6 Managing Web Service Policies with Fusion Middleware Control

For information about web services policies and how Oracle Web Services Manager (OWSM) uses policies to manage Quality of Service (QoS) for web services, see Overview of OWSM Policy Framework in Understanding Oracle Web Services Manager. The following sections describe managing web service policies with Fusion Middleware Control:

6.1 Overview of Web Services Policy Management

In the 12c release, the predefined documents delivered with OWSM, including policies and assertion templates, are read-only. If this is a new installation, then all of the documents that are installed with OWSM will be read-only. To modify a predefined policy or assertion template, you will need to clone it and then make the desired modifications to the cloned version.

If you are installing into an existing OWSM environment, or if you are upgrading from an older release, any predefined documents that have not been customized for your environment are replaced with read-only versions, and new predefined read-only documents are added. Note, however, that any existing predefined documents that you have customized and any user-created custom policies in the repository are not overwritten.

Note:

To ensure that you always get all of the latest policies, Oracle recommends that you clone any predefined documents that you have modified and migrate any policy attachments. For details, see "Upgrading the OWSM Repository".

6.2 Managing Web Service Policies

From the Managing Web Service Policies page you can search for specific policies or types of policies, view policies, create new policies, edit custom policies, delete custom policies, and import and export custom policies to or from the OWSM repository.

6.2.1 Navigating to the WSM Policies Page

Use the WSM Policies page to manage the web service policies. From this page you can search for specific policies or types of policies, view policies, create new policies, edit custom policies, delete custom policies, and import and export policies to or from the OWSM repository.

6.2.2 Searching for Policies in the WSM Policies Page

Use the WSM Policies page to search for policies using the advanced search feature, the Query by Example filter, or a combination of the two to refine the search.

Details of searching for policies are provided in the following sections:

6.2.2.1 Using Advanced Search

In the WSM Policies page, you can reduce the number of policies that are returned by specifying the appropriate search criteria. To do so, perform the following steps:

  1. In the Search pane, specify the criteria to use in the search:
    • In the Name field, enter a policy name or part of a policy name and select the operator to use to refine the search. Available operators are Starts with, Ends with, Equals, and Contains. For example, to search for message protection policies only, select the Contains operator, and enter message in the Name field.

      You can use percent % as a wildcard, any place in the name. Asterisk * is not recognized as a wildcard and is treated as plain text. Searches are case-insensitive.

    • In the Category field, select the desired category.

    Alternatively, you can select one of the previously saved searches from the Saved Search drop-down menu. The search parameters automatically populate the search fields. If the Run automatically option is specified for the saved search, it runs automatically and the results are displayed in the Policies table.

  2. Optionally, refine the search using the Query By Example filter, as described in "Using the Query by Example Filter". Note that when you combine the two search types, the data entered into the Query By Example fields is appended using the AND operator to the data specified in the Search fields.
  3. Click Search.

    The Policies table is refreshed to include only those policies that match the specified search criteria. For example, using the example specified above for message protection policies only, if you did not refine the search using Query by Example, all message protection policies are shown in the list. If you used Query by Example to refine the search for client policies only, the list displayed includes only message protection client policies.

  4. Optionally, click Save... to save the search criteria in the repository. Note that only the values specified in the Advanced Search fields are saved; the values specified in the Query By Example fields are not included in the saved searches.

    In the Create Saved Search window, enter a name for the search in the Name field. To use this saved search as the default selection for future searches, select Set as default. To execute the search automatically when it is selected, select Run automatically. Click OK.

    To modify previously saved searches, click Personalize... from the Saved Search drop-down menu. In the Personalize Saved Searches window, select the saved search from the drop-down menu, edit as required and click Apply. To delete a saved search click Delete. To duplicate a search, click Duplicate. Modify the duplicate as desired and click Apply. When you are finished editing all of the searches, click OK.

6.2.2.2 Using the Query by Example Filter

The Query by Example filter in the WSM Policies page allows you to query a specific field and filter the results displayed in the table quickly and easily.

  1. If the search fields are not displayed at the top of the Policies table, click the Query by Example icon. A search field is displayed above the Name, Category, and Status columns.
  2. Enter the search criteria in the field above the column in which you want to search. The value entered is interpreted as a "contains" expression. That is, the value is wrapped in %value%, and will fetch all results that contain the value specified for that column. For example, to search for client policies only, enter client in the search field above the Name column.
  3. If you are using the Query by Example filter separately (not in conjunction with the advanced search fields), press Enter.

    The list of policies displayed in the table is filtered to display only the results that match the search criteria. Using the example specified in the previous step, only client policies are displayed.

    Note:

    The Query by Example search fields can be used in conjunction with the advanced search fields to further refine the search results, as described in "Using Advanced Search". When used together, the data entered into the Query By Example fields is appended using the AND operator to the data specified in the Search fields. You must use the Search button to get the combined results.

    You need to manually clear the Query by Example search fields when you have completed the search.

6.2.3 Viewing the Details of a Web Service Policy

Use the WSM Policies page to view the details of a web service policy.

Predefined policies from Oracle are read-only and cannot be modified. These policies are displayed in read-only mode. User-created policies are not read-only, and can be edited as described in "Editing a Web Service Policy".

Perform the following steps to view the details of a web service policy:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".

    Optionally, refine the list of policies displayed using Search, as described in "Searching for Policies in the WSM Policies Page".

  2. Select the policy to be viewed from the list of policies and click Open. Alternatively, select Actions and then Open.

    Figure 6-2 displays the Policy Details page for the oracle/wss10_saml20_token_with_message_protection_service_policy.

    Figure 6-2 Policy Details Page with the General Tab Selected



    The Policy Details page contains two tabs:

    • The General tab (shown in Figure 6-2) displays information such as the policy name and display name, policy category, description, whether the policy is enabled, and the local optimization setting. The Attachment Attributes section provides details about the type of endpoints to which the policy can be attached, and the number of policy attachments. The Version Information section lists the version number of the policy, when it was last updated, and by whom. For user-created policies, you can also navigate to the Policy Version history page. For more information about policy versions, see "Versioning Web Service Policies".

    • The Assertions tab includes a table that lists all of the assertions contained in the policy. Select the assertion name in the table to view the assertion details. The content displayed varies depending on the assertion selected. Figure 6-3 displays the Assertions tab for the Wss10 SAML V2.0 Token With Message Protection Service Policy.

      Figure 6-3 Policy Details Page with the Assertion Tab Selected



6.2.4 Creating and Editing Web Service Policies

Use the WSM Policy Details page to create and edit web service policies.

6.2.4.1 Creating a New Web Service Policy

Use the following procedure to create a new policy using one or more assertion templates.

Perform the following steps to create a new web service policy:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page" and click Create. Alternatively, select Actions and then Create.

    The Policy Details page includes two tabs: General and Assertions. The General tab is displayed by default.

  2. On the General tab, optionally specify a unique name in the Display Name field to be used in the console to reference the policy. If you do not specify a display name, the policy name is used to reference the policy.
  3. Enter a policy name in the Name field.

    The policy name must include the directory in which the policy is located. For example, all predefined policies provided by Oracle are contained in the oracle/ directory, such as oracle/wss_http_token_service_policy.

    Note:

    Oracle recommends that you follow the policy naming conventions described in "Recommended Naming Conventions for Policies" in Understanding Oracle Web Services Manager.

    You cannot edit the name of a policy once the policy is created. To change the policy name, you will need to clone the policy and assign it a different name.

  4. Select the category to which the policy will belong from the Category drop-down menu.

    Note:

    You can create policies in the Security and Management categories only.

  5. Optionally, enter a brief description for the policy.
  6. Select the Enabled option to enable the policy, if desired. Note that a policy that is not enabled is not enforced at run time.
  7. Select the type of Local Optimization to be used for the policy from the drop-down menu. Available options are off, on, and check-identity. For more information about the local optimization feature, see "Using Local Optimization with OWSM Policies (SOA Composites)".
  8. In the Attachment Attributes section of the page, specify the type of policy subjects to which the policy can be attached. From the Applies To menu, choose one of the following options:
    • All—Specifies that the policy can be attached to any type of policy subject, including service endpoints, client endpoints, and SOA components.

    • SOA Components—Specifies that the policy can be attached to SOA components.

    • Service Bindings—Specifies that the policy can be attached to web service and client endpoints. When you choose this option, in the Service Category field select whether the policy can be attached to web service endpoints, web service clients, or both.

  9. Select the Assertions tab, and click Add to add assertions to your policy. For more information, see "Adding Assertions to a Policy".
  10. Optionally, add an OR group to the policy. Select the Add menu then select OR Group. Then click Add to add the desired assertions to the OR group.

    An OR group enables you to define multiple security subcategory options, only one of which can be executed. For example, a subset can contain both a SAML Token and a Username Token security/authentication subcategory assertion, so a web service application can use either one or the other, but not both.

    For more information, see "Adding an OR Group to a Policy".

  11. Configure the assertions as required by modifying the settings and configuration properties.
    • To edit the assertion settings, select the assertion and edit the settings in the Details section of the page.

    • To edit the configuration properties, click Configuration.

      The list of configuration properties defined for the assertion is displayed.

      Edit the configuration properties as described in "Editing the Configuration Properties in an Assertion Template" and click OK.

    • To enable or advertise the assertion, select the Enforced or Advertised options, respectively.

    For details about the settings and configuration properties for each assertion template, see Oracle Web Services Manager Predefined Assertion Templates.

  12. When you have finished adding assertions to the policy, select the assertions in the table and use the Move Up and Move Down buttons to set the order in the policy. Assertions are invoked in the order in which they appear in the list.
  13. Click Save to validate and save the policy.

    If the policy is invalid, it is disabled as a precaution. After you correct the validation issues, you will have to enable the policy. For more information on policy validation, see "Validating Web Service Policies".

6.2.4.2 Cloning a Web Service Policy

You can create a new policy by cloning an existing web service policy. For example, you can create a copy of one of the read-only predefined policies and edit it to suit your needs. You can also create a copy of a policy that you have created. Once the policy is created, you can treat it like any other user-created policy, adding or deleting assertions, and modifying existing assertions.

Perform the following steps to clone a web service policy:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".
  2. Optionally, refine the list of policies displayed using Search, as described in "Using Advanced Search".
  3. Select the policy to be cloned from the list of policies and click Create Like. Alternatively, select Actions and then Create Like.

    It is recommended that you change the name of this new policy to be more meaningful in your environment.

    Note:

    Oracle recommends that you follow the policy naming conventions described in "Recommended Naming Conventions for Policies" in Understanding Oracle Web Services Manager.

    You cannot edit the name of a policy once the policy is created. To change the policy name, you will need to clone the policy and assign it a different name.

  4. Modify the policy as required, including the assertions.

    For details about adding assertions to the policy, see "Adding Assertions to a Policy".

    For details about adding an OR group to the policy, see "Adding an OR Group to a Policy".

  5. Click Save to validate and save the policy.

    If the policy is invalid, it is disabled as a precaution. After you correct the validation issues, you will have to enable the policy. For more information on policy validation, see "Validating Web Service Policies".

6.2.4.3 Creating Custom Policies

You can create custom policies using custom assertions.

For more information and procedures about how to create both custom assertions and policies, see "Creating Custom Assertions" in Developing Extensible Applications for Oracle Web Services Manager.

6.2.4.4 Editing a Web Service Policy

You can edit a user-created policy as described in this topic.

Note:

The predefined policies that are provided with OWSM are read-only and cannot be edited. To edit a predefined policy you can clone it and then edit the cloned version.

The changes that you make to the policy take effect at the next polling interval for policy changes.

If you are using a database-based metadata repository, each time you save a change to your policy, a new version is created, and the older versions are retained. For more information about policy versioning, see "Versioning Web Service Policies".

Perform the following steps to edit a web service policy:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".

    Optionally, refine the list of policies displayed using Search, as described in "Using Advanced Search".

  2. Select the policy to be edited from the list of policies and click Open. Alternatively, select Actions and then Open.

    The Policy Details page is displayed. For predefined policies, this page is read-only. However, for user-created policies, you can edit the policy from this page. For more information about the Policy Details page, see "Viewing the Details of a Web Service Policy".

  3. Select the General tab and edit as follows:
    • Edit the display name and description, if desired. You cannot edit the policy name. To change the name of a policy, you will need to clone it and assign it a different name.

    • Edit the remaining fields on the tab as required, including enabling or disabling the policy, specifying local optimization, or modifying the type of policy subjects to which the policy can be attached.

  4. Select the Assertions tab and edit as follows:
    • Modify the assertion settings and configuration properties as required. To modify the assertion settings, select the assertion in the table and edit the settings as required in the Details section of the page. To edit the configuration properties, click Configuration and edit the properties as required in the Configuration table. To enable or advertise the assertion, select the Enforced or Advertised options, respectively.

    • Add assertions or OR groups as required, as described in "Adding Assertions to a Policy" and "Adding an OR Group to a Policy", respectively.

    • Delete assertions or OR groups as required. To do so, select the assertion or OR group in the table and click Delete.

    For details about the assertions in each predefined policy, see Oracle Web Services Manager Predefined Policies.

  5. Click Validate to validate the policy.
  6. Click Save to save the changes.

6.2.5 Using Local Optimization with OWSM Policies (SOA Composites)

OWSM supports an Oracle SOA Suite local optimization feature for composite-to-composite invocations in which the reference of one composite specifies a web service binding to a second composite running in the same container. Local optimization enables you to bypass the HTTP stack and SOAP/normalized message conversions during run time. If a policy is attached to the web service binding, the policy may not be invoked if local optimization is used.

For details about the SOA local optimization feature, see "Configuring Local Optimization" in Administering Oracle SOA Suite and Oracle Business Process Management Suite.

6.2.5.1 Viewing the Default Local Optimization Setting in OWSM Policies

By default, each of the OWSM predefined policies includes a local optimization property. The default setting for the Local Optimization property is displayed on the General tab of each policy. Procedures for viewing the details of a policy using Fusion Middleware Control, including the Local Optimization property setting, are described in "Viewing the Details of a Web Service Policy".

There are three possible settings for the Local Optimization property:

  • on — Local optimization is turned on in the policy and the policy is not applied at runtime.

  • off — Local optimization is turned off and the policy is applied at runtime. The request goes through the usual WS/SOAP/HTTP process.

  • check-identity — Local optimization is used only if a JAAS subject exists in the current thread, indicating that authentication has already succeeded. If the JAAS subject does not exist in the thread, the request goes through the usual WS/SOAP/HTTP process.

6.2.5.2 Controlling When Local Optimization is Used

There are two ways to control the local optimization feature, and they have different scopes:

  • At the composite level, by adding the oracle.webservices.local.optimization property in the binding section of the composite.xml file. The following values are supported:

    • true -- (Default value). Local optimization is used if the attached policy is configured to use it. For a description of the local optimization property settings, see "Viewing the Default Local Optimization Setting in OWSM Policies". If optimization is used, the policy is not applied.

    • false -- Local optimization is not used, regardless of how the local optimization property is configured in the policy. This setting forces the policy to be applied.

    The composite-level property is independent of the policy-level configuration. That is, if you want to turn off the optimization regardless of whether a policy is attached, set the composite-level property to false.

    For more information, see "Policy Attachments and Local Optimization in Composite-to-Composite Invocations" in Administering Oracle SOA Suite and Oracle Business Process Management Suite.

  • At the policy level, by configuring the local optimization property for a policy. The possible settings for the local optimization property are described in "Viewing the Default Local Optimization Setting in OWSM Policies". The policy-level property controls the optimization wherever the policy is used, unless it has been overridden by the composite-level property.

    Note:

    Predefined policies from Oracle are read-only and cannot be modified. If you clone a predefined policy, Oracle recommends that you do not change the local optimization setting. Doing so may prevent the policy from being invoked, resulting in unexpected behavior. If you create a new policy, however, you can set this property as required for your environment.

    If a policy is attached to a web service, the policy may not be invoked if local optimization is used. Therefore, for each new policy that you create, you need to decide whether you want to use local optimization.
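
The two scopes described above decide together whether an attached policy is actually applied. The following added example (not Oracle's code) audits a constructed composite.xml for bindings where a policy would be skipped. The XML layout of the property and policy references, the example/ policy names, and the POLICY_SETTINGS inventory are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "oracle.webservices.local.optimization"

# Constructed composite.xml: names, ports and policy URIs are made up.
# Assumed layout: the property and policy references are children of binding.ws.
SAMPLE_COMPOSITE = """\
<composite name="OrderComposite" xmlns="http://xmlns.oracle.com/sca/1.0"
           xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <reference name="CreditCheck">
    <binding.ws port="urn:example:credit#wsdl.endpoint(CreditSvc/CreditPort)">
      <wsp:PolicyReference URI="example/saml_client_policy"/>
    </binding.ws>
  </reference>
  <reference name="Inventory">
    <binding.ws port="urn:example:inv#wsdl.endpoint(InvSvc/InvPort)">
      <wsp:PolicyReference URI="example/username_client_policy"/>
    </binding.ws>
  </reference>
  <reference name="Billing">
    <binding.ws port="urn:example:bill#wsdl.endpoint(BillSvc/BillPort)">
      <wsp:PolicyReference URI="example/saml_client_policy"/>
      <property name="oracle.webservices.local.optimization">false</property>
    </binding.ws>
  </reference>
  <reference name="Shipping">
    <binding.ws port="urn:example:ship#wsdl.endpoint(ShipSvc/ShipPort)">
      <wsp:PolicyReference URI="example/msg_protection_client_policy"/>
      <property name="oracle.webservices.local.optimization">TRUE</property>
    </binding.ws>
  </reference>
  <reference name="Audit">
    <binding.ws port="urn:example:audit#wsdl.endpoint(AuditSvc/AuditPort)">
      <wsp:PolicyReference URI="example/not_in_inventory_policy"/>
    </binding.ws>
  </reference>
</composite>
"""

# Hypothetical inventory: Local Optimization value shown on each policy's General tab.
POLICY_SETTINGS = {
    "example/saml_client_policy": "on",
    "example/username_client_policy": "check-identity",
    "example/msg_protection_client_policy": "off",
}


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def composite_value(binding):
    """Composite-level property on a binding; 'true' is the documented default."""
    for child in binding:
        if local(child.tag) == "property" and child.get("name") == PROP:
            return (child.text or "").strip().lower()
    return "true"


def outcome(composite_val, policy_setting):
    """Combine both scopes using the rules stated in this section."""
    if composite_val == "false":
        return "enforced"          # composite-level false forces the policy to be applied
    if composite_val != "true":
        return "unknown"           # unrecognized property value: review by hand
    return {
        "off": "enforced",         # request takes the usual WS/SOAP/HTTP path
        "on": "bypassed",          # optimization used, policy not applied
        "check-identity": "conditional",  # bypassed only if a JAAS subject is in the thread
    }.get(policy_setting, "unknown")


def audit(xml_text, policy_settings):
    """Return one finding per policy attached to a binding.ws element."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        if local(parent.tag) not in ("service", "reference"):
            continue
        for binding in parent:
            if local(binding.tag) != "binding.ws":
                continue
            value = composite_value(binding)
            for ref in binding:
                if local(ref.tag) != "PolicyReference":
                    continue
                uri = ref.get("URI")
                setting = policy_settings.get(uri)
                findings.append({"binding": parent.get("name"), "policy": uri,
                                 "composite": value, "policy_setting": setting,
                                 "outcome": outcome(value, setting)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_COMPOSITE, POLICY_SETTINGS):
        if f["outcome"] != "enforced":
            print(f"{f['binding']}: {f['policy']} -> {f['outcome']} "
                  f"(composite={f['composite']}, policy={f['policy_setting']})")
```

Bindings reported as bypassed, conditional, or unknown are the ones to review before relying on the attached policy for composite-to-composite calls.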

6.2.6 Generating Client Policies from a WSDL

After you have configured a web service, you can use the web service WSDL to generate compatible client policies with the parameters required to call that service. Note that only assertions that are advertised in a policy can be used to generate equivalent client assertions in the client policy.

Note:

You must use the Oracle WSDL instead of the standard WSDL to generate the client policy. The URL for the web service must be appended with ?orawsdl, instead of ?wsdl. Generating the policy increases the likelihood that the client policy will work with the service policy.

When you generate a client policy, it is populated with the client assertion that is the matching pair to the advertised service assertion. For example, if the service policy in the WSDL contained the oracle/wss_http_token_service_template, then the generated client policy is populated with its counterpart, oracle/wss_http_token_client_template.

Before editing the policy, you must first save it. After you have made the desired changes to the policy, you can access it from the WSM Policies page.

You can also delete any generated policies that you do not need. For example, you may want to delete duplicates of already existing MTOM or Reliable Messaging policies.

Perform the following steps to create a web service client policy:

  1. Determine the WSDL for the web service for which you want to generate a web service client policy.
  2. In the Oracle WSDL URL field, enter the URL to the web service WSDL using the following format: Web_service_endpoint?orawsdl, where Web_service_endpoint is the URL to the web service, for example http://my-host:port/jaxwsejb/Calculator?orawsdl.

    Note:

    You must use ?orawsdl, instead of ?wsdl, to get the WSDL that is used to generate the corresponding client policy.

    The service policy information in the Oracle WSDL published for the web service is used as the basis for generating the initial client policies.

  3. If HTTP authentication is required, select Authentication and provide the username and password in the appropriate fields.
  4. Click Fetch.
  5. Select the service and port from the drop-down lists.

    The service and port combination define the endpoint to which the policies can be attached in the orawsdl.

  6. Click Generate Policies.

    The client policies corresponding to the service policy specified in the WSDL for the service and port are listed in the Generated Policy Results table as shown in Figure 6-4.

    Figure 6-4 Generate Client Policies from WSDL



  7. Optionally, select the policy and display name in the Generated Policy Results table and edit as desired.
  8. Click Add Policies.

    The Generate Client Policies page is displayed.

    The generated policies are listed in the table and their status is indicated as Not Saved.

  9. Click Save All to save all the policies, or select individual policies and click Save.

    Note:

    You must save the policies before you can edit them.

  10. To edit a policy, select the policy in the table and click Open.
  11. In the Policy Details page, edit the policy as necessary.
  12. Click Apply to save the changes to your policy.
  13. You are returned to the Generated Client Policies page. Edit and save the other policies as needed.

Once the policy is saved, you can navigate to the WSM Policies page and find the policy in the list of policies.

6.2.7 Adding Assertions to a Policy

You can add assertions to a user-created policy during policy creation or editing. You cannot add assertions to the predefined policies provided with OWSM. The predefined policies are read-only and cannot be modified.

Each policy can contain only one assertion for each of the following categories: MTOM Attachments and Reliable Messaging. The policy can contain any number of assertions belonging to the Security category; however, the combination of assertions must be valid. For more information on valid assertions, see "Validating Web Service Policies".

Perform the following steps to add an assertion to a policy:

  1. Navigate to the Policy Details page for the policy to which you want to add assertions.
  2. Select the Assertions tab.
  3. Click Add or select Assertion from the Add menu.

    The Add Assertion page is displayed. The assertions available for that policy are displayed in the Search Results table, organized by Template Name. Optionally, use the View menu to display the Display Name column, or to change the order of the columns.

  4. Select an assertion from the table, or provide search parameters in the Name and Category fields and click Search. The results that match the search criteria are displayed in the Search Results table. In the Search Results table, select the assertion or assertions to be added to the policy and click Add Selected. To add all the listed assertions to the policy, click Add All.

    The selected assertions are displayed in the Selected Assertion Templates table. The assertions are displayed using the Template Name. Optionally, use the View menu to display the Template Display Name column, or to change the order of the columns.

  5. In the Selected Assertion Templates table, optionally edit the names for the added assertions in the Assertion Name field.
  6. Review the selections in the Selected Assertion Templates table. To remove one or more assertions from this table, click Remove Selected or Remove All. When you have confirmed the assertion selection, click Add Assertion.

    The added assertions are listed in a table in the Assertion tab.

    For details about the OWSM assertion templates, see Oracle Web Services Manager Predefined Assertion Templates.

  7. To configure the assertion, select the assertion and edit the settings as required in the Details section of the page.
  8. To enable or advertise the assertion, select the Enforced or Advertised options, respectively.
  9. To edit the configuration properties, click Configuration.

    The list of configuration properties defined for the assertion is displayed.

  10. Edit the Configuration properties and click OK.

    For details about the configuration properties for each assertion template, see Oracle Web Services Manager Predefined Assertion Templates.

    Note that you can edit only the Value and Description fields. The Name, Type, and Default Value property settings defined in the assertion template cannot be changed, and are displayed as read only. For details about these properties, see "Editing the Configuration Properties in an Assertion Template".

  11. When you have finished adding assertions to the policy, select the assertions in the table and use the Move Up and Move Down buttons to set the order in the policy. Assertions are invoked in the order in which they appear in the list.
  12. When you are done, click Save to save the policy.

6.2.8 Adding an OR Group to a Policy

You can create an OR group, consisting of one or more assertions, enabling a single policy to accept multiple types of security tokens. A client can enforce any one of the policies that are defined in the OR group.

For more information, see "Defining Multiple Policy Alternatives (OR Groups)" in Understanding Oracle Web Services Manager.

You can add only one OR group to a policy. Once you have added an OR Group, the OR Group option is greyed out.

You add an OR group from the Policy Details page.

Perform the following steps to add an OR group to a policy:

  1. Navigate to the Policy Details page for the policy to which you want to add the OR group.
  2. Select the Assertions tab.
  3. Select OR Group from the Add menu.

    An OR Group row is added to the assertions table.

  4. Select Assertion to OR Group from the Add menu. Notice that the OR Group is now greyed out on the menu, so you cannot add any additional OR groups.

    Note:

    If you click Add or select Assertion from the Add menu, the assertion will be added outside the OR group.

    The Add Assertion search page is displayed.

  5. Select one or more assertions from the Search Results table, or provide search parameters in the Name and Category fields and click Search. The results that match the search criteria are displayed in the Search Results table.

    For details about the OWSM assertion templates, see Oracle Web Services Manager Predefined Assertion Templates.

  6. In the Search Results table, select the assertion or assertions to be added to the OR Group and click Add Selected. The selected assertions are displayed in the Selected Assertion Templates table.
  7. In the Selected Assertion Templates table, optionally provide display names for the added assertions in the Assertion Name field.
  8. Review the selections in the Selected Assertion Template table. To remove one or more assertions from this table, click Remove Selected or Remove All. When you have confirmed the assertion selection, click Add Assertion.

    The added assertions are listed under the OR Group in the list of assertions in the Assertion tab.

    Note:

    The values for the WS-Policy attributes attachTo and category limit the assertions that are valid within the current policy. All assertions within an OR group must be compatible with the attachTo and category attribute values in order to be considered. For more information about WS-Policy attributes, see "wsp:Policy Element".

  9. To add additional assertions to the OR group, repeat steps 4 through 8.
  10. Configure the assertions as required by modifying the settings and configuration properties.
    • To edit the assertion settings, select the assertion and edit the settings in the Details section of the page.

    • To edit the configuration properties, click Configuration.

      The list of configuration properties defined for the assertion is displayed.

      Edit the configuration properties as described in "Editing the Configuration Properties in an Assertion Template" and click OK.

    • To enable or advertise the assertion, select the Enforced or Advertised options, respectively.

    For details about the settings and configuration properties for each assertion template, see Oracle Web Services Manager Predefined Assertion Templates.

  11. When you have finished adding assertions to the OR group, select the assertions and use Move Up and Move Down to order them as needed. Assertions are considered for invocation in the order that they appear on the list.
  12. To delete an assertion from the OR group, select the assertion and click Delete. To delete the entire OR group, select the OR group and click Delete.
  13. When you are done, click Save to save the policy.

6.2.9 Importing Web Service Policies

Follow the procedure in this section to import one or more user-created policies into the OWSM repository. Once the policies are imported, you can attach them to web services and make changes to them.

For more information on importing web service policies, see "Understanding the Different Mechanisms for Importing and Exporting Policies".

Note:

The policy name you import must not already exist in the repository.

Be aware that "policy name" and "file name" are different. The policy name is specified by the name attribute of the policy content; the file name is the name of the policy file. You might find it convenient for the two names to match, but it is not required.

You cannot prefix the name of a policy with oracle_. If you do, you will receive exceptions when you try to use the policy.

Perform the following steps to import one or more web service policies:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".
  2. Click Import.

    You are prompted to provide the name of a zip archive file containing the policies to be imported.

    Note:

    The policies to be imported must use the following directory structure in the zip archive:

    META-INF/policies/policyname

    Within this directory structure, policyname includes the directory in which the policy is located.

    In 11g, policies were exported as XML files. If you are importing a policy that you exported from an 11g domain, you must add the file to a zip archive using the directory structure specified above.

  3. In the Import window, enter the path and file name for the zip archive file in the File Upload field, or click Browse to navigate to the directory where the policies archive file is located, then select the zip archive file to be imported.
  4. Click Import.

    If an error is encountered with one of the policies, the import process stops. For example, if there are five policies to be imported and an error is encountered in the third one, the first two will be imported but the remaining policies will not.

    An information window is displayed listing the policies that were imported. Click OK to close the window.

    The imported policies are added to the list of policies in the WSM Policies page.

6.2.10 Exporting Web Service Policies

You may want to export a policy to copy it from a development environment to a production environment, or to simply view the policy in another tool or application.

You can export web service policies that you have created as described in "Creating and Editing Web Service Policies". Predefined policies cannot be exported because the same read-only version of the policy will exist in the target environment. Once the policy is exported, you can import it to another repository, attach it to web services, make changes to it, and so forth.

For more information about exporting web service policies, see "Understanding the Different Mechanisms for Importing and Exporting Policies".

Use the following procedure to export a policy from the OWSM repository:

  1. Navigate to the WSM Policies page, as described in "Navigating to the WSM Policies Page".
  2. Optionally, refine the list of policies displayed using Search, as described in "Searching for Policies in the WSM Policies Page".
  3. Select the policy or policies to be exported from the list of policies and click Export.

    The policies are added to a zip archive file named policyexport.zip by default.

  4. Specify a file name for the archive file, if desired, then select a location in your local directory to which you want to save the zip file and click Save.

    The directory structure for each policy is maintained in the archive file using the following structure:

    META-INF/policies/policyname

    Within this directory structure, policyname includes the directory in which the policy is located.

6.2.11 Versioning Web Service Policies

Whenever a change to a user-created policy is saved, a new version of the policy is automatically created and the version number is incremented. The Policy Manager maintains the history of these changes, enabling you to go back to an earlier version.

Note:

Version control does not apply to the Oracle predefined policies because they are read only and cannot be modified.

Policy versioning requires that you use a database-based OWSM Repository. If you are using a file-based repository, versioning information is not maintained or displayed.

Recreating a document (either by importing an existing document or by creating a new document) with a name that already exists in the repository increments the version number.

For example, you might find it useful to create two different versions of a policy, perhaps one with logging and one without, and alternate between them. As another example, you might have an occasional need to use a policy such as oracle/binding_authorization_denyall_policy with selected roles to temporarily lock down access to a web service.

By using the versioning feature, you can reuse multiple versions of a policy without having to recreate them every time you need them.

You can also delete any version of the policy, except the active policy, from the Policy Version history table by selecting the policy and clicking Delete.

You cannot edit the policy from the Policy Version history page. You must edit a policy from the Policy Details page.

The following sections describe versioning in more detail:

6.2.11.1 Viewing the Version History of a Web Service Policy

You can view the version history for a web service policy from the Policy Version history page, which you can access from the Policy Details page.

Perform the following steps to view the version history for a policy:

  1. Navigate to the Policy Details page for the policy as described in "Viewing the Details of a Web Service Policy".
  2. Select the General tab for the policy, if it is not already selected.
  3. In the Version Information section of the page, click Versioning History.

    The Policy Version history page is displayed, as shown in Figure 6-5. The policy versions appear in order in the version history table at the top of the page. The currently active policy has the highest version number, and is the only policy that can be attached to a policy subject. However, you can make an earlier version of a policy the active version.

    Figure 6-5 Policy Version History Page



6.2.11.2 Changing the Current Version of a Policy

Use this procedure to change the current version of the policy:

  1. In the Version Information section of the policy detail page, click Versioning History to display the Policy Version history page.
  2. In the policy version table, select the version to be made current and click Make Current.

    The selected policy version becomes the current active policy and the current version number is incremented by 1. The earlier version of the policy is retained.

6.2.11.3 Deleting Versions of a Web Service Policy

Use the following procedure to delete earlier versions of a policy. You can delete all versions except the active policy version. To delete all versions of the policy, including the active version, see "Deleting a Web Service Policy".

Perform the following steps to delete one or more versions of a web service policy:

  1. In the Version Information section of the policy detail page, click Versioning History to display the Policy Version history page.
  2. In the policy version table, select the version or versions to be deleted and click Delete.
  3. In the Confirm Policy Version Deletion box, click OK.

    The selected policy version or versions are deleted from the OWSM Repository and the Policy History table.

6.2.11.4 Exporting a Version of a Policy

Use the following procedure to export a version of the policy:

  1. In the Version Information section of the policy detail page, click Versioning History to display the Policy Version history page.
  2. In the policy version table, select the version to be exported and click Export.

    You are prompted to open or save the file.

  3. Select Save File and click OK.
  4. Navigate to the local directory to which you want to save the file and update the filename as desired.
  5. Click Save.

6.2.12 Deleting a Web Service Policy

Before you delete a policy, Oracle recommends that you verify that the policy is not attached to any policy subjects. If you try to delete a policy that is attached to a subject, you will receive a warning. You will not be prevented from deleting an attached policy. However, the web service request will fail the next time the subject to which the policy is attached is invoked.

Note:

Only user-created policies can be deleted. The predefined policies delivered with OWSM are read only and cannot be edited or deleted.

When you delete a policy, the active policy and all previous versions of the policy are deleted. To retain the active policy version and delete only the previous versions of the policy, see "Deleting Versions of a Web Service Policy".

Perform the following steps to delete a user-created web service policy:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".

    Optionally, refine the list of policies displayed using Search, as described in "Using Advanced Search".

  2. From the WSM Policies page, select the policy to be deleted from the list of policies and click Delete. Alternatively, select Actions and then Delete.
  3. A dialog box appears asking you to confirm the deletion. Click Delete.

6.3 Validating Web Service Policies

There are restrictions on the type and number of policy assertions that are permitted in a web service policy. A policy can contain only assertions that belong to a single category. Therefore, you cannot combine a Security assertion with an MTOM assertion in the same policy. The policy type is determined by the category of the assertion. Therefore, a policy containing a security assertion is a security policy, a policy containing a management assertion is a management policy, and so on. Security assertions are further categorized into subcategories: authentication, logging, message protection (msg-protection), and authorization.

The restrictions are as follows:

  • MTOM and Reliable Messaging policies can contain only one assertion.

  • A security policy can contain multiple security assertions; however, there can be only one assertion from the following subcategories in a policy: encryption, signing, and authentication.

  • Some assertions contain both authentication and message protection. For example, if you view the oracle/wss11_username_token_with_message_protection_service_policy, you will see that the second assertion falls into two categories: security/authentication and security/msg-protection, as shown in Figure 6-6.

    Figure 6-6 Security Assertion with Two Subcategories



  • A security policy can contain any number of security_log_template assertions. For example, if you view any of the predefined security policies, you will see two logging assertions included.

Oracle recommends that you create one policy for authentication and message protection, and a second policy for authorization. If you create a policy that contains both an authentication and an authorization assertion, then the authentication assertion must precede the authorization assertion.

When you create a new policy or edit a user-created policy, the validation process checks to see that your policies meet these requirements. If the validation fails during policy creation, the policy is created but is marked as disabled.

Perform the following steps to validate a policy:

  1. On the Policy Details page of the policy being viewed or edited, click Validate.

    If the validation is successful, the Policy is Valid message appears.

    If the validation is not successful, the resulting error message describes the problem. Make the necessary corrections, then revalidate the policy.

  2. Once the policy validates successfully, click Save to save the policy.
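The restrictions in this section can be expressed as a small checker, shown here as an added example over a simplified in-memory model; it is not OWSM's validator. The category labels, the template names, and the reading of "only one assertion" as at most one per listed subcategory are assumptions.

```python
from collections import Counter, namedtuple

# Simplified model of one assertion in a policy (hypothetical, for illustration).
# subcategories is a set because one assertion can fall into two subcategories,
# as Figure 6-6 shows for authentication and msg-protection.
Assertion = namedtuple("Assertion", "template category subcategories")

SINGLE_ASSERTION_CATEGORIES = {"mtom", "reliable-messaging"}  # model labels
ONE_PER_POLICY = ("encryption", "signing", "authentication")  # as listed above


def validate_policy(assertions):
    """Return a list of rule violations; an empty list means the model passes."""
    problems = []

    # Rule: a policy holds assertions from a single category only.
    categories = {a.category for a in assertions}
    if len(categories) > 1:
        problems.append("mixed categories: " + ", ".join(sorted(categories)))

    # Rule: MTOM and Reliable Messaging policies hold only one assertion.
    for category in sorted(categories & SINGLE_ASSERTION_CATEGORIES):
        count = sum(1 for a in assertions if a.category == category)
        if count > 1:
            problems.append(
                "%s policy has %d assertions, only one allowed" % (category, count))

    # Rule: at most one assertion per limited security subcategory. An
    # assertion with two subcategories counts once toward each of them.
    # Logging assertions are not limited.
    security = [a for a in assertions if a.category == "security"]
    counts = Counter(sub for a in security for sub in a.subcategories)
    for sub in ONE_PER_POLICY:
        if counts[sub] > 1:
            problems.append("%d %s assertions, only one allowed" % (counts[sub], sub))

    # Rule: authentication must precede authorization in the assertion list.
    authn = [i for i, a in enumerate(security) if "authentication" in a.subcategories]
    authz = [i for i, a in enumerate(security) if "authorization" in a.subcategories]
    if authn and authz and min(authz) < min(authn):
        problems.append("authorization assertion precedes authentication")
    return problems


# Constructed samples; the template names are placeholders, not OWSM templates.
LOG = Assertion("example/log_template", "security", frozenset({"logging"}))
TOKEN = Assertion("example/token_template", "security",
                  frozenset({"authentication"}))
TOKEN_MP = Assertion("example/token_with_protection_template", "security",
                     frozenset({"authentication", "msg-protection"}))
AUTHZ = Assertion("example/authorization_template", "security",
                  frozenset({"authorization"}))
MTOM = Assertion("example/mtom_template", "mtom", frozenset())

if __name__ == "__main__":
    for label, policy in [("log + token/protection + log", [LOG, TOKEN_MP, LOG]),
                          ("two authentication assertions", [TOKEN, TOKEN_MP]),
                          ("authorization first", [AUTHZ, TOKEN]),
                          ("security mixed with MTOM", [TOKEN, MTOM])]:
        print(label, "->", validate_policy(policy) or "valid")
```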

6.4 Managing Policy Assertion Templates

OWSM includes a set of predefined assertion templates that you can use to construct policies. The predefined assertion templates are read only and cannot be modified, but you can clone them to create new assertion templates, if needed, to satisfy a specific requirement.

For additional information, see "Building Policies Using Policy Assertions" in Understanding Oracle Web Services Manager.

If the functionality you require, such as support for a non-standard security token, is not provided out of the box, OWSM allows you to define custom policy assertions. For details, see Creating Custom Assertions.

You can add one or more assertions to a user-created policy as described in "Adding Assertions to a Policy". You cannot add assertions to the predefined policies that are provided with OWSM because they are read-only and cannot be modified. Assertions are executed in the order in which they are listed in the policy.

For details about the predefined assertion templates, see Oracle Web Services Manager Predefined Assertion Templates.

The following sections provide more detail about managing policy assertion templates:

6.4.1 About Navigating to the Assertion Templates Page

You can manage your assertion templates at the domain level from the Assertion Templates page. From this page, you can copy, edit, delete, import, and export assertion templates.

6.4.2 Understanding Search Options on the Assertion Templates Page

You can search for assertion templates in the Assertion Templates page using the advanced search feature, the Query by Example filter, or a combination of the two to refine the search.

Details are provided in the following sections:

6.4.2.1 Searching for an Assertion Template Using Advanced Search

In the Assertion Templates page, you can reduce the number of assertion templates that are returned by specifying the appropriate search criteria. To do so:

  1. Navigate to the Assertion Templates page as described in "About Navigating to the Assertion Templates Page".
  2. In the Search pane, specify the criteria to use in the search:
    • In the Assertion Name field, enter an assertion template name or part of a name and select the operator to use to refine the search. Available operators are Starts with, Ends with, Equals, and Contains. For example, to search for message protection assertion templates only, select the Contains operator, and enter message in the Assertion Name field.

      You can use the percent sign (%) as a wildcard anywhere in the name. The asterisk (*) is not recognized as a wildcard and is treated as plain text. Searches are case-insensitive.

    • In the Category field, select the category to which the assertion template belongs. The options are: All, Management, Security, Reliable Messaging, MTOM Attachments, WS-Addressing, Make Connection, Atomic Transactions, Configuration, and SOAP Over JMS Transport.

    Alternatively, you can select one of the previously saved searches from the Saved Search drop-down menu. The search parameters automatically populate the search fields. If the Run automatically option is specified for the saved search, it runs automatically and the results are displayed in the assertion templates table.

  3. Optionally, refine the search using the Query By Example filter, as described in "Searching for an Assertion Template Using the Query by Example Filter". Note that when you combine the two search types, the data entered into the Query By Example fields is appended using the AND operator to the data specified in the Search fields.
  4. Click Search.

    The Assertion Templates table is refreshed to include only those assertion templates that match the specified search criteria. If you did not refine the search using Query by Example, all message protection assertion templates are shown in the list. If you refined the search for client assertion templates only using Query by Example, the list displayed includes only client message protection assertion templates.

  5. Optionally, click Save... to save the search criteria in the repository. Note that only the values specified in the Advanced Search fields are saved; the values specified in the Query By Example fields are not included in the saved searches.

    In the Create Saved Search window, enter a name for the search in the Name field. To use this saved search as the default selection for future searches, select Set as default. To execute the search automatically when it is selected, select Run automatically.

    To modify previously saved searches, click Personalize... from the Saved Search drop-down menu. In the Personalize Saved Searches window, select the saved search from the drop down menu and edit as required. Click Apply. When you are finished editing all of the searches, click OK.

6.4.2.2 Searching for an Assertion Template Using the Query by Example Filter

The Query by Example filter allows you to query a specific field and filter the results displayed in the table quickly and easily.

  1. If the search fields are not displayed at the top of the Assertion Templates table, click the Query by Example icon. A search field is displayed above the Display Name, Category, and Name columns.
  2. Enter the search criteria in the field above the column in which you want to search. The value entered is interpreted as a "contains" expression. That is, the value is wrapped in %value%, and will fetch all results that contain the value specified for that column. For example, to search for client assertion templates only, enter client in the search field above the Name column.
  3. If you are using the Query by Example filter separately (not in conjunction with the advanced search fields), press Enter.

    The list of assertion templates displayed in the table is filtered to display only the results that match the search criteria. Using the example specified in step 2, only client assertion templates are displayed.

    Note:

    The Query by Example search fields can be used in conjunction with the advanced search fields to further refine the search results, as described in "Searching for an Assertion Template Using Advanced Search". When used together, the data entered into the Query By Example fields is appended using the AND operator to the data specified in the Search fields. You must use the Search button to get the combined results.

    You need to manually clear the Query by Example search fields when you have completed the search.

6.4.3 Viewing the Details of an Assertion Template

Use this procedure to view the details of an assertion template. Predefined assertion templates from Oracle are read-only and cannot be modified. These assertion templates are displayed in read-only mode. User-created assertion templates are not read-only, and can be edited.

Perform the following steps to view the assertion template details:

  1. Navigate to the Assertion Templates page as described in "About Navigating to the Assertion Templates Page".

    Optionally, refine the list of assertion templates displayed using Search, as described in "Searching for an Assertion Template Using Advanced Search".

  2. Select the assertion template to be viewed from the list of assertion templates and click Open. Alternatively, select Actions and then Open.

    Figure 6-7 displays the Assertion Template Details page for the Wss10 SAML V2.0 Token with Message Protection service Assertion Template.

    Figure 6-7 Assertion Template Details Page



  3. Review the details of the assertion template.

    General information about the assertion template is provided at the top of the page. Click Configuration to view the configuration properties for the template. The Settings section of the page displays the settings specific to that template. For details about the settings and configuration properties for each of the predefined assertion templates, see Oracle Web Services Manager Predefined Assertion Templates.

6.4.4 Naming Conventions for Assertion Templates

The same naming conventions used to name predefined policies are used to name the assertion templates.

The predefined assertion templates begin with the directory name oracle/ and are identified with the suffix _template at the end; for example, oracle/wss10_message_protection_service_template.

It is recommended that you follow these naming conventions, and keep any assertion templates that you create in a directory that is separate from the oracle directory where the predefined assertion templates are located. You can organize your assertion templates at the root level, in a directory other than oracle, or in subdirectories.

For more information about the naming conventions for predefined policies, see "Recommended Naming Conventions for Policies" in Understanding Oracle Web Services Manager.

6.4.5 Cloning an Assertion Template

You can create a new assertion template using an existing template as the base. Select the assertion template that most closely matches the desired behavior, make a copy of it using the Create Like feature, then make any changes required to get the new behavior.

Perform the following steps to clone an assertion template:

  1. Navigate to the Assertion Templates page as described in "About Navigating to the Assertion Templates Page".
  2. Optionally, refine the list of assertion templates displayed using Search, as described in "Understanding Search Options on the Assertion Templates Page".
  3. Select the assertion template to be cloned from the list of assertion templates and click Create Like. Alternatively, select Actions and then Create Like.

    The Assertion Template Details page is displayed.

  4. Edit the name and display name for the assertion template and, optionally, enter a brief description.

    The word Copy is appended to the name and display name of the cloned assertion template and, by default, this is the name assigned to the new assertion template.

    It is recommended that you change the name of this new assertion template to be more meaningful in your environment. For more information, see "Naming Conventions for Assertion Templates".

    Note:

    You cannot edit the name of an assertion template after it is created. To change the assertion template name, you will need to clone the assertion template and assign it a different name.

  5. Modify the assertion template settings and configuration properties as required. For details about the settings and configuration properties in each of the predefined assertion templates, see Oracle Web Services Manager Predefined Assertion Templates. For details about modifying the configuration properties, see "Editing the Configuration Properties in an Assertion Template".
  6. Click Save to save the new assertion template.

6.4.6 Editing an Assertion Template

You can edit a user-created assertion template as described in the following procedure.

Note:

The predefined assertion templates that are provided with OWSM are read-only and cannot be edited. To edit a predefined template you can clone it and then edit the cloned version.

Perform the following steps to edit an assertion template:

  1. Navigate to the Assertion Templates page as described in "About Navigating to the Assertion Templates Page".

    Optionally, refine the list of assertion templates displayed using Search, as described in "Searching for an Assertion Template Using Advanced Search".

  2. Select the assertion template to be edited from the list of assertion templates and click Open. Alternatively, select Actions and then Open.
  3. Edit the display name and description, if desired. You cannot edit the assertion template name. To change the name of an assertion template, you will need to clone it and assign it a different name.
  4. Edit the settings as required.

    For details about the settings and configuration properties for each of the predefined assertion templates, see Oracle Web Services Manager Predefined Assertion Templates.

  5. Click Configuration to edit the configuration properties.

    To delete a property, select the property in the table and click Delete.

  6. Click OK to accept the configuration property changes.
  7. Click Save to save the assertion template.

6.4.7 Editing the Configuration Properties in an Assertion Template

If you have cloned one of the predefined assertion templates, you can modify the configuration properties to match your environment. For example, properties that are configurable in assertion templates include csf-key, saml.issuer.name, keystore.recipient.alias, and role, among others.

Note:

You cannot modify the configuration properties in the predefined assertion templates because the templates are read-only.

When you clone an assertion template, or edit a cloned assertion template, you can configure the following settings for each property:

  • Description—Description of the property.

  • Value—Current value.

  • Default—Default value. This value is used if the Value field is not set.

  • Type—Can be one of the following:

    • Constant—Property cannot be overridden.

    • Required—Property is required and can be overridden. This setting determines whether the Value field must have a value or can be left blank.

    • Optional—Property is optional and can be overridden.

Perform the following steps to configure the properties:

  1. In the assertion template being cloned or edited, click Configuration.

    The Configuration window displays the list of properties for the template.

  2. Select the property from the list and modify the fields as required. Note that the Name of an existing property cannot be changed.
  3. Add or delete configuration properties as required.

    To add a configuration property, click Add. In the blank row that appears, provide a name for the property. The remaining fields are optional. However, if you set Type to Required, then you must provide a value for the property.

    To delete a configuration property, select the property in the table and click Delete.

  4. When you have finished changing the configuration properties, click OK.
  5. Click Save to save the changes in the assertion template.

    Note:

    When you add an assertion to a policy, as described in "Adding Assertions to a Policy", you can modify the Value, Default, and Description configuration properties to match your environment. The Name and Type configuration properties defined in the assertion template cannot be changed, and are not editable fields in the table.

6.4.8 Exporting an Assertion Template

You can export one or more assertion templates that you have created. Predefined assertion templates cannot be exported because the same read-only version of the template will exist in the target environment. After you have exported the assertion templates, you can then copy them to a new directory if desired, or import them into another repository.

Exporting one or more assertion templates is described in "Cloning an Assertion Template".

Perform the following steps to export one or more assertion templates:

  1. Navigate to the Assertion Templates page, as described in "About Navigating to the Assertion Templates Page".
  2. Optionally, refine the list of assertion templates displayed using Search, as described in "Understanding Search Options on the Assertion Templates Page".
  3. Select the assertion template or templates to be exported from the list of assertion templates and click Export.

    The assertion templates are added to a zip archive file named assertiontemplatesexport.zip by default.

  4. Specify a file name for the archive file, if desired, then select a location in your local directory to which you want to save the zip file and click Save.

    The directory structure for each assertion template is maintained in the archive file using the following structure:

    META-INF/assertiontemplates/assertiontemplatename

    Within this directory structure, assertiontemplatename includes the directory in which the template is located and represents the values you specified when you created the template.

6.4.9 Importing an Assertion Template

Follow the steps in this section to import a zip archive containing one or more user-created assertion templates. You can use this feature in combination with Export to move one or more assertion templates between different repositories. Once the assertion template is imported, you can add it to web service policies and make changes to it.

Perform the following steps to import an assertion template:

  1. Navigate to the Assertion Templates page, as described in "About Navigating to the Assertion Templates Page".
  2. Click Import.

    You are prompted to provide the name of a zip file containing the assertion templates to be imported.

    Note:

    The assertion templates to be imported must use the following directory structure in the zip archive:

    META-INF/assertiontemplates/assertiontemplatename

    Within this directory structure, assertiontemplatename includes the directory in which the template is located.

    In 11g, assertion templates were exported as XML files. If you are importing an assertion template that you exported from an 11g domain, you must add the file to a zip archive using the directory structure specified above.

  3. In the Import window, enter the path and file name for the zip file in the File Upload field, or click Browse to navigate to the directory where the assertion template zip file is located, then select the zip file to be imported.
  4. Click Import.

    If an error is encountered with one of the assertion templates, the import process stops. For example, if there are five assertion templates to be imported and an error is encountered in the third one, the first two will be imported but the remaining assertion templates will not.

    An information window is displayed listing the assertion templates that were imported. Click OK to close the window.

    The imported assertion templates are added to the list of assertion templates on the Assertion Templates page.
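The import notes in "Importing Web Service Policies" and in this section can be checked before upload, which matters because an import that stops at the first error leaves the earlier documents imported. The following Python check is an added example, not Oracle code; it assumes the name attribute sits on the root element of each file, and the sample archive and every name in it are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Archive layouts stated on this page.
PREFIXES = {
    "policy": "META-INF/policies/",
    "template": "META-INF/assertiontemplates/",
}


def root_name_attribute(xml_bytes):
    """Return the root element's name attribute, or None if it has none.

    Assumption: the attribute's local name is "name" (any case, any
    namespace); the page only says "the name attribute of the policy content".
    """
    root = ET.fromstring(xml_bytes)
    for key, value in root.attrib.items():
        if key.rsplit("}", 1)[-1].lower() == "name":
            return value
    return None


def check_archive(zip_bytes, kind="policy", existing_names=()):
    """Return (entry, severity, message) findings for an import archive.

    existing_names: names already in the target repository, supplied by the
    caller (this check runs offline and does not query a repository).
    """
    prefix = PREFIXES[kind]
    findings = []
    seen = {}  # document name -> first archive entry that declared it
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            entry = info.filename
            if info.is_dir():
                continue
            if not entry.startswith(prefix):
                findings.append((entry, "error", "not under " + prefix))
                continue
            relative = entry[len(prefix):]
            if ".." in relative.split("/") or "\\" in relative:
                findings.append((entry, "error", "unsafe path segment"))
                continue
            data = archive.read(info)
            if b"<!DOCTYPE" in data:
                # Assumption: a DTD is unexpected in these files, so refuse
                # it rather than hand it to the parser.
                findings.append((entry, "error", "unexpected DOCTYPE"))
                continue
            try:
                name = root_name_attribute(data)
            except ET.ParseError as exc:
                findings.append((entry, "error", "not well-formed: %s" % exc))
                continue
            if name is None:
                findings.append((entry, "error", "root element has no name"))
                continue
            if name.startswith("oracle_"):
                findings.append((entry, "error", "name is prefixed with oracle_"))
            if name.startswith("oracle/"):
                findings.append((entry, "warning", "name is in the oracle directory"))
            if name in existing_names:
                findings.append((entry, "error", "name exists in target repository"))
            if name in seen:
                findings.append((entry, "error", "name repeats " + seen[name]))
            seen.setdefault(name, entry)
            if relative != name:
                # Allowed: the policy name and the file name may differ.
                findings.append((entry, "info", "file path differs from name " + name))
    return findings


def build_sample_archive():
    """Constructed sample: three minimal policy files, two with problems."""
    ns = 'xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"'
    files = {
        "META-INF/policies/example/auth_policy":
            '<wsp:Policy %s name="example/auth_policy"/>' % ns,
        "META-INF/policies/example/renamed_file":
            '<wsp:Policy %s name="oracle_custom_policy"/>' % ns,
        "policies/example/misplaced":
            '<wsp:Policy %s name="example/misplaced"/>' % ns,
    }
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for path, body in files.items():
            archive.writestr(path, body)
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in check_archive(build_sample_archive(), "policy"):
        print("%s [%s] %s" % finding)
```

Pass kind="template" to check an assertion template archive, and pass the names already present in the target repository as existing_names to catch name collisions before the import.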

6.4.10 Deleting an Assertion Template

Follow the steps in this section to delete an assertion template that you created or imported. The predefined assertion templates delivered with OWSM are read-only and cannot be deleted.

  1. Navigate to the Assertion Templates page, as described in "About Navigating to the Assertion Templates Page".
  2. Optionally, refine the list of assertion templates displayed using Search, as described in "Understanding Search Options on the Assertion Templates Page".
  3. Select the assertion template to be deleted from the list of assertion templates and click Delete.

    You are prompted to confirm that you want to delete the assertion template.

  4. Confirm your selection and click Delete.

    The selected assertion template is deleted from the list of assertion templates on the Assertion Templates page.

6.5 Managing Policies and Assertions

You can enable or disable policies, or assertions within a policy.

The following sections describe the different methods for enabling or disabling policies, or assertions within a policy:

6.5.1 Enabling or Disabling a Policy for all Policy Subjects

When you create a policy, it is enabled by default unless it has validation errors. A user-created policy can be globally enabled or disabled from the Policy Details page. You can enable or disable the policy from one central location, and it will be enabled or disabled for any policy subject to which it is attached.

Note:

You cannot disable a predefined policy from Oracle for all policy subjects. These policies are read-only and cannot be modified. You can, however, disable policy references to an individual subject. For more information, see "Enabling or Disabling Directly Attached Policies Using Fusion Middleware Control".

When you disable a policy from the Policy Details page, the policy continues to be attached to the policy subjects, but the policy is not enforced. You may want to temporarily disable a policy if you discover that there is a problem with the policy that is causing all requests to a web service to fail. Once the problem is corrected, you can globally enable the policy.

You may also selectively enable or disable a policy for a specific policy subject rather than for all policy subjects. For more information, see "Enabling or Disabling Directly Attached Policies Using Fusion Middleware Control".

Perform the following steps to enable or disable a user-created web service policy for all policy subjects:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".

    Optionally, refine the list of policies displayed using Search, as described in "Using Advanced Search".

  2. Select the policy to be edited from the list of policies and click Open. Alternatively, select Actions and then Open.

    The Policy Details page is displayed. For predefined policies, this page is read-only. However, for user-created policies, you can edit the policy from this page. For more information about the Policy Details page, see "Viewing the Details of a Web Service Policy".

  3. Select the General tab if it is not already selected.
  4. Select or deselect the Enabled box to enable or disable the policy, respectively.
  5. Click Save.

6.5.2 Enabling or Disabling Assertions Within a Policy

You can enable or disable one or more of the assertions that are contained within a policy. This provides a more fine-grained level of control over the assertions that are executed.

Note:

You cannot disable an assertion in a predefined policy from Oracle. These policies are read-only and cannot be modified. To disable an assertion in a predefined policy, you need to clone it and then edit the cloned version.

For example, if you created a policy based on one of the read-only predefined web service security policies, it contains an instance of the Security Log Assertion Template (oracle/security_log_template) to capture the entire SOAP message before and after the primary security assertion is executed. By default, the log assertion is not enforced. You must enable it in order for the SOAP message to be logged in message logs. It is recommended that the logging assertion be enabled for debugging and auditing purposes only. For more information about logging, see "Diagnosing Problems Using Logs" in Administering Web Services.

Perform the following steps to enable or disable one or more assertions within a policy:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".

    Optionally, refine the list of policies displayed using Search, as described in "Using Advanced Search".

  2. Select the policy to be edited from the list of policies and click Open. Alternatively, select Actions and then Open.

    The Policy Details page is displayed. For predefined policies, this page is read-only. However, for user-created policies, you can edit the policy from this page. For more information about the policy details page, see "Viewing the Details of a Web Service Policy".

  3. Select the Assertions tab.
  4. Select the assertion in the table and select or deselect the Enforced box to enable or disable the assertion within the policy, respectively.
  5. Click Save.

6.6 Analyzing Policy Usage

The policy usage feature described in this section requires that you use a database-based OWSM Repository. If you are not using a database-based repository, policy usage information is not available.

Policies are created and managed at the domain level. The central management of policies gives you the ability to reuse policies and attach them to multiple policy subjects. Any change to a policy (for example, editing a policy or deleting a policy) affects all policy subjects to which the policy is attached. Therefore, before making any changes to your policies, Oracle recommends you do a usage analysis to see which subjects are using a particular policy.

Note:

The usage analysis simply identifies which policy subjects will be affected; it does not define the effect of the change. You need to evaluate the change on each of the policy subjects and determine if you should proceed.

Perform the following steps to perform a usage analysis:

  1. Navigate to the WSM Policies page as described in "Navigating to the WSM Policies Page".

    Optionally, refine the list of policies displayed using Search, as described in "Using Advanced Search".

    The Attachment Count column of the Policies table shows the number of subjects to which a policy is attached.

  2. Click the number in the Attachment Count column for the selected policy to display the Usage Analysis page.

    The Policy Subject List is filtered by subject type. The table displays a list of the policy subjects, of the selected type, to which the policy is attached. Valid policy subjects include OWSM Repository Documents and the subject types listed in "Understanding Policy Subjects" in Understanding Oracle Web Services Manager. Note that the Policy Subject List summary table displays fields that are relevant to the selected policy subject type only.

    The total number of policy subjects to which the policy is attached is shown at the bottom of the page in the Attachment Count field.

  3. To view the other policy subjects to which the policy is attached, select the subject type from the Subject Type menu.

    The Subject Type menu provides an attachment count for each subject type to which the policy is attached.

  4. In cases where multiple domains share the same OWSM Repository to store OWSM metadata, you can specify whether you want to view policy subjects in the Local Domain or in all domains in the enterprise. To view the policy subjects for all domains in the enterprise, select Enterprise in the View Option field.

Please note:

6.7 About Advertising Policy Assertions

You can enable the advertisement of a policy assertion within the WSDL file.

The advertisement of a policy assertion within the WSDL file is enabled by selecting the Advertised option on the Assertions tab, as shown in Figure 6-8, when performing any of the following tasks:

Note:

Advertisement of policy assertions in a WADL file is not supported. The Advertised option has no effect when the associated policy is attached to a RESTful web service.

Figure 6-8 Enabling Advertising for Policy Assertions



6.8 About Advertising WS-Policy and WS-SecurityPolicy Versions

For a standard WSDL (?wsdl) file, you can publish different version combinations for WS-Policy and WS-SecurityPolicy.

For example, http://localhost:8080/abc?wsdl&wsp=1.5&wssp=1.2 returns a WSDL with the following policy versions published: WS-Policy 1.5 and WS-SecurityPolicy 1.2.

Note:

For an Oracle WSDL (?orawsdl), you cannot advertise different version combinations for WS-Policy and WS-SecurityPolicy. For ?orawsdl, the policy is advertised with the following versions only: WS-Policy 1.2 and WS-SecurityPolicy 1.1 with Oracle extensions.

Table 6-1 lists the valid version combinations.

Table 6-1 Policy Advertisement

Version Combination       Description

?wsdl                     WS-Policy 1.2 and WS-SecurityPolicy 1.1
?wsdl&wsp=1.5             WS-Policy 1.5 and WS-SecurityPolicy 1.3
?wsdl&wssp=1.2            WS-Policy 1.5 and WS-SecurityPolicy 1.2
?wsdl&wssp=1.3            WS-Policy 1.5 and WS-SecurityPolicy 1.3
?wsdl&wsp=1.5&wssp=1.2    WS-Policy 1.5 and WS-SecurityPolicy 1.2
?wsdl&wsp=1.5&wssp=1.3    WS-Policy 1.5 and WS-SecurityPolicy 1.3
?wsdl&wsp=1.2&wssp=1.2    WS-Policy 1.2 and WS-SecurityPolicy 1.2
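To confirm that a service advertises the versions Table 6-1 lists for a given request, compare the namespaces in the returned WSDL with the table. The following is an added example, not part of the Oracle documentation: the namespace URIs are the ones defined by the WS-Policy and WS-SecurityPolicy specifications, the function names are hypothetical, and the sample WSDL is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Namespace URIs defined by the WS-Policy and WS-SecurityPolicy specifications.
WSP_NS = {"http://schemas.xmlsoap.org/ws/2004/09/policy": "1.2",
          "http://www.w3.org/ns/ws-policy": "1.5"}
WSSP_NS = {"http://schemas.xmlsoap.org/ws/2005/07/securitypolicy": "1.1",
           "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702": "1.2",
           "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802": "1.3"}

# (wsp, wssp) query values -> (WS-Policy, WS-SecurityPolicy), copied from Table 6-1.
TABLE_6_1 = {
    (None, None): ("1.2", "1.1"), ("1.5", None): ("1.5", "1.3"),
    (None, "1.2"): ("1.5", "1.2"), (None, "1.3"): ("1.5", "1.3"),
    ("1.5", "1.2"): ("1.5", "1.2"), ("1.5", "1.3"): ("1.5", "1.3"),
    ("1.2", "1.2"): ("1.2", "1.2"),
}

def expected_versions(url):
    """Return the version pair Table 6-1 lists for this ?wsdl URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    key = (query.get("wsp", [None])[0], query.get("wssp", [None])[0])
    if "wsdl" not in query or key not in TABLE_6_1:
        raise ValueError(f"not a combination listed in Table 6-1: {url}")
    return TABLE_6_1[key]

def advertised_versions(wsdl_xml):
    """Return the sets of WS-Policy and WS-SecurityPolicy versions in use."""
    namespaces = {el.tag[1:].partition("}")[0]
                  for el in ET.fromstring(wsdl_xml).iter() if el.tag.startswith("{")}
    return ({WSP_NS[n] for n in namespaces if n in WSP_NS},
            {WSSP_NS[n] for n in namespaces if n in WSSP_NS})

def mismatches(url, wsdl_xml):
    """Describe each difference between the table and the returned WSDL."""
    want = expected_versions(url)
    got = advertised_versions(wsdl_xml)
    labels = ("WS-Policy", "WS-SecurityPolicy")
    return [f"{label}: expected {w}, advertised {sorted(g) or 'none'}"
            for label, w, g in zip(labels, want, got) if g != {w}]

# Constructed WSDL fragment, as a ?wsdl&wsp=1.5&wssp=1.2 request would return.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy><sp:TransportBinding/></wsp:Policy>
</definitions>"""
```

A WSDL with no policy attached reports both versions as none, and ?orawsdl requests are rejected because the table covers ?wsdl only.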