This chapter describes the predefined assertion templates defined for the current release. Use the predefined assertion templates to construct your own policies or clone to create new policies.
Note:
The predefined policies and assertion templates distributed with the current release are read only. You must copy the policy or assertion template before modifying it. You also have the option of configuring the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates".This chapter includes the following sections:
For a detailed description of the configuration settings in the tables, see "Assertion Template Settings for Oracle Web Services".
For a detailed description of the configuration properties listed in the tables, see "Assertion Template Configuration Properties for Oracle Web Services." For details on how to edit the configuration properties, see "Editing the Configuration Properties in an Assertion Template". For information about overriding policies, see "Overview of Policy Configuration Overrides".
The following sections describe the security assertion templates in more detail.
You can jump to a specific assertion template description using the following links (listed alphabetically):
oracle/http_spnego_token_client_template or oracle/http_spnego_token_service_template
oracle/http_saml20_token_bearer_client_template or oracle/http_saml20_token_bearer_service_template
oracle/wss_http_token_over_ssl_client_template or oracle/wss_http_token_over_ssl_service_template
oracle/wss_http_token_client_template or oracle/wss_http_token_service_template
oracle/wss_saml_token_bearer_over_ssl_client_template or oracle/wss_saml_token_bearer_over_ssl_service_template
oracle/wss_saml20_token_bearer_over_ssl_client_template or oracle/wss_saml20_token_bearer_over_ssl_service_template
oracle/wss_saml_token_over_ssl_client_template or oracle/wss_saml_token_over_ssl_service_template
oracle/wss_saml20_token_over_ssl_client_template or oracle/wss_saml20_token_over_ssl_service_template
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template or oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template
oracle/wss_username_token_over_ssl_client_template or oracle/wss_username_token_over_ssl_service_template
oracle/wss_username_token_client_template or oracle/wss_username_token_service_template
oracle/wss_username_token_over_ssl_client_template or oracle/wss_username_token_over_ssl_service_template
oracle/wss10_message_protection_client_template or oracle/wss10_message_protection_service_template
oracle/wss10_saml_token_client_template or oracle/wss10_saml_token_service_template
oracle/wss10_saml20_token_client_template or oracle/wss10_saml20_token_service_template
oracle/wss10_saml_token_with_message_protection_client_template or oracle/wss10_saml_token_with_message_protection_service_template
oracle/wss10_saml20_token_with_message_protection_client_template or oracle/wss10_saml20_token_with_message_protection_service_template
oracle/wss10_username_token_with_message_protection_client_template or oracle/wss10_username_token_with_message_protection_service_template
oracle/wss10_x509_token_with_message_protection_client_template or oracle/wss10_x509_token_with_message_protection_service_template
oracle/wss11_kerberos_token_client_template or oracle/wss11_kerberos_token_service_template
oracle/wss11_kerberos_token_with_message_protection_client_template or oracle/wss11_kerberos_token_with_message_protection_service_template
oracle/wss11_saml_token_with_message_protection_client_template or oracle/wss11_saml_token_with_message_protection_service_template
oracle/wss11_saml20_token_with_message_protection_client_template or oracle/wss11_saml20_token_with_message_protection_service_template
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template or oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template
oracle/wss11_sts_issued_saml_with_message_protection_client_template
oracle/wss11_username_token_with_message_protection_client_template or oracle/wss11_username_token_with_message_protection_service_template
oracle/wss11_x509_token_with_message_protection_client_template or oracle/wss11_x509_token_with_message_protection_service_template
Table 18-1 summarizes the assertion templates that enforce authentication only, and indicates whether the token is inserted at the transport layer or SOAP header.
Table 18-1 Authentication Only Assertion Templates
| Client Template | Service Template | Authentication Transport | Authentication SOAP | Authentication REST | Message Protection Transport | Message Protection SOAP |
|---|---|---|---|---|---|---|
|
N/A |
No |
No |
Yes |
No |
No |
|
|
No |
No |
Yes |
Yes |
No |
||
|
No |
No |
Yes |
Yes |
No |
||
|
Yes |
No |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
||
|
No |
Yes |
No |
No |
No |
Display Name: Http OAM Service Assertion Template
Category: Security
Type: http-oam-security
The http_oam_token_service_template assertion template verifies that OAM agent has authenticated the user and has established an identity. This policy can be applied to any HTTP-based endpoint.
Table 18-2 lists the settings for the http_oam_token_service_template assertion template.
Table 18-3 lists the default configuration properties and the default settings for the http_oam_token_service_template assertion template.
Display Name: Http Saml Bearer V2.0 Token Client Assertion Template
Category: Security
Type: http-saml20-bearer-security
The http_saml20_token_bearer_client_template assertion template includes SAML 2.0 tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table 18-4 lists the settings for the http_saml20_token_bearer_client_template assertion template.
Table 18-5 lists the configuration properties and the default settings for the http_saml20_token_bearer_client_template assertion template.
Display Name: Http Saml Bearer V2.0 Token Service Assertion Template
Category: Security
Type: http-saml20-bearer-security
The http_saml20_token_bearer_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
The settings for the http_saml20_token_bearer_service_template assertion template are identical to the client version of the assertion template. See Table 18-4 for information about the settings.
Table 18-56 lists the configuration properties and the default settings for the http_saml20_token_bearer_service_template assertion template.
Display Name: SPNEGO Token Client Assertion Template
Category: Security
Type: http-spnego-security
The http_spnego_token_client_template assertion template provides authentication using a Kerberos token and the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) protocol.
Table 18-7 lists the settings for the http_spnego_token_client_template assertion template.
Table 18-8 lists the configuration properties and the default settings for the http_spnego_token_client_template assertion template.
Display Name: SPNEGO Token Service Assertion Template
Category: Security
Type: http-spnego-security
The http_spnego_token_service_template assertion template provides authentication using a Kerberos token and the SPNEGO protocol.
The settings for the http_spnego_token_service_template assertion template are identical to the client version of the assertion template. See Table 18-7 for information about the settings.
Table 18-9 lists the configuration properties and the default settings for the http_spnego_token_service_template assertion template.
Display Name: Wss HTTP Token client Assertion Template
Category: Security
Type: http-security
The wss_http_token_client_template assertion template includes username and password credentials in the HTTP header. You can control whether one-way or two-way authentication is required.
Table 18-10 lists the settings for the wss_http_token_client_template assertion template.
Table 18-11 lists the configuration properties and the default settings for the wss_http_token_client_template assertion template.
Display Name: Wss HTTP Token service Assertion Template
Category: Security
Type: http-security
The wss_http_token_service_template assertion template uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. You can control whether one-way or two-way authentication is required.
The settings for the wss_http_token_service_template are identical to those for the client version of the assertion template. See Table 18-10 for information about the settings.
Table 18-12 lists the configuration properties and the default settings for the wss_http_token_service_template assertion template.
Display Name: Wss Username Token client Assertion Template
Category: Security
Type: wss-username-token
The wss_username_token_client_template assertion template includes authentication with username and password credentials in the WS-Security UsernameToken header. The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
If you do not use a digest password, policies created using this template are not secure. You should use this assertion with plain text or no password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_client_template".To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
Table 18-13 lists the settings for the wss_username_token_client_template assertion template.
Table 18-14 lists the configuration properties and the default settings for the wss_username_token_client_template assertion template.
Display Name: Wss Username Token service Assertion Template
Category: Security
Type: wss-username-token
The wss_username_token_service_template assertion template enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header. The assertion supports three types of password credentials: plain text, digest, and no password.
Note:
If you do not use a digest password, policies created using this template are not secure. You should use this assertion with plain text or no password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_service_template".To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
The settings for the wss_username_token_service_template are identical to the client version of the assertion template. See Table 18-13 for information about the settings.
Table 18-15 lists the configuration properties and the default settings for the wss_username_token_service_template assertion template.
Display Name: Wss10 SAML Token client Assertion Template
Category: Security
Type: wss10-saml-token
The wss10_saml_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.
Table 18-16 lists the settings for the wss10_saml_token_client_template assertion template.
Table 18-17 lists the configuration properties and the default settings for the wss10_saml_token_client_template assertion template.
Display Name: Wss10 SAML Token service Assertion Template
Category: Security
Type: wss10-saml-token
The wss10_saml_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
The settings for the wss10_saml_token_service_template are identical to the client version of the assertion. See Table 18-16 for information about the settings.
Table 18-18 lists the configuration properties and the default settings for the wss10_saml_token_service_template assertion template.
Display Name: Wss10 SAML V2.0 Token client Assertion Template
Category: Security
Type: wss10-saml-token
The wss10_saml20_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.
Table 18-19 lists the settings for the wss10_saml20_token_client_template assertion template.
Table 18-20 lists the configuration properties and the default settings for the wss10_saml20_token_client_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties in an Assertion Template".
For information about overriding policies, see "Overview of Policy Configuration Overrides".
Display Name: Wss10 SAML V2.0 Token service Assertion Template
Category: Security
Type: wss10-saml-token
The wss10_saml20_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
The settings for the wss10_saml20_token_service_template are similar to the client version of the assertion template. See Table 18-19 for information about the settings.
Table 18-21 lists the configuration properties and the default settings for the wss10_saml20_token_service_template assertion template. For details about the configuration property settings, see "Editing the Configuration Properties in an Assertion Template".
For information about overriding policies, see "Overview of Policy Configuration Overrides".
Display Name: Wss11 Kerberos Token client Assertion Template
Category: Security
Type: kerberos-security
The wss11_kerberos_token_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
Table 18-22 lists the settings for the wss11_kerberos_token_client_template assertion template.
Table 18-23 lists the configuration properties and the default settings for the wss11_kerberos_token_client_template assertion template.
Display Name: Wss11 Kerberos Token service Assertion Template
Category: Security
Type: kerberos-security
The wss11_kerberos_token_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
The settings for the wss11_keberos_token_service_template are identical to the client version of the assertion template. See Table 18-22 for information about the settings.
Table 18-24 lists the configuration properties and the default settings for the wss11_kerberos_token_service_template assertion template.
The http_oauth2_token_client_template assertion template is the HTTP binding level template for OAuth2 token authentication.
Table 18-25 lists the settings for the http_oauth2_token_client_template assertion template.
Table 18-25 http_oauth2_token_client_template Settings
| Name | Description | Default Value |
|---|---|---|
|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="oauth2"/> |
|
Authentication Header—Header Name |
Name of the authentication header. |
None |
|
Authentication Header—is-signed |
Flag that specifies whether the token is signed. |
<orasp:auth-header orasp:is-signed="false"/> |
|
Authentication Header— is encrypted |
Flag that specifies whether the token is encrypted. |
<orasp:auth-header orasp:is-encrypted="false"/> |
Table 18-26 lists the default configuration properties for the http_oauth2_token_client_template assertion template.
Table 18-26 http_oauth2_token_client_template Configuration Properties
| Name | Description |
|---|---|
|
audience.uri |
Audience restriction. The following conditions are supported:
Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="audience.uri" orawsp:type="string"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> |
|
authz.code |
Optional property for passing the authorization code for the 3-legged OAuth2 use case. (Not supported in this release.) Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="authz.code" orawsp:type="string"> <orawsp:Value/> |
|
csf-key |
Credential store key that maps to a user name and password in the Oracle Platform Security Services (OPSS) identity store. Default setting: <orawsp:Property orawsp:type="string" orawsp:contentType="optional" orawsp:name="csf-key"> <orawsp:Value/> |
|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> You can override the default, domain-level Oracle WSM map, by specifying an application-level map name as a <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> <orawsp:Value>app-level-mapname.map</orawsp:Value> </orawsp:Property> Accessing an application-level map also requires granting credential access and identity permission to the |
|
federated.client.token |
Optional property which, by default, specifies that a JWT token is generated for the client using the values of the oauth2.client.csf.key and keystore.sig.csf.key properties. If set to false, oauth2.client.csf.key is used to generate an Authorization header sent in the client request to the OAuth server. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="federated.client.token" orawsp:type="boolean"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> |
|
include.certificate |
When true, the signature certificate and the trusted certificate chain (for CA-issued certificates) are included in JWT token claim. This increases the size of the JWT token, but you do not need to then import the certificate and certificate chain into the service side keystore. When false, only the thumbprint and alias of the certificate are included in the JWT token. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="include.certificate" orawsp:type="string"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> </orawsp:Property> |
|
issuer.name |
Optional property that specifies the issuer name used for the locally-generated JWT token (iss:claim). By default it is www.oracle.com. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="issuer.name" orawsp:type="string"> <orawsp:Value/> <orawsp:DefaultValue>www.oracle.com</orawsp:DefaultValue> |
|
keystore.sig.csf.key |
Optional property that specifies the tenant key from the Oracle WSM keystore for signing the locally-created JWT token. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"> <orawsp:Value/> |
|
oauth2.client.csf.key |
Required property that specifies the key to use to obtain the client username and password. The value of oauth2.client.csf.key must match the client ID and secret expected by the client profile, as described in "Understanding OAuth Client Profiles Configuration" in Administrator's Guide for Oracle Access Manager with Oracle Security Token Service. If If you override oauth2.client.csf.key, that value is used. Otherwise, the value of oauth2.client.csf.key in oauth2_config_client_policy is used. Default setting: <orawsp:Property orawsp:type="string" orawsp:contentType="required" orawsp:name="oauth2.client.csf.key"> <orawsp:Value/> <orawsp:DefaultValue>NONE</orawsp:DefaultValue> </orawsp:Property> |
|
oracle.oauth2.service |
Optional property that specifies how the default behavior of token issuer and scope are determined. When true, the client ID is used as the issuer of the user and client JWT token for the OAuth2 server. In this case, the value for When false, the issuer is determined by |
|
propagate.identity.context |
Optional property that specifies whether the identity context information is propagated as claims in the JWT token. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"> <orawsp:Value/> |
|
redirect.uri |
Optional property that specifies the redirect URIs that the OAuth server will use to redirect the user-agent to the client once access is granted or denied. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="redirect.uri" orawsp:type="string"> <orawsp:Value/> |
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
|
scope |
Optional property that specifies the scope (as-is) of the OAuth2 request. If present, the scope is included in the OAuth2 token request with the value. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="scope" orawsp:type="string"> <orawsp:Value/> The scope depends on the value of the
|
|
subject.precedence |
Property that specifies the location from which the subject used to create the JWT token should be obtained. As described in Table 10-2, "User Credential, Subject, and Access Token":
Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
|
time.in.millis |
Support standard NumericDate (seconds after Epoch as unit for values in exp (Expiry) and iat (Issued AT) claims in JWT token. If true, then milliseconds after Epoch is used. Otherwise, seconds after Epoch is used. Default setting: <orawsp:Property orawsp:type="boolean" orawsp:contentType="optional" orawsp:name="time.in.millis"> <orawsp:Value/> <orawsp:DefaultValue>true</orawsp:DefaultValue> </orawsp:Property> |
|
user.attributes |
Optional property that specifies whether user attributes are inserted as claims in JWT token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token. Requires that the Subject is available and A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion"for more information. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.attributes" orawsp:type="string"> <orawsp:Value/> |
|
user.roles.include |
Optional property that specifies whether the user roles from the subject are included in the JWT token as claims. If set to true, the authenticated user roles are included in the JWT token as private claims. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="boolean"> <orawsp:Value/> <orawsp:DefaultValue>false</orawsp:DefaultValue> |
|
user.tenant.name |
Reserved for internal use. |
This oracle/http_jwt_token_service_template authenticates users using the credentials provided in the JWT token in the HTTP header.
The settings for the http_jwt_token_service_template assertion template are identical to the client version of the assertion template. See Table 18-32 for information about the settings.
Table 18-27 lists the configuration properties and the default settings for the http_jwt_token_service_template assertion template.
Table 18-27 http_jwt_token_service_template Configuration Properties
| Name | Default Values |
|---|---|
|
trusted.issuers |
A comma-separated list of trusted issuers for an application that will override the trusted issuers defined at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.trusted.issuers" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
|
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
|
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
The http_oauth2_token_over_ssl_client_template assertion template is the HTTP binding level template for OAuth2 token authentication. This template is same as http_oauth2_token_client_template, except that the AT is propagated over 1-way SSL to the resource.
Table 18-28 lists the settings for the http_oauth2_token_over_ssl_client_template assertion template.
Table 18-28 http_oauth2_token_over_ssl_client_template Settings
| Name | Description | Default Value |
|---|---|---|
|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="oauth2"/> |
|
Authentication Header—Header Name |
Name of the authentication header. |
None |
|
Authentication Header—is-signed |
Flag that specifies whether the token is signed. |
<orasp:auth-header orasp:is-signed="false"/> |
|
Authentication Header— is encrypted |
Flag that specifies whether the token is encrypted. |
<orasp:auth-header orasp:is-encrypted="false"/> |
|
Transport Security |
Flag that specifies whether SSL is enabled. |
<orasp:auth-header orasp:require-tls/> |
|
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
<orasp:auth-header orasp:mutual-auth="false"/> |
|
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
<orasp:auth-header orasp:include-timestamp="false"/> |
The settings for the http_oauth2_token_over_ssl_client_template assertion template are identical to the non-SSL version of the assertion template. See Table 18-25 for information about the settings.
The oracle/http_jwt_token_over_ssl_service_template authenticates users using the username provided in the JWT token in the HTTP header.
The settings for the http_jwt_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-34 for information about the settings.
Table 18-29 lists the configuration properties and the default settings for the http_jwt_token_over_ssl_service_template assertion template.
Table 18-29 http_jwt_token_over_ssl_service_template Configuration Properties
| Name | Default Values |
|---|---|
|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
|
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
|
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
|
trusted.issuers |
A comma-separated list of trusted issuers for an application that will override the trusted issuers defined at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.trusted.issuers" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
The oauth2_config_client_template assertion template provides OAuth2 information that is used to invoke the OAuth2 server for obtaining an access token.
Table 18-30 lists the settings for the oauth2_config_client_template assertion template.
Table 18-30 oauth2_config_client_template Settings
| Name | Description | Default Value |
|---|---|---|
|
token-uri |
Required property that specifies the token endpoint of the OAuth2 server. |
orasp:token-uri="http://host:port/tokens" |
Table 18-31 lists the default configuration properties for the oauth2_config_client_template assertion template.
Table 18-31 oauth2_config_client_template Configuration Properties
| Name | Description |
|---|---|
|
oauth2.client.csf.key |
Required property that specifies the key to use to obtain the client username and password. The value of oauth2.client.csf.key must match the client ID and secret expected by the client profile, as described in "Understanding OAuth Client Profiles Configuration" in Administrator's Guide for Oracle Access Manager with Oracle Security Token Service. Default setting: <orawsp:Property orawsp:type="string" orawsp:contentType="required"\ orawsp:name="oauth2.client.csf.key"> <orawsp:Value/> <orawsp:DefaultValue>basic.client.credentials</orawsp:DefaultValue> </orawsp:Property> |
|
role |
SOAP role. Default setting:
<orawsp:Property orawsp:contentType="constant"
orawsp:name="role" orawsp:type="string">
<orawsp:DefaultValue>
ultimateReceiver
</orawsp:DefaultValue>
</orawsp:Property>
|
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
|
token.uri |
Optional property to override the token-uri value. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="token.uri" orawsp:type="string"><orawsp:Value/><orawsp:DefaultValue>http://host:port/tokens </orawsp:DefaultValue></orawsp:Property> |
The http_jwt_token_client_template assertion template includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declarative through the policy. A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property.
Table 18-32 lists the settings for the http_jwt_token_client_template assertion template.
Table 18-32 http_jwt_token_client_template Settings
| Name | Description | Default Value |
|---|---|---|
|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="jwt"/> |
|
Authentication Header—Header Name |
Name of the authentication header. |
None |
|
Authentication Header—algorithm-suite |
Algorithm suite used to sign the JWT token. |
<orasp:auth-header orasp:algorithm-suite="Basic256Sha256"/" |
|
Authentication Header—is-signed |
Flag that specifies whether the JWT token is signed. The only valid value for JWT policies is: |
<orasp:auth-header orasp:is-signed="true"/> |
|
Authentication Header— is encrypted |
Flag that specifies whether the JWT token is encrypted. |
<orasp:auth-header orasp:is-encrypted="false"/> |
Table 18-33 lists the configuration properties and the default settings for the http_jwt_token_client_template assertion template.
Table 18-33 http_jwt_token_client_template Configuration Properties
| Name | Default Values |
|---|---|
|
audience.uri |
Audience restriction. The following conditions are supported:
Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="audience.uri" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf-key" orawsp:type="string"> <orawsp:Value>basic.credentials</orawsp:Value> </orawsp:Property> |
|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
|
issuer.name |
Name of the JWT issuer. The default value is www.oracle.com. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="issuer.name" orawsp:type="string"> <orawsp:Value>www.oracle.com</orawsp:Value> </orawsp:Property> |
|
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
|
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
|
subject.precedence |
Property that specifies the location from which the subject used to create the JWT token should be obtained. If Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
|
user.attributes |
List of user attributes for the authenticated user to be included in the JWT token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token. Requires that the Subject is available and A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.attributes" orawsp:type="string"/> |
|
user.roles.include |
User roles to be included in the JWT token. If set to Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string"> <orawsp:Value>false</orawsp:Value> </orawsp:Property> |
The http_jwt_token_over_ssl_client_template assertion template includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declarative through the policy. A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property.
Table 18-34 lists the settings for the http_jwt_token_over_ssl_client_template assertion template.
Table 18-34 http_jwt_token_over_ssl_client_template Settings
| Name | Description | Default Value |
|---|---|---|
|
Authentication Header—Mechanism |
Authentication mechanism. Valid values include:
|
<orasp:auth-header orasp:mechanism="jwt"/> |
|
Authentication Header—Header Name |
Name of the authentication header. |
None |
|
Authentication Header—algorithm-suite |
Flag that specifies the algorithm suite used to sign the JWT token. |
<orasp:auth-header orasp:algorithm-suite="Basic256Sha256"/" |
|
Authentication Header—is-signed |
Flag that specifies whether the JWT token is signed. The only valid value for JWT policies is: |
<orasp:auth-header orasp:is-signed="true"/> |
|
Authentication Header— is encrypted |
Flag that specifies whether the JWT token is encrypted. |
<orasp:auth-header orasp:is-encrypted="false"/> |
|
Transport Security |
Flag that specifies whether SSL is enabled. |
<orasp:auth-header orasp:require-tls/> |
|
Transport Security—Mutual Authentication Required |
Flag that specifies whether two-way authentication is required. Valid values include:
|
<orasp:auth-header orasp:mutual-auth="false"/> |
|
Transport Security—Include Timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
<orasp:auth-header orasp:include-timestamp="false"/> |
Table 18-35 lists the configuration properties and the default settings for the http_jwt_token_over_ssl_client_template assertion template.
Table 18-35 http_jwt_token_over_ssl_client_template Configuration Properties
| Name | Default Values |
|---|---|
|
audience.uri |
Audience restriction. The following conditions are supported:
Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="audience.uri" orawsp:type="string"> <orawsp:Value/> </orawsp:Property> |
|
csf.map |
Oracle WSM map in the credential store that contains the CSF aliases. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf.map" orawsp:type="string"/> |
|
csf-key |
Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="csf-key" orawsp:type="string"> <orawsp:Value>basic.credentials</orawsp:Value> </orawsp:Property> |
|
issuer.name |
Name of the JWT issuer. The default value is www.oracle.com. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="issuer.name" orawsp:type="string"> <orawsp:Value>www.oracle.com</orawsp:Value> </orawsp:Property> |
|
keystore.sig.csf.key |
The alias and password used for storing the signature key password in the keystore. If specified, the key corresponding to this csf-key is fetched from the keystore and used for signing. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.sig.csf.key" orawsp:type="string"/> |
|
propagate.identity.context |
Propagates the identity context from the Web service client to the Web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="propagate.identity.context" orawsp:type="string"><orawsp:Value/> |
|
reference.priority |
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope. The value of reference.priority can be any number between(-231) and (231 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1. For more information, see "Specifying the Priority of a Policy Attachment". Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="reference.priority" orawsp:type="string"/> |
|
subject.precedence |
Property that specifies the location from which the subject used to create the JWT token should be obtained. If Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="subject.precedence" orawsp:type="string"> <orawsp:Value>true</orawsp:Value> </orawsp:Property> |
|
user.attributes |
List of user attributes for the authenticated user to be included in the JWT token. Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The Oracle WSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the JWT token. Requires that the Subject is available and A client policy reads the values of the attributes specified using The If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information. Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.attributes" orawsp:type="string"/> |
|
user.roles.include |
User roles to be included in the JWT token. If set to Default setting: <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string"> <orawsp:Value>false</orawsp:Value> </orawsp:Property> |
|
user.tenant.name |
Reserved for use internal use. |
Table 18-36 summarizes the assertion templates that enforce message protection only, and indicates whether the token is inserted at the transport layer or SOAP header.
Table 18-36 Message-Protection Only Assertion Templates
| Client Template | Service Template | Authentication Transport | Authentication SOAP | Message Protection Transport | Message Protection SOAP |
|---|---|---|---|---|---|
|
No |
No |
No |
Yes |
||
|
No |
No |
No |
Yes |
Display Name: Wss10 Message Protection client Assertion Template
Category: Security
Type: wss10-anonymous-with-certificates
The wss10_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
Table 18-37 lists the settings for the wss10_message_protection_client_template assertion template.
Table 18-37 wss10_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
X509 Token |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation versions 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-38 lists the configuration properties and the default settings for the wss10_message_protection_client_template assertion template.
Display Name: Wss10 Message Protection service Assertion Template
Category: Security
Type: wss10-anonymous-with-certificates
The wss10_message_protection_service_template assertion template provides message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The settings for the wss10_message_protection_service_template are identical to the client version of the assertion template. See Table 18-37 for information about the settings.
Table 18-39 lists the configuration properties and the default settings for the wss10_message_protection_service_template assertion template.
Display Name: Wss11 Message Protection client Assertion Template
Category: Security
Type: wss11-anonymous-with-certificates
The wss11_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
Table 18-40 lists the settings for the wss11_message_protection_client_template assertion template.
Table 18-40 wss11_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
X509 Token |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-41 lists the configuration properties and the default settings for the wss11_message_protection_client_template assertion template.
Display Name: Wss11 Message Protection service Assertion Template
Category: Security
Type: wss11-anonymous-with-certificates
The wss11_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
The settings for the wss11_message_protection_service_template are identical to the client version of the assertion template. See Table 18-40 for information about the settings.
Table 18-42 lists the configuration properties and the default settings for the wss11_message_protection_service_template assertion template.
Table 18-43 summarizes the assertion templates that enforce both message protection and authentication, and indicates whether the token is inserted at the transport layer or SOAP header.
Table 18-43 Message Protection and Authentication Assertion Templates
Display Name: Wss HTTP Token Over SSL client Assertion Template
Category: Security
Type: http-security
The wss_http_token_over_ssl_client_template assertion template includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. This policy verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. This policy can be applied to any HTTP-based client.
Table 18-44 lists the settings for the wss_http_token_over_ssl_client_template assertion template.
Table 18-45 lists the configuration properties and the default settings for the wss_http_token_over_ssl_client_template assertion template.
Display Name: Wss HTTP Token Over SSL service Assertion Template
Category: Security
Type: http-security
The wss_http_token_over_ssl_service_template assertion template extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.
The settings for the wss_http_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-44 for information about the settings.
Table 18-46 lists the configuration properties and the default settings for the wss_http_token_service_template assertion template.
Display Name: Wss SAML Bearer Token client Assertion Template
Category: Security
Type: wss11-saml-token
The wss_saml_token_bearer_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table 18-47 lists the settings for the wss_saml_token_bearer_client_template assertion template.
Table 18-48 lists the configuration properties and the default settings for the wss_saml_token_bearer_client_template assertion template.
Display Name: Wss SAML Bearer Token service Assertion Template
Category: Security
Type: wss11-saml-token
The wss_saml_token_bearer_service_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table 18-47 lists the settings for the wss_saml_token_bearer_service_template assertion template.
Table 18-52 lists the configuration properties and the default settings for the wss_saml_token_bearer_service_template assertion template.
Display Name: Wss SAML Token (Confirmation method as bearer) Over SSL client Assertion Template
Category: Security
Type: wss-saml-token-bearer-over-ssl
The wss_saml_token_bearer_over_ssl_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table 18-51 lists the settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.
Table 18-51 wss_saml_token_bearer_over_ssl_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
unspecified |
|
|
Transport Layer Security |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
|
|
None |
|
|
|
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
Table 18-52 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.
Table 18-52 wss_saml_token_bearer_over_ssl_client_template Configuration Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
Display Name: Wss SAML Token (Confirmation method as bearer) Over SSL service Assertion Template
Category: Security
Type: wss-saml-token-bearer-over-ssl
The wss_saml_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
The settings for the wss_saml_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-51 for information about the settings.
Table 18-53 lists the configuration properties and the default settings for the wss_saml_token_bearer_over_ssl_service_template assertion template.
Display Name: Wss SAML V2.0 Token (Confirmation method as bearer) Over SSL client Assertion Template
Category: Security
Type: wss-saml-token-bearer-over-ssl
The wss_saml20_token_bearer_over_ssl_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.
Table 18-54 lists the settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.
Table 18-54 wss_saml20_token_bearer_over_ssl_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
unspecified |
|
|
Transport Layer Security |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
|
|
None |
|
|
|
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
Table 18-55 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_client_template assertion template.
Display Name: Wss SAML V2.0 Token (Confirmation method as bearer) Over SSL service Assertion Template
Category: Security
Type: wss-saml-token-bearer-over-ssl
The wss_saml20_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
The settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-54 for information about the settings.
Table 18-56 lists the configuration properties and the default settings for the wss_saml20_token_bearer_over_ssl_service_template assertion template.
Display Name: Wss SAML Token Over SSL client Assertion Template
Category: Security
Type: wss-saml-token-over-ssl
The wss_saml_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
Table 18-57 lists the settings for the wss_saml_token_over_ssl_client_template assertion template.
Table 18-57 wss_saml_token_over_ssl_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
|
|
|
Transport Layer Security |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
None |
|
|
|
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
Table 18-58 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_client_template assertion template.
Display Name: Wss SAML Token Over SSL service Assertion Template
Category: Security
Type: wss-saml-token-over-ssl
The wss_saml_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
The settings for the wss_saml_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-57 for information about the settings.
Table 18-59 lists the configuration properties and the default settings for the wss_saml_token_over_ssl_service_template assertion template.
Display Name: Wss SAML V2.0 Token Over SSL client Assertion Template
Category: Security
Type: wss-saml-token-over-ssl
The wss_saml20_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
Table 18-60 lists the settings for the wss_saml20_token_over_ssl_client_template assertion template.
Table 18-60 wss_saml20_token_over_ssl_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
unspecified |
|
|
Transport Layer Security |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
None |
|
|
|
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
Table 18-61 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_client_template assertion template.
Display Name: Wss SAML V2.0 Token Over SSL service Assertion Template
Category: Security
Type: wss-saml-token-over-ssl
The wss_saml20_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.
The settings for the wss_saml20_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-60 for information about the settings.
Table 18-62 lists the configuration properties and the default settings for the wss_saml20_token_over_ssl_service_template assertion template.
Display Name: Wss Username Token Over SSL client Assertion Template
Category: Security
Type: wss-username-token-over-ssl
The wss_username_token_over_ssl_client_template assertion template includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The assertion supports three types of password credentials: plain text, digest, and no password.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
Table 18-63 lists the settings for the wss_username_token_over_ssl_client_template assertion template.
Table 18-63 wss_username_token_over_ssl_client_template Settings
| Name | Default Value |
|---|---|
|
Username Token |
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Transport Layer Security |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
|
|
None |
|
|
|
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
Table 18-64 lists the configuration properties and the default settings for the wss_username_token_over_ssl_client_template assertion template.
Display Name: Wss Username Token Over SSL service Assertion Template
Category: Security
Type: wss-username-token-over-ssl
The wss_username_token_over_ssl_service_template assertion template uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The assertion supports three types of password credentials: plain text, digest, and no password.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.
The settings for the wss_username_token_over_ssl_service_template assertion template are identical to the client version of the assertion template. See Table 18-63 for information about the settings.
Table 18-65 lists the configuration properties and the default settings for the wss_username_token_over_ssl_service_template assertion template.
Display Name: Wss10 SAML Holder-Of-Key Token with Message Protection client Assertion Template
Category: Security
Type: wss10-saml-hok-with-certificates
The wss10_saml_hok_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
Table 18-66 lists the settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.
Table 18-66 wss10_saml_hok_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
unspecified |
|
|
X509 Token |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-67 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_client_template assertion template.
Display Name: Wss10 SAML Holder-Of-Key Token with Message Protection service Assertion Template
Category: Security
Type: wss10-saml-hok-with-certificates
The wss10_saml_hok_token_with_message_protection_service_template assertion template enforces message-level protection and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The settings for the wss10_saml_hok_token_with_message_protection_service_template are identical to those for the client version of the assertion template. See Table 18-66 for information about the settings.
Table 18-68 lists the configuration properties and the default settings for the wss10_saml_hok_token_with_message_protection_service_template assertion template.
Display Name: Wss10 SAML Token with Message Protection client Assertion Template
Category: Security
Type: wss10-saml-with-certificates
The wss10_saml_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
Table 18-69 lists the settings for the wss10_saml_token_with_message_protection_client_template assertion template.
Table 18-69 wss10_saml_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
unspecified |
|
|
X509 Token |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-70 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_client_template assertion template.
Table 18-70 wss10_saml_token_with_message_protection_client_template Configuration Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
|
Required |
|
|
|
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
Display Name: Wss10 SAML Token with Message Protection service Assertion Template
Category: Security
Type: wss10-saml-with-certificates
The wss10_saml_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
The settings for the wss10_saml_token_with_message_protection_service_template are identical to those for client version of the assertion template. See Table 18-69 for information about the settings.
Table 18-71 lists the configuration properties and the default settings for the wss10_saml_token_with_message_protection_service_template assertion template.
Display Name: Wss10 SAML V2.0 Token with Message Protection client Assertion Template
Category: Security
Type: wss10-saml-with-certificates
The wss10_saml20_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
Table 18-72 lists the settings for the wss10_saml20_token_with_message_protection_client_template assertion template.
Table 18-72 wss10_saml20_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
unspecified |
|
|
X509 Token |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-73 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_client_template assertion template.
Table 18-73 wss10_saml20_token_with_message_protection_client_template Configuration Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
|
Required |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
Display Name: Wss10 SAML V2.0 Token with Message Protection service Assertion Template
Category: Security
Type: wss10-saml-with-certificates
The wss10_saml20_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the web service provider.
The settings for the wss10_saml20_token_with_message_protection_service_template are similar to those of the client version of the assertion template. See Table 18-72 for information about the settings.
Table 18-74 lists the configuration properties and the default settings for the wss10_saml20_token_with_message_protection_service_template assertion template.
Display Name: Wss10 Username Token with Message Protection client Assertion Template
Category: Security
Type: wss10-username-with-certificates
The wss10_username_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials are included in the WS-Security UsernameToken header in the outbound SOAP message.
The assertion supports three types of password credentials: plain text, digest, and no password.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
Table 18-75 lists the settings for the wss10_username_token_with_message_protection_client_template assertion template.
Table 18-75 wss10_username_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
Username Token |
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
X509 Token |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-76 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_client_template assertion template.
Display Name: Wss10 Username Token with Message Protection service Assertion Template
Category: Security
Type: wss10-username-with-certificates
The wss10_username_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The assertion supports three types of password credentials: plain text, digest, and no password.
To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The web service provider decrypts the message, and verifies and authenticates the signature.
The settings for the wss10_username_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table 18-75 for information about the settings.
Table 18-77 lists the configuration properties and the default settings for the wss10_username_token_with_message_protection_service_template assertion template.
Display Name: Wss10 X509 Token with Message Protection client Assertion Template
Category: Security
Type: wss10-mutual-auth-with-certificates
The wss10_x509_token_with_message_protection_client template assertion template provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
Table 18-78 lists the settings for the wss10_x509_token_with_message_protection_client template assertion template.
Table 18-78 wss10_x509_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
X509 Token |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-79 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_client_template assertion template.
Display Name: Wss10 X509 Token with Message Protection service Assertion Template
Category: Security
Type: wss10-mutual-auth-with-certificates
The wss10_x509_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
The settings for the wss10_x509_token_with_message_protection_service_template assertion template are identical to the client version of the assertion template. See Table 18-78 for information about the settings.
Table 18-80 lists the configuration properties and the default settings for the wss10_x509_token_with_message_protection_service_template assertion template.
Display Name: Wss11 Kerberos Token Over SSL Client Assertion Template
Category: Security
Type: wss11-kerberos-over-ssl-security
The wss11_kerberos_token_over_ssl_client_template assertion template includes a Kerberos token in the WS-Security SOAP header in accordance with the WS-Security Kerberos Token Profile v1.1 standard. The Kerberos token is advertised as an EndorsingSupportingToken, and is used only for authentication and for signing the timestamp. Message protection is provided by SSL.
Table 18-81 lists the settings for the wss11_kerberos_token_over_ssl_client_template assertion template.
Table 18-82 lists the configuration properties and the default settings for the wss11_kerberos_token_over_ssl_client_template assertion template.
Display Name: Wss11 Kerberos Token Over SSL Service Assertion Template
Category: Security
Type: wss11-kerberos-over-ssl-security
The wss11_kerberos_token_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services. The Kerberos token is advertised as an EndorsingSupportingToken, and is used only for authentication and for signing the timestamp. Message protection is provided by SSL.
The settings for the wss11_kerberos_token_over_ssl_service_template are identical to the client version of the assertion template. See Table 18-81 for information about the settings.
Table 18-83 lists the configuration properties and the default settings for the wss11_kerberos_token_over_ssl_service_template assertion template.
Display Name: Wss11 Kerberos Token with message protection client Assertion Template
Category: Security
Type: kerberos-security
The wss11_kerberos_token_with_message_protection_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
Table 18-84 lists the settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.
Table 18-84 wss11_kerberos_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
Kerberos Token Type |
|
|
|
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-85 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.
Display Name: Wss11 Kerberos Token service with message protection Assertion Template
Category: Security
Type: kerberos-security
The wss11_kerberos_token_with_message_protection_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.
The settings for the wss11_keberos_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 18-84 for information about the settings.
Table 18-86 lists the configuration properties and the default settings for the wss11_kerberos_token_with_message_protection_service_template assertion template.
Display Name: Wss11 SAML Token with Message Protection client Assertion Template
Category: Security
Type: wss11-saml-with-certificates
The wss11_saml_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
Table 18-87 lists the settings for the wss11_saml_token_with_message_protection_client_template assertion template.
Table 18-87 wss11_saml_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
unspecified |
|
|
X509 Token |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-88 lists the configuration properties and the default settings for the wss11_saml_token_with_message_protection_client_template assertion template.
Table 18-88 wss11_saml_token_with_message_protection_client_template Configuration Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
|
Optional |
|
|
|
Constant |
|
|
|
Required |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
Display Name: Wss11 SAML Token with Message Protection service Assertion Template
Category: Security
Type: wss11-saml-with-certificates
The wss11_saml_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
The settings for the wss11_saml_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 18-87 for information about the settings.
Table 18-89 lists the configuration properties and the default settings for the wss11_saml_token__with_message_protection_service_template assertion template.
Display Name: Wss11 SAML V2.0 Token with Message Protection client Assertion Template
Category: Security
Type: wss11-saml-with-certificates
The wss11_saml20_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.
Table 18-90 lists the settings for the wss11_saml20_token_with_message_protection_client_template assertion template.
Table 18-90 wss11_saml20_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
SAML Token Type |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
unspecified |
|
|
X509 Token |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-91 lists the configuration properties and the default settings for the wss11_saml20_token_with_message_protection_client_template assertion template.
Table 18-91 wss11_saml20_token_with_message_protection_client_template Configuration Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
|
Optional |
|
|
|
Constant |
|
|
|
Required |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
Display Name: Wss11 SAML V2.0 Token with Message Protection service Assertion Template
Category: Security
Type: wss11-saml-with-certificates
The wss11_saml20_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.
The settings for the wss11_saml_token_with_message_protection_service_template are similar to the client version of the assertion template. See Table 18-90 for information about the settings.
Table 18-92 lists the configuration properties and the default settings for the wss11_saml20_token__with_message_protection_service_template assertion template.
Display Name: Wss11 Username Token with Message Protection client Assertion Template
Category: Security
Type: wss11-username-with-certificates
The ws11_username_token_with_message_protection_client_template assertion template includes authentication and message protection in accordance with the WS-Security v1.1 standard.
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature.
To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
Table 18-93 lists the settings for the wss11_username_token_with_message_protection_client_template assertion template.
Table 18-93 wss11_username_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
Username Token |
|
|
|
|
|
Disabled |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
X509 Token |
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-94 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_client_template assertion template.
Display Name: Wss11 Username Token with Message Protection service Assertion Template
Category: Security
Type: wss11-username-with-certificates
The ws11_username_token_with_message_protection_service_template assertion template enforces authentication and message protection in accordance with the WS-Security v1.1 standard.
The web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The web service provider decrypts and verifies the message and the signature. To prevent replay attacks, the assertion provides the option to include time stamps and verification by the web service provider. The message can be protected with ciphers of different strengths.
The settings for the wss11_username_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 18-93 for information about the settings.
Table 18-95 lists the configuration properties and the default settings for the wss11_username_token_with_message_protection_service_template assertion template.
Display Name: Wss11 X509 Token with Message Protection client Assertion Template
Category: Security
Type: wss11-mutual-auth-with-certificates
The wss11_x509_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Credentials are included in the WS-Security binary security token of the SOAP message.
Table 18-96 lists the settings for the wss11_x509_token_with_message_protection_client_template assertion template.
Table 18-96 wss11_x509_token_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
X509 Token |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-97 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_client_template assertion template.
Display Name: Wss11 X509 Token with Message Protection service Assertion Template
Category: Security
Type: wss11-mutual-auth-with-certificates
The wss11_x509_token_with_message_protection_service_template assertion template enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. The certificate is extracted from the WS-Security binary security token header, and the credentials in the certificate are validated against the Oracle Platform Security Services identity store.
The settings for the wss11_x509_token_with_message_protection_service_template are identical to the client version of the assertion template. See Table 18-96 for information about the settings.
Table 18-98 lists the configuration properties and the default settings for the wss11_x509_token_with_message_protection_service_template assertion template.
Table 18-99 summarizes the assertion templates that are used for OES integration.
Table 18-99 OES Integration Templates
| Service Template | Description |
|---|---|
|
Sets authorization based on the policy defined in Oracle Entitlements Server (OES). |
|
|
Does response masking based on a policy defined in Oracle Entitlements Server (OES). |
|
|
Sets authorization based on the policy defined in Oracle Entitlements Server (OES). This template is used for fine-grained authorization on SCA component. |
Display Name: Binding OES Authorization Assertion Template
Category: Security
Type: oes-authorization
The binding_oes_authorization_template assertion template sets authorization based on the policy defined in Oracle Entitlements Server (OES). Authorization is based on attributes, the current authenticated subject, and the web service action invoked by the client. This template is used for fine-grained authorization on any operation on a web service. Policies based on this template should follow an authentication policy where the subject is established. Policies based on this template can be attached to any SOAP endpoint.
Table 18-100 lists the settings for the binding_oes_authorization_template assertion template.
Table 18-100 binding_oes_authorization_template Settings
| Name | Default Value |
|---|---|
|
OES Based Authorization |
|
|
Guard (see Permissions) |
|
|
* |
|
|
None |
|
|
* |
Table 18-101 lists the configuration properties and the default settings for the binding_oes_authorization_template assertion template.
Display Name: Response masking using Oracle Entitlements Server.
Category: Security
Type: oes-masking
The binding_oes_masking_template assertion template does response masking based on the policy defined in OES. Masking is based on attributes, the current authenticated subject, and the web service action invoked by the client. This template is used for fine-grained masking on any operation of a web service.
Table 18-100 lists the settings for the binding_oes_masking_template assertion template.
Table 18-101 lists the configuration properties and the default settings for the binding_oes_masking_template assertion template.
Display Name: Component OES Authorization Assertion Template
Category: Security
Type: oes-authorization
The component_oes_authorization_template assertion template does user authorization based on a policy defined in Oracle Entitlements Server (OES). Authorization is based on attributes, the current authenticated subject and the web service action invoked by the client. This template is used for fine-grained authorization on a SCA component.
Table 18-100 lists the settings for the component_oes_authorization_template assertion template.
Table 18-101 lists the configuration properties and the default settings for the component_oes_authorization_template assertion template.
Table 18-102 summarizes the assertion template that is used for PII security.
Table 18-102 Pii Assertion Template
| Template | Description |
|---|---|
|
Provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. |
Display Name: PII Security Assertion Template
Category: Security
Type: pii-security
The pii_security_template assertion template secures personally identifiable information (PII) using encryption. PIIs are identified by XPath configuration.
Note:
This assertion template applies to SOA and JCA adapters only.Table 18-103 lists the settings for the pii_security_template assertion template.
Table 18-104 lists the configuration properties and the default settings for the pii_security_template assertion template.
Table 18-105 summarizes the WS-Trust assertion templates.
In this release, you can use Fusion Middleware Control to directly edit the assertion template text, but the Settings and Configuration pages are not available.
Table 18-105 WS-Trust Assertion Templates
| Name | Description |
|---|---|
|
STS configuration information assertion template that is used to invoke STS for token exchange. |
|
|
STS configuration information assertion template that is used to invoke STS for token exchange. |
|
|
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template |
SOAP binding-level client assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection. |
|
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template |
SOAP binding-level service assertion template for issued token SAML authentication (confirmation method bearer), with SSL message protection. |
|
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template |
WS-Security 1.1 issued token SAML HOK token with certificates client assertion template. Provides authentication and message protection using Basic128. |
|
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template |
WS-Security 1.1 issued token SAML HOK token with certificates service assertion template. Provides authentication and message protection using Basic128. |
|
oracle/wss11_sts_issued_saml_with_message_protection_client_template |
WS-Security 1.1 issued token SAML sender voucher with certificates. Provides authentication and message protection using Basic128. |
Display Name: Trust Configuration Client Assertion Template
Category: Security
Type: sts-trust-config
STS Configuration information, provided on the client side, that is used to invoke STS for token exchange.
Table 18-106 lists the settings for the oracle/sts_trust_config_client_template assertion template.
Table 18-107 lists the configuration properties and the default settings for the oracle/sts_trust_config_client_template assertion template.
Display Name: Trust Configuration Service Assertion Template
Category: Security
Type: sts-trust-config
Minimal STS Configuration information, provided on the service side, that is used to obtain all other STS information and invoke STS for token exchange.
Table 18-108 lists the settings for the oracle/sts_trust_config_service_template assertion template.
Table 18-109 lists the configuration properties and the default settings for the oracle/sts_trust_config_service_template assertion template.
Display Name: Wss Issued Saml Bearer Token with Message Protection Client Assertion Template
Category: Security
Type: wss-sts-issued-token-over-ssl
SOAP binding level policy for Issued Token SAML authentication (confirmation method as bearer) with SSL Message Protection.
Table 18-110 lists the settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template.
Table 18-110 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Settings
| Name | Default Value |
|---|---|
|
Issued Token |
|
|
|
|
|
|
|
|
None |
|
|
Disabled |
|
|
Transport Layer Security |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
|
|
None |
|
|
|
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Disabled |
|
|
Enabled |
Table 18-111 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template assertion template.
Table 18-111 oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Required |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
Display Name: Wss Issued Saml Bearer Token with Message Protection Service Assertion Template
Category: Security
Type: wss-sts-issued-token-over-ssl
SOAP binding level policy for Issued Token SAML authentication (confirmation method as bearer) With SSL Message Protection.
The settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template are identical to the client version of the assertion template. See Table 18-110 for information about the settings.
Table 18-112 lists the configuration properties and the default settings for the oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template assertion template.
Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Client Assertion Template
Category: Security
Type: wss11-sts-issued-token-with-certificates
WS-Security 1.1 Issued Token SAML HOK with Certificates. Provides Authenticates and Message Protection using Basic128.
Table 18-113 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template.
Table 18-113 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
Issued Token |
|
|
|
|
|
|
|
|
|
|
|
Disabled |
|
|
X509 Token |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-114 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_client_template assertion template.
Table 18-114 oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
enc-csf-key |
Optional |
|
|
|
Required |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
|
Required |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
Display Name: Wss11 Issued Token with Saml Holder of Key with Message Protection Service Assertion Template
Category: Security
Type: wss11-sts-issued-token-with-certificates
WS-Security 1.1 Issued Token SAML HOK with Certificates. Provides Authenticates and Message Protection using Basic128.
Table 18-113 lists the settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template.
Table 18-115 lists the configuration properties and the default settings for the wss11_sts_issued_saml_hok_with_message_protection_service_template assertion template.
Display Name: Wss11 Issued Token Saml Sender Voucher with Message Protection Client Assertion Template
Category: Security
Type: wss11-sts-issued-token-with-certificates
WS-Security 1.1 Issued Token SAML Sender Voucher with Certificates. Provides Authenticates and Message Protection using Basic128.
Table 18-116 lists the settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template.
Table 18-116 wss11_sts_issued_saml_with_message_protection_client_template Settings
| Name | Default Value |
|---|---|
|
Issued Token |
|
|
|
|
|
None |
|
|
|
|
|
Disabled |
|
|
X509 Token |
|
|
|
|
|
|
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
|
|
Secure Conversation |
|
|
Disabled |
|
|
1.3 or 1.4. OWSM WS-SC supports both Secure Conversation version 1.3 and 1.4. Although the policy displays the 1.3 version number, you use this policy for 1.4 as well. |
|
|
Disabled |
|
|
Enabled |
|
|
Enabled |
|
|
Enabled |
|
|
Inherit from Application Setting |
|
|
Message Security |
|
|
|
|
|
Enabled |
|
|
Enabled |
|
|
Disabled |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
|
|
See Table 18-128, "Request, Response, and Fault Message Signing and Encryption Settings" |
Table 18-117 lists the configuration properties and the default settings for the wss11_sts_issued_saml_with_message_protection_client_template assertion template.
Table 18-117 oracle/wss11_sts_issued_saml_with_message_protection_client_template Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Required |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
|
|
|
Optional |
|
|
None |
Optional |
Table 18-118 summarizes assertion templates that are used for authorization. Each authorization assertion template must follow an authentication assertion template.
Table 18-118 Authorization Assertion Templates
| Service Template | Description |
|---|---|
|
Provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. |
|
|
Provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level. |
|
|
Provides simple role-based authorization for the request based on the authenticated subject at the SOA component level. |
|
|
Provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level. |
Display Name: Binding Authorization Assertion Template
Category: Security
Type: binding-authorization
The binding_authorization_template assertion template provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion template.
Table 18-119 lists the settings for the binding_authorization_template assertion template.
Table 18-119 binding_authorization_template Settings
| Name | Default Value |
|---|---|
|
Authorization Permission |
|
|
Permissions—Action Match |
None |
|
Permissions—Constraint Match |
None |
|
Authorization Permission |
|
|
Guard (see Permissions) |
|
|
None |
|
|
None |
|
|
None |
|
|
Not Set |
Table 18-120 lists the configuration properties and the default settings for the binding_authorization_template assertion template.
Display Name: Binding Permission Based Authorization Assertion Template
Category: Security
Type: binding-permission-authorization
The binding_permission_authorization_template assertion provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion.
Table 18-121 lists the settings for the binding_permission_authorization_template assertion template.
Table 18-121 binding_permission_authorization_template Settings
| Name | Default Value |
|---|---|
|
Authorization Permission |
|
|
Guard (see Permissions) |
|
|
* |
|
|
None |
|
|
* |
|
|
Check Permission |
|
|
None |
Table 18-122 lists the configuration properties and the default settings for the binding_permission_authorization_template assertion template.
Display Name: Component Authorization Assertion Template
Category: Security
Type: sca-component-authorization
The component_authorization_template assertion provides simple role-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.
Table 18-123 lists the settings for the component_authorization_template assertion template.
Table 18-123 component_authorization_template Settings
| Name | Default Value |
|---|---|
|
Authorization Permission |
|
|
Guard (see Permissions) |
|
|
None |
|
|
None |
|
|
None |
|
|
Not Set |
Table 18-124 lists the configuration properties and the default settings for the component_authorization_template assertion template.
Display Name: Component Permission Based Authorization Assertion Template
Category: Security
Type: sca-component-permission-authorization
The component_permission_authorization_template assertion template provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.
Note:
You should be careful when using permission-based policies with EJBs as the security permissions specified in system-jazn-data.xml will be relaxed beyond a single invocation of the service operation.Table 18-125 lists the settings for the component_permission_authorization_template assertion template.
Table 18-125 component_permission_authorization_template Settings
| Name | Default Value |
|---|---|
|
Authorization Permission |
|
|
Guard (see Permissions) |
|
|
* |
|
|
None |
|
|
None |
|
|
None |
Table 18-126 lists the configuration properties and the default settings for the component_permission_authorization_template assertion template.
Table 18-127 lists the algorithm suites that are supported for message protection. The algorithm suites enable you to control the cryptographic characteristics of the algorithms that are used when securing messages.
A group of standard algorithm suites are defined in WS-SecurityPolicy 1.2, which is available at the following URL:
The symmetric signature (Sym Sig) and the asymmetric signature (Asym Sig) in each suite are defaulted to HmacSha1 and RsaSha1 respectively as follows:
| Property Algorithm | Value |
|---|---|
| [Sym Sig] | HmacSha1 |
| [Asym Sig] | RsaSha1 |
OWSM also provides the extended algorithm suites as listed in the following table with:
| Property Algorithm | Value |
|---|---|
| [Sym Sig] | HmacSha256 |
| [Asym Sig] | RsaSha256 |
The XML signatures RSA-SHA256 and HMAC-SHA256 are defined in w3c XML Security Algorithm Cross-Reference spec, which is available at the following URL:
http://www.w3.org/TR/xmlsec-algorithms/
Note:
FIPS compliant algorithm suites are marked with an asterisk (*). See "Enabling FIPS Mode" in Administering Security for Oracle WebLogic Server for FIPS information.Table 18-127 Supported Algorithm Suites
| Algorithm Suite | Digest | Encryption | Symmetric Key Wrap | Asymmetric Key Wrap | Encrypted Key Derivation | Signature Key Derivation | Minimum Signature Key Length | Symmetric Signature | Asymmetric Signature |
|---|---|---|---|---|---|---|---|---|---|
|
Basic256 |
Sha1 |
Aes256 |
KwAes256 |
KwRsaOaep |
PSha1L256 |
PSha1L192 |
256 |
HmacSha1 |
RsaSha1 |
|
Basic192 |
Sha1 |
Aes192 |
KwAes192 |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic128 |
Sha1 |
Aes128 |
KwAes128 |
KwRsaOaep |
PSha1L128 |
PSha1L128 |
128 |
HmacSha1 |
RsaSha1 |
|
TripleDes |
Sha1 |
TripleDes |
KwTripleDes |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic256Rsa15* |
Sha1 |
Aes256 |
KwAes256 |
KwRsa15 |
PSha1L256 |
PSha1L192 |
256 |
HmacSha1 |
RsaSha1 |
|
Basic192Rsa15* |
Sha1 |
Aes192 |
KwAes192 |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic128Rsa15* |
Sha1 |
Aes128 |
KwAes128 |
KwRsa15 |
PSha1L128 |
PSha1L128 |
128 |
HmacSha1 |
RsaSha1 |
|
TripleDesRsa15* |
Sha1 |
TripleDes |
KwTripleDes |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic256Sha256 |
Sha256 |
Aes256 |
KwAes256 |
KwRsaOaep |
PSha1L256 |
PSha1L192 |
256 |
HmacSha1 |
RsaSha1 |
|
Basic192Sha256 |
Sha256 |
Aes192 |
KwAes192 |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic128Sha256 |
Sha256 |
Aes128 |
KwAes128 |
KwRsaOaep |
PSha1L128 |
PSha1L128 |
128 |
HmacSha1 |
RsaSha1 |
|
TripleDesSha256 |
Sha256 |
TripleDes |
KwTripleDes |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic256Sha256Rsa15* |
Sha256 |
Aes256 |
KwAes256 |
KwRsa15 |
PSha1L256 |
PSha1L192 |
256 |
HmacSha1 |
RsaSha1 |
|
Basic192Sha256Rsa15* |
Sha256 |
Aes192 |
KwAes192 |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic128Sha256Rsa15* |
Sha256 |
Aes128 |
KwAes128 |
KwRsa15 |
PSha1L128 |
PSha1L128 |
128 |
HmacSha1 |
RsaSha1 |
|
TripleDesSha256Rsa15* |
Sha256 |
TripleDes |
KwTripleDes |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
HmacSha1 |
RsaSha1 |
|
Basic256Exn256 |
Sha256 |
Aes256 |
KwAes256 |
KwRsaOaep |
PSha1L256 |
PSha1L192 |
256 |
HmacSha256 |
RsaSha256 |
|
Basic192Exn256 |
Sha256 |
Aes192 |
KwAes192 |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
HmacSha256 |
RsaSha256 |
|
Basic128Exn256 |
Sha256 |
Aes128 |
KwAes128 |
KwRsaOaep |
PSha1L128 |
PSha1L128 |
128 |
HmacSha256 |
RsaSha256 |
|
TripleDesExn256 |
Sha256 |
TripleDes |
KwTripleDes |
KwRsaOaep |
PSha1L192 |
PSha1L192 |
192 |
HmacSha256 |
RsaSha256 |
|
Basic256Exn256Rsa15 |
Sha256 |
Aes256 |
KwAes256 |
KwRsa15 |
PSha1L256 |
PSha1L192 |
256 |
HmacSha256 |
RsaSha256 |
|
Basic192Exn256Rsa15 |
Sha256 |
Aes192 |
KwAes192 |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
HmacSha256 |
RsaSha256 |
|
Basic128Exn256Rsa15 |
Sha256 |
Aes128 |
KwAes128 |
KwRsa15 |
PSha1L128 |
PSha1L128 |
128 |
HmacSha256 |
RsaSha256 |
|
TripleDesExn256Rsa15 |
Sha256 |
TripleDes |
KwTripleDes |
KwRsa15 |
PSha1L192 |
PSha1L192 |
192 |
HmacSha256 |
RsaSha256 |
Note:
To use the extended algorithm suites for Symmetric Signature HmacSha256 and Asymmetric Signature RsaSha256, you need to create a custom OWSM policy with algorithm suite set to extended algorithm suite type. For instance, if the algorithm suite type isBasic256Exn256, then it should be set as follows:
orasp:algorithm-suite="Basic256Exn256
You can follow the steps to create a new policy from a predefined policy and modify the algorithm suite using Oracle Enterprise Manager Fusion Middleware Control. For more information, see:
"Creating Custom Policies" in Oracle® Fusion Middleware Securing Web Services and Managing Policies with Oracle Web Services Manager.
"Editing a Web Service Policy" in Oracle® Fusion Middleware Securing Web Services and Managing Policies with Oracle Web Services Manager.
Table 18-128 lists the settings for the Request, Response, and Fault messages. You configure these settings for message signing and encryption.
Table 18-129 summarizes the management assertion templates.
Table 18-129 Management Assertion Templates
| Name | Description |
|---|---|
|
Provides a logging assertion template that can be attached to any binding or component. |
Display Name: Security Log Assertion Template
Category: Security
Type: Logging
The security_log_template assertion template provides a logging assertion template that can be attached to any binding or component.
Note:
It is recommended that the logging assertion be used for debugging and auditing purposes only.Table 18-130 lists the settings for the security_log_template assertion template.
Table 18-131 lists the configuration properties and the default settings for the security_log_template assertion template.