7 Configuring Web Service Security

Web service providers are secured using security policies. Many security policies are available in the WebLogic server. When a service provider is secured with a particular policy, the service consumer must provide the required information (such as a username, password, or certificate) so that the provider can validate, authenticate, and secure the service invocation. Two such security policy configurations are certified by Oracle for RFI. This document refers to them as Policy A and an unsecured policy.

  • Policy A is Username Token over HTTPS. With this policy, the transport layer of the service invocation uses HTTPS. Consumers must provide a username and password to invoke the service.

When RFI is a Web service consumer, either Policy A or the unsecured policy can be set up for the provider service. The consumer must be configured with the corresponding Policy A or unsecured setting. For example, if the RMS supplier service is configured with Policy A, the RFI Web service consumer should be configured with Policy A.
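The consumer-side matching rule above can be checked in code. This is an added example, not Oracle's or RFI's code: the policy labels, the `build_request` function, the SOAP 1.1 envelope, the plain-text password type, and the endpoint host are assumptions made for illustration.

```python
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def build_request(policy, endpoint, body_xml, username=None, password=None):
    """Build a SOAP envelope for policy "POLICY_A" or "UNSECURED" (example labels)."""
    scheme = urlsplit(endpoint).scheme.lower()
    if policy == "POLICY_A":
        # Username Token over HTTPS. Assumption: the password is sent as
        # PasswordText, so only the TLS transport protects it on the wire.
        if scheme != "https":
            raise ValueError("Policy A requires an https:// endpoint")
        if not username or not password:
            raise ValueError("Policy A requires a username and password")
        header = (
            f'<wsse:Security xmlns:wsse="{WSSE_NS}" soapenv:mustUnderstand="1">'
            "<wsse:UsernameToken>"
            f"<wsse:Username>{escape(username)}</wsse:Username>"
            f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
            "</wsse:UsernameToken></wsse:Security>"
        )
    elif policy == "UNSECURED":
        # Treat credentials aimed at an unsecured provider as a config mismatch.
        if username or password:
            raise ValueError("unsecured provider: do not send credentials")
        header = ""
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        f"<soapenv:Header>{header}</soapenv:Header>"
        f"<soapenv:Body>{body_xml}</soapenv:Body>"
        "</soapenv:Envelope>"
    )


if __name__ == "__main__":
    # Constructed sample endpoint and credentials, not real values.
    print(build_request("POLICY_A", "https://rms.example.invalid/SupplierService",
                        "<ping/>", "rfi_user", "constructed-password"))
```

In a deployment, the username and password passed to such a function would be read from the credential wallet rather than written into code or configuration files.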

When RFI acts as a Web service provider, the service can be either unsecured or secured with Policy A only. For example, the GL Account validation Web service supplied by RFI can be secured using only Policy A; otherwise it must be unsecured. The policy setting in RMS should be configured to use Policy A.

Figure 7-1 Security Configurations


The above diagram shows the security configurations that are needed for Web service providers and consumers. If the RMS Supplier Web service is configured with Policy A, then the corresponding RFI consumer should be configured to use Policy A.

The RFI GL Account Web service can be secured with Policy A only, or it can be unsecured.

To invoke services over SSL, RFI must provide a username and password for authentication with the service. It is recommended that user credentials be stored in Oracle credential wallets. These wallets should be accessible to the service consumer.

RFI will also need to provide a username and password for user authentication with the service. User credentials are recommended to be stored in a wallet file.

RFI uses credential wallets, which are password-protected containers, for storing authentication information.