18 Oracle Web Services Manager Predefined Assertion Templates

This topic describes the predefined assertion templates defined for the current release. Use the predefined assertion templates to construct your own policies, or clone them to create new policies.

Note:

The predefined policies and assertion templates distributed with the current release are read only. You must copy the policy or assertion template before modifying it. You also have the option of configuring the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates".

For a detailed description of the configuration settings in the tables, see "Assertion Template Settings for Oracle Web Services".

For a detailed description of the configuration properties listed in the tables, see "Assertion Template Configuration Properties for Oracle Web Services". For details on how to edit the configuration properties, see "Editing the Configuration Properties in an Assertion Template". For information about overriding policies, see "Overview of Policy Configuration Overrides".

18.1 Authentication Only Assertion Templates

This table summarizes the assertion templates that enforce authentication only, and indicates whether the token is inserted at the transport layer or SOAP header.

18.2 Message-Protection Only Assertion Templates

Table 18-2 summarizes the assertion templates that enforce message protection only, and indicates whether the token is inserted at the transport layer or SOAP header.

Table 18-2 Message-Protection Only Assertion Templates

Client Template | Service Template | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP
--- | --- | --- | --- | --- | ---
oracle/wss10_message_protection_client_template | oracle/wss10_message_protection_service_template | No | No | No | Yes
oracle/wss11_message_protection_client_template | oracle/wss11_message_protection_service_template | No | No | No | Yes

18.3 Message Protection and Authentication Assertion Templates

Table 18-3 summarizes the assertion templates that enforce both message protection and authentication, and indicates whether the token is inserted at the transport layer or SOAP header.

Table 18-3 Message Protection and Authentication Assertion Templates

Client Template | Service Template | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP
--- | --- | --- | --- | --- | ---
oracle/wss_http_token_over_ssl_client_template | oracle/wss_http_token_over_ssl_service_template | Yes | No | Yes | No
oracle/wss_saml_token_bearer_over_ssl_client_template | oracle/wss_saml_token_bearer_over_ssl_service_template | No | Yes | Yes | No
oracle/wss_saml20_token_bearer_over_ssl_client_template | oracle/wss_saml20_token_bearer_over_ssl_service_template | No | Yes | Yes | No
oracle/wss_saml_token_over_ssl_client_template | oracle/wss_saml_token_over_ssl_service_template | No | Yes | Yes | No
oracle/wss_saml20_token_over_ssl_client_template | oracle/wss_saml20_token_over_ssl_service_template | No | Yes | Yes | No
oracle/wss_username_token_over_ssl_client_template | oracle/wss_username_token_over_ssl_service_template | No | Yes | Yes | No
oracle/wss10_saml_hok_token_with_message_protection_client_template | oracle/wss10_saml_hok_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss10_saml_token_with_message_protection_client_template | oracle/wss10_saml_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss10_saml20_token_with_message_protection_client_template | oracle/wss10_saml20_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss10_username_token_with_message_protection_client_template | oracle/wss10_username_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss10_x509_token_with_message_protection_client_template | oracle/wss10_x509_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss11_kerberos_token_with_message_protection_client_template | oracle/wss11_kerberos_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss11_saml_token_with_message_protection_client_template | oracle/wss11_saml_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss11_saml20_token_with_message_protection_client_template | oracle/wss11_saml20_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss11_username_token_with_message_protection_client_template | oracle/wss11_username_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss11_x509_token_with_message_protection_client_template | oracle/wss11_x509_token_with_message_protection_service_template | No | Yes | No | Yes
oracle/wss11_username_token_derivedkey_with_message_protection_signature_only_client_template | See note below | No | No | Yes | No
oracle/wss11_username_token_derivedkey_with_message_protection_encryption_only_client_template | See note below | No | No | Yes | No

Note: For the two derivedkey client templates, the service assertion includes both signature and encryption parts and uses the XOR method to process the request.

18.4 Oracle Entitlements Server (OES) Integration Templates

This topic summarizes the assertion templates that are used for OES integration.


18.5 PII Assertion Templates

This section summarizes the assertion template that is used for PII security.

oracle/pii_security_template provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.

18.7 Authorization Assertion Templates

This topic summarizes assertion templates that are used for authorization. Each authorization assertion template must follow an authentication assertion template.

18.8 Management Assertion Templates

This topic summarizes the management assertion templates.

oracle/security_log_template provides a logging assertion template that can be attached to any binding or component.

18.9 oracle/http_oam_token_service_template

This topic describes the http_oam_token_service_template assertion template.

Display Name: Http OAM Service Assertion Template

Category: Security

Type: http-oam-security

Description

The http_oam_token_service_template assertion template verifies that the OAM agent has authenticated the user and has established an identity. This policy can be applied to any HTTP-based endpoint.

Settings

Table 18-4 lists the settings for the http_oam_token_service_template assertion template.

Table 18-4 http_oam_token_service_template Settings

Name | Default Value
--- | ---
Authentication Header | 
Authentication Header—Mechanism | oam
Authentication Header—Header Name | None

Configuration

Table 18-5 lists the default configuration properties and the default settings for the http_oam_token_service_template assertion template.

Table 18-5 http_oam_token_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
reference.priority | None | Optional
remote-user | OAM_REMOTE_USER | Optional

18.10 oracle/http_saml20_token_bearer_client_template

This topic describes the http_saml20_token_bearer_client_template assertion template.

Display Name: Http Saml Bearer V2.0 Token Client Assertion Template

Category: Security

Type: http-saml20-bearer-security

Description

The http_saml20_token_bearer_client_template assertion template includes SAML 2.0 tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 18-6 lists the settings for the http_saml20_token_bearer_client_template assertion template.

Table 18-6 http_saml20_token_bearer_client_template Settings

Name | Default Value
--- | ---
Authentication Header | 
Authentication Header—Mechanism | saml20-bearer
Authentication Header—Header Name | None

Configuration

Table 18-7 lists the configuration properties and the default settings for the http_saml20_token_bearer_client_template assertion template.

Table 18-7 http_saml20_token_bearer_client_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
user.attributes | None | Optional
saml.issuer.name | www.oracle.com | Optional
user.roles.include | false | Optional
csf-key | basic.credentials | Optional
subject.precedence | true | Optional
saml.audience.uri | None | Optional
keystore.sig.csf.key | None | Optional
saml.envelope.signature.required | true | Optional
reference.priority | None | Optional
propagate.identity.context | None | Optional
auth.header.token.type | oit | Optional

18.11 oracle/http_saml20_token_bearer_service_template

This topic describes the http_saml20_token_bearer_service_template assertion template.

Display Name: Http Saml Bearer V2.0 Token Service Assertion Template

Category: Security

Type: http-saml20-bearer-security

Description

The http_saml20_token_bearer_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the http_saml20_token_bearer_service_template assertion template are identical to the client version of the assertion template. See Table 18-6 for information about the settings.

Configuration

Table 18-8 lists the configuration properties and the default settings for the http_saml20_token_bearer_service_template assertion template.

Table 18-8 http_saml20_token_bearer_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
saml.trusted.issuers | None | Optional
saml.envelope.signature.required | true | Optional
reference.priority | None | Optional
propagate.identity.context | None | Optional
auth.header.token.type | oit | Optional

18.12 oracle/http_spnego_token_client_template

This topic describes the http_spnego_token_client_template assertion template.

Display Name: SPNEGO Token Client Assertion Template

Category: Security

Type: http-spnego-security

Description

The http_spnego_token_client_template assertion template provides authentication using a Kerberos token and the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) protocol.

Settings

Table 18-9 lists the settings for the http_spnego_token_client_template assertion template.

Table 18-9 http_spnego_token_client_template Settings

Name | Default Value
--- | ---
Authentication Header | 
Authentication Header—Mechanism | spnego
Authentication Header—Header Name | None

Configuration

Table 18-10 lists the configuration properties and the default settings for the http_spnego_token_client_template assertion template.

Table 18-10 http_spnego_token_client_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
service.principal.name | HOST/localhost@EXAMPLE.COM | Required
keytab.location | None | Optional
caller.principal.name | None | Optional
credential.delegation | false | Required
role | ultimateReceiver | Constant
reference.priority | None | Optional

18.13 oracle/http_spnego_token_service_template

This topic describes the http_spnego_token_service_template assertion template.

Display Name: SPNEGO Token Service Assertion Template

Category: Security

Type: http-spnego-security

Description

The http_spnego_token_service_template assertion template provides authentication using a Kerberos token and the SPNEGO protocol.

Settings

The settings for the http_spnego_token_service_template assertion template are identical to the client version of the assertion template. See Table 18-9 for information about the settings.

Configuration

Table 18-11 lists the configuration properties and the default settings for the http_spnego_token_service_template assertion template.

Table 18-11 http_spnego_token_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
role | ultimateReceiver | Constant
credential.delegation | false | Required
reference.priority | None | Optional

18.14 oracle/wss_http_token_client_template

This topic describes the wss_http_token_client_template assertion template.

Display Name: Wss HTTP Token client Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_client_template assertion template includes username and password credentials in the HTTP header. You can control whether one-way or two-way authentication is required.

Settings

Table 18-12 lists the settings for the wss_http_token_client_template assertion template.

Table 18-12 wss_http_token_client_template Settings

Name | Default Value
--- | ---
Authentication Header | 
Authentication Header—Mechanism | basic
Authentication Header—Header Name | None
Transport Layer Security | 
Transport Layer Security | Disabled
Transport Layer Security—Mutual Authentication Required | Disabled
Transport Layer Security—Include Timestamp | Disabled

Configuration

Table 18-13 lists the configuration properties and the default settings for the wss_http_token_client_template assertion template.

Table 18-13 wss_http_token_client_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
csf-key | basic.credentials | Required
role | ultimateReceiver | Constant
reference.priority | None | Optional
include-timestamp | false | Optional

18.15 oracle/wss_http_token_service_template

This topic describes the wss_http_token_service_template assertion template.

Display Name: Wss HTTP Token service Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_service_template assertion template uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. You can control whether one-way or two-way authentication is required.

Settings

The settings for the wss_http_token_service_template are identical to those for the client version of the assertion template. See Table 18-12 for information about the settings.

Configuration

Table 18-14 lists the configuration properties and the default settings for the wss_http_token_service_template assertion template.

Table 18-14 wss_http_token_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
realm | owsm | Constant
role | ultimateReceiver | Constant
reference.priority | None | Optional

18.16 oracle/wss_username_token_client_template

This topic describes the wss_username_token_client_template assertion template.

Display Name: Wss Username Token client Assertion Template

Category: Security

Type: wss-username-token

Description

The wss_username_token_client_template assertion template includes authentication with username and password credentials in the WS-Security UsernameToken header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

If you do not use a digest password, policies created using this template are not secure. You should use this assertion with plain text or no password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_client_template".

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table 18-15 lists the settings for the wss_username_token_client_template assertion template.

Table 18-15 wss_username_token_client_template Settings

Name | Default Value
--- | ---
Username Token | 
Password Type | plaintext
Creation Time Required | Disabled
Nonce Required | Disabled

Configuration

Table 18-16 lists the configuration properties and the default settings for the wss_username_token_client_template assertion template.

Table 18-16 wss_username_token_client_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
csf-key | basic.credentials | Required
role | ultimateReceiver | Constant
csf.map | None | Optional
user.tenant.name | None | Optional
reference.priority | None | Optional
include-timestamp | false | Optional

18.17 oracle/wss_username_token_service_template

This topic describes the wss_username_token_service_template assertion template.

Display Name: Wss Username Token service Assertion Template

Category: Security

Type: wss-username-token

Description

The wss_username_token_service_template assertion template enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

If you do not use a digest password, policies created using this template are not secure. You should use this assertion with plain text or no password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_service_template".

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
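The digest, nonce and creation-time controls described for the wss_username_token_client_template and wss_username_token_service_template (18.16 and 18.17), as an added example rather than Oracle WSM code: the client builds a UsernameToken with PasswordDigest = Base64(SHA-1(nonce + created + password)) from the WS-Security UsernameToken Profile, and the service checks the digest, the freshness of Created and a nonce replay cache. The credential store and the five-minute window are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the OPSS identity store: username -> password.
CREDENTIALS = {"jdoe": "correct horse battery staple"}

# Maximum age (or clock skew) accepted for the Created timestamp. Assumed
# value for the example; the page does not prescribe a window.
FRESHNESS = timedelta(minutes=5)

# The example accepts whole-second UTC timestamps only.
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce_bytes + created + password))."""
    nonce = base64.b64decode(nonce_b64)
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(username: str, password: str, created: datetime) -> dict:
    """Client side: UsernameToken fields with a fresh random nonce and Created."""
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created_str = created.strftime(TIME_FMT)
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created_str,
        "PasswordDigest": password_digest(nonce_b64, created_str, password),
    }


class UsernameTokenVerifier:
    """Service side: digest check plus the two replay controls."""

    def __init__(self, credentials: dict, freshness: timedelta) -> None:
        self.credentials = credentials
        self.freshness = freshness
        # Nonce replay cache. A real deployment bounds it to the freshness
        # window; a nonce older than that can never validate again anyway.
        self.seen_nonces: set = set()

    def verify(self, token: dict, now: datetime) -> str:
        """Return "ok" or a rejection reason. Unknown user and wrong password
        share one reason so the response does not confirm valid usernames."""
        username = token.get("Username")
        nonce = token.get("Nonce")
        created = token.get("Created")
        digest = token.get("PasswordDigest")
        if not (username and nonce and created and digest):
            return "missing Username, Nonce, Created or PasswordDigest"
        # Creation Time Required: Created must parse and lie inside the window.
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "malformed Created"
        if abs(now - created_dt) > self.freshness:
            return "stale Created"
        # Nonce Required: a nonce already accepted inside the window is a replay.
        if nonce in self.seen_nonces:
            return "replayed nonce"
        password = self.credentials.get(username)
        expected = password_digest(nonce, created, password) if password is not None else ""
        if password is None or not hmac.compare_digest(expected, digest):
            return "invalid credentials"
        self.seen_nonces.add(nonce)
        return "ok"


def demo() -> list:
    """Run one verifier over a valid token, its replay, a stale token and a bad password."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier(CREDENTIALS, FRESHNESS)
    good = make_token("jdoe", CREDENTIALS["jdoe"], now)
    stale = make_token("jdoe", CREDENTIALS["jdoe"], now - timedelta(minutes=10))
    wrong = make_token("jdoe", "not-the-password", now)
    return [
        verifier.verify(good, now),   # "ok"
        verifier.verify(good, now),   # "replayed nonce"
        verifier.verify(stale, now),  # "stale Created"
        verifier.verify(wrong, now),  # "invalid credentials"
    ]


if __name__ == "__main__":
    print(demo())
```

With Password Type left at plaintext and both replay settings Disabled, none of these checks apply, which is what the note above means by "not secure".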

Settings

The settings for the wss_username_token_service_template are identical to the client version of the assertion template. See Table 18-15 for information about the settings.

Configuration

Table 18-17 lists the configuration properties and the default settings for the wss_username_token_service_template assertion template.

Table 18-17 wss_username_token_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
role | ultimateReceiver | Constant
reference.priority | None | Optional

18.18 oracle/wss10_saml_token_client_template

This topic describes the wss10_saml_token_client_template assertion template.

Display Name: Wss10 SAML Token client Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.

Settings

Table 18-18 lists the settings for the wss10_saml_token_client_template assertion template.

Table 18-18 wss10_saml_token_client_template Settings

Name | Default Value
--- | ---
SAML Token Type | 
Version | 1.1
Confirmation Type | sender-vouches
Name Identifier Format | unspecified

Configuration

Table 18-19 lists the configuration properties and the default settings for the wss10_saml_token_client_template assertion template.

Table 18-19 wss10_saml_token_client_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
user.attributes | None | Optional
user.roles.include | false | Optional
saml.issuer.name | www.oracle.com | Optional
csf-key | basic.credentials | Optional
subject.precedence | true | Optional
saml.audience.uri | None | Optional
propagate.identity.context | None | Optional
reference.priority | None | Optional
include-timestamp | false | Optional

18.19 oracle/wss10_saml_token_service_template

This topic describes the wss10_saml_token_service_template assertion template.

Display Name: Wss10 SAML Token service Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

Settings

The settings for the wss10_saml_token_service_template are identical to the client version of the assertion. See Table 18-18 for information about the settings.

Configuration

Table 18-20 lists the configuration properties and the default settings for the wss10_saml_token_service_template assertion template.

Table 18-20 wss10_saml_token_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
role | ultimateReceiver | Constant
saml.trusted.issuers | None | Optional
propagate.identity.context | None | Optional
reference.priority | None | Optional

18.20 oracle/wss10_saml20_token_client_template

This topic describes the wss10_saml20_token_client_template assertion template.

Display Name: Wss10 SAML V2.0 Token client Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml20_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.

Settings

Table 18-21 lists the settings for the wss10_saml20_token_client_template assertion template.

Table 18-21 wss10_saml20_token_client_template Settings

Name | Default Value
--- | ---
SAML Token Type | 
Version | 2.0
Confirmation Type | sender-vouches
Name Identifier Format | unspecified

Configuration

Table 18-22 lists the configuration properties and the default settings for the wss10_saml20_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties in an Assertion Template".

For information about overriding policies, see "Overview of Policy Configuration Overrides".

Table 18-22 wss10_saml20_token_client_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
user.attributes | None | Optional
user.roles.include | false | Optional
saml.issuer.name | www.oracle.com | Optional
csf-key | basic.credentials | Optional
subject.precedence | true | Optional
saml.audience.uri | None | Optional
propagate.identity.context | None | Optional
reference.priority | None | Optional
include-timestamp | false | Optional

18.21 oracle/wss10_saml20_token_service_template

This topic describes the wss10_saml20_token_service_template assertion template.

Display Name: Wss10 SAML V2.0 Token service Assertion Template

Category: Security

Type: wss10-saml-token

Description

The wss10_saml20_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

Settings

The settings for the wss10_saml20_token_service_template are similar to the client version of the assertion template. See Table 18-21 for information about the settings.

Configuration

Table 18-23 lists the configuration properties and the default settings for the wss10_saml20_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties in an Assertion Template".

For information about overriding policies, see "Overview of Policy Configuration Overrides".

Table 18-23 wss10_saml20_token_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
role | ultimateReceiver | Constant
saml.trusted.issuers | None | Optional
propagate.identity.context | None | Optional
reference.priority | None | Optional

18.22 oracle/wss11_kerberos_token_client_template

This topic describes the wss11_kerberos_token_client_template assertion template.

Display Name: Wss11 Kerberos Token client Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table 18-24 lists the settings for the wss11_kerberos_token_client_template assertion template.

Table 18-24 wss11_kerberos_token_client_template Settings

Name | Default Value
--- | ---
Kerberos Token Type | 
Kerberos Token Type | gss-apreq-v5
Derived Keys | Disabled

Configuration

Table 18-25 lists the configuration properties and the default settings for the wss11_kerberos_token_client_template assertion template.

Table 18-25 wss11_kerberos_token_client_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
service.principal.name | HOST/localhost@EXAMPLE.COM | Required
keytab.location | None | Optional
caller.principal.name | None | Optional
credential.delegation | false | Required
reference.priority | None | Optional

18.23 oracle/wss11_kerberos_token_service_template

This topic describes the wss11_kerberos_token_service_template assertion template.

Display Name: Wss11 Kerberos Token service Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_service_template assertion template enforces authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_kerberos_token_service_template are identical to the client version of the assertion template. See Table 18-24 for information about the settings.

Configuration

Table 18-26 lists the configuration properties and the default settings for the wss11_kerberos_token_service_template assertion template.

Table 18-26 wss11_kerberos_token_service_template Configuration Properties

Name | Default Value | Type
--- | --- | ---
credential.delegation | false | Required
role | ultimateReceiver | Constant
reference.priority | None | Optional

18.24 oracle/http_oauth2_token_client_template

The http_oauth2_token_client_template assertion template is the HTTP binding level template for OAuth2 token authentication.

Settings

Table 18-27 lists the settings for the http_oauth2_token_client_template assertion template.

Table 18-27 http_oauth2_token_client_template Settings

Name Description Default Value

Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

    Note: It is recommended that you configure SSL when using basic authentication.

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • jwt—Client authenticates itself using JWT token.

  • oam—Client authenticates itself using OAM agent.

  • oauth2—Client authenticates using OAuth2 framework.

  • saml20-bearer—Client authenticates itself using SAML 2.0 Bearer token.

  • spnego—Client authenticates itself using Kerberos SPNEGO.

<orasp:auth-header 
  orasp:mechanism="oauth2"/>

Authentication Header—Header Name

Name of the authentication header.

None

Authentication Header—is-signed

Flag that specifies whether the token is signed.

<orasp:auth-header
orasp:is-signed="false"/>

Authentication Header—is-encrypted

Flag that specifies whether the token is encrypted.

<orasp:auth-header
orasp:is-encrypted="false"/>

Configuration

Table 18-28 lists the default configuration properties for the http_oauth2_token_client_template assertion template.

Table 18-28 http_oauth2_token_client_template Configuration Properties

Name Description

audience.uri

Audience restriction. The following conditions are supported:

  • If this property is not set, the service URL is used as the audience URI

  • If this property is set to NONE (not case sensitive), then the audience URI is set to null.

  • If this property is set to a value other than NONE, then the audience URI is set to this value.

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="audience.uri"
  orawsp:type="string">
  <orawsp:Value/>
  <orawsp:DefaultValue>NONE</orawsp:DefaultValue>
</orawsp:Property>

authz.code

Optional property for passing the authorization code for the 3-legged OAuth2 use case. (Not supported in this release.)

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="authz.code"
  orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

csf-key

Credential store key that maps to a user name and password in the Oracle Platform Security Services (OPSS) identity store.

Default setting:

<orawsp:Property orawsp:type="string"
  orawsp:contentType="optional" orawsp:name="csf-key">
  <orawsp:Value/>
</orawsp:Property>

csf.map

Oracle WSM map in the credential store that contains the CSF aliases.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="csf.map" orawsp:type="string"/>

You can override the default, domain-level Oracle WSM map, by specifying an application-level map name as a Value in this property. For example:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="csf.map" orawsp:type="string">
  <orawsp:Value>app-level-mapname.map</orawsp:Value>
</orawsp:Property>

Accessing an application-level map also requires granting credential access and identity permission to the wsm-agent-core.jar.

federated.client.token

Optional property which, by default, specifies that a JWT token is generated for the client using the values of the oauth2.client.csf.key and keystore.sig.csf.key properties.

If set to false, oauth2.client.csf.key is used to generate an Authorization header sent in the client request to the OAuth server.

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="federated.client.token"
  orawsp:type="boolean">
  <orawsp:Value/>
  <orawsp:DefaultValue>true</orawsp:DefaultValue>
</orawsp:Property>

include.certificate

When true, the signature certificate and the trusted certificate chain (for CA-issued certificates) are included in JWT token claim. This increases the size of the JWT token, but you do not need to then import the certificate and certificate chain into the service side keystore.

When false, only the thumbprint and alias of the certificate are included in the JWT token.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="include.certificate"
orawsp:type="string">
<orawsp:Value/>
<orawsp:DefaultValue>false</orawsp:DefaultValue>
</orawsp:Property>

issuer.name

Optional property that specifies the issuer name used for the locally generated JWT token (the iss claim). By default it is www.oracle.com.

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="issuer.name"
  orawsp:type="string">
  <orawsp:Value/>
  <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue>
</orawsp:Property>

keystore.sig.csf.key

Optional property that specifies the tenant key from the Oracle WSM keystore for signing the locally-created JWT token.

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="keystore.sig.csf.key"
  orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

oauth2.client.csf.key

Required property that specifies the key to use to obtain the client username and password.

The value of oauth2.client.csf.key must match the client ID and secret expected by the client profile, as described in "Understanding OAuth Client Profiles Configuration" in Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

If federated.client.token is set to false, oauth2.client.csf.key is used to generate an Authorization header sent in the client request to the OAuth server.

If you override oauth2.client.csf.key, that value is used. Otherwise, the value of oauth2.client.csf.key in oauth2_config_client_policy is used.

Default setting:

<orawsp:Property orawsp:type="string"
orawsp:contentType="required"
orawsp:name="oauth2.client.csf.key">
<orawsp:Value/>
<orawsp:DefaultValue>NONE</orawsp:DefaultValue>
</orawsp:Property>

oracle.oauth2.service

Optional property that specifies how the default token issuer and scope are determined. When true, the client ID is used as the issuer of the user and client JWT tokens for the OAuth2 server, and the value of issuer.name is ignored.

When false, the issuer is determined by issuer.name with the default value of "www.oracle.com".

propagate.identity.context

Optional property that specifies whether the identity context information is propagated as claims in the JWT token.

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="propagate.identity.context"
  orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

redirect.uri

Optional property that specifies the redirect URIs that the OAuth server will use to redirect the user-agent to the client once access is granted or denied.

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="redirect.uri"
  orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

reference.priority

Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.

The value of reference.priority can be any integer between (-2^31) and (2^31 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value, or has a non-numeric value, is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1.

For more information, see "Specifying the Priority of a Policy Attachment".

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="reference.priority" 
  orawsp:type="string"/>

scope

Optional property that specifies the scope (as-is) of the OAuth2 request. If present, the scope is included in the OAuth2 token request with the value.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="scope" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>

The scope depends on the value of the oracle.oauth2.service property:

  • If oracle.oauth2.service is false (the default), the scope property determines the scope.

  • If oracle.oauth2.service is true and scope has no value (the default), the protocol, host, and port (if available) are obtained from the service URL and used as the scope.

subject.precedence

Property that specifies the location from which the subject used to create the JWT token should be obtained.

As described in Table 10-2:

  • If subject.precedence is set to true, the user name to create the JWT token is obtained only from the authenticated subject.

  • If subject.precedence is set to false, the user name to create the JWT token is obtained only from the csf-key property.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="subject.precedence" orawsp:type="string">
  <orawsp:Value>true</orawsp:Value>
</orawsp:Property>

time.in.millis

Specifies the unit of the values in the exp (Expiry) and iat (Issued At) claims of the JWT token. The standard NumericDate unit is seconds after the Epoch.

If true, milliseconds after the Epoch are used. Otherwise, seconds after the Epoch are used.

Default setting:

<orawsp:Property orawsp:type="boolean"
 orawsp:contentType="optional"
 orawsp:name="time.in.millis">
<orawsp:Value/>
<orawsp:DefaultValue>true</orawsp:DefaultValue>
</orawsp:Property>
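The three rules above (oracle.oauth2.service selecting the issuer, the scope falling back to the service URL, and time.in.millis changing the unit of the iat/exp claims) are easy to misread, so here is an added example that models them in plain Python. It is not Oracle WSM code; the "scheme://host[:port]" form of the derived scope, the token lifetime parameter and the claim_unit threshold are assumptions of the example, because the page only states which URL parts are used and which unit applies.

```python
"""OAuth2 client template: issuer, scope and time-unit rules (added example)."""
from typing import Dict, Optional
from urllib.parse import urlsplit


def resolve_issuer(oracle_oauth2_service: bool, client_id: str,
                   issuer_name: str = "www.oracle.com") -> str:
    """oracle.oauth2.service=true: the client ID is the issuer and issuer.name
    is ignored. false: issuer.name, whose default is www.oracle.com."""
    return client_id if oracle_oauth2_service else issuer_name


def resolve_scope(oracle_oauth2_service: bool, scope: Optional[str],
                  service_url: str) -> Optional[str]:
    """A configured scope is sent as-is. With oracle.oauth2.service=false the
    scope property alone decides, so an empty value means no scope is sent.
    With oracle.oauth2.service=true and no scope, the protocol, host and port
    (if present) of the service URL are used; the exact string form below is
    an assumption of this example."""
    if scope:
        return scope
    if not oracle_oauth2_service:
        return None
    parts = urlsplit(service_url)
    if not parts.scheme or not parts.hostname:
        raise ValueError("service URL must be absolute to derive a scope")
    derived = f"{parts.scheme}://{parts.hostname}"
    return f"{derived}:{parts.port}" if parts.port is not None else derived


def time_claims(now_seconds: int, lifetime_seconds: int,
                time_in_millis: bool) -> Dict[str, int]:
    """iat/exp as standard NumericDate seconds, or as milliseconds after the
    Epoch when time.in.millis is true (the documented default)."""
    factor = 1000 if time_in_millis else 1
    return {"iat": now_seconds * factor,
            "exp": (now_seconds + lifetime_seconds) * factor}


def claim_unit(numeric_date: int) -> str:
    """Receiver-side sanity check: a seconds value stays below 10**11 for
    thousands of years, so a larger value was written in milliseconds. This
    explains a non-OWSM verifier rejecting a token as 'issued in the future'."""
    return "milliseconds" if numeric_date >= 10 ** 11 else "seconds"


if __name__ == "__main__":
    # Constructed inputs: a service URL with an explicit port and the defaults.
    url = "https://svc.example.com:8443/orders/v1"
    print(resolve_issuer(True, "client-abc"), resolve_scope(True, "", url))
    print(time_claims(1_700_000_000, 300, True), claim_unit(1_700_000_000_000))
```

The practical point of claim_unit is interoperability: with time.in.millis left at its default of true, any verifier that expects RFC 7519 NumericDate seconds will see iat and exp roughly a thousand times too large, so set the property to false whenever the token is consumed outside Oracle WSM.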

user.attributes

Optional property that specifies whether user attributes are inserted as claims in JWT token.

Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token.

Requires that the Subject is available and subject.precedence is set to true.

A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create JWT claims.

The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider".

If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="user.attributes" 
orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>

user.roles.include

Optional property that specifies whether the user roles from the subject are included in the JWT token as claims. If set to true, the authenticated user roles are included in the JWT token as private claims.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="user.roles.include" 
orawsp:type="boolean">
<orawsp:Value/>
<orawsp:DefaultValue>false</orawsp:DefaultValue>
</orawsp:Property>

user.tenant.name

Reserved for internal use.

set.client.id

set.client.id is set to false by default. If it is set to true, OWSM sends the client ID to the OAuth2 provider as a query parameter in the access token request.

Default setting:

<orawsp:Property orawsp:type="boolean"
 orawsp:contentType="optional"
 orawsp:name="set.client.id">
<orawsp:Value/>
<orawsp:DefaultValue>false</orawsp:DefaultValue>
</orawsp:Property>

18.25 oracle/http_jwt_token_service_template

The oracle/http_jwt_token_service_template authenticates users using the credentials provided in the JWT token in the HTTP header.

Settings

The settings for the http_jwt_token_service_template assertion template are identical to the client version of the assertion template. See Table 18-37 for information about the settings.

Configuration

Table 18-29 lists the configuration properties and the default settings for the http_jwt_token_service_template assertion template.

Table 18-29 http_jwt_token_service_template Configuration Properties

Name Default Values

trusted.issuers

A comma-separated list of trusted issuers for an application that will override the trusted issuers defined at the domain level.

Default setting:

<orawsp:Property orawsp:contentType="optional"  
  orawsp:name="saml.trusted.issuers" orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

csf.map

Oracle WSM map in the credential store that contains the CSF aliases.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="csf.map" orawsp:type="string"/>

keystore.sig.csf.key

The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="keystore.sig.csf.key" orawsp:type="string"/>

reference.priority

Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.

The value of reference.priority can be any integer between (-2^31) and (2^31 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value, or has a non-numeric value, is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1.

For more information, see "Specifying the Priority of a Policy Attachment".

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="reference.priority" orawsp:type="string"/>

propagate.identity.context

Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="propagate.identity.context" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>

18.26 oracle/http_oauth2_token_over_ssl_client_template

The http_oauth2_token_over_ssl_client_template assertion template is the HTTP binding level template for OAuth2 token authentication. This template is the same as http_oauth2_token_client_template, except that the access token (AT) is propagated to the resource over one-way SSL.

Settings

Table 18-30 lists the settings for the http_oauth2_token_over_ssl_client_template assertion template.

Table 18-30 http_oauth2_token_over_ssl_client_template Settings

Name Description Default Value

Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

    Note: It is recommended that you configure SSL when using basic authentication.

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • jwt—Client authenticates itself using JWT token.

  • oam—Client authenticates itself using OAM agent.

  • oauth2—Client authenticates using OAuth2 framework.

  • saml20-bearer—Client authenticates itself using SAML 2.0 Bearer token.

  • spnego—Client authenticates itself using Kerberos SPNEGO.

<orasp:auth-header 
  orasp:mechanism="oauth2"/>

Authentication Header—Header Name

Name of the authentication header.

None

Authentication Header—is-signed

Flag that specifies whether the token is signed.

<orasp:auth-header
orasp:is-signed="false"/>

Authentication Header—is-encrypted

Flag that specifies whether the token is encrypted.

<orasp:auth-header
orasp:is-encrypted="false"/>

Transport Security

Flag that specifies whether SSL is enabled.

<orasp:auth-header
 orasp:require-tls/>

Transport Security—Mutual Authentication Required

Flag that specifies whether two-way authentication is required.

Valid values include:

  • Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.

  • Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.

<orasp:auth-header
  orasp:mutual-auth="false"/>

Transport Security—Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

<orasp:auth-header
orasp:include-timestamp="false"/>

Configurations

The settings for the http_oauth2_token_over_ssl_client_template assertion template are identical to the non-SSL version of the assertion template. See Table 18-27 for information about the settings.

18.27 oracle/http_mutual_auth_over_ssl_client_template

This topic describes the http_mutual_auth_over_ssl_client_template assertion template.

Display Name: http mutual auth over ssl client template

Category: Security

Type: http-security

Description

The http_mutual_auth_over_ssl_client_template assertion template includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based client.

Settings

Table 18-31 lists the settings for the http_mutual_auth_over_ssl_client_template assertion template.

Table 18-31 http_mutual_auth_over_ssl_client_template Settings

Name | Default Value

Authentication Header—Mechanism | basic

Transport Layer Security | Enabled

Transport Layer Security—Mutual Authentication Required | Enabled

Transport Layer Security—Include Timestamp | Disabled

Algorithm Suite | BASIC_128

Configuration

Table 18-32 lists the configuration properties and the default settings for the wss_http_token_over_ssl_client_template assertion template.

Table 18-32 wss_http_token_over_ssl_client_template Configuration Properties

Name | Default Value | Type

csf-key | basic.credentials | Required

role | ultimateReceiver | Constant

reference.priority | None | Optional

18.28 oracle/http_mutual_auth_over_ssl_service_template

Display Name: http mutual auth over ssl service template

Category: Security

Type: http-security

Description

The http_mutual_auth_over_ssl_service_template assertion template extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.

Settings

The settings for the http_mutual_auth_over_ssl_service_template assertion template are identical to the client version of the assertion template.

Configuration

Table 18-33 lists the configuration properties and the default settings for the http_mutual_auth_over_ssl_service_template assertion template.

Table 18-33 http_mutual_auth_over_ssl_service_template Configuration Properties

Name | Default Value | Type

realm | owsm | Constant

role | ultimateReceiver | Constant

reference.priority | None | Optional

18.29 oracle/http_jwt_token_over_ssl_service_template

The oracle/http_jwt_token_over_ssl_service_template authenticates users using the username provided in the JWT token in the HTTP header.

Settings

The settings for the http_jwt_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-39 for information about the settings.

Configuration

Table 18-34 lists the configuration properties and the default settings for the http_jwt_token_over_ssl_service_template assertion template.

Table 18-34 http_jwt_token_over_ssl_service_template Configuration Properties

Name Default Values

csf.map

Oracle WSM map in the credential store that contains the CSF aliases.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="csf.map" orawsp:type="string"/>

keystore.sig.csf.key

The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="keystore.sig.csf.key" orawsp:type="string"/>

propagate.identity.context

Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="propagate.identity.context" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>

reference.priority

Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.

The value of reference.priority can be any integer between (-2^31) and (2^31 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value, or has a non-numeric value, is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1.

For more information, see "Specifying the Priority of a Policy Attachment".

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="reference.priority" orawsp:type="string"/>

trusted.issuers

A comma-separated list of trusted issuers for an application that will override the trusted issuers defined at the domain level.

Default setting:

<orawsp:Property orawsp:contentType="optional"  
  orawsp:name="saml.trusted.issuers" orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

18.30 oracle/oauth2_config_client_template

The oauth2_config_client_template assertion template provides OAuth2 information that is used to invoke the OAuth2 server for obtaining an access token.

Settings

Table 18-35 lists the settings for the oauth2_config_client_template assertion template.

Table 18-35 oauth2_config_client_template Settings

Name Description Default Value

token-uri

Required property that specifies the token endpoint of the OAuth2 server.

orasp:token-uri="http://host:port/tokens" 

Configurations

Table 18-36 lists the default configuration properties for the oauth2_config_client_template assertion template.

Table 18-36 oauth2_config_client_template Configuration Properties

Name Description

oauth2.client.csf.key

Required property that specifies the key to use to obtain the client username and password.

The value of oauth2.client.csf.key must match the client ID and secret expected by the client profile, as described in "Understanding OAuth Client Profiles Configuration" in Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

Default setting:

<orawsp:Property orawsp:type="string"
orawsp:contentType="required"
orawsp:name="oauth2.client.csf.key">
<orawsp:Value/>
<orawsp:DefaultValue>basic.client.credentials</orawsp:DefaultValue>
</orawsp:Property>

role

SOAP role.

Default setting:

<orawsp:Property orawsp:contentType="constant" 
  orawsp:name="role" orawsp:type="string">
  <orawsp:DefaultValue>
    ultimateReceiver
  </orawsp:DefaultValue>
</orawsp:Property>

reference.priority

Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.

The value of reference.priority can be any integer between (-2^31) and (2^31 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value, or has a non-numeric value, is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1.

For more information, see "Specifying the Priority of a Policy Attachment".

Default setting:

<orawsp:Property orawsp:contentType="optional" 
 orawsp:name="reference.priority" orawsp:type="string"/>

token.uri

Optional property to override the token-uri value.

Default setting:

<orawsp:Property orawsp:contentType="optional"
  orawsp:name="token.uri" orawsp:type="string">
  <orawsp:Value/>
  <orawsp:DefaultValue>http://host:port/tokens</orawsp:DefaultValue>
</orawsp:Property>

18.31 oracle/http_jwt_token_client_template

The http_jwt_token_client_template assertion template includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property.

Settings

Table 18-37 lists the settings for the http_jwt_token_client_template assertion template.

Table 18-37 http_jwt_token_client_template Settings

Name Description Default Value

Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

    Note: It is recommended that you configure SSL when using basic authentication.

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • jwt—Client authenticates itself using JWT token.

  • oam—Client authenticates itself using OAM agent.

  • saml20-bearer—Client authenticates itself using SAML 2.0 Bearer token.

  • spnego—Client authenticates itself using Kerberos SPNEGO.

<orasp:auth-header 
  orasp:mechanism="jwt"/>

Authentication Header—Header Name

Name of the authentication header.

None

Authentication Header—algorithm-suite

Algorithm suite used to sign the JWT token.

<orasp:auth-header
orasp:algorithm-suite="Basic256Sha256"/>

Authentication Header—is-signed

Flag that specifies whether the JWT token is signed. The only valid value for JWT policies is: true.

<orasp:auth-header
orasp:is-signed="true"/>

Authentication Header—is-encrypted

Flag that specifies whether the JWT token is encrypted.

<orasp:auth-header
orasp:is-encrypted="false"/>

Configuration

Table 18-38 lists the configuration properties and the default settings for the http_jwt_token_client_template assertion template.

Table 18-38 http_jwt_token_client_template Configuration Properties

Name Default Values

audience.uri

Audience restriction. The following conditions are supported:

  • If this property is not set, the service URL is used as the audience URI

  • If this property is set to NONE (not case sensitive), then the audience URI is set to null.

  • If this property is set to a value other than NONE, then the audience URI is set to this value.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="audience.uri" orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store.

Default setting:

<orawsp:Property orawsp:contentType="optional"
   orawsp:name="csf-key" orawsp:type="string">
   <orawsp:Value>basic.credentials</orawsp:Value>
</orawsp:Property>

csf.map

Oracle WSM map in the credential store that contains the CSF aliases.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="csf.map" orawsp:type="string"/>

issuer.name

Name of the JWT issuer. The default value is www.oracle.com.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="issuer.name" orawsp:type="string">
  <orawsp:Value>www.oracle.com</orawsp:Value>
</orawsp:Property>

keystore.sig.csf.key

The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="keystore.sig.csf.key" orawsp:type="string"/>

propagate.identity.context

Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="propagate.identity.context" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>

reference.priority

Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.

The value of reference.priority can be any integer between (-2^31) and (2^31 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value, or has a non-numeric value, is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1.

For more information, see "Specifying the Priority of a Policy Attachment".

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="reference.priority" orawsp:type="string"/>

subject.precedence

Property that specifies the location from which the subject used to create the JWT token should be obtained.

If subject.precedence is set to true, the user name to create the JWT token is obtained only from the authenticated Subject. If subject.precedence is set to false, the user name to create the JWT token is obtained only from the csf-key username property.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="subject.precedence" orawsp:type="string">
  <orawsp:Value>true</orawsp:Value>
</orawsp:Property>

user.attributes

List of user attributes for the authenticated user to be included in the JWT token.

Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token.

Requires that the Subject is available and subject.precedence is set to true.

A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create JWT claims.

The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider".

If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="user.attributes" orawsp:type="string"/>

user.roles.include

User roles to be included in the JWT token. If set to true, the authenticated user roles are included in the JWT token as private claims. The default is false.

Default setting:

<orawsp:Property orawsp:contentType="optional"   
  orawsp:name="user.roles.include" orawsp:type="string">
  <orawsp:Value>false</orawsp:Value>
</orawsp:Property>

user.tenant.name

Reserved for internal use.

18.32 oracle/http_jwt_token_over_ssl_client_template

The http_jwt_token_over_ssl_client_template assertion template includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy.

A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property.

Settings

Table 18-39 lists the settings for the http_jwt_token_over_ssl_client_template assertion template.

Table 18-39 http_jwt_token_over_ssl_client_template Settings

Name Description Default Value

Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

    Note: It is recommended that you configure SSL when using basic authentication.

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • jwt—Client authenticates itself using JWT token.

  • oam—Client authenticates itself using OAM agent.

  • saml20-bearer—Client authenticates itself using SAML 2.0 Bearer token.

  • spnego—Client authenticates itself using Kerberos SPNEGO.

<orasp:auth-header 
  orasp:mechanism="jwt"/>

Authentication Header—Header Name

Name of the authentication header.

None

Authentication Header—algorithm-suite

Flag that specifies the algorithm suite used to sign the JWT token.

<orasp:auth-header
orasp:algorithm-suite="Basic256Sha256"/>

Authentication Header—is-signed

Flag that specifies whether the JWT token is signed. The only valid value for JWT policies is: true.

<orasp:auth-header
orasp:is-signed="true"/>

Authentication Header—is-encrypted

Flag that specifies whether the JWT token is encrypted.

<orasp:auth-header
orasp:is-encrypted="false"/>

Transport Security

Flag that specifies whether SSL is enabled.

<orasp:auth-header
 orasp:require-tls/>

Transport Security—Mutual Authentication Required

Flag that specifies whether two-way authentication is required.

Valid values include:

  • Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.

  • Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.

<orasp:auth-header
  orasp:mutual-auth="false"/>

Transport Security—Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

<orasp:auth-header
orasp:include-timestamp="false"/>

Configuration

Table 18-40 lists the configuration properties and the default settings for the http_jwt_token_over_ssl_client_template assertion template.

Table 18-40 http_jwt_token_over_ssl_client_template Configuration Properties

Name Default Values

audience.uri

Audience restriction. The following conditions are supported:

  • If this property is not set, the service URL is used as the audience URI

  • If this property is set to NONE (not case sensitive), then the audience URI is set to null.

  • If this property is set to a value other than NONE, then the audience URI is set to this value.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="audience.uri" orawsp:type="string">
  <orawsp:Value/>
</orawsp:Property>

csf.map

Oracle WSM map in the credential store that contains the CSF aliases.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="csf.map" orawsp:type="string"/>

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store.

Default setting:

<orawsp:Property orawsp:contentType="optional"
   orawsp:name="csf-key" orawsp:type="string">
   <orawsp:Value>basic.credentials</orawsp:Value>
</orawsp:Property>

issuer.name

Name of the JWT issuer. The default value is www.oracle.com.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="issuer.name" orawsp:type="string">
  <orawsp:Value>www.oracle.com</orawsp:Value>
</orawsp:Property>

keystore.sig.csf.key

The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="keystore.sig.csf.key" orawsp:type="string"/>

propagate.identity.context

Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="propagate.identity.context" orawsp:type="string">
<orawsp:Value/>
</orawsp:Property>

reference.priority

Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.

The value of reference.priority can be any integer between (-2^31) and (2^31 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value, or has a non-numeric value, is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1.

For more information, see "Specifying the Priority of a Policy Attachment".

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="reference.priority" orawsp:type="string"/>
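The reference.priority description is repeated word for word for every template in this chapter (the OAuth2 client, the JWT service templates, the config client template and the JWT client templates), so one added example serves all of them. It is not Oracle WSM code: it models only the rules the description states (a 32-bit integer range, "yes"/"true"/"on" mapped to 1, a missing or non-numeric value mapped to 0, and the highest value winning irrespective of scope) so that the outcome of conflicting attachments can be predicted before deployment. The Attachment class, its scope labels and the decision to reject out-of-range values and report ties are assumptions of the example; the page gives no tie-break rule.

```python
"""Effective-policy priority rules for reference.priority (added example)."""
from dataclasses import dataclass
from typing import List, Optional

INT32_MIN = -2 ** 31
INT32_MAX = 2 ** 31 - 1
TRUTHY_WORDS = ("yes", "true", "on")


def parse_reference_priority(value: Optional[str]) -> int:
    """Return the integer priority the documented rules assign to a raw override value."""
    if value is None:
        return 0
    text = value.strip()
    if text.lower() in TRUTHY_WORDS:
        return 1
    try:
        number = int(text)
    except ValueError:
        return 0  # empty or non-numeric is treated as 0
    if not INT32_MIN <= number <= INT32_MAX:
        # Values outside the documented range are not covered; rejecting them is an assumption.
        raise ValueError(f"reference.priority {number} is outside the 32-bit signed range")
    return number


@dataclass(frozen=True)
class Attachment:
    """One policy attachment (constructed model, not an OWSM type)."""
    policy: str
    scope: str  # constructed labels such as "domain", "application", "port"
    priority: Optional[str] = None


def effective_policy(attachments: List[Attachment]) -> Attachment:
    """Among conflicting attachments the highest reference.priority wins,
    regardless of scope. A tie is reported rather than decided, because the
    description on this page gives no tie-break rule."""
    if not attachments:
        raise ValueError("no attachments to evaluate")
    ranked = sorted(attachments, key=lambda a: parse_reference_priority(a.priority), reverse=True)
    top = parse_reference_priority(ranked[0].priority)
    tied = [a for a in ranked if parse_reference_priority(a.priority) == top]
    if len(tied) > 1:
        raise ValueError("priority tie between: " + ", ".join(a.policy for a in tied))
    return ranked[0]


if __name__ == "__main__":
    # Constructed scenario: a port-level attachment with priority 10 beats a
    # domain attachment with 5 and an application attachment whose "on" maps to 1.
    domain = Attachment("constructed_policy_a", "domain", "5")
    app = Attachment("constructed_policy_b", "application", "on")
    port = Attachment("constructed_policy_c", "port", "10")
    print(effective_policy([domain, app, port]).policy)
```

A review point worth checking with this model: because a non-numeric value silently becomes 0 and "true" becomes 1, a typo in an override (for example "1O" with a letter O) demotes an attachment rather than failing, so validate override values with parse_reference_priority during change review instead of relying on the runtime to complain.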

subject.precedence

Property that specifies the location from which the subject used to create the JWT token should be obtained.

If subject.precedence is set to true, the user name to create the JWT token is obtained only from the authenticated Subject. If subject.precedence is set to false, the user name to create the JWT token is obtained only from the csf-key username property.

Default setting:

<orawsp:Property orawsp:contentType="optional" 
  orawsp:name="subject.precedence" orawsp:type="string">
  <orawsp:Value>true</orawsp:Value>
</orawsp:Property>

user.attributes

List of user attributes for the authenticated user to be included in the JWT token.

Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token.

Requires that the Subject is available and subject.precedence is set to true.

A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create JWT claims.

The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must therefore exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Configuring an Authentication Provider".

If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.

Default setting:

<orawsp:Property orawsp:contentType="optional"
 orawsp:name="user.attributes" orawsp:type="string"/>

user.roles.include

User roles to be included in the JWT token. If set to true, the authenticated user roles are included in the JWT token as private claims. The default is false.

Default setting:

<orawsp:Property orawsp:contentType="optional"   
  orawsp:name="user.roles.include" orawsp:type="string">
  <orawsp:Value>false</orawsp:Value>
</orawsp:Property>

user.tenant.name

Reserved for internal use.
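The following is an added example, not Oracle WSM code, showing how issuer.name, subject.precedence, user.attributes and user.roles.include combine when a client assertion assembles the JWT claim set as described above. The authenticated Subject and the identity store are plain values so the example runs offline, and the private claim name "roles" and the function names are the author's choices; property defaults are the ones the page gives.

```python
"""Added example (not Oracle WSM code): JWT claims from assertion properties."""

# Constructed identity store standing in for the first (and only) store searched.
IDENTITY_STORE = {
    "jdoe": {
        "attributes": {"mail": "jdoe@example.com", "department": "finance"},
        "roles": ["Approver", "Viewer"],
    },
}


def _flag(properties, name, default):
    """Read a true/false property, falling back to the page's documented default."""
    return (properties.get(name) or default).strip().lower() == "true"


def _attribute_names(properties):
    """Split the comma-separated user.attributes value, ignoring blanks."""
    raw = properties.get("user.attributes") or ""
    return [name.strip() for name in raw.split(",") if name.strip()]


def check_jwt_properties(properties, authenticated_subject, csf_username,
                         identity_store=IDENTITY_STORE):
    """Return the list of configuration problems; an empty list means a
    token can be built from these inputs."""
    problems = []
    precedence = _flag(properties, "subject.precedence", "true")
    # subject.precedence selects the single source of the user name.
    user = authenticated_subject if precedence else csf_username
    if user is None:
        source = "authenticated Subject" if precedence else "csf-key username property"
        problems.append(f"no user name available from the {source}")
    if _attribute_names(properties):
        # user.attributes needs the Subject, so subject.precedence must be true,
        # and the user must exist in the identity store that is searched.
        if not precedence:
            problems.append("user.attributes requires subject.precedence=true")
        elif user is not None and user not in identity_store:
            problems.append(f"user {user!r} is not in the identity store")
    return problems


def build_jwt_claims(properties, authenticated_subject, csf_username,
                     identity_store=IDENTITY_STORE):
    """Assemble the claims a client assertion would sign into the JWT."""
    problems = check_jwt_properties(properties, authenticated_subject,
                                    csf_username, identity_store)
    if problems:
        raise ValueError("; ".join(problems))
    precedence = _flag(properties, "subject.precedence", "true")
    user = authenticated_subject if precedence else csf_username
    claims = {"iss": properties.get("issuer.name") or "www.oracle.com", "sub": user}

    record = identity_store.get(user, {})
    # Only attribute names that exist in the store become claims; unknown
    # names are skipped rather than emitted empty.
    for name in _attribute_names(properties):
        if name in record.get("attributes", {}):
            claims[name] = record["attributes"][name]

    # user.roles.include=true adds the user's roles as a private claim
    # (claim name "roles" is an assumption of this example).
    if _flag(properties, "user.roles.include", "false") and record.get("roles"):
        claims["roles"] = list(record["roles"])
    return claims


if __name__ == "__main__":
    props = {"subject.precedence": "true", "user.attributes": "mail,department",
             "user.roles.include": "true"}
    print(build_jwt_claims(props, authenticated_subject="jdoe", csf_username="svc"))
```

Running check_jwt_properties before building makes the two failure modes the page names visible as data: user.attributes with subject.precedence set to false, and a Subject that is not present in the identity store.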

18.33 oracle/wss10_message_protection_client_template

This topic describes the wss10_message_protection_client_template assertion template.

Display Name: Wss10 Message Protection client Assertion Template

Category: Security

Type: wss10-anonymous-with-certificates

Description

The wss10_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table 18-41 lists the settings for the wss10_message_protection_client_template assertion template.

Table 18-41 wss10_message_protection_client_template Settings

| Name | Default Value |
|---|---|
| X509 Token | |
| Sign Key Reference Mechanism | direct |
| Encryption Key Reference Mechanism | direct |
| Recipient Sign Key Reference Mechanism | direct |
| Recipient Encryption Key Reference Mechanism | direct |
| Is Signed | Disabled |
| Use PKI Path | Disabled |
| Secure Conversation | |
| Enabled | Disabled |
| Version | 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation versions 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
| Re-authenticate | Disabled |
| Client Entropy | Enabled |
| Derived Keys | Enabled |
| Server Entropy | Enabled |
| Bootstrap Message Security | Inherit from Application Setting |
| Message Security | |
| Algorithm Suite | BASIC_128 |
| Include Timestamp | Enabled |
| Confirm Signature | Disabled |
| Encrypt Signature | Disabled |
| Request Message Settings | See Table 18-132 |
| Response Message Settings | See Table 18-132 |
| Fault Message Settings | See Table 18-132 |

Configuration

Table 18-42 lists the configuration properties and the default settings for the wss10_message_protection_client_template assertion template.

Table 18-42 wss10_message_protection_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| keystore.recipient.alias | orakey | Required |
| role | ultimateReceiver | Constant |
| keystore.sig.csf.key | None | Optional |
| keystore.enc.csf.key | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.34 oracle/wss10_message_protection_service_template

This topic describes the wss10_message_protection_service_template assertion template.

Display Name: Wss10 Message Protection service Assertion Template

Category: Security

Type: wss10-anonymous-with-certificates

Description

The wss10_message_protection_service_template assertion template provides message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_message_protection_service_template are identical to the client version of the assertion template. See Table 18-41 for information about the settings.

Configuration

Table 18-43 lists the configuration properties and the default settings for the wss10_message_protection_service_template assertion template.

Table 18-43 wss10_message_protection_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| role | ultimateReceiver | Constant |
| keystore.sig.csf.key | None | Optional |
| keystore.enc.csf.key | None | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.35 oracle/wss11_message_protection_client_template

This topic describes the wss11_message_protection_client_template assertion template.

Display Name: Wss11 Message Protection client Assertion Template

Category: Security

Type: wss11-anonymous-with-certificates

Description

The wss11_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

Table 18-44 lists the settings for the wss11_message_protection_client_template assertion template.

Table 18-44 wss11_message_protection_client_template Settings

| Name | Default Value |
|---|---|
| X509 Token | |
| Encryption Key Reference Mechanism | thumbprint |
| Is Signed | Enabled |
| Use PKI Path | Disabled |
| Derived Keys | Disabled |
| Secure Conversation | |
| Enabled | Disabled |
| Version | 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
| Re-authenticate | Disabled |
| Client Entropy | Enabled |
| Derived Keys | Enabled |
| Server Entropy | Enabled |
| Bootstrap Message Security | Inherit from Application Setting |
| Message Security | |
| Algorithm Suite | BASIC_128 |
| Include Timestamp | Enabled |
| Confirm Signature | Enabled |
| Encrypt Signature | Disabled |
| Request Message Settings | See Table 18-132 |
| Response Message Settings | See Table 18-132 |
| Fault Message Settings | See Table 18-132 |

Configuration

Table 18-45 lists the configuration properties and the default settings for the wss11_message_protection_client_template assertion template.

Table 18-45 wss11_message_protection_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| keystore.recipient.alias | orakey | Required |
| role | ultimateReceiver | Constant |
| keystore.enc.csf.key | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.36 oracle/wss11_message_protection_service_template

This topic describes the wss11_message_protection_service_template assertion template.

Display Name: Wss11 Message Protection service Assertion Template

Category: Security

Type: wss11-anonymous-with-certificates

Description

The wss11_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

The settings for the wss11_message_protection_service_template are identical to the client version of the assertion template. See Table 18-44 for information about the settings.

Configuration

Table 18-46 lists the configuration properties and the default settings for the wss11_message_protection_service_template assertion template.

Table 18-46 wss11_message_protection_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| role | ultimateReceiver | Constant |
| keystore.enc.csf.key | None | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.37 wss11_username_token_derivedkey_message_protection_signature_client

This topic describes the oracle/wss11_username_token_derivedkey_with_message_protection_signature_only_client_template assertion template.

Display Name: wss11 username with derivedKey with message protection signature only client template

Category: Security

Type: wss11-username-with-derivedKey

Note:

When cloning policies based on the wss11-username-with-derivedKey assertion, the request, response, or fault message part can contain either signed parts or encrypted parts, but not both.

Description

The wss11_username_token_derivedkey_with_message_protection_signature_only_client_template assertion template enforces authentication and message protection in accordance with the WS-Security v1.1 standard.

The web service consumer inserts username and password credentials, and signs the outgoing SOAP message. The web service provider verifies the message and the signature. To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider.

Settings

Table 18-47 lists the settings for the wss11_username_token_derivedkey_with_message_protection_signature_only_client_template assertion template.

Table 18-47 wss11_username_token_derivedkey_with_message_protection_signature_only_client_template

| Name | Default Value |
|---|---|
| Username Token | |
| Password Type | none |
| Creation Time Required | Disabled |
| Nonce Required | Disabled |
| Is Encrypted | Disabled |
| Is Signed | Enabled |
| Message Security | |
| Algorithm Suite | BASIC_128 |
| Include Timestamp | Enabled |
| Confirm Signature | Enabled |
| Encrypt Signature | Disabled |
| Request Message Settings | See Table 18-132 |
| Response Message Settings | See Table 18-132 |
| Fault Message Settings | See Table 18-132 |

Configuration

Table 18-48 lists the configuration properties and the default settings for the assertion template.

Table 18-48 wss11_username_token_derivedkey_with_message_protection_signature_only_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| csf-key | basic.credentials | Required |
| user.tenant.name | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| iterations | 1000 | Optional |

18.38 wss11_username_token_derivedkey_message_protection_encryption_client_template

This topic describes the oracle/wss11_username_token_derivedkey_with_message_protection_encryption_only_client_template assertion template.

Display Name: wss11 username token derivedKey with message protection encryption only client template

Category: Security

Type: wss11-username-with-derivedKey

Note:

When cloning policies based on the wss11-username-with-derivedKey assertion, the request, response, or fault message part can contain either signed parts or encrypted parts, but not both.

Description

The wss11_username_token_derivedkey_with_message_protection_encryption_only_client_template assertion template includes authentication and message protection in accordance with the WS-Security v1.1 standard.

The web service consumer inserts username and password credentials, and encrypts the outgoing SOAP message. The web service provider verifies the message and the signature. To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider.

Settings

Table 18-49 lists the settings for the wss11_username_token_derivedkey_with_message_protection_encryption_only_client_template assertion template.

Table 18-49 wss11_username_token_derivedkey_with_message_protection_encryption_only_client_template

| Name | Default Value |
|---|---|
| Username Token | |
| Password Type | none |
| Creation Time Required | Disabled |
| Nonce Required | Disabled |
| Is Encrypted | Disabled |
| Is Signed | Disabled |
| Message Security | |
| Algorithm Suite | BASIC_128 |
| Include Timestamp | Enabled |
| Confirm Signature | Disabled |
| Encrypt Signature | Disabled |
| Request Message Settings | See Table 18-132 |
| Response Message Settings | See Table 18-132 |
| Fault Message Settings | See Table 18-132 |

Configuration

Table 18-50 lists the configuration properties and the default settings for the assertion template.

Table 18-50 wss11_username_token_derivedkey_with_message_protection_encryption_only_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| csf-key | basic.credentials | Required |
| user.tenant.name | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| iterations | 1000 | Optional |

18.39 oracle/wss_http_token_over_ssl_client_template

This topic describes the wss_http_token_over_ssl_client_template assertion template.

Display Name: Wss HTTP Token Over SSL client Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_over_ssl_client_template assertion template includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based client.
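The following is an added example, not Oracle WSM code, that mirrors the two checks described above on the client side: credentials are read from a credential-store entry named by a csf-key and placed in the HTTP Authorization header using the basic mechanism, but only when the request URL uses HTTPS, since Basic credentials are merely Base64-encoded and would otherwise cross the network in the clear. The store contents and function names are the author's own stand-ins.

```python
"""Added example (not Oracle WSM code): Basic credentials only over HTTPS."""
import base64
from urllib.parse import urlsplit

# Constructed credential-store entry; the csf-key "basic.credentials" is the
# default shown in the configuration table for this template.
CREDENTIAL_STORE = {"basic.credentials": ("svc", "pw1")}


def transport_is_secure(url):
    """True only for https:// URLs; the assertion refuses every other transport."""
    return urlsplit(url).scheme.lower() == "https"


def basic_authorization_header(url, csf_key="basic.credentials", store=CREDENTIAL_STORE):
    """Return the ("Authorization", value) pair for a request to url.

    Raises PermissionError rather than handing Basic credentials to a
    cleartext transport, which is the refusal the assertion description
    specifies for non-HTTPS requests.
    """
    if not transport_is_secure(url):
        raise PermissionError(
            f"refusing to send Basic credentials to {url!r}: transport is not HTTPS")
    username, password = store[csf_key]
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return ("Authorization", f"Basic {token}")


if __name__ == "__main__":
    print(basic_authorization_header("https://svc.example.com/ws"))
```

The scheme check runs before the credential lookup, so a misconfigured endpoint URL fails closed without the secret ever being read from the store.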

Settings

Table 18-51 lists the settings for the wss_http_token_over_ssl_client_template assertion template.

Table 18-51 wss_http_token_over_ssl_client_template Settings

| Name | Default Value |
|---|---|
| Authentication Header | |
| Authentication Header—Mechanism | basic |
| Authentication Header—Header Name | None |
| Transport Layer Security | |
| Transport Layer Security | Enabled |
| Transport Layer Security—Mutual Authentication Required | Disabled |
| Transport Layer Security—Include Timestamp | Disabled |
| Algorithm Suite | BASIC_128 |

Configuration

Table 18-52 lists the configuration properties and the default settings for the wss_http_token_over_ssl_client_template assertion template.

Table 18-52 wss_http_token_over_ssl_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| csf-key | basic.credentials | Required |
| role | ultimateReceiver | Constant |
| reference.priority | None | Optional |

18.40 oracle/wss_http_token_over_ssl_service_template

Display Name: Wss HTTP Token Over SSL service Assertion Template

Category: Security

Type: http-security

Description

The wss_http_token_over_ssl_service_template assertion template extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss_http_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-51 for information about the settings.

Configuration

Table 18-53 lists the configuration properties and the default settings for the wss_http_token_over_ssl_service_template assertion template.

Table 18-53 wss_http_token_over_ssl_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| realm | owsm | Constant |
| role | ultimateReceiver | Constant |
| reference.priority | None | Optional |

18.41 oracle/wss_saml_token_bearer_client_template

This topic describes the wss_saml_token_bearer_client_template assertion template.

Display Name: Wss SAML Bearer Token client Assertion Template

Category: Security

Type: wss11-saml-token

Description

The wss_saml_token_bearer_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 18-54 lists the settings for the wss_saml_token_bearer_client_template assertion template.

Table 18-54 wss_saml_token_bearer_client_template Settings

| Name | Default Value |
|---|---|
| SAML Token Type | |
| Version | 1.1 |
| Confirmation Type | bearer |
| Name Identifier Format | unspecified |

Configuration

Table 18-55 lists the configuration properties and the default settings for the wss_saml_token_bearer_client_template assertion template.

Table 18-55 wss_saml_token_bearer_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| user.attributes | None | Optional |
| user.roles.include | false | Optional |
| saml.issuer.name | www.oracle.com | Optional |
| csf-key | basic.credentials | Optional |
| csf.map | None | Optional |
| subject.precedence | true | Optional |
| saml.audience.uri | None | Optional |
| keystore.sig.csf.key | None | Optional |
| saml.envelope.signature.required | true | Optional |
| propagate.identity.context | None | Optional |
| user.tenant.name | None | Optional |
| reference.priority | None | Optional |
| include-timestamp | false | Optional |

18.42 oracle/wss_saml_token_bearer_service_template

This topic describes the wss_saml_token_bearer_service_template assertion template.

Display Name: Wss SAML Bearer Token service Assertion Template

Category: Security

Type: wss11-saml-token

Description

The wss_saml_token_bearer_service_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 18-56 lists the settings for the wss_saml_token_bearer_service_template assertion template.

Table 18-56 wss_saml_token_bearer_service_template Settings

| Name | Default Value |
|---|---|
| SAML Token Type | |
| Version | 1.1 |
| Confirmation Type | bearer |
| Name Identifier Format | unspecified |

Configuration

Table 18-57 lists the configuration properties and the default settings for the wss_saml_token_bearer_service_template assertion template.

Table 18-57 wss_saml_token_bearer_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| role | ultimateReceiver | Constant |
| saml.trusted.issuers | None | Optional |
| saml.envelope.signature.required | true | Optional |
| propagate.identity.context | None | Optional |
| reference.priority | None | Optional |

18.43 oracle/wss_saml_token_bearer_over_ssl_client_template

This topic describes the wss_saml_token_bearer_over_ssl_client_template assertion template.

Display Name: Wss SAML Token (Confirmation method as bearer) Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml_token_bearer_over_ssl_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 18-58 lists the settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.

Table 18-58 wss_saml_token_bearer_over_ssl_client_template Settings

| Name | Default Value |
|---|---|
| SAML Token Type | |
| Version | 1.1 |
| Confirmation Type | bearer |
| Is Signed | Disabled |
| Is Encrypted | Disabled |
| Name Identifier Format | unspecified |
| Transport Layer Security | |
| Transport Layer Security | Enabled |
| Transport Layer Security—Mutual Authentication Required | Disabled |
| Transport Layer Security—Include Timestamp | Enabled |
| Algorithm Suite | None |
| Algorithm Suite | BASIC_128 |
| Secure Conversation | |
| Enabled | Disabled |
| Version | 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
| Re-authenticate | Disabled |
| Client Entropy | Enabled |
| Derived Keys | Disabled |
| Server Entropy | Enabled |

Configuration

Table 18-59 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.

Table 18-59 wss_saml_token_bearer_over_ssl_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| user.attributes | None | Optional |
| user.roles.include | false | Optional |
| saml.issuer.name | www.oracle.com | Optional |
| csf-key | basic.credentials | Optional |
| subject.precedence | true | Optional |
| saml.audience.uri | None | Optional |
| keystore.sig.csf.key | None | Optional |
| propagate.identity.context | None | Optional |
| user.tenant.name | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.44 oracle/wss_saml_token_bearer_over_ssl_service_template

This topic describes the wss_saml_token_bearer_over_ssl_service_template assertion template.

Display Name: Wss SAML Token (Confirmation method as bearer) Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the wss_saml_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-58 for information about the settings.

Configuration

Table 18-60 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_service_template assertion template.

Table 18-60 wss_saml_token_bearer_over_ssl_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| role | ultimateReceiver | Constant |
| saml.trusted.issuers | None | Optional |
| propagate.identity.context | None | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.45 oracle/wss_saml20_token_bearer_over_ssl_client_template

This topic describes the wss_saml20_token_bearer_over_ssl_client_template assertion template.

Display Name: Wss SAML V2.0 Token (Confirmation method as bearer) Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml20_token_bearer_over_ssl_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table 18-61 lists the settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.

Table 18-61 wss_saml20_token_bearer_over_ssl_client_template Settings

| Name | Default Value |
|---|---|
| SAML Token Type | |
| Version | 2.0 |
| Confirmation Type | bearer |
| Is Signed | Disabled |
| Is Encrypted | Disabled |
| Name Identifier Format | unspecified |
| Transport Layer Security | |
| Transport Layer Security | Enabled |
| Transport Layer Security—Mutual Authentication Required | Disabled |
| Transport Layer Security—Include Timestamp | Enabled |
| Algorithm Suite | None |
| Algorithm Suite | BASIC_128 |
| Secure Conversation | |
| Enabled | Disabled |
| Version | 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
| Re-authenticate | Disabled |
| Client Entropy | Enabled |
| Derived Keys | Disabled |
| Server Entropy | Enabled |

Configuration

Table 18-62 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.

Table 18-62 wss_saml20_token_bearer_over_ssl_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| user.attributes | None | Optional |
| user.roles.include | false | Optional |
| saml.issuer.name | www.oracle.com | Optional |
| csf-key | basic.credentials | Optional |
| subject.precedence | true | Optional |
| saml.audience.uri | None | Optional |
| keystore.sig.csf.key | None | Optional |
| propagate.identity.context | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.46 oracle/wss_saml20_token_bearer_over_ssl_service_template

Display Name: Wss SAML V2.0 Token (Confirmation method as bearer) Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-bearer-over-ssl

Description

The wss_saml20_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-61 for information about the settings.

Configuration

Table 18-63 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template.

Table 18-63 wss_saml20_token_bearer_over_ssl_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| role | ultimateReceiver | Constant |
| saml.trusted.issuers | None | Optional |
| propagate.identity.context | None | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.47 oracle/wss_saml_token_over_ssl_client_template

This topic describes the wss_saml_token_over_ssl_client_template assertion template.

Display Name: Wss SAML Token Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

Table 18-64 lists the settings for the wss_saml_token_over_ssl_client_template assertion template.

Table 18-64 wss_saml_token_over_ssl_client_template Settings

| Name | Default Value |
|---|---|
| SAML Token Type | |
| Version | 1.1 |
| Confirmation Type | sender-vouches |
| Is Signed | Enabled |
| Is Encrypted | Disabled |
| Name Identifier Format | unspecified |
| Transport Layer Security | |
| Transport Layer Security | Enabled |
| Transport Layer Security—Mutual Authentication Required | Enabled |
| Transport Layer Security—Include Timestamp | Enabled |
| Algorithm Suite | None |
| Algorithm Suite | BASIC_128 |
| Secure Conversation | |
| Enabled | Disabled |
| Version | 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
| Re-authenticate | Disabled |
| Client Entropy | Enabled |
| Derived Keys | Disabled |
| Server Entropy | Enabled |

Configuration

Table 18-65 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_client_template assertion template.

Table 18-65 wss_saml_token_over_ssl_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| user.attributes | None | Optional |
| user.roles.include | false | Optional |
| saml.issuer.name | www.oracle.com | Optional |
| csf-key | basic.credentials | Optional |
| subject.precedence | true | Optional |
| saml.audience.uri | None | Optional |
| propagate.identity.context | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.48 oracle/wss_saml_token_over_ssl_service_template

This topic describes the wss_saml_token_over_ssl_service_template assertion template.

Display Name: Wss SAML Token Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

The settings for the wss_saml_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-64 for information about the settings.

Configuration

Table 18-66 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_service_template assertion template.

Table 18-66 wss_saml_token_over_ssl_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| role | ultimateReceiver | Constant |
| saml.trusted.issuers | None | Optional |
| propagate.identity.context | None | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.49 oracle/wss_saml20_token_over_ssl_client_template

This topic describes the wss_saml20_token_over_ssl_client_template assertion template.

Display Name: Wss SAML V2.0 Token Over SSL client Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml20_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

Table 18-67 lists the settings for the wss_saml20_token_over_ssl_client_template assertion template.

Table 18-67 wss_saml20_token_over_ssl_client_template Settings

| Name | Default Value |
|---|---|
| SAML Token Type | |
| Version | 2.0 |
| Confirmation Type | sender-vouches |
| Is Signed | Enabled |
| Is Encrypted | Disabled |
| Name Identifier Format | unspecified |
| Transport Layer Security | |
| Transport Layer Security | Enabled |
| Transport Layer Security—Mutual Authentication Required | Enabled |
| Transport Layer Security—Include Timestamp | Enabled |
| Algorithm Suite | None |
| Algorithm Suite | BASIC_128 |
| Secure Conversation | |
| Enabled | Disabled |
| Version | 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
| Re-authenticate | Disabled |
| Client Entropy | Enabled |
| Derived Keys | Disabled |
| Server Entropy | Enabled |

Configuration

Table 18-68 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_client_template assertion template.

Table 18-68 wss_saml20_token_over_ssl_client_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| user.attributes | None | Optional |
| user.roles.include | false | Optional |
| saml.issuer.name | www.oracle.com | Optional |
| csf-key | basic.credentials | Optional |
| subject.precedence | true | Optional |
| saml.audience.uri | None | Optional |
| propagate.identity.context | None | Optional |
| ignore.timestamp.in.response | false | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.50 oracle/wss_saml20_token_over_ssl_service_template

This topic describes the wss_saml20_token_over_ssl_service_template assertion template.

Display Name: Wss SAML V2.0 Token Over SSL service Assertion Template

Category: Security

Type: wss-saml-token-over-ssl

Description

The wss_saml20_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

The settings for the wss_saml20_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-67 for information about the settings.

Configuration

Table 18-69 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_service_template assertion template.

Table 18-69 wss_saml20_token_over_ssl_service_template Configuration Properties

| Name | Default Value | Type |
|---|---|---|
| role | ultimateReceiver | Constant |
| saml.trusted.issuers | None | Optional |
| propagate.identity.context | None | Optional |
| sc.token.lifetime | None | Optional |
| reference.priority | None | Optional |

18.51 oracle/wss_username_token_over_ssl_client_template

This topic describes the wss_username_token_over_ssl_client_template assertion template.

Display Name: Wss Username Token Over SSL client Assertion Template

Category: Security

Type: wss-username-token-over-ssl

Description

The wss_username_token_over_ssl_client_template assertion template includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table 18-70 lists the settings for the wss_username_token_over_ssl_client_template assertion template.

Table 18-70 wss_username_token_over_ssl_client_template Settings

| Name | Default Value |
|---|---|
| Username Token | |
| Password Type | plaintext |
| Creation Time Required | Disabled |
| Nonce Required | Disabled |
| Transport Layer Security | |
| Transport Layer Security | Enabled |
| Transport Layer Security—Mutual Authentication Required | Disabled |
| Transport Layer Security—Include Timestamp | Enabled |
| Algorithm Suite | None |
| Algorithm Suite | BASIC_128 |
| Secure Conversation | |
| Enabled | Disabled |
| Version | 1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
| Re-authenticate | Disabled |
| Client Entropy | Enabled |
| Derived Keys | Disabled |
| Server Entropy | Enabled |

Configuration

Table 18-71 lists the configuration properties and the default settings for the wss_username_token_over_ssl_client_template assertion template.

Table 18-71 wss_username_token_over_ssl_client_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
csf-key                         basic.credentials           Required
csf.map                         None                        Optional
user.tenant.name                None                        Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional
ignore.timestamp.in.response    false                       Optional

18.52 oracle/wss_username_token_over_ssl_service_template

This topic describes the wss_username_token_over_ssl_service_template assertion template.

Display Name: Wss Username Token Over SSL service Assertion Template

Category: Security

Type: wss-username-token-over-ssl

Description

The wss_username_token_over_ssl_service_template assertion template uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

The settings for the wss_username_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-70 for information about the settings.

Configuration

Table 18-72 lists the configuration properties and the default settings for the wss_username_token_over_ssl_service_template assertion template.

Table 18-72 wss_username_token_over_ssl_service_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.53 oracle/wss10_saml_hok_token_with_message_protection_client_template

This topic describes the wss10_saml_hok_token_with_message_protection_client_template assertion template.

Display Name: Wss10 SAML Holder-Of-Key Token with Message Protection client Assertion Template

Category: Security

Type: wss10-saml-hok-with-certificates

Description

The wss10_saml_hok_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

Settings

Table 18-73 lists the settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.

Table 18-73 wss10_saml_hok_token_with_message_protection_client_template Settings

Name                                              Default Value
SAML Token Type
  Version                                         1.1
  Confirmation Type                               holder-of-key
  Is Signed                                       Enabled
  Is Encrypted                                    Disabled
  Name Identifier Format                          unspecified
X509 Token
  Sign Key Reference Mechanism                    ski
  Encryption Key Reference Mechanism              direct
  Recipient Sign Key Reference Mechanism          direct
  Recipient Encryption Key Reference Mechanism    direct
  Is Signed                                       Disabled
  Use PKI Path                                    Disabled
Message Security
  Algorithm Suite                                 BASIC_128
  Include Timestamp                               Enabled
  Confirm Signature                               Disabled
  Encrypt Signature                               Disabled
  Request Message Settings                        See Table 18-132
  Response Message Settings                       See Table 18-132
  Fault Message Settings                          See Table 18-132

Configuration

Table 18-74 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.

Table 18-74 wss10_saml_hok_token_with_message_protection_client_template Configuration Properties

Name                            Default Value               Type
user.attributes                 None                        Optional
keystore.recipient.alias        orakey                      Required
saml.issuer.name                www.oracle.com              Optional
user.roles.include              false                       Optional
saml.assertion.filename         temp                        Optional
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
ignore.timestamp.in.response    false                       Optional
reference.priority              None                        Optional

18.54 oracle/wss10_saml_hok_token_with_message_protection_service_template

This topic describes the wss10_saml_hok_token_with_message_protection_service_template assertion template.

Display Name: Wss10 SAML Holder-Of-Key Token with Message Protection service Assertion Template

Category: Security

Type: wss10-saml-hok-with-certificates

Description

The wss10_saml_hok_token_with_message_protection_service_template assertion template enforces message-level protection and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_saml_hok_token_with_message_protection_service_template are identical to those for the client version of the assertion template. See Table 18-73 for information about the settings.

Configuration

Table 18-75 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_service_template assertion template.

Table 18-75 wss10_saml_hok_token_with_message_protection_service_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
saml.trusted.issuers            None                        Optional
reference.priority              None                        Optional

18.55 oracle/wss10_saml_token_with_message_protection_client_template

This topic describes the wss10_saml_token_with_message_protection_client_template assertion template.

Display Name: Wss10 SAML Token with Message Protection client Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.

Settings

Table 18-76 lists the settings for the wss10_saml_token_with_message_protection_client_template assertion template.

Table 18-76 wss10_saml_token_with_message_protection_client_template Settings

Name                                              Default Value
SAML Token Type
  Version                                         1.1
  Confirmation Type                               sender-vouches
  Is Signed                                       Enabled
  Is Encrypted                                    Disabled
  Name Identifier Format                          unspecified
X509 Token
  Sign Key Reference Mechanism                    direct
  Encryption Key Reference Mechanism              direct
  Recipient Sign Key Reference Mechanism          direct
  Recipient Encryption Key Reference Mechanism    direct
  Is Signed                                       Disabled
  Use PKI Path                                    Disabled
Secure Conversation
  Enabled                                         Disabled
  Version                                         1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                 Disabled
  Client Entropy                                  Enabled
  Derived Keys                                    Enabled
  Server Entropy                                  Enabled
  Bootstrap Message Security                      Inherit from Application Setting
Message Security
  Algorithm Suite                                 BASIC_128
  Include Timestamp                               Enabled
  Confirm Signature                               Disabled
  Encrypt Signature                               Disabled
  Request Message Settings                        See Table 18-132
  Response Message Settings                       See Table 18-132
  Fault Message Settings                          See Table 18-132

Configuration

Table 18-77 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_client_template assertion template.

Table 18-77 wss10_saml_token_with_message_protection_client_template Configuration Properties

Name                            Default Value               Type
user.attributes                 None                        Optional
keystore.recipient.alias        orakey                      Required
user.roles.include              false                       Optional
saml.issuer.name                www.oracle.com              Optional
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
csf-key                         basic.credentials           Optional
subject.precedence              true                        Optional
saml.audience.uri               None                        Optional
propagate.identity.context      None                        Optional
ignore.timestamp.in.response    false                       Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.56 oracle/wss10_saml_token_with_message_protection_service_template

This topic describes the wss10_saml_token_with_message_protection_service_template assertion template.

Display Name: Wss10 SAML Token with Message Protection service Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.

Settings

The settings for the wss10_saml_token_with_message_protection_service_template are identical to those for the client version of the assertion template. See Table 18-76 for information about the settings.

Configuration

Table 18-78 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_service_template assertion template.

Table 18-78 wss10_saml_token_with_message_protection_service_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
saml.trusted.issuers            None                        Optional
propagate.identity.context      None                        Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.57 oracle/wss10_saml20_token_with_message_protection_client_template

Display Name: Wss10 SAML V2.0 Token with Message Protection client Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml20_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.

Settings

Table 18-79 lists the settings for the wss10_saml20_token_with_message_protection_client_template assertion template.

Table 18-79 wss10_saml20_token_with_message_protection_client_template Settings

Name                                              Default Value
SAML Token Type
  Version                                         2.0
  Confirmation Type                               sender-vouches
  Is Signed                                       Enabled
  Is Encrypted                                    Disabled
  Name Identifier Format                          unspecified
X509 Token
  Sign Key Reference Mechanism                    direct
  Encryption Key Reference Mechanism              direct
  Recipient Sign Key Reference Mechanism          direct
  Recipient Encryption Key Reference Mechanism    direct
  Is Signed                                       Disabled
  Use PKI Path                                    Disabled
Secure Conversation
  Enabled                                         Disabled
  Version                                         1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                 Disabled
  Client Entropy                                  Enabled
  Derived Keys                                    Enabled
  Server Entropy                                  Enabled
  Bootstrap Message Security                      Inherit from Application Setting
Message Security
  Algorithm Suite                                 BASIC_128
  Include Timestamp                               Enabled
  Confirm Signature                               Disabled
  Encrypt Signature                               Disabled
  Request Message Settings                        See Table 18-132
  Response Message Settings                       See Table 18-132
  Fault Message Settings                          See Table 18-132

Configuration

Table 18-80 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_client_template assertion template.

Table 18-80 wss10_saml20_token_with_message_protection_client_template Configuration Properties

Name                            Default Value               Type
user.attributes                 None                        Optional
keystore.recipient.alias        orakey                      Required
user.roles.include              false                       Optional
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
saml.issuer.name                www.oracle.com              Optional
csf-key                         basic.credentials           Optional
subject.precedence              true                        Optional
attesting.mapping.attribute     DN                          Optional
saml.audience.uri               None                        Optional
propagate.identity.context      None                        Optional
ignore.timestamp.in.response    false                       Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.58 oracle/wss10_saml20_token_with_message_protection_service_template

This topic describes the wss10_saml20_token_with_message_protection_service_template assertion template.

Display Name: Wss10 SAML V2.0 Token with Message Protection service Assertion Template

Category: Security

Type: wss10-saml-with-certificates

Description

The wss10_saml20_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
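The service-side checks behind the SAML templates in this chapter, for both the sender-vouches templates (18.55 through 18.58) and the holder-of-key pair (18.53 and 18.54), as an added Python illustration that is not OWSM or Oracle code: the issuer is matched against saml.trusted.issuers, the NotBefore/NotOnOrAfter window and the audience (saml.audience.uri) bound how long and where an assertion can be replayed, the confirmation method must be the one the policy expects, and a holder-of-key assertion is accepted only when the proof key it carries is the key that signed the message. The assertion text, the issuer name, the audience URI, the 5-minute clock skew and the certificate bytes are constructed sample values; the function assumes the XML Signature over the message and assertion, which a real policy verifies first, has already been checked, and that step is not shown.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _utc(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def _fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes, ignoring line breaks the Base64 may carry."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def validate_saml_assertion(xml_text, trusted_issuers, expected_method, audience_uri=None,
                            signer_cert_b64=None, now=None, clock_skew=timedelta(minutes=5)):
    """Returns (True, subject NameID) or (False, reason). `now` may be a datetime or an xs:dateTime string."""
    if isinstance(now, str):
        now = _utc(now)
    now = now or datetime.now(timezone.utc)
    try:
        assertion = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed XML"
    if assertion.tag != f"{{{SAML2}}}Assertion":
        return False, "not a SAML 2.0 assertion"
    issuer = (assertion.findtext(f"{{{SAML2}}}Issuer") or "").strip()
    if issuer not in trusted_issuers:                     # saml.trusted.issuers
        return False, f"untrusted issuer {issuer!r}"
    cond = assertion.find(f"{{{SAML2}}}Conditions")
    if cond is None:
        return False, "missing Conditions"
    try:                                                   # validity window, with bounded clock skew
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + clock_skew < _utc(not_before):
            return False, "assertion not yet valid"
        if not_on_or_after and now - clock_skew >= _utc(not_on_or_after):
            return False, "assertion expired"
    except ValueError:
        return False, "malformed validity period"
    if audience_uri is not None:                           # saml.audience.uri
        audiences = [e.text.strip() for e in cond.iter(f"{{{SAML2}}}Audience") if e.text]
        if audience_uri not in audiences:
            return False, "audience mismatch"
    confirmation = assertion.find(f"{{{SAML2}}}Subject/{{{SAML2}}}SubjectConfirmation")
    if confirmation is None or confirmation.get("Method") != expected_method:
        return False, "unexpected confirmation method"
    if expected_method == HOLDER_OF_KEY:                   # proof key must be the message signer's key
        proof = confirmation.findtext(f"{{{SAML2}}}SubjectConfirmationData/{{{DS}}}KeyInfo/"
                                      f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        if not proof or not signer_cert_b64:
            return False, "holder-of-key needs a proof key and a message signer"
        if _fingerprint(proof) != _fingerprint(signer_cert_b64):
            return False, "proof key does not match the message signer"
    name_id = (assertion.findtext(f"{{{SAML2}}}Subject/{{{SAML2}}}NameID") or "").strip()
    return (True, name_id) if name_id else (False, "missing NameID")


# Constructed stand-in for a DER certificate; not a real certificate.
CONSTRUCTED_CERT = base64.b64encode(b"constructed stand-in, not a real DER certificate").decode("ascii")


def sample_assertion(method, cert_b64=CONSTRUCTED_CERT,
                     not_before="2024-01-01T00:00:00Z", not_on_or_after="2024-01-01T00:10:00Z"):
    """A constructed SAML 2.0 assertion for either confirmation method (issuer and audience are sample values)."""
    key_info = ""
    if method == HOLDER_OF_KEY:
        key_info = (f'<ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>'
                    f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')
    return f"""<saml2:Assertion xmlns:saml2="{SAML2}" Version="2.0" ID="_constructed-1" IssueInstant="{not_before}">
  <saml2:Issuer>www.oracle.com</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="{method}">
      <saml2:SubjectConfirmationData>{key_info}</saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml2:AudienceRestriction><saml2:Audience>https://service.example.com/orders</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="{not_before}"/>
</saml2:Assertion>"""


if __name__ == "__main__":
    print(validate_saml_assertion(sample_assertion(SENDER_VOUCHES), {"www.oracle.com"}, SENDER_VOUCHES,
                                  audience_uri="https://service.example.com/orders", now="2024-01-01T00:05:00Z"))
```

Leaving audience_uri unset skips the audience check, which is why a service should set saml.audience.uri: without it an assertion issued for one service replays cleanly against another that trusts the same issuer.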

Settings

The settings for the wss10_saml20_token_with_message_protection_service_template are similar to those of the client version of the assertion template. See Table 18-79 for information about the settings.

Configuration

Table 18-81 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_service_template assertion template.

Table 18-81 wss10_saml20_token_with_message_protection_service_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
saml.trusted.issuers            None                        Optional
propagate.identity.context      None                        Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.59 oracle/wss10_username_token_with_message_protection_client_template

This topic describes the wss10_username_token_with_message_protection_client_template assertion template.

Display Name: Wss10 Username Token with Message Protection client Assertion Template

Category: Security

Type: wss10-username-with-certificates

Description

The wss10_username_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials are included in the WS-Security UsernameToken header in the outbound SOAP message.

The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.

Settings

Table 18-82 lists the settings for the wss10_username_token_with_message_protection_client_template assertion template.

Table 18-82 wss10_username_token_with_message_protection_client_template Settings

Name                                              Default Value
Username Token
  Password Type                                   plaintext
  Creation Time Required                          Disabled
  Nonce Required                                  Disabled
  Is Signed                                       Enabled
  Is Encrypted                                    Enabled
X509 Token
  Sign Key Reference Mechanism                    direct
  Encryption Key Reference Mechanism              direct
  Recipient Sign Key Reference Mechanism          direct
  Recipient Encryption Key Reference Mechanism    direct
  Is Signed                                       Disabled
  Use PKI Path                                    Disabled
Secure Conversation
  Enabled                                         Disabled
  Version                                         1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                 Disabled
  Client Entropy                                  Enabled
  Derived Keys                                    Enabled
  Server Entropy                                  Enabled
  Bootstrap Message Security                      Inherit from Application Setting
Message Security
  Algorithm Suite                                 BASIC_128
  Include Timestamp                               Enabled
  Confirm Signature                               Disabled
  Encrypt Signature                               Disabled
  Request Message Settings                        See Table 18-132
  Response Message Settings                       See Table 18-132
  Fault Message Settings                          See Table 18-132

Configuration

Table 18-83 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_client_template assertion template.

Table 18-83 wss10_username_token_with_message_protection_client_template Configuration Properties

Name                            Default Value               Type
csf-key                         basic.credentials           Required
csf.map                         None                        Optional
role                            ultimateReceiver            Constant
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
keystore.recipient.alias        orakey                      Required
ignore.timestamp.in.response    false                       Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.60 oracle/wss10_username_token_with_message_protection_service_template

Display Name: Wss10 Username Token with Message Protection service Assertion Template

Category: Security

Type: wss10-username-with-certificates

Description

The wss10_username_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The assertion supports three types of password credentials: plain text, digest, and no password.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
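The nonce and creation-time replay checks that the UsernameToken templates describe (18.51, 18.52, 18.59 and 18.60), together with the three password types, as an added Python example that is not OWSM or Oracle code. The client side builds the token and the service side verifies it: the PasswordDigest rule is the one from the WS-Security UsernameToken Profile (Base64 of SHA-1 over nonce, created and password), while the credential map standing in for the identity store, the 5-minute freshness window, the in-memory nonce cache and the dict form of the token (instead of the XML header) are assumptions of the example. The no-password type is refused unless the verifier is told that the transport or the message signature is what identifies the caller.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Type URIs from the WS-Security UsernameToken Profile 1.0 (the 1.1 profile keeps them).
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xs:dateTime as written into wsu:Created (no fractional seconds here)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes, not its Base64 form."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def _same(a, b):
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def build_username_token(username, password, password_type="digest", created=None):
    """Client side: the UsernameToken header modelled as a dict; Nonce and Created are always emitted here."""
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    nonce = secrets.token_bytes(16)  # fresh random nonce per request
    token = {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"), "Created": created}
    if password_type == "plaintext":
        token["Password"], token["PasswordType"] = password, PASSWORD_TEXT
    elif password_type == "digest":
        token["Password"], token["PasswordType"] = password_digest(nonce, created, password), PASSWORD_DIGEST
    elif password_type != "none":
        raise ValueError("password_type must be plaintext, digest or none")
    return token


class UsernameTokenVerifier:
    """Service side: password check plus the Nonce/Created replay checks the template can require."""

    def __init__(self, credentials, require_nonce=True, require_created=True,
                 allow_no_password=False, freshness=timedelta(minutes=5)):
        self.credentials = credentials        # username -> password; stands in for the identity store
        self.require_nonce = require_nonce
        self.require_created = require_created
        self.allow_no_password = allow_no_password
        self.freshness = freshness            # max |now - Created|, and how long a nonce is remembered
        self.seen_nonces = {}                 # nonce -> time after which it may be forgotten

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        password = self.credentials.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        nonce_b64, created = token.get("Nonce"), token.get("Created")
        if self.require_nonce and not nonce_b64:
            return False, "Nonce required"
        if self.require_created and not created:
            return False, "Created required"
        if created:  # a token created too long ago (or in the future) is rejected even if never seen
            try:
                created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            except ValueError:
                return False, "malformed Created"
            if abs(now - created_at) > self.freshness:
                return False, "Created outside freshness window"
        if nonce_b64 and nonce_b64 in self.seen_nonces:
            return False, "nonce replayed"
        ptype = token.get("PasswordType", PASSWORD_TEXT if "Password" in token else None)
        supplied = token.get("Password") or ""
        if ptype == PASSWORD_TEXT:
            ok = _same(supplied, password)
        elif ptype == PASSWORD_DIGEST:
            if not (nonce_b64 and created):
                return False, "PasswordDigest needs Nonce and Created"
            try:
                expected = password_digest(base64.b64decode(nonce_b64), created, password)
            except ValueError:
                return False, "malformed Nonce"
            ok = _same(supplied, expected)
        elif ptype is None:
            ok = self.allow_no_password  # only the transport or the message signature vouches for the caller
        else:
            return False, "unsupported PasswordType"
        if not ok:
            return False, "authentication failed"
        if nonce_b64:  # remember the nonce only once the token has been accepted
            self.seen_nonces[nonce_b64] = now + self.freshness
        return True, token["Username"]


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"alice": "s3cret"})  # constructed credential
    token = build_username_token("alice", "s3cret")
    print(verifier.verify(token))  # (True, 'alice')
    print(verifier.verify(token))  # (False, 'nonce replayed')
```

The freshness window is what keeps the nonce cache bounded: a nonce only needs to be remembered for as long as a token carrying it could still pass the Created check, which is why the verifier drops entries older than that window on every call.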

Settings

The settings for the wss10_username_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table 18-82 for information about the settings.

Configuration

Table 18-84 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_service_template assertion template.

Table 18-84 wss10_username_token_with_message_protection_service_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
csf.map                         None                        Optional
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.61 oracle/wss10_x509_token_with_message_protection_client_template

This topic describes the wss10_x509_token_with_message_protection_client_template assertion template.

Display Name: Wss10 X509 Token with Message Protection client Assertion Template

Category: Security

Type: wss10-mutual-auth-with-certificates

Description

The wss10_x509_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table 18-85 lists the settings for the wss10_x509_token_with_message_protection_client_template assertion template.

Table 18-85 wss10_x509_token_with_message_protection_client_template Settings

Name                                              Default Value
X509 Token
  Sign Key Reference Mechanism                    direct
  Encryption Key Reference Mechanism              direct
  Recipient Sign Key Reference Mechanism          direct
  Recipient Encryption Key Reference Mechanism    direct
  Is Signed                                       Disabled
  Use PKI Path                                    Disabled
Secure Conversation
  Enabled                                         Disabled
  Version                                         1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                 Disabled
  Client Entropy                                  Enabled
  Derived Keys                                    Enabled
  Server Entropy                                  Enabled
  Bootstrap Message Security                      Inherit from Application Setting
Message Security
  Algorithm Suite                                 BASIC_128
  Include Timestamp                               Enabled
  Confirm Signature                               Disabled
  Encrypt Signature                               Disabled
  Request Message Settings                        See Table 18-132
  Response Message Settings                       See Table 18-132
  Fault Message Settings                          See Table 18-132

Configuration

Table 18-86 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_client_template assertion template.

Table 18-86 wss10_x509_token_with_message_protection_client_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
csf.map                         None                        Optional
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
keystore.recipient.alias        orakey                      Required
ignore.timestamp.in.response    false                       Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.62 oracle/wss10_x509_token_with_message_protection_service_template

This topic describes the wss10_x509_token_with_message_protection_service_template assertion template.

Display Name: Wss10 X509 Token with Message Protection service Assertion Template

Category: Security

Type: wss10-mutual-auth-with-certificates

Description

The wss10_x509_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_x509_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table 18-85 for information about the settings.

Configuration

Table 18-87 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_service_template assertion template.

Table 18-87 wss10_x509_token_with_message_protection_service_template Configuration Properties

Name                            Default Value               Type
role                            ultimateReceiver            Constant
csf.map                         None                        Optional
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.63 oracle/wss11_kerberos_token_over_ssl_client_template

This topic describes the wss11_kerberos_token_over_ssl_client_template assertion template.

Display Name: Wss11 Kerberos Token Over SSL Client Assertion Template

Category: Security

Type: wss11-kerberos-over-ssl-security

Description

The wss11_kerberos_token_over_ssl_client_template assertion template includes a Kerberos token in the WS-Security SOAP header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. The Kerberos token is advertised as an EndorsingSupportingToken, and is used only for authentication and for signing the timestamp. Message protection is provided by SSL.

Settings

Table 18-88 lists the settings for the wss11_kerberos_token_over_ssl_client_template assertion template.

Table 18-88 wss11_kerberos_token_over_ssl_client_template Settings

Name                                                        Default Value
Kerberos Token Type
  Kerberos Token Type                                       gss-apreq-v5
Transport Layer Security
  Transport Layer Security                                  Enabled
  Transport Layer Security—Mutual Authentication Required   Disabled
  Transport Layer Security—Include Timestamp                Enabled
Algorithm Suite                                             BASIC_128

Configuration

Table 18-89 lists the configuration properties and the default settings for the wss11_kerberos_token_over_ssl_client_template assertion template.

Table 18-89 wss11_kerberos_token_over_ssl_client_template Configuration Properties

Name                            Default Value               Type
service.principal.name          HOST/localhost@EXAMPLE.COM  Required
keytab.location                 None                        Optional
caller.principal.name           None                        Optional
credential.delegation           false                       Required
reference.priority              None                        Optional

18.64 oracle/wss11_kerberos_token_over_ssl_service_template

This topic describes the wss11_kerberos_token_over_ssl_service_template assertion template.

Display Name: Wss11 Kerberos Token Over SSL Service Assertion Template

Category: Security

Type: wss11-kerberos-over-ssl-security

Description

The wss11_kerberos_token_over_ssl_service_template assertion template enforces Kerberos token authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services. The Kerberos token is advertised as an EndorsingSupportingToken, and is used only for authentication and for signing the timestamp. Message protection is provided by SSL.

Settings

The settings for the wss11_kerberos_token_over_ssl_service_template are identical to the client version of the assertion template. See Table 18-88 for information about the settings.

Configuration

Table 18-90 lists the configuration properties and the default settings for the wss11_kerberos_token_over_ssl_service_template assertion template.

Table 18-90 wss11_kerberos_token_over_ssl_service_template Configuration Properties

Name                            Default Value               Type
credential.delegation           false                       Required
reference.priority              None                        Optional

18.65 oracle/wss11_kerberos_token_with_message_protection_client_template

This topic describes the wss11_kerberos_token_with_message_protection_client_template assertion template.

Display Name: Wss11 Kerberos Token with message protection client Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_with_message_protection_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table 18-91 lists the settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.

Table 18-91 wss11_kerberos_token_with_message_protection_client_template Settings

Name                                              Default Value
Kerberos Token Type
  Kerberos Token Type                             gss-apreq-v5
  Derived Keys                                    Disabled
Secure Conversation
  Enabled                                         Disabled
  Version                                         1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                 Disabled
  Client Entropy                                  Enabled
  Derived Keys                                    Enabled
  Server Entropy                                  Enabled
  Bootstrap Message Security                      Inherit from Application Setting
Message Security
  Algorithm Suite                                 TRIPLE_DES
  Include Timestamp                               Enabled
  Confirm Signature                               Enabled
  Encrypt Signature                               Disabled
  Request Message Settings                        See Table 18-132
  Response Message Settings                       See Table 18-132
  Fault Message Settings                          See Table 18-132

Configuration

Table 18-92 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.

Table 18-92 wss11_kerberos_token_with_message_protection_client_template Configuration Properties

Name                            Default Value               Type
service.principal.name          HOST/localhost@EXAMPLE.COM  Required
keytab.location                 None                        Optional
caller.principal.name           None                        Optional
credential.delegation           false                       Required
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.66 oracle/wss11_kerberos_token_with_message_protection_service_template

This topic describes the wss11_kerberos_token_with_message_protection_service_template assertion template.

Display Name: Wss11 Kerberos Token service with message protection Assertion Template

Category: Security

Type: kerberos-security

Description

The wss11_kerberos_token_with_message_protection_service_template assertion template enforces Kerberos token authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_kerberos_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 18-91 for information about the settings.

Configuration

Table 18-93 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_service_template assertion template.

Table 18-93 wss11_kerberos_token_with_message_protection_service_template Configuration Properties

Name                            Default Value               Type
credential.delegation           false                       Required
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.67 oracle/wss11_saml_token_with_message_protection_client_template

This topic describes the wss11_saml_token_with_message_protection_client_template assertion template.

Display Name: Wss11 SAML Token with Message Protection client Assertion Template

Category: Security

Type: wss11-saml-with-certificates

Description

The wss11_saml_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

Settings

Table 18-94 lists the settings for the wss11_saml_token_with_message_protection_client_template assertion template.

Table 18-94 wss11_saml_token_with_message_protection_client_template Settings

Name                                              Default Value
SAML Token Type
  Version                                         1.1
  Confirmation Type                               sender-vouches
  Is Signed                                       Enabled
  Is Encrypted                                    Disabled
  Name Identifier Format                          unspecified
X509 Token
  Sign Key Reference Mechanism                    direct
  Encryption Key Reference Mechanism              thumbprint
  Is Signed                                       Enabled
  Use PKI Path                                    Disabled
  Derived Keys                                    Disabled
Secure Conversation
  Enabled                                         Disabled
  Version                                         1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well.
  Re-authenticate                                 Disabled
  Client Entropy                                  Enabled
  Derived Keys                                    Enabled
  Server Entropy                                  Enabled
  Bootstrap Message Security                      Inherit from Application Setting
Message Security
  Algorithm Suite                                 BASIC_128
  Include Timestamp                               Enabled
  Confirm Signature                               Enabled
  Encrypt Signature                               Disabled
  Request Message Settings                        See Table 18-132
  Response Message Settings                       See Table 18-132
  Fault Message Settings                          See Table 18-132

Configuration

Table 18-95 lists the configuration properties and the default settings for the wss11_saml_token_with_message_protection_client_template assertion template.

Table 18-95 wss11_saml_token_with_message_protection_client_template Configuration Properties

Name                            Default Value               Type
user.attributes                 None                        Optional
saml.issuer.name                www.oracle.com              Optional
role                            ultimateReceiver            Constant
keystore.recipient.alias        orakey                      Required
keystore.sig.csf.key            None                        Optional
keystore.enc.csf.key            None                        Optional
csf.map                         None                        Optional
csf-key                         basic.credentials           Optional
subject.precedence              true                        Optional
saml.audience.uri               None                        Optional
propagate.identity.context      None                        Optional
user.tenant.name                None                        Optional
ignore.timestamp.in.response    false                       Optional
sc.token.lifetime               None                        Optional
reference.priority              None                        Optional

18.68 oracle/wss11_saml_token_with_message_protection_service_template

This topic describes the wss11_saml_token_with_message_protection_service_template assertion template.

Display Name: Wss11 SAML Token with Message Protection service Assertion Template

Category: Security

Type: wss11-saml-with-certificates

Description

The wss11_saml_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security header of the request and uses those credentials to validate users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_saml_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 18-94 for information about the settings.

Configuration Properties

Table 18-96 lists the configuration properties and the default settings for the wss11_saml_token_with_message_protection_service_template assertion template.

Table 18-96 wss11_saml_token_with_message_protection_service_template Configuration Properties

Name                             Default Value        Type

role                             ultimateReceiver     Constant
keystore.enc.csf.key             None                 Optional
saml.trusted.issuers             None                 Optional
propagate.identity.context       None                 Optional
sc.token.lifetime                None                 Optional
reference.priority               None                 Optional
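With sender-vouches confirmation the SAML assertion is not signed by its issuer; the service accepts it only because the sender's own XML signature, made with an X509 token the service trusts, covers the assertion together with the Body and Timestamp. That is why the client settings in Table 18-94 sign the SAML token (Is Signed: Enabled) and reference the signing certificate directly, and why the service side needs saml.trusted.issuers. The following Python script is an added illustration of those checks, written for this page; it is not OWSM code and does not verify the signature value cryptographically (that step, and the certificate trust decision driven by the keystore properties, are assumed to happen separately). The SOAP envelope, the digest, signature and certificate placeholders, the fixed clock and the POLICY dictionary are all constructed for the example.

```python
"""Policy-shaped checks on a WS-Security 1.1 request carrying a SAML 1.1 sender-vouches token,
modelled on the wss11_saml_token_with_message_protection templates (added illustration, not OWSM
code). The signature is NOT verified cryptographically; the checks cover what the settings oblige it to protect."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}  # SAML 1.1 keeps the 1.0 namespace
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
SAML11_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"  # the Basic128 algorithm suite uses SHA-1 digests

# Service-side view of the template: Table 18-94 settings plus saml.trusted.issuers (Table 18-96).
POLICY = {"saml.version": "1.1", "confirmation": SENDER_VOUCHES, "saml.is_signed": True,
          "clock_skew_s": 300, "saml.trusted.issuers": {"www.oracle.com"}}
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # fixed clock for the constructed samples

def q(prefix, local):
    return f"{{{NS[prefix]}}}{local}"

def build_request(sign_assertion=True, issuer="www.oracle.com",
                  created="2024-01-01T12:00:00Z", expires="2024-01-01T12:05:00Z"):
    """Constructed sample request; digest, signature and certificate values are placeholders."""
    refs = [("Body-1", ""), ("TS-1", "")]
    if sign_assertion:  # the assertion carries no wsu:Id, so it is signed via an STR plus STR-Transform
        refs.append(("STR-1", f'<ds:Transforms><ds:Transform Algorithm="{STR_TRANSFORM}"/></ds:Transforms>'))
    ref_xml = "".join(f'<ds:Reference URI="#{u}">{t}<ds:DigestMethod Algorithm="{SHA1}"/>'
                      f'<ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>' for u, t in refs)
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}" xmlns:saml="{NS['saml']}">
 <soap:Header><wsse:Security soap:mustUnderstand="1">
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">MIIB...placeholder</wsse:BinarySecurityToken>
  <saml:Assertion AssertionID="_a1" MajorVersion="1" MinorVersion="1" Issuer="{issuer}" IssueInstant="{created}">
   <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="{created}"><saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml:NameIdentifier>
    <saml:SubjectConfirmation><saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod></saml:SubjectConfirmation>
   </saml:Subject></saml:AuthenticationStatement></saml:Assertion>
  <wsse:SecurityTokenReference wsu:Id="STR-1"><wsse:KeyIdentifier ValueType="{SAML11_ID}">_a1</wsse:KeyIdentifier></wsse:SecurityTokenReference>
  <ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>{ref_xml}</ds:SignedInfo>
   <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1" ValueType="{X509V3}"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature></wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><echo>hello</echo></soap:Body>
</soap:Envelope>"""

def _utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(envelope_xml, policy=POLICY, now=NOW):
    """Return the policy violations found; an empty list means the request has the shape the template requires."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    assertions = sec.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected one saml:Assertion, found {len(assertions)}"]
    a, fails = assertions[0], []
    ids = {e.get(q("wsu", "Id")): e for e in root.iter() if e.get(q("wsu", "Id"))}
    if f"{a.get('MajorVersion')}.{a.get('MinorVersion')}" != policy["saml.version"]:
        fails.append("SAML token version does not match the template")
    if a.get("Issuer") not in policy["saml.trusted.issuers"]:
        fails.append(f"issuer {a.get('Issuer')!r} not in saml.trusted.issuers")
    cm = a.find(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
    if cm is None or cm.text != policy["confirmation"]:
        fails.append("confirmation method is not sender-vouches")
    ts = sec.find("wsu:Timestamp", NS)  # Include Timestamp: Enabled
    if ts is None:
        fails.append("wsu:Timestamp missing")
    elif _utc(ts.findtext("wsu:Expires", namespaces=NS)) <= now - timedelta(seconds=policy["clock_skew_s"]):
        fails.append("timestamp expired")
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        return fails + ["ds:Signature missing"]
    covered = set()
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        target = ids.get(ref.get("URI", "").lstrip("#"))
        if target is not None and target.tag == q("wsse", "SecurityTokenReference"):
            kid = target.find("wsse:KeyIdentifier", NS)  # STR-Transform: the signed octets are the token's
            if kid is not None and kid.get("ValueType") == SAML11_ID and (kid.text or "").strip() == a.get("AssertionID"):
                target = a
        covered.add(target)
    if root.find("soap:Body", NS) not in covered:
        fails.append("soap:Body not covered by the signature")
    if ts is not None and ts not in covered:
        fails.append("wsu:Timestamp not covered by the signature")
    if policy["saml.is_signed"] and a not in covered:  # otherwise any sender could inject a token naming any user
        fails.append("saml:Assertion not covered by the sender's signature (Is Signed)")
    kref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)  # Sign Key Reference Mechanism: direct
    tok = ids.get(kref.get("URI", "").lstrip("#")) if kref is not None else None
    if tok is None or tok.tag != q("wsse", "BinarySecurityToken"):
        fails.append("KeyInfo does not directly reference an X509 BinarySecurityToken")
    return fails
```

Run evaluate(build_request()) for the compliant shape, evaluate(build_request(sign_assertion=False)) to see the single failure that a misconfigured client (Is Signed disabled) or an injected assertion produces, and evaluate(build_request(issuer="idp.example")) for the saml.trusted.issuers check. The STR-Transform branch is the detail most often missed when writing such checks by hand: a ds:Reference that points at a wsse:SecurityTokenReference signs the token the STR names, not the STR element itself.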

18.69 oracle/wss11_saml20_token_with_message_protection_client_template

This topic describes the wss11_saml20_token_with_message_protection_client_template assertion template.

Display Name: Wss11 SAML V2.0 Token with Message Protection client Assertion Template

Category: Security

Type: wss11-saml-with-certificates

Description

The wss11_saml20_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML-based authentication with sender-vouches confirmation.

Settings

Table 18-97 lists the settings for the wss11_saml20_token_with_message_protection_client_template assertion template.

Table 18-97 wss11_saml20_token_with_message_protection_client_template Settings

Name Default Value

SAML Token Type

Version

2.0

Confirmation Type

sender-vouches

Is Signed

Enabled

Is Encrypted

Disabled

Name Identifier Format

unspecified

X509 Token

Sign Key Reference Mechanism

direct

Encryption Key Reference Mechanism

thumbprint

Is Signed

Enabled

Use PKI Path

Disabled

Derived Keys

Disabled

Secure Conversation