Specification Backward Compatibility WS-SecureConversation and Clusters

2-44 Securing WebLogic Web Services for Oracle WebLogic Server

■ Additional WS-SecureConversation 1.3 policy files:
– Wssp1.2-Wssc1.3-Bootstrap-Https-BasicAuth.xml
– Wssp1.2-Wssc1.3-Bootstrap-Https-ClientCertReq.xml

It is recommended that you use the predefined files if you want to configure security contexts, because these security policy files provide most of the required functionality and typical default values. See Section 2.16.5, "WS-SecureConversation Policies," for more information about these files.

Code or configure your application to use the policy through policy annotations, policy attached to the application's WSDL, or runtime policy configuration.

2.9.1 Specification Backward Compatibility

WebLogic Web services implement the Web Services Trust (WS-Trust 1.3) and Web Services Secure Conversation (WS-SecureConversation 1.3) specifications. Take note of the following differences from the WS-SecureConversation version of 02/2005:

■ The Web Services Secure Conversation (WS-SecureConversation) 1.3 specification requires a token service to return wst:RequestedSecurityToken to the initiating party in response to a wst:RequestSecurityToken. One or more wst:RequestSecurityTokenResponse elements are contained within a single wst:RequestSecurityTokenResponseCollection. This differs from the previous version of the specification, in which wst:RequestSecurityTokenResponse was returned by the token service. The token service can return wst:RequestSecurityTokenResponse if the service policy specifies the SC10SecurityContextToken, as described in the next bullet item.

■ The WS-SecurityPolicy 1.2 Errata document describes the following change to SecureConversationToken Assertion: sp:SC10SecurityContextToken changes to sp:SC13SecurityContextToken. sp:SC10SecurityContextToken continues to be supported only when used with the WS-SecureConversation version of 02/2005.
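The two response shapes described above can be told apart by the root element and namespace of the token service reply. The following Python check is an added example, not Oracle or WebLogic code; it assumes the input is the SOAP Body child of the reply, and the function names and sample identifiers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of the two specification generations compared above.
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSC13 = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
WST05 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
WSC05 = "http://schemas.xmlsoap.org/ws/2005/02/sc"

def read_token_response(xml_text):
    """Return (generation, [SCT identifiers]) for the SOAP Body child of a reply.
    Accepts a 1.3 RequestSecurityTokenResponseCollection or an 02/2005 bare
    RequestSecurityTokenResponse; any other root element raises ValueError.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{WST13}}}RequestSecurityTokenResponseCollection":
        gen, wst, wsc = "1.3", WST13, WSC13
        responses = root.findall(f"{{{wst}}}RequestSecurityTokenResponse")
        if not responses:
            raise ValueError("collection holds no RequestSecurityTokenResponse")
    elif root.tag == f"{{{WST05}}}RequestSecurityTokenResponse":
        gen, wst, wsc = "02/2005", WST05, WSC05
        responses = [root]
    else:
        # Includes a bare response in the 1.3 namespace, which this check
        # treats as a version mismatch (assumption of this example).
        raise ValueError(f"unexpected token response root: {root.tag}")
    path = (f"{{{wst}}}RequestedSecurityToken/"
            f"{{{wsc}}}SecurityContextToken/{{{wsc}}}Identifier")
    ids = [e.text.strip() for r in responses for e in r.findall(path) if e.text]
    return gen, ids

def build_sample(wst, wsc, ident, wrap):
    """Build a constructed reply; not captured from a real server."""
    rstr = (f"<wst:RequestSecurityTokenResponse xmlns:wst='{wst}' xmlns:wsc='{wsc}'>"
            "<wst:RequestedSecurityToken><wsc:SecurityContextToken>"
            f"<wsc:Identifier>{ident}</wsc:Identifier></wsc:SecurityContextToken>"
            "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>")
    if not wrap:
        return rstr
    return (f"<wst:RequestSecurityTokenResponseCollection xmlns:wst='{wst}'>"
            f"{rstr}</wst:RequestSecurityTokenResponseCollection>")

SAMPLE_13 = build_sample(WST13, WSC13, "urn:uuid:constructed-13", True)
SAMPLE_05 = build_sample(WST05, WSC05, "urn:uuid:constructed-05", False)
BARE_13 = build_sample(WST13, WSC13, "urn:uuid:constructed-bare", False)

if __name__ == "__main__":
    for doc in (SAMPLE_13, SAMPLE_05):
        print(read_token_response(doc))
```

When the reply comes from a peer you do not control, parse it with a hardened XML parser such as defusedxml instead of the standard library parser used here.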

2.9.2 WS-SecureConversation and Clusters

WS-SecureConversation is pinned to a particular WebLogic Server instance in the cluster. If a SecureConversation request lands in the wrong server, it is automatically rerouted to the correct server. If the server instance hosting the WS-SecureConversation fails, the SecureConversation will not be available until the server instance is brought up again.

Note: If you are deploying a Web service that uses shared security contexts to a cluster, then you are required to also configure cross-cluster session state replication. For details, see "Failover and Replication in a Cluster" in Using Clusters for Oracle WebLogic Server.

Configuring Message-Level Security 2-45

2.9.3 Updating a Client Application to Negotiate Security Contexts