config.xml. This change includes an enhanced interface for configuring the OWSM environment for authentication, message protection, and policy access for the domain. For more information, see Chapter 14, "Managing Oracle Web Services Manager Domain Configuration."
Enhanced token issuer trust configuration. SAML trusted issuers and DN lists are now stored in trust configuration documents in the OWSM repository. For more information, see "Configuring Domain-Level Authentication Using Fusion Middleware Control".
Redesigned policy authoring and management pages. For more information, see Chapter 6, "Managing Web Service Policies with Fusion Middleware Control."
High performance security using Oracle SPARC T5 and SPARC M5 servers, as described in "Configuring OWSM for Oracle SPARC T5 and SPARC T4 Cryptographic Acceleration".
OWSM introspection plug-in for Oracle Virtual Assembly Builder, as described in Appendix E, "Oracle Web Services Manager Introspection Plug-in for Oracle Virtual Assembly Builder."
Web services feature configuration using policies and annotations, as described in the following sections, respectively:
Appendix A, "Security and Policy Annotations for Oracle Web Services"
Annotation support for attaching OWSM security policies to WebLogic web services and clients, including the following:
weblogic.wsee.jws.jaxws.owsm.Property annotation to override configuration properties when attaching an OWSM policy.
weblogic.wsee.jws.jaxws.owsm.SecurityPolicies annotation to attach an array of OWSM policies.
weblogic.wsee.jws.jaxws.owsm.SecurityPolicy annotation to attach an OWSM policy.
For more information, see "Attaching Policies to Java EE Web Services and Clients Using Annotations".
General predefined policy and assertion template updates, including:
New policy categories, such as Configuration, SOAP Over JMS Transport, and so on. The new categories are updated in the relevant sections.
Predefined policies and assertion templates delivered with OWSM are read-only. For more information, see "Overview of Web Services Policy Management".
Server restart is no longer required after policy attachment.
WLST enhancements, including:
Redesigned web services WLST framework to provide consistency across web service stacks. As a result, there are a number of new and deprecated WLST commands for Oracle Infrastructure web services. The new commands are used in the examples throughout this document. For a complete list of deprecated commands and their 12c equivalents, see "Deprecated Commands for Oracle Infrastructure Web Services" in Release Notes for Oracle Fusion Middleware Infrastructure.
Command syntax to identify a policy subject has changed. All WLST examples have been updated throughout this document to use the new syntax. For more information, see "Identifying and Selecting the Policy Subject Using WLST".
New OWSM repository WLST commands for exporting application metadata, and migrating policy attachments and roles are provided. For more information, see Chapter 15, "Managing the Oracle Web Services Manager Repository."
New WLST commands for managing web service token issuer trust documents, as described in Chapter 14, "Managing Oracle Web Services Manager Domain Configuration."
For 12c (12.1.2), this guide has been updated in several ways. Following are the sections that have been added or changed.
In this release, the Security and Administrator's Guide for Web Services delivered in Oracle Fusion Middleware 11g has been split up into the following documents:
Understanding Oracle Web Services Manager
Securing Web Services and Managing Policies with Oracle Web Services Manager (this document)
Predefined policy reference and configuration information has been consolidated into one chapter. For more information, see Chapter 17, "Oracle Web Services Manager Predefined Policies."
Summary list of OWSM logical roles has been included in "Modifying the User's Group or Role".
Default values for predefined assertion template properties appear consistently in the Default Value column. In 11g, default values appeared in the Value field, in some cases.
The sections "Assertion Template Settings for Oracle Web Services" and "Assertion Template Configuration Properties for Oracle Web Services" have been moved from Chapter 18, "Oracle Web Services Manager Predefined Assertion Templates" to a new chapter, Appendix B, "Predefined Assertion Templates for Oracle Web Services."