Determining Which Predefined Policies to Use for a Web Service

3.1 Security Policy Questionnaire for a Web Service

The security policies that best meet your requirements is determined by the basic requirements, requirement for authentication, requirement for authentication and authorization, and requirement for authentication and message protection.

Use the following series of questions to help you identify the security policies that best meet your requirements:

What are the basic requirements of your security policy? Decide if you need to only authenticate users, or if you only need message protection, or if you need both.
1. Do you require authentication only? If yes, then go to step 2.
2. Do you require authorization only? If yes, then see Configuring Authorization Using Oracle Web Services Manager.
3. Do you require authentication and authorization? If yes, then go to step 3.
4. Do you only require message protection? If yes, then see "Security Policies-Message Protection Only".
5. Do you require both authentication and message protection? If yes, then go to step 4.
If you only require authentication, then there are two basic questions you need to consider:
1. Where will the token be inserted? Will the token to be inserted in the transport layer or in a SOAP header?
2. Do you need to use a particular type of token? The supported credentials for authentication-only policies are username/password, SAML, and Kerberos tokens. Authentication-only policies are described in Authentication Only Policies.
If you require authentication and authorization, then you need to consider the following:
1. Review the considerations provided for authentication in step 2.
2. Review Configuring Authorization Using Oracle Web Services Manager for more information about authorization policies.
If you require both authentication and message protection, then you need to consider the following:
1. Will message protection be handled in the transport layer? If yes, then there are four sets of policies to choose from: Username over SSL, SAML over SSL (Sender-Vouches), SAML over SSL (Token Bearer), and HTTP token over SSL. Kerberos over SSL is also available via a custom policy.
  
  In one set of policies (wss_http_token_over_ssl_client_policy and wss_http_token_over_ssl_service_policy) authentication is also handled in the transport layer. For the other three polices, authentication takes place in the SOAP header.
  
  If you are using the WS-Security V1.0 or V1.1 standard, then both authentication and message protection occur in the SOAP header. There are five pairs of policies supporting the following tokens: username/password, SAML, X.509 certificates, and Kerberos.
  
  For more information, see "Security Policies-Messages Protection and Authentication".

3.1.1 Choosing the Right Authentication Policy for a Web Service

OWSM includes many different authentication policies, and it might not be obvious which one best suites your needs. This topic describes selected authentication policies and when you might want to use them.

Table 3-1 describes selected authentication policies and when you might want to use them. In Table 3-1 the policy names are shown with wildcards (for example, "*username_token*") to indicate all policies that have username_token in their name.)

Table 3-1 Choosing the Right Authentication Policy

Policy Type	Description
username_token	For these policies, the client needs to send the username and password to the web service. The password must be made available to the client in the credential store. This type of policy is useful for identity switching, in which a client needs to connect to a web service with an application identifier that is different from the actual end user name. It is the simplest of the authentication policies, and therefore compatible with the widest variety of third party clients.
saml	For these policies, the client needs to send a SAML assertion that contains the user name. There are variants of SAML, including the following: Sender Vouches. In this case the client constructs the SAML assertion. The server needs to be set up to trust the client. This policy is useful for identity propagation where a particular end user has already authenticated to the client, and the client needs to propagate this same user to the web service side, without having to know this user's password. Sender Vouches works best when communication between a middleware servers that are part of the same domain, or different domain that share the same credential store. Because they all share the same credential store and keys it is easier to make them all trust each other. Be cautious when using sender vouches for clients that are completely outside the domain. In sender vouches, the trust is based on the client's key, and with this key an attacker can impersonate any user. For example, do not use sender vouches from a client residing in an end user's desktop, because a malicious end user can easily get the client key, and with that be able to impersonate any other end user. Holder Of Key from STS. The SAML holder of key is used in conjunction with a Secure Token Service (STS), which enables brokered trust. If there are many clients and many web services all in different unrelated security domains, it is difficult to make them all trust each other. Instead, they can trust a central entity, the STS. All the web services need to trust only the STS, and clients need to prove themselves to the STS by sending the credentials of the end users: user name, password, Kerberos tokens, and so forth.

Policy Type

Description

*username_token*

For these policies, the client needs to send the username and password to the web service. The password must be made available to the client in the credential store. This type of policy is useful for identity switching, in which a client needs to connect to a web service with an application identifier that is different from the actual end user name. It is the simplest of the authentication policies, and therefore compatible with the widest variety of third party clients.

*saml*

For these policies, the client needs to send a SAML assertion that contains the user name. There are variants of SAML, including the following:

Sender Vouches. In this case the client constructs the SAML assertion. The server needs to be set up to trust the client. This policy is useful for identity propagation where a particular end user has already authenticated to the client, and the client needs to propagate this same user to the web service side, without having to know this user's password.

Sender Vouches works best when communication between a middleware servers that are part of the same domain, or different domain that share the same credential store. Because they all share the same credential store and keys it is easier to make them all trust each other.

Be cautious when using sender vouches for clients that are completely outside the domain. In sender vouches, the trust is based on the client's key, and with this key an attacker can impersonate any user. For example, do not use sender vouches from a client residing in an end user's desktop, because a malicious end user can easily get the client key, and with that be able to impersonate any other end user.
Holder Of Key from STS. The SAML holder of key is used in conjunction with a Secure Token Service (STS), which enables brokered trust. If there are many clients and many web services all in different unrelated security domains, it is difficult to make them all trust each other. Instead, they can trust a central entity, the STS.

All the web services need to trust only the STS, and clients need to prove themselves to the STS by sending the credentials of the end users: user name, password, Kerberos tokens, and so forth.

Because SAML sender vouches are username token are among the most used policies, OWSM offers OR group policies combining these two, such as oracle/wss_saml_or_username_token_service_policy. In most situations web services should use this policy. This is policy is also a perfect candidate for global policy attachment.

3.1.2 Choosing the Right Confidentiality and Integrity Policy for a Web Service

OWSM offers three levels of confidentiality and integrity.

The three levels of confidentiality and integrity are:

No confidentiality and integrity — Confidentiality and integrity require cryptography, which consumes computing resources. In messages exchanged between middleware servers in a fire walled private network, there is no need to pay the price for confidentiality and integrity. The OWSM policies that do not have confidentiality and integrity do provide authentication through username token or SAML.
SSL based confidentiality and integrity — SSL provides transport level confidentiality and integrity. With SSL you need to change your endpoints to use HTTPS, and make sure your clients talk to the HTTPS endpoints.
Message Security based confidentiality and integrity — Message security offers much lower performance than SSL, but it has some advantages over SSL:
- Unlike SSL, where the message stops being secure at the SSL termination point (which can be a load balancer, Oracle HTTP Server, or J2EE container) with message security the message remains secure all the way to the application.
- With SSL, the security is at the container level. That is, all web services running on a container must share the same key. With message security, although the default is to share the same key throughout the domain, it is also possible to override the key on a per-Web-service basis.
There are two versions of message security offered in OWSM: wss10 and wss11. wss11 is an improvement over wss10 because every client does need to have its own client key, which is required for Wss10. (In certain policies such as SAML sender vouches, the client key is required in wss11 as well.)

wss11 is also faster because it requires fewer asymmetric key operations. However wss10 offers wider compatibility: some clients work with wss10 only.

Use wss11 policies unless you need to support a client that can use wss10 only.

3.2 Summary of Predefined Security Policies for a Web Service

Predefined security policies provide security for a Web Service. These policies are enforced either at the transport layer or SOAP header.

The following sections summarize the predefined security policies, based on the type of security they provide and whether the policy is enforced at the transport layer or SOAP header. For more information about the predefined policy categories, see "Policy Categories" in Understanding Oracle Web Services Manager. For full descriptions of the policies, see Oracle Web Services Manager Predefined Policies.

3.2.1 Authentication Only Policies

This topic lists the authentication only policies provided for SOAP and RESTful web services.

Table 3-3 summarizes the security policies that enforce authentication only for SOAP and RESTful web services.

Table 3-2 Authentication Only Policies—SOAP and RESTful Web Services

Client Policy	Service Policy	Authentication Transport
oracle/http_basic_auth_over_ssl_client_policy	oracle/http_basic_auth_over_ssl_service_policy	Yes
N/A	oracle/http_oam_token_service_policy	Yes
oracle/http_saml20_token_bearer_client_policy	oracle/http_saml20_token_bearer_service_policy	Yes
oracle/http_saml20_token_bearer_over_ssl_client_policy	oracle/http_saml20_bearer_token_over_ssl_service_policy	Yes
Attach one of the following: oracle/wss_http_token_client_policy oracle/http_saml20_token_bearer_client_policy oracle/http_jwt_token_client_policy oracle/http_oauth2_token_client_policy To support HTTP OAM security, you must configure OAM Webgate to intercept the request. For more information, see "oracle/multi_token_rest_service_policy".	oracle/multi_token_rest_service_policy	Yes
Attach one of the following: oracle/http_basic_auth_over_ssl_client_policy oracle/http_saml20_token_bearer_over_ssl_client_policy oracle/http_jwt_token_over_ssl_client_policy oracle/http_oauth2_token_identity_switch_over_ssl_client_policy oracle/http_oauth2_token_over_ssl_client_policy To support HTTP OAM security, you must configure OAM Webgate to intercept the request. For more information, see "oracle/multi_token_over_ssl_rest_service_policy".	oracle/multi_token_over_ssl_rest_service_policy	Yes

Table 3-3 summarizes the security policies that enforce authentication only for SOAP web services and indicates whether the token is inserted at the transport layer or SOAP header.

Table 3-3 Authentication Only Policies—SOAP Web Services Only

Client Policy	Service Policy	Authentication Transport	Authentication SOAP
oracle/wss_http_token_client_policy	oracle/wss_http_token_service_policy	Yes	No
oracle/wss_username_token_client_policy	oracle/wss_username_token_service_policy	No	Yes
oracle/wss10_saml_token_client_policy	oracle/wss10_saml_token_service_policy	No	Yes
oracle/wss10_saml_token_client_policy	oracle/wss10_saml20_token_service_policy	No	Yes
oracle/wss11_kerberos_token_client_policy	oracle/wss11_kerberos_token_service_policy	No	Yes

Table 3-4 summarizes the security policies that enforce authentication only for AOuth2 and JWT web services.

Table 3-4 Authentication Only Policies—OAuth2 and JWT Web Services

Client Policy	Service Policy	Authentication Transport
oracle/http_oauth2_token_client_policy	oracle/http_jwt_token_service_policy	Yes
oracle/http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy
oracle/http_oauth2_token_identity_switch_over_ssl_client_policy	oracle/http_jwt_token_over_ssl_service_policy	Yes
oracle/http_oauth2_token_opc_oauth2_client_policy	Reserved for use with Oracle Cloud.
oracle/http_oauth2_token_opc_oauth2_over_ssl_client_policy
oracle/http_oauth2_token_over_ssl_client_policy	oracle/http_jwt_token_over_ssl_service_policy	Yes
oracle/oauth2_config_client_policy	NA
oracle/http_jwt_token_client_policy	oracle/http_jwt_token_service_policy	Yes
oracle/http_jwt_token_identity_switch_client_policy
oracle/http_jwt_token_over_ssl_client_policy	oracle/http_jwt_token_over_ssl_service_policy	Yes

3.2.2 Message Protection Only Policies

This topic summarizes the policies that enforce message protection only, and indicates whether the policy is enforced at the transport layer or SOAP header.

Table 3-5 Message-Protection Only Policies

Client Policy	Service Policy	Authentication Transport	Authentication SOAP	Message Protection Transport	Message Protection SOAP
oracle/wss10_message_protection_client_policy	oracle/wss10_message_protection_service_policy	No	No	No	Yes
oracle/wss11_message_protection_client_policy	oracle/wss11_message_protection_service_policy	No	No	No	Yes

3.2.3 Message Protection and Authentication Policies

This topic summarizes the policies that enforce both message protection and authentication but do not conform to the WS-Security 1.0 or 1.1 standard. The table indicates whether the policy is enforced at the transport layer or SOAP header.

Table 3-6 Message Protection and Authentication Policies

Client Policy	Service Policy	Authentication Transport	Authentication SOAP	Message Protection Transport	Message Protection SOAP
oracle/wss_http_token_over_ssl_client_policy	oracle/wss_http_token_over_ssl_service_policy	Yes	No	Yes	No
Attach one of the following: oracle/wss_saml_token_over_ssl_client_policy oracle/wss_username_token_over_ssl_client_policy	oracle/wss_saml_or_username_token_service_policy	No	Yes	Yes	No
oracle/wss_saml_token_bearer_over_ssl_client_policy	oracle/wss_saml_token_bearer_over_ssl_service_policy	No	Yes	Yes	No
oracle/wss_saml_token_over_ssl_client_policy	oracle/wss_saml_token_over_ssl_service_policy	No	Yes	Yes	No
oracle/wss_saml20_token_over_ssl_client_policy	oracle/wss_saml20_token_over_ssl_service_policy	No	Yes	Yes	No
oracle/wss_username_token_over_ssl_client_policy	oracle/wss_username_token_over_ssl_service_policy	No	Yes	Yes	No
oracle/wss10_saml_hok_token_with_message_protection_client_policy	oracle/wss10_saml_hok_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss10_saml_token_with_message_integrity_client_policy	oracle/wss10_saml_token_with_message_integrity_service_policy	No	Yes	No	Yes
oracle/wss10_saml_token_with_message_protection_client_policy	oracle/wss10_saml_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss10_saml20_token_with_message_protection_client_policy	oracle/wss10_saml20_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy	oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy	No	Yes	No	Yes
oracle/wss10_username_id_propagation_with_msg_protection_client_policy	oracle/wss10_username_id_propagation_with_msg_protection_service_policy	No	Yes	No	Yes
oracle/wss10_username_token_with_message_protection_client_policy	oracle/wss10_username_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy	oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy	No	Yes	No	Yes
oracle/wss10_x509_token_with_message_protection_client_policy	oracle/wss10_x509_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_kerberos_token_with_message_protection_client_policy	oracle/wss11_kerberos_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy	oracle/wss11_kerberos_token_with_message_protection_basic128_service_policy	No	Yes	No	Yes
Attach one of the following: oracle/wss11_saml_token_with_message_protection_client_policy oracle/wss11_username_token_with_message_protection_client_policy	oracle/wss11_saml_or_username_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_saml_token_with_message_protection_client_policy	oracle/wss11_saml_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_saml20_token_with_message_protection_client_policy	oracle/wss11_saml20_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy	oracle/wss11_saml_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_username_token_with_message_protection_client_policy	oracle/wss11_username_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_x509_token_with_message_protection_client_policy	oracle/wss11_x509_token_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss_saml20_token_bearer_over_ssl_client_policy	oracle/wss_saml20_token_bearer_over_ssl_service_policy	No	Yes	No	Yes
oracle/wss_saml_token_bearer_client_policy	oracle/wss_saml_token_bearer_service_policy	No	Yes	No	Yes
oracle/wss_saml_token_bearer_identity_switch_client_policy	-	No	Yes	No	Yes
-	oracle/wss_saml_bearer_or_username_token_service_policy	No	Yes	No	Yes

3.2.4 Authorization Policies

This topic summarizes the security policies that enforce authorization, and indicates whether the policy is enforced at the transport layer or SOAP header.

Table 3-7 Authorization Only Policies

Client Policy	Authentication Transport	Authentication SOAP	Message Protection Transport	Message Protection SOAP
oracle/binding_authorization_denyall_policy	No	Yes	No	No
oracle/binding_authorization_permitall_policy	No	Yes	No	No
oracle/binding_permission_authorization_policy	No	Yes	No	No
oracle/component_authorization_denyall_policy	No	Yes	No	No
oracle/component_authorization_permitall_policy	No	Yes	No	No
oracle/component_permission_authorization_policy	No	Yes	No	No
oracle/whitelist_authorization_policy	No	Yes	No	No

3.2.5 WS-Trust Policies

This topic summarizes the WS-Trust policies.

Table 3-8 WS-Trust Policies

Client Policy	Service Policy	Authentication Transport	Authentication SOAP	Message Protection Transport	Message Protection SOAP
oracle/sts_trust_config_client_policy	oracle/sts_trust_config_service_policy	No	No	No	No
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy	oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy	Yes	No	Yes	No
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy	oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy	No	Yes	No	Yes
oracle/wss11_sts_issued_saml_with_message_protection_client_policy		No	Yes	No	Yes

3.2.6 MTOM Attachment Policies

This topic lists the MTOM Attachment policies supported in the current release.

oracle/wsmtom_policy.

Please note the following:

If you configure MTOM from Fusion Middleware Control by attaching the oracle/wsmtom_policy policy (either via direct or global policy attachment), the endpoint throws a fault if the request is not MTOM encoded. The MTOM policy rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format. In this use, requests must be MTOM-enabled.
If you configure MTOM for an ADF BC web service outside of Fusion Middleware Control, such as by editing the MTOM-enabled switch in oracle-webservices.xml or by directly adding the @MTOM annotation to the web service, the endpoint can accept MTOM requests but does not return a fault if the request is not MTOM encoded. In this use, requests might be MTOM-enabled, but there is no requirement that they must be.

3.2.7 Reliable Messaging Policies

This topic lists the Reliable messaging policies supported in the current release.

3.2.8 No Behavior Policies

No behavior policies provide the ability to effectively disable a policy attached globally in a policy set. There are no configuration properties available for these policies. All of these policies use the same no behavior assertion.

Client Policies:

Service Policies:

3.3 OWSM Policies Supported for Java EE Web Services and Clients

All OWSM policies are not supported for Java EE web services and clients. Only a subset of OWSM policies are supported for Java EE web services and clients.

You can attach to WebLogic JAX-WS web services and clients the OWSM security policies in the following categories:

Authentication only
Message protection only
Message protection and authentication
Authorization
WS-Trust
WS-SecureConversation

OWSM policies in the following categories are not currently supported for WebLogic JAX-WS web services and clients:

Atomic Transactions
Configuration
Management
MTOM attachment
No behavior
Reliable messaging
SOAP Over JMS Transport
WS-Addressing policies

Note:

You can also secure Java EE (WebLogic) web services using WebLogic web service policies, which are provided by WebLogic Server. You manage WebLogic web service policies from the WebLogic Administration Console. For more information about the WebLogic web service policies, see Using Oracle Web Services Manager Security Policies

A subset of WebLogic web service policies interoperate with OWSM policies. For more information, see "Interoperability with Oracle WebLogic Server 12c Web Service Security Environments" in Interoperability Solutions Guide for Oracle Web Services Manager.

You cannot attach OWSM policies to JAX-RPC web services.

3.4 OWSM Policies Supported for RESTful Web Services and Clients

All OWSM policies are not supported for RESTful web services and clients. Only a subset of OWSM security policies are supported for RESTful web services and clients.

These policies are outlined in Table 3-9.

Note:

This section applies to Java EE, SOA, and Oracle Service Bus RESTful web services and clients.

You can attach OWSM policies to RESTful web services and clients that are built using Jersey 1.x JAX-RS RI only. RESTful web services and clients that are built using Jersey 2.5 JAX-RS RI cannot be secured using OWSM policies in this release. For more information about securing RESTful web services and clients built using Jersey 2.5 JAX-RS RI, see "Securing RESTful Web Services and Clients" in Developing and Securing RESTful Web Services for Oracle WebLogic Server.

Table 3-9 OWSM Security Policies Supported for RESTful Web Services and Clients

Security Supported Policies

Security	Supported Policies
Authentication Policies	Authentication policies defined in Table 3-2.
Authorization	`oracle/binding_authorization_denyall_policy` `oracle/binding_authorization_permitall_policy` `oracle/binding_permission_authorization_policy` Note: The `oracle/binding_permission_authorization_policy` permission-based policy is not supported for RESTful Oracle Service Bus web services and clients.

Authentication Policies

Authentication policies defined in Table 3-2.

Authorization

oracle/binding_authorization_denyall_policy
oracle/binding_authorization_permitall_policy
oracle/binding_permission_authorization_policy

Note: The oracle/binding_permission_authorization_policy permission-based policy is not supported for RESTful Oracle Service Bus web services and clients.

Note:

You can also attach a SPNEGO token policy that you create using the oracle/http_spnego_token_service_template assertion template. For more information, see "Kerberos Configuration with SPNEGO Negotiation".

3.5 OWSM Policies Supported for Web Services and Clients That Use SOAP Over JMS Transport

All OWSM policies are not supported for web services and clients that use SOAP over JMS transport. Only a subset of OWSM security policies are supported for web services and clients that use SOAP over JMS transport.

These supported policies include:

wsmtom_policy
wss_saml_token_bearer_client_policy
wss_username_token_client_policy and wss_username_token_service_policy
wss10_message_protection_client_policy and wss10_message_protection_service_policy
wss10_saml_token_client_policy and wss10_saml_token_service_policy
wss10_saml_hok_token_with_message_protection_client_policy and wss10_saml_hok_token_with_message_protection_service_policy
wss10_saml_token_with_message_integrity_client_policy and wss10_saml_hok_token_with_message_integrity_service_policy
wss10_saml_token_with_message_protection_client_policy and wss10_saml_token_with_message_protection_service_policy
wss10_saml_token_with_message_protection_ski_basic256_client_policy and wss10_saml_token_with_message_protection_ski_basic256_service_policy
wss10_username_token_with_message_protection_client_policy and wss10_username_token_with_message_protection_service_policy
wss10_x509_token_with_message_protection_client_policy and wss10_x509_token_with_message_protection_service_policy
wss11_kerberos_token_client_policy and wss11_kerberos_token_service_policy
wss11_kerberos_token_with_message_protection_client_policy and wss11_kerberos_token_with_message_protection_service_policy
wss11_kerberos_token_with_message_protection_basic128_client_policy and wss11_kerberos_token_with_message_protection_basic128_service_policy
wss11_message_protection_client_policy and wss11_message_protection_service_policy
wss11_saml_token_identity_switch_with_message_protection_client_policy
wss11_saml_token_with_message_protection_client_policy and wss11_saml_token_with_message_protection_service_policy
wss11_x509_token_with_message_protection_client_policy and wss11_x509_token_with_message_protection_service_policy
wss11_x509_token_with_message_protection_wssc_client_policy and wss11_x509_token_with_message_protection_wssc_service_policy
wss11_x509_token_with_message_protection_wssc_reauthn_client_policy and wss11_x509_token_with_message_protection_wssc_reauthn_service_policy
wss11_sts_issued_saml_hok_with_message_protection_client_policy and wss11_sts_issued_saml_hok_with_message_protection_service_policy
wss11_username_token_with_message_protection_client_policy and wss11_username_token_with_message_protection_service_policy
wss11_username_token_with_message_protection_wssc_client_policy and wss11_username_token_with_message_protection_wssc_service_policy

3.6 OWSM Policies Supported for SOA Composite Services and Clients

You can attach various OWSM policies for SOAP SOA composite service and clients, but only a subset of OWSM security policies are supported for RESTful web services and clients.

For SOAP SOA composite service and clients, all policies described in "Oracle Web Services Manager Predefined Policies" apply except the configuration policies, described in "Configuration Policies".

For RESTful SOA composite services and clients, see "OWSM Policies Supported for RESTful Web Services and Clients".

3.7 OWSM Policies that Require You to Configure SSL

This topic list the OWSM policies that requires you to configure SSL and the templates that can be used to create these policies.

Refer to the following sections for more details:

3.7.1 List of Policies That Require You to Configure SSL

The OWSM policies that require you to configure SSL are as follows:

oracle/wss_http_token_over_ssl_service_policy
oracle/wss_http_token_over_ssl_client_policy
oracle/wss_saml_token_bearer_over_ssl_server_policy
oracle/wss_saml_token_bearer_over_ssl_client_policy
oracle/wss_saml_token_over_ssl_service_policy
oracle/wss_saml_token_over_ssl_client_policy
oracle/wss_username_token_over_ssl_service_policy
oracle/wss_username_token_over_ssl_client_policy
http_basic_auth_over_ssl_client_policy
http_basic_auth_over_ssl_service_policy
http_jwt_token_over_ssl_client_policy
http_jwt_token_over_ssl_service_policy
http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy
http_oauth2_token_identity_switch_over_ssl_client_policy
http_oauth2_token_opc_oauth2_over_ssl_client_policy
http_oauth2_token_over_ssl_client_policy
http_saml20_token_bearer_over_ssl_client_policy
http_saml20_token_bearer_over_ssl_service_policy
multi_token_over_ssl_rest_service_policy
wss_http_token_over_ssl_client_policy
wss_http_token_over_ssl_service_policy
wss_saml20_token_bearer_over_ssl_client_policy
wss_saml20_token_bearer_over_ssl_service_policy
wss_saml20_token_over_ssl_client_policy
wss_saml20_token_over_ssl_service_policy
wss_saml_or_username_token_over_ssl_service_policy
wss_saml_token_bearer_over_ssl_client_policy
wss_saml_token_bearer_over_ssl_service_policy
wss_saml_token_over_ssl_client_policy
wss_saml_token_over_ssl_service_policy
wss_sts_issued_saml_bearer_token_over_ssl_client_policy
wss_sts_issued_saml_bearer_token_over_ssl_service_policy
wss_username_token_over_ssl_client_policy
wss_username_token_over_ssl_service_policy
wss_username_token_over_ssl_wssc_client_policy
wss_username_token_over_ssl_wssc_service_policy

3.7.2 List of Templates to Create Policies that Require SSL

You can create a new policy that requires SSL by using the following templates:

oracle/wss_http_token_over_ssl_service_template
oracle/wss_http_token_over_ssl_client_template
oracle/wss_saml_token_bearer_over_ssl_service_template
oracle/wss_saml_token_bearer_over_ssl_client_template
oracle/wss_saml_token_over_ssl_service_template
oracle/wss_saml_token_over_ssl_client_template
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template
oracle/wss_username_token_over_ssl_service_template
oracle/wss_username_token_over_ssl_client_template
http_jwt_token_over_ssl_client_template
http_jwt_token_over_ssl_service_template
http_oauth2_token_over_ssl_client_template
wss11_kerberos_token_over_ssl_client_template
wss11_kerberos_token_over_ssl_service_template
wss_http_token_over_ssl_client_template
wss_http_token_over_ssl_service_template
wss_saml20_token_bearer_over_ssl_client_template
wss_saml20_token_bearer_over_ssl_service_template
wss_saml20_token_over_ssl_client_template
wss_saml20_token_over_ssl_service_template
wss_saml_token_bearer_over_ssl_client_template
wss_saml_token_bearer_over_ssl_service_template
wss_saml_token_over_ssl_client_template
wss_saml_token_over_ssl_service_template
wss_sts_issued_saml_bearer_token_over_ssl_client_template
wss_sts_issued_saml_bearer_token_over_ssl_service_template
wss_username_token_over_ssl_client_template
wss_username_token_over_ssl_service_template

See Oracle Web Services Manager Predefined Assertion Templates and Oracle Web Services Manager Predefined Policies for more information on these assertions and policies.

3.7.3 List of Policies That Require You to Configure Two-Way SSL

This topic lists the OWSM policies that require you to configure two-way SSL.

oracle/wss_saml_token_over_ssl_client_policy
oracle/wss_saml_token_over_ssl_service_policy
oracle/wss_username_token_over_ssl_client_policy, when mutual authentication is selected.
oracle/wss_username_token_over_ssl_service_policy, when mutual authentication is selected.
oracle/wss_http_token_over_ssl_client_policy, when mutual authentication is selected.
oracle/wss_http_token_over_ssl_service_policy, when mutual authentication is selected.

3.7.4 List of Templates to Create Policies that Require Two-way SSL

This topic lists the templates for creating a new OWSM policies that requires two-way SSL.

oracle/wss_saml_token_over_ssl_client_template
oracle/wss_saml_token_over_ssl_service_template

3.8 OWSM Policies Supported for Identity Context

All OWSM policies do not support the Identity Context feature. Only a subset of OWSM security policies are supported for the Identity Context feature.

Details about the Identity Context feature are described in "About Propagating Identity Context with OWSM".

The following SAML policies support the propagate.identity.context configuration property:

oracle/http_saml20_token_bearer_service_policy and oracle/http_saml20_token_bearer_client_policy
oracle/http_saml20_token_bearer_over_ssl_service_policy and oracle/http_saml20_token_bearer_over_ssl_client_policy
oracle/wss_saml_or_username_token_service_policy
oracle/wss_saml_or_username_token_over_ssl_service_policy
oracle/wss_saml_token_bearer_over_ssl_service_policy and oracle/wss_saml_token_bearer_over_ssl_client_policy
oracle/wss_saml_token_over_ssl_service_policy and oracle/wss_saml_token_over_ssl_client_policy
oracle/wss_saml20_token_bearer_over_ssl_service_policy and oracle/wss_saml20_token_bearer_over_ssl_client_policy
oracle/wss_saml20_token_over_ssl_service_policy and oracle/wss_saml20_token_over_ssl_client_policy
oracle/wss10_saml_token_service_policy and oracle/wss10_saml_token_client_policy
oracle/wss10_saml_token_with_message_integrity_service_policy and oracle/wss10_saml_token_with_message_integrity_client_policy
oracle/wss10_saml_token_with_message_protection_service_policy and oracle/wss10_saml_token_with_message_protection_client_policy
oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy and oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy
oracle/wss10_saml20_token_service_policy and oracle/wss10_saml20_token_client_policy
oracle/wss10_saml20_token_with_message_protection_service_policy and oracle/wss10_saml20_token_with_message_protection_client_policy
oracle/wss11_saml_token_with_message_protection_service_policy and oracle/wss11_saml_token_with_message_protection_client_policy
oracle/wss11_saml_or_username_token_with_message_protection_service_policy
oracle/wss11_saml20_token_with_message_protection_service_policy and oracle/wss11_saml20_token_with_message_protection_client_policy

3.9 OWSM Policies Supported for WS-SecureConversation

Know more about the OWSM policies for which WS-SecureConversation is enabled by default.

The OWSM policies for which WS-SecureConversation is enabled by default are listed below:

oracle/wss11_saml_token_with_message_protection_wssc_client_policy
oracle/wss11_saml_token_with_message_protection_wssc_service_policy
oracle/wss11_saml_token_with_message_protection_wssc_reauthn_client_policy
oracle/wss11_saml_token_with_message_protection_wssc_reauthn_service_policy
oracle/wss11_username_token_with_message_protection_wssc_client_policy
oracle/wss11_username_token_with_message_protection_wssc_service_policy
oracle/wss11_x509_token_with_message_protection_wssc_client_policy
oracle/wss11_x509_token_with_message_protection_wssc_service_policy
oracle/wss_username_token_over_ssl_wssc_client_policy
oracle/wss_username_token_over_ssl_wssc_service_policy

In addition to these policies, policies based on many of the predefined assertion templates also support WS-SecureConversation. For more information, see Oracle Web Services Manager Predefined Assertion Templates.

Note:

SOAP over JMS is not supported for WS-SecureConversation policies.

3.10 OWSM Policies Supported for JCA Adapters

All OWSM policies do not support JCA Adapters. Only a subset of OWSM security policy is supported for JCA adapters.

OWSM supports the following predefined policy for JCA adapters:

oracle/pii_security_policy

In addition, custom policies that you create by cloning the pii_security_policy or that are based on the oracle/pii_security_template can also be used. For more information about using this policy, see Protecting Personally Identifiable Information.

Note:

This policy is supported only for SOA and Oracle Service Bus environments.

3.11 OWSM Policies Supported for OES Integration

All OWSM policies do not support OES Integration. Only a subset of OWSM security policies are supported for OES Integration.

OWSM supports the following predefined policies for OES Integration:

oracle/binding_oes_authorization_policy
oracle/binding_oes_masking_policy
oracle/component_oes_authorization_policy

In addition, custom policies that you create by cloning the OES policies or that are based on the OES templates can also be used. For more information about using these policies, see "About Configuring Fine-Grained Authorization Using Oracle Entitlements Server"

3.12 OWSM Policies Are Supported for PII

All OWSM policies do not support Personally Identifiable Information (PII). Only a subset of OWSM security policies are supported for PII.

OWSM supports the following predefined policy for protecting PII:

oracle/pii_security_policy

In addition, custom policies that you create by cloning the pii_security_policy or that are based on the oracle/pii_security_template can also be used. For more information about using this policy, see Protecting Personally Identifiable Information.

Note:

This policy is supported only for SOA and Oracle Service Bus environments.

3.13 OWSM Policies Supported for Oracle Service Bus

Know more about the supported OWSM policies for Oracle Service Bus.

For Oracle Service Bus, all policies described in "Oracle Web Services Manager Predefined Policies" apply except those specified in Table 3-10. The table lists unsupported OWSM assertions for both SOAP and non-SOAP services, shows which policies contain the assertions, and describes the affected capabilities and alternatives to achieve the capabilities. Any assertions not listed are supported, including user-defined assertions.

Table 3-10 Unsupported Policies and Assertions for Oracle Service Bus

Unsupported Assertion	OWSM Policies Containing the Assertion	Capability Affected and Alternative
binding-permission-authorization	`oracle/binding_permission_authorization_policy`	Permission-based access control to service. Alternative: Use XACML authorization policies.
sca-component-auhorization	`oracle/component_authorization_denyall_policy` `oracle/component_authorization_permitall_policy`	Role-based access control to deny/permit all to access the component. Alternative: Not applicable
sca-component-pemission-authorization	`oracle/component_permission_authorization_policy`	Permission based Access Control to component Alternative: Not applicable
OptimizedMimeSerialization	`oracle/wsmtom_policy`	Message Transmission Optimization Mechanism (MTOM) Alternative: Use MTOM configuration directly on proxy/business service.
RM Assertion	`oracle/reliable_messaging_policy` `oracle/wsrm10_policy` `oracle/wsrm11_policy`	WS-RM 1.0/1.1 Alternative: Use the WS transport directly in Service Bus for WS-RM 1.0.
UsingAddressing	`oracle/wsaddr_policy`	To require WS-Addressing Alternative: Configure WS-Addressing on business services that use the SOA-DIRECT transport; or add WS-Addressing to messages in a Service Bus pipeline.