4 Interoperability with Oracle WebLogic Server 12c Web Service Security Environments

Oracle Web Services Manager (OWSM) is interoperable with Oracle WebLogic Server 12c web service security environments. Interoperability is achieved by attaching policies that conform to the WS-Security 1.0 and 1.1 standards on both sides of the call: an OWSM predefined policy on one endpoint and the matching WebLogic WS-SecurityPolicy 1.2 files (Wssp1.2-*.xml) on the other, so that both sides agree on the identity token, the WS-Security version, and whether the message or the transport is protected.


4.1 Overview of Interoperability with Oracle WebLogic Server 12c Web Service Security Environments

In Oracle Fusion Middleware 12c, you can attach both OWSM and Oracle WebLogic Server 12c web service policies to WebLogic Java EE web services.

4.1.1 OWSM Predefined Policies for Oracle WebLogic Server 12c Policies

OWSM provides predefined policies that pair with the Oracle WebLogic Server 12c WS-SecurityPolicy 1.2 files (Wssp1.2-*.xml). For each WebLogic policy combination used in this chapter there is an OWSM policy with the same identity token and WS-Security version; for example, oracle/wss11_username_token_with_message_protection_client_policy interoperates with Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml together with Wssp1.2-2007-SignBody.xml and Wssp1.2-2007-EncryptBody.xml. The pairings are summarized in Table 4-1, Table 4-2 and Table 4-3.

4.1.2 Oracle WebLogic Service Interoperability Scenarios

This topic describes the interoperability scenarios between a WebLogic web service policy and an OWSM client policy, and between a WebLogic client policy and an OWSM web service policy.

Table 4-1 and Table 4-2 summarize the most common Oracle WebLogic Server 12c web service policy interoperability scenarios by security requirement: identity token, WS-Security version, message protection, and transport security. Table 4-3 then lists, for each scenario section in this chapter, the policies attached on each side and the direction of the call. The tables are organized as follows:

  • Table 4-1 describes interoperability scenarios with WebLogic web service policies and OWSM client policies.

  • Table 4-2 describes interoperability scenarios with OWSM web service policies and WebLogic web service client policies.

  • Table 4-3 maps each scenario described in the remainder of this chapter to the OWSM and WebLogic policies it uses.

Table 4-1 WebLogic Web Service Policy and OWSM Client Policy Interoperability

Each row gives the identity token, the WS-Security version, whether message protection and transport security are used, the WebLogic web service policy files attached on the service, and the OWSM client policy that interoperates with them.

Username (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss11_username_token_with_message_protection_client_policy

Username and MTOM (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss11_username_token_with_message_protection_client_policy, oracle/wsmtom_policy

Username (WS-Security 1.0; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss10_username_token_with_message_protection_client_policy

SAML 2.0 (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss11_saml_token_with_message_protection_client_policy

SAML (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss11_saml_token_with_message_protection_client_policy

SAML and MTOM (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss11_saml_token_with_message_protection_client_policy, oracle/wsmtom_policy

SAML (WS-Security 1.0; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss10_saml_token_with_message_protection_client_policy

Mutual Authentication (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss11_x509_token_with_message_protection_client_policy

Mutual Authentication (WS-Security 1.0; message protection: yes; transport security: no)

  • Service policy (WebLogic): Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • Client policy (OWSM): oracle/wss10_x509_token_with_message_protection_client_policy

Table 4-2 OWSM Web Service Policy and WebLogic Web Service Client Policy Interoperability

Each row gives the identity token, the WS-Security version, whether message protection and transport security are used, the OWSM web service policy attached on the service, and the WebLogic client policy files that interoperate with it.

Username (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss11_username_token_with_message_protection_service_policy

  • Client policy (WebLogic): Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

Username and MTOM (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss11_username_token_with_message_protection_service_policy, oracle/wsmtom_policy (unless the client uses the @MTOM annotation)

  • Client policy (WebLogic): Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml (the same WS-Security 1.1 files as the row above; the WS-Security 1.0 username token file does not interoperate with the wss11 service policy)

Username (WS-Security 1.0; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss10_username_token_with_message_protection_service_policy

  • Client policy (WebLogic): Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

Username over SSL (WS-Security 1.0 and 1.1; message protection: no; transport security: yes)

  • Service policy (OWSM): oracle/wss_username_token_over_ssl_service_policy

  • Client policy (WebLogic): Wssp1.2-2007-Https-UsernameToken-Plain.xml

Username over SSL with MTOM (WS-Security 1.0 and 1.1; message protection: no; transport security: yes)

  • Service policy (OWSM): oracle/wss_username_token_over_ssl_service_policy

  • Client policy (WebLogic): Wssp1.2-2007-Https-UsernameToken-Plain.xml

SAML over SSL (WS-Security 1.0 and 1.1; message protection: no; transport security: yes)

  • Service policy (OWSM): oracle/wss_saml_token_over_ssl_service_policy

  • Client policy (WebLogic): Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml

SAML over SSL with MTOM (WS-Security 1.0 and 1.1; message protection: no; transport security: yes)

  • Service policy (OWSM): oracle/wss_saml_token_over_ssl_service_policy

  • Client policy (WebLogic): Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml

SAML 2.0 (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss11_saml_token_with_message_protection_service_policy

  • Client policy (WebLogic): Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

SAML (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss11_saml_token_with_message_protection_service_policy

  • Client policy (WebLogic): Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

SAML with MTOM (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss11_saml_token_with_message_protection_service_policy, oracle/wsmtom_policy (unless the client uses the @MTOM annotation)

  • Client policy (WebLogic): Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

SAML (WS-Security 1.0; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss10_saml_token_with_message_protection_service_policy

  • Client policy (WebLogic): Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

Mutual Authentication (WS-Security 1.1; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss11_x509_token_with_message_protection_service_policy

  • Client policy (WebLogic): Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

Mutual Authentication (WS-Security 1.0; message protection: yes; transport security: no)

  • Service policy (OWSM): oracle/wss10_x509_token_with_message_protection_service_policy

  • Client policy (WebLogic): Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

Table 4-3 Interoperability With Oracle WebLogic Server 12c Web Services Security Environments

Each entry names the scenario section, then for each direction of the call (client -> web service) the OWSM 12c policy and the Oracle WebLogic Server 12c policies involved.

"Username Token with Message Protection for Oracle WebLogic Server (WS-Security 1.1)"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss11_username_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policy: oracle/wss11_username_token_with_message_protection_client_policy. Oracle WebLogic Server 12c policies: Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"Username Token with Message Protection for Oracle WebLogic Server (WS-Security 1.1) and MTOM"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss11_username_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policies: oracle/wss11_username_token_with_message_protection_client_policy, oracle/wsmtom_policy. Oracle WebLogic Server 12c policies: Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"Username Token with Message Protection for Oracle WebLogic Server (WS-Security 1.0)"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss10_username_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policy: oracle/wss10_username_token_with_message_protection_client_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"Username Token over SSL for Oracle WebLogic Server"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss_username_token_over_ssl_service_policy. Oracle WebLogic Server 12c policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml

"Implementing Username Token Over SSL for Oracle WebLogic Server with MTOM"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss_username_token_over_ssl_service_policy. Oracle WebLogic Server 12c policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml

"SAML Token (Sender Vouches) over SSL for Oracle WebLogic Server"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss_saml_token_over_ssl_service_policy. Oracle WebLogic Server 12c policy: Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml

"Implementing SAML Token (Sender Vouches) Over SSL for Oracle WebLogic Server with MTOM"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss_saml_token_over_ssl_service_policy. Oracle WebLogic Server 12c policy: Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml

"SAML Token 2.0 (Sender Vouches) Message Protection for Oracle WebLogic Server (WS-Security 1.1)"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss11_saml_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policy: oracle/wss11_saml_token_with_message_protection_client_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) for Oracle WebLogic Server"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss11_saml_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policy: oracle/wss11_saml_token_with_message_protection_client_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) and MTOM for Oracle WebLogic Server"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss11_saml_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policies: oracle/wss11_saml_token_with_message_protection_client_policy, oracle/wsmtom_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0) for Oracle WebLogic Server"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss10_saml_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policy: oracle/wss10_saml_token_with_message_protection_client_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"Mutual Authentication with Message Protection (WS-Security 1.0) for Oracle WebLogic Server"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss10_x509_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policy: oracle/wss10_x509_token_with_message_protection_client_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

"Mutual Authentication with Message Protection (WS-Security 1.1) for Oracle WebLogic Server"

  • Oracle WebLogic Server -> OWSM. OWSM 12c policy: oracle/wss11_x509_token_with_message_protection_service_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

  • OWSM -> Oracle WebLogic Server. OWSM 12c policy: oracle/wss11_x509_token_with_message_protection_client_policy. Oracle WebLogic Server 12c policies: Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml, Wssp1.2-2007-SignBody.xml, Wssp1.2-2007-EncryptBody.xml

4.2 Username Token with Message Protection for Oracle WebLogic Server (WS-Security 1.1)

The Username Token with Message Protection policy conforms to the WS-Security 1.1 standard. This policy is implemented to achieve the interoperability between OWSM and Oracle WebLogic Server web service security environments.

4.2.1 Interoperability with a WebLogic Web Service Policy (Username Token)

Follow these procedures to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.2.1.1 Attaching and Configuring WebLogic Web Service Policy (Username Token)

Follow these steps to attach and configure the WebLogic web service policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Attach the following policies:

    1. Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    2. Wssp1.2-2007-SignBody.xml

    3. Wssp1.2-2007-EncryptBody.xml

      For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help

  4. Configure message-level security.

    Note:

    For a WS-Security 1.1 policy you only need to configure the Confidentiality Key. With the EncryptedKey binding the client encrypts a symmetric key to the server's certificate and that key protects both the signature and the encryption, so the server needs no separate Integrity Key. The certificate of this key is the one the OWSM client must reference as keystore.recipient.alias.

  5. Deploy the web service.

    For more information, see "Install a Web Service" in Oracle WebLogic Server Administration Console Online Help

4.2.1.2 Attaching and Configuring OWSM Client Policy (Username Token)

Follow these steps to attach and configure the OWSM client policy:

  1. Create a client proxy for the web service created earlier using clientgen or some other mechanism.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service client: oracle/wss11_username_token_with_message_protection_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Configure the policy.

    For more information, see "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  4. Specify keystore.recipient.alias in the client configuration.

    For more information, see "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  5. Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entry in the trust store configured for the web service.

    For more information, see "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  6. Provide a valid username and password as part of the configuration.

    For more information, see "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  7. Invoke the web service method from the client.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

4.2.2 Interoperability with a WebLogic Web Service Client Policy (Username Token)

You can implement Username Token with Message Protection that conforms to the WS-Security 1.1 standard to ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.2.2.1 Attaching and Configuring OWSM Web Service Policy (Username Token)

Follow these steps to attach and configure the OWSM policy:

  1. Create and deploy a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    1. oracle/wss11_username_token_with_message_protection_service_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.2.2.2 Attaching and Configuring WebLogic Web Service Client Policy (Username Token)

Follow these steps to attach and configure the WebLogic web service client policy:

  1. Create a client proxy for the web service created using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Attach the following policies:

    1. Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    2. Wssp1.2-2007-SignBody.xml

    3. Wssp1.2-2007-EncryptBody.xml

      For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Provide the configuration for the server (encryption key) in the client.

    Note:

    The encryption certificate you give the client must be the certificate of the encryption key configured for the web service; otherwise the service cannot decrypt the request.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Invoke the web service method from the client.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server

4.3 Username Token with Message Protection for Oracle WebLogic Server (WS-Security 1.1) and MTOM

The Username Token with Message Protection and Message Transmission Optimization Mechanism policies conform to the WS-Security 1.1 standard. These policies are implemented to achieve the interoperability between OWSM and Oracle WebLogic Server web service security environments.

4.3.1 Interoperability with a WebLogic Web Service Policy (Username Token with Message Protection and MTOM)

Follow these procedures to implement username token with message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM), and to ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.3.1.1 Attaching and Configuring WebLogic Web Service Policy (Username Token With Message Protection and MTOM)

Follow these steps to attach and configure the WebLogic web service policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services.

  2. Use the @MTOM annotation in the web service.

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server
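The following JWS file is an added example, not code from the Oracle documentation: it shows how the three policy files of section 4.2.1.1 are attached with @Policies and how the @MTOM annotation of section 4.3.1.1 sits beside them. The class, method and target namespace are assumptions; the policy file names are the WebLogic built-in ones referenced through the "policy:" scheme. The same annotations, with the WS-Security 1.0 username token file swapped in, serve section 4.4.1.1.

```java
package examples.interop;

import java.nio.charset.StandardCharsets;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.soap.MTOM;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

/*
 * Added example, not taken from the Oracle page: a WebLogic JAX-WS endpoint
 * (JWS file) that attaches the three policy files from section 4.2.1.1 and
 * enables MTOM as in section 4.3.1.1. Class, method and namespace names are
 * assumptions. The "policy:" scheme resolves WebLogic's built-in policy files
 * from weblogic.jar, so nothing has to be copied into the WAR.
 */
@WebService(name = "DocumentPort",
            serviceName = "DocumentService",
            targetNamespace = "http://example.com/interop")  // assumed namespace
@MTOM  // Section 4.3.1.1. Leave this out if the OWSM client attaches oracle/wsmtom_policy instead.
@Policies({
    // Identity: UsernameToken with a PasswordText password. The WS-Security 1.1
    // EncryptedKey binding has the client encrypt a symmetric key to the server's
    // certificate and use it for both signing and encryption, which is why the
    // server only needs its Confidentiality Key configured (section 4.2.1.1, step 4).
    // For the WS-Security 1.0 scenario of section 4.4.1.1 use
    // policy:Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml here.
    @Policy(uri = "policy:Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml"),
    // Integrity and confidentiality of the SOAP body for request and response.
    // Direction.both is the default; it is spelled out so the intent is visible.
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml", direction = Policy.Direction.both),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml", direction = Policy.Direction.both)
})
public class DocumentServiceImpl {

    // With @MTOM a byte[] result travels as an XOP attachment instead of inline
    // base64. MTOM only changes the wire serialization; the SignBody and
    // EncryptBody requirements above still apply to the body that carries it.
    @WebMethod
    public byte[] fetchDocument(String documentId) {
        // Reject anything that is not a plain identifier before touching storage.
        if (documentId == null || !documentId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("invalid document id");
        }
        // Constructed payload standing in for a document store lookup.
        return ("document " + documentId).getBytes(StandardCharsets.UTF_8);
    }
}
```

Compile the class with the WebLogic jwsc Ant task or as part of a WAR; the policies are advertised in the generated WSDL, which is how the OWSM client of section 4.2.1.2 learns that a UsernameToken, a body signature and body encryption are required.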

4.3.1.2 Attaching and Configuring OWSM Client Policy (Username Token With Message Protection and MTOM)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Configure the client proxy for the web service using clientgen or some other mechanism.

  2. If the web service does not use the @MTOM annotation, attach oracle/wsmtom_policy to the client from the Management tab.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.3.2 Interoperability with a WebLogic Web Service Client Policy (Username Token with Message Protection and MTOM)

Follow these procedures to implement username token with message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM), and to ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.3.2.1 Attaching and Configuring OWSM Policy (Username Token With Message Protection and MTOM)

Follow these steps to attach and configure the OWSM Policy:

  1. Configure the OWSM web service.

  2. Attach wsmtom_policy from the Management tab.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.3.2.2 Attaching and Configuring WebLogic Web Service Client Policy (Username Token With Message Protection and MTOM)

Follow these steps to attach and configure the WebLogic Web Service Client Policy:

  1. Create a client proxy for the web service created using clientgen.

  2. If you did not attach the wsmtom_policy, use the @MTOM annotation in the web service client.

4.4 Username Token with Message Protection Oracle WebLogic Server (WS-Security 1.0)

The Username Token with Message Protection policy conforms to the WS-Security 1.0 standard. This policy is implemented to achieve the interoperability between OWSM and Oracle WebLogic Server 12c web service security environments.

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy wherever you can: its EncryptedKey binding needs fewer public-key operations per message than the WS-Security 1.0 asymmetric binding and therefore performs better. For more information, see Username Token with Message Protection for Oracle WebLogic Server (WS-Security 1.1).

4.4.1 Interoperability with a WebLogic Web Service Policy (Username Token with Message Protection)

Follow these procedures to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.4.1.1 Attaching and Configuring WebLogic Web Service Policy (Username Token With Message Protection)

Follow these steps to attach and configure the WebLogic Web Service Policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Attach the following policies:

    1. Wssp1.2-2007-SignBody.xml

    2. Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    3. Wssp1.2-2007-EncryptBody.xml

      For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help.

  4. Configure message-level security.

    For more information, see:

  5. Deploy the web service.

    For more information, see Deploy a web service in Deploying Applications to Oracle WebLogic Server.

4.4.1.2 Attaching and Configuring OWSM Client Policy (Username Token With Message Protection)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Create a client proxy to the web service created using clientgen or some other mechanism.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service client:

    1. oracle/wss10_username_token_with_message_protection_client_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Configure the policy.

    For more information, see "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

    Note:

    Use different keys for the client's own signing and decryption key and for the keystore recipient alias (the server's public key, used to encrypt to the server). The recipient alias must name the certificate of the encryption key configured in the web service's security configuration.

  4. Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the web service.

  5. Provide a valid username and password as part of the configuration.

  6. Invoke the web service method from the client.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services
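The client below is an added example, not code from the Oracle documentation; it covers the OWSM client side of both section 4.2.1.2 (WS-Security 1.1) and section 4.4.1.2 (WS-Security 1.0). It attaches the policy programmatically with SecurityPolicyFeature and, before the first call, checks the keystore invariants the two sections state in prose: the recipient alias must be a trusted certificate entry, and for WS-Security 1.0 the client's signing key must be a different, private key. DocumentService and DocumentPort are assumed clientgen-generated types, the aliases and paths are assumptions, and the ClientConstants field name used for the recipient alias is given from memory of the OWSM API and should be checked against the Javadoc of your release.

```java
package examples.interop;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

/*
 * Added example, not from the Oracle page: a Java EE client that attaches the
 * OWSM username-token-with-message-protection client policy programmatically
 * (sections 4.2.1.2 and 4.4.1.2) after checking that the client keystore is
 * laid out the way those sections require. DocumentService/DocumentPort are
 * assumed clientgen-generated types; aliases and paths are assumptions.
 */
public class OwsmUsernameTokenClient {

    static final String WSS11_POLICY =
        "policy:oracle/wss11_username_token_with_message_protection_client_policy";
    static final String WSS10_POLICY =
        "policy:oracle/wss10_username_token_with_message_protection_client_policy";

    // keystore.recipient.alias: the WebLogic service's certificate (public key only).
    static final String RECIPIENT_ALIAS = "wls-service";
    // WS-Security 1.0 only: the client's own signing/decryption key
    // (configured through the keystore.sig.csf.key / keystore.enc.csf.key overrides).
    static final String CLIENT_KEY_ALIAS = "owsm-client";

    /**
     * Section 4.2.1.2 step 5 and the note in section 4.4.1.2 as a precondition:
     * the recipient alias must be a trusted certificate entry, and for
     * WS-Security 1.0 the client's key must be a private key entry whose
     * certificate is not the recipient's. Fails before any request is sent.
     */
    static void checkKeystore(String path, char[] storePass, boolean legacyWss10)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        if (!ks.isCertificateEntry(RECIPIENT_ALIAS)) {
            throw new IllegalStateException(RECIPIENT_ALIAS
                + " must be a trustedCertEntry holding the service's certificate");
        }
        if (legacyWss10) {
            if (!ks.isKeyEntry(CLIENT_KEY_ALIAS)) {
                throw new IllegalStateException(CLIENT_KEY_ALIAS + " must be a PrivateKeyEntry");
            }
            Certificate own = ks.getCertificate(CLIENT_KEY_ALIAS);
            if (own.equals(ks.getCertificate(RECIPIENT_ALIAS))) {
                throw new IllegalStateException("client key and recipient key must be different keys");
            }
        }
    }

    /**
     * Builds the port with the policy attached and the per-request properties set.
     * The WS-Security 1.0 signing/decryption aliases are supplied as policy
     * overrides (keystore.sig.csf.key, keystore.enc.csf.key), so only the
     * credential and the recipient alias are set on the request context here.
     */
    static DocumentPort createPort(DocumentService service, boolean legacyWss10,
                                   String keystorePath, char[] storePass,
                                   String user, char[] password)
            throws IOException, GeneralSecurityException {
        checkKeystore(keystorePath, storePass, legacyWss10);

        SecurityPolicyFeature[] features = {
            new SecurityPolicyFeature(legacyWss10 ? WSS10_POLICY : WSS11_POLICY)
        };
        DocumentPort port = service.getDocumentPort(features);  // JAX-WS generated accessor

        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.USERNAME_PROPERTY, user);            // section 4.2.1.2 step 6
        ctx.put(BindingProvider.PASSWORD_PROPERTY, new String(password));
        // Assumption: field name as in OWSM's SecurityConstants.ClientConstants; it
        // corresponds to the keystore.recipient.alias override (step 4). Verify it
        // against the Javadoc of the installed release.
        ctx.put(ClientConstants.WSS_RECIPIENT_KEY_ALIAS, RECIPIENT_ALIAS);
        return port;
    }
}
```

The keystore check is cheap and catches the two misconfigurations that otherwise surface only as opaque decryption or signature-verification faults on the service side: a recipient alias that points at the client's own key, and a WS-Security 1.0 client that tries to sign with the server's public certificate.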

4.4.2 Interoperability with a WebLogic Web Service Client Policy (Username Token with Message Protection)

Follow these procedures to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.4.2.1 Attaching and Configuring OWSM Policy (Username Token With Message Protection)

To attach and configure the OWSM Policy, perform the following steps:

  1. Create a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    1. oracle/wss10_username_token_with_message_protection_service_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

4.4.2.2 Attaching and Configuring WebLogic Web Service Client Policy (Username Token With Message Protection)

Follow these steps to attach and configure the WebLogic web service client policy:

  1. Create a client proxy for the web service created using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Attach the following policies:

    1. Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    2. Wssp1.2-2007-SignBody.xml

    3. Wssp1.2-2007-EncryptBody.xml

      For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure the client for server (encryption key) and client certificates.

    Note:

    The encryption certificate you give the client must be the certificate of the encryption key configured for the web service; otherwise the service cannot decrypt the request.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Invoke the web service method from the client.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server
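The request-context setup below is an added example, not code from the Oracle documentation; it serves the WebLogic client side of both section 4.2.2.2 (WS-Security 1.1, server encryption certificate only) and section 4.4.2.2 (WS-Security 1.0, which additionally needs the client's own X.509 key). The policy files are assumed to be attached already through clientgen or @Policy; file paths, aliases and the port variable are assumptions. It departs from the WebLogic sample in one place: the trust callback pins the certificates the response may be signed with instead of returning true for everything.

```java
package examples.interop;

import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.bst.StubPropertyBSTCredProv;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.wsee.security.util.CertUtils;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

/*
 * Added example, not from the Oracle page: what a WebLogic JAX-WS client puts
 * in its request context to call an OWSM service protected with
 * oracle/wss11_username_token_with_message_protection_service_policy (section
 * 4.2.2.2) or the WS-Security 1.0 variant (section 4.4.2.2). The policy files
 * are assumed to be attached already. Paths, aliases and the port are assumptions.
 */
public class WlsMessageProtectedClient {

    static void configure(BindingProvider port, boolean legacyWss10,
                          String user, char[] password,
                          String serverEncryptCertFile,   // certificate of the service's encryption key
                          String serverSignCertFile,      // WS-Security 1.0: the service's signing certificate, or null if it is the same
                          String clientKeystore, String keystorePass,   // WS-Security 1.0 only
                          String clientAlias, String keyPass) throws Exception {

        // Must be the certificate of the encryption key configured for the OWSM service
        // (the "in accordance with the encryption key" note in steps 3 of both sections).
        final X509Certificate serverEncryptCert =
            (X509Certificate) CertUtils.getCertificate(serverEncryptCertFile);
        final X509Certificate serverSignCert = serverSignCertFile == null
            ? serverEncryptCert : (X509Certificate) CertUtils.getCertificate(serverSignCertFile);

        List<CredentialProvider> providers = new ArrayList<>();
        // The username/password that become the UsernameToken.
        providers.add(new ClientUNTCredentialProvider(
            user.getBytes(StandardCharsets.UTF_8),
            new String(password).getBytes(StandardCharsets.UTF_8)));
        if (legacyWss10) {
            // WS-Security 1.0 asymmetric binding: the client signs requests and decrypts
            // responses with its own key, so it needs a BinarySecurityToken provider.
            providers.add(new ClientBSTCredentialProvider(clientKeystore, keystorePass, clientAlias, keyPass));
        }

        Map<String, Object> ctx = port.getRequestContext();
        ctx.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, providers);
        // Public key the client encrypts to: the symmetric key (1.1) or the body key (1.0).
        ctx.put(StubPropertyBSTCredProv.SERVER_ENCRYPT_CERT, serverEncryptCert);
        // The WebLogic sample callback returns true unconditionally, which accepts any
        // certificate a response is signed with. Accept only the service's own certificates.
        ctx.put(WSSecurityContext.TRUST_MANAGER, new TrustManager() {
            @Override
            public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                // validateErr 0 means WebLogic's own chain validation found no error.
                if (validateErr != 0 || chain == null || chain.length == 0) {
                    return false;
                }
                return sameCertificate(chain[0], serverSignCert)
                    || sameCertificate(chain[0], serverEncryptCert);
            }
        });
    }

    static boolean sameCertificate(X509Certificate presented, X509Certificate expected) {
        try {
            return Arrays.equals(presented.getEncoded(), expected.getEncoded());
        } catch (CertificateEncodingException e) {
            return false;
        }
    }
}
```

For the WS-Security 1.1 scenario pass legacyWss10 = false and null for the keystore arguments; the symmetric key the client generates is encrypted to serverEncryptCert and nothing else is needed. For WS-Security 1.0 the OWSM service may sign with a key other than its encryption key, which is why a separate signing certificate can be pinned.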

4.5 Username Token over SSL for Oracle WebLogic Server

The Username Token over SSL identity token conforms to the WS-Security 1.0 and 1.1 standards. Instead of message-level signing and encryption, the username and password are sent in a UsernameToken over a one-way SSL connection, so the transport is what protects the credential. This identity token is implemented to achieve the interoperability between the OWSM web service policy and the WebLogic web service client policy.

To implement username token over SSL and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy, perform the following procedures:

4.5.1 Attaching and Configuring OWSM Policy (Username Token Over SSL)

Follow these steps to attach and configure the OWSM Policy:

  1. Configure the server for one-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  2. Create a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  3. Attach the following policy:

    1. oracle/wss_username_token_over_ssl_service_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.5.2 Attaching and Configuring WebLogic Web Service Client Policy (Username Token Over SSL)

Follow these steps to attach and configure the WebLogic Web Service Client Policy:

  1. Create a client proxy for the web service created using clientgen. Provide a valid username and password as part of the configuration for this policy in the client proxy.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Configure WebLogic Server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help

  4. Attach Wssp1.2-2007-Https-UsernameToken-Plain.xml to the web service client.

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  5. Provide the truststore and other required System properties in the SSL client.

    For more information, see "Using SSL Authentication in Java Clients" in Developing Applications with the WebLogic Security Service

  6. Invoke the web service.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server
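The client below is an added example, not code from the Oracle documentation, for the WebLogic client side of section 4.5.2. It sets the trust-store system properties of step 5, keeps host name verification on, and refuses to send the UsernameToken to anything but an https endpoint, because Wssp1.2-2007-Https-UsernameToken-Plain.xml carries the password as text and only the TLS session protects it. The policy file is assumed to be attached already; the trust store path, endpoint URL and port variable are assumptions. Section 4.6 differs only by the @MTOM annotation on the client, which does not change this setup.

```java
package examples.interop;

import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

/*
 * Added example, not from the Oracle page: a WebLogic full client calling an
 * OWSM service that carries oracle/wss_username_token_over_ssl_service_policy
 * (section 4.5). Wssp1.2-2007-Https-UsernameToken-Plain.xml is assumed to be
 * attached already; it puts the password in the UsernameToken as text, so the
 * TLS session is the only thing protecting it. Paths, the endpoint URL and the
 * port variable are assumptions.
 */
public class WlsUsernameOverSslClient {

    /** Section 4.5.2 step 5: trust settings, read by the WebLogic SSL client on first use. */
    static void configureTrust(String trustStorePath, String trustStorePass) {
        System.setProperty("weblogic.security.TrustKeyStore", "CustomTrust");
        System.setProperty("weblogic.security.CustomTrustKeyStoreFileName", trustStorePath);
        System.setProperty("weblogic.security.CustomTrustKeyStorePassPhrase", trustStorePass);
        System.setProperty("weblogic.security.CustomTrustKeyStoreType", "JKS");
        // Host name verification ties the trusted certificate to the host actually dialled.
        // With it switched off, any certificate chaining to a CA in the trust store could
        // impersonate the service, and the password would be handed to the impostor.
        System.setProperty("weblogic.security.SSL.ignoreHostnameVerification", "false");
    }

    /** Only an https endpoint may carry a PasswordText UsernameToken. */
    static boolean isHttps(String endpoint) {
        return "https".equalsIgnoreCase(URI.create(endpoint).getScheme());
    }

    static void configure(BindingProvider port, String endpoint, String user, char[] password) {
        if (!isHttps(endpoint)) {
            throw new IllegalArgumentException(
                "Https-UsernameToken-Plain sends the password in clear text; endpoint must be https: "
                + endpoint);
        }
        Map<String, Object> ctx = port.getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);

        // Section 4.5.2 step 1: the credential that becomes the UsernameToken.
        List<CredentialProvider> providers = new ArrayList<>();
        providers.add(new ClientUNTCredentialProvider(
            user.getBytes(StandardCharsets.UTF_8),
            new String(password).getBytes(StandardCharsets.UTF_8)));
        ctx.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, providers);
    }
}
```

Call configureTrust before the first SSL connection is opened and configure on each port before invoking it. The WebLogic runtime also rejects a non-https address for this policy, so the explicit scheme check is defence in depth; its value is that the failure happens in the client with a clear message rather than as a policy fault from the server.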

4.6 Implementing Username Token Over SSL for Oracle WebLogic Server with MTOM

Follow these steps to implement username token over SSL with Message Transmission Optimization Mechanism (MTOM) and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

  1. Configure the OWSM web service.
  2. Attach and configure WebLogic Web Service Client Policy by creating client proxy for the web service created earlier.
  3. Use the @MTOM annotation in the web service client.

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

4.7 SAML Token (Sender Vouches) over SSL for Oracle WebLogic Server

The SAML Token (Sender Vouches) over SSL identity token conforms to the WS-Security 1.0 and 1.1 standards. This identity token is implemented to ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.7.1 Attaching and Configuring OWSM Policy (SAML Token)

Follow these steps to attach and configure the OWSM Policy.

  1. Configure the oracle/wss_saml_token_over_ssl_service_policy policy for two-way SSL.

    For more information, see "oracle/wss_saml_token_over_ssl_service_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  2. Create a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  3. Attach the following policy to the web service: oracle/wss_saml_token_over_ssl_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

4.7.3 Attaching and Configuring WebLogic Web Service Client Policy (SAML Token)

Follow these steps to attach and configure the WebLogic Web Service client policy.

  1. Create a client proxy for the web service created earlier using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Configure Oracle WebLogic Server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help

  4. Attach Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml to the web service client.

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  5. Configure a SAML credential mapping provider.

  6. In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  7. Select the new provider, click on Provider Specific, and configure it as follows:

    1. Set Issuer URI to www.oracle.com.

    2. Set Name Qualifier to www.oracle.com.

  8. Restart Oracle WebLogic Server.

    For more information, see "Accessing Oracle WebLogic Administration Console" in Administering Web Services

  9. Create a SAML relying party with the Profile set to WSS/Sender-Vouches.

  10. Configure the SAML relying party as follows (leave other values set to the defaults):

    1. Target URL: <url_used_to_access_Web_service>. This must be the URL the client proxy actually invokes; the credential mapper selects the relying party by matching it, so a token is issued only for calls to that URL.

    2. Description: <your_description>

    3. Select the Enabled checkbox and click Save.

      For more information, see "Create a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help

  11. Create a servlet and call the proxy code from the servlet.

  12. Protect the servlet with BASIC authentication so that the container establishes an authenticated subject; the sender-vouches token carries this subject's identity, so without it there is nothing to propagate.

  13. Provide the truststore and other required System properties in the SSL client.

    For more information, see "Using SSL Authentication in Java Clients" in Developing Applications with the WebLogic Security Service

  14. Invoke the Web application client.

  15. Enter the credentials of the user whose identity is to be propagated using the SAML token.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server

4.8 Implementing SAML Token (Sender Vouches) Over SSL for Oracle WebLogic Server with MTOM

Follow these steps to implement SAML token (sender vouches) over SSL with MTOM and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

  1. Configure the OWSM web service as described in "Attaching and Configuring OWSM Policy (SAML Token)".
  2. Configure the Oracle WebLogic web service client policy as described in "Attaching and Configuring WebLogic Web Service Client Policy (SAML Token)".
  3. Use the @MTOM annotation in the web service client.

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server.

4.9 SAML Token 2.0 (Sender Vouches) Message Protection for Oracle WebLogic Server (WS-Security 1.1)

The SAML Token 2.0 (Sender Vouches) Message Protection identity token conforms to the WS-Security 1.1 standard. This identity token is implemented to achieve the interoperability between OWSM and Oracle WebLogic Server 12c web service security environments.

4.9.1 Interoperability with a WebLogic Web Service Policy (SAML Token 2.0)

Follow these procedures to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.9.1.1 Attaching and Configuring WebLogic Web Service Policy(SAML Token 2.0)

Follow these steps to attach and configure the WebLogic Web Service Policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Attach the following policies:

    • Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure the keystore properties for message signing and encryption so that they match the keystore used on the server side. Build the trust store from that keystore by exporting both certificates (signing and encryption) and importing each as a trusted certificate entry. Then configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help.

  4. Configure message-level security.

    For more information, see "Configuring Message-Level Security" in Securing WebLogic Web Services for Oracle WebLogic Server

  5. Attach the new configuration to the web service using the annotation:

    @WssConfiguration(value="<my_security_configuration>")

    where <my_security_configuration> is the name of the Web Service Security Configuration created in the previous step.

    For more information, see "Configuring Message-Level Security" in Securing WebLogic Web Services for Oracle WebLogic Server

  6. Deploy the web service.

    For more information, see Deploy a web service in Deploying Applications to Oracle WebLogic Server.

  7. Create a SAML 2.0 Identity Asserter.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Authentication and create a New Authentication Provider of type SAML2IdentityAsserter. An identity asserter is an authentication provider: it validates incoming tokens on the service side. The Credential Mapping page is used only on the client side, where tokens are issued.

    For more information, see "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help

  8. Restart WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help.

  9. To add the identity provider to the identity asserter created in Step 7, perform the following steps:

    1. Select the identity asserter created in Step 7 in the WebLogic Administration Console.

    2. Create a new identity provider partner, select New, and then select New Webservice Identity Provider Partner.

    3. Provide a name, and select Finish.

  10. Configure the identity provider as follows:

    1. Select the identity provider partner created in Step 9.

    2. Select the Enabled check box.

    3. Provide the Audience URI. For example:

      target:*:/saml20WLSWS-Project1-context-root/Class1Port
    4. Set Issuer URI to www.oracle.com.

    5. Set Target URL to <url_used_to_access_Web_service>.

    6. Set Profile to WSS/Sender-Vouches.
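The service side of this procedure, as an added example (this is not code from the original page or from Oracle): a WebLogic JWS that carries the three policies from step 2 and the @WssConfiguration name from step 5, and reads back the identity that the SAML2IdentityAsserter established. The package, class, service and namespace names, the configuration name saml20_wss11_config and the whoAmI operation are assumptions for illustration.

```java
package example.interop;                       // assumed package name

import java.security.Principal;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

import weblogic.jws.Policies;
import weblogic.jws.Policy;
import weblogic.jws.security.WssConfiguration;

/**
 * WebLogic JAX-WS service secured as described in 4.9.1.1: a SAML 2.0
 * sender-vouches token for identity, plus body signature and encryption
 * under WS-Security 1.1. The three files are predefined policies shipped
 * in weblogic.jar; the "policy:" prefix makes the runtime load them from
 * there rather than from the application archive.
 */
@WebService(name = "Saml20Interop",                         // assumed
            serviceName = "Saml20InteropService",           // assumed
            targetNamespace = "http://example.com/interop") // assumed
@Policies({
    @Policy(uri = "policy:Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
// Names the Web Service Security Configuration (steps 4 and 5) that holds
// the confidentiality key used to unwrap the client's encrypted key.
@WssConfiguration(value = "saml20_wss11_config")            // assumed name
public class Saml20InteropImpl {

    @Resource
    private WebServiceContext ctx;

    /**
     * Echoes the identity the container established for this call. With the
     * policies above, the SAML2IdentityAsserter has already checked the
     * signature against a trusted sender certificate, matched Issuer URI and
     * Audience URI against the identity provider partner, and mapped the
     * assertion subject to a WebLogic user before this method runs.
     */
    @WebMethod
    public String whoAmI() {
        Principal caller = ctx.getUserPrincipal();
        if (caller == null) {
            // If identity assertion did not run, the caller is anonymous.
            // Fail closed rather than serve the request.
            throw new IllegalStateException("no authenticated subject: "
                    + "SAML sender-vouches policy is not being enforced");
        }
        return caller.getName();
    }
}
```

A successful call from the OWSM client returns the WebLogic user name that the asserter mapped from the assertion subject, which is the quickest way to confirm that identity propagation, and not just message protection, is working end to end.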

4.9.1.2 Attaching and Configuring OWSM Client Policy(SAML Token 2.0)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Generate a client using JDeveloper for the web service created earlier: create a Web project, select New, and create a client proxy from the WSDL.

    For more information, see "Creating JAX-WS Web Services and Clients" in Developing Applications with Oracle JDeveloper
  2. Add a servlet in the above project.

  3. Attach the following policy to the web service client: oracle/wss11_saml20_token_with_message_protection_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  4. Specify keystore.recipient.alias in the client configuration.

    Note:

    Ensure that keystore.recipient.alias names the certificate of the same key pair that is configured as the decryption key for the web service.

    For more information, see "oracle/wss11_saml20_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  5. Ensure that the certificate for the keystore.recipient.alias key specified for the client exists as a trusted certificate entry in the trust store configured for the web service.

    For more information, see "oracle/wss11_saml20_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  6. In JDeveloper, secure web project with Form-based authentication using the Configure ADF Security Wizard.

    For more information, see Developing Applications with Oracle JDeveloper

  7. Invoke the Web application client.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services
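The client side of this procedure as an added example (not code from the original page or from Oracle): a Java EE servlet, protected by container authentication so that an authenticated subject exists, that attaches the OWSM client policy to the injected service reference and sets keystore.recipient.alias programmatically. The same shape serves the WS-Security 1.1 SAML 1.1 case later on this page by swapping in oracle/wss11_saml_token_with_message_protection_client_policy. The package, servlet path, role name, WSDL URL, the alias orakey, and the generated proxy names Saml20InteropService, Saml20Interop and whoAmI are assumptions; the login-config (BASIC or FORM) is declared in web.xml as in step 6.

```java
package example.interop.client;                      // assumed package name

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceRef;

import oracle.wsm.security.util.SecurityConstants;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicies;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicy;

/**
 * Java EE client for the service of 4.9.1.1. The sender-vouches client
 * policy carries no credentials of its own: it takes the subject the
 * container authenticated for this request and vouches for it in a SAML
 * assertion signed with the client key. The servlet must therefore be
 * protected, otherwise there is no identity to vouch for.
 */
@WebServlet("/callInterop")                                           // assumed path
@ServletSecurity(@HttpConstraint(rolesAllowed = {"InteropCallers"}))  // assumed role
public class InteropClientServlet extends HttpServlet {

    // Alias, in the client keystore, of the SERVICE's encryption certificate.
    // It must be the public half of the decryption key configured on the service.
    private static final String RECIPIENT_ALIAS = "orakey";          // assumed alias

    @SecurityPolicies({
        @SecurityPolicy(uri = "policy:oracle/wss11_saml20_token_with_message_protection_client_policy")
    })
    @WebServiceRef(wsdlLocation = "http://wls-host:7001/saml20WLSWS/Class1Port?WSDL") // placeholder
    private Saml20InteropService service;   // JDeveloper-generated proxy, assumed name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Fail closed: without a container-authenticated subject the policy
        // has nothing to propagate.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                           "no authenticated subject to propagate");
            return;
        }

        Saml20Interop port = service.getSaml20InteropPort();   // assumed generated getter

        // Per-port override of the policy's keystore.recipient.alias (step 4).
        Map<String, Object> rc = ((BindingProvider) port).getRequestContext();
        rc.put(SecurityConstants.ClientConstants.WSS_RECIPIENT_KEY_ALIAS, RECIPIENT_ALIAS);

        String remoteIdentity = port.whoAmI();                   // assumed operation
        try (PrintWriter out = resp.getWriter()) {
            out.printf("local user %s was seen by the service as %s%n",
                       req.getUserPrincipal().getName(), remoteIdentity);
        }
    }
}
```

If the two names printed differ, the identity provider partner on the WebLogic side is mapping the assertion subject to a different user than the one the client authenticated, which is the first thing to check before looking at keys and certificates.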

4.9.2 Interoperability with a WebLogic Web Service Client Policy (SAML Token 2.0)

Follow these procedures to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic web service client policy and the OWSM policy.

4.9.2.1 Attaching and Configuring OWSM Policy (SAML Token 2.0)

Follow these steps to attach and configure the OWSM Policy:

  1. Create a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    oracle/wss11_saml20_token_with_message_protection_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.9.2.2 Attaching and Configuring WebLogic Web Service Client (SAML Token 2.0)

Follow these steps to attach and configure the WebLogic Web Service Client:

  1. Create a Java EE client for the deployed web service using JDeveloper: create a Web project and generate a proxy from the WSDL.

    For more information, see "Creating JAX-WS Web Services and Clients" in Developing Applications with Oracle JDeveloper

  2. Attach the following policies:

    • Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

      Note:

      Extract weblogic.jar to a folder and provide the absolute paths to the above policy files.

      For more information, see "Attaching Policies" in Developing Applications with Oracle JDeveloper

  3. Add servlet to above web project.

  4. Configure the client for server (encryption key) and client certificates.

    Note:

    Ensure that the encryption key specified is in accordance with the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  5. Secure the Web application client using BASIC Authentication.

    For more information, see "Developing BASIC Authentication Web Applications" in Developing Applications with the WebLogic Security Service

  6. Deploy the Java EE Web application client.

    For more information, see "Deploying Web Services Applications" in Administering Web Services

  7. Configure a SAML credential mapping provider.

    • In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAML2CredentialMapper.

  8. Select the new provider, click on Provider Specific, and configure it as follows:

    1. Set Issuer URI to www.oracle.com.

    2. Set Name Qualifier to www.oracle.com.

    For more information, see "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help

  9. Restart WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help.

  10. To create a new service provider partner, perform the following steps:

    1. Select the credential mapper created in Step 7 in the WebLogic Administration Console, and then select the Management tab.

    2. Select New, and then select New Webservice Service Provider Partner.

    3. Provide a name, and select Finish.

  11. Configure the service provider partner as follows:

    1. Select the service provider partner created in Step 10.

    2. Select the Enabled check box.

    3. Provide the Audience URI.

    4. Set Issuer URI to www.oracle.com.

    5. Set Target URL to <url_used_to_access_Web_service>.

    6. Set Profile to WSS/Sender-Vouches.

  12. Invoke the Web application client.

4.10 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) for Oracle WebLogic Server

The SAML Token (Sender Vouches) with Message Protection identity token conforms to the WS-Security 1.1 standard. This identity token is implemented to achieve the interoperability between OWSM and Oracle WebLogic Server 12c web service security environments.

4.10.1 Interoperability with a WebLogic Web Service Policy (SAML Token with Message Protection)

Follow these procedures to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.10.1.1 Attaching and Configuring WebLogic Web Service Policy (SAML Token With Message Protection)

Follow these steps to attach and configure the WebLogic Web Service Policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Attach the following policies:

    • Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help

  4. Configure message-level security.

    Note:

    Since this is a WS-Security 1.1 policy, you need to configure the Confidentiality Key only: the client wraps its symmetric key under the service's certificate and that same key protects the response, so the service needs only the key pair that unwraps it and no separate signing key pair.

    For more information, see "Configuring Message-Level Security" in Securing WebLogic Web Services for Oracle WebLogic Server

  5. Deploy the web service.

    For more information, see Deploy a web service in Deploying Applications to Oracle WebLogic Server.

  6. Create a SAMLIdentityAsserterV2 authentication provider.

    • In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Authentication and create a New Authentication Provider of type SAMLIdentityAsserterV2. An identity asserter is an authentication provider that validates incoming tokens on the service side; the Credential Mapping page is used only on the client side, where tokens are issued.

      For more information, see "Configuring Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help

  7. Restart WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help.

  8. Select the authentication provider created in step 6.

  9. Create a SAML asserting party.

    • Set Profile to WSS/Sender-Vouches.

    For more information, see "Create a SAML 1.1 Asserting Party" in Oracle WebLogic Server Administration Console Online Help

  10. Configure the SAML asserting party as follows:

    1. Set Issuer URI to www.oracle.com. This must match the issuer name the OWSM client policy places in the assertion; www.oracle.com is the OWSM default (saml.issuer.name), and an asserting party with any other Issuer URI rejects the token.

    2. Set Target URL to <url_used_to_access_Web_service>.

      For more information, see "Create a SAML 1.1 Asserting Party" in Oracle WebLogic Server Administration Console Online Help

4.10.1.2 Attaching and Configuring OWSM Client Policy (SAML Token With Message Protection)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Create a client proxy to the web service created earlier using clientgen or some other mechanism.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service client:

    • oracle/wss11_saml_token_with_message_protection_client_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Configure the policy, as described in oracle/wss11_saml_token_with_message_protection_client_policy.

    For more information, see "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  4. Specify keystore.recipient.alias in the client configuration.

    Note:

    Ensure that keystore.recipient.alias is the same as the decryption key specified for the web service.

    For more information, see "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  5. Ensure that the keystore.recipient.alias keys specified for the client exist as trusted certificate entry in the trust store configured for the web service.

    For more information, see "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  6. Provide a valid username whose identity needs to be propagated using SAML token in the client configuration.

    For more information, see "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  7. Invoke the Web application client.

4.10.2 Interoperability with a WebLogic Web Service Client Policy (SAML Token with Message Protection)

Follow these procedures to implement SAML sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.10.2.1 Attaching and Configuring OWSM Policy (SAML Token With Message Protection)

Follow these steps to attach and configure the OWSM Policy:

  1. Create a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    • oracle/wss11_saml_token_with_message_protection_service_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.10.2.2 Attaching and Configuring WebLogic Web Service Client Policy (SAML Token With Message Protection)

Follow these steps to attach and configure the WebLogic Web Service Client Policy:

  1. Create a client proxy for the web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Attach the following policies:

    • Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure the client for server (encryption key) and client certificates.

    Note:

    Ensure that the encryption key specified is in accordance with the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Secure the Web application client using BASIC Authentication.

    For more information, see "Developing BASIC Authentication Web Applications" in Developing Applications with the WebLogic Security Service.

  5. Deploy the web service client.

    For more information, see "Deploying Web Services Applications" in Administering Web Services

  6. Configure a SAML credential mapping provider.

    • In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  7. Select the new provider, click on Provider Specific, and configure it as follows:

    1. Set Issuer URI to www.oracle.com.

    2. Set Name Qualifier to www.oracle.com.

      For more information, see "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help

  8. Restart WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help.

  9. Create a SAML relying party.

  10. Configure the SAML relying party.

    • Ensure the Target URL is set to the URL used for the client web service.

      For more information, see "Configure a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help

  11. Invoke the Web application client.

4.11 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) and MTOM for Oracle WebLogic Server

The SAML Token (Sender Vouches) with Message Protection identity token conforms to the WS-Security 1.1 standard; here it is combined with the Message Transmission Optimization Mechanism (MTOM) for binary payloads. This combination is implemented to achieve interoperability between OWSM and Oracle WebLogic Server 12c web service security environments.

4.11.1 Interoperability with a WebLogic Web Service Policy (SAML Token with Message Protection and MTOM)

Follow these procedures to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and MTOM and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.11.1.1 Attaching and Configuring WebLogic Web Service Policy (SAML Token With Message Protection and MTOM)

Follow these steps to attach and configure the WebLogic Web Service Policy:

  1. Create a WebLogic web service, as described in SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) for Oracle WebLogic Server

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Use the @MTOM annotation in the web service, alongside the policies attached in Step 2 of "Attaching and Configuring WebLogic Web Service Policy (SAML Token With Message Protection)".

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server
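What step 2 looks like in a JWS, as an added example (not code from the original page or from Oracle): the @MTOM annotation sits beside the same three policies as the non-MTOM service, and a binary-valued operation is used to show that the optimized content is still covered by SignBody and EncryptBody. The package, class, service and namespace names, the configuration name saml11_wss11_config, the 1 KiB threshold and the upload operation are assumptions for illustration.

```java
package example.interop;                       // assumed package name

import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.activation.DataHandler;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.soap.MTOM;

import weblogic.jws.Policies;
import weblogic.jws.Policy;
import weblogic.jws.security.WssConfiguration;

@WebService(name = "MtomInterop",                           // assumed
            serviceName = "MtomInteropService",             // assumed
            targetNamespace = "http://example.com/interop") // assumed
@MTOM(threshold = 1024)   // binary values above 1 KiB travel as MIME parts (assumed threshold)
@Policies({
    @Policy(uri = "policy:Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
@WssConfiguration(value = "saml11_wss11_config")            // assumed name
public class MtomInteropImpl {

    /**
     * Accepts a binary payload and returns its SHA-256 digest as hex. MTOM
     * changes only the wire encoding: the DataHandler content is part of the
     * SOAP Body infoset, so SignBody and EncryptBody apply to it exactly as to
     * the rest of the body. Returning a digest lets the client confirm that
     * what was decrypted and verified on this side is what it sent.
     */
    @WebMethod
    public String upload(String fileName, DataHandler content) throws IOException {
        MessageDigest sha256;
        try {
            sha256 = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
        byte[] buf = new byte[8192];
        try (InputStream in = content.getInputStream()) {
            int n;
            while ((n = in.read(buf)) != -1) {
                sha256.update(buf, 0, n);
            }
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : sha256.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }
}
```

Because the OWSM client also has to negotiate MTOM, the client side needs oracle/wsmtom_policy attached in addition to its SAML policy; a client without it sends plain base64 content, which the service still accepts, so a missing MTOM policy shows up as larger messages rather than as a fault.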

4.11.1.2 Attaching and Configuring OWSM Client Policy (SAML Token With Message Protection and MTOM)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Create a client proxy to the web service created earlier, as described in SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) for Oracle WebLogic Server

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach oracle/wsmtom_policy to the web service client from the Management tab, in addition to the SAML client policy already attached.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.11.2 Interoperability with a WebLogic Web Service Client Policy (SAML Token with Message Protection and MTOM)

Follow these procedures to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and MTOM and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.11.2.1 Attaching and Configuring OWSM Policy (SAML Token With Message Protection and MTOM)

Follow these steps to attach and configure the OWSM Policy:

  1. Create and deploy a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    • oracle/wss11_username_token_with_message_protection_service_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.11.2.2 Attaching and Configuring WebLogic Web Service Client Policy (SAML Token With Message Protection and MTOM)

Follow these steps to attach and configure the WebLogic Web Service Client Policy:

  1. Create a client proxy for the web service created earlier using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Attach the following policies:

    • Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Provide the configuration for the server (encryption key) in the client.

    Note:

    Ensure that the encryption key specified on the client corresponds to the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Invoke the web service method from the client.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server

4.12 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0) for Oracle WebLogic Server

The SAML Token (Sender Vouches) with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM and Oracle WebLogic Server 12c web service security environments.

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) for Oracle WebLogic Server.

4.12.1 Interoperability with a WebLogic Web Service Policy - SAML Token with Message Protection (WS-Security 1.0)

Follow these procedures to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.12.1.1 Attaching and Configuring WebLogic Web Service Policy-SAML Token With Message Protection(WS-Security 1.0)

Follow these steps to attach and configure the WebLogic Web Service Policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Attach the following policies:

    • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help

  4. Configure message-level security.

    For more information, see "Configuring Message-Level Security" in Securing WebLogic Web Services for Oracle WebLogic Server

  5. Deploy the web service.

    For more information, see Deploy a web service in Deploying Applications to Oracle WebLogic Server.

  6. Create a SAMLIdentityAsserterV2 authentication provider.

    • In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Authentication and create a New Authentication Provider of type SAMLIdentityAsserterV2. An identity asserter is an authentication provider that validates incoming tokens on the service side; the Credential Mapping page is used only on the client side, where tokens are issued.

      For more information, see "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help

  7. Restart WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help.

  8. Select the authentication provider created in step 6.

  9. Create a SAML asserting party.

  10. Configure the SAML asserting party as follows (leave other values set to the defaults):

    1. Set Issuer URI to www.oracle.com.

    2. Set Target URL to <url_used_by_client>.

      For more information, see "Configure a SAML 1.1 Asserting Party" in Oracle WebLogic Server Administration Console Online Help

4.12.1.2 Attaching and Configuring OWSM Client Policy-SAML Token With Message Protection(WS-Security 1.0)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Create a client proxy to the web service created earlier using clientgen or some other mechanism.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service client:

    • oracle/wss10_saml_token_with_message_protection_client_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Configure the policy.

    For more information, see "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  4. Ensure that the client uses distinct keys for its own signing and decryption key pair and for the keystore recipient alias (the service's public key, used to encrypt to the service). Ensure that the recipient alias matches the key defined in the web service policy's security configuration.

    For more information, see "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  5. Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the web service.

    For more information, see "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  6. Provide valid username whose identity needs to be propagated using SAML token in the client configuration.

    For more information, see "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  7. Invoke the web service method.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

4.12.2 Interoperability with a WebLogic Web Service Client Policy - SAML Token with Message Protection (WS-Security 1.0)

Follow these procedures to implement SAML token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.12.2.1 Attaching and Configuring OWSM Policy-SAML Token With Message Protection(WS-Security 1.0)

Follow these steps to attach and configure the OWSM Policy:

  1. Create a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    • oracle/wss10_saml_token_with_message_protection_service_policy.

      For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.12.2.2 Attaching and Configuring WebLogic Web Service Client Policy-SAML Token With Message Protection(WS-Security 1.0)

Follow these steps to attach and configure the WebLogic Web Service Client Policy:

  1. Create a client proxy for the web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Attach the following policies:

    • Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    • Wssp1.2-2007-SignBody.xml

    • Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure the client for server (encryption key) and client certificates.

    Note:

    Ensure that the encryption key specified is in accordance with the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Secure the Web application client using BASIC Authentication.

    For more information, see "Developing BASIC Authentication Web Applications" in Developing Applications with the WebLogic Security Service

  5. Deploy the web service client.

    For more information, see "Deploying Web Services Applications" in Administering Web Services

  6. Configure a SAML credential mapping provider.

    • In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

      For more information, see "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help

  7. Select the SAMLCredentialMapperV2, click on Provider Specific, and configure it as follows:

    1. Set Issuer URI to www.oracle.com.

    2. Set Name Qualifier to www.oracle.com.

  8. Restart WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help.

  9. Create a SAML relying party. Set the profile to WSS/Sender-Vouches.

    For more information, see "Create a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help

  10. Configure the SAML relying party.

    Note:

    Ensure the target URL is set to the URL of the web service that the client invokes.

    For more information, see "Configure a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help

  11. Invoke the Web application client and enter the appropriate credentials.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server

4.13 Mutual Authentication with Message Protection (WS-Security 1.0) for Oracle WebLogic Server

The Mutual Authentication with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM and Oracle WebLogic Server 12c web service security environments.

4.13.1 Interoperability with a WebLogic Web Service Policy-Mutual Authentication (WS-Security 1.0)

Follow these procedures to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.13.1.1 Attaching and Configuring WebLogic Web Service Policy-Mutual Authentication (WS-Security 1.0)

Follow these steps to attach and configure the WebLogic Web Service Policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Attach the following policies:

    1. Wssp1.2-wss10_x509_token_with_message_protection_owsm_policy.xml

    2. Wssp1.2-2007-SignBody.xml

    3. Wssp1.2-2007-EncryptBody.xml

      For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help

  4. Configure message-level security.

    For more information, see

  5. Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as described below.

  6. Create a token handler for the username token and configure the following:

    1. Name: <name>

    2. Class name:

      weblogic.xml.crypto.wss.UsernameTokenHandler
    3. Token Type: ut

    4. Handling Order: 1

  7. Create a token handler for the X.509 token and configure the following:

    1. Name: <name>

    2. Class name:

      weblogic.xml.crypto.wss.BinarySecurityTokenHandler
    3. Token Type: x509

    4. Handling Order: 0

  8. For the X.509 token handler, add the following property so that the certificate in the token is used as the caller's identity:

    1. Name: UseX509ForIdentity

    2. Value: true

    3. IsEncrypted: False

  9. Configure a credential mapping provider. Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

    1. Keystore Provider: N/A

    2. Keystore Type: jks

    3. Keystore File Name: default_keystore.jks

    4. Keystore Pass Phrase: <password>

    5. Confirm Keystore Pass Phrase: <password>

  10. Select the Authentication tab and configure authentication as follows:

    1. Click DefaultIdentityAsserter and add X.509 to Chosen active types

    2. Click Provider Specific and configure the following:

      Default User Name Mapper Attribute Type: CN

      Active Types: X.509

      Use Default User Name Mapper: True

      For more information, see "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help.

  11. If the users are not added, add the Common Name (CN) user specified in the certificate.

    For more information, see "Create users" in Oracle WebLogic Server Administration Console Online Help

  12. Restart Oracle WebLogic Server.

  13. Deploy the web service.

    For more information, see "Install a Web Service" in Oracle WebLogic Server Administration Console Online Help

4.13.1.2 Attaching and Configuring OWSM Client Policy-Mutual Authentication (WS-Security 1.0)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Create a client proxy to the web service created earlier using clientgen or some other mechanism.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the client:

    oracle/wss10_x509_token_with_message_protection_client_policy

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  3. Provide the configuration for the server (encryption key) in the client.

    Note:

    Ensure that the encryption key specified in the client (the service's certificate) corresponds to the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Invoke the web service method from the client.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

4.13.2 Interoperability with a WebLogic Web Service Client Policy-Mutual Authentication (WS-Security 1.0)

Follow these procedures to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.13.2.1 Attaching and Configuring OWSM Policy-Mutual Authentication (WS-Security 1.0)

Follow these steps to attach and configure the OWSM Policy:

  1. Create and deploy a web service application.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    oracle/wss10_x509_token_with_message_protection_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.13.2.2 Attaching and Configuring WebLogic Web Service Client Policy-Mutual Authentication (WS-Security 1.0)

Follow these steps to attach and configure the WebLogic Web Service Client Policy:

  1. Create a client proxy for the web service created earlier using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Attach the following policies:

  3. Provide the configuration for the server (encryption key) in the client.

    Note:

    Ensure that the encryption key specified in the client (the service's certificate) corresponds to the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Invoke the web service method from the client.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server

4.14 Mutual Authentication with Message Protection (WS-Security 1.1) for Oracle WebLogic Server

The Mutual Authentication with Message Protection identity token conforms to the WS-Security 1.1 standard. This identity token is implemented to achieve the interoperability between OWSM and Oracle WebLogic Server 12c web service security environments.

4.14.1 Interoperability with a WebLogic Web Service Policy-Mutual Authentication (WS-Security 1.1)

Follow these procedures to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic web service policy and the OWSM client policy.

4.14.1.1 Attaching and Configuring WebLogic Web Service Policy-Mutual Authentication (WS-Security 1.1)

Follow these steps to attach and configure the WebLogic Web Service Policy:

  1. Create a WebLogic web service.

    For more information, see "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services

  2. Attach the following policies:

  3. Configure identity and trust stores.

    For more information, see "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help

  4. Configure message-level security.

    For more information, see

  5. Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as described below.

  6. Create a token handler for the username token and configure the following:

    • Name: <name>

    • Class name: weblogic.xml.crypto.wss.UsernameTokenHandler

    • Token Type: ut

    • Handling Order: 1

    Create a token handler for the X.509 token and configure the following:

    • Name: <name>

    • Class name: weblogic.xml.crypto.wss.BinarySecurityTokenHandler

    • Token Type: x509

    • Handling Order: 0

    For the X.509 token handler, add the following property so that the certificate in the token is used as the caller's identity:

    • Name: UseX509ForIdentity

    • Value: true

    • IsEncrypted: False

  7. Configure a credential mapping provider: create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

    • Keystore Provider: N/A

    • Keystore Type: jks

    • Keystore File Name: default_keystore.jks

    • Keystore Pass Phrase: <password>

    • Confirm Keystore Pass Phrase: <password>

      For more information, see "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help

  8. Select the Authentication tab and configure authentication as follows:

    • Click DefaultIdentityAsserter and add X.509 to Chosen active types

    • Click Provider Specific and configure the following:

    • Default User Name Mapper Attribute Type: CN

    • Active Types: X.509

    • Use Default User Name Mapper: True

  9. If the users are not added, add the Common Name (CN) user specified in the certificate.

    For more information, see "Create users" in Oracle WebLogic Server Administration Console Online Help

  10. Restart Oracle WebLogic Server.

  11. Deploy the web service.

    For more information, see "Install a Web Service" in Oracle WebLogic Server Administration Console Online Help

4.14.1.2 Attaching and Configuring OWSM Client Policy-Mutual Authentication (WS-Security 1.1)

Follow these steps to attach and configure the OWSM Client Policy:

  1. Create a client proxy for the web service created earlier using clientgen or some other mechanism.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the client:

    oracle/wss11_x509_token_with_message_protection_client_policy

  3. Edit the policy so that both the signing and the encryption key references use the thumbprint mechanism, which the WebLogic WS-Security 1.1 policies use to locate certificates:

    <orasp:x509-token 
      orasp:sign-key-ref-mech="thumbprint"
      orasp:enc-key-ref-mech="thumbprint"/>

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

  4. Provide the configuration for the server (encryption key) in the client.

    Note:

    Ensure that the encryption key specified in the client (the service's certificate) corresponds to the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server.

  5. Invoke the web service method from the client.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services
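The checks behind the preceding procedures, as an added example that is not Oracle, WebLogic or OWSM code, written in Go against the standard library only: it generates throwaway self-signed certificates in place of keystore entries, computes the SHA-1 thumbprint that a thumbprint key reference carries (step 3 above), derives the user name that the DefaultIdentityAsserter with a CN user name mapper asserts (steps 10 and 11 of 4.13.1.1, steps 8 and 9 of 4.14.1.1), and confirms that the certificate a client is configured to encrypt to is the public half of the service's decryption key (the Note under the client steps in 4.13 and 4.14). The function names, the sample Common Names and the in-memory user list are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity models one party's configured key material: the certificate the
// peer references and the private key the owner decrypts and signs with.
type Identity struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// NewSelfSigned builds a throwaway self-signed certificate for the given
// Common Name. It stands in for a keystore entry; no keystore is read.
func NewSelfSigned(cn string) (Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Identity{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Identity{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Identity{}, err
	}
	return Identity{Cert: cert, Key: key}, nil
}

// ThumbprintSHA1 returns the value a WS-Security 1.1 ThumbprintSHA1
// KeyIdentifier carries: base64 of the SHA-1 digest of the DER certificate.
// This is what the service resolves against its keystore when the client
// policy uses orasp:sign-key-ref-mech="thumbprint".
func ThumbprintSHA1(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// MappedUser mirrors "Default User Name Mapper Attribute Type: CN":
// the certificate's Subject CN becomes the asserted WebLogic user name.
func MappedUser(cert *x509.Certificate) string {
	return cert.Subject.CommonName
}

// CheckRecipientKey enforces the Note from the client steps: the certificate
// the client encrypts to must be the public half of the service's decryption key.
func CheckRecipientKey(clientEncCert *x509.Certificate, service Identity) error {
	pub, ok := clientEncCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("recipient certificate does not carry an RSA key")
	}
	if !pub.Equal(&service.Key.PublicKey) {
		return errors.New("client encryption certificate does not match the service decryption key")
	}
	return nil
}

// CheckIdentityAssertion mirrors the "add the CN user" step: the asserted
// CN must exist as a user in the realm, otherwise authentication fails.
func CheckIdentityAssertion(clientCert *x509.Certificate, realmUsers map[string]bool) error {
	user := MappedUser(clientCert)
	if user == "" {
		return errors.New("client certificate has no Subject CN to map")
	}
	if !realmUsers[user] {
		return fmt.Errorf("no WebLogic user named %q; create it or change the user name mapper", user)
	}
	return nil
}

func main() {
	service, _ := NewSelfSigned("wls-service") // assumed service keystore entry
	client, _ := NewSelfSigned("weblogic")     // assumed client keystore entry
	realm := map[string]bool{"weblogic": true} // assumed realm user list

	fmt.Println("client thumbprint:", ThumbprintSHA1(client.Cert))
	fmt.Println("asserted user:    ", MappedUser(client.Cert))
	fmt.Println("recipient key ok: ", CheckRecipientKey(service.Cert, service))
	fmt.Println("identity ok:      ", CheckIdentityAssertion(client.Cert, realm))
	// Wrong recipient alias: the client was given its own certificate instead of the service's.
	fmt.Println("wrong recipient:  ", CheckRecipientKey(client.Cert, service))
}
```

Run it before deploying: the thumbprint printed for the client certificate is the reference the service must be able to resolve, the asserted user is the account that must exist in the realm, and the last line shows how a wrong recipient alias is reported instead of surfacing later as a decryption failure on the service.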

4.14.2 Interoperability with a WebLogic Web Service Client Policy-Mutual Authentication (WS-Security 1.1)

Follow these procedures to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the OWSM web service policy and the WebLogic web service client policy.

4.14.2.1 Attaching and Configuring OWSM Policy-Mutual Authentication (WS-Security 1.1)

Follow these steps to attach and configure the OWSM Policy:

  1. Create and deploy a web service.

    For more information, see "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services

  2. Attach the following policy to the web service:

    oracle/wss11_x509_token_with_message_protection_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager

4.14.2.2 Attaching and Configuring WebLogic Web Service Client Policy-Mutual Authentication (WS-Security 1.1)

Follow these steps to attach and configure the WebLogic Web Service Client Policy:

  1. Create a client proxy for the web service created earlier using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server

  2. Attach the following policies:

  3. Provide the configuration for the server (encryption key) in the client.

    Note:

    Ensure that the encryption key specified in the client (the service's certificate) corresponds to the decryption key configured for the web service.

    For more information, see "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server

  4. Invoke the web service method from the client.

    For more information, see "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server