This chapter describes interoperability of Oracle Web Services Manager (OWSM) with Oracle WebLogic Server 12c Web service security environments.
This chapter contains the following sections:
Section 4.2, "Username Token With Message Protection (WS-Security 1.1)"
Section 4.3, "Username Token With Message Protection (WS-Security 1.1) and MTOM"
Section 4.4, "Username Token With Message Protection (WS-Security 1.0)"
Section 4.8, "SAML Token (Sender Vouches) Over SSL with MTOM"
Section 4.9, "SAML Token 2.0 (Sender Vouches) With Message Protection (WS-Security 1.1)"
Section 4.10, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)"
Section 4.11, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1) and MTOM"
Section 4.12, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)"
Section 4.13, "Mutual Authentication with Message Protection (WS-Security 1.0)"
Section 4.14, "Mutual Authentication with Message Protection (WS-Security 1.1)"
In Oracle Fusion Middleware 12c, you can attach both OWSM and Oracle WebLogic Server 12c Web service policies to WebLogic Java EE Web services.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
For more details about the predefined Oracle WebLogic Server 12c Web service policies, see:
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Table 4-1 and Table 4-2 summarize the most common Oracle WebLogic Server 12c Web service policy interoperability scenarios based on the following security requirements: authentication, message protection, and transport. The tables are organized as follows:
Table 4-1 describes interoperability scenarios with WebLogic Web service policies and OWSM client policies.
Table 4-2 describes interoperability scenarios with OWSM Web service policies and WebLogic Web service client policies.
Table 4-1 WebLogic Web Service Policy and OWSM Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
| | 1.1 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.0 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.0 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.0 | Yes | No | | |
Table 4-2 OWSM Service Policy and WebLogic Web Service Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
| | 1.1 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.0 | Yes | No | | |
| | 1.0 and 1.1 | No | Yes | | |
| | 1.0 and 1.1 | No | Yes | | |
| | 1.0 and 1.1 | No | Yes | | |
| | 1.0 and 1.1 | No | Yes | | |
| | 1.1 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.0 | Yes | No | | |
| | 1.1 | Yes | No | | |
| | 1.0 | Yes | No | | |
This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:
Section 4.2.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.2.2, "Interoperating with a WebLogic Web Service Client Policy"
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.2.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.2.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-3 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help |
4 | Configure message-level security. Note: You only need to configure the Confidentiality Key for a WS-Security 1.1 policy. | |
5 | Deploy the Web service. | "Install a Web Service" in Oracle WebLogic Server Administration Console Online Help |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-4 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-3 using | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service client: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy. | "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Specify | "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Ensure that the | "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
6 | Provide a valid username and password as part of the configuration. | "oracle/wss11_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
7 | Invoke the Web service method from the client. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.2.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.2.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-5 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create and deploy a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-6 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-5 using | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Provide the configuration for the server (encryption key) in the client. Note: Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Invoke the Web service method from the client. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
This section describes how to implement username token with message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenarios:
Section 4.3.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.3.2, "Interoperating with a WebLogic Web Service Client Policy"
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.3.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.3.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-7 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services. |
2 | Use the | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-8 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Configure the client proxy for the Web service in Table 4-7 using | Follow the steps described in "Username Token With Message Protection (WS-Security 1.1)". |
2 | If you did not use the | Follow Step 2 of "Attaching and Configuring the OWSM Client Policy"; "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.3.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.3.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-9 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Configure the OWSM Web service. | Follow the steps in Section 4.2, "Username Token With Message Protection (WS-Security 1.1)". |
2 | Attach | Follow Step 2 of Section 4.2.1.2, "Attaching and Configuring the OWSM Client Policy"; "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses a WebLogic Web service client policy, perform the following tasks.
Table 4-10 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-9 using | Follow the steps in Section 4.2, "Username Token With Message Protection (WS-Security 1.1)". |
2 | If you did not attach the wsmtom_policy as described in Table 4-9, use the | Follow Step 2 of "Attaching and Configuring the WebLogic Web Service Client Policy". |
This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:
Section 4.4.1, "Interoperability with a WebLogic Web Service Policy"
Section 4.4.2, "Interoperability with a WebLogic Web Service Client Policy"
Note:
WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "Username Token With Message Protection (WS-Security 1.1)".
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.4.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.4.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-11 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help. |
4 | Configure message-level security. | "Configuring Message-Level Security" in Securing WebLogic Web Services for Oracle WebLogic Server; "Create a Web Service security configuration" in Oracle WebLogic Server Administration Console Online Help |
5 | Deploy the Web service. | |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-12 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy to the Web service created in Table 4-11 using | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service client: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy. | "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Ensure that you use different keys for client (sign and decrypt key) and keystore recipient alias (server public key used for encryption). Ensure that the recipient alias is in accordance with the keys defined in the Web service policy security configuration. | "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service. | "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
6 | Provide a valid username and password as part of the configuration. | "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
7 | Invoke the Web service method from the client. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.4.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.4.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-13 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-14 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-13 using | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure the client for server (encryption key) and client certificates. Note: Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Invoke the Web service method from the client. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
The following section describes how to implement username token over SSL, describing the following interoperability scenario:
The following sections describe how to implement username token over SSL and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.5.1.1, "Attaching and Configuring the OWSM Policy"
Section 4.5.1.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-15 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Configure the server for one-way SSL. | "Configuring SSL on WebLogic Server (One-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Create a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
3 | Attach the following policy: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-16 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-15 using | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Configure WebLogic Server for SSL. | "Configuring SSL on WebLogic Server (One-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help |
4 | Attach | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
5 | Provide the truststore and other required System properties in the SSL client. | "Using SSL Authentication in Java Clients" in Developing Applications with the WebLogic Security Service |
6 | Invoke the Web service. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
The following section describes how to implement username token over SSL with Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenario:
The following sections describe how to implement username token over SSL with MTOM and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.6.1.1, "Attaching and Configuring the OWSM Policy"
Section 4.6.1.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-17 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Configure the OWSM Web service. | Follow the steps in "Username Token With Message Protection (WS-Security 1.1)". |
To configure a client that uses a WebLogic Web service client policy, perform the following tasks.
Table 4-18 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-17. | Follow the steps in "Username Token With Message Protection (WS-Security 1.1)". |
2 | Use the | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
The following section describes how to implement SAML token sender vouches with SSL. It describes the following interoperability scenario:
The following sections describe how to implement SAML token sender vouches with SSL and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.7.1.1, "Attaching and Configuring the OWSM Policy"
Section 4.7.1.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-19 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Configure the | "oracle/wss_saml_token_over_ssl_service_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Create a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
3 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-20 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-19 using | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Configure Oracle WebLogic Server for two-way SSL. | "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help |
4 | Attach | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
5 | Configure a SAML credential mapping provider. In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2. Select the new provider, click on Provider Specific, and configure it as follows: | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
6 | Restart Oracle WebLogic Server. | "Accessing Oracle WebLogic Administration Console" in Administering Web Services |
7 | Create a SAML relying party. Set the Profile to | "Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help |
8 | Configure the SAML relying party as follows (leave other values set to the defaults): Select the Enabled checkbox and click Save. Ensure the Target URL is set to the URL used for the client Web service. | "Create a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help |
9 | Create a servlet and call the proxy code from the servlet. | |
10 | Use BASIC authentication so that the authenticated subject can be created. | |
11 | Provide the truststore and other required System properties in the SSL client. | "Using SSL Authentication in Java Clients" in Developing Applications with the WebLogic Security Service |
12 | Invoke the Web application client. Enter the credentials of the user whose identity is to be propagated using the SAML token. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
The following section describes how to implement SAML token sender vouches over SSL with MTOM. It describes the following interoperability scenario:
The following sections describe how to implement SAML token sender vouches over SSL with MTOM and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.8.1.1, "Attaching and Configuring the OWSM Policy"
Section 4.8.1.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
To configure a client that uses a WebLogic Web service client policy, perform the following tasks.
Table 4-22 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Configure the Oracle WebLogic Web service client policy. | |
2 | Use the | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server. |
This section describes how to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:
Section 4.9.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.9.2, "Interoperating with a WebLogic Web Service Client Policy"
The following sections describe how to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.9.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.9.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-23 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side. Create the trust store out of the keystore by exporting both keys, and trust both of them while importing into the trust store. Configure identity and trust stores. | See "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help. |
4 | Configure message-level security. | See "Configuring Message-Level Security" in Securing WebLogic Web Services for Oracle WebLogic Server; "Create a Web Service security configuration" in Oracle WebLogic Server Administration Console Online Help |
5 | Attach new configuration using the annotation: | "Configuring Message-Level Security" in Securing WebLogic Web Services for Oracle WebLogic Server |
6 | Deploy the Web service. | |
7 | Create a SAML Identity Asserter. In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAML2IdentityAsserter. | "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
8 | Restart WebLogic Server. | "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help. |
9 | To add the identity provider to the identity asserter created in Step 7, perform the following steps: | |
10 | Configure the identity provider as follows: | |
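The trust requirement stated in Table 4-12 (task 5) and in Table 4-23 (task 3) can be checked before deployment. The following is an added example, not Oracle's code: it reports every key alias in a keystore whose certificate is not present as a trusted certificate entry in the trust store. The class name, the KEYSTORE_PASS and TRUSTSTORE_PASS environment variables, and the command-line layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example (hypothetical class, not part of OWSM or WebLogic).
 *
 * Usage:
 *   KEYSTORE_PASS=... TRUSTSTORE_PASS=... \
 *   java KeyTrustCheck <keystore> <truststore> <keyAlias> [<keyAlias> ...]
 *
 * Exit status: 0 when every alias passes, 1 when a problem is reported.
 */
public class KeyTrustCheck {

    /** Loads a keystore file in the JDK's default keystore format. */
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    /**
     * Returns the alias of the trusted certificate entry that holds cert,
     * or null. Key entries in the trust store are ignored on purpose: the
     * requirement is a trusted certificate entry, not a second key pair.
     */
    static String trustedEntryFor(KeyStore trust, Certificate cert) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isCertificateEntry(alias) && cert.equals(trust.getCertificate(alias))) {
                return alias;
            }
        }
        return null;
    }

    /** Checks each key alias and returns one line per problem found. */
    static List<String> check(KeyStore keys, KeyStore trust, List<String> aliases) throws Exception {
        List<String> problems = new ArrayList<>();
        for (String alias : aliases) {
            if (!keys.isKeyEntry(alias)) {
                problems.add(alias + ": no key entry with this alias in the keystore");
                continue;
            }
            Certificate cert = keys.getCertificate(alias);
            if (cert == null) {
                problems.add(alias + ": key entry has no certificate");
                continue;
            }
            if (cert instanceof X509Certificate) {
                try {
                    // An expired or not-yet-valid certificate fails validation
                    // at the service even when it is present in the trust store.
                    ((X509Certificate) cert).checkValidity();
                } catch (CertificateException e) {
                    problems.add(alias + ": certificate outside its validity period (" + e.getMessage() + ")");
                }
            }
            if (trustedEntryFor(trust, cert) == null) {
                problems.add(alias + ": certificate is not a trusted certificate entry in the trust store");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeyTrustCheck <keystore> <truststore> <keyAlias> [<keyAlias> ...]");
            System.exit(2);
        }
        KeyStore keys = load(args[0], System.getenv("KEYSTORE_PASS"));
        KeyStore trust = load(args[1], System.getenv("TRUSTSTORE_PASS"));
        List<String> problems = check(keys, trust, Arrays.asList(args).subList(2, args.length));
        for (String line : problems) {
            System.out.println(line);
        }
        if (problems.isEmpty()) {
            System.out.println("all key aliases are trusted certificate entries in the trust store");
        }
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Pass the signing alias and the encryption alias together so that both keys are checked against the same trust store in one run.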
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-24 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Generate a client using JDeveloper for the Web service created in Table 4-23. Create a Web project and then select New, and create a client proxy using the WSDL. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Add a servlet in the above project. | |
3 | Attach the following policy to the Web service client: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Specify Ensure that | "oracle/wss11_saml20_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Ensure that the | "oracle/wss11_saml20_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
6 | In JDeveloper, secure the Web project with Form-based authentication using the Configure ADF Security Wizard. | |
7 | Invoke the Web application client. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
The following sections describe how to implement SAML 2.0 token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service client policy and the OWSM policy:
Section 4.9.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.9.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-25 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-26 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a Java EE client for the deployed Web service using JDeveloper. Create a Web project and create a proxy using WSDL proxy. | "Creating JAX-WS Web Services and Clients" in Developing Applications with Oracle JDeveloper |
2 | Attach the following policies: Extract | "Attaching Policies" in Developing Applications with Oracle JDeveloper |
3 | Add a servlet to the above Web project. | |
4 | Configure the client for server (encryption key) and client certificates. Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
5 | Secure the Web application client using BASIC Authentication. | "Developing BASIC Authentication Web Applications" in Developing Applications with the WebLogic Security Service |
6 | Deploy the Java EE Web application client. | "Deploying Web Services Applications" in Administering Web Services |
7 | Configure a SAML credential mapping provider. In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAML2CredentialMapper. Select the new provider, click on Provider Specific, and configure it as follows: | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
8 | Restart WebLogic Server. | "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help. |
9 | To create a new service provider partner, perform the following steps: | |
10 | Configure the service provider partner as follows: | |
11 | Invoke the Web application client. Enter the credentials of the user whose identity is to be propagated using the SAML token. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
This section describes how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard in the following interoperability scenarios:
Section 4.10.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.10.2, "Interoperating with a WebLogic Web Service Client Policy"
The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.10.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.10.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-27 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server. |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help |
4 | Configure message-level security. Since this is a WS-Security 1.1 policy, you need to configure Confidentiality Key only. | |
5 | Deploy the Web service. | |
6 | Create a SAMLIdentityAsserterV2 authentication provider. In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2. | "Configuring Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
7 | Restart WebLogic Server. | "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help. |
8 | Select the authentication provider created in step 5. | |
9 | Create a SAML asserting party. Set Profile to | "Create a SAML 1.1 Asserting Party" in Oracle WebLogic Server Administration Console Online Help |
10 | Configure the SAML asserting party. Configure the SAML asserting party as follows: | "Create a SAML 1.1 Asserting Party" in Oracle WebLogic Server Administration Console Online Help |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-28 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy to the Web service created in Table 4-27 using clientgen or some other mechanism. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service client: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy, as described in | "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Specify Ensure that | "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Ensure that the | "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
6 | Provide a valid username whose identity needs to be propagated using SAML token in the client configuration. | "oracle/wss11_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
7 | Invoke the Web application client. Enter the credentials of the user whose identity is to be propagated using SAML token. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
The following sections describe how to implement SAML 2.0 sender vouches with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.10.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.10.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-29 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-30 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service (above) using clientgen. | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure the client for server (encryption key) and client certificates. Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Secure the Web application client using BASIC Authentication. | "Developing BASIC Authentication Web Applications" in Developing Applications with the WebLogic Security Service. |
5 | Deploy the Web service client. | "Deploying Web Services Applications" in Administering Web Services |
6 | Configure a SAML credential mapping provider. In the Oracle WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2. Select the new provider, click on Provider Specific, and configure it as follows: | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
7 | Restart WebLogic Server. | "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help. |
8 | Create a SAML relying party. Set the Profile to WSS/Sender-Vouches. | "Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help |
9 | Configure the SAML relying party. Ensure the Target URL is set to the URL used for the client Web service. | "Configure a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help |
10 | Invoke the Web application client. Enter the credentials of the user whose identity is to be propagated using SAML token. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
This section describes how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.1 standard and uses Message Transmission Optimization Mechanism (MTOM) in the following interoperability scenarios:
Section 4.11.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.11.2, "Interoperating with a WebLogic Web Service Client Policy"
The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and MTOM and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.11.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.11.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-31 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service, as described in Section 4.10, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)" | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Use the @MTOM annotation in the Web service in Step 2 of "Attaching and Configuring the WebLogic Web Service Policy". | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-32 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy to the Web service created in Table 4-31, as described in Section 4.10, "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)" | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach | Step 2 of Section 4.10.1.2, "Attaching and Configuring the OWSM Client Policy". "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard and MTOM and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.11.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.11.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-33 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create and deploy a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-34 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-5 using clientgen. | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Provide the configuration for the server (encryption key) in the client. Note: Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Invoke the Web service method from the client. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
This section describes how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.0 standard in the following interoperability scenarios:
Section 4.12.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.12.2, "Interoperating with a WebLogic Web Service Client Policy"
Note:
WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)".
The following sections describe how to implement SAML token with sender vouches and message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.12.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.12.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-35 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help |
4 | Configure message-level security. | |
5 | Deploy the Web service. | |
6 | Create a SAMLIdentityAsserterV2 authentication provider. In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2. | "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
7 | Restart WebLogic Server. | "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help. |
8 | Select the authentication provider created in step 5. | |
9 | Create a SAML asserting party. Set Profile to WSS/Sender-Vouches. | "Create a SAML 1.1 Asserting Party" in Oracle WebLogic Server Administration Console Online Help |
10 | Configure a SAML asserting party. Configure the SAML asserting party as follows (leave other values set to the defaults): | "Configure a SAML 1.1 Asserting Party" in Oracle WebLogic Server Administration Console Online Help |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-36 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy to the Web service created in Table 4-35 using clientgen or some other mechanism. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service client: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy. | "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Ensure that you use different keys for client (sign and decrypt key) and keystore recipient alias (server public key used for encryption). Ensure that the recipient alias is in accordance with the keys defined in the Web service policy security configuration. | "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service. | "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
6 | Provide a valid username whose identity needs to be propagated using SAML token in the client configuration. | "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
7 | Invoke the Web service method. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
The following sections describe how to implement SAML token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.12.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.12.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-37 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-38 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service (above) using clientgen. | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure the client for server (encryption key) and client certificates. Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Secure the Web application client using BASIC Authentication. | "Developing BASIC Authentication Web Applications" in Developing Applications with the WebLogic Security Service |
5 | Deploy the Web service client. | "Deploying Web Services Applications" in Administering Web Services |
6 | Configure a SAML credential mapping provider. In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2. | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
7 | Select the SAMLCredentialMapperV2, click on Provider Specific, and configure it as follows: | |
8 | Restart WebLogic Server. | "Start and stop servers" in the Oracle WebLogic Server Administration Console Online Help. |
9 | Create a SAML relying party. Set the profile to | "Create a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help |
10 | Configure the SAML relying party. Ensure the target URL is set to the URL used for the client Web service. | "Configure a SAML 1.1 Relying Party" in Oracle WebLogic Server Administration Console Online Help |
11 | Invoke the Web application client and enter the appropriate credentials. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:
Section 4.13.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.13.2, "Interoperating with a WebLogic Web Service Client Policy"
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.13.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.13.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-39 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help |
4 | Configure message-level security. | |
5 | Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as described below. Create a token handler for username token and configure the following: Create a token handler for X.509 and configure the following: For the X.509 token handler, add the following properties: | "Create a token handler of a Web Service security configuration" in Oracle WebLogic Server Administration Console Online Help. |
6 | Configure a credential mapping provider. Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults): | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
7 | Configure Authentication. Select the Authentication tab and configure as follows: | "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
8 | If the users are not added, add the Common Name (CN) user specified in the certificate. | "Create users" in Oracle WebLogic Server Administration Console Online Help |
9 | Restart Oracle WebLogic Server. | |
10 | Deploy the Web service. | "Install a Web Service" in Oracle WebLogic Server Administration Console Online Help |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-40 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy to the Web service created in Table 4-39 using | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the client: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Provide the configuration for the server (encryption key) in the client. Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Invoke the Web service method from the client. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.13.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.13.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-41 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-42 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-41 using clientgen. | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Provide the configuration for the server (encryption key) in the client. Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Invoke the Web service method from the client. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard:
Section 4.13.1, "Interoperating with a WebLogic Web Service Policy"
Section 4.13.2, "Interoperating with a WebLogic Web Service Client Policy"
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the WebLogic Web service policy and the OWSM client policy:
Section 4.14.1.1, "Attaching and Configuring the WebLogic Web Service Policy"
Section 4.14.1.2, "Attaching and Configuring the OWSM Client Policy"
To configure a Web service with a WebLogic Web service policy, perform the following tasks.
Table 4-43 Attaching and Configuring the WebLogic Web Service Policy
Task | Description | More Information |
---|---|---|
1 | Create a WebLogic Web service. | "Roadmap for Implementing WebLogic (Java EE) Web Services" in Understanding Web Services |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Configure identity and trust stores. | "Configure identity and trust" in Oracle WebLogic Server Administration Console Online Help |
4 | Configure message-level security. | |
5 | Create and configure token handlers for X.509 and for username token. In WebLogic Administration Console, navigate to the Web Service Security page of the domain and create the token handlers as described below. Create a token handler for username token and configure the following: Create a token handler for X.509 and configure the following: For the X.509 token handler, add the following properties: | "Create a token handler of a Web Service security configuration" in Oracle WebLogic Server Administration Console Online Help. |
6 | Configure a credential mapping provider. Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults): | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
7 | Configure Authentication. Select the Authentication tab and configure as follows: | "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
8 | If the users are not added, add the Common Name (CN) user specified in the certificate. | "Create users" in Oracle WebLogic Server Administration Console Online Help |
9 | Restart Oracle WebLogic Server. | |
10 | Deploy the Web service. | "Install a Web Service" in Oracle WebLogic Server Administration Console Online Help |
To configure the client with an OWSM client policy, perform the following tasks.
Table 4-44 Attaching and Configuring the OWSM Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-43 using clientgen or some other mechanism. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the client: wss11_x509_token_with_message_protection_client_policy. Edit the policy as follows: <orasp:x509-token orasp:sign-key-ref-mech="thumbprint" orasp:enc-key-ref-mech="thumbprint"/> | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Provide the configuration for the server (encryption key) in the client. Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server. |
4 | Invoke the Web service method from the client. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
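
Step 2 of the table above sets both key reference mechanisms to thumbprint. The following Python sketch is an added illustration, not Oracle code or documentation: it models how a receiver resolves a WS-Security 1.1 ThumbprintSHA1 key reference against its trusted certificates, and what happens when the sender uses a different mechanism. The certificate bytes, aliases and function names are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace and ValueType URIs defined by the OASIS WS-Security specifications.
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
THUMBPRINT_SHA1 = ("http://docs.oasis-open.org/wss/"
                   "oasis-wss-soap-message-security-1.1#ThumbprintSHA1")
X509_SKI = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")

# Constructed stand-ins for DER-encoded certificates. Real input would be the
# encoded bytes of each trusted certificate exported from the trust store.
CLIENT_CERT_DER = b"constructed-client-certificate-der-bytes"
OTHER_CERT_DER = b"constructed-unrelated-certificate-der-bytes"
TRUST_STORE = {"client-sign": CLIENT_CERT_DER}  # hypothetical alias -> bytes


def thumbprint_sha1(cert_der):
    """Base64 of the SHA-1 digest over the whole encoded certificate.

    SHA-1 serves here as a lookup identifier, as the token profile defines it;
    it is not what protects the message signature.
    """
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def build_reference(value_type, value):
    """Build the SecurityTokenReference a sender places in the security header."""
    ET.register_namespace("wsse", WSSE_NS)
    ref = ET.Element("{%s}SecurityTokenReference" % WSSE_NS)
    key_id = ET.SubElement(ref, "{%s}KeyIdentifier" % WSSE_NS,
                           {"ValueType": value_type})
    key_id.text = value
    return ET.tostring(ref, encoding="unicode")


def resolve_reference(reference_xml, trust_store):
    """Return (status, alias) for the certificate the reference points to."""
    root = ET.fromstring(reference_xml)
    key_id = next(root.iter("{%s}KeyIdentifier" % WSSE_NS), None)
    if key_id is None:
        return ("no-key-identifier", None)
    # Sender and receiver must agree on the mechanism: a receiver that expects
    # a thumbprint cannot use a reference built with another ValueType.
    if key_id.get("ValueType") != THUMBPRINT_SHA1:
        return ("mechanism-mismatch", None)
    try:
        wanted = base64.b64decode((key_id.text or "").strip(), validate=True)
    except ValueError:
        return ("malformed-value", None)
    if len(wanted) != hashlib.sha1().digest_size:
        return ("malformed-value", None)
    # The thumbprint only selects a certificate; trust comes from the
    # certificate being present in the receiver's own store.
    for alias, cert_der in trust_store.items():
        if hashlib.sha1(cert_der).digest() == wanted:
            return ("resolved", alias)
    return ("unknown-certificate", None)


if __name__ == "__main__":
    cases = {
        "thumbprint, trusted cert": build_reference(
            THUMBPRINT_SHA1, thumbprint_sha1(CLIENT_CERT_DER)),
        "thumbprint, untrusted cert": build_reference(
            THUMBPRINT_SHA1, thumbprint_sha1(OTHER_CERT_DER)),
        "different mechanism": build_reference(
            X509_SKI, thumbprint_sha1(CLIENT_CERT_DER)),
    }
    for label, xml_text in cases.items():
        print(label, "->", resolve_reference(xml_text, TRUST_STORE))
```

In this model, `mechanism-mismatch` is the outcome when the policy edit in step 2 has not been applied on the client, and `unknown-certificate` is the outcome when the client certificate is absent from the service's trusted entries.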
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.1 standard and ensure interoperability between the OWSM Web service policy and the WebLogic Web service client policy:
Section 4.14.2.1, "Attaching and Configuring the OWSM Policy"
Section 4.14.2.2, "Attaching and Configuring the WebLogic Web Service Client Policy"
To configure a Web service with an OWSM Web service policy, perform the following tasks.
Table 4-45 Attaching and Configuring the OWSM Policy
Task | Description | More Information |
---|---|---|
1 | Create and deploy a Web service. | "Roadmap for Implementing Oracle Fusion Middleware Web Services" in Understanding Web Services |
2 | Attach the following policy to the Web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
To configure a client that uses WebLogic Web service client policy, perform the following tasks.
Table 4-46 Attaching and Configuring the WebLogic Web Service Client Policy
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the Web service created in Table 4-45 using clientgen. | "Using the clientgen Ant Task to Generate Client Artifacts" in Developing JAX-WS Web Services for Oracle WebLogic Server |
2 | Attach the following policies: | "Updating the JWS File with @Policy and @Policies Annotations" in Securing WebLogic Web Services for Oracle WebLogic Server |
3 | Provide the configuration for the server (encryption key) in the client. Note: Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service. | "Updating a Client Application to Invoke a Message-Secured Web Service" in Securing WebLogic Web Services for Oracle WebLogic Server |
4 | Invoke the Web service method from the client. | "Writing the Java Client Application Code to Invoke a Web Service" in Developing JAX-WS Web Services for Oracle WebLogic Server |