This chapter includes the following sections:
Review these topics to describe the OWSM 10g and 12c policy steps, interoperability scenarios, and OWSM 10g gateways.
With OWSM 10g, you specify policy steps at each policy enforcement point.
The policy enforcement points in OWSM 10g include Gateways and Agents. Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the web service request or response. For more details about the OWSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG
.
With OWSM 12c, you attach policies to web service endpoints.
Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.
For more information about:
OWSM predefined policies, see "Predefined Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring and attaching OWSM 12c policies, see "Securing Web Services" and "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
OWSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG
Review this topic for more information on the most common OWSM 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
Note:
In the following scenarios in the Table 2-1 and Table 2-2, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.
The following sections provide additional interoperability information about using OWSM 10g Gateways and third-party software with OWSM 12c:
Table 2-1 OWSM 10g Service Policy and OWSM 12c Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Anonymous |
1.0 |
Yes |
No |
Request pipeline: Decrypt and Verify Signature Response pipeline: Sign Message and Encrypt |
|
Username |
1.0 |
Yes |
No |
Request pipeline:
Response pipeline: Sign Message and Encrypt |
|
SAML |
1.0 |
Yes |
No |
Request pipeline:
Response pipeline: Sign Message and Encrypt |
|
Mutual Authentication |
1.0 |
Yes |
No |
Request pipeline: Decrypt and Verify Response pipeline: Sign Message and Encrypt |
|
Username over SSL |
1.0 and 1.1 |
No |
Yes |
Request pipeline:
|
|
SAML over SSL |
1.0 and 1.1 |
No |
Yes |
Request pipeline:
|
|
Table 2-2 OWSM 12c Service Policy and OWSM 10g Client Policy Interoperability
Identity Token | WS-Security Version | Message Protection | Transport Security | Service Policy | Client Policy |
---|---|---|---|---|---|
Anonymous |
1.0 |
Yes |
No |
|
Request pipeline: Sign Message and Encrypt Response pipeline: Decrypt and Verify Signature |
Username |
1.0 |
Yes |
No |
|
Request pipeline: Sign Message and Encrypt Response pipeline: Decrypt and Verify Signature |
SAML |
1.0 |
Yes |
No |
|
Request pipeline:
Response pipeline: Decrypt and Verify Signature |
Mutual Authentication |
1.0 |
Yes |
No |
|
Request pipeline: Sign Message and Encrypt Response pipeline: Decrypt and Verify Signature |
Username over SSL |
1.0 and 1.1 |
No |
Yes |
|
N/A |
SAML over SSL |
1.0 and 1.1 |
No |
Yes |
|
Request pipeline:
|
The Anonymous Authentication with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.
Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 12c Web Service:
Clone the following policy: oracle/wss10_message_protection_service_policy
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to a web service.
For more information, see
"Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Follow these steps to configure OWSM 10g client:
Register the web service (above) with the OWSM 10g Gateway.
For more information, see"Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step to the request pipeline: Sign Message and Encrypt Gateway.
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side
Attach the following policy step to the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, by configuring the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Navigate to the OWSM Test page and enter the virtualized URL of the web service.
Invoke the web service.
Follow these procedures to configure the OWSM 10g web service and an OWSM 12c client to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 10g web service:
Register the web service with the OWSM 10g Gateway.
For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step in the request pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step in the response pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy response pipeline as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Follow these steps to configure the OWSM 12c client:
Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.
Clone the following policy: oracle/wss10_message_protection_client_policy
.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to the web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy.
For more information, see "oracle/wss10_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.
The Username Token with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.
Follow these procedures to configure the OWSM 12c web service and an OWSM 10g client to implement username token with message protection that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 12c Web Service:
Clone the following policy: oracle/wss10_username_token_with_message_protection_service_policy
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Attach the policy to a web service.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Follow these steps to configure the OWSM 10g client:
Register the web service (above) with the OWSM 10g Gateway.
Fore more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step to the request pipeline: Sign Message and Encrypt
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Set Encrypted Content to ENVELOPE.
Set Signed Content to ENVELOPE.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step to the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Navigate to the OWSM Test page and enter the virtualized URL of the web service.
Select the Include Header checkbox against WS-Security and provide valid credentials.
Invoke the web service.
Follow these procedures to configure the OWSM 10g web service and an OWSM 12c client to implement username token with message protection that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 10g Web Service:
Register the web service with the OWSM 10g Gateway.
For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline:
Decrypt and Verify Signature
Extract Credentials (configured as WS-BASIC)
File Authenticate
Note:
You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.
Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:
Configure the keystore properties for extracting credentials. The configuration should be in accordance with the keystore used on the server side.
Configure the Extract Credentials policy step in the request pipeline, as follows:
Set the Credentials location to WS-BASIC.
Configure the File Authenticate policy step in the request pipeline to use valid credentials.
Attach the following policy step in the response pipeline: Sign Message and Encrypt.
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Follow these steps to configure the OWSM 12c Client:
Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.
Clone the following policy: oracle/wss10_username_token_with_message_protection_client_policy
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Attach the policy to the web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy.
For more information, see "oracle/wss10_username_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.
The SAML Token (Sender Vouches) with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.
Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 12c Web Service:
Clone the following policy: oracle/wss10_saml_token_with_message_protection_service_policy.
Note:
Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to the web service.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Follow these steps to configure the OWSM 10g Client:
Register the web service with the OWSM 10g Gateway.
For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline:
Extract Credentials (configured as WS-BASIC)
SAML—Insert WSS 1.0 Sender-Vouches Token
Sign Message and Encrypt
Configure the Extract Credentials policy step in the request pipeline, as follows:
Set the Credentials location to WS-BASIC.
Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:
Set Subject Name Qualifier to www.oracle.com
Set Assertion Issuer as www.oracle.com
Set Subject Format as UNSPECIFIED.
Set other signing properties, as required.
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set the Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step in the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Navigate to the OWSM Test page and enter the virtualized URL of the web service.
Select Include Header checkbox against WS-Security and provide valid credentials.
Invoke the web service.
Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 10g Web Services:
Register the web service with the OWSM 10g Gateway.
For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline:
XML Decrypt
SAML—Verify WSS 1.0 Token
Configure the XML Decrypt policy step in the request pipeline, as follows:
Configure the keystore properties for XML decryption. The configuration should be in accordance with the keystore used on the server side.
Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:
Set the Trusted Issuer Name as www.oracle.com
Attach the following policy step in the response pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy step in the response pipeline, follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Follow these steps to configure OWSM 12c Client:
Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.
Clone the following policy: oracle/wss10_saml_token_with_message_protection_client_policy
.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to the web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy.
For more information, see "oracle/wss10_saml_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Invoke the web service.
The Mutual Authentication with Message Protection identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.
Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement mutual authentication with message protection that conform to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 12c Web Service:
Clone the following policy: oracle/wss10_x509_token_with_message_protection_service_policy
.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to the web service.
Follow these steps to configure OWSM 10g Client using Mutual Authentication.
Register the web service (above) with the OWSM 10g Gateway.
For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy step in the request pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy step in the response pipeline: Decrypt and Verify Signature.
Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Update the following property in the gateway-config-installer.properties
file located at ORACLE_HOME/j2ee/
oc4j_instance/applications/gateway/gateway/WEB-INF
:
pep.securitysteps.signBinarySecurityToken=true
Restart OWSM 10g Gateway.
Navigate to the OWSM Test page and enter the virtualized URL of the web service.
Invoke the web service.
Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement mutual authentication with message protection that conform to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 10g web service:
Register the web service (above) with the OWSM 10g Gateway.
"Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps in the request pipeline: Decrypt and Verify.
Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:
Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.
Attach the following policy steps in the response pipeline: Sign Message and Encrypt.
Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:
Set Encryption Algorithm to AES-128.
Set Key Transport Algorithm to RSA-OAEP-MGF1P.
Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.
Follow these steps to configure OWSM 12c Client:
Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway.
Clone the following policy: oracle/wss10_x509_token_with_message_protection_client_policy
.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to the web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy.
"oracle/wss10_x509_token_with_message_protection_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.
The username Token over SSL identity token conforms to the WS-Security 1.0 and 1.1 standards. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.
You can implement username token over SSL, in the following interoperability scenarios:
Configuring an OWSM 12c Web Service and an OWSM 10g Client (Username Token Over SSL)
Configuring an OWSM 10g Web Service and an OWSM 12c Client (Username Token Over SSL)
For more information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement username token over SSL.
Follow these steps to configure OWSM 12c web service:
Configure the server for SSL.
For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Attach the following policy: wss_username_token_over_ssl_service_policy
.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Follow these steps to configure OWSM 10g client:
Configure the server for SSL
For more information, see " Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Register the web service (above) with the OWSM 10g Gateway.
"Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Navigate to the OWSM Test page and enter the virtualized URL of the web service.
Select the Include Header checkbox against WS-Security and provide valid credentials.
Invoke the web service.
Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement username token over SSL.
Follow these steps to configure OWSM 10g Web Service:
Configure the server for SSL
For more information, see " Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Register the web service (above) with the OWSM 10g Gateway.
"Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps to the request pipeline:
Extract Credentials
File Authenticate
Note:
You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.
Configure the Extract Credentials policy step in the request pipeline, as follows:
Configure the Credentials Location as WS-BASIC.
Configure the File Authentication policy step in the request pipeline with the appropriate credentials.
Follow these steps to configure OWSM 12c Client:
Create a client proxy using the virtualized URL of the web service registered on the OWSM Gateway. Ensure that when generating the client, HTTP is specified in the URL along with the HTTP port number.
Clone the following policy: oracle/wss_username_token_over_ssl_client_policy
.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to the web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy.
For more information, see "oracle/wss_username_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.
The SAML Token (Sender Vouches) over SSL identity token conforms to the WS-Security 1.0 standard. This identity token is implemented to achieve the interoperability between OWSM 12c web service and an OWSM 10g client and the interoperability between OWSM 10g web service and an OWSM 12c client.
Configuring an OWSM 12c Web Service and an OWSM 10g Client (SAML Token Over SSL)
Configuring an OWSM 10g Web Service and OWSM 12c Client (SAML Token Over SSL)
For more information about:
Configuring SSL on WebLogic Server, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
.
Follow these procedures to configure an OWSM 12c web service and an OWSM 10g client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 12c Web Service to implement SAML token (sender vouches) over SSL:
Configure the server for two-way SSL.
For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Clone the following policy: oracle/wss_saml_token_over_ssl_service_policy
.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Attach the policy.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Follow these steps to configure the OWSM 10g Client:
Configure the server for two-way SSL.
For more information, see " Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Register the web service (above) with the OWSM 10g Gateway.
For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the following policy steps to the request pipeline:
Extract Credentials
SAML—Insert WSS 1.0 Sender-Vouches Token
Configure the Extra Credentials policy step in the request pipeline, as follows:
Configure the Credentials Location as WS-BASIC.
Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:
Configure the Subject Name Qualifier as www.oracle.com
Configure the Assertion Issuer as www.oracle.com
Configure the Subject Format as UNSPECIFIED.
Configure the Sign the assertion as false.
Navigate to the OWSM Test page and enter the virtualized URL of the web service.
Select Include Header checkbox against WS-Security and provide valid credentials.
Invoke the web service.
Follow these procedures to configure an OWSM 10g web service and an OWSM 12c client to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard.
Follow these steps to configure OWSM 10g Web Service using SAML Token over SSL:
Configure the server for two-way SSL.
For more information, see " Configuring OC4J and SSL" in Oracle Application Server Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Register the web service (above) with the OWSM 10g Gateway.
For more information, see "Registering Web Services to an OWSM Gateway" in the OWSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm
Attach the policy step: SAML—Verify WSS 1.0 Token
Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:
Under Signature Verification Properties, set Allow signed assertions only to false.
Set the Trusted Issuer Name to www.oracle.com
.
Follow these steps to configure the OWSM 12c Client:
Configure the server for two-way SSL.
For more information, see "Configuring SSL on WebLogic Server (Two-Way)" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Create a client proxy using the virtualized URL of the web service registered on the OWSM gateway.
s: oracle/wss_saml_token_over_ssl_client_policy
.
For more information, see "Cloning a Web Service Policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Edit the policy settings, as follows:
Disable the Include Timestamp configuration setting.
Leave the default configuration set for all other configuration settings.
Attach the policy to the web service client.
For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Configure the policy.
For more information, see "oracle/wss_username_token_over_ssl_client_policy" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Invoke the web service.