This chapter describes the most common Oracle Containers for Java EE (OC4J) 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
This chapter includes the following sections:
Overview of Interoperability with OC4J 10g Security Environments
Anonymous Authentication with Message Protection (WS-Security 1.0)
Username Token with Message Protection (WS-Security 1.0)
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)
Mutual Authentication with Message Protection (WS-Security 1.0)
Username Token over SSL
SAML Token (Sender Vouches) over SSL
In OC4J 10g, you configure your security environment, as described in the following documents.
For information about using Application Server Control to configure the web service, see Oracle Application Server Advanced Web Services Developer's Guide at http://download.oracle.com/docs/cd/B31017_01/web.1013/b28975/toc.htm.
For information about using JDeveloper to develop and configure your client-side application, see Developing Applications with Oracle JDeveloper.
For information about how to modify the XML-based deployment descriptor files, see Oracle Application Server Web Services Security Guide 10g (10.1.3.1.0) at: http://download.oracle.com/docs/cd/B31017_01/web.1013/b28976/toc.htm
With OWSM 12c, you attach policies to web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Table 3-1 and Table 3-2 summarize the most common OC4J 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. (Only v3 certificates can carry X.509 extensions.)
Table 3-1 OWSM 12c Service Policy and Oracle OC4J 10g Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Anonymous | 1.0 | Yes | No | | |
Username | 1.0 | Yes | No | | |
SAML | 1.0 | Yes | No | | |
Mutual Authentication | 1.0 | Yes | No | | |
Username over SSL | 1.0 and 1.1 | No | Yes | OR | |
SAML over SSL | 1.0 and 1.1 | No | Yes | OR | |
Table 3-2 Oracle OC4J 10g Service Policy and OWSM 12c Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Anonymous | 1.0 | Yes | No | | |
Username | 1.0 | Yes | No | | |
SAML | 1.0 | Yes | No | | |
Mutual Authentication | 1.0 | Yes | No | | |
Username over SSL | 1.0 and 1.1 | No | Yes | | |
SAML over SSL | 1.0 and 1.1 | No | Yes | | |
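The note above, repeated in every keystore step below, requires v3 certificates because the JDK 1.5 keytool produced v1 self-signed certificates. The following Python is an added example, not Oracle code, that parses the outer DER structure of a certificate and reports its version and whether it carries the v3 Extensions field. The two sample certificates are synthetic byte strings built inside the script (placeholder names, no real key, no real signature); to check a real keystore entry, export it with keytool -exportcert (without -rfc, which would emit PEM) and pass the file's bytes to inspect_certificate.

```python
"""Check whether a DER-encoded X.509 certificate is v3 and carries extensions.

Added example for this chapter's note on v1 versus v3 keystores; it is not
Oracle code. It parses only the outer structure of a certificate
(RFC 5280, section 4.1): the version is an optional [0] EXPLICIT INTEGER at
the start of TBSCertificate (absent means v1), and extensions live in the
optional [3] element at its end, which only a v3 certificate may carry.
"""
from typing import List, Tuple

RSA_ENCRYPTION_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"    # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out


def inspect_certificate(der: bytes) -> dict:
    """Report the X.509 version and whether TBSCertificate carries extensions."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tbs_tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    fields = children(tbs)
    version = 1  # DEFAULT v1 when the [0] version field is omitted
    if fields and fields[0][0] == 0xA0:
        int_tag, int_val, _ = read_tlv(fields[0][1], 0)
        if int_tag != 0x02:
            raise ValueError("version field is not an INTEGER")
        version = int.from_bytes(int_val, "big") + 1  # INTEGER 2 encodes v3
    has_extensions = any(t == 0xA3 for t, _ in fields)
    return {"version": version, "has_extensions": has_extensions,
            "ok_for_v3_keystore": version == 3 and has_extensions}


# --- constructed sample data: synthetic, unsigned, not real certificates ----
def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode tag and body, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def synthetic_cert(version: int, with_extensions: bool) -> bytes:
    """Build a structurally valid Certificate with placeholder field contents."""
    sig_alg = tlv(0x30, tlv(0x06, SHA256_WITH_RSA_OID))
    key_alg = tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + tlv(0x05, b""))
    name = tlv(0x30, b"")  # empty Name; enough for this structural check
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, key_alg + tlv(0x03, b"\x00" * 140))  # long enough to force long-form lengths
    body = tlv(0x02, b"\x01") + sig_alg + name + validity + name + spki
    if version == 3:
        body = tlv(0xA0, tlv(0x02, b"\x02")) + body  # [0] EXPLICIT INTEGER 2
        if with_extensions:
            body += tlv(0xA3, tlv(0x30, b""))          # [3] Extensions (empty list)
    return tlv(0x30, tlv(0x30, body) + sig_alg + tlv(0x03, b"\x00" * 8))


V1_CERT = synthetic_cert(1, False)  # the shape of a JDK 1.5 keytool self-signed certificate
V3_CERT = synthetic_cert(3, True)

if __name__ == "__main__":
    for label, der in (("v1", V1_CERT), ("v3", V3_CERT)):
        print(label, inspect_certificate(der))
```

A certificate that reports version 1, or version 3 without extensions, should be regenerated before it is placed in the keystore used by the scenarios in this chapter.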
This section tells how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
The following instructions tell how to configure an OWSM 12c web service and an OC4J 10g client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard:
Table 3-3 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create a web service application. | |
2 | Attach the following policy to the entry point of the web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 3-4 Configuring the OC4J 10g Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the web service (discussed in Table 3-3) using Oracle JDeveloper. | "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper |
2 | Use the Oracle JDeveloper wizard to secure the proxy by right-clicking the proxy project and selecting Secure Proxy. | -- |
3 | Click Authentication in the Proxy Editor navigation bar and set the following options: | -- |
4 | Click Inbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
5 | Click Outbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
6 | Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
7 | Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
8 | Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. | -- |
9 | Click OK to close the wizard. | -- |
10 | In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in Table 3-5, "Editing the <appname>Binding_Stub.xml File". | -- |
11 | Invoke the web service method from the client. | -- |
Table 3-5 Editing the <appname>Binding_Stub.xml File
Task | Description |
---|---|
1 | Provide the keystore password and the signing and encryption key passwords. |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
3 | In the outbound signature, specify that the timestamp should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
4 | In the outbound encryption, specify the key transport algorithm, as follows: <outbound><encrypt><keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ... |
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard:
Table 3-6 Configuring the OC4J 10g Web Service
Task | Description |
---|---|
1 | Create and deploy a web service application. |
2 | Use Application Server Control to secure the deployed web service. |
3 | Click the Authentication tab and ensure that no options are selected. |
4 | Click the Integrity tab of the Inbound Policies page and set the following options: |
5 | Click the Integrity tab of the Outbound Policies page and set the following options: |
6 | Click the Confidentiality tab of the Inbound Policies page and set the following options: |
7 | Click the Confidentiality tab of the Outbound Policies page and set the following options: |
8 | Configure the keystore properties and identity certificates. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. |
9 | Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-8, "Editing the wsmgmt.xml File". |
Table 3-7 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the OC4J 10g web service. | -- |
2 | Attach the following policy: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy. | "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Invoke the web service method from the client. | -- |
Table 3-8 Editing the wsmgmt.xml File
Task | Description | More Information |
---|---|---|
1 | Locate the | "Understanding the Web Services Management Schema" in Oracle Application Server Advanced Web Services Developer's Guide |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... | -- |
3 | In the outbound signature, specify that the timestamp should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... | -- |
4 | In the outbound encryption, specify the key transport algorithm, as follows: <outbound><encrypt><keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ... | -- |
This section tells how to implement username token with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
The following instructions tell how to configure an OWSM 12c web service and an OC4J 10g client to implement username token with message protection that conforms to the WS-Security 1.0 standard:
Table 3-9 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create an OWSM 12c web service. | -- |
2 | Attach the following policy to the web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 3-10 Configuring the OC4J 10g Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the web service (above) using Oracle JDeveloper. | "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper |
2 | Specify the username and password in the client proxy, as follows: port.setUsername(<username>); port.setPassword(<password>); | -- |
3 | Use the Oracle JDeveloper wizard to secure the proxy by right-clicking the proxy project and selecting Secure Proxy. | -- |
4 | Click Authentication in the Proxy Editor navigation bar and set the following options: | -- |
5 | Click Inbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
6 | Click Outbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
7 | Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
8 | Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
9 | Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. | -- |
10 | Click OK to close the wizard. | -- |
11 | In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3-11, "Editing the <appname>Binding_Stub.xml File". | -- |
12 | Invoke the web service. | -- |
Table 3-11 Editing the <appname>Binding_Stub.xml File
Task | Description |
---|---|
1 | Provide the keystore password and the signing and encryption key passwords. |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
3 | In the outbound signature, specify that the timestamp and UsernameToken should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" local-part="UsernameToken"/> ... |
4 | In the outbound encryption, specify the key transport algorithm, as follows: <outbound><encrypt><keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ... |
5 | In the outbound encryption, specify that the UsernameToken should be encrypted, as follows: <outbound><encrypt><tbe-elements><tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ... |
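The Binding_Stub.xml fragments in Table 3-5 and Table 3-11 (and the matching wsmgmt.xml fragments) ask for three things on the wire: the Timestamp must be covered by the XML Signature, the UsernameToken must be encrypted in CONTENT mode, and the symmetric key must be wrapped with RSA-OAEP-MGF1P. The following Python is an added example, not Oracle code and not a message produced by OC4J or OWSM, that audits a captured SOAP envelope for exactly those properties and additionally checks the Timestamp window, which is what rejects a replayed request. The envelope in the script is constructed by hand with placeholder base64 values, so the check is structural; it does not verify the signature or decrypt anything.

```python
"""Audit a WS-Security 1.0 header for the message-protection settings this
chapter configures: a signed Timestamp, a UsernameToken encrypted in CONTENT
mode, and RSA-OAEP-MGF1P key transport.

Added example; not Oracle code and not a message produced by OC4J or OWSM.
The sample envelope is constructed by hand with placeholder base64 values,
so this is a structural policy check on the header, not signature
verification or decryption.
"""
from datetime import datetime, timezone
from typing import Union
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
XENC_CONTENT = "http://www.w3.org/2001/04/xmlenc#Content"  # CONTENT mode, as opposed to #Element
WSU_ID = "{%s}Id" % NS["wsu"]


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_security_header(envelope: bytes, now: Union[str, datetime]) -> dict:
    """Return which of the chapter's message-protection requirements the header meets."""
    if isinstance(now, str):
        now = parse_utc(now)
    root = ET.fromstring(envelope)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")

    # wsu:Id values covered by the XML Signature (the <tbs-element> list on the wire)
    signed_ids = {ref.get("URI", "").lstrip("#")
                  for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}

    ts = sec.find("wsu:Timestamp", NS)
    ts_signed = ts is not None and ts.get(WSU_ID) in signed_ids
    ts_fresh = False
    if ts is not None:
        created = parse_utc(ts.findtext("wsu:Created", namespaces=NS))
        expires = parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
        ts_fresh = created <= now < expires  # an expired Timestamp is how replays are rejected

    # CONTENT-mode encryption keeps the UsernameToken element and replaces its
    # children with one xenc:EncryptedData of Type ...#Content ...
    ut = sec.find("wsse:UsernameToken", NS)
    enc = ut.find("xenc:EncryptedData", NS) if ut is not None else None
    # ... which the EncryptedKey's ReferenceList must point at.
    ek = sec.find("xenc:EncryptedKey", NS)
    data_refs = {r.get("URI", "").lstrip("#")
                 for r in (ek.findall("xenc:ReferenceList/xenc:DataReference", NS) if ek is not None else [])}
    ut_encrypted = (enc is not None and enc.get("Type") == XENC_CONTENT
                    and enc.get("Id") in data_refs)

    method = ek.find("xenc:EncryptionMethod", NS) if ek is not None else None
    key_transport = method.get("Algorithm") if method is not None else None

    return {"timestamp_signed": ts_signed, "timestamp_fresh": ts_fresh,
            "usernametoken_encrypted": ut_encrypted,
            "key_transport_is_rsa_oaep_mgf1p": key_transport == RSA_OAEP_MGF1P}


# Constructed sample envelope; CipherValue/DigestValue contents are placeholders.
SAMPLE_ENVELOPE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="Timestamp-1">
   <wsu:Created>2024-05-01T10:00:00Z</wsu:Created><wsu:Expires>2024-05-01T10:05:00Z</wsu:Expires>
  </wsu:Timestamp>
  <xenc:EncryptedKey Id="EK-1">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <wsse:UsernameToken wsu:Id="UsernameToken-1">
   <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
   </xenc:EncryptedData>
  </wsse:UsernameToken>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#Timestamp-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
   <ds:Reference URI="#Body-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Body-1"><m:echo xmlns:m="urn:example">hello</m:echo></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(audit_security_header(SAMPLE_ENVELOPE, "2024-05-01T10:01:00Z"))
```

Run it against a request captured from the proxy or a network trace, passing the capture time as now. A False in any field means the message on the wire does not match what the <tbs-element>, <tbe-element mode="CONTENT"> and <keytransport-method> settings ask for; the key-transport check in particular distinguishes RSA-OAEP-MGF1P from the legacy xmlenc#rsa-1_5 (PKCS#1 v1.5) wrapping.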
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.0 standard:
Table 3-12 Configuring the OC4J 10g Web Service
Task | Description |
---|---|
1 | Create and deploy a JAX-RPC web service on OC4J. |
2 | Use Application Server Control to secure the deployed web service. |
3 | Click the Authentication tab and set the following options: |
4 | Click the Integrity tab in the Inbound Policies page and set the following options: |
5 | Click the Integrity tab in the Outbound Policies page and set the following options: |
6 | Click the Confidentiality tab in the Inbound Policies page and set the following options: |
7 | Click the Confidentiality tab in the Outbound Policies page and set the following options: |
8 | Configure the keystore properties and identity certificates. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. |
9 | Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-14, "Editing the wsmgmt.xml File". |
Table 3-13 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the OC4J 10g web service. | -- |
2 | Attach the following policy: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy. | "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Invoke the web service method from the client. | -- |
Table 3-14 Editing the wsmgmt.xml File
Task | Description |
---|---|
1 | Find the |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
3 | In the outbound signature, specify that the timestamp should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
4 | In the outbound encryption, specify that the UsernameToken should be encrypted, as follows: <outbound><encrypt><tbe-elements><tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ... |
This section tells how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
The following instructions tell how to configure an OWSM 12c web service and an OC4J 10g client to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard:
Table 3-15 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create an OWSM 12c web service. | -- |
2 | Attach the following policy to the web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 3-16 Configuring the OC4J 10g Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the web service (above) using Oracle JDeveloper. | "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper |
2 | Use the Oracle JDeveloper wizard to secure the proxy by right-clicking the proxy project and selecting Secure Proxy. | -- |
3 | Click Authentication in the Proxy Editor navigation bar and set the following options: | -- |
4 | Click Inbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
5 | Click Outbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
6 | Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
7 | Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
8 | Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. | -- |
9 | Click OK to close the wizard. | -- |
10 | In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3-17, "Editing the <appname>Binding_Stub.xml File". | -- |
11 | Invoke the web service method. | -- |
Table 3-17 Editing the <appname>Binding_Stub.xml File
Task | Description |
---|---|
1 | Provide the keystore password and the signing and encryption key passwords. |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
3 | In the outbound signature, specify that the timestamp should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
4 | In the outbound encryption, specify the key transport algorithm, as follows: <outbound><encrypt><keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ... |
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard:
Table 3-18 Configuring the OC4J 10g Web Service
Task | Description |
---|---|
1 | Create and deploy a JAX-RPC web service on OC4J. |
2 | Use Application Server Control to secure the deployed web service. |
3 | Click Authentication in the navigation bar and set the following options: |
4 | Click Inbound Integrity in the navigation bar and set the following option: |
5 | Click Outbound Integrity in the navigation bar and select the following options: |
6 | Click Inbound Confidentiality in the navigation bar and set the following option: |
7 | Click Outbound Confidentiality in the navigation bar and set the following option: |
8 | Configure the keystore properties and identity certificates. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. |
9 | Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-20, "Editing the wsmgmt.xml File". |
10 | Invoke the web service. |
Table 3-19 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the OC4J 10g web service. | -- |
2 | Attach the following policy: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy. | "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Invoke the web service method from the client. | -- |
Table 3-20 Editing the wsmgmt.xml File
Task | Description |
---|---|
1 | Find the |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
3 | In the outbound signature, specify that the timestamp should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
4 | In the outbound encryption, specify that the UsernameToken should be encrypted, as follows: <outbound><encrypt><tbe-elements><tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ... |
This section tells how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
The following instructions tell how to configure an OWSM 12c web service and an OC4J 10g client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:
Table 3-21 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create a web service application. | -- |
2 | Attach the following policy to the web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 3-22 Configuring the OC4J 10g Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the web service (above) using Oracle JDeveloper. | "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper |
2 | Use the Oracle JDeveloper wizard to secure the proxy by right-clicking the proxy project and selecting Secure Proxy. | -- |
3 | Click Authentication in the Proxy Editor navigation bar and set the following options: | -- |
4 | Click Inbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
5 | Click Outbound Integrity in the Proxy Editor navigation bar and set the following options: | -- |
6 | Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
7 | Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options: | -- |
8 | Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. | -- |
9 | Click OK to close the wizard. | -- |
10 | In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3-23, "Editing the <appname>Binding_Stub.xml File". | -- |
11 | Invoke the web service. | -- |
Table 3-23 Editing the <appname>Binding_Stub.xml File
Task | Description |
---|---|
1 | Provide the keystore password and the signing and encryption key passwords. |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
3 | In the outbound signature, specify that the timestamp should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
4 | In the outbound encryption, specify the key transport algorithm, as follows: <outbound><encrypt><keytransport-method>RSA-OAEP-MGF1P</keytransport-method> ... |
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:
Table 3-24 Configuring the OC4J 10g Web Service
Task | Description |
---|---|
1 | Create and deploy a JAX-RPC web service on OC4J. |
2 | Use Application Server Control to secure the deployed web service. |
3 | Click the Authentication tab and set the following options: |
4 | Click the Integrity tab of the Inbound Policies page and set the following options: |
5 | Click the Integrity tab of the Outbound Policies page and set the following options: |
6 | Click the Confidentiality tab of the Inbound Policies page and set the following options: |
7 | Click the Confidentiality tab of the Outbound Policies page and set the following options: |
8 | Configure the keystore properties and identity certificates. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. |
9 | Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-26, "Editing the wsmgmt.xml File". |
Table 3-25 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy to the OC4J 10g web service. | -- |
2 | Attach the following policy: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Configure the policy. | "oracle/wss10_x509_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Invoke the web service. | -- |
Table 3-26 Editing the wsmgmt.xml File
Task | Description |
---|---|
1 | Find the |
2 | In the inbound signature, specify the following: <inbound><verify-signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
3 | In the outbound signature, specify that the timestamp should be signed, as follows: <outbound><signature><tbs-elements><tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/> ... |
4 | In the outbound encryption, specify that the UsernameToken should be encrypted, as follows: <outbound><encrypt><tbe-elements><tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/> ... |
This section tells how to implement username token over SSL, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
For information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.
The following instructions tell how to configure an OWSM 12c web service and an OC4J 10g client to implement username token over SSL:
Table 3-27 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Configure the server for SSL. | "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Attach one of the following policies to the web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 3-28 Configuring the OC4J 10g Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy for the web service (above) using Oracle JDeveloper. Ensure that the web service endpoint references the HTTPS URL and SSL port configured on Oracle WebLogic Server. | "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper |
2 | Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code): HostnameVerifier hv = new HostnameVerifier() { ... }; HttpsURLConnection.setDefaultHostnameVerifier(hv); System.setProperty("javax.net.ssl.trustStore", "<trust_store>"); System.setProperty("javax.net.ssl.trustStorePassword", "<trust_store_password>"); System.setProperty("javax.net.ssl.keyStore", "<key_store>"); System.setProperty("javax.net.ssl.keyStorePassword", "<key_store_password>"); System.setProperty("javax.net.ssl.keyStoreType", "JKS"); The body of the HostnameVerifier is not shown here; do not implement it to return true unconditionally, because that disables host name verification for the TLS connection. | -- |
3 | Use the Oracle JDeveloper wizard to secure the proxy by right-clicking the proxy project and selecting Secure Proxy. | -- |
4 | Click Authentication in the Proxy Editor navigation bar and set the following options: | -- |
5 | Click Inbound Integrity in the Proxy Editor navigation bar and deselect all options. | -- |
6 | Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options. | -- |
7 | Click Inbound Confidentiality in the Proxy Editor navigation bar and deselect all options. | -- |
8 | Click Outbound Confidentiality in the Proxy Editor navigation bar and deselect all options. | -- |
9 | Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required. Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates. | -- |
10 | Click OK to close the wizard. | -- |
11 | In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3-29, "Editing the <appname>Binding_Stub.xml File". | -- |
12 | Invoke the web service. | -- |
Table 3-29 Editing the <appname>Binding_Stub.xml File
Task | Description |
---|---|
1 | Provide the keystore password and the signing and encryption key passwords. |
2 | In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags): <outbound><signature><add-timestamp created="true" expiry="<Expiry_Time>"/></signature> ... |
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement username token over SSL:
Table 3-30 Configuring the OC4J 10g Web Service
Task | Description | More Information |
---|---|---|
1 | Configure the server for SSL. | |
2 | Use Application Server Control to secure the deployed web service. | -- |
3 | Click the Authentication tab and set the following options: | -- |
4 | Click the Integrity tab of the Inbound Policies page and deselect all options. | -- |
5 | Click the Integrity tab of the Outbound Policies page and deselect all options. | -- |
6 | Click the Confidentiality tab of the Inbound Policies page and deselect all options. | -- |
7 | Click the Confidentiality tab of the Outbound Policies page and deselect all options. | -- |
8 | Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-32, "Editing the wsmgmt.xml File". | -- |
Table 3-31 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Create a client proxy to the OC4J 10g web service. Ensure that the web service endpoint references the HTTPS URL and SSL port configured on OC4J. | -- |
2 | Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code): HostnameVerifier hv = new HostnameVerifier() { ... }; HttpsURLConnection.setDefaultHostnameVerifier(hv); System.setProperty("javax.net.ssl.trustStore", "<trust_store>"); System.setProperty("javax.net.ssl.trustStorePassword", "<trust_store_password>"); System.setProperty("javax.net.ssl.keyStore", "<key_store>"); System.setProperty("javax.net.ssl.keyStorePassword", "<key_store_password>"); System.setProperty("javax.net.ssl.keyStoreType", "JKS"); The body of the HostnameVerifier is not shown here; do not implement it to return true unconditionally, because that disables host name verification for the TLS connection. | -- |
3 | Attach the following policy: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Configure the policy. | "oracle/wss_username_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Invoke the web service. | -- |
Table 3-32 Editing the wsmgmt.xml File
Task | Description |
---|---|
1 | Find the |
2 | In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags): <outbound><signature><add-timestamp created="true" expiry="<Expiry_Time>"/></signature> ... |
This section tells how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
"Configuring an OWSM 12c Web Service and an OC4J 10g Client"
"Configuring an OC4J 10g Web Service and an OWSM 12c Client"
For information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.
The following instructions tell how to configure an OWSM 12c web service and an OC4J 10g client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard:
Table 3-33 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Configure the server for two-way SSL. | "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
2 | Attach the following policy to the web service: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 3-34 Configuring the OC4J 10g Client
Task | Description | More Information |
---|---|---|
1 | Configure the server for two-way SSL. | |
2 | Create a client proxy for the web service (above) using Oracle JDeveloper. Ensure that the web service endpoint references the URL with HTTPS and the SSL port configured on Oracle WebLogic Server. | "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper. |
3 | Add the code excerpt shown after this table to initialize two-way SSL (at the beginning of the client proxy code). | -- |
4 | Use the Oracle JDeveloper wizard to secure the proxy by right-clicking the proxy project and selecting Secure Proxy. | -- |
5 | Click Authentication in the Proxy Editor navigation bar and set the following options: | -- |
6 | Click Inbound Integrity in the Proxy Editor navigation bar and set the following option: | -- |
7 | Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options. | -- |
8 | Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following option: | -- |
9 | Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following option: | -- |
10 | Provide the required information for the keystore to be used. | -- |
11 | Click OK to close the wizard. | -- |
12 | In the Structure pane, click <appname>Binding_Stub.xml and edit the file, as described in Table 3-35, "Editing the <appname>Binding_Stub.xml File". | -- |
13 | Invoke the web service. | -- |

Code excerpt for task 3 (two-way SSL initialization):

```java
// Needs: import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLSession;

// The verifier body is not shown in the source; the one below is an assumption. Returning
// false keeps the JDK's own strict host-name check, because HttpsURLConnection consults this
// verifier only after that check has already failed.
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName, SSLSession session) {
        return false;
    }
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
// Trust store (server CA) and key store (client identity) for two-way SSL; replace the placeholders.
System.setProperty("javax.net.ssl.trustStore", "<trust_store>");
System.setProperty("javax.net.ssl.trustStorePassword", "<trust_store_password>");
System.setProperty("javax.net.ssl.keyStore", "<key_store>");
System.setProperty("javax.net.ssl.keyStorePassword", "<key_store_password>");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
```
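The two-way SSL excerpt in Table 3-31 and Table 3-34 configures the client identity and trust store through process-wide javax.net.ssl.* system properties and installs a default HostnameVerifier. The following is an added example, not code from this guide or from Oracle, showing the same set-up done explicitly: the key store and trust store are loaded into an SSLContext that is installed for HTTPS connections, the trust store is checked for X.509 v3 certificates (subjectAltName and key-usage extensions exist only in v3), and the HostnameVerifier rejects rather than accepts when the server certificate's dNSName does not match the URL host. The class and method names, and the `<key_store>`, `<trust_store>` and password placeholders, are assumptions to be replaced with real values; the code needs only the Java 5+ standard library.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

// Added example: two-way SSL set-up for a client proxy without process-wide
// javax.net.ssl.* system properties. Store paths and passwords are placeholders.
public class TwoWaySslClientInit {

    // Loads a JKS store from disk (path and password are caller-supplied assumptions).
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        return store;
    }

    // Returns false if any certificate in the store is older than X.509 v3; v1 and v2
    // certificates cannot carry extensions such as subjectAltName or key usage.
    public static boolean allCertificatesV3(KeyStore store) throws Exception {
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            Certificate cert = store.getCertificate(aliases.nextElement());
            if (cert instanceof X509Certificate && ((X509Certificate) cert).getVersion() < 3) {
                return false;
            }
        }
        return true;
    }

    // Builds an SSLContext that presents the client identity from keyStore and trusts
    // only the certificates in trustStore (two-way SSL).
    public static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // True only if the leaf certificate has a dNSName SAN (type 2) equal to the URL host.
    // Wildcard names are deliberately not matched by this simplified check.
    public static boolean hostMatchesCertificate(String urlHost, X509Certificate leaf) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && urlHost.equalsIgnoreCase((String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    // A HostnameVerifier that rejects rather than accepts when in doubt. HttpsURLConnection
    // consults it only after its own host-name check has failed, so it never relaxes that check.
    public static HostnameVerifier strictVerifier() {
        return new HostnameVerifier() {
            public boolean verify(String urlHost, SSLSession session) {
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    return chain.length > 0 && hostMatchesCertificate(urlHost, (X509Certificate) chain[0]);
                } catch (Exception e) {
                    return false;
                }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        char[] keyPassword = "<key_store_password>".toCharArray();                      // placeholder
        KeyStore keyStore = loadJks("<key_store>", keyPassword);                        // placeholder path
        KeyStore trustStore = loadJks("<trust_store>", "<trust_store_password>".toCharArray());
        if (!allCertificatesV3(trustStore)) {
            throw new IllegalStateException("trust store contains pre-v3 certificates");
        }
        SSLContext ctx = buildContext(keyStore, keyPassword, trustStore);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(strictVerifier());
        // ... create the client proxy and invoke the HTTPS endpoint here
    }
}
```

Installing the SSLContext on HttpsURLConnection keeps the key and trust material scoped to the connection factory instead of to every SSL socket the JVM opens, and the v3 check catches the keytool default of generating v1 certificates before the handshake fails with an opaque error.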
Table 3-35 Editing the <appname>Binding_Stub.xml File
Task | Description |
---|---|
1 | Provide the keystore password and the sign and encryption key passwords. |
2 | In the outbound signature, specify that the timestamp should be signed, as shown after this table (and remove all other tags). |

Outbound signature for task 2:

```xml
<outbound>
  <signature>
    <add-timestamp created="true" expiry="<Expiry_Time>"/>
  </signature>
  ...
```
The following instructions tell how to configure an OC4J 10g web service and an OWSM 12c client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard:
Table 3-36 Configuring the OC4J 10g Web Service
Task | Description | More Information |
---|---|---|
1 | Configure the server for two-way SSL. | |
2 | Use the Application Server Control to secure the deployed web service. | -- |
3 | Click Authentication in the navigation bar and set the following options: | -- |
4 | Click the Integrity tab of the Inbound Policies page and deselect all options. | -- |
5 | Click the Integrity tab of the Outbound Policies page and deselect all options. | -- |
6 | Click the Confidentiality tab of the Inbound Policies page and deselect all options. | -- |
7 | Click the Confidentiality tab of the Outbound Policies page and deselect all options. | -- |
8 | Edit the wsmgmt.xml deployment descriptor file, as described in Table 3-38, "Edit the wsmgmt.xml File". | -- |
Table 3-37 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Configure the server for two-way SSL. | "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Create a client proxy to the OC4J 10g web service. Ensure that the web service endpoint references the URL with HTTPS and the SSL port configured on Oracle WebLogic Server. | -- |
3 | Attach the following policy: | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Configure the policy. | "oracle/wss_saml_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
5 | Invoke the web service. | -- |
Table 3-38 Edit the wsmgmt.xml File
Task | Description |
---|---|
1 | Find the |
2 | In the outbound signature, specify that the timestamp should be signed, as shown after this table (and remove all other tags). |

Outbound signature for task 2:

```xml
<outbound>
  <signature>
    <add-timestamp created="true" expiry="<Expiry_Time>"/>
  </signature>
  ...
```
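The `add-timestamp` element in Table 3-32, Table 3-35 and Table 3-38 makes the sender emit a WS-Security Utility (wsu) Timestamp with a Created and an Expires time and include it in the outbound signature, so that a receiver can reject stale or replayed messages. The following is an added example, not code from this guide or from Oracle, showing what that element looks like on the wire and the freshness test a receiver applies to it. It assumes that the expiry is a lifetime in seconds added to the creation time; the class name, the 300-second sample lifetime and the 60-second clock-skew allowance are constructed for the example. The signature over the element must be verified before this check is meaningful; the example covers only the time comparison.

```java
import java.io.StringReader;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added example: what a signed WS-Security timestamp carries and how a receiver evaluates
// its expiry. Treating the expiry value as a lifetime in seconds is an assumption.
public class WsuTimestamp {

    public static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Builds the wsu:Timestamp element a sender emits: Created, and Expires = Created + lifetime.
    public static String build(Instant created, long lifetimeSeconds) {
        DateTimeFormatter f = DateTimeFormatter.ISO_INSTANT;
        return "<wsu:Timestamp xmlns:wsu=\"" + WSU_NS + "\">"
             + "<wsu:Created>" + f.format(created) + "</wsu:Created>"
             + "<wsu:Expires>" + f.format(created.plusSeconds(lifetimeSeconds)) + "</wsu:Expires>"
             + "</wsu:Timestamp>";
    }

    // Parses Created and Expires back out of a wsu:Timestamp element; DTDs are disabled so
    // the parser cannot be steered by an inline DOCTYPE.
    public static Instant[] parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        String created = doc.getElementsByTagNameNS(WSU_NS, "Created").item(0).getTextContent();
        String expires = doc.getElementsByTagNameNS(WSU_NS, "Expires").item(0).getTextContent();
        return new Instant[] { Instant.parse(created), Instant.parse(expires) };
    }

    // Receiver-side check, applied after the signature over the element has been verified:
    // rejects malformed (Expires not after Created), not-yet-created and expired timestamps,
    // tolerating clock drift of up to skew in either direction.
    public static boolean isFresh(Instant created, Instant expires, Instant now, Duration skew) {
        if (!expires.isAfter(created)) {
            return false;
        }
        if (created.isAfter(now.plus(skew))) {
            return false;
        }
        return expires.isAfter(now.minus(skew));
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.now();
        String element = build(now, 300);              // constructed sample: 5-minute lifetime
        Instant[] ts = parse(element);
        Duration skew = Duration.ofSeconds(60);        // constructed sample skew allowance
        System.out.println(element);
        System.out.println("checked immediately:        " + isFresh(ts[0], ts[1], now, skew));
        System.out.println("checked ten minutes later:  " + isFresh(ts[0], ts[1], now.plusSeconds(600), skew));
    }
}
```

Keep the configured expiry short relative to the skew allowance: a long lifetime widens the window in which a captured message still passes this check, while an allowance that is too small causes spurious rejections between hosts whose clocks are not synchronised.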