Oracle® Fusion Middleware Upgrade Guide for Oracle SOA Suite, WebCenter, and ADF 11g Release 1 (11.1.1) Part Number E10127-02 |
|
|
View PDF |
This chapter provides important supplementary information upgrading Oracle SOA applications to Oracle Fusion Middleware 11g.
Use Chapter 8, "Overview of Upgrading Oracle SOA Suite, WebCenter, and ADF Applications" for the tasks required to upgrade any Oracle SOA Suite, WebCenter, and ADF application.
Use the following sections to understand tasks specific to upgrading Oracle SOA applications:
Section 13.1, "Upgrading Oracle Web Services Manager (WSM) Policies"
Section 13.2, "Upgrading Oracle Containers for J2EE (OC4J) Security Environments"
In Oracle WSM 10g, you specify policy steps at each policy enforcement point. Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the Web service request or response.
For more details about the Oracle WSM 10g policy steps, see “Oracle Web Services Manager Policy Steps” in the Oracle Web Services Manager Administrator's Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see “Predefined Policy Reference” in Security and Administrator's Guide for Oracle Web Services.
Before you upgrade Oracle WSM policies, you must perform the following tasks:
Install Oracle WSM 11g. For more information, see the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite.
Upgrade your Oracle Containers for J2EE (OC4J) 10g Web services to Oracle WebLogic Server 11g Web services.
For more information, see "Task 6: Upgrade the Application Web Services" in the Oracle Fusion Middleware Upgrade Guide for Java EE.
As described in "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services, Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include a Gateway component.
You can continue to use the Oracle WSM 10g Gateway components with Oracle WSM 10g policies in your applications. For information about Oracle WSM 10g interoperability, see "Interoperability with Oracle WSM 10g Security Environments" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
As described in "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services, Oracle WSM 10g supported policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 11g Release 1 (11.1.1) only supports Oracle WebLogic Server.
You can continue to use the third-party application servers with Oracle WSM 10g policies. For information about Oracle WSM 10g interoperability, see "Interoperability with Oracle WSM 10g Security Environments" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Table 13-1 describes the most common Oracle WSM predefined policy upgrade scenarios based on the following security requirements: authentication and authorization, message protection, transport, and logging. A comparison of the steps required to implement each security requirement in both the Oracle WSM 10g and Oracle WSM 11g environments is provided.
For more information about:
Attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Oracle WSM 10g policy steps, see “Oracle Web Services Manager Policy Steps” in Oracle Web Services Manager Administrator's Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Table 13-1 Upgrading Oracle WSM 10g Predefined Policies
Security Requirements | Oracle WSM 10g | Oracle WSM 11g |
---|---|---|
Anonymous authentication with message protection (WS-Security 1.0) |
Attach policy steps as follows:
|
|
Anonymous authentication with message integrity (WS-Security 1.0) |
Attach policy steps as follows:
|
|
Anonymous authentication with message confidentiality (WS-Security 1.0) |
Attach policy steps as follows:
|
|
Username token with message protection (WS-Security 1.0) |
Attach policy steps as follows:
Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SetMinder Authenticate. |
|
Username token with message protection (WS-Security 1.0) and file authorization |
Attach policy steps as follows:
Note: You can substitute File Authenticate with LDAP Authenticate, Active Directory Authenticate, or SetMinder Authenticate. Similarly, you can substitute File Authorize with LDAP Authorize, Active Directory Authorize, or SetMinder Authorize. |
|
ID propagation with SAML token (sender vouches) with message protection (WS-Security 1.0) |
Attach policy steps as follows:
|
|
HTTP basic authentication |
Attach policy steps as follows:
|
Attach policies as follows:
|
Oracle Access Manager security (WS-Security 1.0) |
Attach policy steps as follows:
|
Attach policies as follows:
|
Mutual authentication with message protection (WS-Security 1.0) |
Attach policy steps as follows:
Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SetMinder Authenticate. |
|
Username token over SSL |
|
|
ID propagation with SAML token (sender vouches) over SSL (WS-Security 1.0) |
|
|
Log information |
Attach the following policy step to the client or Web service: Log |
Attach the following policy to the client or Web service: oracle/log_policy |
In Oracle WSM 10g, you create, develop, and deploy custom policy steps using the procedures described in the Oracle Web Services Manager Extensibility Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
In Oracle WSM 11g, you create, develop, and deploy custom policy assertions. You will need to redefine your custom policy steps as custom policy assertions using the procedures described in "Creating Custom Assertions" in Security and Administrator's Guide for Oracle Web Services.
In OC4J 10g, you configure your security environment by modifying the contents of the XML-based deployment descriptor files. For complete details about securing OC4J environments, see Oracle Application Server Web Services Security Guide at:
http://www.oracle.com/technology/documentation/
In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see “Predefined Policy Reference” in Security and Administrator's Guide for Oracle Web Services.
The following sections describe the most common OC4J upgrade scenarios based on the following security requirements: authentication, message protection, transport, and logging. A comparison of the steps required to implement each security requirement in both the OC4J 10g and Oracle WSM 11g environments is provided.
Section 13.2.2, "Anonymous Authentication with Message Protection (WS-Security 1.0)"
Section 13.2.3, "Anonymous Authentication with Message Integrity (WS-Security 1.0)"
Section 13.2.4, "Anonymous Authentication with Message Confidentiality (WS-Security 1.0)"
Section 13.2.5, "Username Token with Message Protection (WS-Security 1.0)"
Section 13.2.8, "Mutual Authentication with Message Protection (WS-Security 1.0)"
Section 13.2.10, "ID Propagation with SAML Token (Sender Vouches) over SSL (WS-Security 1.0)"
Note:
For information about configuring attaching policies in Oracle Fusion Middleware 11g, see Oracle Fusion Middleware Security and Administrator's Guide for Web Services.The next section describes the prerequisites required before you upgrade.
Before you upgrade the OC4J security environment, you must perform the following tasks:
Install Oracle WSM 11g. For more information, see the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite.
Review "Task 6: Upgrade the Application Web Services" in the Oracle Fusion Middleware Upgrade Guide for Java EE.
This section provides general information about upgrading OC4J Web services to Oracle WebLogic Server.
The following sections describe how to implement authentication with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required for the OC4J 10g and Oracle WSM 11g environments.
Edit the deployment descriptors for the Web service and client, as described in the following sections.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Web Service Client (with sample data)
Define the <signature> and <encrypt> elements in the client deployment descriptor. For example:
<signature> <signature-method>RSA-SHA1</signature-method> <tbs-elements> <tbs-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <add-timestamp created="true" expiry="28800" /> </signature> <encrypt> <recipient-key alias="orakey"/> <encryption-method>AES-128</encryption-method> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> <tbe-elements> <tbe-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> </tbe-elements> </encrypt>
Web Service (with sample data)
Define the <verify-signature> and <decrypt> elements in the service deployment descriptor. For example:
<verify-signature> <tbs-elements> <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <verify-timestamp expiry="28800" created="true" /> </verify-signature> <decrypt> <tbe-elements> <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" mode="CONTENT" /> </tbe-elements> </decrypt>
Perform the following steps:
Attach policies as follows:
Client: oracle/wss10_message_protection_client_policy.
Web service: oracle/wss10_message_protection_service_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Leave the configuration set for message body signing and encryption.
The following sections describe how to implement authentication with message integrity that conforms to the WS-Security 1.0 standard, and compare the steps required for the OC4J 10g and Oracle WSM 11g environments.
Edit the deployment descriptors for the Web service and client, as described in the following sections.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Web Service Client (with sample data)
Define the <signature> element in the client deployment descriptor. For example:
<signature> <signature-method>RSA-SHA1</signature-method> <tbs-elements> <tbs-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <add-timestamp created="true" expiry="28800" /> </signature>
Web Service (with sample data)
Define the <verify-signature> element in the service deployment descriptor. For example:
<verify-signature> <tbs-elements> <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <verify-timestamp expiry="28800" created="true" /> </verify-signature>
Perform the following steps:
Attach policies as follows:
Client: oracle/wss10_message_protection_client_policy.
Web service: oracle/wss10_message_protection_service_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure the policy assertion for message body signing only.
The following sections describe how to implement authentication with message confidentiality that conforms to the WS-Security 1.0 standard, and compare the steps required for the OC4J 10g and Oracle WSM 11g environments.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Edit the deployment descriptors for the Web service and client, as described in the following sections.
Web Service Client (with sample data)
Define the <encrypt> element in the client deployment descriptor. For example:
<encrypt> <recipient-key alias="orakey"/> <encryption-method>AES-128</encryption-method> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> <tbe-elements> <tbe-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> </tbe-elements> </encrypt>
Web Service (with sample data)
Define the <decrypt> element in the service deployment descriptor. For example:
<decrypt> <tbe-elements> <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" mode="CONTENT" /> </tbe-elements> </decrypt>
Perform the following steps:
Attach policies as follows:
Client: oracle/wss10_message_protection_client_policy.
Web service: oracle/wss10_message_protection_service_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Configure the policy assertion for message body encryption only.
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.
Edit the deployment descriptors for the Web service and client, as described in the following sections.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Web Service Client (with sample data)
Define the <username-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:
<username-token password-type="PLAINTEXT" add-nonce="false" add-created="false" /> <signature> <signature-method>RSA-SHA1</signature-method> <tbs-elements> <tbs-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/"/> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" local-part="UsernameToken" /> </tbs-elements> <add-timestamp created="true" expiry="28800" /> </signature> <encrypt> <recipient-key alias="orakey" /> <encryption-method>AES-128</encryption-method> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> <tbe-elements> <tbe-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> <tbe-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" local-part="UsernameToken" /> </tbe-elements> </encrypt>
Web Service (with sample data)
Define the <verify-username-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:
<verify-username-token password-type="PLAINTEXT" require-nonce="false" require-created="false" /> <verify-signature> <tbs-elements> <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <verify-timestamp expiry="28800" created="true" /> </verify-signature> <decrypt> <tbe-elements> <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" mode="CONTENT" /> </tbe-elements> </decrypt>
Perform the following steps:
Attach policies as follows:
Client: oracle/wss10_username_token_with_message_protection_client_policy.
Web service: oracle/wss10_username_token_with_message_protection_service_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Leave the configuration set for message body signing and encryption.
Configure the Authentication and Identity Assertion provider.
The following sections describe how to implement ID propagation using SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide 10g (10.1.3.1.0) at:
http://www.oracle.com/technology/documentation/
Edit the deployment descriptors for the Web service and client, as described in the following sections.
Web Service Client (with sample data)
Define the <saml-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:
<saml-token issuer-name="www.oracle.com" name="weblogic" name-format="UNSPECIFIED"> <subject-confirmation-method> <confirmation-method>SENDER-VOUCHES</confirmation-method> </subject-confirmation-method> </saml-token> <signature> <signature-method>RSA-SHA1</signature-method> <tbs-elements> <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <add-timestamp created="true" expiry="28800" /> </signature> <encrypt> <recipient-key alias="orakey" /> <encryption-method>AES-128</encryption-method> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> <tbe-elements> <tbe-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> </tbe-elements> </encrypt>
Web Service (with sample data)
Define the <verify-saml-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:
<verify-saml-token> <subject-confirmation-methods> <confirmation-method>SENDER-VOUCHES</confirmation-method> </subject-confirmation-methods> </verify-saml-token> <verify-signature> <tbs-elements> <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <verify-timestamp expiry="28800" created="true" /> </verify-signature> <decrypt> <tbe-elements> <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" mode="CONTENT" /> </tbe-elements> </decrypt>
Attach policies as follows:
Client: oracle/wss10_saml_token_with_message_protection_client_policy.
Web service: oracle/wss10_saml_token_with_message_protection_service_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
The following sections describe how to implement ID propagation using SAML token holder of key with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Edit the deployment descriptors for the Web service and client, as described in the following sections.
Web Service Client (with sample data)
Define the <saml-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:
<saml-token issuer-name="www.oracle.com" name="weblogic" name-format="UNSPECIFIED"> <subject-confirmation-method> <confirmation-method>HOLDER-OF-KEY</confirmation-method> </subject-confirmation-method> </saml-token> <signature> <signature-method>RSA-SHA1</signature-method> <tbs-elements> <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <add-timestamp created="true" expiry="28800" /> </signature> <encrypt> <recipient-key alias="orakey" /> <encryption-method>AES-128</encryption-method> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> <tbe-elements> <tbe-element local-part="Body" name-space= "http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> </tbe-elements> </encrypt>
Web Service (with sample data)
Define the <verify-saml-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:
<verify-saml-token> <subject-confirmation-methods> <confirmation-method>HOLDER-OF-KEY</confirmation-method> </subject-confirmation-methods> </verify-saml-token> <verify-signature> <tbs-elements> <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <verify-timestamp expiry="28800" created="true" /> </verify-signature> <decrypt> <tbe-elements> <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" mode="CONTENT" /> </tbe-elements> </decrypt>
Attach policies as follows:
Client: oracle/wss10_saml_hok_with_message_protection_client_policy.
Web service: oracle/wss10_saml_hok_with_message_protection_service_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Edit the deployment descriptors for the Web service and client, as described in the following sections.
Web Service Client (with sample data)
Define the <x509-token>, <signature>, and <encrypt> elements in the client deployment descriptor. For example:
<x509-token /> <signature> <signature-method>RSA-SHA1</signature-method> <tbs-elements> <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <add-timestamp created="true" expiry="28800" /> </signature> <encrypt> <recipient-key alias="orakey" /> <encryption-method>AES-128</encryption-method> <keytransport-method>RSA-OAEP-MGF1P</keytransport-method> <tbe-elements> <tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT" /> </tbe-elements> </encrypt>
Web Service (with sample data)
Define the <verify-x509-token>, <verify-signature>, and <decrypt> elements in the service deployment descriptor. For example:
<verify-x509-token /> <verify-signature> <tbs-elements> <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" /> <tbs-element name-space= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" /> </tbs-elements> <verify-timestamp expiry="28800" created="true" /> </verify-signature> <decrypt> <tbe-elements> <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" mode="CONTENT" /> </tbe-elements> </decrypt>
Perform the following steps:
Attach policies as follows:
Client: oracle/wss10_x509_token_with_message_protection_client_policy.
Web service: oracle/wss10_x509_token_with_message_protection_service_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Leave the configuration set for message body signing and encryption.
Configure the Authentication and Identity Assertion provider.
The following sections describe how to implement username token over SSL, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Configure the application server for SSL and edit the deployment descriptors for the Web service and client, as described in the following sections.
Web Service Client (with sample data)
Define the <username-token> and <signature> elements in the client deployment descriptor. For example:
<username-token password-type="PLAINTEXT" add-nonce="true" add-created="true" /> <signature> <add-timestamp created="true" expiry="28800" /> </signature>
Web Service (with sample data)
Define the <verify-username> element in the service deployment descriptor. For example:
<verify-username-token password-type="PLAINTEXT" require-nonce="false" require-created="false" /> <signature> <verify-timestamp expiry="28800" created="true" /> </signature>
Perform the following step:
Configure the application server for SSL.
Attach policies as follows:
Client: oracle/wss_username_token_over_ssl_client_policy.
Web service: oracle/wss_username_token_over_ssl_service_policy
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
The following sections describe how to implement ID propagation with SAML token sender vouches over SSL that conforms to WS-Security 1.0, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation/
Configure the application server for SSL and edit the deployment descriptors for the Web service and client, as described in the following sections.
Web Service Client (with sample data)
Define the <saml-token> and <signature> elements in the client deployment descriptor. For example:
<saml-token name="weblogic" issuer-name="www.oracle.com" name-format="UNSPECIFIED"> <subject-confirmation-method> <confirmation-method>SENDER-VOUCHES</confirmation-method> </subject-confirmation-method> </saml-token> <signature> <add-timestamp created="true" expiry="28800" /> </signature>
Web Service (with sample data)
Define the <verify-saml-token> element in the service deployment descriptor. For example:
<verify-saml-token> <subject-confirmation-methods> <confirmation-method>SENDER-VOUCHES-UNSIGNED</confirmation-method> </subject-confirmation-methods> </verify-saml-token> <signature> <verify-timestamp expiry="28800" created="true" /> </signature>
The following sections describe how to enable the collection of log information, and compare the steps required in the OC4J 10g and Oracle WSM 11g environments.
Attach the following policy to the Web service or client: oracle/log_policy.
For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.