C Security Policies for Connector APIs
Connecting to external services usually requires some degree of authentication and authorization. When you configure a connector API, you have the option of specifying the security policies to use when communicating with an external service (except for ICS Connector APIs where the security policy is determined by the WSDL for SOAP-based integrations).
Descriptions of the supported Oracle Web Services Manager (Oracle WSM) security policies for the REST, SOAP, ICS, and Fusion Applications Connector APIs are provided here. Additionally, the policy properties that you can override are also described along with a mapping of policy properties to the policies that contain them.
Note that for connector APIs, only client policies are valid.
Security Policies for REST Connector APIs
The supported Oracle Web Services Manager (Oracle WSM) security policies for REST Connector APIs are described in the following table:
Security Policy | Description |
---|---|
|
Includes user name and password in an HTTP Basic Authorization header. |
|
Includes a JWT token in the HTTP header. A JSON Web Token represents claims and is generally used in Federated Identity systems where the source and target have mutual trust and a shared identity realm. The JWT token is create automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy. |
|
Includes JWT token in the HTTP header. Similar to |
|
Includes a JWT token in the HTTP header. A JSON Web Token represents claims and is generally used in Federated Identity systems where the source and target have mutual trust and a shared identity realm. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy. This version of the policy enforces that connections are made over https. |
|
Includes SAML 2.0 tokens in the HTTP header. SAML provides single sign-on in that multiple services can redirect a user to a single identity provider, which supplies signed assertion tokens. The SAML token with confirmation method |
|
Includes SAML 2.0 tokens in the HTTP header. SAML provides single sign-on in that multiple services can redirect a user to a single identity provider, which supplies signed assertion tokens. The SAML token with confirmation method |
|
Provides information about the OAuth2 server, which preforms authorization and issues the access tokens. You must set both this policy and |
|
Includes OAuth2 access token in the request. OAuth2 allows users to safely grant client applications limited access to protected resources.. You must set both this policy and |
|
Includes OAuth2 access token in the request. OAuth2 allows users to safely grant client applications limited access to protected resources. You must set both this policy and |
Security Policies for SOAP Connector APIs
The supported Oracle Web Services Manager (Oracle WSM) security polices for SOAP connectors are described in the following table:
Security Policy | Description |
---|---|
|
Includes credentials in the HTTP header for outbound client requests. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based endpoint. |
|
Includes credentials in the HTTP header for outbound client requests. The credentials can be provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject. This policy can be applied to any HTTP-based client. Note: Currently only HTTP Basic Authentication is supported. |
|
Includes credentials in the HTTP header for outbound client requests. The credentials are provided either programmatically or through the Java Authentication and Authorization Service (JAAS) subject. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, then the request is refused. This policy can be applied to any HTTP-based client. |
|
Includes the SAML |
|
Includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method |
|
Includes SAML V2.0 tokens in outbound SOAP request messages. The SAML token with confirmation method |
|
Includes SAML V2.0 tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is automatically created. The issuer name and subject name are provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject. The SOAP header contains no timestamp. Optionally, attesting entity and audience restriction condition can be specified. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client. |
|
Includes SAML V2.0 tokens in outbound SOAP request messages. The SAML token is automatically created. The issuer name and subject name are provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject. Optionally, attesting entity and audience restriction condition can be specified. The policy also verifies that the transport protocol provides SSL message protection. This policy can be attached to any SOAP-based client. |
|
Includes credentials in the |
|
Includes credentials in the HTTP header for outbound client requests. The credentials are provided either programmatically or through the Java Authentication and Authorization Service (JAAS) subject. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, then the request is refused. This policy can be applied to any HTTP-based client. |
|
Provides message integrity and confidentiality for outbound SOAP requests in accordance with the WS-Security v1.0 standard. It uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. This policy doesn’t authenticate or authorize the requestor. |
|
Provides message-level protection and a SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. It uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouchers confirmation. These credentials are provided either programmatically or through the security configuration. |
|
Includes SAML tokens in outbound SOAP request messages. The SAML token is automatically created. The issuer name and subject name are provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject. |
|
Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. It uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client is configured either on a per-request basis or through the security configuration. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouchers confirmation. These credentials are provided either programmatically or through the security configuration. |
|
Includes SAML V2.0 tokens in outbound SOAP request messages. The SAML token is automatically created. The issuer name and subject name are provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject. Optionally, attesting entity and audience restriction can be specified. |
|
Provides message-level protection and SAML V2.0 based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 and SAML Token profile 1.1 standards. It uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client is configured either on a per-request basis or through the security configuration. A SAML V2.0 token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation. These credentials are provided either programmatically or through the security configuration. |
|
Provides message-level protection and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard. It uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. Authentication credentials are included in the SOAP message through the WS-Security binary security token. These credentials are provided either programmatically or through the security configuration |
|
Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. It uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for an encryption key in the request and for both signature and encryption keys in the response. The keystore on the client is configured either on a per-request basis or through the security configuration. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation. These credentials are provided either programmatically or through the security configuration. |
|
Enables message-level protection (that is, integrity and confidentiality) and identity propagation for outbound SOAP requests using mechanisms described in WS-Security 1.0. Message protection is provided using WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanisms for confidentiality, SHA-1 hashing algorithm for integrity and AES-128 bit encryption. The keystore on the client side is configured either on a per request basis or through the security configuration. Credentials (only user name) are included in outbound SOAP request messages via a |
|
Provides message-level protection (message integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security v1.0 standard. It uses WS-Security's Basic 128 suite of asymmetric key technologies, specifically RSA key mechanism for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. Credentials are included in the |
|
Provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard. It uses WS-Security's Basic 256 suite of asymmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-256 bit encryption. This policy uses the Subject Key Identifier (ski) reference mechanism for encryption key in the request and for both signature and encryption keys in the response. The keystore on the client is configured either on a per-request basis or through the security configuration. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation. These credentials are provided either programmatically or through the security configuration. |
|
Provides message-level protection and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. Credentials are included in the WS-Security binary security token of the SOAP message. These credentials are provided either programmatically or through the security configuration. |
|
Provides message-level protection and SAML-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client is configured either on a per-request basis or through the security configuration. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation. These credentials are provided either programmatically or through the security configuration. This policy performs dynamic identity switching by propagating a different identity than the one based on an authenticated Subject. This policy can be attached to any SOAP-based client. |
|
Provides message integrity and confidentiality for outbound SOAP requests in accordance with the WS-Security 1.1 standard. It uses WS-Security's Basic 128 suite of symmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. This policy doesn’t authenticate or authorize the requestor. |
|
Provides message-level protection and SAML-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client is configured either on a per-request basis or through the security configuration. A SAML token, included in the SOAP message, is used in SAML-based authentication with sender vouches confirmation. These credentials are provided either programmatically or through the security configuration. This policy can be attached to any SOAP-based client. |
|
Provides message-level protection and authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Messages are protected using WS-Security's Basic 128 suite of symmetric key technologies, specifically RSA key mechanisms for message confidentiality, SHA-1 hashing algorithm for message integrity, and AES-128 bit encryption. The keystore on the client side is configured either on a per-request basis or through the security configuration. Credentials are included in the |
Security Policies for ICS Connector APIs
The supported Oracle Web Services Manager (Oracle WSM) security policies for ICS Connector APIs are described in the following table:
Security Policy | Description |
---|---|
|
Includes credentials in the HTTP header for outbound client requests. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based endpoint. |
|
Includes credentials in the HTTP header for outbound client requests. The credentials are provided either programmatically or through the Java Authentication and Authorization Service (JAAS) subject. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based endpoint. |
|
Includes credentials in the HTTP header for outbound client requests. The credentials are provided either programmatically or through the Java Authentication and Authorization Service (JAAS) subject. It also verifies that the outbound transport protocol is HTTPS. If a non-HTTPS transport protocol is used, then the request is refused. This policy can be applied to any HTTP-based client. |
Security Policies for Fusion Applications Connector APIs
The supported Oracle Web Services Manager (Oracle WSM) security policies for REST Connector APIs are described in the following table:
Security Policy | Description |
---|---|
|
Includes credentials in the HTTP header for outbound client requests. The credentials can be provided either programmatically or through the current Java Authentication and Authorization Service (JAAS) subject. This policy can be applied to any HTTP-based client. Note: Currently only HTTP Basic Authentication is supported. |
|
Includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method |
|
Provides information about the OAuth2 server, which preforms authorization and issues the access tokens. You must set both this policy and |
|
Includes OAuth2 access token in the request. OAuth2 allows users to safely grant client applications limited access to protected resources.. You must set both this policy and |
|
Includes OAuth2 access token in the request. OAuth2 allows users to safely grant client applications limited access to protected resources. You must set both this policy and |
Security Policy Properties
Every security policy has a set of attributes that defines it. Some of these attributes can be overridden (see Setting Security Policies and Policy Overrides for REST Connector APIs and Setting Security Policies and Policy Overrides for SOAP Connector APIs ). The following table lists the attributes that you can modify and their descriptions:
Property | Description |
---|---|
|
The mapping attribute used to represent the attesting entity. Only the DN (distinguished name) is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It isn’t applicable to SAML over SSL policies. |
|
Audience restriction. The following conditions are supported:
|
|
The previously obtained OAuth2 authorization code. |
|
Credential Store key that maps to a user name and password in the Oracle Platform Security Services identity store. |
|
Oracle WSM map in the credential store that contains the CSF aliases. |
|
The federated identity that enables you to consolidate the multiple local identities that you’ve configured among multiple service providers. Allows you to log on at one service provider site without having to re-authenticate or re-establish your identity. |
|
The signer's certificate. |
|
Name of the JWT issuer. The default value is |
|
The alias and password used for storing the decryption key password in the keystore. If you set this value, then you can override it. If you do override this value, then the key for the new value must be in the keystore. That is, overriding the value doesn’t free you from the requirement of configuring the key in the keystore. |
|
Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Valid value is |
|
The alias and password used for storing the signature key password in the keystore. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. |
|
The Credential Store Framework key to the OAuth2 client username and password. The client credentials are the same on every request. |
|
Propagation of the identity context from the web service client to the web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. This is applicable to both SAML and OAuth, but not to HTTP Basic Authentication. |
|
The redirect URI specified when obtaining the authorization code (set this property if setting |
|
SOAP role |
|
Name of the SAML token file. |
|
Representation of the relying party, as a comma-separated URI. This field accepts the following wildcards:
|
|
Flag that specifies whether the |
|
Name identifier for the issuer of the SAML token. |
|
Ability for a user to grant the client application access to specific resources rather than a blanket authorization. .Passed to the OAuth2 server token request |
|
Identification of the authenticated principal. If set to false, then allows use of a client-specific user name rather than the authenticated subject. If set to true, then the user name to create the SAML assertion is obtained only from the Subject. Similarly, if set to false, the user name to create the SAML assertion is obtained only from the csf-key user name property. |
|
The OAuth2 server's token endpoint URI, which issues the access tokens. |
|
User attributes related to the principal of the SAML token. Attributes are added as a comma-separated list. The attribute names that you specify must exactly match valid attributes in the configured identity store. The Oracle WSM runtime reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. |
|
(SOAP) Flag that specifies whether to include SOAP roles. (REST) User roles to be included in the token. If set to true, then the authenticated user roles are included in the token as private claims. The default is false. |
|
Reserved for use with Oracle Cloud. |
The following table shows which security policies have these attributes:
Property | Security Policies Containing the Property |
---|---|
|
SOAP security policies:
|
|
REST security policies:
Fusion Applications security policies:
|
|
REST security policies:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
ICS security policies:
ICS security policies:
Fusion Applications security policies:
|
|
REST security policy:
|
|
REST security policies:
Fusion Applications security policies:
|
|
REST security policies:
Fusion Applications security policies:
|
|
REST security policies:
Fusion Applications security policies:
|
|
SOAP security policies:
|
|
SOAP security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policies:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policies:
Fusion Applications security policies:
|
|
REST security policy:
SOAP security policies:
ICS security policies:
Fusion Applications security policies:
|
|
SOAP security policy:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policies:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policy:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
Fusion Applications security policies:
|
|
REST security policies:
SOAP security policies:
ICS security policies:
Fusion Applications security policies:
|