This chapter describes how to use Service Bus in conjunction with Oracle Web Services Manager (OWSM) to provide a scalable, standards-based, centrally managed approach to securing your service integration environment with WS-Security policies while leveraging your existing security providers.
OWSM is a runtime framework for policy creation for security, management, and governance. You create policies, attach them to services in Service Bus, and enforce those policies at various points in the messaging life cycle with OWSM agents.
OWSM policies enable WS-AT, WS-RM and WS-Security/WS-SC. WSDL-embedded policies cannot be used.
Note:
Oracle Web Services Manager (OWSM) is the Web Services security mechanism used by Service Bus. All newly created resources, such as business services and proxy services, use OWSM policies for security. WLS 9 policies are deprecated, and cannot be used to configure security for a new Service Bus resource.
However, you can import resources already configured with WLS 9 policies into your Service Bus project. You cannot edit or modify these WLS 9policies, but you can replace them with OWSM policies.
This chapter includes the following sections:
OWSM is a component of the Oracle Enterprise Manager Fusion Middleware Control, a runtime framework that provides centralized management and governance of Oracle SOA Suite environments and applications.
You create and configure OWSM policies in Oracle Enterprise Manager, and those policies are persisted in a policy store (a database is recommended). OWSM lets you define policies against an LDAP directory and generate standard security tokens (such as SAML tokens) to propagate identities across multiple web services used in a single transaction.
In Service Bus, when defining a business or proxy service that lets you attach security policies, you can attach available OWSM policies.
Service Bus and Oracle Web Services Manager (OWSM) use certain services for authentication and authorization. OWSM uses Java Platform Security (JPS), so Service Bus uses JPS providers for OWSM policies. Service Bus also uses Common Security Services (CSS), which is a part of Oracle Platform Security Services (OPSS), for other aspects of message security.
For more information about Oracle security services, see Introduction to Oracle Platform Security Services in the Securing Applications with Oracle Platform Security Services.
The following topics describe which security providers Service Bus and OWSM use for different security areas.
When using Oracle Web Services Manager policies, the following apply:
OWSM policies use SAML providers from JPS and not from WebLogic Server. For information on configuring SAML with OWSM, see "Configuring SAML" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
For authentication, OWSM uses the JPS Login Module, which in turn calls authentication providers configured on WebLogic Server.
OWSM and Service Bus support the Java Keystore (JKS) and the Keystore Service (KSS) provided by Oracle Platform Security Services. For OWSM policies, a best practice is to configure the keystore on JPS, with both the WebLogic Server and the JPS keystore referencing the same kind of keystore. For example, if you use a JKS file keystore, JPS and WebLogic Server should point to the same file. If you use an KSS keystore, JPS and WebLogic Server should point to the same KSS configuration.
For information on creating the keystore, see "Configuring Keystores for Message Protection" in the Securing Web Services and Managing Policies with Oracle Web Services Manager.
A JPS keystore serves as both a keystore and a truststore for OWSM policies.
Service Bus uses the following providers:
CSS providers to enforce WLS 9 policies
CSS providers to enforce transport security
WebLogic Server authorization providers for authorization policies
Custom WebLogic Server authentication providers and identity asserters for custom authentication policies
WebLogic Server credential providers and mappers
WebLogic Server keystore and truststore for WLS 9 policies
Authentication and identity assertion through Oracle Web Services Manager agents
This section includes topics about how to attach OWSM policies to Service bus services, deployment considerations, and auditing and monitoring.
You can attach OWSM policies to the following types of proxy and business services in Service Bus on the Policies page:
WSDL
Any SOAP
Any XML
Messaging
REST
You can attach OWSM policies only at the service level, and you cannot embed them in service WSDL files. Note that policy support for non-SOAP services is limited.
When attaching policies in the development environment, keep in mind that services in the development environment can be out of sync with services in the Oracle Service Bus Console, so take care when updating services from JDeveloper to the Console. If you copy a service to create a same type of service (for example, copy a business service to create a new business service), be sure to review your OWSM policies in the new service and make any necessary adjustments.
After adding OWSM policies to a service, you can provide policy overrides on the Security page. For the policies used, the user interface displays the override keys (properties) and their default values. The key names come from the policy binding. If allowed, a text box appears next to a key's default value where you can provide an override value. Service Bus does not provide well-known keys for override, such as sign key alias or CSF key, which points to user credentials in a CSF store. (Service Bus provides user credentials in the service account.) Override keys you provide are passed to the Oracle Web Services Manager agent during invocation.
For information on configuring SAML for use with Service Bus, see Using SAML with Oracle Service Bus. For information on configuring SAML with OWSM, see "Configuring SAML" in the Securing Web Services and Managing Policies with Oracle Web Services Manager.
When WSDL files contain embedded Oracle Web Services Manager policies, you can advertise the policies to be compatible with the following policy standards, supported by Oracle Service Bus and Oracle SOA Suite:
WS-Policy 1.2 (default) and 1.5
WS-Security Policy 1.1 (default), 1.2, and 1.3
Using special query parameters in URLs to access WSDL files embedded with OWSM policies, Service Bus generates WSDL files that comply with the required standards. For more information on accessing WSDL files with a URL, see Viewing Service Bus Resources in a Web Browser.
Note:
This feature is not available in the Service Bus "Export WSDL" or "Generate WSDL" functionality.
The special query parameters are &wsp (WS-Policy) and &wssp (WS-Security Policy), and you can use them in conjunction with the WSDL, PROXY, and BIZ URL patterns for retrieving WSDL files. For example:
http://localhost:7001/proxy/myProxy?WSDL&wsp=1.5&wssp=1.2
Returns the WSDL file for myProxy, a WSDL-based proxy service, so that the OWSM policy reference conforms to WS-Policy 1.5 and WS-Security Policy 1.2.
Note:
In the previous URL, /proxy/myProxy is the endpoint URI for the proxy service.
http://localhost:7001/sbresource?PROXY/myProject/myProxy&wsp=1.5&wssp=1.2
Returns the WSDL file for myProxy, a WSDL-based proxy service, so that the OWSM policy reference conforms to WS-Policy 1.5 and WS-Security Policy 1.2.
http://localhost:7001/sbresource?BIZ/myProject/myBiz&wsp=1.5&wssp=1.3
Returns the WSDL file for myBiz, a WSDL-based business service, so that the OWSM policy reference conforms to WS-Policy 1.5 and WS-Security Policy 1.3.
http://localhost:7001/sbresource?WSDL/proxy/myProxy
Returns the WSDL file for myProxy, a WSDL-based proxy service, so that the OWSM policy reference conforms to WS-Policy 1.2 and WS-Security Policy 1.1. Because no query parameters are used, Service Bus uses the defaults.
http://localhost:7001/proxy/myProxy?WSDL&wssp=1.3
Because WS-Security Policy 1.3 is compatible only with WS-Policy 1.5, this returns the WSDL file for myProxy so that the OWSM policy reference conforms to WS-Security Policy 1.3 and WS-Policy 1.5.
Invalid Values/Combinations
WS-Security Policy 1.2 and 1.3 are compatible only with WS-Policy 1.5. For invalid value examples, see Table 52-1.
Tip:
In a web browser, try different query parameter versions see how the returned WSDL changes.
For a quick reference of query parameter combinations, see the following section, WSDL Query Parameter Reference for WS Policies.
This section provides a quick reference showing valid and invalid combinations of the &wsp and &wssp query parameters described in the previous section, Advertising WSDL Files to Support WS Standards. The examples use ?WSDL to retrieve the WSDL file. You can also use the ?PROXY and ?BIZ methods of WSDL file retrieval, as described in Viewing Service Bus Resources in a Web Browser.
As shown in Table 52-1, when one or more parameters is omitted, Service Bus provides the valid default. For the invalid value exceptions, WS-Security Policy 1.2 and 1.3 are compatible with only WS-Policy 1.5, and vice versa.
Table 52-1 Valid and Invalid Combinations of the &wsp and &wssp Query Parameters
| Query Parameter Combinations | WS-Policy Version | WS-Security Policy Version | 
|---|---|---|
| ...?WSDL | 1.2 | 1.1 | 
| ...?WSDL&wsp=1.2 | 1.2 | 1.1 | 
| ...?WSDL&wsp=1.5 | 1.5 | 1.3 | 
| ...?WSDL&wssp=1.1 | 1.2 | 1.1 | 
| ...?WSDL&wssp=1.2 | 1.5 | 1.2 | 
| ...?WSDL&wssp=1.3 | 1.5 | 1.3 | 
| ...?WSDL&wsp=1.2&wssp=1.1 | 1.2 | 1.1 | 
| ...?WSDL&wsp=1.5&wssp=1.2 | 1.5 | 1.2 | 
| ...?WSDL&wsp=1.5&wssp=1.3 | 1.5 | 1.3 | 
| ...?WSDL&wsp=1.2&wssp=1.2 | Invalid value exception | Invalid value exception | 
| ...?WSDL&wsp=1.2&wssp=1.3 | Invalid value exception | Invalid value exception | 
| ...?WSDL&wsp=1.5&wssp=1.1 | Invalid value exception | Invalid value exception | 
| ...?WSDL&wsp=3.0&wssp=1.2 | Invalid value exception | Invalid value exception | 
| ...?WSDL&wsp=1.2&wssp=2.0 | Invalid value exception | Invalid value exception | 
When you export Service Bus configurations that contain services with OWSM policy references, the references are maintained. You must ensure that the referenced policies also exist in the target environment. If the target environment is the IDE, warnings are displayed saying that policies will be validated on publish.
To audit policy events in Oracle Enterprise Manager, you must set up an audit data repository and set up event collection. For more information, see the following topics in Administering Web Services:
"Viewing Audit Reports" – Pre-defined audit reports for OWSM in Oracle Business Intelligence Publisher include statistics for Service Bus.
You can audit the following policy-level events:
Policy creation, deletion, or modification
Assertion template creation, deletion, or modification
Fusion Middleware Control lets you monitor and manage policies attached to your Service Bus services, including their usage and violation metrics. You can also attach policy sets globally, define policy overrides, and attach and detach policies from your services. See "Monitoring and Managing Security Policies" in Administering Oracle Service Bus for details on monitoring and managing these policies.
Service Bus collects WS-Security error statistics for OWSM policy enforcement errors as it does for WLS 9 policies, and those statistics are available in the Service Bus service monitoring dashboard.
This section lists, and provides links to, the OWSM predefined policies and assertions that Service Bus supports and does not support. Custom assertions are supported.
Note:
The assertion or policy "enabled/disabled" option in the Oracle Enterprise Manager Fusion Middleware Control user interface does not determine whether or not an assertion or policy is supported in Service Bus. Supported policies and assertions are listed in this section.
See the following topics for information about which OWSM policies are supported with Service Bus:
SOAP Services: See "Determining Which Predefined Policies to Use" in Securing Web Services and Managing Policies with Oracle Web Services Manager, which provides information about the predefined policies available in the current release.
Non-SOAP Services: See Table 52-2, which lists the supported OWSM predefined policies for business and proxy services that are configured with the WSDL (non-SOAP), XML, or Messaging service type using the HTTP Transport. User-defined policies are also supported.
REST Services: See "Which OWSM Policies Are Supported for RESTful Web Services and Clients?" in Securing Web Services and Managing Policies with Oracle Web Services Manager, which lists supported OWSM predefined policies for services configured with the REST service type.
JCA Services: See "Which OWSM Policies Are Supported for JCA Adapters?" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Note:
In the development environment, if you use unsupported seed policies:
An effective WSDL file generated in the development environment will skip unsupported policies.
Validation is performed on service publish.
For more information on the following policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Table 52-2 Supported OWSM Predefined Policies for WSDL (non-SOAP), XML, and Messaging Service Service Types with HTTP Transport
| Type | Client Policy | Service Policy | 
|---|---|---|
| Authentication only | oracle/wss_http_token_client_policy Basic authentication only. For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. | oracle/wss_http_token_service_policy Basic authentication only. For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. | 
| Authentication and Message Protection | oracle/wss_http_token_over_ssl_client_policy For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. | oracle/wss_http_token_over_ssl_service_policy For more information on this policy, see wss_http_token_*_policy Guidelines and OWSM Authentication Policy Guidelines. | 
| Authorization only | N/A | oracle/whitelist_authorization_policy | 
| Authorization only | N/A | oracle/binding_authorization_denyall_policy | 
| Authorization only | N/A | oracle/binding_authorization_permitall_policy | 
| Reliable Messaging | N/A | oracle/reliable_messaging_policy Note: This policy is supported only for HTTP transport services of WSDL service type. You must also attach oracle/reliable_messaging_internal_api_policy when attaching this policy. | 
| Reliable Messaging | N/A | oracle/reliable_messaging_internal_api_policy Note: This policy is supported only for HTTP transport services of WSDL service type. You must also attach oracle/reliable_messaging_policy when attaching this policy. | 
This section provides guidance on using the wss_http_token policies with Service Bus.
Note:
When using the HTTP transport with an OWSM policy, set the Authentication property for the transport to None. Setting it to any other value conflicts with the OWSM policy.
When you enable specific options on the policies in OWSM, certain guidelines apply. The options are:
Authentication Mode – OWSM and Service Bus support only "Basic" authentication mode in the policy. Any other mode causes an exception.
Transport Security – This option indicates that the invocation has to be done on the SSL channel. At runtime:
Proxy Services: If you enable this option on the policy, you must enable the HTTPS Required option on the proxy service containing the policy.
Business Services: No validation occurs on the business service configuration when you enable this option on the policy, so be sure that the business service endpoint addresses use HTTPS. A runtime error is thrown if an endpoint does not use HTTPS.
Mutual Authentication Required – This option indicates two-way SSL.
Proxy Services: This option is not supported for use on proxy services. Clear this option when using the wss_*_over_ssl_* _policy policies provided by OWSM.
Business Services: Because OWSM ignores this option on outbound messages, this option has no effect when used with business services.
Include Timestamp – This option enforces the inclusion of timestamp in the SOAP header.
Proxy Services: When you enable this option with proxy services, OWSM ensures the timestamp is available and valid in the SOAP header.
Business Services: When you enable this option with business services, OWSM adds a timestamp to the SOAP header if a timestamp does not already exist.
Note:
When applying wss_http_token policies to proxy and business services that use non-SOAP service types with the HTTP transport, the Include Timestamp option in the OWSM policy must be disabled.
When you use token transport policies on a Service Bus service, such as wss_http_token_over_ssl_client_policy or wss_username_token_over_ssl_client_policy, the Authentication property on the service's transport configuration page to None. You can use either an OWSM token policy or handle authentication through the transport, but not both.
You can attach any of the supported OWSM policies to proxy and business services that include support for SOAP with Attachments (SwA). In addition to securing the message body, you can configure message protection policies to include SwA attachments and MIME headers for message signing or message encryption.
You can attach OWSM policies to proxy and business services that include support for MTOM-formatted SOAP messages and use the HTTP, Local, or SB Transport. Message processing for all supported policies is the same for SOAP messages in MTOM format as for any other SOAP message, with the exception of message protection policies.
For a message protection policy that encrypts any part of the message body, the <xop:Include> elements of incoming messages are inlined prior to decryption. On decryption, the <xop:Include> elements are replaced by the base64Binary representation of the data. The message contents do not change.
Note:
When applying OWSM policies to services that support messages in MTOM format:
For proxy services, the incoming message must first be encrypted using an equivalent client policy.
Set the Authentication property for the transport to None when configuring the service. Setting it to any other value conflicts with the OWSM policy.
Service Bus supports WS-ReliableMessaging (WS-RM) with HTTP transport services of the WSDL service type by attaching the oracle/reliable_messaging_policy and oracle/reliable_messaging_internal_api_policy Oracle Web Services Manager policies.
This topic describes supported and unsupported features.
Supported Features
Supports WS-RM 1.0, 1.1, and 1.2
Supports One-way WS-RM
Supports synchronous WS-RM (anonymous ReplyTo)
Quality of Service (QoS):
AtLeastOnce
ExactlyOnce
AtMostOnce
Unsupported Features
Non-HTTP transport services are not supported.
Asynchronous WS-RM (non-anonymous ReplyTo) is not supported.
Additional Notes
Whenever you attach oracle/reliable_messaging_policy to a service, you must also attach oracle/reliable_messaging_internal_api_policy. An error is thrown if both are not added.
In a synchronous WS-RM scenario, response messages don’t need to be sent reliably. There are scenarios in which a request message is reliably processed by the service, but the client may not receive a response.
HTTP proxy services with the WS-RM policies attached invoke HTTP business services with WS-RM policies attached only:
when the business service is in a route node of a pipeline which is targeted by the WS-RM-enabled proxy service
when the business service is a target service of the proxy service
WS-AT policy can only be applied on WSDL with SOAP binding or any SOAP based HTTP proxy/business service.
WS-AT and WS-RM policies cannot be applied for the same service.
WS-AT is not supported for one-way WSDL operations. A warning message is shown at design time for HTTP proxy with WSDL (of SOAP binding) based services containing one-way operations.
Attach the oracle/reliable_messaging_ policy and oracle/reliable_messaging_internal_api_policy OWSM policies to a proxy service to enable WS-RM for that service. See Attaching Oracle Web Services Manager Policies to Oracle Service Bus Services for more information.
HTTP proxy services with WS-RM policies attached are:
Transactional
Asynchronous
The WS-RM stack initiates a transaction only when the sequence’s QualityOfService is set in the policy as AtMostOnce or ExactlyOnce. The Quality of Service (QoS) on Routing Options is set as ExactlyOnce only when the policy contains the sequence QualityofService as AtMostOnce or ExactlyOnce.
For both one-way and synchronous request messages, the WS-RM stack is notified for message acknowledgement after the request path processing is successfully completed. When failures are encountered in the request path, the WS-RM stack is notified of the errors and the request message is considered not processed. It will be retried according to the retry configuration on the policy.
Attach the oracle/reliable_messaging_ policy and oracle/reliable_messaging_internal_api_policy OWSM policies to a business service to enable WS-RM for that service. See Attaching Oracle Web Services Manager Policies to Oracle Service Bus Services for more information.
HTTP business services with WS-RM policies attached are:
Transactional
Asynchronous
When a business service with WS-RM policies attached receives a request message in a transaction, the transaction is suspended before undergoing WS-RM processing. The transaction is committed only when it receives a successful acknowledgement from the target service.
Transactions are marked for rollback when:
the WS-RM stack does not receive any acknowledgment or the message times out in processing
it receives a fault related to WS-RM processing from the target service.
When a request message is unable to be processed due to failures in the WS-RM stack a fault is generated and sent as a response.
End-to-end message reliability can be achieved using one of the scenarios described below.
End-to-end reliability is supported for the following scenarios:
Asynchronous proxy service to WS-RM outbound
WS-RM inbound to WS-RM outbound is supported with the following configuration:
WS-RM inbound has a target service of WS-RM outbound
WS-RM inbound targets to pipeline which routes to WS-RM outbound
The following interactions using Service Bus as an intermediary are supported:
SOA Suite 12.2.1 / WebLogic Server < --- > Service Bus < ---- > non WS-RM service
Non WS-RM client < --- > Service Bus < ---- > Oracle SOA Suite 12.2.1 / WebLogic Server
Oracle SOA Suite 12.2.1 / WebLogic Server < --- > Service Bus < ---- > Oracle SOA Suite 12.2.1 / WebLogic Server
You can achieve better performance by configuring properties for the oracle/reliable_messaging_policy and oracle/reliable_messaging_internal_api_policy OWSM policies.
See oracle/reliable_messaging_policy in Securing Web Services and Managing Policies with Oracle Web Services Manager and oracle/reliable_messaging_internal_api_policy for complete lists of the properties you can configure for each of these policies.
Configure an appropriate transactional timeout using the user.transaction.timeout property in oracle/reliable_messaging_internal_api_policy.
Configure an interval (in milliseconds)for maintenance tasks for purging data stored in database tables for orphaned messages using thesequence.manager.maintenance.period property in oracle/reliable_messaging_internal_api_policy.
Specify how many concurrently-active WS-RM sessions (measured based on inbound WS-RM sequences) the sequence manager dedicated to the WS Endpoint accepts before starting to refuse new requests for sequence creation using the max.concurrent.session property in oracle/reliable_messaging_internal_api_policy.
The following properties can be configured to tune the performance of services with oracle/reliable_messaging_policy
Table 52-3 oracle/reliable_messaging_internal_api_policy Properties
| Name | Description | Default | Required? | 
|---|---|---|---|
| 
 | Specifies the period (in milliseconds) of a sequence manager maintenance task execution. | 60000 | Optional | 
| 
 | Specifies how many concurrently active RM sessions (measured based on inbound RM sequences) the sequence manager dedicated to the WS Endpoint accepts before starting to refuse new requests for sequence creation. | 100 | Optional | 
| 
 | Transactional timeout for XA transaction started by proxy service. The default value of 0 says to use the system default. | 0 | Optional | 
| 
 | See reference.priority in Securing Web Services and Managing Policies with Oracle Web Services Manager for information. | None | Optional | 
Table 52-4 lists unsupported OWSM assertions for both SOAP and non-SOAP services, shows which policies contain the assertions, and describes the affected capabilities and alternatives to achieve the capabilities.
Table 52-4 Unsupported assertions
| Unsupported Assertion | OWSM Policies Containing the Assertion | Capability Affected and Alternative | 
|---|---|---|
| binding-permission-authorization | oracle/binding_permission_authorization_policy | Permission-based access control to service. Alternative: Use XACML authorization policies. | 
| OptimizedMimeSerialization (MTOM) | oracle/wsmtom_policy | MTOM Alternative: Use MTOM configuration directly on proxy/business service. | 
| RMAssertion | oracle/wsrm10_policy oracle/wsrm11_policy | WS-RM 1.0/1.1/1.2 Alternative: Use the WS transport directly in Service Bus for WS-RM 1.0/1.1/1.2; or attach oracle/reliable_messaging_ policy and oracle/reliable_messaging_internal_api_policy to HTTP transport services of the WSDL type. | 
| sca-component-authorization | oracle/component_authorization_denyall_policy oracle/component_authorization_permitall_policy | Role-based access control to deny/permit all to access the component. Alternative: Not applicable | 
| sca-component-permission-authorization | oracle/component_permission_authorization_policy | Permission based Access Control to component Alternative: Not applicable | 
| UsingAddressing | oracle/wsaddr_policy | To require WS-Addressing Alternative: Configure WS-Addressing on business services that use the SOA-DIRECT transport; or add WS-Addressing to messages in a Service Bus pipeline. | 
Oracle Service Bus provides support for the execution of a set of predefined policies and assertion templates that are delivered by OWSM. When a specific functionality is not provided with the standard policies available with the product, users can develop custom assertions.
See "About Custom Assertions" in Developing Extensible Applications for Oracle Web Services Manager for more information on custom assertions.
See "Creating Custom Assertions" in Developing Extensible Applications for Oracle Web Services Manager for more information on creating custom assertions.
Starting in Service Bus 12.2.1, you can secure services with REST endpoints by attaching OAuth OWSM policies.
The topics in this section describe the supported use cases and the steps needed to configure the OAuth server and OWSM for using OAuth with Service Bus.
Only OAuth2 is supported with this release of Service Bus.
This release of Service Bus supports 2–Legged OAuth use cases. The following 2–Legged OAuth use cases are supported: Client Authentication and Client + User Authentication.
Client authentication:
Client credentials – AppID username and password in Authentication HTTP header (federated=false) (with and without SSL)
Client credentials – JWT (JSON Web Token)  (federated=true) (with and without SSL)
Note:
In the case of federated=true, the JWT token is created for the client credentials. You can change this value in the OWSM OAuth policy.
Client + User authentication
Client credentials - AppID username and password in Authentication HTTP header + User Credentials – JWT (federated=false) (with and without SSL)
Client Identity – JWT + User Identity – JWT (federated=true)  (with and without SSL)
See Understanding 2-Legged Authorization in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management for additional information about 2–legged OAuth.
You must configure OWSM and the OAuth server to secure REST endpoints with OAuth policies in Service Bus.
Topics
Note:
This section documents the steps required to configure a sample OAuth server; the configuration described in these tasks might not apply to every deployment scenario. For additional information about configuring an OAuth server, see Configuring OAuth Services in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management
You must complete the following tasks to configure the OAuth server:
Topics
Note:
This section documents the steps required to configure a sample OAuth server; the configuration described in these tasks might not apply to every deployment scenario. For additional information about configuring an OAuth server, see Configuring OAuth Services in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Before configuring the OAuth server, you have to enable OAuth for Oracle Access Management. You accomplish this by enabling the Access Manager and Mobile and Social services in the Oracle Access Management Console.
jwt.issuer property: jwt.issuer=www.example.com .jwt.CryptoScheme property: jwt.CryptoScheme=RS256.listCred(map="oracle.wsm.security",key="keystore-csf-key").keytool -exportcert -keystore default-keystore.jks -alias orakey -file oauth-key.pem -rfc.orakey to owsmkey<unique-ending>: keytool -changealias -alias orakey -destalias owsmkey<unique-ending> -keystore default-keystore.jks.keytool -exportcert -keystore default-keystore.jks -alias owsmkey<unique-ending> -file owsmkey<unique-ending>.cer.keytool -importcert -file owsmkey<unique-ending>.cer -keystore default-keystore.jks -alias owsmkey<unique-ending>.keytool -importcert -file oauth-key.pem -keystore default-keystore.jks -alias orakey.You attach OAuth OWSM policies to business and proxy services the same way you attach any OWSM policy to Service Bus services.
See Securing Business and Proxy Services for information about attaching policies to services using JDeveloper and the Service Bus console.
The oracle/http_jwt_token_service_policy or oracle/http_jwt_token_over_ssl_service_policy policies can be attached to proxy services, and the oracle/oauth2_config_client_policy (where you specify the REST endpoint from which to get the OAuth token) and oracle/http_oauth2_token_client_policy or oracle/http_oauth2_token_over_ssl_client_policy policies can be attached to business services.