23 Understanding Global Policy Attachments
When you install Oracle Identity Manager, or upgrade to this release of Oracle Identity Manager, certain OWSM policy sets are created by default. These policy sets contain OWSM policies attached on the application path that secure the RESTful and SOAP services. By default, the policies are not SSL-enabled.
23.1 Predefined Policies
As part of Global Policy Attachments, OWSM policies for RESTful and SOAP web services govern access to the REST and SOAP services respectively. These policies can be modified to apply different levels or types of security to the applications.
Table 23-1 lists the RESTful WSM policy sets and the corresponding attached policies.
Table 23-1 RESTful WSM Policy Sets
Policy Set Name | Policy Attached | Description |
---|---|---|
policySetAPPONBRD | oracle/multi_token_rest_service_policy | This policy enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password); SAML 2.0 bearer token; JWT token; HTTP OAM security (disabled by default). |
policySetDM | oracle/multi_token_rest_service_policy | This policy enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password); SAML 2.0 bearer token; JWT token; HTTP OAM security (disabled by default). |
policySetREST_Auth | oracle/multi_token_rest_service_policy | This policy enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password); SAML 2.0 bearer token; JWT token; HTTP OAM security (disabled by default). |
policySetREST_Unauth | oracle/no_authentication_service_policy | This policy facilitates disabling a globally attached authentication policy. This includes disabling the whole global policy, including any other assertions it contains in addition to the authentication assertion. |
policySetSCIM_Auth | oracle/multi_token_rest_service_policy | This policy enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password); SAML 2.0 bearer token; JWT token; HTTP OAM security (disabled by default). |
policySetSCIM_Unauth | oracle/no_authentication_service_policy | This policy facilitates disabling a globally attached authentication policy. This includes disabling the whole global policy, including any other assertions it contains in addition to the authentication assertion. |
policySetTOKEN | oracle/multi_token_rest_service_policy | This policy enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password); SAML 2.0 bearer token; JWT token; HTTP OAM security (disabled by default). |
policySetFacade | oracle/http_saml20_token_bearer_client_policy | This policy governs generation of the SAML token from the facade application that is used for authentication at the /tokens endpoint. |
Table 23-2 lists the SOAP WSM policy sets and the corresponding attached policies.
Table 23-2 SOAP WSM Policy Sets
Policy Set Name | Policy Attached |
---|---|
policySetCertCallbackSvc | oracle/wss_username_token_service_policy |
policySetIdAuditCallbackSvc | oracle/wss_username_token_service_policy |
policySetProvCallback | oracle/wss11_saml_or_username_token_with_message_protection_service_policy |
policySetReqSvc | oracle/wss_username_token_service_policy |
policySetSPMLXSD | oracle/wss_saml_or_username_token_service_policy |
policySetWorkflowSvc | oracle/wss11_saml_or_username_token_with_message_protection_service_policy |
Note: See Security Policies-Authentication Only in Securing Web Services and Managing Policies with Oracle Web Services Manager for detailed information about the default RESTful and SOAP WSM policies.
23.2 Viewing and Editing Global Policy Attachments
You can view and edit the policy attachments by using Oracle Enterprise Manager Fusion Middleware Control.
To view the policy sets and the attached policies and edit the policy sets, see Attaching Policies to Manage and Secure Web Services in Securing Web Services and Managing Policies with Oracle Web Services Manager.
When you make a change to a policy, the change takes effect at the next polling interval for policy changes. The default polling interval is 10 minutes (600000 milliseconds).
23.3 Enabling SCIM to Run Only on HTTPS
By default, SCIM is configured to run on both HTTP and HTTPS ports. You can enable SCIM to run only on HTTPS ports by editing the policySetSCIM_Auth and policySetSCIM_Unauth policy sets.
SCIM can run on both HTTP and HTTPS ports by default. For example, both of the following URLs work by default without any configuration changes:
http://OIM_HOST:OIM_HTTP_PORT/iam/governance/scim/v1/Users
https://OIM_HOST:OIM_HTTP_PORT/iam/governance/scim/v1/Users
- Log in to Oracle Enterprise Manager Fusion Middleware Control.
- Click WebLogic Domain, and select Web Services, WSM Policy Sets.
- Edit the WSM policy set policySetSCIM_Auth, and move to the Add Policy References page.
- Detach the existing oracle/multi_token_rest_service_policy, and attach the oracle/multi_token_over_ssl_rest_service_policy.
- Go to the Summary page and save the policy set.
- Edit the WSM policy set policySetSCIM_Unauth, and move to the Add Policy References page.
- Detach the existing oracle/no_authentication_service_policy, and attach the oracle/http_anonymous_rest_over_ssl_service_policy.
- Go to the Summary page, and save the policy set.
23.4 Enabling REST to Run Only on HTTPS
By default, REST is configured to run on both HTTP and HTTPS ports. You can enable REST to run only on HTTPS ports by editing the policySetREST_Auth and policySetREST_Unauth policy sets.
- Log in to Oracle Enterprise Manager Fusion Middleware Control.
- Click WebLogic Domain, and select Web Services, WSM Policy Sets.
- Edit the WSM policy set policySetREST_Auth, and move to the Add Policy References page.
- Detach the existing oracle/multi_token_rest_service_policy, and attach the oracle/multi_token_over_ssl_rest_service_policy.
- Go to the Summary page and save the policy set.
- Edit the WSM policy set policySetREST_Unauth, and move to the Add Policy References page.
- Detach the existing oracle/no_authentication_service_policy, and attach the oracle/http_anonymous_rest_over_ssl_service_policy.
- Go to the Summary page and save the policy set.
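The SCIM procedure in 23.3 and the REST procedure in 23.4 make the same two substitutions on four policy sets. As an added example that is not part of the Oracle documentation, the following WLST (Jython) script applies all four changes inside one OWSM session, so that a failed validation discards the partial edit instead of leaving a policy set half-converted. It assumes the standard OWSM WLST commands (beginWSMSession, selectWSMPolicySet, detachWSMPolicy, attachWSMPolicy, validateWSMPolicySet, commitWSMSession, abortWSMSession) are available in your release; the connection values are placeholders.

```python
# Added example, not Oracle's own code. Run with:
#   $ORACLE_HOME/oracle_common/common/bin/wlst.sh enable_ssl_only.py
# OWSM WLST commands assumed available after connect(): beginWSMSession,
# selectWSMPolicySet, detachWSMPolicy, attachWSMPolicy, validateWSMPolicySet,
# commitWSMSession, abortWSMSession. Connection values below are placeholders.

# Plain-HTTP policy URI -> SSL-only replacement, as in sections 23.3 and 23.4.
SSL_REPLACEMENT = {
    "oracle/multi_token_rest_service_policy":
        "oracle/multi_token_over_ssl_rest_service_policy",
    "oracle/no_authentication_service_policy":
        "oracle/http_anonymous_rest_over_ssl_service_policy",
}

# Policy sets to convert and the policy each carries by default (Table 23-1).
POLICY_SETS = {
    "policySetSCIM_Auth": "oracle/multi_token_rest_service_policy",
    "policySetSCIM_Unauth": "oracle/no_authentication_service_policy",
    "policySetREST_Auth": "oracle/multi_token_rest_service_policy",
    "policySetREST_Unauth": "oracle/no_authentication_service_policy",
}


def plan_changes(policy_sets, replacements):
    """Return [(policy_set, detach_uri, attach_uri)] in a fixed order; refuse
    any policy set whose policy has no known SSL-only counterpart."""
    plan = []
    for name, current in sorted(policy_sets.items()):
        if current not in replacements:
            raise ValueError("no SSL-only counterpart for %s on %s" % (current, name))
        plan.append((name, current, replacements[current]))
    return plan


def apply_changes(plan):
    """Detach/attach every policy set inside one WSM session; abort on any error."""
    beginWSMSession()
    try:
        for name, old_uri, new_uri in plan:
            selectWSMPolicySet(name)
            detachWSMPolicy(old_uri)
            attachWSMPolicy(new_uri)
            validateWSMPolicySet()  # problems surface as a WLSTException
        commitWSMSession()          # takes effect at the next policy polling interval
    except Exception:
        abortWSMSession()           # discard partial edits, repository stays as it was
        raise


if __name__ in ("__main__", "main"):  # WLST sets __name__ to "main"
    connect("weblogic", "<admin_password>", "t3://OIM_HOST:ADMIN_PORT")  # placeholders
    apply_changes(plan_changes(POLICY_SETS, SSL_REPLACEMENT))
    disconnect()
```

After the commit, the change still only applies at the next polling interval described in 23.2, so a plain-HTTP request to the SCIM or REST endpoint will keep succeeding for up to 10 minutes by default.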