Securing Web Services
Oracle Service Bus is used by OIDG to expose web-services to clients and it uses OWSM to manage access to these services via access control policies. An access control policy specifies conditions under which users, groups, or roles can access a proxy service. For all proxy services, you can create a transport-level policy, which applies a security check when a client attempts to establish a connection with the proxy service.

OIDG adheres to the WS-Security standards, as developed by the OASIS Open committee, for the authentication of SOAP messages. As per this approach, consuming applications need to send the Username token as part of the SOAP security header along with the SOAP request. An OWSM user token policy is employed which only allows requests from users who are listed in the transport-level policy to proceed.
The SOAP header must include a <wsse:UsernameToken> element which holds the authentication information. Inside this element the username and password are specified with the <wsse:Username>, and <wsse:Password> elements, respectively.
TLS 1.2 is required as the method of encryption for all SOAP messages.
Access control policies are persisted in authorization providers and are managed within a design session, not outside the session. Because the changes are made within a session, you can commit or discard the changes as with other resources.
See the Service Virtualization Deployment and Configuration section of the Installation Guide for more details.