Oracle® Web Services Manager Administrator's Guide 10g (10.1.3.4) Part Number E12575-01
This appendix is a reference for the Oracle Web Services Manager (Oracle WSM) policy steps.
Table A-1 shows which policy steps can be used with each policy enforcement point.
Note:
Oracle Web Services Manager supports SOAP version 1.1 only.
Table A-1 Supported Policy Steps for Policy Enforcement Points [1]
Steps | Gateways | OC4J agent [2][3], client | OC4J agent [2][3], server | AXIS agent [2][4], client | AXIS agent [2][4], server |
---|---|---|---|---|---|
Active Directory Authenticate | X | X | X | X | X |
Active Directory Authorize | X | X | X | X | X |
Decrypt and Verify Signature | X | X | X | X | X |
Extract Credentials | X | X | X | X | X |
File Authenticate | X | X | X | X | X |
File Authorize | X | X | X | X | X |
Handle Generic Fault | X | NA | NA | X | X |
Insert Oracle Access Manager Token | X | NA | NA | X | X |
Insert WSBASIC Credentials | X | X | X | X | X |
LDAP Authenticate | X | X | X | X | X |
LDAP Authorize | X | X | X | X | X |
Log | X | X | X | X | X |
Oracle Access Manager Authenticate Authorize | X | X | X | X | X |
SAML – Insert WSS 1.0 Sender-Vouches Token | X | NA | NA | X | NA |
SAML – Verify WSS 1.0 Token | X | X | X | NA | X |
Sign Message | X | X | X | X | X |
Sign Message and Encrypt | X | X | X | X | X |
SiteMinder Authenticate | X | X | X | X | X |
SiteMinder Authorize | X | X | X | X | X |
Verify Certificate | X | X | X | X | X |
Verify Signature | X | X | X | X | X |
XML Decrypt | X | X | X | X | X |
XML Encrypt | X | X | X | X | X |
XML Transform | X | X | X | X | X |
Footnote 1 NA = Not Applicable
Footnote 2 For more information on the different types of agents, see the Oracle Web Services Manager Deployment Guide.
Footnote 3 OC4J agents are native to OC4J. Using this type of agent requires OC4J administrator permissions to deploy the agent.
Footnote 4 AXIS agents are filter agents that are injected into the Web service or client application. They are used to protect AXIS stack-based Web services.
Active Directory Authenticate
Verifies the sender's identity using Microsoft Active Directory.
Usage
Uses a user name and password to authenticate the sender.
Prerequisite Steps
Extract Credentials
Properties
Table A-2 Active Directory Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
AD host |
Host name on which the Active Directory server is running that contains the user schema. |
AD port |
Port on which the Active Directory server is listening for the connections. |
AD SSL port |
Port on which the Active Directory server is listening for SSL connections. |
AD baseDN |
Base distinguished name where the users and groups (also known as roles) data exist for this Active Directory server. |
AD domain |
Active Directory domain of the user. In the example john.doe@oracle.com, the domain oracle.com would be specified. |
ADSSLEnabled |
If set to true, then the connection to Active Directory uses SSL. |
Uid Attribute |
Attribute that uniquely identifies the user. This is used in the search filter. |
User Attributes to be retrieved |
User profile attributes to be read after authentication. These attributes can be used in subsequent steps such as SAML - Insert WSS 1.0 Sender-Vouches Token, which inserts attribute statements using the retrieved values. Custom policy steps can also use these attributes. |
Possible Next Steps
Active Directory Authorize
Active Directory Authorize
Grants or denies the sender's request using Microsoft Active Directory.
Usage
Authorizes access to the service based on user group membership in Active Directory. The user must be a member of one of the configured groups in the ServiceRoles property to be granted access.
Prerequisite Steps
Active Directory Authenticate
Properties
Table A-3 Active Directory Authorize Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
AD host |
Host name on which the Active Directory server is running that contains the users and their roles. |
AD port |
Port on which the Active Directory server is listening for the connections. |
AD SSL port |
Port on which the Active Directory server is listening for SSL connections. |
AD baseDN |
Base distinguished name where the users and groups (also known as roles) data exist for this Active Directory server. |
ServiceRoles |
Comma-delimited list of service roles that have access to the service. |
ADAdminUser |
Admin user with permission to connect to the Active Directory server and perform searches on the schema. |
ADAdminPwd |
Password for the Admin user with permission to connect to the Active Directory server. |
AD domain |
Active Directory domain of the user. In the example john.doe@oracle.com, the domain oracle.com would be specified. |
ADSSLEnabled |
Set this to true if the Active Directory connection must be an SSL connection. |
Uid Attribute |
An attribute, such as uid, that uniquely identifies the user entry in Active Directory. |
Possible Next Steps
There are no recommended next steps.
Decrypt and Verify Signature
Decrypts the XML message and verifies that the signature is valid.
Usage
Decrypts the message, then verifies the signature. You can use this policy step only if the message was secured by signing it first and then encrypting it.
For all other situations, use the individual policy steps, Verify Signature and XML Decrypt. For example:
If the encryption and signing were done in the opposite order, that is, the message was encrypted before it was signed, then use the Verify Signature step followed by the XML Decrypt step. This is true whether the encryption and signing were done in a single step or as separate steps.
If the message was encrypted and not signed, then use the XML Decrypt step.
If the message was signed and not encrypted, then use the Verify Signature step.
Prerequisite Steps
None
Properties
Table A-4 Decrypt and Verify Signature Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Decryptor's keystore location |
Location of the keystore on the local file system that contains the private keys used for decryption. |
Decrypt Keystore Type |
Keystore file format. The valid values are:
|
Decryptor's keystore password |
Password to access the decryptor's keystore. |
Decryptor's private-key alias |
Alias of the private key used for decryption. |
Enforce Encryption |
If set to true, Oracle WSM does not allow an unencrypted message to pass through. |
Verifying Keystore location |
Location of the keystore on the local file system that contains the public key used for signature verification. |
Verifying Keystore type |
Keystore file format. The valid values are:
|
Verifying Keystore password |
Password to access the verifying keystore. |
Signer's public-key alias |
Alias of the public key used for signature verification. |
Remove Signatures |
If selected, the signature is removed from the SOAP security header after successful verification. |
Enforce Signing |
If set to true, Oracle WSM does not allow an unsigned message to pass through. |
Possible Next Steps
Extract Credentials
Extract Credentials
Locates and extracts credentials and presents the credentials in a form that can be authenticated. You must know from where the credentials are to be extracted.
Prerequisite Steps
If the message was protected, then the appropriate steps required to decrypt the XML message or verify the signature, or do both, must first be performed.
Properties
Table A-5 Extract Credentials Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Credentials location |
Where the credentials are extracted. The four possible locations are:
|
Namespaces |
Space-delimited list of prefix and namespace Uniform Resource Identifier (URI) pairs for the prefixes used in the User ID xpath and Password xpath properties. For example:
If spaces appear in the URI itself, they must be replaced by the characters %20. This parameter applies only if the Credentials location property is specified with an XPath expression. |
UserID xpath |
XPath for the user name. This XPath is relative to the XPath specified in the Credentials location property. For example:
This parameter only applies if the Credentials location property is specified with an XPath expression. |
Password xpath |
XPath for the password. This XPath is relative to the XPath specified in the Credentials location property. For example:
This parameter applies only if the Credentials location property is specified with an XPath expression. |
Possible Next Steps
The next step is to authenticate the credentials using one of the following steps: Active Directory Authenticate, Oracle Access Manager Authenticate Authorize, File Authenticate, LDAP Authenticate, or SiteMinder Authenticate.
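As an added example (not code from Oracle WSM or from this guide), the following Python shows what the Extract Credentials step has to do when Credentials location is an XPath expression: resolve the configured namespace prefixes, locate the credential element, then evaluate the User ID and Password XPaths relative to it. The sample SOAP request, the `soap` and `wsse` prefix names, and the alternating "prefix URI prefix URI" layout of the Namespaces value are assumptions for this example; the page states only that the list is space-delimited prefix and URI pairs with a space inside a URI written as %20.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample request: a SOAP 1.1 envelope carrying a WS-Security UsernameToken.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>johndoe</wsse:Username>
        <wsse:Password>baseball</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getQuote/></soap:Body>
</soap:Envelope>"""

# Constructed property values as they might be configured on the step.
NAMESPACES = ("soap http://schemas.xmlsoap.org/soap/envelope/ "
              "wsse http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")
CREDENTIALS_LOCATION = ".//wsse:Security/wsse:UsernameToken"
USERID_XPATH = "wsse:Username"
PASSWORD_XPATH = "wsse:Password"


def parse_namespaces(spec):
    """Map the space-delimited Namespaces property to {prefix: uri}.

    Assumption: the value alternates prefix and URI tokens. A literal %20 inside a
    URI is decoded back to a space, as the property description requires.
    """
    tokens = spec.split()
    if len(tokens) % 2 != 0:
        raise ValueError("Namespaces must contain prefix/URI pairs")
    return {tokens[i]: unquote(tokens[i + 1]) for i in range(0, len(tokens), 2)}


def extract_credentials(soap_xml, credentials_location, userid_xpath, password_xpath, namespaces):
    """Return (user_name, password), or None when the message carries no usable credential.

    ElementTree's limited XPath is enough for the relative paths the step uses. A
    production enforcement point should parse untrusted XML with a hardened parser
    (for example defusedxml) before evaluating any expression on it.
    """
    prefixes = parse_namespaces(namespaces)
    root = ET.fromstring(soap_xml)
    location = root.find(credentials_location, prefixes)
    if location is None:
        return None                      # no credential element: nothing to authenticate
    user = location.find(userid_xpath, prefixes)
    password = location.find(password_xpath, prefixes)
    if user is None or password is None or not (user.text or "").strip():
        return None                      # a missing or empty user name is not a credential
    return user.text.strip(), password.text or ""


if __name__ == "__main__":
    print(extract_credentials(SAMPLE_SOAP, CREDENTIALS_LOCATION, USERID_XPATH, PASSWORD_XPATH, NAMESPACES))
    # A prefix bound to a URI that differs from the document, even only by a trailing
    # slash, matches nothing: the same caveat the Sign XML Namespace property gives.
    wrong = NAMESPACES.replace("secext-1.0.xsd", "secext-1.0.xsd/")
    print(extract_credentials(SAMPLE_SOAP, CREDENTIALS_LOCATION, USERID_XPATH, PASSWORD_XPATH, wrong))
```

The second call in the `__main__` block returns None: the namespace URI bound to `wsse` no longer matches the one in the message, so the credential element is not found and the request reaches the authentication step with no credentials.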
File Authenticate
Verifies the sender's identity by checking against entries in a file.
Usage
Used most often in testing situations. The file format is the same as the .htpasswd file format used by the Apache Web server. The password can be encoded in four forms: MD5, SHA1, plain text, or some mix of the three forms.
The MD5 format used by Oracle Web Services Manager is not compatible with other MD5 encodings. Therefore, if you use the MD5 encoding, you must use the tool provided to encode the passwords.
The wsmadmin command-line tool can be found at the following location:
ORACLE_HOME/OWSM_1/owsm/bin
Create a text file with the user name and password in unencrypted text. For example, the text file, password.txt, could contain the following entries:
johndoe:baseball
janedoe:rollarskating
You must run the md5encode command separately for each user name and password combination.
The command to run the tool is:
wsmadmin md5encode htpasswdfile user_name password
The parameters are:
htpasswdfile – the name of the file to which the user name and password are added
user_name – the user name in the text file
password – the password assigned to the user
For example:
ORACLE_HOME/OWSM_1/owsm/bin/wsmadmin.sh md5encode johndoe baseball C:/password.txt
The wsmadmin tool encrypts the password and replaces the password you entered in unencrypted text with the encrypted form. The following are example entries in the file after the command has been executed:
johndoe:{MD5}JMnhX1KvxHwiW3V+e+4fnQ==
janedoe:{MD5}dqIXO+Y5M1TnL/pNbfEDCg==
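The following Python is an added example, not Oracle WSM code, of how a File Authenticate lookup against a file in this layout can be verified safely: parse one user:password entry per line, dispatch on the {MD5}, {SHA} or plain-text form, and compare in constant time. The {MD5} helper here is an assumption (base64 of the raw MD5 digest); the guide says Oracle WSM's {MD5} form is its own and must be produced with wsmadmin md5encode, so this helper stands in for that tool and does not reproduce its output. The user names follow the guide's example; the third user and all hashes are constructed here.

```python
import base64
import hashlib
import hmac


def md5_encode(password):
    """Produce a {MD5} entry. Assumption: base64 of the raw MD5 digest, a stand-in for
    'wsmadmin md5encode', whose own format the guide says is not compatible with others."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def sha_encode(password):
    """Produce a {SHA} entry in the Apache htpasswd form: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


# Constructed sample file in the one-entry-per-line layout the guide describes,
# mixing all three forms.
SAMPLE_PASSWD_FILE = "\n".join([
    "johndoe:" + md5_encode("baseball"),
    "janedoe:" + sha_encode("rollarskating"),
    "tester:plaintextonly",            # plain-text form, constructed user
])


def parse_passwd_file(text):
    """Return {user: stored_password}. Malformed lines are rejected rather than skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            raise ValueError("line %d: expected user:password" % lineno)
        entries[user] = stored
    return entries


def verify_password(stored, supplied):
    """Compare a supplied password with a stored entry, dispatching on the {scheme} prefix."""
    if stored.startswith("{MD5}"):
        candidate = md5_encode(supplied)
    elif stored.startswith("{SHA}"):
        candidate = sha_encode(supplied)
    elif stored.startswith("{"):
        return False                     # unknown scheme: fail closed instead of guessing
    else:
        candidate = supplied             # plain-text entry
    # Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def authenticate(entries, user, supplied):
    """True only for a known user whose stored entry matches the supplied password."""
    stored = entries.get(user)
    if stored is None:
        # Do the same amount of work for an unknown name so it is not faster to reject.
        verify_password(md5_encode("dummy"), supplied)
        return False
    return verify_password(stored, supplied)


if __name__ == "__main__":
    users = parse_passwd_file(SAMPLE_PASSWD_FILE)
    for name, pwd in [("johndoe", "baseball"), ("janedoe", "rollarskating"),
                      ("tester", "plaintextonly"), ("johndoe", "Baseball")]:
        print(name, pwd, authenticate(users, name, pwd))
```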
Prerequisite Steps
Extract Credentials
Properties
Table A-6 File Authenticate Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Passwd file location |
Location of the file that contains the user names and passwords. You can provide a full path or a relative path. For the gateway and OC4J agents, the path is relative to ORACLE_HOME/j2ee/home. |
.htpasswd file format |
Format in which the passwords are encrypted. The valid values are:
|
Possible Next Steps
File Authorize
File Authorize
Grants or denies access to an authenticated user using a local roles file.
Usage
Used most often in testing situations.
Role information is defined in a text file with the following format:
<user username="name_of_user" roles="role_1,role_2,role_n"/>
Each entry identifies the user and the roles to which the user is assigned. The entry for each user is on a separate line in the file. An example file can be found in the following location: ORACLE_HOME/owsm/config/gateway/roles.xml.
If any of the roles to which the user is assigned matches one of the roles defined in the Allowed Roles property, the user is granted access to the service.
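An added example (not Oracle WSM code) of the File Authorize decision: parse the roles file in the format shown above and grant access when the user's roles intersect the Allowed roles list. The sample file is constructed; it assumes the file is a sequence of <user/> elements with no root element, so the text is wrapped in a synthetic root before parsing (a file that does have a root element parses the same way).

```python
import xml.etree.ElementTree as ET

# Constructed roles file in the format the guide shows: one <user .../> entry per line.
SAMPLE_ROLES_FILE = """<user username="johndoe" roles="customer,support"/>
<user username="janedoe" roles="admin"/>
<user username="guest" roles=""/>
"""


def parse_roles_file(text):
    """Return {username: set_of_roles}.

    Assumption: the file has no root element, so the entries are wrapped in one here.
    Since .iter("user") walks the whole tree, a file that already has a root works too.
    """
    root = ET.fromstring("<roles>" + text + "</roles>")
    roles = {}
    for elem in root.iter("user"):
        name = elem.get("username")
        if not name:
            raise ValueError("user entry without username attribute")
        if name in roles:
            raise ValueError("duplicate entry for user %r" % name)
        roles[name] = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
    return roles


def parse_role_list(spec):
    """Split a comma-delimited role list such as the Allowed roles property."""
    return {r.strip() for r in spec.split(",") if r.strip()}


def is_authorized(user_roles, user, allowed_roles):
    """Grant access when at least one of the user's roles appears in Allowed roles.

    A user absent from the file has no roles, so the result is a denial, not an error.
    """
    assigned = user_roles.get(user, set())
    return bool(assigned & parse_role_list(allowed_roles))


if __name__ == "__main__":
    roles = parse_roles_file(SAMPLE_ROLES_FILE)
    for user in ("johndoe", "janedoe", "guest", "unknown"):
        print(user, is_authorized(roles, user, "support,admin"))
```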
Prerequisite Steps
File Authenticate
Properties
Table A-7 File Authorize Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
User roles file location |
Location of the file describing the user roles. You can provide a full path or a relative path. For the gateway and OC4J agents, the path is relative to ORACLE_HOME/j2ee/home. |
Allowed roles |
Comma-delimited list of roles authorized access to the service. |
Possible Next Steps
There are no recommended next steps.
Handle Generic Fault
Provides a custom message in the SOAP fault when errors are encountered.
Usage
Customizes the message that is sent back in the SOAP fault when errors occur in processing the policy.
Prerequisite Steps
None
Properties
Table A-8 Handle Generic Fault Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
CustomMessage |
Message text that the error handler returns. This message overrides the default Oracle WSM error message. |
Possible Next Steps
There are no recommended next steps.
Insert Oracle Access Manager Token
Inserts an ObSSOCookie in the SOAP security header.
Usage
Used with the gateway policy enforcement points when the client sends an ObSSOCookie in the HTTP header, and the Web service expects the ObSSOCookie in a SOAP security header.
Prerequisite Steps
None
Properties
Table A-9 Insert Oracle Access Manager Token Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Possible Next Steps
To protect the token, use the Sign Message or the Sign Message and Encrypt policy step.
Insert WSBASIC Credentials
Inserts user name and password credentials in a SOAP security header.
Usage
Used with gateway policy enforcement points when the client credentials are specified in one format and the Web service expects the credentials in a WS-BASIC SOAP header. You must first use the Extract Credentials step to get the credentials, then use Insert WSBASIC Credentials to put the credentials in the SOAP header as specified in the Web Services Security Username Token Profile 1.0.
Prerequisite Steps
Extract Credentials
Properties
Table A-10 Insert WSBASIC Credentials Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
User Name |
User name for the user's credentials. |
User Password |
Password for the user's credentials. |
Possible Next Steps
To protect the token, this step should be followed by the Sign Message and Encrypt policy step.
LDAP Authenticate
Verifies the sender's identity by checking the user name and password in an LDAP directory.
Usage
Establishes that a valid client is invoking the Web service.
Prerequisite Steps
Extract Credentials
Properties
Table A-11 LDAP Authenticate Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
LDAP host |
Host on which the LDAP directory server is running that contains the user schema that must be authenticated. |
LDAP port |
Port on which the LDAP directory server is listening for the connections. |
LDAP SSL port |
Port on which the LDAP directory server is listening for SSL connections. |
User objectclass |
The object class of the user for which authentication is being performed. |
LDAP baseDN |
The base distinguished name where the users and groups (also known as roles) data exist for this LDAP directory server. |
LDAP adminDN |
This property is required when the LDAP admin login enabled property is set to true. The distinguished name for Admin. For example, cn=DirectoryManager. |
LDAP admin password |
The password for the Admin user when the LDAP admin login enabled property is set to true. |
LDAP admin login enabled |
Set to true if the Admin user is required to connect to the LDAP directory server. If set to false, then anonymous access is permitted. |
LDAPSSLEnabled |
Set to true if the LDAP connection must be an SSL connection. |
Uid Attribute |
A property, such as uid, that uniquely identifies the user entry in LDAP. |
User Attributes to be retrieved |
User profile properties to be read. These properties can be used in subsequent steps such as SAML - Insert WSS 1.0 Sender-Vouches Token which inserts attribute statements using the retrieved values. Custom policy steps can also use these attributes. |
Possible Next Steps
LDAP Authorize
LDAP Authorize
Grants or denies access to an authenticated user using an LDAP directory server.
Usage
Authorizes access to the Web service based on user group membership in LDAP. The user must be a member of one of the configured groups in the ServiceRoles property to be granted access.
Prerequisite Steps
LDAP Authenticate
Properties
Table A-12 LDAP Authorize Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
LDAP host |
Host on which the LDAP directory server is running that contains the users and their roles. |
LDAP port |
Port on which the LDAP directory server is listening for connections. |
LDAP SSL port |
Port on which the LDAP directory server is listening for SSL connections. |
LDAP baseDN |
The base distinguished name where the users and groups (also known as roles) data exist for this LDAP directory server. Set the base distinguished name to the root DN of both the users and groups. For example, if the users are in cn=users, dc=company, dc=com, and the groups are in cn=groups, dc=company, dc=com, then the LDAP baseDN should be set to dc=company, dc=com. |
ServiceRoles |
Roles that have access to the service. Use an asterisk to indicate white spaces in the name. For example, for the role Customer Support, you would specify Customer*Support. |
LDAPAdminDN |
Distinguished name for Admin. This property is required when LDAPAdminLoginEnabled property is set to true. If set to false, then an anonymous bind is permitted. |
LDAPAdminPwd |
The password for the Admin user when the LDAPAdminLoginEnabled property is set to true. |
LDAPAdminLoginEnabled |
Set to true if Admin user is required to connect to the LDAP directory server. If set to false, then an anonymous bind is permitted. |
LDAPSSLEnabled |
Set to true if the connection to LDAP must use SSL. |
Uid Attribute |
An attribute, such as uid, that uniquely identifies the user entry in LDAP. |
LDAP Group Object Class |
Name of objectclass for LDAP groups. |
Possible Next Steps
There are no recommended next steps.
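An added example (not Oracle WSM code) of the directory queries behind the LDAP Authenticate and LDAP Authorize steps, which apply equally to the Active Directory steps: build the user lookup from the User objectclass and Uid Attribute properties, expand the ServiceRoles value (with * standing for a space), and build the group lookup from LDAP Group Object Class. The object class names, the `uniqueMember` attribute used to record group membership, and the sample DNs are assumptions; the RFC 4515 escaping of values placed in a filter is the editor's addition, not something the guide states the product does.

```python
# Constructed values standing in for the step properties (not from the guide).
USER_OBJECTCLASS = "inetOrgPerson"
UID_ATTRIBUTE = "uid"
GROUP_OBJECTCLASS = "groupOfUniqueNames"
MEMBER_ATTRIBUTE = "uniqueMember"      # assumption: how group membership is recorded
SERVICE_ROLES = "Customer*Support,Admins"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    Without this, a supplied user name such as 'jdoe*)(uid=*' would change the
    filter's structure instead of being matched as a literal value.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def parse_service_roles(spec):
    """Split the comma-delimited ServiceRoles value; '*' stands for a space in a role name."""
    return [r.strip().replace("*", " ") for r in spec.split(",") if r.strip()]


def user_search_filter(uid):
    """Filter that finds the authenticated user's entry, searched under LDAP baseDN."""
    return "(&(objectClass=%s)(%s=%s))" % (
        USER_OBJECTCLASS, UID_ATTRIBUTE, escape_filter_value(uid))


def group_search_filter(user_dn, service_roles):
    """Filter that finds groups of the configured object class that contain the user's
    DN and are named after one of the ServiceRoles. Searched under the same baseDN,
    which is why the guide says to set it to the common root of users and groups."""
    alternatives = "".join("(cn=%s)" % escape_filter_value(r) for r in service_roles)
    return "(&(objectClass=%s)(%s=%s)(|%s))" % (
        GROUP_OBJECTCLASS, MEMBER_ATTRIBUTE, escape_filter_value(user_dn), alternatives)


def has_service_role(group_names_found, service_roles):
    """Access is granted when the directory returned at least one matching group."""
    return any(name in service_roles for name in group_names_found)


if __name__ == "__main__":
    roles = parse_service_roles(SERVICE_ROLES)
    print(user_search_filter("jdoe"))
    print(user_search_filter("jdoe*)(uid=*"))        # the injection attempt is neutralised
    print(group_search_filter("uid=jdoe,cn=users,dc=company,dc=com", roles))
    print(has_service_role(["Customer Support"], roles))
```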
Log
Logs the current message as received in this policy step.
Usage
Debugs other policy steps. Insert it after the policy step you want to debug to find out how the message was modified by the step.
Messages are stored in the database and can be viewed from Web Services Manager Control.
Prerequisite Steps
None
Properties
Table A-13 Log Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Log level |
The part of the message you want logged. Valid values are: envelope, body, header, and all. Note, the values envelope and all are identical. |
Possible Next Steps
There are no recommended policy steps.
Oracle Access Manager Authenticate Authorize
Verifies the sender's identity in Oracle Access Manager, and if the sender is authenticated, the sender is given access using an Oracle Access Manager policy.
Usage
Combines authentication and authorization in a single step. Authentication is always performed, and authorization is performed by default; you can turn authorization off with the Authorize property.
Oracle Access Manager extracts the credentials to authenticate the sender in the order shown:
ObSSOCookie in the HTTP header
ObSSOCookie in SOAP header
User name and password extracted in a previous Extract Credentials step
Signing certificate extracted in a previous Verify Signature step
SSL certificate used by the transport layer
The ObSSOCookie in the SOAP header must be set as a BinarySecurityToken with Security/BinarySecurityToken/@ValueType = ObSSOCookie.
Oracle Access Manager first checks for an ObSSOCookie in the HTTP header. If it finds the cookie, it uses this to authenticate the sender. If not, it continues and checks for an ObSSOCookie in the SOAP header. It continues searching in the order previously shown until it finds the credential.
If the Authorize property is set to true, then authorization is performed based on a policy that is configured in Oracle Access Manager with an authorization rule. The following types of authorization can be performed:
Membership in a group (static or dynamic)
Time-of-day based authorization
Internet Protocol (IP) validation
Custom authorization using Oracle Access Manager authorization plug-ins
Required Configuration
Oracle Access Manager Authenticate Authorize uses the Java Native Interface (JNI) libraries. Therefore, you must set up your environment variables to load the shared libraries. See Appendix E, "Authentication Sources," in Oracle Web Services Manager Deployment Guide for more information.
User Attribute or Group Information
You may need to retrieve user attributes or group information if a subsequent policy step, such as SAML – Insert WSS 1.0 Sender-Vouches Token or a custom policy step, requires this information. This information can be retrieved using the Oracle Access Manager Authenticate Authorize step. You must use the return action functionality in Oracle Access Manager. Use the Access System Console to add an action for an authentication rule. On the Actions page, find the Authentication Success section, then find the Return section. Specify values for the following fields.
To retrieve user attributes, enter the following values:
Type – HeaderVar
Name – Enter any name of your choice to identify the attribute. Note, however, this is the name by which the attribute must be referred to in subsequent policy steps. For example, this is the name you would enter in the User Attributes for attribute statements parameter for the SAML – Insert WSS 1.0 Sender-Vouches Token policy step.
Return Attribute – Enter the LDAP user attribute name. You must use the name by which the attribute is identified in the LDAP directory.
To retrieve user groups, enter the following values:
Type – HeaderVar
Name – Enter any name of your choice to identify the attribute. Note, however, this is the name by which the attribute must be referred to in subsequent policy steps. For example, this is the name you would enter in the User Attributes for attribute statements parameter for the SAML – Insert WSS 1.0 Sender-Vouches Token policy step or in a custom step.
Return Attribute – obmygroups
Retrieved attribute or group information can be used in the SAML – Insert WSS 1.0 Sender-Vouches Token policy step or in a custom step.
For more information on how to set up return actions, see the section, "Setting Authentication Actions" in the Oracle Access Manager Access System Administration Guide.
Prerequisite Steps
Depending on the method used to establish credentials, Extract Credentials or Verify Signature may be prerequisites.
Properties
Table A-14 Oracle Access Manager Authenticate Authorize Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Resource Type |
Type of resource to be protected such as HTTP. This should match the resource type configured in Oracle Access Manager policies. |
AccessGate Install Directory |
Directory where AccessServerSDK is installed. |
Authorize |
If set to true, authorization is performed. |
ForwardCookie |
If set to true, an ObSSOCookie is inserted in the header. |
Possible Next Steps
If this is a client-side policy verifying a client's identity, then a possible next step is SAML – Insert WSS 1.0 Sender-Vouches Token.
If this is a server-side policy verifying access to Web services, then a possible next step is a custom step that authorizes users based on retrieved user attributes.
SAML – Insert WSS 1.0 Sender-Vouches Token
Secures SOAP messages by inserting SAML assertions. Optionally, the assertion can be signed.
Usage
Sends user credentials in a federated way across security domains using the SAML 1.1 assertions. The token follows the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0), and uses the sender-vouches confirmation method. Both authentication and attribute statements of the user, and signed or unsigned assertions can be sent as part of a SOAP message. Oracle WSM acts as the SAML issuer, and any WS-Security SAML-compliant third-party tool can consume SAML assertions produced by Oracle WSM.
Prerequisite Steps
Extract Credentials
If an attribute statement is included in the assertion, then you must use LDAP Authenticate, Oracle Access Manager Authenticate Authorize, or Active Directory Authenticate to retrieve the values for the attributes.
Properties
Table A-15 SAML - Insert WSS 1.0 Sender-Vouches Token Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Subject Name Qualifier |
Security or administrative domain that qualifies the name of the subject. For example, |
Subject Format |
Syntax used to identify the subject. The valid values are:
|
Assertion Issuer |
Issuer of the assertion. Specify the issuer in URI format. For example, The URI for the assertion issuer cannot contain spaces. Use commas to separate entries. |
Assertion valid till before current time |
Number of seconds prior to the current system time that the assertion is valid. This property allows for minor discrepancies between the clock time of the computer hosting the identity provider and the computer hosting the Web service provider. |
Assertion valid till on/after current time |
Number of seconds after the current system time that the assertion expires and is no longer valid. |
User Attributes for attribute statements |
Comma-delimited user attributes for which SAML attribute statements are generated in the assertion. If this property is specified, then an authentication step must precede this step which extracts the user attributes. |
Corresponding namespace URIs for the user attributes |
Comma-delimited namespace URIs to use for the attributes specified with the User attributes for attribute statements property. For example, |
Sign the assertion |
If set to true, then the SAML assertion and the SOAP body are signed. |
Keystore location |
Location of the keystore used for signing. |
Keystore Type |
Keystore file format. The valid values are:
|
Keystore password |
Password for keystore file. |
Signature Method |
Algorithm used to sign message. This should be identical to the signature algorithm used for Signing key alias. The valid values are:
|
Signing key alias |
Alias of the key used to sign the message. |
Signing key password |
Password for the Signing key alias. |
Possible Next Steps
If you want to encrypt the SOAP message, then use XML Encrypt.
SAML – Verify WSS 1.0 Token
Verifies the SAML token according to the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0) standard.
Usage
Verifies user credentials that are sent as SAML assertions. The assertions are sent by a client in a federated way across security domains using the SAML 1.1 protocol. The token received must follow the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0) standard. Both the authentication and attribute statements of the user can be verified. The assertions that are received can be signed or unsigned. Oracle WSM acts as the SAML issuer, and any WS-Security SAML-compliant third-party tool can consume SAML assertions produced by Oracle WSM.
Prerequisite Steps
If the message was encrypted, then you must first decrypt the message using XML Decrypt.
Properties
Table A-16 SAML - Verify WSS 1.0 Token Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Trusted Assertion Issuer Names |
Comma-delimited list of names of trusted assertion issuers. The URI for the assertion issuer cannot contain spaces. |
Allow signed assertions only |
If set to true, requires that assertions are signed. Unsigned assertions are rejected. |
Trust store location |
Keystore location containing trusted root and intermediate authority certificates. |
Trust store Type |
Trust store file format. Valid values are:
|
Trust store password |
Password for keystore. |
Possible Next Steps
The Oracle Access Manager Authenticate Authorize step can be used to further authenticate the user using the SubjectName only. An authentication scheme should be configured for this in Oracle Access Manager which uses only the user ID for authentication.
Authorizations based on attribute statements can be performed in a custom step. The SAML assertions are available to custom steps through the following API:
ArrayList[] IMessageContext.getProperty("SAML_ASSERTIONS");
ArrayList[] is an array of strings.
Sign Message
Digitally signs the message.
Usage
Protects the integrity of the message.
Prerequisite Steps
None
Properties
Table A-17 Sign Message Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Keystore location |
Location of keystore file. |
Signing Keystore Type |
Keystore format type that is used for signing. |
Keystore password |
Password for keystore file. |
Signer's private-key alias |
Key alias used for the signing operations. |
Signer's private-key password |
Password for the signing key alias. |
Signature Algorithm |
Algorithm used to sign data. Valid values are: RSA-SHA1 and DSA-SHA1. |
Signed Content |
Part of the SOAP envelope to sign. Valid values are: BODY, HEADERS, ENVELOPE, or XPATH. The default is BODY. |
Sign XPATH Expression |
XPath Expression for the element to be signed (for example, |
Sign XML Namespace |
Comma-delimited namespace URLs for the XPath expression. For example, Note: The namespace URI must precisely match what appears in the XML document. For example, if a forward slash (/) appears at the end of the URI, this must be included in the Sign XML Namespace. |
Possible Next Steps
There are no recommended next steps.
Sign Message and Encrypt
Attaches a signature to an XML message and encrypts the message.
Usage
Protects both the integrity and confidentiality of the message. This is achieved by signing the message and encrypting the message or parts of it such that the protected parts cannot be read.
Prerequisite Steps
None
Properties
Table A-18 Sign Message and Encrypt Properties
Property | Description |
---|---|
Enabled |
If set to true, this step is enabled. |
Signing Keystore location |
Location of the keystore file. |
Signing Keystore Type |
Keystore format type that is used for signing. |
Signing Keystore password |
Password for keystore file. |
Signer's private-key alias |
Key alias for the signing operations. |
Signer's private-key password |
Password for the signing key alias. |
Signature Algorithm |
Algorithm used to sign data. Valid values are: RSA-SHA1 and DSA-SHA1. |
Signed Content |
Part of the SOAP envelope to sign. Valid values are: BODY, HEADERS, ENVELOPE, or XPATH. The default is BODY. |
Sign XPATH Expression |
XPath Expression for the element to be signed (for example, |
Sign XML Namespace |
Namespace URLs for the XPath expression. For example, Note: The namespace URI must precisely match what appears in the XML document. For example, if a forward slash (/) appears at the end of the URI, this must be included in the Sign XML Namespace. |
Encryption Keystore location |
Location of the keystore file. |
Encrypt Keystore Type |
Keystore format type that is used for encryption. |
Encryption Keystore password |
Password for the keystore file. |
Decryptor's public-key alias |
Key alias for the decryption operations. |
Encryption Algorithm |
Block cipher used to encrypt data. Valid values are: 3DES (Triple Data Encryption Standard), AES-128, and AES-256 (Advanced Encryption Standard). |
Key Transport Algorithm |
Valid values are RSA-1_5 and RSA-OAEP-MGF1P. |
Encrypted Content |
Part of the SOAP envelope to be encrypted. Valid values are: BODY, HEADERS, ENVELOPE, or XPATH. The default is BODY. |
Encrypt XPATH Expression |
XPath Expression for the element to be encrypted (for example, |
Encrypt XML Namespace |
Namespace URLs for the XPath expression. For example, Note: The namespace URI must precisely match what appears in the XML document. For example, if a forward slash (/) appears at the end of the URI, this must be included in the Encrypt XML Namespace. |
Possible Next Steps
There are no recommended next steps.
SiteMinder Authenticate
Verifies the sender's identity by checking the user name and password in a CA eTrust SiteMinder access system.
Usage
Establishes that a valid client is invoking the service.
Prerequisite Steps
Extract Credentials
Properties
Table A-19 SiteMinder Authenticate Properties
Property | Description |
---|---|
Enabled | If set to true, this step is enabled. |
SmServer host | IP address for the system running the CA eTrust SiteMinder server. |
SmAgent name | Name of the agent configured with the CA eTrust SiteMinder server. |
SmAgent secret | Password for the agent. |
Resource | Name of the resource configured with basic authentication in the SiteMinder policy. |
Operation | Name of the operation configured in the SiteMinder policy. |
Possible Next Steps
SiteMinder Authorize
Grants or denies access to an authenticated user using CA eTrust SiteMinder.
Usage
Uses CA eTrust SiteMinder to verify whether the user has access.
Prerequisite Steps
SiteMinder Authenticate
Properties
Table A-20 SiteMinder Authorize Properties
Property | Description |
---|---|
Enabled | If set to true, this step is enabled. |
TransactionID | ID used to identify the transaction with the CA eTrust SiteMinder server. This parameter is optional. |
Possible Next Steps
There are no recommended next steps.
Verifies that a certificate path is valid by validating it against the trusted root and intermediate certificates.
Usage
Verifies whether the certificate used for signing or for SSL connections was issued by trusted root and intermediate CAs. For the verification to pass, the keystore must contain the certificate itself as well as the root and any intermediate certificates.
Prerequisite Steps
Verify Signature or Decrypt and Verify Signature; alternatively, the transport security uses SSL.
Properties
Table A-21 Verify Certificate Properties
Property | Description |
---|---|
Enabled | If set to true, this step is enabled. |
Keystore location | Location of the keystore file used to verify the certificate and its trusted root and intermediate certificates. |
Keystore password | Password to access the keystore. |
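The path validation described above, as an added example in plain JDK code (not Oracle WSM's own implementation, whose exact rules for which keystore entries act as trust anchors this page does not state): it loads the keystore named by the step's Keystore location property, treats the self-signed entries as trust anchors, offers the remaining entries to the PKIX builder as candidate intermediates, and asks for a path from the signer's certificate up to a root. The keystore path, password, type and the `signer-alias` alias are placeholders to be replaced with the step's configured values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class VerifyCertificatePath {

    // Load a JKS or PKCS12 keystore; path, password and type are assumptions,
    // not product defaults.
    static KeyStore loadKeystore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    // Build and validate the PKIX path from the signer's certificate to a
    // self-signed root held in the keystore. Intermediates and the leaf itself
    // are supplied through a CertStore built from the other keystore entries.
    // Throws if no path to a trusted root exists (missing intermediate, expired
    // certificate, wrong root, ...).
    static PKIXCertPathBuilderResult validate(KeyStore ks, X509Certificate leaf) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        List<X509Certificate> candidates = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            if (isSelfSigned(x)) anchors.add(new TrustAnchor(x, null)); // roots only
            else candidates.add(x);                                      // intermediates, leaf
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(candidates)));
        // No CRL or OCSP source is wired up in this example, so revocation is
        // switched off here; a production check must configure a
        // PKIXRevocationChecker (or CRLs in the CertStore) instead.
        params.setRevocationEnabled(false);
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder location, password and alias (assumptions for this example).
        KeyStore ks = loadKeystore("/path/to/keystore.jks", "changeit".toCharArray(), "JKS");
        X509Certificate signer = (X509Certificate) ks.getCertificate("signer-alias");
        PKIXCertPathBuilderResult r = validate(ks, signer);
        System.out.println("Path length: " + r.getCertPath().getCertificates().size());
        System.out.println("Trust anchor: "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

If the keystore holds only the root and the signer's certificate but not the intermediate that issued it, the builder throws rather than returning a path; that is exactly the "keystore must contain the root and any intermediate certificates" condition stated in the Usage section, and it is the first thing to check when this step rejects a message whose certificate looks valid.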
Possible Next Steps
Extract Credentials
Verifies the signature of an XML message that was signed to protect its integrity.
Usage
Verifies the signature of the XML message. If the message was both encrypted and signed in two separate steps, then the policy steps to decrypt and verify the signature must be performed in the reverse of the order in which they were applied. If both were performed in a single step, then use the Decrypt and Verify Signature step.
The Enabled property enables the verification of signatures. The Enforce Signing property allows you to control whether or not unsigned messages are allowed to pass through.
Prerequisite Steps
None
Properties
Table A-22 Verify Signature Properties
Property | Description |
---|---|
Enabled | If set to true, this step is enabled. |
Keystore location | Location of the keystore file used for signing and encryption. |
Verifying Keystore Type | Keystore file format. The valid values are: |
Keystore password | Password to access the keystore file. |
Signer's public-key alias | Alias for the public key. This alias is used to locate the key. |
Remove Signatures | If set to true, then the signature elements are removed from the message. Set this property to false if you want to pass the message on with its signature elements. |
Enforce Signing | If set to true, an unsigned message is not allowed to pass through. If set to false, both signed and unsigned messages are allowed. |
Possible Next Steps
If the message was encrypted before it was signed, then the next step is XML Decrypt.
If not, then the next step is Extract Credentials.
Decrypts the XML message or the parts of the message that were encrypted for confidentiality.
Usage
If the message was both encrypted and signed in two separate policy steps, then the policy steps to decrypt and verify the signature must be performed in the reverse of the order in which they were applied. If both were performed in a single step, then use the Decrypt and Verify Signature step.
The Enabled property enables decryption of encrypted messages. The Enforce Encryption property allows you to control whether or not unencrypted messages are permitted to pass through.
Prerequisite Steps
None
Properties
Table A-23 XML Decrypt Properties
Property | Description |
---|---|
Enabled | If set to true, this step is enabled. |
Keystore location | Location of the keystore file used for signing and encryption. |
Decrypt Keystore Type | Keystore file format. The valid values are: |
Keystore password | Password to access the keystore file. |
Decryptor's private-key alias | Alias of the private key used to decrypt the message. |
Decryptor's private-key password | Password to access the private key used for decryption. |
Enforce Encryption | If set to true, only encrypted messages are allowed to pass through; an unencrypted message is not allowed through. If set to false, then both encrypted and unencrypted messages are permitted through. |
Possible Next Steps
If the message was signed before it was encrypted, then the next step is Verify Signature.
If not, then the next step is Extract Credentials.
Encrypts an XML message.
Usage
Protects the confidentiality of the message or parts of the message such that the protected parts cannot be read.
Prerequisite Steps
None
Properties
Table A-24 XML Encrypt Properties
Property | Description |
---|---|
Enabled | If set to true, this step is enabled. |
Keystore location | Location of the keystore file. |
Encrypt Keystore Type | Keystore format type that is used for encryption. |
Keystore password | Password for the keystore file. |
Decryptor's public-key alias | Alias of the decryptor's public key, used for the encryption operations so that the named recipient can decrypt the message. |
Encryption Algorithm | Block cipher used to encrypt data. Valid values are: 3DES (Triple Data Encryption Standard), AES-128, and AES-256 (Advanced Encryption Standard). |
Key Transport Algorithm | Public-key algorithm used to transport the message encryption key to the recipient. Valid values are RSA-1_5 and RSA-OAEP-MGF1P. |
Encrypted Content | Part of the SOAP envelope to be encrypted. Valid values are: BODY, HEADERS, ENVELOPE, and XPATH. The default is BODY. |
Encrypt XPATH Expression | XPath Expression for the element to be encrypted (for example, |
Encrypt XML Namespace | Comma-delimited namespace URLs for the XPath expression. For example, Note: The namespace URI must precisely match what appears in the XML document. For example, if a forward slash (/) appears at the end of the URI, this must be included in the Encrypt XML Namespace. |
Possible Next Steps
There are no recommended next steps.
Modifies the incoming XML using an XSLT file.
Usage
Transforms the message using XSLT in the agent or gateway without requiring changes to the clients. Without such a transform, when the service interface changes, all client interfaces must also change.
Set either the XSLTUrl or XSLTFileName property. If both are set, then XSLTUrl is used.
Prerequisite Steps
None
Properties
Table A-25 XML Transform Properties
Property | Description |
---|---|
Enabled | If set to true, this step is enabled. |
XSLTUrl | URL that specifies the location of the XSLT file. |
XSLTFileName | Path to the XSLT file on the system where Oracle WSM is installed. |
Possible Next Steps
There are no recommended next steps.