Introduction to Oracle B2B Web Services

20-6 Oracle Fusion Middleware Users Guide for Oracle B2B

20.5 Securing Oracle B2B Web Services

Web services exposed in B2B must be secured to hide the configuration details from intruders. The Oracle Web Services Manager policy approach provides the facility to secure the web services based on your requirements. Web services endpoints are registered dynamically and programmatically using the oracle.webservices.provider.ProviderConfig.addService... API. Because these endpoints are not displayed in Oracle Enterprise Manager Fusion Middleware Control Console, Oracle B2B maintains the lifecycle of web services and their policies.

To specify a policy and attach it to the web services endpoints:

1. In Oracle B2B Console, go to the Administration > Configuration tab.

2. Enter the appropriate value in the Webservice Policy field in the Non Purgeable section. Enter either the Oracle Web Services Manager policy URI to secure just the endpoints, or enter the whole policy tag to uptake RM, Addressing, and Logging. See the examples below. See "What Oracle WSM Security Policies Are Available?" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server for a listing of available Oracle WSM policies.

3. Click Save.

Based on the policy attached here, WSDL URL will start publishing/describing the policy details which need to be used while creating the proxy client for this service. No restart of B2B is required to uptake the policy changes.

Examples

Example 1: Enter the following URI in Webservice Policy to apply security policy oracle/wss_username_token_service_policy.

oracle/wss_username_token_service_policy

Example 2: Enter the following XML in Webservice Policy, which applies Security and RM policy.

<policy><policy-references><policy-reference uri="oracle/wss_username_token_service_policy" category="security"/><policy-reference uri="oracle/wsrm11_policy" category="wsrm"/></policy-references></policy>

Limitations

- There is no way to control the policy only for the particular endpoint. Whatever the policy specified, it is applicable for all the endpoints.
- Removing already specified policy URI by clearing the Webservice Policy field does not work. You must enter some string in the field, such as none.
- No metrics are displayed for Oracle B2B web service usage in Oracle Enterprise Manager Fusion Middleware Control Console.

Table 20–11 (Cont.) Get Trading Partner Agreement Information Response Parameters

Header | Data Type | Description | Required
B2BDocumentProtocol | String | DocumentProtocol name defined in Oracle B2B for the requested application document and action | Yes
Direction | String | Document direction | Yes
XSLTFile | String | XSLT file to be used by the AIA layer to generate the Oracle B2B TP document | No

Table 20–12 Get Trading Partner Agreement Information Fault Message Parameters

Header | Data Type | Description
ExceptionMessage | String | If a fault is found, the Exception Stack Trace is transmitted.
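A pre-save check for the Webservice Policy field from section 20.5, as an added example that is not Oracle's code: it classifies a value as a bare URI, a placeholder or a policy tag, and flags values that leave the endpoints without a security policy. The function names are hypothetical, the two sample values follow the page's Example 1 and Example 2, and treating a bare URI as a security policy is an assumption based on the page's description of that form.

```python
import xml.etree.ElementTree as ET

# Field values following the page's Example 1 and Example 2.
EXAMPLE_1 = "oracle/wss_username_token_service_policy"
EXAMPLE_2 = ('<policy><policy-references>'
             '<policy-reference uri="oracle/wss_username_token_service_policy" category="security"/>'
             '<policy-reference uri="oracle/wsrm11_policy" category="wsrm"/>'
             '</policy-references></policy>')

def _local(tag):
    """Strip an XML namespace, e.g. '{ns}policy' -> 'policy'."""
    return tag.rsplit("}", 1)[-1]

def review_policy_value(value):
    """Classify a Webservice Policy value; return its form, references, findings."""
    text = value.strip()
    refs, findings = [], []
    if not text:
        # Page limitation: clearing the field does not remove the policy.
        return {"form": "empty", "references": refs, "findings": [
            "clearing the field does not remove a policy; enter a string such as none"]}
    if not text.startswith("<"):
        form = "placeholder" if text.lower() == "none" else "uri"
        if form == "uri":
            refs.append((text, "security"))  # assumption: a bare URI is a security policy
    else:
        form = "policy-xml"
        try:
            root = ET.fromstring(text)
        except ET.ParseError as exc:
            return {"form": "invalid-xml", "references": refs,
                    "findings": [f"not well-formed XML: {exc}"]}
        if _local(root.tag) != "policy":
            findings.append(f"root element is <{_local(root.tag)}>, expected <policy>")
        for el in root.iter():
            if _local(el.tag) != "policy-reference":
                continue
            uri, category = el.get("uri"), el.get("category")
            if uri and category:
                refs.append((uri, category))
            else:
                findings.append("policy-reference without both uri and category")
    if not any(category == "security" for _, category in refs):
        # One value covers all endpoints, so a missing security policy is global.
        findings.append("no security policy: all B2B web service endpoints are unsecured")
    return {"form": form, "references": refs, "findings": findings}

if __name__ == "__main__":
    for sample in (EXAMPLE_1, EXAMPLE_2, "none"):
        print(review_policy_value(sample))
```

Because one field value governs every endpoint, a finding from this check applies to all B2B web services at once.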