This chapter describes interoperability of Oracle Web Services Manager (OWSM) with Oracle Service Bus 10g security environments.
This chapter includes the following sections:
Overview of Interoperability with Oracle Service Bus 10g Security Environments
Username Token with Message Protection (WS-Security 1.0)
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)
SAML or Username Token Over SSL
Mutual Authentication with Message Protection (WS-Security 1.0)
In Oracle Service Bus 10g, you attach policies to configure your security environment for inbound and outbound requests. Oracle Service Bus uses the underlying WebLogic security framework as building blocks for its security services. For information about configuring and attaching policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.
Note:
Ensure that you have downloaded and applied the TYBN and U37Z patches released for Oracle Service Bus 10.3 using the patch tool.
With OWSM 12c, you attach policies to web service endpoints. Each policy consists of one or more assertions, defined at the domain level, that define the security requirements. A set of predefined policies and assertions is provided out of the box.
Table 7-1 and Table 7-2 summarize the most common Oracle Service Bus 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching Oracle Service Bus 10g policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates, which cannot carry extensions. In addition, ensure that the certificates carry the proper key usage extensions: DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.
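To verify both requirements of the note before running through the scenarios, the script below walks a certificate's DER structure and reports its X.509 version and the KeyUsage bits that are set. It is an added example, not Oracle tooling, and uses only the Python standard library. Export the certificate from the JKS keystore first (keytool -exportcert -rfc -alias <alias> -keystore <keystore>; older JDKs spell the command -export) and pass the resulting file; the built-in skeleton input is constructed for the test and is not a real certificate. On JDK 7 and later, keytool -genkeypair accepts -ext KeyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment, which produces a v3 certificate with exactly these bits.

```python
"""Report the X.509 version and KeyUsage bits of a certificate.
Added example, not Oracle tooling: a hand-rolled DER walker, standard
library only, so it runs offline against DER or PEM input."""
import base64

KEY_USAGE_OID = bytes.fromhex("551d0f")      # id-ce-keyUsage (2.5.29.15)
KEY_USAGE_BITS = {                           # bit numbers from RFC 5280
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5, "cRLSign": 6}
REQUIRED = ("digitalSignature", "nonRepudiation",
            "keyEncipherment", "dataEncipherment")   # the bits the note lists


def _tlv(data, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """(tag, value) pairs of the elements inside a constructed value."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def load_der(blob):
    """Accept raw DER or PEM (what keytool -exportcert -rfc writes)."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        body = [ln for ln in blob.splitlines() if not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return blob


def to_pem(der):
    """Inverse of load_der, used to exercise the PEM path."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def check_certificate(blob):
    """Version, KeyUsage names present, required ones missing, and an ok flag."""
    _, cert, _ = _tlv(load_der(blob))        # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                   # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    version = 1                              # no [0] Version field means v1
    if fields and fields[0][0] == 0xA0:      # [0] EXPLICIT INTEGER (v3 == 2)
        version = int.from_bytes(_tlv(fields[0][1])[1], "big") + 1
    usage = set()
    for tag, val in fields:
        if tag != 0xA3:                      # [3] EXPLICIT Extensions (v3 only)
            continue
        for _, ext in _children(_tlv(val)[1]):      # Extension ::= SEQUENCE
            parts = _children(ext)                  # extnID [critical] extnValue
            if parts[0][1] != KEY_USAGE_OID:
                continue
            bits = _tlv(parts[-1][1])[1]            # BIT STRING in OCTET STRING
            unused, body = bits[0], bits[1:]
            nbits = len(body) * 8 - unused
            for name, i in KEY_USAGE_BITS.items():
                if i < nbits and body[i // 8] & (0x80 >> (i % 8)):
                    usage.add(name)
    missing = [u for u in REQUIRED if u not in usage]
    return {"version": version, "key_usage": sorted(usage),
            "missing": missing, "ok": version == 3 and not missing}


def _enc(tag, body):
    """Minimal DER encoder, only for the constructed skeleton below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_skeleton(v3=True, key_usage=0xF0):
    """Constructed, unsigned certificate skeleton (NOT a real certificate):
    only version and keyUsage are meaningful, other fields are empty
    placeholders. 0xF0 with 4 unused bits = the four required bits."""
    tbs = _enc(0xA0, _enc(0x02, b"\x02")) if v3 else b""   # [0] version v3
    tbs += _enc(0x02, b"\x01")                             # serialNumber
    tbs += _enc(0x30, b"") * 5    # signature, issuer, validity, subject, SPKI
    if v3:
        ext = (_enc(0x06, KEY_USAGE_OID) + _enc(0x01, b"\xff")
               + _enc(0x04, _enc(0x03, bytes([4, key_usage]))))
        tbs += _enc(0xA3, _enc(0x30, _enc(0x30, ext)))      # [3] extensions
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

Call check_certificate(open("cert.pem", "rb").read()) on an exported certificate; a v1 certificate reports version 1 with every required bit missing, because v1 has no extensions field at all, and a v3 certificate generated without the key usage extension reports version 3 with the same four bits missing.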
Table 7-1 OWSM 12c Service Policy and Oracle Service Bus 10g Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Username | 1.0 | Yes | No | | |
SAML | 1.0 | Yes | No | | |
SAML or Username | 1.0 and 1.1 | No | Yes | | |
Mutual Authentication | 1.0 | Yes | No | | |
Table 7-2 Oracle Service Bus 10g Service Policy and OWSM 12c Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Username | 1.0 | Yes | No | | |
SAML | 1.0 | Yes | | | |
Mutual Authentication | 1.0 | Yes | No | | |
This section describes how to implement username token with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
OWSM 12c web service with Oracle Service Bus 10g client
Oracle Service Bus 10g web service with OWSM 12c client
For either scenario, you must first perform prerequisite tasks for the WebLogic Server on which Oracle Service Bus is running. See Table 7-3, "Configuration Prerequisites for Interoperability".
Instructions for the supported scenarios are:
"Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client"
"Configuring an Oracle Service Bus 10g Web Service and an OWSM 12c Client"
Table 7-3 Configuration Prerequisites for Interoperability
Task | Description | More Information |
---|---|---|
1 | Copy the | "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
2 | Invoke the WebLogic Administration Console. | "Accessing Oracle WebLogic Administration Console" in Administering Web Services |
3 | Configure the Custom Identity and Custom Trust keystores. | "Configure keystores" in Oracle WebLogic Server Administration Console Online Help |
4 | Configure SSL. | "Set up SSL" in Oracle WebLogic Server Administration Console Online Help |
5 | Specify the private key alias, as required. For example: | -- |
6 | Configure a credential mapping provider. Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults): | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
7 | Restart Oracle WebLogic Server. | -- |
9 | Invoke the OSB Console. For example: http://<host name>:<port number>/sbconsole | -- |
10 | Create a ServiceKeyProvider. | -- |
11 | Specify Encryption Key and Digital Signature Key, as required. You must use different keys on the OWSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired. | -- |
The following instructions tell how to configure an OWSM 12c web service and an Oracle Service Bus 10g client to implement username token with message protection that conforms to the WS-Security 1.0 standard:
Table 7-4 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Clone the following policy: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Edit the policy settings, as follows: | -- |
3 | Attach the policy to the web service. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 7-5 Configuring the Oracle Service Bus 10g Client
Task | Description | More Information |
---|---|---|
1 | Clone the For example, copy the files to | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager; "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at |
2 | Edit the encryption algorithm in <wssp:Target> <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Target> | -- |
3 | Edit the <wssp:Target> <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/> <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsse:UsernameToken)</wssp:MessageParts> </wssp:Target> | -- |
4 | Edit the <wssp:Integrity SignToken="false"> Also, for SOA clients only, comment out the target for system headers, as shown: <!-- wssp:Target> <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/> <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts> </wssp:Target --> | -- |
5 | Invoke the web service method from the client. | -- |
The following instructions tell how to configure an Oracle Service Bus 10g web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.0 standard:
Table 7-6 Configuring the Oracle Service Bus 10g Web Service
Task | Description |
---|---|
1 | Clone the For example, copy the files to |
2 | Edit the encryption algorithm in the <wssp:Target> <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Target> For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at |
3 | Edit the <wssp:Integrity SignToken="false"> Also, for SOA clients only, comment out the target for system headers, as shown: <!-- wssp:Target> <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/> <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts> </wssp:Target --> |
4 | Create a web service application that invokes the Oracle Service Bus routing service. |
Table 7-7 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Clone the following policy: Edit the policy settings, as follows: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Attach the policy to the web service client. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Invoke the web service from the client. | -- |
This section describes how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
OWSM 12c web service with Oracle Service Bus 10g client
Oracle Service Bus 10g web service with OWSM 12c client
For either scenario, you must first perform prerequisite tasks for the WebLogic Server on which Oracle Service Bus is running, as described in Table 7-8, "Configuration Prerequisites for Interoperability".
Instructions for the supported scenarios are:
"Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client"
"Configuring an Oracle Service Bus 10g Web Service and an OWSM 12c Client"
Table 7-8 Configuration Prerequisites for Interoperability
Task | Description | More Information |
---|---|---|
1 | Copy the The | "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
2 | Invoke the WebLogic Administration Console. | "Accessing Oracle WebLogic Administration Console" in Administering Web Services |
3 | Create a SAMLIdentityAsserterV2 authentication provider. | "Configuring Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
4 | Restart WebLogic Server to add the new provider to the Administration Server's Runtime MBean server. | -- |
5 | Select the authentication provider created in step 3. | -- |
6 | Create and configure a SAML asserting party. Configure the SAML asserting party as follows (leave other values set to the defaults): Select the Enabled checkbox and click Save. | "SAML Identity Asserter V2: Create an Asserting Party" and "SAML Identity Asserter V2: Asserting Party: Configuration" in Oracle WebLogic Server Administration Console Online Help |
7 | Create a SamlCredentialMapperV2 credential mapping provider. Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper, for example, UC2_SamlCredentialMapperV2. | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
8 | Restart WebLogic Server. | -- |
9 | Configure the credential mapper as follows (leave other values set to the defaults): | -- |
10 | Create and configure a SAML relying party. Configure the SAML relying party as follows (leave other values set to the defaults): Select the Enabled checkbox and click Save. | "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle WebLogic Server Administration Console Online Help |
11 | Restart WebLogic Server. | -- |
The following instructions tell how to configure an OWSM 12c web service and an Oracle Service Bus 10g client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard:
Table 7-9 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Clone the following policy: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Attach the policy to the web service. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 7-10 Configuring the Oracle Service Bus 10g Client
Task | Description |
---|---|
1 | Clone the For example, to |
2 | Edit the encryption algorithm in the <wssp:Target> <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Target> For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at |
3 | Edit the <wssp:Target> <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/> <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsse:Assertion)</wssp:MessageParts> </wssp:Target> |
4 | Edit the <wssp:Integrity SignToken="false"> Also, for SOA clients only, comment out the target for system headers, as shown: <!-- wssp:Target> <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/> <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts> </wssp:Target --> |
5 | Use the custom SAML policy file shown in Example 7-1. |
6 | Invoke the web service from the client. |
Example 7-1 Custom SAML Policy
<?xml version="1.0"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="custom_saml">
  <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
        <wssp:Claims>
          <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
The following instructions tell how to configure an Oracle Service Bus 10g web service and an OWSM 12c client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard:
Table 7-11 Configuring the Oracle Service Bus 10g Web Service
Task | Description |
---|---|
1 | Clone the For example, to |
2 | Edit the encryption algorithm in the <wssp:Target> <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Target> For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at |
3 | Edit the <wssp:Integrity SignToken="false"> Also, for SOA clients only, comment out the target for system headers, as shown: <!-- wssp:Target> <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/> <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts> </wssp:Target --> |
4 | Use the custom SAML policy file shown in Example 7-1. |
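The Oracle Service Bus policy edits in Tables 7-5, 7-6, 7-10 and 7-11 are the same handful of changes to the cloned policy files, differing only in which token header gets signed (wsse:UsernameToken or wsse:Assertion) and in whether the system-headers target is commented out for SOA clients. The script below applies them and reports what the result contains so it can be checked before the policy is attached in the OSB console. It is an added example, not Oracle code and not a file shipped with Oracle Service Bus. It uses xml.dom.minidom rather than xml.etree because these policies declare xmlns:wls but use the prefix only inside text such as wls:SystemHeaders(), and etree drops namespace declarations that no element or attribute name uses. The two sample policies are constructed to match the shape of Examples 7-3 and 7-4 before editing (the encrypt sample deliberately starts from a different algorithm so the change is visible). The chapter does not show whether the token-header target replaces an existing target or is added, so the script adds one only when no target already names that part; that is an assumption. The algorithm URIs are the ones the chapter specifies for this pairing; SHA-1 digests and RSA PKCS#1 v1.5 key transport are retired in newer profiles, which is one more reason to keep the hop on SSL as well.

```python
"""Apply the Oracle Service Bus 10g policy edits from Tables 7-5, 7-6, 7-10
and 7-11 to a cloned WS-Policy file. Added example, not Oracle code. minidom
is used because it keeps the file's xmlns:* declarations and prefixes; etree
would drop xmlns:wls, which these policies use only inside text."""
import xml.dom.minidom as minidom

AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
WSEE_PART = "http://www.bea.com/wls90/security/policy/wsee#part"


def _text(node):
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE).strip()


def _targets(doc, part):
    """wssp:Target elements whose wssp:MessageParts text is exactly `part`."""
    return [p.parentNode for p in doc.getElementsByTagName("wssp:MessageParts")
            if _text(p) == part]


def adapt_osb_policy(xml_text, sign_header_part=None, soa_client=True):
    """Return the edited policy XML; running it twice changes nothing."""
    doc = minidom.parseString(xml_text)
    # "Edit the encryption algorithm": AES-128-CBC on every encryption target
    for alg in doc.getElementsByTagName("wssp:EncryptionAlgorithm"):
        alg.setAttribute("URI", AES128_CBC)
    for integ in doc.getElementsByTagName("wssp:Integrity"):
        integ.setAttribute("SignToken", "false")   # 'Edit the <wssp:Integrity SignToken="false">'
        # Sign the token header (wsse:UsernameToken or wsse:Assertion). The page
        # does not show whether this replaces an existing Target, so (assumption)
        # a Target is added only when none already names that part.
        if sign_header_part and not _targets(doc, sign_header_part):
            target = doc.createElement("wssp:Target")
            digest = doc.createElement("wssp:DigestAlgorithm")
            digest.setAttribute("URI", SHA1)
            parts = doc.createElement("wssp:MessageParts")
            parts.setAttribute("Dialect", WSEE_PART)
            parts.appendChild(doc.createTextNode(sign_header_part))
            target.appendChild(digest)
            target.appendChild(parts)
            integ.appendChild(target)
    # "For SOA clients only, comment out the target for system headers"
    if soa_client:
        for target in _targets(doc, "wls:SystemHeaders()"):
            note = doc.createComment(" SOA client: " + target.toxml() + " ")
            target.parentNode.replaceChild(note, target)
    return doc.toxml()


def summarize(xml_text):
    """What to verify before attaching the policy in the OSB console."""
    doc = minidom.parseString(xml_text)
    integs = doc.getElementsByTagName("wssp:Integrity")
    return {
        "encryption": [a.getAttribute("URI")
                       for a in doc.getElementsByTagName("wssp:EncryptionAlgorithm")],
        "sign_token": [i.getAttribute("SignToken") for i in integs],
        "signed_parts": [_text(p) for p in doc.getElementsByTagName("wssp:MessageParts")
                         if p.parentNode.parentNode.tagName == "wssp:Integrity"],
        "commented_out": [c.data for i in integs for c in i.childNodes
                          if c.nodeType == c.COMMENT_NODE],
    }


# Constructed sample inputs shaped like the chapter's Sign and Encrypt policies
# before the edits (not the files shipped with Oracle Service Bus).
SAMPLE_SIGN = """<?xml version="1.0"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
  wsu:Id="X509Sign">
  <wssp:Integrity>
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>
  <wssp:MessageAge/>
</wsp:Policy>
"""

SAMPLE_ENCRYPT = """<?xml version="1.0"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy">
  <wssp:Confidentiality>
    <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <wssp:Target>
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo/>
  </wssp:Confidentiality>
</wsp:Policy>
"""
```

For the username-token tables call adapt_osb_policy(text, "wls:SecurityHeader(wsse:UsernameToken)"); for the SAML tables pass "wls:SecurityHeader(wsse:Assertion)"; pass soa_client=False when the caller is not a SOA client, which leaves the wls:SystemHeaders() target in place. The commented-out target is kept inside the file, as the chapter's own examples do, so it can be restored by hand.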
Table 7-12 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Clone the following policy: Edit the policy settings, as follows: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Attach the policy to the web service client. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Invoke the web service from the client. | -- |
This section describes how to implement the SAML or username token over SSL policy, in the following interoperability scenario:
Oracle Service Bus 10g client and OWSM 12c web service
Note:
The interoperability scenario described in this section applies to both the SAML Token Over SSL and the Username Token Over SSL policies.
For either policy, you must first perform prerequisite tasks for the WebLogic Server on which Oracle Service Bus is running, as described in the following sections:
Configure the username token, as described in Table 7-3, "Configuration Prerequisites for Interoperability."
Configure the SAML token, as described in Table 7-8, "Configuration Prerequisites for Interoperability."
For SAML, also perform the prerequisite steps for the WebLogic Server on which Oracle Service Bus is running, shown in Table 7-13, "SAML Prerequisites for Interoperability".
Configuration instructions for the supported scenario are in the following section:
"Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client"
Table 7-13 SAML Prerequisites for Interoperability
Task | Description | More Information |
---|---|---|
1 | Create a SamlCredentialMapperV2 credential mapping provider. Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper; for example, UC2_SamlCredentialMapperV2. | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
2 | Restart WebLogic Server. | -- |
3 | Configure the credential mapper as follows (leave other values set to the defaults): | -- |
4 | Create and configure a SAML relying party. Configure the SAML relying party as follows (leave other values set to the defaults): Select the Enabled checkbox and click Save. | "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle WebLogic Server Administration Console Online Help |
5 | Restart WebLogic Server. | -- |
The following instructions tell how to configure an OWSM 12c web service and an Oracle Service Bus 10g client to implement the SAML or username token over SSL policy:
Table 7-14, "Configuring the OWSM 12c Web Service"
Table 7-15, "Configuring the Oracle Service Bus 10g Client"
Both the SAML token client and the username token client are supported.
Table 7-14 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Configure the server for two-way SSL. | "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | Clone the following policy: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Use JDeveloper to create a simple SOA composite. | -- |
4 | Attach the copy of the | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 7-15 Configuring the Oracle Service Bus 10g Client
Task | Description | More Information |
---|---|---|
1 | Configure the server for two-way SSL: | "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
2 | In the Oracle Service Bus console, import the WSDL for the relying party. Make sure that there is no policy attached. (Policy assertions are not allowed on this service.) | -- |
3 | For SAML token, create a business service. | -- |
4 | For username token, create a business service. | -- |
5 | Create a proxy service, and create a route to the business service. In HTTP Transport Configuration, set Authentication to "basic". On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to present the client certificate to SOA during the two-way SSL handshake. | -- |
6 | Run the proxy service from the Oracle Service Bus console with the username and password. | -- |
This section describes how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, in the following interoperability scenarios:
OWSM 12c web service with Oracle Service Bus 10g client
Oracle Service Bus 10g web service with OWSM 12c client
For either scenario, you must first perform prerequisite tasks, as described in Table 7-16, "Configuration Prerequisites for the Oracle WebLogic Server" and Table 7-17, "Configuration Prerequisites for OWSM".
Configuration instructions for the supported scenarios are in the following sections:
"Configuring an OWSM 12c Web Service and an Oracle Service Bus 10g Client"
"Configuring an Oracle Service Bus 10g Web Service and an OWSM 12c Client"
Table 7-16 Configuration Prerequisites for the Oracle WebLogic Server
Task | Description | More Information |
---|---|---|
1 | Copy the default-keystore.jks and trust.jks files to your domain directory. The | "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
2 | Invoke the WebLogic Administration Console. | "Accessing Oracle WebLogic Administration Console" in Administering Web Services |
3 | Configure the Custom Identity and Custom Trust keystores. | "Configure keystores" in Oracle WebLogic Server Administration Console Online Help |
4 | Configure SSL. Specify the private key alias, as required. For example: | "Set up SSL" in Oracle WebLogic Server Administration Console Online Help |
5 | Configure a credential mapping provider. | "Configure Credential Mapping Providers" in Oracle WebLogic Server Administration Console Online Help |
6 | Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults): | -- |
7 | Select the Authentication tab and configure as follows: | "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
8 | Configure a token handler to specify that a client invoking a message-secured web service uses an X.509 certificate to establish its identity. In the WebLogic Administration Console, navigate to the Web Service Security page of the domain and configure the inbound and outbound messages as follows: Note: Only username token with message protection or mutual authentication with message protection is available at any given time. Once you enable mutual authentication with message protection, username authentication will fail. | -- |
9 | If the users are not added, add the Common Name (CN) user specified in the certificate. | "Create users" in Oracle WebLogic Server Administration Console Online Help. |
10 | Restart Oracle WebLogic Server. | -- |
Table 7-17 Configuration Prerequisites for OWSM
Task | Description | More Information |
---|---|---|
1 | Configure authentication. Select the Authentication tab and configure as follows: | "Configure Authentication and Identity Assertion providers" in Oracle WebLogic Server Administration Console Online Help |
2 | If the users are not added, add the Common Name (CN) user specified in the certificate. | "Create users" in Oracle WebLogic Server Administration Console Online Help |
3 | Restart Oracle WebLogic Server. | -- |
The following instructions tell how to configure an OWSM 12c web service and an Oracle Service Bus 10g client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:
Table 7-18 Configuring the OWSM 12c Web Service
Task | Description | More Information |
---|---|---|
1 | Create and deploy a SOA composite. | |
2 | Clone the following policy: Edit the policy settings, as follows: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
3 | Attach the policy to the web service. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
Table 7-19 Configuring the Oracle Service Bus 10g Client
Task | Description |
---|---|
1 | Create an Oracle Service Bus business service. |
2 | Clone the For example, copy the files to |
3 | Attach the X.509 policy shown in Example 7-2 to the Oracle Service Bus business service request. |
4 | Attach the |
5 | Edit the For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at |
6 | Edit the <wssp:Integrity SignToken="false"> Also, for SOA clients only, comment out the target for system headers, as shown in Example 7-4. |
7 | Attach the |
8 | Create a ServiceKeyProvider. |
9 | Specify Encryption Key and Digital Signature Key, as required. You must use different keys on the OWSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired. |
10 | Create a proxy service, and create a route to the business service. On the Security page, associate the Service key provider. This is needed for Oracle Service Bus to send the client certificate to SOA. |
11 | Run the proxy service from the Oracle Service Bus console. |
Example 7-2 X.509 Policy
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    s0:Id="X509Auth">
  <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
Example 7-3 myEncrypt.xml Policy
<?xml version="1.0"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="X509Encrypt">
  <wssp:Confidentiality>
    <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <wssp:Target>
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo/>
  </wssp:Confidentiality>
</wsp:Policy>
Example 7-4 Sign Policy
<?xml version="1.0"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="X509Sign">
  <wssp:Integrity SignToken="false">
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <!--wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts>
    </wssp:Target-->
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>
  <wssp:MessageAge/>
</wsp:Policy>
The following instructions tell how to configure an Oracle Service Bus 10g web service and an OWSM 12c client to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard:
Table 7-20 Configuring the Oracle Service Bus 10g Web Service
Task | Description |
---|---|
1 | Create an Oracle Service Bus proxy service. |
2 | Clone the For example, to |
3 | Attach the X.509 policy to the proxy service request, as shown in Example 7-2, "X.509 Policy". |
4 | Edit the For more information, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at |
5 | Edit the encryption algorithm in the |
6 | Attach |
7 | Create a Service Key Provider. |
<?xml version="1.0"?>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:s0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    s0:Id="X509SignRequest">
  <wssp:Integrity xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
      xmlns:wssp="http://www.bea.com/wls90/security/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <!-- wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SystemHeaders()</wssp:MessageParts>
    </wssp:Target -->
    <!-- wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts>
    </wssp:Target -->
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>
</wsp:Policy>
<?xml version="1.0"?>
<wsp:Policy
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
wsu:Id="X509Encrypt">
<wssp:Confidentiality>
<wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<wssp:Target>
<wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
</wssp:Target>
<wssp:KeyInfo/>
</wssp:Confidentiality>
</wsp:Policy>
Table 7-21 Configuring the OWSM 12c Client
Task | Description | More Information |
---|---|---|
1 | Clone the following policy: In Fusion Middleware Control, edit the policy settings, as follows: | "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager. |
2 | In Fusion Middleware Control, specify keystore.recipient.alias in the client configuration. Ensure that the certificate identified by the keystore.recipient.alias specified for the client exists as a trusted certificate entry in the trust store configured for the web service. | -- |
3 | Attach the policy to the web service client. | "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager |
4 | Invoke the web service from the client. | -- |