Oracle® Fusion Middleware Interoperability Guide for Oracle Web Services Manager 11g Release 1 (11.1.1) Part Number E16098-01
This chapter contains the following sections:
Overview of Interoperability with Oracle WSM 10g Security Environments
Anonymous Authentication with Message Protection (WS-Security 1.0)
SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)
Mutual Authentication with Message Protection (WS-Security 1.0)
In Oracle WSM 10g, you specify policy steps at each policy enforcement point. The policy enforcement points in Oracle WSM 10g include Gateways and Agents.
Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the Web service request or response. For more details about the Oracle WSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG.
In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain level, that define the security requirements. A set of predefined policies and assertions is provided out of the box. For more details about the predefined policies, see Predefined Policies. For information about configuring and attaching policies, see Configuring Policies and Attaching Policies to Web Services.
Table 2-1 summarizes the most common Oracle WSM 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.
For more information about:
Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Oracle WSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG
Note:
In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.
Please review "A Note About Oracle WSM 10g Gateways" and "A Note About Third-party Software" for important information about your usage of Oracle WSM 10g gateways and third-party software.
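A check for the keystore requirement in the note above, as an added example that is not part of Oracle's documentation: the function reads `keytool -list -v` output and reports every certificate that is not X.509 v3. The sample listing and its aliases are constructed, and the parser assumes the JDK's verbose listing prints a `Version:` line per certificate; a certificate without one is reported as `unknown`.

```shell
#!/bin/sh
# Added example: report keystore certificates that are not X.509 v3.
# stdin:  text of `keytool -list -v -keystore <file>`
# stdout: one "alias<TAB>version" line per offending certificate
# status: 1 if any certificate is not v3 (or has no Version line), else 0
# Assumption: the JDK's verbose listing prints "Version: N" per certificate.
non_v3_entries() {
    awk '
        function report() {
            if (incert && ver != 3) {
                printf "%s\t%s\n", alias, (ver == "" ? "unknown" : ver)
                bad = 1
            }
            incert = 0; ver = ""
        }
        { sub(/\r$/, "") }                      # tolerate CRLF output
        /^Alias name:/ { report(); sub(/^Alias name:[ \t]*/, ""); alias = $0; next }
        /^Owner:/      { report(); incert = 1; next }   # one Owner line per certificate
        /^Version:/    { ver = $2; next }
        END            { report(); exit bad + 0 }
    '
}

# Constructed sample listing (not real keystore output): one v3 and one v1 entry.
SAMPLE_LISTING='Alias name: orakey
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=service, O=Example
Issuer: CN=service, O=Example
Version: 3

Alias name: legacykey
Entry type: trustedCertEntry
Owner: CN=legacy, O=Example
Issuer: CN=legacy, O=Example
Version: 1'

# Run the check over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | non_v3_entries
}

# Against a real keystore (the path is a placeholder):
#   keytool -list -v -keystore /path/to/keystore.jks | non_v3_entries
```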
Table 2-1 Interoperability With Oracle WSM 10g Security Environments
Interoperability Scenario | Client—>Web Service | Oracle WSM 11g Policies | Oracle WSM 10g Policies |
---|---|---|---|
"Anonymous Authentication with Message Protection (WS-Security 1.0)" | Oracle WSM 10g—>Oracle WSM 11g | oracle/wss10_message_protection_service_policy | Request pipeline: Sign Message and Encrypt; Response pipeline: Decrypt and Verify Signature |
"Anonymous Authentication with Message Protection (WS-Security 1.0)" | Oracle WSM 11g—>Oracle WSM 10g | oracle/wss10_message_protection_client_policy | Request pipeline: Decrypt and Verify Signature; Response pipeline: Sign Message and Encrypt |
"Username Token with Message Protection (WS-Security 1.0)" | Oracle WSM 10g—>Oracle WSM 11g | oracle/wss10_username_token_with_message_protection_service_policy | Request pipeline: Sign Message and Encrypt; Response pipeline: Decrypt and Verify Signature |
"Username Token with Message Protection (WS-Security 1.0)" | Oracle WSM 11g—>Oracle WSM 10g | oracle/wss10_username_token_with_message_protection_client_policy | Request pipeline: ; Response pipeline: Sign Message and Encrypt |
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" | Oracle WSM 10g—>Oracle WSM 11g | oracle/wss10_saml_token_with_message_protection_service_policy | Request pipeline: ; Response pipeline: Decrypt and Verify Signature |
"SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)" | Oracle WSM 11g—>Oracle WSM 10g | oracle/wss10_saml_token_with_message_protection_client_policy | Request pipeline: ; Response pipeline: Sign Message and Encrypt |
"Mutual Authentication with Message Protection (WS-Security 1.0)" | Oracle WSM 10g—>Oracle WSM 11g | oracle/wss10_x509_token_with_message_protection_service_policy | Request pipeline: Sign Message and Encrypt; Response pipeline: Decrypt and Verify Signature |
"Mutual Authentication with Message Protection (WS-Security 1.0)" | Oracle WSM 11g—>Oracle WSM 10g | oracle/wss10_x509_token_with_message_protection_client_policy | Request pipeline: Decrypt and Verify; Response pipeline: Sign Message and Encrypt |
"Username Token Over SSL" | Oracle WSM 10g—>Oracle WSM 11g | wss_username_token_over_ssl_service_policy | N/A |
"Username Token Over SSL" | Oracle WSM 11g—>Oracle WSM 10g | wss_username_token_over_ssl_client_policy | Request pipeline: |
"SAML Token (Sender Vouches) Over SSL" | Oracle WSM 10g—>Oracle WSM 11g | oracle/wss_saml_token_over_ssl_service_policy | Request pipeline: |
"SAML Token (Sender Vouches) Over SSL" | Oracle WSM 11g—>Oracle WSM 10g | oracle/wss_saml_token_over_ssl_client_policy | Request pipeline: |
The following sections provide additional interoperability information about using Oracle WSM 10g gateways and third-party software with Oracle WSM 11g.
As described in Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware, Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include a Gateway component. You can continue to use the Oracle WSM 10g Gateway components with Oracle WSM 10g policies in your applications, as described in the following sections.
As described in Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware, Oracle WSM 10g supported policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 11g Release 1 (11.1.1) only supports Oracle WebLogic Server. You can continue to use the third-party application servers with Oracle WSM 10g policies, as described in the following sections.
The following sections describe how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
The steps required for interoperability are summarized in the following table.
Table 2-2 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —>Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—Oracle WSM 10g | Perform the following steps: |
The steps required for interoperability are summarized in the following table.
Table 2-3 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —>Oracle WSM 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
The steps required for interoperability are summarized in the following table.
Table 2-4 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—Oracle WSM 10g | Perform the following steps: |
The steps required for interoperability are summarized in the following table.
Table 2-5 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
The following sections describe how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
The steps required for interoperability are summarized in the following table.
Table 2-6 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—Oracle WSM 10g | Perform the following steps: |
The steps required for interoperability are summarized in the following table.
Table 2-7 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
The steps required for interoperability are summarized in the following table.
Table 2-8 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—Oracle WSM 10g | Perform the following steps: |
The steps required for interoperability are summarized in the following table.
Table 2-9 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
The following sections describe how to implement username token over SSL, describing the following interoperability scenarios:
"Username Token Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service"
"Username Token Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service"
For more information about:
Configuring SSL on WebLogic Server, see Configuring SSL on WebLogic Server (One-Way) and Configuring SSL on WebLogic Server (Two-Way).
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.
The steps required for interoperability are summarized in the following table.
Table 2-10 Username Token Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—Oracle WSM 10g | Perform the following steps: |
The steps required for interoperability are summarized in the following table.
Table 2-11 Username Token Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |
The following sections describe how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:
"SAML Token (Sender Vouches) Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service"
"SAML Token (Sender Vouches) Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service"
For more information about:
Configuring SSL on WebLogic Server, see Configuring SSL on WebLogic Server (One-Way) and Configuring SSL on WebLogic Server (Two-Way).
Configuring SSL on OC4J, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.
The steps required for interoperability are summarized in the following table.
Table 2-12 SAML Token (Sender Vouches) Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 11g | Perform the following steps: |
Client—Oracle WSM 10g | Perform the following steps: |
The steps required for interoperability are summarized in the following table.
Table 2-13 SAML Token (Sender Vouches) Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service
Web Service/Client | Steps |
---|---|
Web Service—Oracle WSM 10g | Perform the following steps: |
Client—Oracle WSM 11g | Perform the following steps: |