16 Oracle WSM 11g Interoperability

This chapter contains the following sections:

Interoperability with Oracle WSM 10g Security Environments

In Oracle WSM 10g, you specify policy steps at each policy enforcement point. The policy enforcement points in Oracle WSM 10g include Gateways and Agents. Each policy step is a fine-grained operational task that addresses a specific security operation, such as authentication and authorization; encryption and decryption; security signature, token, or credential verification; and transformation. Each operational task is performed on either the Web service request or response. For more details about the Oracle WSM 10g policy steps, see "Oracle Web Services Manager Policy Steps" in Oracle Web Services Manager Administrator's Guide 10g (10.1.3.4) at http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/policy_steps.htm#BABIAHEG.

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies". For information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services".

The following sections describe the most common Oracle WSM 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

The following sections provide additional interoperability information about using Oracle WSM 10g gateways and third-party software with Oracle WSM 11g.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.
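The following Python script is an added example (it is not part of this guide or of Oracle WSM) that checks whether a certificate exported from the keystore, for example with keytool -export, is an X.509 v3 certificate; the certificate skeletons embedded in it are constructed for the test and are not real certificates.

```python
"""Verify that a certificate exported from a Java keystore is X.509 v3.

Added example, not Oracle code.  Export the certificate first, for example:
    keytool -export -alias <alias> -keystore <keystore.jks> -file cert.der
then run:  python check_cert_version.py cert.der
Only the outer DER structure of the certificate is walked:
    Certificate ::= SEQUENCE {
        tbsCertificate SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1, ... }, ... }
"""
import base64
import re
import sys


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def load_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return the raw DER bytes."""
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)   # strip BEGIN/END lines
        return base64.b64decode(b"".join(body.split()))
    return data


def x509_version(der: bytes) -> int:
    """Return the certificate version as a number (1, 2 or 3)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a certificate?)")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = _read_tlv(tbs, 0)
    if tag != 0xA0:                        # [0] tag absent: version defaults to v1
        return 1
    itag, ver, _ = _read_tlv(first, 0)
    if itag != 0x02:
        raise ValueError("version field is not an INTEGER")
    return int.from_bytes(ver, "big") + 1  # encoded value 2 means v3


def is_v3(data: bytes) -> bool:
    """True when the PEM or DER certificate in data is version 3."""
    return x509_version(load_der(data)) == 3


# --- constructed test skeletons: only the leading fields of tbsCertificate ---
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the skeletons below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SAMPLE_V3 = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x10")))
SAMPLE_V1 = _der(0x30, _der(0x30, _der(0x02, b"\x10")))      # no [0] tag, so v1
SAMPLE_V3_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_V3)
                 + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        v = x509_version(load_der(f.read()))
    print(f"X.509 version: v{v}" + ("" if v == 3 else "  <-- not v3, regenerate the keystore"))
```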

A Note About Oracle WSM 10g Gateways

As described in "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware", Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include a Gateway component. You can continue to use the Oracle WSM 10g Gateway components with Oracle WSM 10g policies in your applications, as described in the following sections.

A Note About Third-party Software

As described in "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware", Oracle WSM 10g supported policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 11g Release 1 (11.1.1) only supports Oracle WebLogic Server. You can continue to use the third-party application servers with Oracle WSM 10g policies, as described in the following sections.

Anonymous Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WSM 10g policy steps attached to the Web service client.

  • Oracle 10g policy steps attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-1 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: oracle/wss10_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step to the request pipeline: Sign Message and Encrypt.

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step to the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  7. Invoke the Web service.
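When a 10g Sign Message and Encrypt step and an 11g message-protection policy disagree, the first thing to compare is what the captured request actually carries. The following Python script is an added example (not part of this guide or of Oracle WSM) that reads a SOAP request and reports the key-transport and data-encryption algorithm URIs and whether a wsu:Timestamp is present, then compares them with the settings this chapter prescribes for the WS-Security 1.0 message-protection tables (RSA-OAEP-MGF1P, AES-128, Include Timestamp disabled); the sample requests are constructed and their cipher values are placeholders.

```python
"""Report the WS-Security 1.0 algorithms and timestamp usage of a captured SOAP request.

Added example, not Oracle code.  Feed it a request captured on the wire (for
example from the gateway or client log) to see whether the two sides agree.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Settings this chapter prescribes for the WS-Security 1.0 message-protection scenarios.
EXPECTED = {
    "key_transport": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",  # RSA-OAEP-MGF1P
    "data_encryption": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",    # AES-128
    "include_timestamp": False,   # Include Timestamp is disabled on the 11g policy copy
}


def inspect_security_header(xml_text: str) -> dict:
    """Extract the algorithm URIs and timestamp/signature presence from the request."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("request carries no wsse:Security header")
    key = sec.find("xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    data = root.find(".//xenc:EncryptedData/xenc:EncryptionMethod", NS)  # usually in the Body
    return {
        "key_transport": key.get("Algorithm") if key is not None else None,
        "data_encryption": data.get("Algorithm") if data is not None else None,
        "include_timestamp": sec.find("wsu:Timestamp", NS) is not None,
        "signed": sec.find("ds:Signature", NS) is not None,
    }


def interop_mismatches(found: dict, expected: dict = EXPECTED) -> list:
    """Describe every setting of the request that deviates from the expected values."""
    return [f"{k}: found {found.get(k)!r}, expected {v!r}"
            for k, v in expected.items() if found.get(k) != v]


# Constructed sample: what a request produced by the 10g step configured as in this
# chapter looks like in outline (cipher and signature values are placeholders).
GOOD_REQUEST = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsu="{NS['wsu']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsse:BinarySecurityToken wsu:Id="X509Token">PLACEHOLDER</wsse:BinarySecurityToken>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        <xenc:ReferenceList><xenc:DataReference URI="#EncBody"/></xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="EncBody" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample of a mis-configured client: RSA 1.5 key transport, Triple DES, and a
# Timestamp the service policy was not configured to expect.
MISMATCHED_REQUEST = (GOOD_REQUEST
                      .replace("rsa-oaep-mgf1p", "rsa-1_5")
                      .replace("aes128-cbc", "tripledes-cbc")
                      .replace("<ds:Signature>", "<wsu:Timestamp><wsu:Created>2009-01-01T00:00:00Z"
                               "</wsu:Created></wsu:Timestamp><ds:Signature>"))

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("mismatched", MISMATCHED_REQUEST)):
        problems = interop_mismatches(inspect_security_header(req))
        print(name, "->", problems or "matches the chapter's settings")
```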


Oracle WSM 11g Client —>Oracle WSM 10g Web Service

Perform the steps described in the following table.

Table 16-2 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —>Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Decrypt and Verify Signature

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Sign Message and Encrypt

  5. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  3. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss10_message_protection_client_policy".

  5. Invoke the Web service.


Username Token with Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WSM 10g policy steps attached to the Web service client.

  • Oracle 10g policy steps attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-3 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: wss10_username_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps to the request pipeline:

    - Sign Message and Encrypt

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Set Encrypted Content to ENVELOPE.

    d. Set Signed Content to ENVELOPE.

    e. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step to the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  7. Select the Include Header checkbox against WS-Security and provide valid credentials.

  8. Invoke the Web service.


Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Perform the steps described in the following table.

Table 16-4 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    - Decrypt and Verify Signature

    - Extract Credentials (configured as WS-BASIC)

    - File Authenticate

    Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    a. Configure the keystore properties for extracting credentials. The configuration should be in accordance with the keystore used on the server side.

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Set the Credentials location to WS-BASIC.

  5. Configure the File Authenticate policy step in the request pipeline to use valid credentials.

  6. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  7. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_username_token_with_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  3. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy".

  5. Invoke the Web service.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WSM 10g policy steps attached to the Web service client.

  • Oracle 10g policy steps attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-5 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: oracle/wss10_saml_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy to the Web service.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    - Extract Credentials (configured as WS-BASIC)

    - SAML—Insert WSS 1.0 Sender-Vouches Token

    - Sign Message and Encrypt

  3. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Set the Credentials location to WS-BASIC.

  4. Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:

    a. Set Subject Name Qualifier to www.oracle.com.

    b. Set Assertion Issuer as www.oracle.com.

    c. Set Subject Format as UNSPECIFIED.

    d. Set other signing properties, as required.

  5. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  6. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set the Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  7. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  8. Select the Include Header checkbox against WS-Security and provide valid credentials.

  9. Invoke the Web service.


Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Perform the steps described in the following table.

Table 16-6 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    - XML Decrypt

    - SAML—Verify WSS 1.0 Token

  3. Configure the XML Decrypt policy step in the request pipeline, as follows:

    a. Configure the keystore properties for XML decryption. The configuration should be in accordance with the keystore used on the server side.

  4. Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:

    a. Set the Trusted Issuer Name as www.oracle.com.

  5. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  6. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_saml_token_with_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  3. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss10_saml_token_with_message_protection_client_policy".

  5. Invoke the Web service.


Oracle Access Manager Security

The following sections describe how to implement Oracle Access Manager Security with message protection, describing the following interoperability scenario:

  • Oracle WSM 11g policy attached to the Web service, Oracle WSM 10g policy steps attached to the Oracle WSM 10g gateway, and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Oracle WSM 11g Client —> Oracle WSM 10g Gateway —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-7 Oracle Access Manager Security—Oracle WSM 11g Client —> Oracle WSM 10g Gateway —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss_oam_token_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Gateway—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy steps in the request pipeline:

    - Oracle Access Manager Authenticate Authorize

    - Insert Oracle Access Manager Token

  3. Configure the Oracle Access Manager Authenticate Authorize policy step in the policy request pipeline, as follows:

    a. Set ForwardCookie to true.

  4. Set up the AccessServer SDK, as described in "Configure the Access SDK to Each OC4J Instance" in the Oracle Containers for J2EE Security Guide at http://download.oracle.com/docs/cd/B25221_04/web.1013/b14429/coreid.htm#BJEIGIFH.

  5. Configure OAM authentication, as described in "Configuring Application Authentication and Authorization" in Oracle Application Server Enterprise Deployment Guide at: http://download.oracle.com/docs/cd/B25221_04/core.1013/b25210/j2ee.htm#CACCJEHG.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a secured J2EE webapp client using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss_oam_token_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  3. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss_oam_token_client_policy".

  5. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  6. Provide the required credentials requested by the Web application.


Mutual Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WSM 10g policy steps attached to the Web service client.

  • Oracle 10g policy steps attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-8 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: oracle/wss10_x509_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Sign Message and Encrypt.

  3. Configure the Sign Message and Encrypt policy step in the request pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Decrypt and Verify Signature.

  5. Configure the Decrypt and Verify Signature policy step in the response pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  6. Update the following property in the gateway-config-installer.properties file located at ORACLE_HOME/j2ee/oc4j_instance/applications/gateway/gateway/WEB-INF:

    pep.securitysteps.signBinarySecurityToken=true

  7. Restart Oracle WSM Gateway.

  8. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  9. Invoke the Web service.


Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Perform the steps described in the following table.

Table 16-9 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  2. Attach the following policy step in the request pipeline: Decrypt and Verify Signature.

  3. Configure the Decrypt and Verify Signature policy step in the request pipeline, as follows:

    a. Configure the keystore properties for decryption and signature verification. The configuration should be in accordance with the keystore used on the server side.

  4. Attach the following policy step in the response pipeline: Sign Message and Encrypt.

  5. Configure the Sign Message and Encrypt policy step in the response pipeline, as follows:

    a. Set Encryption Algorithm to AES-128.

    b. Set Key Transport Algorithm to RSA-OAEP-MGF1P.

    c. Configure the keystore properties for message signing and encryption. The configuration should be in accordance with the keystore used on the server side.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  2. Create a copy of the following policy: oracle/wss10_x509_token_with_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  3. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss10_x509_token_with_message_protection_client_policy".

  5. Invoke the Web service.


Username Token Over SSL

The following sections describe how to implement username token over SSL, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WSM 10g policy steps attached to the Web service client.

  • Oracle 10g policy steps attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-10 Username Token Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)".

  2. Attach the following policy: wss_username_token_over_ssl_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  4. Select the Include Header checkbox against WS-Security and provide valid credentials.

  5. Invoke the Web service.


Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Perform the steps described in the following table.

Table 16-11 Username Token Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the policy steps:

    - Extract Credentials

    - File Authenticate

    Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Configure the Credentials Location as WS-BASIC.

  5. Configure the File Authenticate policy step in the request pipeline with the appropriate credentials.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

    Ensure that, when generating the client, you specify HTTP in the URL along with the HTTP port number.

  2. Create a copy of the following policy: oracle/wss_username_token_over_ssl_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  3. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss_username_token_over_ssl_client_policy".

  5. Invoke the Web service.


SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)

The following sections describe how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WSM 10g policy steps attached to the Web service client.

  • Oracle 10g policy steps attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-12 SAML Token (Sender Vouches) Over SSL—Oracle WSM 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)".

  2. Create a copy of the following policy: oracle/wss_saml_token_over_ssl_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  3. Attach the policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service (above) with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the following policy steps:

    - Extract Credentials

    - SAML—Insert WSS 1.0 Sender-Vouches Token

  4. Configure the Extract Credentials policy step in the request pipeline, as follows:

    a. Configure the Credentials Location as WS-BASIC.

  5. Configure the SAML—Insert WSS 1.0 Sender-Vouches Token policy step in the request pipeline, as follows:

    a. Configure the Subject Name Qualifier as www.oracle.com.

    b. Configure the Assertion Issuer as www.oracle.com.

    c. Configure the Subject Format as UNSPECIFIED.

    d. Configure the Sign the assertion as false.

  6. Navigate to the Oracle WSM Test page and enter the virtualized URL of the Web service.

  7. Select the Include Header checkbox for WS-Security and provide valid credentials.

  8. Invoke the Web service.


Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Perform the steps described in the following table.

Table 16-13 SAML Token (Sender Vouches) Over SSL—Oracle WSM 11g Client —> Oracle WSM 10g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 10g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Register the Web service with the Oracle WSM 10g gateway. See "Registering Web Services to an Oracle WSM Gateway" in the Oracle WSM Administrator's Guide 10g at: http://download.oracle.com/docs/cd/E12524_01/web.1013/e12575/gateways.htm

  3. Attach the policy step: SAML—Verify WSS 1.0 Token

  4. Configure the SAML—Verify WSS 1.0 Token policy step in the request pipeline, as follows:

    a. Under Signature Verification Properties, set Allow signed assertions only to false.

    b. Set the Trusted Issuer Name to www.oracle.com.

Client—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)".

  2. Create a client proxy using the virtualized URL of the Web service registered on the Oracle WSM gateway.

  3. Create a copy of the following policy: oracle/wss_saml_token_over_ssl_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Disable the Include Timestamp configuration setting.

    b. Leave the default configuration set for all other configuration settings.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  4. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  5. Configure the policy, as described in "oracle/wss_saml_token_over_ssl_client_policy".

  6. Invoke the Web service.


Interoperability with Oracle Containers for J2EE (OC4J) 10g Security Environments

In OC4J 10g, you configure your security environment, as described in the following documents:

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies". For information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services".

The following sections describe the most common OC4J 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

Anonymous Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement anonymous authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and OC4J 10g deployment descriptor defined for the Web service client.

  • OC4J 10g deployment descriptor defined for the Web service and Oracle WSM 11g policy attached to the Web service client.

For information about configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services".

OC4J 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-14 Anonymous Authentication with Message Protection (WS-Security 1.0)—OC4J10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—OC4J 10g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

  2. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

  3. Click Authentication in the Proxy Editor navigation bar and set the following options:

    - Select No Authentication.

  4. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Verify Inbound Signed Request Body.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

    - Select all options under Acceptable Signature Algorithms.

  5. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Sign Outbound Messages.

    - Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  6. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Decrypt Inbound Message Content.

    - Select all options under Acceptable Signature Algorithms.

  7. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Encrypt Outbound Messages.

    - Set the Algorithm to AES-128.

  8. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  9. Click OK to close the wizard.

  10. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in "Editing the <appname>Binding_Stub.xml File".


Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

  1. Provide the keystore password and sign and encryption key passwords.

  2. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" />
    ...
    
  3. In the outbound signature, specify that the timestamp should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  4. In the outbound encryption, specify the key transport algorithm, as follows:

    <outbound><encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
    

Oracle WSM 11g Client —> OC4J 10g Web Service

Perform the steps described in the following table.

Table 16-15 Anonymous Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service

Web Service/Client Steps

Web Service—OC4J 10g

Perform the following steps:

  1. Use Application Server Control to secure the deployed Web service.

  2. Click Authentication in the navigation bar and ensure that no options are selected.

  3. Click Inbound Integrity in the navigation bar and set the following options:

    - Select Require Message Body to Be Signed.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  4. Click Outbound Integrity in the navigation bar and set the following options:

    - Select Sign Body Element of Message.

    - Set the Signature Method to RSA-SHA1.

    - Select Add Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  5. Click Inbound Confidentiality in the navigation bar and set the following options:

    - Select Require Encryption of Message Body.

  6. Click Outbound Confidentiality in the navigation bar and set the following options:

    - Select Encrypt Body Element of Message.

    - Set the Encryption Method to AES-128.

    - Set the public key to encrypt.

  7. Configure the keystore properties and identity certificates.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  8. Edit the wsmgmt.xml deployment descriptor file, as described in "Editing the wsmgmt.xml File".

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the OC4J 10g Web service.

  2. Attach the following policy: oracle/wss10_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy".

  4. Invoke the Web service.


Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

  1. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  2. In the outbound signature, specify that the timestamp should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  3. In the outbound encryption, specify the key transport algorithm, as follows:

    <outbound><encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
    

Username Token with Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and OC4J 10g deployment descriptor defined for the Web service client.

  • OC4J 10g deployment descriptor defined for the Web service and Oracle WSM 11g policy attached to the Web service client.

For information about configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services".

OC4J 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-16 Username Token with Message Protection—OC4J 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—OC4J 10g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

  2. Specify the username and password in the client proxy, as follows:

    port.setUsername(<username>);
    port.setPassword(<password>);
    
  3. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

  4. Click Authentication in the Proxy Editor navigation bar and set the following options:

    - Select Use Username to Authenticate.

    - Deselect Add Nonce and Add Creation Time.

  5. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Verify Inbound Signed Request Body.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

    - Select all options under Acceptable Signature Algorithms.

  6. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Sign Outbound Messages.

    - Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  7. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Decrypt Inbound Message Content.

    - Select all options under Acceptable Signature Algorithms.

  8. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Encrypt Outbound Messages.

    - Set the Algorithm to AES-128.

  9. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  10. Click OK to close the wizard.

  11. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in "Editing the <appname>Binding_Stub.xml File".


Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

  1. Provide the keystore password and sign and encryption key passwords.

  2. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" />
    ...
    
  3. In the outbound signature, specify that the timestamp and UsernameToken should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
     <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" local-part="UsernameToken"/>
    ...
    
  4. In the outbound encryption, specify the key transport algorithm, as follows:

    <outbound><encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
    
  5. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

    <outbound>/<encrypt>/<tbe-elements>
    <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
    ...
    
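As an added example (not Oracle's code and not part of this guide), the following Python script checks a <appname>Binding_Stub.xml or wsmgmt.xml fragment for the settings these editing steps describe: the wsu:Timestamp in the inbound and outbound signed sets, the wsse:UsernameToken both signed and encrypted with mode="CONTENT", and RSA-OAEP-MGF1P as the key transport method. The sample fragment is constructed from the elements shown on this page; its <security> root element, the function names, and the sample name are assumptions, and for the anonymous, SAML, and X509 scenarios on this page the UsernameToken checks are switched off.

```python
"""Check the WS-Security message-protection settings in an OC4J 10g
<appname>Binding_Stub.xml or wsmgmt.xml fragment.

Added example, not Oracle's code. It verifies the edits the
interoperability steps call for: wsu:Timestamp is in the inbound and
outbound signed sets, wsse:UsernameToken is signed and encrypted with
mode="CONTENT", and the key transport method is RSA-OAEP-MGF1P.
"""
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed sample. The <security> root element is an assumption used only
# to give the page's fragments a single root; the checks do not depend on it.
SAMPLE_STUB_XML = """<security>
  <inbound>
    <verify-signature>
      <tbs-elements>
        <tbs-element name-space="%(wsu)s" local-part="Timestamp"/>
      </tbs-elements>
    </verify-signature>
  </inbound>
  <outbound>
    <signature>
      <tbs-elements>
        <tbs-element name-space="%(wsu)s" local-part="Timestamp"/>
        <tbs-element name-space="%(wsse)s" local-part="UsernameToken"/>
      </tbs-elements>
    </signature>
    <encrypt>
      <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
      <tbe-elements>
        <tbe-element local-part="UsernameToken" name-space="%(wsse)s" mode="CONTENT"/>
      </tbe-elements>
    </encrypt>
  </outbound>
</security>
""" % {"wsu": WSU_NS, "wsse": WSSE_NS}


def _qnames(root, path, tag):
    """Return the set of (name-space, local-part) pairs listed under `path`."""
    return {
        (el.get("name-space"), el.get("local-part"))
        for el in root.findall(path + "/" + tag)
    }


def check_message_protection(xml_text, expect_username_token=True):
    """Return a list of findings; an empty list means the fragment passes."""
    root = ET.fromstring(xml_text)
    findings = []

    # Inbound: the service must require the Timestamp to be covered by the signature.
    inbound_signed = _qnames(root, ".//inbound/verify-signature/tbs-elements", "tbs-element")
    if (WSU_NS, "Timestamp") not in inbound_signed:
        findings.append("inbound: wsu:Timestamp is not required to be signed")

    # Outbound: the Timestamp (and, for username token, the token itself) must be signed.
    outbound_signed = _qnames(root, ".//outbound/signature/tbs-elements", "tbs-element")
    if (WSU_NS, "Timestamp") not in outbound_signed:
        findings.append("outbound: wsu:Timestamp is not signed")

    if expect_username_token:
        if (WSSE_NS, "UsernameToken") not in outbound_signed:
            findings.append("outbound: wsse:UsernameToken is not signed")
        # The token carries a plaintext password, so its content must be encrypted.
        token_modes = [
            el.get("mode")
            for el in root.findall(".//outbound/encrypt/tbe-elements/tbe-element")
            if (el.get("name-space"), el.get("local-part")) == (WSSE_NS, "UsernameToken")
        ]
        if not token_modes:
            findings.append("outbound: wsse:UsernameToken is sent unencrypted")
        elif token_modes != ["CONTENT"]:
            findings.append("outbound: wsse:UsernameToken encryption mode is %s, expected CONTENT" % token_modes)

    # Key transport must be RSA-OAEP-MGF1P, as the editing steps specify.
    kt = root.find(".//outbound/encrypt/keytransport-method")
    if kt is None or (kt.text or "").strip() != "RSA-OAEP-MGF1P":
        findings.append("outbound: keytransport-method is not RSA-OAEP-MGF1P")

    return findings


if __name__ == "__main__":
    result = check_message_protection(SAMPLE_STUB_XML)
    for line in result or ["OK: fragment matches the interoperability steps"]:
        print(line)
```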

Oracle WSM 11g Client —> OC4J 10g Web Service

Perform the steps defined in the following table.

Table 16-17 Username Token with Message Protection—Oracle WSM 11g Client —> OC4J 10g Web Service

Web Service/Client Steps

Web Service—OC4J 10g

Perform the following steps:

  1. Use Application Server Control to secure the deployed Web service.

  2. Click Authentication in the navigation bar and set the following options:

    - Select Use Username/Password Authentication.

    - Set Password to Plain Text.

  3. Click Inbound Integrity in the navigation bar and set the following options:

    - Select Require Message Body to Be Signed.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  4. Click Outbound Integrity in the navigation bar and set the following options:

    - Select Sign Body Element of Message.

    - Set the Signature Method to RSA-SHA1.

    - Select Add Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  5. Click Inbound Confidentiality in the navigation bar and set the following options:

    - Select Require Encryption of Message Body.

  6. Click Outbound Confidentiality in the navigation bar and set the following options:

    - Select Encrypt Body Element of Message.

    - Set the Encryption Method to AES-128.

    - Set the public key to encrypt.

  7. Configure the keystore properties and identity certificates.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  8. Edit the wsmgmt.xml deployment descriptor file, as described in "Editing the wsmgmt.xml File".

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the OC4J 10g Web service.

  2. Attach the following policy: oracle/wss10_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy".

  4. Invoke the Web service.


Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

  1. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  2. In the outbound signature, specify that the timestamp should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  3. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

    <outbound>/<encrypt>/<tbe-elements>
    <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
    ...
    

SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and OC4J 10g deployment descriptor defined for the Web service client.

  • OC4J 10g deployment descriptor defined for the Web service and Oracle WSM 11g policy attached to the Web service client.

For information about configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services".

OC4J 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-18 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—OC4J 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_saml_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—OC4J 10g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

  2. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

  3. Click Authentication in the Proxy Editor navigation bar and set the following options:

    - Select Use SAML Token.

    - Click SAML Details.

    - Select Sender Vouches Confirmation and Use Signature.

    - Enter the username that needs to be propagated as the Default Subject Name.

    - Enter www.oracle.com as the Default Issuer Name.

  4. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Verify Inbound Signed Request Body.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

    - Select all options under Acceptable Signature Algorithms.

  5. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Sign Outbound Messages.

    - Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  6. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Decrypt Inbound Message Content.

    - Select all options under Acceptable Signature Algorithms.

  7. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Encrypt Outbound Messages.

    - Set the Algorithm to AES-128.

  8. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  9. Click OK to close the wizard.

  10. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in "Editing the <appname>Binding_Stub.xml File".


Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

  1. Provide the keystore password and sign and encryption key passwords.

  2. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" />
    ...
    
  3. In the outbound signature, specify that the timestamp should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  4. In the outbound encryption, specify the key transport algorithm, as follows:

    <outbound><encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
    

Oracle WSM 11g Client —> OC4J 10g Web Service

Perform the steps defined in the following table.

Table 16-19 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service

Web Service/Client Steps

Web Service—OC4J 10g

Perform the following steps:

  1. Use the Application Server Control to secure the deployed Web service.

  2. Click Authentication in the navigation bar and set the following options:

    - Select Use SAML Authentication.

    - Select Accept Sender Vouches.

    - Deselect Verify Signature.

  3. Click Inbound Integrity in the navigation bar and set the following option:

    - Select Require Message Body To Be Signed.

  4. Click Outbound Integrity in the navigation bar and select the following options:

    - Select Sign Body Element of Message.

    - Set the Signature Method to RSA-SHA1.

    - Select Add Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  5. Click Inbound Confidentiality in the navigation bar and set the following option:

    - Deselect Require Encryption of Message Body.

  6. Click Outbound Confidentiality in the navigation bar and set the following option:

    - Select Encrypt Body Element of Message.

    - Set the Encryption Method to AES-128.

    - Set the public key to encrypt.

  7. Click Inbound Integrity in the navigation bar and set the following options:

    - Select Require Message Body to Be Signed.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  8. Click Outbound Integrity in the navigation bar and set the following options:

    - Select Sign Body Element of Message.

    - Set the Signature Method to RSA-SHA1.

    - Select Add Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  9. Configure the keystore properties and identity certificates.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  10. Edit the wsmgmt.xml deployment descriptor file, as described in "Editing the wsmgmt.xml File".

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the OC4J 10g Web service.

  2. Attach the following policy: oracle/wss10_saml_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss10_saml_token_with_message_protection_client_policy".

  4. Invoke the Web service.


Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

  1. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  2. In the outbound signature, specify that the timestamp should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  3. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

    <outbound>/<encrypt>/<tbe-elements>
    <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
    ...
    

Mutual Authentication with Message Protection (WS-Security 1.0)

The following sections describe how to implement mutual authentication with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and OC4J 10g deployment descriptor defined for the Web service client.

  • OC4J 10g deployment descriptor defined for the Web service and Oracle WSM 11g policy attached to the Web service client.

For information about configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services".

OC4J 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-20 Mutual Authentication with Message Protection (WS-Security 1.0)—OC4J 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_x509_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—OC4J 10g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

  2. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

  3. Click Authentication in the Proxy Editor navigation bar and set the following options:

    - Select Use X509 To Authenticate.

  4. Click Inbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Verify Inbound Signed Request Body.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

    - Select all options under Acceptable Signature Algorithms.

  5. Click Outbound Integrity in the Proxy Editor navigation bar and set the following options:

    - Select Sign Outbound Messages.

    - Select Add Timestamp to Outbound Messages and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  6. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Decrypt Inbound Message Content.

    - Select all options under Acceptable Signature Algorithms.

  7. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following options:

    - Select Encrypt Outbound Messages.

    - Set the Algorithm to AES-128.

  8. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  9. Click OK to close the wizard.

  10. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in "Editing the <appname>Binding_Stub.xml File".


Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

  1. Provide the keystore password and sign and encryption key passwords.

  2. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp" />
    ...
    
  3. In the outbound signature, specify that the timestamp should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  4. In the outbound encryption, specify the key transport algorithm, as follows:

    <outbound><encrypt>
    <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
    ...
    

Oracle WSM 11g Client —> OC4J 10g Web Service

Perform the steps described in the following table.

Table 16-21 Mutual Authentication with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service

Web Service/Client Steps

Web Service—OC4J 10g

Perform the following steps:

  1. Use the Application Server Control to secure the deployed Web service.

  2. Click Authentication in the navigation bar and set the following options:

    - Select Use X509 Certificate Authentication.

  3. Click Inbound Integrity in the navigation bar and set the following options:

    - Select Require Message Body to Be Signed.

    - Select Verify Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  4. Click Outbound Integrity in the navigation bar and set the following options:

    - Select Sign Body Element of Message.

    - Set the Signature Method to RSA-SHA1.

    - Select Add Timestamp and Creation Time Required in Timestamp.

    - Enter the Expiration Time (in seconds).

  5. Click Inbound Confidentiality in the navigation bar and set the following options:

    - Select Require Encryption of Message Body.

  6. Click Outbound Confidentiality in the navigation bar and set the following options:

    - Select Encrypt Body Element of Message.

    - Set the Encryption Method to AES-128.

    - Set the public key to encrypt.

  7. Configure the keystore properties and identity certificates.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  8. Edit the wsmgmt.xml deployment descriptor file, as described in "Editing the wsmgmt.xml File".

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the OC4J 10g Web service.

  2. Attach the following policy: oracle/wss10_x509_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss10_x509_token_with_message_protection_client_policy".

  4. Invoke the Web service.


Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

  1. In the inbound signature, specify the following:

    <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  2. In the outbound signature, specify that the timestamp should be signed, as follows:

    <outbound>/<signature>/<tbs-elements>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
    ...
    
  3. In the outbound encryption, specify that the UsernameToken should be encrypted, as follows:

    <outbound>/<encrypt>/<tbe-elements>
    <tbe-element local-part="UsernameToken" name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" mode="CONTENT"/>
    ...
    

Username token over SSL

The following sections describe how to implement username token over SSL, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and OC4J 10g deployment descriptor defined for the Web service client.

  • OC4J 10g deployment descriptor defined for the Web service and Oracle WSM 11g policy attached to the Web service client.

For information about:

OC4J 10g Client —> Oracle WSM 11g Web Service

Perform the steps defined in the following table.

Table 16-22 Username Token Over SSL—OC4J 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see "Configuring SSL on WebLogic Server (One-Way)" and "Configuring SSL on WebLogic Server (Two-Way)".

  2. Attach the following policy to the Web service: oracle/wss_username_token_over_ssl_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—OC4J 10g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using Oracle JDeveloper.

    Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

  2. Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):

    import javax.net.ssl.HostnameVerifier;   // these three imports go at the top of the file
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;
    // verify() body omitted in the original; JSSE calls it only when the certificate name
    // does not match the URL host, so returning false keeps the default hostname check.
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return false; }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hv);
    System.setProperty("javax.net.ssl.trustStore","<trust_store>");
    System.setProperty("javax.net.ssl.trustStorePassword","<trust_store_password>");
    System.setProperty("javax.net.ssl.keyStore","<key_store>");
    System.setProperty("javax.net.ssl.keyStorePassword","<key_store_password>");
    System.setProperty("javax.net.ssl.keyStoreType","JKS");
    
  3. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

  4. Click Authentication in the Proxy Editor navigation bar and set the following options:

    - Select Use Username to Authenticate.

    - Deselect Add Nonce and Add Creation Time.

  5. Click Inbound Integrity in the Proxy Editor navigation bar and deselect all options.

  6. Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options.

  7. Click Inbound Confidentiality in the Proxy Editor navigation bar and deselect all options.

  8. Click Outbound Confidentiality in the Proxy Editor navigation bar and deselect all options.

  9. Click Keystore Options in the Proxy Editor navigation bar and configure the keystore properties, as required.

    Ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

  10. Click OK to close the wizard.

  11. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in "Editing the <appname>Binding_Stub.xml File".


Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

  1. Provide the keystore password and sign and encryption key passwords.

  2. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

    <outbound>
       <signature>
          <add-timestamp created="true" expiry="<Expiry_Time>"/> 
       </signature>
    ...
    

Oracle WSM 11g Client —> OC4J 10g Web Service

Perform the steps defined in the following table.

Table 16-23 Username Token Over SSL—Oracle WSM 11g Client —> OC4J 10g Web Service

Web Service/Client Steps

Web Service—OC4J 10g

Perform the following steps:

  1. Configure the server for SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Use the Application Server Control to secure the deployed Web service.

  3. Click Authentication in the navigation bar and set the following options:

    - Select Use Username/Password Authentication.

  4. Click Inbound Integrity in the navigation bar and deselect all options.

  5. Click Outbound Integrity in the navigation bar and deselect all options.

  6. Click Inbound Confidentiality in the navigation bar and deselect all options.

  7. Click Outbound Confidentiality in the navigation bar and deselect all options.

  8. Edit the wsmgmt.xml deployment descriptor file, as described in "Editing the wsmgmt.xml File".

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the OC4J 10g Web service using clientgen.

    Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

  2. Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):

    import javax.net.ssl.HostnameVerifier;   // these three imports go at the top of the file
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;
    // verify() body omitted in the original; JSSE calls it only when the certificate name
    // does not match the URL host, so returning false keeps the default hostname check.
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return false; }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hv);
    System.setProperty("javax.net.ssl.trustStore","<trust_store>");
    System.setProperty("javax.net.ssl.trustStorePassword","<trust_store_password>");
    System.setProperty("javax.net.ssl.keyStore","<key_store>");
    System.setProperty("javax.net.ssl.keyStorePassword","<key_store_password>");
    System.setProperty("javax.net.ssl.keyStoreType","JKS");
    
  3. Attach the following policy: oracle/wss_username_token_over_ssl_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss_username_token_over_ssl_client_policy".

  5. Invoke the Web service.


Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

  1. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

    <outbound>
       <signature>
          <add-timestamp created="true" expiry="<Expiry_Time>"/> 
       </signature>
    ...
    

SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)

The following sections describe how to implement SAML token (sender vouches) over SSL that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and OC4J 10g deployment descriptor defined for the Web service client.

  • OC4J 10g deployment descriptor defined for the Web service and Oracle WSM 11g policy attached to the Web service client.

For information about:

OC4J 10g Client —> Oracle WSM 11g Web Service

Perform the steps defined in the following table.

Table 16-24 SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)—OC4J 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)".

  2. Attach the following policy to the Web service: oracle/wss_saml_token_over_ssl_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—OC4J 10g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Create a client proxy for the Web service (above) using Oracle JDeveloper.

    Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

  3. Add the following code excerpt to initialize two-way SSL (at the beginning of the client proxy code):

    import javax.net.ssl.HostnameVerifier;   // these three imports go at the top of the file
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;
    // verify() body omitted in the original; JSSE calls it only when the certificate name
    // does not match the URL host, so returning false keeps the default hostname check.
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return false; }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hv);
    System.setProperty("javax.net.ssl.trustStore","<trust_store>");
    System.setProperty("javax.net.ssl.trustStorePassword","<trust_store_password>");
    System.setProperty("javax.net.ssl.keyStore","<key_store>");
    System.setProperty("javax.net.ssl.keyStorePassword","<key_store_password>");
    System.setProperty("javax.net.ssl.keyStoreType","JKS");
    
  4. Use the Oracle JDeveloper wizard to secure the proxy by right-clicking on the proxy project and selecting Secure Proxy.

  5. Click Authentication in the Proxy Editor navigation bar and set the following options:

    - Select Use SAML Token.

    - Click SAML Details.

    - Select Sender Vouches Confirmation.

    - Enter a valid username as the Default Subject Name.

  6. Click Inbound Integrity in the Proxy Editor navigation bar and set the following option:

    - Deselect Verify Inbound Signed Message Body.

  7. Click Outbound Integrity in the Proxy Editor navigation bar and deselect all options.

  8. Click Inbound Confidentiality in the Proxy Editor navigation bar and set the following option:

    - Deselect Decrypt Inbound Message Content.

  9. Click Outbound Confidentiality in the Proxy Editor navigation bar and set the following option:

    - Deselect Encrypt Outbound Message.

  10. Provide required information for the keystore to be used.

  11. Click OK to close the wizard.

  12. In the Structure pane, click <appname>Binding_Stub.xml and edit the file as described in "Editing the <appname>Binding_Stub.xml File".


Editing the <appname>Binding_Stub.xml File

Edit the <appname>Binding_Stub.xml file, as follows:

  1. Provide the keystore password and sign and encryption key passwords.

  2. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

    <outbound>
       <signature>
          <add-timestamp created="true" expiry="<Expiry_Time>"/> 
       </signature>
    ...
    

Oracle WSM 11g Client —> OC4J 10g Web Service

Perform the steps defined in the following table.

Table 16-25 SAML Token (Sender Vouches) Over SSL (WS-Security 1.0)—Oracle WSM 11g Client —> OC4J 10g Web Service

Web Service/Client Steps

Web Service—OC4J 10g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm.

  2. Use the Application Server Control to secure the deployed Web service.

  3. Click Authentication in the navigation bar and set the following options:

    - Select Use SAML Authentication.

    - Select Accept Sender Vouches.

    - Deselect Verify Signature.

  4. Click Inbound Integrity in the navigation bar and deselect all options.

  5. Click Outbound Integrity in the navigation bar and deselect all options.

  6. Click Inbound Confidentiality in the navigation bar and deselect all options.

  7. Click Outbound Confidentiality in the navigation bar and deselect all options.

  8. Edit the wsmgmt.xml deployment descriptor file, as described in "Editing the wsmgmt.xml File".

Client—Oracle WSM 11g

Perform the following steps:

  1. Configure the server for two-way SSL.

    For more information, see "Configuring SSL on WebLogic Server (Two-Way)".

  2. Create a client proxy to the OC4J 10g Web service.

    Ensure that the Web service endpoint references the URL with HTTPS and SSL port configured on Oracle WebLogic Server.

  3. Attach the following policy: oracle/wss_saml_token_over_ssl_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  4. Configure the policy, as described in "oracle/wss_saml_token_over_ssl_client_policy".

  5. Invoke the Web service.


Editing the wsmgmt.xml File

Edit the wsmgmt.xml file in ORACLE_HOME/j2ee/oc4j_instance/config, as follows:

  1. In the outbound signature, specify that the timestamp should be signed, as follows (and remove all other tags):

    <outbound>
       <signature>
          <add-timestamp created="true" expiry="<Expiry_Time>"/> 
       </signature>
    ...
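
The descriptor edits above are easy to get subtly wrong (a Timestamp left out of the signed elements, a leftover tag that should have been removed, a different key transport algorithm). The following added example, which is not Oracle's code, lints a wsmgmt.xml or <appname>Binding_Stub.xml security fragment for the edits this chapter requires in the mutual authentication with message protection scenario and in the username token and SAML token over SSL scenarios; the <security> wrapper element, the merged sample document and the expiry value are constructed for illustration and do not reproduce the full OC4J descriptor schema.

```python
"""Lint the security fragments this chapter tells you to edit in wsmgmt.xml (service) and
<appname>Binding_Stub.xml (client). Added example, not Oracle's code; the <security> wrapper
and the sample values below are constructed, real descriptors carry many more elements."""
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed fragment that merges the client and service edits for the mutual
# authentication with message protection scenario into one document.
SAMPLE_MSG_PROT = """<security>
  <inbound><verify-signature><tbs-elements>
    <tbs-element name-space="%s" local-part="Timestamp"/>
  </tbs-elements></verify-signature></inbound>
  <outbound>
    <signature><tbs-elements>
      <tbs-element name-space="%s" local-part="Timestamp"/>
    </tbs-elements></signature>
    <encrypt>
      <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
      <tbe-elements>
        <tbe-element local-part="UsernameToken" name-space="%s" mode="CONTENT"/>
      </tbe-elements>
    </encrypt>
  </outbound>
</security>""" % (WSU_NS, WSU_NS, WSSE_NS)

# Constructed fragment for the token-over-SSL scenarios (the expiry value is made up),
# plus a variant in which a leftover <tbs-elements> tag was not removed.
SAMPLE_SSL = """<security>
  <outbound><signature>
    <add-timestamp created="true" expiry="28800"/>
  </signature></outbound>
</security>"""
SAMPLE_SSL_LEFTOVER = SAMPLE_SSL.replace("</signature>", "  <tbs-elements/>\n  </signature>")


def _lists(root, path, ns, local):
    """True if some element at path names the given namespace/local-part pair."""
    return any(e.get("name-space") == ns and e.get("local-part") == local
               for e in root.iterfind(path))


def lint_message_protection(xml_text, role):
    """Return problems found for role 'client' (Binding_Stub.xml) or 'service' (wsmgmt.xml).
    An empty list means the fragment contains the edits the chapter requires."""
    root = ET.fromstring(xml_text)
    problems = []
    if not _lists(root, ".//inbound/verify-signature/tbs-elements/tbs-element", WSU_NS, "Timestamp"):
        problems.append("inbound verify-signature does not require the wsu:Timestamp to be signed")
    if not _lists(root, ".//outbound/signature/tbs-elements/tbs-element", WSU_NS, "Timestamp"):
        problems.append("outbound signature does not sign the wsu:Timestamp")
    if role == "client":
        methods = [e.text.strip() for e in root.iterfind(".//outbound/encrypt/keytransport-method") if e.text]
        if methods != ["RSA-OAEP-MGF1P"]:
            problems.append("outbound encrypt keytransport-method is %s, expected RSA-OAEP-MGF1P" % methods)
    elif role == "service":
        tokens = [e for e in root.iterfind(".//outbound/encrypt/tbe-elements/tbe-element")
                  if e.get("name-space") == WSSE_NS and e.get("local-part") == "UsernameToken"]
        if not any(e.get("mode") == "CONTENT" for e in tokens):
            problems.append("outbound encrypt does not encrypt wsse:UsernameToken with mode=CONTENT")
    else:
        raise ValueError("role must be 'client' or 'service'")
    return problems


def lint_timestamp_over_ssl(xml_text):
    """Check the over-SSL edit: outbound/signature holds one add-timestamp and nothing else."""
    root = ET.fromstring(xml_text)
    sigs = list(root.iterfind(".//outbound/signature"))
    if len(sigs) != 1:
        return ["expected exactly one outbound/signature element, found %d" % len(sigs)]
    problems = []
    stamps = [c for c in sigs[0] if c.tag == "add-timestamp"]
    if len(stamps) != 1:
        problems.append("outbound/signature must contain exactly one add-timestamp element")
    else:
        if stamps[0].get("created") != "true":
            problems.append('add-timestamp must carry created="true"')
        if not (stamps[0].get("expiry") or "").isdigit():
            problems.append("add-timestamp expiry must be set to a numeric value")
    leftovers = sorted(c.tag for c in sigs[0] if c.tag != "add-timestamp")
    if leftovers:
        problems.append("remove the other signature settings: " + ", ".join(leftovers))
    return problems


if __name__ == "__main__":
    for label, found in (("client", lint_message_protection(SAMPLE_MSG_PROT, "client")),
                         ("service", lint_message_protection(SAMPLE_MSG_PROT, "service")),
                         ("over-ssl", lint_timestamp_over_ssl(SAMPLE_SSL)),
                         ("over-ssl leftover", lint_timestamp_over_ssl(SAMPLE_SSL_LEFTOVER))):
        print(label, "OK" if not found else found)
```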
    

Interoperability with Oracle WebLogic Server 11g Web Service Security Environments

In Oracle Fusion Middleware 11g, you can attach both Oracle WSM and Oracle WebLogic Server Web service policies to WebLogic Java EE Web services.

For more details about the predefined Oracle WSM 11g policies, see:

For more details about the predefined Oracle WebLogic Server 11g Web service policies, see:

The following sections describe the most common Oracle WebLogic Server 11g Web service policy interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Username Token With Message Protection (WS-Security 1.1)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-26 Username Token with Message Protection (WS-Security 1.1)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Provide the configuration for the server (encryption key) in the client, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified is in accordance with the encryption key configured for the Web service.

  4. Invoke the Web service method from the client.


Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-27 Username Token with Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-2007-Wss1.1-UsernameToken-Plain-EncryptedKey-Basic128.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    You only need to configure the Confidentiality Key for a WS-Security 1.1 policy.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss11_username_token_with_message_protection_client_policy".

  4. Specify keystore.recipient.alias in the client configuration.

    Ensure that keystore.recipient.alias is the same as the decryption key specified for the Web service.

  5. Ensure that the key referenced by keystore.recipient.alias for the client exists as a trusted certificate entry in the trust store configured for the Web service.

  6. Provide a valid username and password as part of the configuration.

  7. Invoke the web service method from the client.


Username Token With Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "Username Token With Message Protection (WS-Security 1.1)".

Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-28 Username Token with Message Protection (WS-Security 1.0)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_username_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.

  4. Invoke the Web service method from the client.


Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-29 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-wss10_username_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss10_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss10_username_token_with_message_protection_client_policy".

  4. Ensure that you use different keys for client (sign and decrypt key) and keystore recipient alias (server public key used for encryption). Ensure that the recipient alias is in accordance with the keys defined in the Web service policy security configuration.

  5. Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

  6. Provide a valid username and password as part of the configuration.

  7. Invoke the Web service method from the client.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)

The following sections describe how to implement SAML token sender vouches with message protection that conforms to the WS-Security 1.1 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-30 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss11_saml_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1-Basic128.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Edit the Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1-Basic128.xml policy to add <sp:ProtectTokens/>, as follows:

    <sp:SymmetricBinding>
       <wsp:Policy>
          <sp:ProtectTokens/>
          ...
    
  4. Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.

  5. Secure the Web application client using BASIC Authentication. For more information, see "Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.

  6. Deploy the Web service client.

    See "Deploying Web Services Applications".

  7. Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

    Select the new provider, click on Provider Specific, and configure it as follows:

    - Set Issuer URI to www.oracle.com.

    - Set Name Qualifier to www.oracle.com.

  8. Restart WebLogic Server.

  9. Create a SAML relying party, as described in "Create a SAML 1.1 Relying Party" and "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Set the Profile to WSS/Sender-Vouches.

  10. Configure the SAML relying party, as described in "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Ensure the Target URL is set to the URL used for the client Web service.

  11. Invoke the Web application client.

    Enter the credentials of the user whose identity is to be propagated using a SAML token.


Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-31 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1-Basic128.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Since this is a WS-Security 1.1 policy, you need to configure only the Confidentiality Key.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

  5. Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  6. Restart WebLogic Server.

  7. Select the authentication provider created in step 5.

  8. Create a SAML asserting party, as described in "Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Set Profile to WSS/Sender-Vouches.

  9. Configure the SAML asserting party, as described in "Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML asserting party as follows:

    - Set Issuer URI to www.oracle.com.

    - Set Target URL to <url_used_to_access_Web_service>.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss11_saml_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss11_saml_token_with_message_protection_client_policy".

  4. Specify keystore.recipient.alias in the client configuration.

    Ensure that keystore.recipient.alias is the same as the decryption key specified for the Web service.

  5. Ensure that the key referenced by keystore.recipient.alias for the client exists as a trusted certificate entry in the trust store configured for the Web service.

  6. Provide, in the client configuration, a valid username whose identity needs to be propagated using a SAML token.

  7. Invoke the Web application client.

    Enter the credentials of the user whose identity is to be propagated using a SAML token.


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement SAML token with sender vouches that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle WebLogic Server 11g Web service policy attached to the Web service client.

  • Oracle WebLogic Server 11g Web service policy attached to the Web service and Oracle WSM 11g policy attached to the Web service client.

For information about configuring and attaching Oracle WSM 11g policies, see "Configuring Policies" and "Attaching Policies to Web Services".

Note:

WS-Security 1.0 policy is supported for legacy applications only. Use WS-Security 1.1 policy for maximum performance. For more information, see "SAML Token (Sender Vouches) with Message Protection (WS-Security 1.1)".

Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-32 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WebLogic Server 11g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss10_saml_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle WebLogic Server 11g

Perform the following steps:

  1. Create a client proxy for the Web service (above) using clientgen.

    For more information, see "Using the clientgen Ant Task to Generate Client Artifacts" in Oracle Fusion Middleware Getting Started With JAX-WS Web Services for Oracle WebLogic Server.

  2. Attach the following policies:

    - Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

  3. Configure the client for server (encryption key) and client certificates, as described in "Updating a Client Application to Invoke a Message-Secured Web Service" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    Ensure that the encryption key specified is in accordance with the decryption key configured for the Web service.

  4. Secure the Web application client using BASIC Authentication. For more information, see "Developing BASIC Authentication Web Applications" in Oracle Fusion Middleware Programming Security for Oracle WebLogic Server.

  5. Deploy the Web service client.

    See "Deploying Web Services Applications".

  6. Configure a SAML credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  7. Select the SAMLCredentialMapperV2, click on Provider Specific, and configure it as follows:

    - Set Issuer URI to www.oracle.com.

    - Set Name Qualifier to www.oracle.com.

  8. Restart WebLogic Server.

  9. Create a SAML relying party, as described in "Create a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Set the profile to WSS/Sender-Vouches.

  10. Configure the SAML relying party, as described in "Configure a SAML 1.1 Relying Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Ensure the target URL is set to the URL used for the client Web service.

  11. Invoke the Web application client and enter the appropriate credentials.


Oracle WSM 11g Client —> Oracle WebLogic Server 11g Web Service

Attach and configure policies, as described in the following table.

Table 16-33 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —>Oracle WebLogic Server 11g Web Service

Web Service/Client Steps

Web Service—Oracle WebLogic Server 11g

Perform the following steps:

  1. Attach the following policies:

    - Wssp1.2-wss10_saml_token_with_message_protection_owsm_policy.xml

    - Wssp1.2-2007-SignBody.xml

    - Wssp1.2-2007-EncryptBody.xml

    For more information, see "Updating the JWS File with @Policy and @Policies Annotations" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

  2. Configure identity and trust stores, as described in "Configure identity and trust" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  3. Configure message-level security, as described in:

    - "Configuring Message-Level Security" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server

    - "Create a Web Service security configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Since this is a WS-Security 1.1 policy, you need to configure Confidentiality Key only.

  4. Deploy the Web service.

    See Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

  5. Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    In the WebLogic Server Administration Console, navigate to Security Realms > RealmName > Providers > Credential Mapping page and create a New Credential Mapping Provider of type SAMLCredentialMapperV2.

  6. Restart WebLogic Server.

  7. Select the authentication provider created in step 5.

  8. Create a SAML asserting party, as described in "Create a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    - Set Profile to WSS/Sender-Vouches.

  9. Configure a SAML asserting party, as described in "Configure a SAML 1.1 Asserting Party" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML asserting party as follows (leave other values set to the defaults):

    - Set Issuer URI to www.oracle.com.

    - Set Target URL to <url_used_by_client>.

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a client proxy to the Web service (above).

  2. Attach the following policy to the Web service client: oracle/wss10_saml_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  3. Configure the policy, as described in "oracle/wss10_saml_token_with_message_protection_client_policy".

  4. Ensure that you use different keys for client (sign and decrypt key) and keystore recipient alias (server public key used for encryption). Ensure that the recipient alias is in accordance with the keys defined in the Web service policy security configuration.

  5. Ensure that the signing and encryption keys specified for the client exist as trusted certificate entries in the trust store configured for the Web service.

  6. Provide a valid username whose identity needs to be propagated using SAML token in the client configuration.

  7. Invoke the Web service method.


Interoperability with Microsoft WCF/.NET 3.5 Security Environments

In conjunction with Microsoft, Oracle has performed interoperability testing to ensure that the Web service security policies created using Oracle WSM 11g can interoperate with Web service policies configured using Microsoft Windows Communication Foundation (WCF)/.NET 3.5 Framework and vice versa.

For more information about Microsoft WCF/.NET 3.5 Framework, see http://msdn.microsoft.com/en-us/netframework/aa663324.aspx.

For more details about the predefined Oracle WSM 11g policies, see:

The following sections describe the most common Microsoft .NET 3.5 interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Username Token with Message Protection (WS-Security 1.1)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.1 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Microsoft WCF/.NET 3.5 policy configured for the Web service client.

  • Microsoft WCF/.NET 3.5 policy configured for the Web service and Oracle WSM 11g policy attached to the Web service client.

Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-34 Username Token With Message Protection (WS-Security 1.1)—Microsoft WCF/.NET 3.5 Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Attach the following policy to the Web service: oracle/wss11_username_token_with_message_protection_service_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

  2. Export the X.509 certificate file from the keystore on the service side to a .cer file using the following command:

    keytool -export -alias oraenc -file C:\dpcertfile.cer -keystore default-keystore.jks
    

Client—Microsoft WCF/.NET 3.5

Perform the following steps:

  1. Import the certificate file (exported previously) to the keystore on the client server using Microsoft Management Console (mmc). For information, see "How to: View Certificates with the MMC Snap-in" at http://msdn.microsoft.com/en-us/library/ms788967.aspx.

    a. Open a command prompt.

    b. Type mmc and press ENTER.

    Note that to view certificates in the local machine store, you must be in the Administrator role.

    c. Select File > Add/Remove snap-in.

    d. Select Add and Choose Certificates.

    e. Select Add.

    f. Select My user account and finish.

    g. Click OK.

    h. Expand Console Root > Certificates - Current User > Personal > Certificates.

    i. Right-click on Certificates and select All tasks > Import to launch Certificate import Wizard.

    j. Click Next, select Browse, and navigate to the .cer file that was exported previously.

    Click Next, accept the defaults, and finish the wizard.

  2. Generate a .NET client using the WSDL of the Web service.

    For more information, see "How to: Create a Windows Communication Foundation Client" at http://msdn.microsoft.com/en-us/library/ms733133.aspx.

  3. In the Solution Explorer of the client project, add a reference by right-clicking References, selecting Add Reference, and browsing to C:\Windows\Microsoft .NET framework\v3.0\Windows Communication Framework\System.Runtime.Serialization.dll.

  4. Edit the app.config file in the .NET project to update the certificate file and disable replays, as described in "Edit the app.config File".

  5. Compile the project.

  6. Open a command prompt and cd to the project's Debug folder.

  7. Enter <client_project_name>.exe and press Enter.


Edit the app.config File

Edit the app.config file to update the certificate file (the defaultCertificate findValue and the dns identity value) and to disable replay detection on the client (localClientSettings detectReplays="false"), as shown in the following example:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="secureBehaviour">
          <clientCredentials>
            <serviceCertificate>
              <defaultCertificate findValue="<certificate_cn>"
                storeLocation="CurrentUser" storeName="My"
                x509FindType="FindBySubjectName"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <binding name="HelloWorldSoapHttp">
          <security defaultAlgorithmSuite="Basic128"
            authenticationMode="UserNameForCertificate"
            requireDerivedKeys="false" securityHeaderLayout="Lax"
            includeTimestamp="true"
            keyEntropyMode="CombinedEntropy"
            messageProtectionOrder="SignBeforeEncrypt"
            messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
            requireSignatureConfirmation="true">
            <localClientSettings
              cacheCookies="true"
              detectReplays="false"
              replayCacheSize="900000"
              maxClockSkew="00:05:00"
              maxCookieCachingTime="Infinite"
              replayWindow="00:05:00"
              sessionKeyRenewalInterval="10:00:00"
              sessionKeyRolloverInterval="00:05:00"
              reconnectTransportOnFailure="true"
              timestampValidityDuration="00:05:00"
              cookieRenewalThresholdPercentage="60" />
            <localServiceSettings detectReplays="true"
              issuedCookieLifetime="10:00:00"
              maxStatefulNegotiations="128"
              replayCacheSize="900000"
              maxClockSkew="00:05:00"
              negotiationTimeout="00:01:00"
              replayWindow="00:05:00"
              inactivityTimeout="00:02:00"
              sessionKeyRenewalInterval="15:00:00"
              sessionKeyRolloverInterval="00:05:00"
              reconnectTransportOnFailure="true"
              maxPendingSessions="128"
              maxCachedCookies="1000"
              timestampValidityDuration="00:05:00" />
            <secureConversationBootstrap />
          </security>
          <textMessageEncoding
            maxReadPoolSize="64"
            maxWritePoolSize="16"
            messageVersion="Soap11"
            writeEncoding="utf-8">
            <readerQuotas
              maxDepth="32"
              maxStringContentLength="8192"
              maxArrayLength="16384"
              maxBytesPerRead="4096"
              maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <!-- WCF configuration element names are case-sensitive: httpTransport, not HttpTransport -->
          <httpTransport
            manualAddressing="false"
            maxBufferPoolSize="524288"
            maxReceivedMessageSize="65536"
            allowCookies="false"
            authenticationScheme="Anonymous"
            bypassProxyOnLocal="false"
            hostNameComparisonMode="StrongWildcard"
            keepAliveEnabled="true"
            maxBufferSize="65536"
            proxyAuthenticationScheme="Anonymous"
            realm=""
            transferMode="Buffered"
            unsafeConnectionNtlmAuthentication="false"
            useDefaultWebProxy="true" />
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="<endpoint_url>"
        binding="customBinding"
        bindingConfiguration="<mywebservice>SoapHttp"
        contract="<mywebservice>"
        name="<mywebservice>Port"
        behaviorConfiguration="secureBehaviour" >
        <identity>
          <dns value="<certificate_cn>"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
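The following added example (not part of the Oracle documentation or of the .NET project) audits the message-security settings of the customBinding above with Python's standard xml.etree parser, so that the effect of each setting the procedure asks you to change can be reviewed before the client is deployed. The embedded app.config is a constructed copy of the page's example with the angle-bracket placeholders replaced by plain values so that it parses (the behaviors section is omitted because the audit does not read it); the finding codes and the EXPECTED table are this example's own.

```python
"""Audit the message-security settings of a WCF customBinding in app.config.

Added example, not from the Oracle documentation. SAMPLE_APP_CONFIG is a constructed
copy of the page's app.config (behaviors omitted, placeholders replaced by plain values).
"""
import xml.etree.ElementTree as ET

SAMPLE_APP_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="HelloWorldSoapHttp">
          <security defaultAlgorithmSuite="Basic128"
            authenticationMode="UserNameForCertificate"
            requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
            keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
            messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
            requireSignatureConfirmation="true">
            <localClientSettings detectReplays="false" replayWindow="00:05:00"
              maxClockSkew="00:05:00" timestampValidityDuration="00:05:00" />
            <localServiceSettings detectReplays="true" replayWindow="00:05:00" />
            <secureConversationBootstrap />
          </security>
          <textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" />
          <httpTransport maxReceivedMessageSize="65536" authenticationScheme="Anonymous" />
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="http://owsm-host:7001/HelloWorld" binding="customBinding"
        bindingConfiguration="HelloWorldSoapHttp" contract="HelloWorld"
        name="HelloWorldPort" behaviorConfiguration="secureBehaviour" />
    </client>
  </system.serviceModel>
</configuration>
"""

# Values the oracle/wss11_username_token_with_message_protection_service_policy side
# of this scenario relies on (all taken from the page's app.config).
EXPECTED = {"authenticationMode": "UserNameForCertificate",
            "messageProtectionOrder": "SignBeforeEncrypt",
            "defaultAlgorithmSuite": "Basic128"}


def _is_true(value):
    """WCF config booleans are the strings 'true' / 'false'."""
    return (value or "").strip().lower() == "true"


def audit_binding(config_xml, binding_name):
    """Return {'settings': <security attributes>, 'findings': {code: message}}."""
    root = ET.fromstring(config_xml)
    binding = root.find(f".//customBinding/binding[@name='{binding_name}']")
    if binding is None:
        raise ValueError(f"no customBinding named {binding_name!r}")
    findings = {}
    security = binding.find("security")
    if security is None:
        findings["no-message-security"] = "no <security> element: messages are neither signed nor encrypted"
        return {"settings": {}, "findings": findings}
    settings = dict(security.attrib)
    for key, expected in EXPECTED.items():
        if settings.get(key) != expected:
            findings[f"{key}-mismatch"] = f"{key}={settings.get(key)!r}; Oracle WSM side expects {expected!r}"
    if not settings.get("messageSecurityVersion", "").startswith("WSSecurity11"):
        findings["not-wss11"] = "messageSecurityVersion is not WS-Security 1.1; the oracle/wss11_* policy will reject the message"
    if not _is_true(settings.get("includeTimestamp")):
        findings["no-timestamp"] = "includeTimestamp is not true; without a signed timestamp the service cannot judge message freshness"
    if not _is_true(settings.get("requireSignatureConfirmation")):
        findings["no-signature-confirmation"] = "requireSignatureConfirmation is not true; responses need not confirm the request signature"
    client = security.find("localClientSettings")
    if client is not None and not _is_true(client.get("detectReplays")):
        findings["client-replay-detection-off"] = (
            "localClientSettings detectReplays=\"false\" (as the interop steps require): the client "
            "will not reject a replayed response, so freshness rests on timestampValidityDuration="
            + client.get("timestampValidityDuration", "<default>"))
    if binding.find("httpTransport") is not None and binding.find("httpsTransport") is None:
        findings["plain-http-transport"] = ("httpTransport without TLS: only the parts covered by the "
                                            "message signature and encryption are protected in transit")
    return {"settings": settings, "findings": findings}


if __name__ == "__main__":
    result = audit_binding(SAMPLE_APP_CONFIG, "HelloWorldSoapHttp")
    print("algorithm suite:", result["settings"].get("defaultAlgorithmSuite"))
    for code, message in result["findings"].items():
        print(f"[{code}] {message}")
```

Running it against the page's settings reports only the two points worth knowing about this configuration: replay detection is off on the client side, and the binding rides on plain HTTP, so message-level protection is all there is.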

Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service

Perform the steps described in the following table.

Table 16-35 Username Token With Message Protection (WS-Security 1.1)—Oracle WSM 11g Client —> Microsoft WCF/.NET 3.5 Web Service

Web Service/Client Steps

WebService—Microsoft WCF/.NET 3.5 Web Service

Perform the following steps:

  1. Generate a .NET service.

    For more information, see "How to: Define a Windows Communication Foundation Service Contract" at http://msdn.microsoft.com/en-us/library/ms731835.aspx.

  2. Create a custom binding for the Web service using the SymmetricSecurityBindingElement. The settings should appear as follows:

    SymmetricSecurityBindingElement sm =
        SymmetricSecurityBindingElement.CreateUserNameForCertificateBindingElement();
    sm.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
    sm.SetKeyDerivation(false);
    sm.SecurityHeaderLayout = SecurityHeaderLayout.Lax;
    sm.IncludeTimestamp = true;
    sm.KeyEntropyMode = SecurityKeyEntropyMode.CombinedEntropy;
    sm.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    sm.MessageSecurityVersion =
        MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
    sm.RequireSignatureConfirmation = true;
    

    For more information, see "How to: Create a Custom Binding Using the SecurityBindingElement" at http://msdn.microsoft.com/en-us/library/ms730305.aspx.

  3. Create and import a certificate file to the keystore on the Web service server. Using Visual Studio, the command would be similar to the following:

    makecert -r -pe -n "CN=WSMCert" -sky exchange -ss my C:\WSMCert.cer
    

    This command creates and imports a certificate in mmc.

Client—Oracle WSM 11g Client

Perform the following steps:

  1. Import the certificate created on the Web service server to the client server using the keytool command. For example:

    keytool -import -alias WSMCert -file C:\WSMCert.cer -keystore <owsm_client_keystore>
    
  2. Right-click on the Web service Solution project under the Solutions Explorer and click Open Folder In Windows Explorer.

  3. Navigate to the bin/Debug folder.

  4. Double-click on the <project>.exe file. It will run the Web service at the URL provided.

  5. Create a client proxy to the Web service (above) using the WSDL of the Web service.

  6. Attach the following policy to the Web service client: oracle/wss11_username_token_with_message_protection_client_policy.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".

  7. Configure the policy, as described in "oracle/wss11_username_token_with_message_protection_client_policy".

  8. Provide the configuration for the signing and encryption keys.

    Ensure that you configure the keystore.recipient.alias as the alias of the certificate imported in step 1.


Interoperability with Oracle Service Bus 10g Security Environments

In Oracle Service Bus 10g, you attach policies to configure your security environment for inbound and outbound requests. Oracle Service Bus uses the underlying WebLogic security framework as building blocks for its security services. For information about configuring and attaching policies, see "Using WS-Policy in Oracle Service Bus Proxy and Business Services" in Oracle Service Bus Security Guide at http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/ws_policy.html.

Note:

Ensure that you have downloaded and applied all patches released for Oracle Service Bus 10.3 using the patch tool.

In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box. For more details about the predefined policies, see "Predefined Policies". For more information about configuring and attaching policies, see "Configuring Policies" and "Attaching Policies to Web Services".

The following sections describe the most common Oracle Service Bus 10g interoperability scenarios based on the following security requirements: authentication, message protection, and transport.

Note:

In the following scenarios, ensure that you are using a keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v3 certificates.

In addition, ensure that the keys use the proper extensions, including DigitalSignature, Non_repudiation, Key_Encipherment, and Data_Encipherment.

Username Token with Message Protection (WS-Security 1.0)

The following sections describe how to implement username token with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle WSM 11g policy attached to the Web service and Oracle Service Bus 10g policy attached to a routing service client.

  • Oracle Service Bus 10g policy attached to a routing service and Oracle WSM 11g policy attached to the Web service client.

For more information about:

Configuration Prerequisites for Interoperability

Perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:

  1. Copy the default-keystore.jks and trust.jks files to your domain directory.

    The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment.

  2. Invoke the WebLogic Administration Console, as described in "Accessing Oracle WebLogic Administration Console".

  3. Configure the Custom Identity and Custom Trust keystores, as described in "Configuring keystores" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  4. Configure SSL, as described in "Set up SSL" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Specify the private key alias, as required. For example: oratest.

  5. Configure a credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Create a PKICredentialMapper and configure it as follows (leave all other values set to the defaults):

    • Keystore Provider: N/A

    • Keystore Type: jks

    • Keystore File Name: default_keystore.jks

    • Keystore Pass Phrase: <password>

    • Confirm Keystore Pass Phrase: <password>

  6. Restart WebLogic Server.

  7. Invoke the OSB Console. For example:

    http://localhost:7001/sbconsole
    
  8. Create a ServiceKeyProvider.

  9. Specify Encryption Key and Digital Signature Key, as required.

    You must use different keys on the Oracle WSM and Oracle Service Bus servers. You can use the same key for encryption and signing, if desired.

Oracle Service Bus 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-36 Username Token with Message Protection (WS-Security 1.0)—Oracle Service Bus 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: wss10_username_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Set Encryption Key Reference Mechanism to issuerserial.

    b. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    c. Enable the Include Timestamp configuration setting.

    d. Set Is Encrypted to false for the Username token element only.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy to the Web service.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle Service Bus 10g

Perform the following steps:

  1. Create a copy of the Encrypt.xml and Sign.xml policy files.

    For example, copy the files to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  2. Edit the encryption algorithm in myEncrypt.xml file to prevent encryption compliance failure, as follows:

    <wssp:Target>
       <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    
  3. Edit the mySign.xml policy file attached to the Oracle Service Bus business service request only to sign the Username token by including the following target:

    <wssp:Target>
       <wssp:DigestAlgorithm URI=
        "http://www.w3.org/2000/09/xmldsig#sha1" />
       <wssp:MessageParts Dialect=
        "http://www.bea.com/wls90/security/policy/wsee#part">
          wls:SecurityHeader(wsse:UsernameToken)
       </wssp:MessageParts>
    </wssp:Target>
    
  4. Edit the mySign.xml policy file attached to the Oracle Service Bus business service response only to specify that the security token is unsigned:

    <wssp:Integrity SignToken="false"> 
    

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm 
       URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts 
       Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    

Oracle WSM 11g Client —> Oracle Service Bus 10g Web Service

Perform the steps described in the following table.

Table 16-37 Username Token with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle Service Bus 10g Web Service

Web Service/Client Steps

Web Service—Oracle Service Bus 10g

Perform the following steps:

  1. Create a copy of the Encrypt.xml and Sign.xml policy files.

    For example, copy them to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  2. Edit the encryption algorithm in the myEncrypt.xml file to prevent encryption compliance failure, as follows:

    <wssp:Target>
       <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    
  3. Edit the Sign.xml policy file attached to the proxy service request only to specify that the security token is unsigned:

    <wssp:Integrity SignToken="false"> 
    

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm 
       URI="http://www.w3.org/2000/09/xmldsig#sha1" />
      <wssp:MessageParts 
       Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    

Client—Oracle WSM 11g Client

Perform the following steps:

  1. Create a copy of the following policy: wss10_username_token_with_message_protection_client_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Set Encryption Key Reference Mechanism to issuerserial.

    b. Set Recipient Encryption Key Reference Mechanism to issuerserial.

    c. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    d. Disable the Include Timestamp configuration setting.

    e. Set Is Encrypted to false.

    f. Leave the default configuration set for message signing and encryption.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy to the Web service client.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".


SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)

The following sections describe how to implement SAML token (sender vouches) with message protection that conforms to the WS-Security 1.0 standard, describing the following interoperability scenarios:

  • Oracle Service Bus 10g policy attached to a routing service client and Oracle WSM 11g policy attached to the Web service.

  • Oracle WSM 11g policy attached to the Web service client and Oracle Service Bus 10g policy attached to a routing service.

For more information about:

Configuration Prerequisites for Interoperability

Perform the following prerequisite steps for the WebLogic Server on which Oracle Service Bus is running:

  1. Copy the default-keystore.jks and trust.jks files to your domain directory.

    The default-keystore.jks is used to store public and private keys for SOAP messages within the WebLogic Domain. The trust.jks is used to store private keys, digital certificates, and trusted certificate authority certificates that are used to establish and verify identity and trust in the WebLogic Server environment.

  2. Invoke the WebLogic Administration Console, as described in "Accessing Oracle WebLogic Administration Console".

  3. Create a SAMLIdentityAsserterV2 authentication provider, as described in "Configuring Authentication and Identity Assertion providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

  4. Restart WebLogic Server to add the new provider to the Administration Server's Runtime MBean server.

  5. Select the authentication provider created in step 3.

  6. Create and configure a SAML asserting party, as described in "SAML Identity Asserter V2: Create an Asserting Party" and "SAML Identity Asserter V2: Asserting Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML asserting party as follows (leave other values set to the defaults):

    • Profile: WSS/Sender-Vouches

    • Target URL: <OSB Proxy Service URL>

    • Issuer URI: www.oracle.com

    Select the Enabled checkbox and click Save.

  7. Create a SamlCredentialMapperV2 credential mapping provider, as described in "Configure Credential Mapping Providers" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Select SamlCredentialMapperV2 from the drop-down list and name the credential mapper, for example, UC2_SamlCredentialMapperV2.

  8. Restart WebLogic Server.

  9. Configure the credential mapper as follows (leave other values set to the defaults):

    • Issuer URI: www.oracle.com

      Note: This value is specified in the policy file.

    • Name Qualifier: oracle.com

  10. Create and configure a SAML relying party, as described in "SAML Credential Mapping Provider V2: Create a Relying Party" and "SAML Credential Mapping Provider V2: Relying Party: Configuration" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

    Configure the SAML relying party as follows (leave other values set to the defaults):

    • Profile: WSS/Sender-Vouches

    • Target URL: <Oracle WSM 11g Web Service>

    • Description: <your_description>

    Select the Enabled checkbox and click Save.

  11. Restart WebLogic Server.

Oracle Service Bus 10g Client —> Oracle WSM 11g Web Service

Perform the steps described in the following table.

Table 16-38 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle Service Bus 10g Client —> Oracle WSM 11g Web Service

Web Service/Client Steps

Web Service—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: wss10_saml_token_with_message_protection_service_policy.

    a. Set Encryption Key Reference Mechanism to issuerserial.

    b. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    c. Disable the Include Timestamp configuration setting.

    d. Set Is Encrypted to false for the Username token element only.

    e. Leave the default configuration set for message signing and encryption.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy to the Web service.

    For more information about attaching the policy, see "Attaching Policies to Web Services".

Client—Oracle Service Bus 10g

Perform the following steps:

  1. Create a copy of the Encrypt.xml and Sign.xml policy files.

    For example, copy them to myEncrypt.xml and mySign.xml. It is not recommended to edit the predefined policy files directly.

  2. Edit the encryption algorithm in the myEncrypt.xml file to prevent encryption compliance failure, as follows:

    <wssp:Target>
       <wssp:EncryptionAlgorithm 
         URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts
         Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    
  3. Edit the mySign.xml file attached to the Oracle Service Bus business service request only to sign the SAML assertion by including the following target:

    <wssp:Target>
       <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1" />
       <wssp:MessageParts Dialect=
        "http://www.bea.com/wls90/security/policy/wsee#part">
          wls:SecurityHeader(wsse:Assertion)
       </wssp:MessageParts>
    </wssp:Target>
    
  4. Edit the mySign.xml file attached to the Oracle Service Bus business service response only to specify that the security token is unsigned, as follows:

    <wssp:Integrity SignToken="false">
    

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    
  5. Use the custom SAML policy file defined in Example 16-1.


The following defines the custom SAML policy to be used:

Example 16-1 Custom SAML Policy

<?xml version="1.0"?>
<wsp:Policy
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
   xmlns:wssp="http://www.bea.com/wls90/security/policy"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
   wsu:Id="custom_saml">
   <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
      <wssp:SupportedTokens>
         <wssp:SecurityToken
          TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
            <wssp:Claims>
               <wssp:ConfirmationMethod>
                  sender-vouches
               </wssp:ConfirmationMethod>
            </wssp:Claims>
         </wssp:SecurityToken>
      </wssp:SupportedTokens>
   </wssp:Identity>
</wsp:Policy>

Oracle WSM 11g Client —> Oracle Service Bus 10g Web Service

Perform the steps described in the following sections.

Table 16-39 SAML Token (Sender Vouches) with Message Protection (WS-Security 1.0)—Oracle WSM 11g Client —> Oracle Service Bus 10g Web Service

Web Service/Client Steps

Web Service—Oracle Service Bus 10g

Perform the following steps:

  1. Create a copy of the Encrypt.xml and Sign.xml policy files.

    For example, copy them to myEncrypt.xml and mySign.xml. Editing the predefined policy files directly is not recommended.

  2. Edit the encryption algorithm in the myEncrypt.xml policy file to prevent encryption compliance failure, as follows:

    <wssp:Target>
       <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
       </wssp:MessageParts>
    </wssp:Target>
    
  3. Edit the mySign.xml policy file attached to the proxy service request only to specify that the security token is unsigned:

    <wssp:Integrity SignToken="false">

    Also, for SOA clients only, comment out the target for system headers, as shown:

    <!-- wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
       wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target -->
    
  4. Use the custom SAML policy file defined in Example 16-1.
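The hand edits in steps 1 through 4 above, and the matching edits for the Oracle Service Bus 10g client earlier in this section, are easy to get slightly wrong (a leftover tripledes target, a SignToken attribute still set to true, a SystemHeaders target that was not actually commented out), and the result is a compliance failure that only shows up at run time. The following Python script is an added example and not Oracle's code: it parses WebLogic 9.x style policy XML with the standard library and reports every deviation from the settings this chapter prescribes. The sample policies it builds are constructed for the example and modelled on the fragments shown above (the unedited encryption algorithm, tripledes-cbc, and the minimal element layout are assumptions, not copies of the shipped Encrypt.xml and Sign.xml files).

```python
"""Check Oracle Service Bus 10g policy files against the SAML sender-vouches
interop edits described in this chapter. Added example; samples are constructed."""
import xml.etree.ElementTree as ET

WSSP = "{http://www.bea.com/wls90/security/policy}"
WSEE_DIALECT = "http://www.bea.com/wls90/security/policy/wsee#part"
WSSE_DIALECT = "http://schemas.xmlsoap.org/2002/12/wsse#part"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
SAML_TOKEN_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID")


def _message_parts(target):
    """MessageParts expression of a wssp:Target, surrounding whitespace removed."""
    mp = target.find(WSSP + "MessageParts")
    return (mp.text or "").strip() if mp is not None else ""


def check_encrypt_policy(xml_text):
    """Step 2: every encryption target must use aes128-cbc, the data-encryption
    algorithm of the Basic128Rsa15 suite set on the Oracle WSM 11g side.
    Returns a list of findings; an empty list means the file is compliant."""
    findings = []
    for alg in ET.fromstring(xml_text).iter(WSSP + "EncryptionAlgorithm"):
        uri = alg.get("URI", "")
        if uri != AES128_CBC:
            findings.append("EncryptionAlgorithm %s will fail compliance; expected %s"
                            % (uri, AES128_CBC))
    return findings


def check_sign_policy(xml_text, require_assertion_target=False):
    """Steps 3 and 4: the token must be unsigned (SignToken="false") and the
    wls:SystemHeaders() target must no longer be active. ElementTree discards
    XML comments, so a target commented out as instructed vanishes from the tree.
    For the client's request policy the SAML assertion must be a signed part."""
    integrity = ET.fromstring(xml_text).find(".//" + WSSP + "Integrity")
    if integrity is None:
        return ["no wssp:Integrity element found"]
    findings = []
    if integrity.get("SignToken") != "false":
        findings.append('wssp:Integrity must carry SignToken="false"')
    parts = {_message_parts(t) for t in integrity.iter(WSSP + "Target")}
    if "wls:SystemHeaders()" in parts:
        findings.append("wls:SystemHeaders() target is still active; comment it out for SOA clients")
    if require_assertion_target and "wls:SecurityHeader(wsse:Assertion)" not in parts:
        findings.append("request policy lacks the wls:SecurityHeader(wsse:Assertion) target")
    return findings


def check_saml_policy(xml_text):
    """Example 16-1: the identity policy must offer a SAML token whose
    confirmation method is sender-vouches."""
    tokens = [t for t in ET.fromstring(xml_text).iter(WSSP + "SecurityToken")
              if t.get("TokenType") == SAML_TOKEN_TYPE]
    if not tokens:
        return ["no SAML SecurityToken under wssp:SupportedTokens"]
    methods = sorted({(m.text or "").strip()
                      for t in tokens for m in t.iter(WSSP + "ConfirmationMethod")})
    if "sender-vouches" not in methods:
        return ["confirmation method %s; expected sender-vouches" % (methods or "missing",)]
    return []


# Constructed samples (assumed layout, modelled on the fragments in this chapter).
POLICY_OPEN = ('<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
               'xmlns:wssp="http://www.bea.com/wls90/security/policy">')


def sign_target(parts, dialect):
    return ('<wssp:Target><wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>'
            '<wssp:MessageParts Dialect="%s">%s</wssp:MessageParts></wssp:Target>' % (dialect, parts))


def sign_policy(sign_token, active, commented_out=()):
    """Assemble a Sign policy: `active` targets stay, `commented_out` ones are
    wrapped in an XML comment exactly as step 4 instructs."""
    body = "".join(sign_target(p, d) for p, d in active)
    body += "".join("<!-- %s -->" % sign_target(p, d) for p, d in commented_out)
    return POLICY_OPEN + '<wssp:Integrity SignToken="%s">%s</wssp:Integrity></wsp:Policy>' % (sign_token, body)


def encrypt_policy(algorithm_uri):
    return (POLICY_OPEN + '<wssp:Confidentiality><wssp:Target><wssp:EncryptionAlgorithm URI="%s"/>'
            '<wssp:MessageParts Dialect="%s">wsp:Body()</wssp:MessageParts></wssp:Target>'
            '</wssp:Confidentiality></wsp:Policy>' % (algorithm_uri, WSSE_DIALECT))


def saml_policy(confirmation_method):
    return (POLICY_OPEN + '<wssp:Identity><wssp:SupportedTokens><wssp:SecurityToken TokenType="%s">'
            '<wssp:Claims><wssp:ConfirmationMethod>%s</wssp:ConfirmationMethod></wssp:Claims>'
            '</wssp:SecurityToken></wssp:SupportedTokens></wssp:Identity></wsp:Policy>'
            % (SAML_TOKEN_TYPE, confirmation_method))


SYSTEM_HEADERS = ("wls:SystemHeaders()", WSEE_DIALECT)
BODY = ("wsp:Body()", WSSE_DIALECT)
ASSERTION = ("wls:SecurityHeader(wsse:Assertion)", WSEE_DIALECT)

if __name__ == "__main__":
    # Unedited files produce findings; files edited as the chapter describes produce none.
    print(check_encrypt_policy(encrypt_policy("http://www.w3.org/2001/04/xmlenc#tripledes-cbc")))
    print(check_sign_policy(sign_policy("true", [SYSTEM_HEADERS, BODY]), True))
    print(check_sign_policy(sign_policy("false", [BODY, ASSERTION], [SYSTEM_HEADERS]), True))
    print(check_saml_policy(saml_policy("sender-vouches")))
```

To use it against real files, read myEncrypt.xml, mySign.xml and the custom SAML policy from disk and pass the text to the three check functions; pass require_assertion_target=True only for the mySign.xml copy attached to the Oracle Service Bus business service request, since the response copy and the proxy service request copy do not sign the assertion. Because the checker drops comments while parsing, it confirms that a commented-out SystemHeaders target is really inert rather than merely looking edited.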

Client—Oracle WSM 11g

Perform the following steps:

  1. Create a copy of the following policy: wss10_saml_token_with_message_protection_service_policy.

    NOTE: Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with.

    Edit the policy settings, as follows:

    a. Set Encryption Key Reference Mechanism to issuerserial.

    b. Set Recipient Encryption Key Reference Mechanism to issuerserial.

    c. Set Algorithm Suite to Basic128Rsa15 to match the algorithm suite used for Oracle Service Bus.

    d. Disable the Include Timestamp configuration setting.

    e. Leave the default configuration set for message signing and encryption.

    For more information, see "Creating a Web Service Policy from an Existing Policy".

  2. Attach the policy to the Web service.

    For more information about attaching the policy, see "Attaching Policies to Web Service Clients".