Skip Headers
Oracle® Fusion Middleware Security and Administrator's Guide for Web Services
11g Release 1 (11.1.1)
Part Number B32511-02
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Feedback page
Contact Us
Go to previous page
Previous		 Go to next page
Next
View PDF

C Predefined Assertion Templates

This appendix describes the predefined assertion templates that you can use to construct your policies or copy to create new policies.

This chapter contains the following sections:

Security Assertion Templates

The following sections describe the security assertion templates in more detail.

You can jump to a specific assertion template description (client or template) using the following links (listed alphabetically):

Authentication Only Assertion Templates

Table C-59 summarizes the assertion templates that enforce authentication only, and indicates whether the token is inserted at the transport layer or SOAP header.

Table C-1 Authentication Only Assertions

Client Template Service Template Authentication Transport Authentication SOAP Message Protection Transport Message Protection SOAP

oracle/wss_http_token_client_template

oracle/wss_http_token_service_template

Yes

No

No

No

oracle/wss_username_token_client_template

oracle/wss_username_token_service_template

No

Yes

No

No

oracle/wss10_saml_token_client_template

oracle/wss10_saml_token_service_template

No

Yes

No

No

oracle/wss_http_token_client_template

The wss_http_token_client_template assertion template includes username and password credentials in the HTTP header. You can control whether one-way or two-way authentication is required.

Settings

Table C-2 lists the settings for the wss_http_token_client_template assertion template.

Table C-2 wss_http_token_client_template Settings

Name Description Default Value

Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

basic

Authentication Header—Header Name

Name of the authentication header.

None

Transport Security—Require Mutual Authentication

Not applicable.

Disabled

Configurations

Table C-3 lists the identity store configurations for the wss_http_token_client_template assertion template.

Table C-3 wss_http_token_client_template Configurations

Name Description

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to basic.credentials.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss_http_token_service_template

The wss_http_token_service_template assertion template uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. You can control whether one-way or two-way authentication is required.

Settings

The settings for the wss_http_token_service_template are identical to those for the client version of the assertion. See Table C-2 for information on the settings.

Configurations

Table C-4 lists the identity store configurations for the wss_http_token_service_template assertion template.

Table C-4 wss_http_token_service_template Configurations

Name Description

realm

HTTP Realm.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to owsm.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss_username_token_client_template

The wss_username_token_client_template assertion template includes authentication with username and password credentials in the WS-Security UsernameToken header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table C-5 lists the settings for the wss_username_token_client_template assertion template.

Table C-5 wss_username_token_client_template Settings

Name Description Default Value

Password Type

Type of password required.

Valid values are:

  • none—No password.

  • plaintext—Unencrypted password in clear text.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

Note: The plaintext type is not recommended when the token propagation occurs on an unsecure channel. However, if SSL is being used as the transport channel to secure a point-to-point connection between client and server, the plaintext type can be used as the channel takes care of protecting the password.

plaintext

Nonce Required

Flag that specifies whether a nonce must be included with the username to prevent replay attacks.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Creation Time Required

Flag that specifies whether a time stamp for the creation of the username token is required.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Configurations

Table C-6 lists the identify store configurations for the wss_username_token_client_template assertion template.

Table C-6 wss_username_token_client_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to basic.credentials.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss_username_token_service_template

The wss_username_token_service_template assertion template enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

The settings for the wss_username_token_service_template are identical to the client version of the assertion. See Table C-5 for information on the settings.

Configurations

Table C-7 lists the identify store configurations for the wss_username_token_service_template assertion template.

Table C-7 wss_username_token_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_saml_token_client_template

The wss10_saml_token_client_template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token is created automatically.

Settings

Table C-8 lists the settings for the wss10_saml_token_client_template assertion template.

Table C-8 wss10_saml_token_client_template Settings

Name Description Default Value

Version

SAML version. The only valid value is 1.1.

1.1

Confirmation Type

Confirmation type. The only valid value is:

  • sender-vouches—Uses the Sender Vouches SAML token for authentication.

sender-vouches

Configurations

Table C-9 lists the identity store configurations for the wss10_saml_token_client_template assertion template.

Table C-9 wss10_saml_token_client_template Configurations

Name Description

user.roles.include

SOAP roles to be included.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to false.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

saml.issuer.name

Name of the issuer of the SAML token.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to www.oracle.com.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_saml_token_service_template

The wss10_saml_token_service_template assertion template authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.

Settings

The settings for the wss10_saml_token_service_template are identical to the client version of the assertion. See Table C-8 for information on the settings.

Configurations

Table C-10 lists the identity store configurations for the wss10_saml_token_service_template assertion template.

Table C-10 wss10_saml_token_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_kerberos_token_client_template

The wss11_kerberos_token_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table C-11 lists the settings for the wss11_kerberos_token_client_template assertion template.

Table C-11 wss11_kerberos_token_client_template Settings

Name Description Default Value

Kerberos Token Type

Type of Kerberos token. The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API).

gss-apreq-v5

Configurations

Table C-12 lists the identity store configurations for the wss11_kerberos_token_client_template assertion template.

Table C-12 wss11_kerberos_token_client_template Configurations

Name Description

service.principal.name

Kerberos principal name that identifies the service.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to HOST/localhost@EXAMPLE.COM.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_kerberos_token_service_template

The wss11_kerberos_token_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_keberos_token_service_template are identical to the client version of the assertion. See Table C-11 for information on the settings.

Configurations

Table C-13 lists the identity store configurations for the wss11_kerberos_token_service_template assertion template.

Table C-13 wss11_kerberos_token_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

Message-Protection Only Assertion Template

Table C-14 summarizes the assertion templates that enforce message protection only, and indicates whether the token is inserted at the transport layer or SOAP header.

Table C-14 Authentication Only Assertions

Client Template Service Template Authentication Transport Authentication SOAP Message Protection Transport Message Protection SOAP

oracle/wss10_message_protection_client_template

oracle/wss10_message_protection_service_template

No

No

No

Yes

oracle/wss11_message_protection_client_template

oracle/wss11_message_protection_service_template

No

No

No

Yes

oracle/wss10_message_protection_client_template

The wss10_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table C-15 lists the settings for the wss10_message_protection_client_template assertion template.

Table C-15 wss10_message_protection_client_template Settings

Name Description Default Value

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

direct

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Sign Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Encryption Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-16 lists the identity store configurations for the wss10_message_protection_client_template assertion template.

Table C-16 wss10_message_protection_client_template Configurations

Name Description

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_message_protection_service_template

The wss10_message_protection_service_template assertion template provides message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_message_protection_service_template are identical to the client version of the assertion. See Table C-15 for information on the settings.

Configurations

Table C-17 lists the identity store configurations for the wss10_message_protection_client_template assertion template.

Table C-17 wss10_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_message_protection_client_template

The wss11_message_protection_client_template assertion template provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

Table C-18 lists the settings for the wss11_message_protection_client_template assertion template.

Table C-18 wss11_message_protection_client_template Settings

Name Description Default Value

Confirm Signature

Flag that specifies whether to send a signature confirmation back to the client.

True

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

  • thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead.

thumbprint

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-19 lists the identity store configurations for the wss11_message_protection_client_template assertion template.

Table C-19 wss11_message_protection_client_template Configurations

Name Description

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_message_protection_service_template

The wss11_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) for inbound SOAP requests in accordance with the WS-Security 1.1 standard.

Settings

The settings for the wss11_message_protection_service_template are identical to the client version of the assertion. See Table C-18 for information on the settings.

Configurations

Table C-20 lists the identity store configurations for the wss11_message_protection_service_template assertion template.

Table C-20 wss11_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

Message Protection and Authentication Assertion Templates

Table C-21 summarizes the assertion templates that enforce both message protection and authentication, and indicates whether the token is inserted at the transport layer or SOAP header.

Table C-21 Message Protection and Authentication Assertions

Client Template Service Template Authentication Transport Authentication SOAP Message Protection Transport Message Protection SOAP

oracle/wss_http_token_over_ssl_client_template

oracle/wss_http_token_over_ssl_service_template

Yes

No

Yes

No

oracle/wss_saml_token_bearer_over_ssl_client_template

oracle/wss_saml_token_bearer_over_ssl_service_template

No

Yes

Yes

No

oracle/wss_saml_token_over_ssl_client_template

oracle/wss_saml_token_over_ssl_service_template

No

Yes

Yes

No

oracle/wss_username_token_over_ssl_client_template

oracle/wss_username_token_over_ssl_service_template

No

Yes

Yes

No

oracle/wss10_saml_hok_with_message_protection_client_template

oracle/wss10_saml_hok_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss10_saml_token_with_message_protection_client_template

oracle/wss10_saml_token_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss10_username_token_with_message_protection_client_template

oracle/wss10_username_token_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss10_x509_token_with_message_protection_client_template

oracle/wss10_x509_token_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss11_kerberos_token_with_message_protection_client_template

oracle/wss11_kerberos_token_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss11_saml_token_with_message_protection_client_template

oracle/wss11_saml_token_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss11_username_token_with_message_protection_client_template

oracle/wss11_username_token_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss11_x509_token_with_message_protection_client_template

oracle/wss11_x509_token_with_message_protection_service_template

No

Yes

No

Yes

oracle/wss_http_token_over_ssl_client_template

The wss_http_token_over_ssl_client_template assertion template includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store.

Settings

Table C-22 lists the settings for the wss_http_token_over_ssl_client_template assertion template.

Table C-22 wss_http_token_over_ssl_client_template Settings

Name Description Default Value

Authentication Header—Mechanism

Authentication mechanism.

Valid values include:

  • basic—Client authenticates itself by transmitting the username and password.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

  • cert—Not supported in this release. Client authenticates itself by transmitting a certificate.

  • custom—Not supported in this release. Custom authentication mechanism.

basic

Authentication Header—Header Name

Name of the authentication header.

None

Transport Security—Require Mutual Authentication

Flag that specifies whether two-way authentication is required.

Valid values include:

  • Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.

  • Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.

Disabled

Configurations

Table C-23 lists the identity store configurations for the wss_http_token_over_ssl_client_template assertion template.

Table C-23 wss_http_token_over_ssl_client_template Configurations

Name Description

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to basic.credentials.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss_http_token_over_ssl_service_template

The wss_http_token_over_ssl_service_template assertion template extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss_http_token_over_ssl_service_template assertion template are identical to the client version of the assertion. See Table C-22 for information on the settings.

Configurations

Table C-24 lists the identity store configurations for the wss_http_token_service_template assertion template.

Table C-24 wss_http_token_over_ssl_service_template Configurations

Name Description

realm

HTTP Realm.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to owsm.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss_saml_token_bearer_over_ssl_client_template

The wss_saml_token_bearer_over_ssl_client template assertion template includes SAML tokens in outbound SOAP request messages. The SAML token with confirmation method [Bearer] is created automatically.

Settings

Table C-25 lists the settings for the wss_saml_token_bearer_over_ssl_client_template assertion template.

Table C-25 wss_saml_token_bearer_over_ssl_client_template Settings

Name Description Default Value

Algorithm Suite

Algorithm suite used for message protection. Valid algorithm suites include: Basic128, Basic256, and TripleDES. See "Supported Algorithm Suites".

Basic256

Configurations

None defined.

oracle/wss_saml_token_bearer_over_ssl_service_template

The wss_saml_token_bearer_over_ssl_service_template assertion template authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.

Settings

The settings for the wss_saml_token_bearer_over_ssl_service_template assertion template are identical to the client version of the assertion. See Table C-25 for information on the settings.

Configurations

None defined.

oracle/wss_saml_token_over_ssl_client_template

The wss_saml_token_over_ssl_client_template assertion template enables the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

Table C-26 lists the settings for the wss_saml_token_over_ssl_client_template assertion template.

Table C-26 wss_saml_token_over_ssl_client_template Settings

Name Description Default Value

Algorithm Suite

Algorithm suite used for message protection. Valid algorithm suites include: Basic128, Basic256, and TripleDES. See "Supported Algorithm Suites".

Basic256

Configurations

None defined.

oracle/wss_saml_token_over_ssl_service_template

The wss_saml_token_over_ssl_service_template enforces the authentication of credentials provided via a SAML token within WS-Security SOAP header using the sender-vouches confirmation type.

Settings

The settings for the wss_saml_token_over_ssl_service_template assertion template are identical to the client version of the assertion. See Table C-26 for information on the settings.

Configurations

None defined.

oracle/wss_username_token_over_ssl_client_template

The wss_username_token_over_ssl_client_template assertion template includes credentials in the WS-Security UsernameToken header in outbound SOAP request messages. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

Table C-27 lists the settings for the wss_username_token_over_ssl_client_template assertion template.

Table C-27 wss_username_token_over_ssl_client_template Settings

Name Description Default Value

Password Type

Type of password required.

Valid values are:

  • none—No password.

  • plaintext—Unencrypted password in clear text.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

Note: The plaintext type is not recommended when the token propagation occurs on an unsecure channel. However, if SSL is being used as the transport channel to secure a point-to-point connection between client and server, the plaintext type can be used as the channel takes care of protecting the password.

plaintext

Nonce Required

Flag that specifies whether a nonce must be included with the username to prevent replay attacks.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Creation Time Required

Flag that specifies whether a time stamp for the creation of the username token is required.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Mutual Authentication Required

Flag that specifies whether two-way authentication is required.

Valid values include:

  • Enabled—Two-way authentication. The service must authenticate itself to the client, and the client must authenticate itself to the service.

  • Disabled—One-way authentication. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.

Disabled

Configurations

Table C-28 lists the identity store configurations for the wss_username_token_over_ssl_client_template assertion template.

Table C-28 wss_username_token_over_ssl_client_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services (OPSS) identity store.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to basic.credentials.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss_username_token_over_ssl_service_template

The wss_username_token_over_ssl_service_template assertion template uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store. The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token.

Settings

The settings for the wss_username_token_over_ssl_service_template assertion template are identical to the client version of the assertion. See Table C-28 for information on the settings.

Configurations

Table C-29 lists the identity store configurations for the wss_username_token_over_ssl­_service_template assertion template.

Table C-29 wss_username_token_over_ssl_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_saml_hok_with_message_protection_client_template

The wss10_saml_hok_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and SAML holder of key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

Settings

Table C-30 lists the settings for the wss10_saml_hok_with_message_protection_client_template assertion template.

Table C-30 wss10_saml_hok_with_message_protection_client_template Settings

Name Description Default Value

Version

SAML version. The only valid value is: 1.1.

1.1

Confirmation Type

Confirmation type. The only valid value is: holder-of-key.

holder-of-key

Is Signed

Flag that specifies whether the username is signed. The only valid value for SAML policies is: True.

True

Is Encrypted

Flag that specifies whether the username is encrypted.

False

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

ski

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

direct

Recipient Sign Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Encryption Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-31 lists the identity store configurations for the wss10_saml_hok_with_message_protection_client_template assertion template.

Table C-31 wss10_saml_hok_with_message_protection_client_template Configurations

Name Description

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

saml.issuer.name

Name identifier for the issuer of the SAML token.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to www.oracle.com.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

user.roles.include

Flag that specifies whether to include SOAP roles.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to false.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

saml.assertion.filename

Name of the of the SAML token file.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to temp.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_saml_hok_with_message_protection_service_template

The wss10_saml_hok_with_message_protection_client_template assertion template enforces message-level protection and SAML holder of key based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_saml_hok_with_message_protection_service_template are identical to those for client version of the assertion. See Table C-30 for information on the settings.

Configurations

Table C-32 lists the identity store configurations for the wss10_saml_hok_with_message_protection_service_template assertion template.

Table C-32 wss10_saml_hok_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_saml_token_with_message_protection_client_template

The wss10_saml_token_with_message_protection_client_template assertion template provides message-level protection and SAML-based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

Table C-33 lists the settings for the wss10_saml_token_with_message_protection_client_template assertion template.

Table C-33 wss10_saml_token_with_message_protection_client_template Settings

Name Description Default Value

Version

SAML version. The only valid value is: 1.1.

1.1

Confirmation Type

Confirmation type. The only valid value is: sender-vouches.

sender-vouches

Is Signed

Flag that specifies whether the username is signed. The only valid value for SAML policies is: True.

True

Is Encrypted

Flag that specifies whether the username is encrypted.

False

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

direct

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Sign Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Encryption Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-34 lists the identity store configurations for the wss10_saml_token_with_message_protection_client_template assertion template.

Table C-34 wss10_saml_token_with_message_protection_client_template Configurations

Name Description

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

user.roles.include

Flag that specifies whether to include SOAP roles.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to false.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

saml.issuer.name

Name identifier for the issuer of the SAML token.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to www.oracle.com.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_saml_token_with_message_protection_service_template

The wss10_saml_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The Web service consumer includes a SAML token in the SOAP header, and the confirmation type is sender-vouches. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

To prevent replay attacks, the assertion provides the option to include time stamps, SAML token limits, and their verification by the Web service provider.

Settings

The settings for the wss10_saml_token_with_message_protection_service_template are identical to those for client version of the assertion. See Table C-34 for information on the settings.

Configurations

Table C-35 lists the identity store configurations for the wss10_saml_token_with_message_protection_service_template assertion template.

Table C-35 wss10_saml_token_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_username_token_with_message_protection_client_template

The wss10_username_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and authentication for outbound SOAP requests in accordance with the WS-Security 1.0 standard. Credentials are included in the WS-Security UsernameToken header in the outbound SOAP message.

The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

Settings

Table C-36 lists the settings for the wss10_username_token_with_message_protection_client_template assertion template.

Table C-36 wss10_username_token_with_message_protection_client_template Settings

Name Description Default Value

Password Type

Type of password required.

Valid values are:

  • none—No password.

  • plaintext—Unencrypted password in clear text.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

plaintext

Nonce Required

Flag that specifies whether a nonce must be included with the username to prevent replay attacks.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Creation Time Required

Flag that specifies whether a time stamp for the creation of the username token is required.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Is Signed

Flag that specifies whether the username is signed.

True

Is Encrypted

Flag that specifies whether the username is encrypted.

True

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

direct

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Sign Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Encryption Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-37 lists the identity store configurations for the wss10_username_token_with_message_protection_client_template assertion template.

Table C-37 wss10_username_token_with_message_protection_client_template Configurations

Name Description

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store.

Specify the following properties:

  • Value—Current value

  • Default—Default value. This value is used if the Value field is not set. Defaults to basic.credentials.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_username_token_with_message_protection_service_template

The wss10_username_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

The assertion supports three types of password credentials: plain text, digest, and no password.

Note:

Digest passwords are not supported in this release.

To protect against replay attacks, the assertion provides the option to require nonce or creation time in the username token. The SOAP message is signed and encrypted. The Web service provider decrypts the message, and verifies and authenticates the signature.

Settings

The settings for the wss10_username_token_with_message_protection_service_template assertion template are identical to the client version of the assertion. See Table C-36 for information on the settings.

Configurations

Table C-38 lists the identity store configurations for the wss10_username_token_with_message_protection_service_template assertion template.

Table C-38 wss10_username_token_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_x509_token_with_message_protection_client_template

The wss10_x509_token_with_message_protection_client template assertion template provides message protection (integrity and confidentiality) and certificate credential population for outbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

Table C-36 lists the settings for the wss10_x509_token_with_message_protection_client template assertion template.

Table C-39 wss10_x509_token_with_message_protection_client_template Settings

Name Description Default Value

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

direct

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Sign Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Recipient Encryption Key Reference Mechanism

Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-40 lists the identity store configurations for the wss10_x509_token_with_message_protection_client_template assertion template.

Table C-40 wss10_x509_token_with_message_protection_client_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss10_x509_token_with_message_protection_service_template

The wss10_x509_token_with_message_protection_service_template assertion template enforces message protection (integrity and confidentiality) and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.

Settings

The settings for the wss10_x509_token_with_message_protection_service_template assertion template are identical to the client version of the assertion. See Table C-39 for information on the settings.

Configurations

Table C-41 lists the identity store configurations for the wss10_x509_token_with_message_protection_service_template assertion template.

Table C-41 wss10_x509_token_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_kerberos_token_with_message_protection_client_template

The wss11_kerberos_token_with_message_protection_client_template assertion template includes a Kerberos token in the WS-Security header in accordance with the WS-Security Kerberos Token Profile v1.1 standard.

Settings

Table C-42 lists the settings for the wss11_kerberos_token_with_message_protection_client_template assertion template.

Table C-42 wss11_kerberos_token_with_message_protection_client_template Settings

Name Description Default Value

Kerberos Token Type

Type of Kerberos token. The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API).

gss-apreq-v5

Confirm Signature

Flag that specifies whether to send a signature confirmation back to the client.

True

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

direct

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

direct

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

TripleDes

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-43 lists the identity store configurations for the wss11_kerberos_token_with_message_protection_client_template assertion template.

Table C-43 wss11_kerberos_token_with_message_protection_client_template Configurations

Name Description

service.principal.name

Kerberos principal name that identifies the service.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to HOST/localhost@EXAMPLE.COM.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_kerberos_token_with_message_protection_service_template

The wss11_kerberos_token_with_message_protection_service_template assertion template enforces in accordance with the WS-Security Kerberos Token Profile v1.1 standard. It extracts the Kerberos token from the SOAP header and authenticates the user. The container must have the Kerberos infrastructure configured through Oracle Platform Security Services.

Settings

The settings for the wss11_keberos_token_with_message_protection_service_template are identical to the client version of the assertion. See Table C-42 for information on the settings.

Configurations

None required.

Table C-44 wss11_kerberos_token_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_saml_token_with_message_protection_client_template

The wss11_saml_token_with_message_protection_client_template assertion template enables message protection (integrity and confidentiality) and SAML token population for outbound SOAP requests in accordance with WS-Security 1.1. A SAML token is included in the SOAP message for use in SAML based authentication with sender vouches confirmation.

Settings

Table C-45 lists the settings for the wss11_saml_token_with_message_protection_client_template assertion template.

Table C-45 wss11_saml_token_with_message_protection_client_template Settings

Name Description Default Value

Version

SAML version. The only valid value is: 1.1.

None

Confirmation Type

Confirmation type. Valid values include: sender-vouches.

sender-vouches.

Is Signed

Flag that specifies whether the username is signed. The only valid value for SAML policies is: True.

True

Is Encrypted

Flag that specifies whether the username is encrypted.

False

Confirm Signature

Flag that specifies whether to send a signature confirmation back to the client.

True

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

  • thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)

direct

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

thumbprint

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-45 lists the identity store configurations for the wss11_saml_token_with_message_protection_client_template assertion template.

Table C-46 wss11_saml_token_with_message_protection_client_template Configurations

Name Description

saml.issuer.name

Name identifier for the issuer of the SAML token.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to www.oracle.com.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to optional. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_saml_token_with_message_protection_service_template

The wss11_saml_token_with_message_protection_service_template assertion template enforces message-level integrity protection and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard. It extracts the SAML token from the WS-Security binary security token, and uses those credentials to validate users against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_saml_token_with_message_protection_service_template are identical to the client version of the assertion. See Table C-45 for information on the settings.

Configurations

Table C-44 lists the identity store configurations for the wss11_saml_token__with_message_protection_service_template assertion template.

Table C-47 wss11_saml_token_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_username_token_with_message_protection_client_template

The ws11_username_token_with_message_protection_client_template assertion template includes authentication and message protection in accordance with the WS-Security v1.1 standard.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature.

In order to prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

Settings

Table C-48 lists the settings for the wss11_username_token_with_message_protection_client_template assertion template.

Table C-48 wss11_username_token_with_message_protection_client_template Settings

Name Description Default Value

Password Type

Type of password required.

Valid values are:

  • none—No password.

  • plaintext—Unencrypted password in clear text.

  • digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.

plaintext

Nonce Required

Flag that specifies whether a nonce must be included with the username to prevent replay attacks.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Creation Time Required

Flag that specifies whether a time stamp for the creation of the username token is required.

Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.

False

Is Signed

Flag that specifies whether the username is signed.

True

Is Encrypted

Flag that specifies whether the username is encrypted.

True

Confirm Signature

Flag that specifies whether to send a signature confirmation back to the client.

True

Encryption Key Reference Mechanism

Mechanism used when encrypting the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

  • thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead.

thumbprint

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic256

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-49 lists the identity store configurations for the wss11_username_token_with_message_protection_client_template assertion template.

Table C-49 wss11_username_token_with_message_protection_client_template Configurations

Name Description

csf-key

Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to basic.credentials.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_username_token_with_message_protection_service_template

The ws11_username_token_with_message_protection_service_template assertion template enforces authentication and message protection in accordance with the WS-Security v1.1 standard.

The Web service consumer inserts username and password credentials, and signs and encrypts the outgoing SOAP message. The Web service provider decrypts and verifies the message and the signature. In order to prevent replay attacks, the assertion provides the option to include time stamps and verification by the Web service provider. The message can be protected with ciphers of different strengths.

Settings

The settings for the wss11_username_token_with_message_protection_service_template are identical to the client version of the assertion. See Table C-48 for information on the settings.

Configurations

Table C-50 lists the identity store configurations for the wss11_username_token_with_message_protection_service_template assertion template.

Table C-50 wss11_username_token_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_x509_token_with_message_protection_client_template

The wss11_x509_token_with_message_protection_client_template assertion template provides message protection (integrity and confidentiality) and certificate-based authentication for outbound SOAP requests in accordance with the WS-Security 1.1 standard. Credentials are included in the WS-Security binary security token of the SOAP message. ]

Settings

Table C-51 lists the settings for the wss11_x509_token_with_message_protection_client_template assertion template.

Table C-51 wss11_x509_token_with_message_protection_client_template Settings

Name Description Default Value

Confirm Signature

Flag that specifies whether to send a signature confirmation back to the client.

True

Sign Key Reference Mechanism

Mechanism used when signing the request.

Valid values include:

  • direct—X.509 Token is included in the request.

  • ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.

  • issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.

  • thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This value is valid for Encryption Key Reference Mechanism only (described below.)

direct

Encryption Key Reference Mechanism

Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above.

thumbprint

Algorithm Suite

Algorithm suite used for message protection. See "Supported Algorithm Suites".

Basic128

Include Timestamp

Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.

Enabled

Request Message Settings

See Table C-62.

N/A

Response Message Settings

See Table C-62.

N/A

Fault Message Settings

See Table C-62.

N/A

Configurations

Table C-52 lists the identity store configurations for the wss11_x509_token_with_message_protection_client_template assertion template.

Table C-52 wss11_x509_token_with_message_protection_client_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

keystore.recipient.alias

Keystore alias associated with the peer certificate. The security runtime uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to orakey.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to required. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

oracle/wss11_x509_token_with_message_protection_service_template

The wss11_x509_token_with_message_protection_service_template assertion template enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard. The certificate is extracted from the WS-Security binary security token header, and the credentials in the certificate are validated against the Oracle Platform Security Services identity store.

Settings

The settings for the wss11_x509_token_with_message_protection_service_template are identical to the client version of the assertion. See Table C-51 for information on the settings.

Configurations

Table C-53 lists the identity store configurations for the wss11_x509_token_with_message_protection_service_template assertion template.

Table C-53 wss11_x509_token_with_message_protection_service_template Configurations

Name Description

role

SOAP role.

Specify the following properties:

  • Value—Current value.

  • Default—Default value. This value is used if Value field is not set. Defaults to ultimateReceiver.

  • Type—Specifies one of the following values:

    - Constant—Property cannot be overridden.

    - Required—Property is required and can be overridden.

    - Optional—Property is optional and can be overridden.

    This value defaults to constant. For information about overriding policies, see "Attaching Client Policies Permitting Overrides".

  • Description—Description of the property.

Authorization Assertion Templates

Table C-54 summarizes assertion templates that are used for authorization. Each authorization assertion template must follow an authentication assertion template.

Table C-54 Authorization Assertion Templates

Service Template Description

oracle/binding_authorization_template

Provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.

oracle/binding_permission_authorization_template

Provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level.

oracle/component_authorization_template

Provides simple role-based authorization for the request based on the authenticated subject at the SOA component level.

oracle/component_permission_authorization_template

Provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level.

oracle/binding_authorization_template

The binding_authorization_template assertion template provides simple role-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion template.

Settings

Table C-55 lists the settings for the binding_authorization_template assertion template.

Table C-55 binding_authorization_template Settings

Name Description Default Value

Action Pattern

Action or Web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards.

For example, validate,amountAvailable.

actionMatchPattern

Resource Pattern

Name of the resource for which authorization checks are performed. This field accepts wildcards.

For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.

resourceMatchPattern

Authorization Setting

Specifies the roles that are authorized.

The valid values are:

  • Permit All—Permit users with any roles.

  • Deny All—Deny all users with roles.

  • Selected Roles—Permit selected roles.

To add roles:

  1. Click Add.

  2. To add roles, click the checkbox next to each role you want to add in the Roles Available column and click Move. To add all roles, click Move All.

    To remove roles, click the checkbox next to each role you want to remove in the Roles Selected to Add column, and click Remove. To remove all roles, click Remove All.

    To search for roles, enter a search string in the Role Name search box and click the go arrow. The Roles Available column is updated to include only those roles that match the search string.

  3. Click OK.

To delete roles:

  1. Select the role that you want to delete in the Selected Roles list.

  2. Click Delete.

Selected Roles

Configurations

None defined.

oracle/binding_permission_authorization_template

The binding_permission_authorization_template assertion provides simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level. It should follow an authentication assertion.

Note:

You should be careful when using permission-based policies with EJBs as the security permissions specified in system-jazn-data.xml will be relaxed beyond a single invocation of the service operation.

Settings

Table C-56 lists the settings for the binding_permission_authorization_template assertion template.

Table C-56 binding_permission_authorization_template Settings

Name Description Default Value

Constraint Pattern

Reserved for future use.

N/A

Action Pattern

Action or Web service operation for which permission-based checks are performed. This value can be a comma-separated list of values. This field accepts wildcards.

For example, validate,amountAvailable.

*

Resource Pattern

Name of the resource for which permission-based checks are performed. This field accepts wildcards.

For example, if the namespace of the Web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.

*

Permission Check Class

Class used for the permission-based checking. For example, oracle.wsm.security.WSFuncPermission.

N/A

Configurations

None defined.

oracle/component_authorization_template

The component_authorization_template assertion provides simple role-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.

Settings

Table C-57 lists the settings for the component_authorization_template assertion template.

Table C-57 component_authorization_template Settings

Name Description Default Value

Authorization Setting

Specifies the roles that are authorized.

The valid values are:

  • Permit All—Permit users with any roles.

  • Deny All—Deny all users with roles.

  • Selected Roles—Permit selected roles.

To add roles:

  1. Click Add.

  2. To add roles, click the checkbox next to each role you want to add in the Roles Available column and click Move. To add all roles, click Move All.

    To remove roles, click the checkbox next to each role you want to remove in the Roles Selected to Add column, and click Remove. To remove all roles, click Remove All.

    To search for roles, enter a search string in the Role Name search box and click the go arrow. The Roles Available column is updated to include only those roles that match the search string.

  3. Click OK.

To delete roles:

  1. Select the role that you want to delete in the Selected Roles list.

  2. Click Delete.

Selected Roles

Configurations

None defined.

oracle/component_permission_authorization_template

The component_permission_authorization_template assertion provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level. It should follow an authentication assertion.

Note:

You should be careful when using permission-based policies with EJBs as the security permissions specified in system-jazn-data.xml will be relaxed beyond a single invocation of the service operation.

Settings

Table C-58 lists the settings for the component_permission_authorization_template assertion template.

Table C-58 component_permission_authorization_template Settings

Name Description Default Value

Constraint Pattern

Reserved for future use.

N/A

Action Pattern

Action or Web service operation for which permission-based checks are performed. This value can be a comma-separated list of values. This field accepts wildcards.

For example, validate,amountAvailable.

*

Resource Pattern

Name of the resource for which permission-based checks are performed. This field accepts wildcards.

For example, if the composite name of the Web service is HelloWorld and the service name is Hello, the resource name is HelloWorld/Hello.

*

Permission Check Class

Class used for the permission-based checking. For example, oracle.wsm.security.WSFunctionPermission.

N/A

Configurations

None defined.

Management Assertions

Table C-59 summarizes the management assertion templates.

Table C-59 Management Assertion Templates

Name Description

oracle/security_log_template

Provides simple role-based authorization for the request based on the authenticated subject.

oracle/security_log_template

The security_log_template assertion template provides a logging assertion template that can be attached to any binding or component.

Note:

It is recommended that the logging assertion be used for debugging and auditing purposes only.

Settings

Table C-60 lists the settings for the security_log_template assertion template.

Table C-60 security_log_template Settings

Name Description Default Value

Request

Requirements for logging request messages.

The valid values are:

  • all—Log the entire SOAP message.

  • header—Log SOAP header information only.

  • soap_body—Log SOAP body information only.

  • soap_envelope—Log SOAP envelope information only.

all

Response

Requirements for logging response messages. The valid values are the same as for Request above.

soap_body

Configurations

None defined.

Supported Algorithm Suites

Table C-61 lists the algorithm suites that are supported for message protection. The algorithm suites enable you to control the cryptographic characteristics of the algorithms that are used when securing messages.

Table C-61 Supported Algorithm Suites

Algorithm Suite Digest Encryption Symmetric Key Wrap Asymmetric Key Wrap Encrypted Key Derivation Signature Key Derivation Minimum Signature Key Length

Basic256

Sha1

Aes256

KwAes256

KwRsaOaep

PSha1L256

PSha1L192

256

Basic192

Sha1

Aes192

KwAes192

KwRsaOaep

PSha1L192

PSha1L192

192

Basic128

Sha1

Aes128

KwAes128

KwRsaOaep

PSha1L128

PSha1L128

128

TripleDes

Sha1

TripleDes

KwTripleDes

KwRsaOaep

PSha1L192

PSha1L192

192

Basic256Rsa15

Sha1

Aes256

KwAes256

KwRsa15

PSha1L256

PSha1L192

256

Basic192Rsa15

Sha1

Aes192

KwAes192

KwRsa15

PSha1L192

PSha1L192

192

Basic128Rsa15

Sha1

Aes128

KwAes128

KwRsa15

PSha1L128

PSha1L128

128

TripleDesRsa15

Sha1

TripleDes

KwTripleDes

KwRsa15

PSha1L192

PSha1L192

192

Message Signing and Encyrption Settings for Request, Response, and Fault Messages

Table C-62 lists the settings for the Request, Response, and Fault messages. You configure these settings for message signing and encryption.

Table C-62 Request, Response, and Fault Message Signing and Encryption Settings

Name Description Default Value

Include Entire Body

Sign or encrypt the entire body of the SOAP message.

If false, you can add specific body elements using the Body Elements section.

True for Request and Response messages

False for Fault messages

Include Attachment

Sign or encrypt SOAP messages with attachments.

Note: This field is not applicable to MTOM attachments.

False

Include Attachment with MIME Headers

Sign or encrypt SOAP attachments with MIME headers.

Note: This field is applicable if Include Attachment is enabled. It is not applicable to MTOM attachments.

False

Header Elements

Sign or encrypt the specified SOAP header elements.

To add a header element:

  1. Click Add.

  2. Enter the namespace URI.

  3. Enter the local name for the header element.

  4. Click OK.

To edit a header element:

  1. Select the header element that you want to edit in the Header Elements list.

  2. Click Edit.

  3. Modify the values, as required.

  4. Click OK.

To delete a header element:

  1. Select the header element that you want to delete in the Header Elements list.

  2. Click Delete.

  3. When prompted to confirm, click OK.

None

Body Elements

Note: This field is available if Include Entire Body is disabled.

Sign or encrypt the specified body elements. This field is applicable if the Include Body field is disabled.

To add a body element:

  1. Click Add.

  2. Enter the namespace URI.

  3. Enter the local name for the body element.

  4. Click OK.

To edit a body element:

  1. Select the bpdu element that you want to edit in the Body Elements list.

  2. Click Edit.

  3. Modify the values, as required.

  4. Click OK.

To delete a body element:

  1. Select the body element that you want to delete in the Body Elements list.

  2. Click Delete.

  3. When prompted to confirm, click OK.

None

Go to previous page
Previous		 Go to next page
Next
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Feedback page
Contact Us