In the Navigator pane, expand WebLogic Domain to show the domain for which From the WebLogic Domain menu, select Security then Credentials.
4. Click Create Key to create new entries in the oracle.wsm.security credential
map, for example for the ServiceA and ServiceB aliases. The Create Key dialog box appears, as shown in Figure 10–7 . Figure 10–7 Create Key Dialog Boxa. From the Select Map menu, select the map name oracle.wsm.security if it is
not already selected.b. In the Key field, enter csfServiceA to create a key-value pair to access the
key store.c. From the Type menu, select Password.
d. In the User Name field, enter the alias name that you specified for the private
key in the keystore, for example ServiceA.e. In the Password and Confirm Password fields, enter the password that you
specified for the alias in the keystore, for example welcome1.f. In the Description field, enter a description of for the entry, for example, Key
for ServiceA. 10-20 Oracle Fusion Middleware Security and Administrators Guide for Web Servicesg. Click OK.
h. Click Create Key again and provide the values for any additional keystore
aliases, such as csfServiceB for the ServiceB alias.5. Optionally, click Create Key to create entries in the oracle.wsm.security
credential map for the any csf-key user credentials, for example basic.credentials, as follows:a. From the Select Map menu, select the map name oracle.wsm.security if it is
not already selected.b. In the Key field, enter basic.credentials. In this example, we use
basic.credentials but you can specify any name you choose for the key.c. From the Type menu, select Password.
d. In the User Name field, enter a valid username that exists in the OPSS identity
store, for example AppID.e. In the Password and Confirm Password fields, enter a valid password for the
user, for example AppPWord.f. In the Description field, enter a description of for the entry, for example,
Username and Password for basic.credential key.g. Click OK.
6. Restart the server. Using WLST Follow these steps to add additional keys and user credentials to the credential store using WLST commands.1. Go to the Oracle Common home directory for your installation, for example
homeOracleMiddlewareoracle_common. For information about the Oracle Common home directory and installing Oracle Fusion Middleware, see the Oracle Fusion Middleware Installation Planning Guide.2. Start WLST using the WLST.shcmd command located in the oracle_
commoncommonbin directory. For example: ■ homeOracleMiddlewareoracle_commoncommonbinwlst.sh UNIX ■ C:\Oracle\Middleware\oracle_common\common\bin\wlst.cmd Windows When executed, these commands start WLST in offline mode. To use the credential store WLST commands, you must use WLST in online mode. 3. Start Oracle WebLogic Server. For more information, see Start and stop servers in the Oracle WebLogic Server Administration Console Online Help. 4. Connect to the running WebLogic Server instance using the connect command. For example, the following command connects WLST to the Administration Server at the URL myAdminServer.oracle.com:7001 using the usernamepassword credentials weblogicwelcome1: connectweblogic,welcome1,t3:myAdminServer.oracle.com:7001 Setting Up Your Environment for Policies 10-21 5. Use the createCred command to create entries in the oracle.wsm.security credential map for the ServiceA and ServiceB aliases. For example, create an entry csfServiceA for the ServiceA alias, using a command such as the following: wls:DefaultDomainserverConfig createCredmap=oracle.wsm.security, key=csfServiceA, user=ServiceA, password=welcome1, desc=Key for ServiceA 6. Repeat step 5 to create an entry for any additional aliases, for example csfServiceB, for the ServiceB alias. 7. Use the createCred command to create entries in the oracle.wsm.security credential map for the any csf-key user credentials, for example basic.credentials. wls:DefaultDomainserverConfig createCredmap=oracle.wsm.security, key=basic.credentials, user=AppID, password=AppPWord, desc=Key for ServiceA 8. View the details about a key in the credential store using the listCred command as shown in the following example: listCredmap=oracle.wsm.security, key=csfServiceA How Oracle WSM Locates Keystore And Key Passwords Oracle WSM expects keystore and key passwords to be in the Credential Store Framework CSF. Here is how it works. ■ A JKS keystore file is protected by a keystore password. ■ A keystore file consists of zero or more private keys, and zero or more trusted certificates. Each private key has its own password, although it is common to set the key passwords to be the same as the keystore password. Oracle WSM needs to know both the keystore password and key password. ■ The CSF consists of many maps, each with a distinct name. Oracle WSM only uses the map oracle.wsm.security. ■ Inside each map is a mapping from multiple csf-key entries to corresponding credentials. A csf-key is just a simple name, but there can be many different types of credentials. The most common type of credential is a password credential which is primarily comprised of a username and a password. Oracle WSM refers to the following csf-keys inside the oracle.wsm.security map: – keystore-csf-key - This key should contain the keystore password. The username is ignored. – enc-csf-key - This key should contain the encryption key alias as the username, and the corresponding key password. – sign-csf-key - This key should contain the signature key alias as the username, and the corresponding key password. In addition to these csf-keys, you should add a csf-key entry for every new private key that you want Oracle WSM to use, for example when you want to specify signature and encryption keys in configuration overrides.Parts
» Oracle Fusion Middleware Online Documentation Library
» Click Login. Oracle Fusion Middleware Online Documentation Library
» Description of Functionality Click Log In.
» A deployment plan is an XML file that you use to configure an application for
» Click Next. Oracle Fusion Middleware Online Documentation Library
» When the operation completes, click Close.
» Using Fusion Middleware Control, click Application Deployment, then click Web
» Connect to the running instance of WebLogic Server to which the application is
» Select soa-infra, expand the SOA partition for example, the default partition and
» Select the Dashboard tab if it is not already selected.
» Click Callback Client in the upper right portion of the endpoint page.
» Navigate to the Web Service Endpoint page, or the Service Home page for SOA
» Click the Configuration tab. For SOA composites, click the Properties tab.
» For ADF and WebCenter applications, restart the Web service application. You do
» In the Metadata Exchange Enabled field, select True from the menu to enable the
» In the Schema validation field, select True from the menu to enable schema
» In the Atomic Transaction Flow Option field, select whether the transaction Click Apply.
» Set the Maximum Request Size and the Unit of Maximum Request Size and click
» In the Web Service Details section of the page, click on the plus + for the Web
» Click the name of the endpoint of the asynchronous Web service to navigate to the
» From the Web Service Endpoint page, click the Configuration tab. Click Apply.
» Click Apply. Oracle Fusion Middleware Online Documentation Library
» Click the Configuration tab.
» When you are done viewing the policy, click Return to Web Services Policies.
» From the Category menu, select the category to which this policy will belong and
» Set the Local Optimization control. See
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Click Validate to verify that the policy does not contain errors. For more
» From the Web Services Policies page, click Import From File.
» In the Create Policy From File box, enter the file path of the file in the Select Policy
» Click OK. Oracle Fusion Middleware Online Documentation Library
» Click the Search Assertion Templates icon next to the Name field. Click Create Like.
» Click Edit. Oracle Fusion Middleware Online Documentation Library
» Select the assertion template to be edited as described in Click the Configurations tab.
» Select the property from the list and click Edit.
» Enter the values for your configuration and click OK.
» In the Assertions section, click Add.
» To configure the assertion, click the Settings tab and edit the settings as required.
» To edit the configuration properties, click the Configurations tab.
» Select the property to be edited and click Edit.
» Edit the Configuration properties and click OK.
» When you are done, click Save to save the policy.
» In the Assertion List section, click Add OR Group. Click OK.
» To delete an assertion from the OR group, select the assertion and click Delete. To
» In the Assertions section of the page, select the assertion to be configured in the
» Click the Settings or Configurations tab.
» Edit the Settings and Configuration properties, and click Save.
» Select Save File. Oracle Fusion Middleware Online Documentation Library
» Navigate to the Web Services Assertions Templates page, as described in
» Click Browse to navigate to the directory where the assertion template file is
» Click Delete. Oracle Fusion Middleware Online Documentation Library
» The policies appear in order in the Policy Version History table with the active
» In the Policy History table, select a policy and click Restore or click Activate
» Select a generated policy from the table and click Edit.
» Click Validate to validate your changes.
» Click Save to save the changes to your policy.
» From the Web Service Endpoint page, click the OWSM Policies tab.
» Select the policy you want to enable or disable.
» Select Enable or Disable to enable or disable the policy, respectively, and confirm
» Select a policy from the Policies table and click Edit. Click Save.
» In cases where multiple domains share the same Oracle WSM Repository to store
» Click the OWSM Policies tab.
» Navigate to the home page for the Web service, as described in
» Click the name of a endpoint to navigate to the Web Service Endpoints page for a
» Click AttachDetach. Oracle Fusion Middleware Online Documentation Library
» Select a policy from the Available Policies list, and click Attach. See
» Using Fusion Middleware Control, click WebLogic Server and then Web Services.
» From the Web Services Summary page, click Attach Policies.
» Click Back to make any changes, or click Attach to complete the bulk attachment.
» Click the Policies tab. Click AttachDetach.
» Click Validate. Oracle Fusion Middleware Online Documentation Library
» View the SOA reference, as described in
» In the Directly Attached Policies section of the page, click AttachDetach.
» From the Available Policies section of the page, select one or more policies that
» Click Attach when you are sure that you want to attach the policy or policies.
» From the Application Deployment menu, select ADF, and then Configure ADF
» On the ADF Connections Configuration page, select a row in the Web Service
» On the Web Service Client page, select the OWSM Policies tab.
» On the Available Policies section of the page, select one or more policies that you
» On the Available Policies portion of the page, select one or more policies that you
» Select the configuration property and click Edit to make the change to the action Click Save.
» Select Override Policy Configuration.
» Enter the override value in the Value field for the property and click Apply.
» Attach the policy to the service as described in
» Use the setWebServicePolicyOverride command to override policy
» For ADF DC and WebCenter client applications, restart the Web service client
» From the WebLogic Domain menu, select Web Services then Policy Sets.
» From the Policy Set Summary page, click Create.
» In the Enter Resource Scope page, enter at least one pattern string that defines the
» In the Add Policy References page, select a policy from the Available Policies list,
» Continue selecting and attaching policies. When you are finished, click Validate to
» Click Next to view the Policy Set Summary Page.
» Select or clear the Enabled check box to enable or disable the policy set.
» In the Enter Resource Scope page, modify the scope as desired and click Next.
» In the Add Policy References page, modify the policy attachments as desired.
» Navigate to the Policy Set Summary page as described in
» In the Policy Set Summary page, select the policy set that you want to edit and
» Review the policy set summary information. If you are satisfied with the policy
» Specify the policy set to be modified using the modifyPolicySet command.
» Use the enablePolicySet command to enable or disable a policy set.
» Validate the policy set using the ValidatePolicySet command.
» In the Policy Set Summary page, select a policy set from the table and click Delete.
» A dialog box displays asking you to confirm the deletion. Click OK.
» In the Navigator pane, expand WebLogic Domain to show the domain for which
» From the WebLogic Domain menu, select Security then Security Provider
» Click the plus sign + to expand the Keystore control near the bottom of the page,
» In the Keystore Type drop-down, select Java Key Store JKS, if it is not already
» Click OK to submit the changes.
» Generate the private key and self-signed certificate. The self-signed certificate will
» Generate the certificate request.
» Submit the CSR file to a CA such as VeriSign, for example. The CA will
» Import the CA root certificate which authenticates the CA’s public key.
» Replace the self-signed certificate with the trusted CA certificate issued by the CA
» Click Create Key to create new entries in the oracle.wsm.security credential
» Start WLST using the WLST.shcmd command located in the oracle_
» In the left pane of the Console, expand Environment and select Servers.
» Select Configuration, and then Keystores.
» Select Configuration, and then the SSL page, and choose the location of identity
» At the bottom of the page, click Advanced.
» Set the Two Way Client Cert Behavior control to Client Certs Requested and
» Ensure that the client application obtains a digital certificate that WebLogic Server
» Create a certificate registry that lists all the individual certificates trusted by
» Create a keystore used by the client application. Oracle recommends that you
» Create a private key and digital certificate pair, and load it into the client keystore.
» Make sure that the following properties are set in the clients JVM:
» Using Fusion Middleware Control, click WebLogic Domain, then Security, and
» In the Keystore Type drop-down, select Hardware Security Module HSM.
» After the Keystore Configuration page refreshes, enter Luna in the HSM Provider
» In the Key Alias and Crypt Alias fields, enter an alias for the signature and
» From the navigation pane, expand WebLogic Domain.
» Using Fusion Middleware Control, click WebLogic Domain.
» Select Web Services, and then select Platform Policy Configuration.
» Select the Identity Extension tab.
» To modify a identity extension property, select it and then click Edit. In the Edit
» To delete an existing property, select it and then click Delete.
» Click Apply to apply the property updates.
» Optionally, in the SAML Specific Attributes section, configure an alternate Issuer
» In the Custom Properties section of the page, configure any custom properties for
» Click Add to add a custom property.
» Restart Fusion Middleware Control.
» Configure the SAML login module, as described in
» Configure the identity assertion provider in the WebLogic Server Administration
» If you will be using policies that involve signatures related to SAML assertions
» From the System Policies page, select the arrow icon in the Permission field to
» Select one of the codebase permissions to use as a starting point and click Create
» In the Grant Details section of the page, enter
» In the Permissions section of the page, select the starting point permission class
» Attach the Kerberos policy to your Web service.
» Configure the Web service client to authenticate against the right KDC.
» Export the keytab file you created in
» Verify the keytab file using kinit:
» In the left pane select Security Realms.
» On the Settings for Realm Name page select Users and Groups and then Users.
» Click New. Oracle Fusion Middleware Online Documentation Library
» Click OK to save your changes.
» Create a new key pair and self-signed certificate.
» Generate a certificate request to the certificate authority.
» Replace import the self-signed certificate with the trusted CA certificate.
» If it is not already enabled, click the Configure Keystore Management check box.
» The Web service client invokes a Web service. The WSDL for the Web service
» The Web service client the requestor sends an authentication request, with
» The STS verifies the credentials presented by the client, and then in response
» The requestor verifies the RSTR, extracts the token, and passes it to the Web
» The Web service receives the issued token and verifies that the token was issued
» Navigate to Configuration Global Security Token Service.
» Under the On Behalf of Token section, select ldapService from the Authentication
» Select AES from the Encryption Algorithm drop-down list, and select 128 from
» Configure OpenSSO STS, as described
» Configure the STS service policy following the steps described in
» Configure OpenSSO STS. as described Configure the STS policy following the steps described in
» What are the basic requirements of your security policy? Decide if you need to
» If you require both authentication and message protection, then you need to
» Create a simple Web service that approves a credit card number cardNr. A
» Click Selected Roles. Oracle Fusion Middleware Online Documentation Library
» Click Add. Oracle Fusion Middleware Online Documentation Library
» Click OK. Click Delete. Click Selected Roles. Click Add.
» Click Add. Click OK. Click Delete.
» To add roles, click the check box next to each role you want to add in the Roles
» Select the role that you want to delete in the Selected Roles list.
» Using Fusion Middleware Control, click WebLogic Domain, then Logs and then
» Expand the test option sections by clicking the plus sign + next to the section
» In the Security section, select the security token to verify. The security setting is
» Using Fusion Middleware Control, click WebLogic Server, and then Web
» In the Web Services Details section of the Web Services summary page, select the
» Select the endpoint for which you want to display the statistics.
» Select the Operations tab if it is not already selected.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services
» Click Add to register a new source. The Register New Source page appears, as
» If you selected UDDI v3 registry import, enter the following information:
» If you selected WSIL import from URL, enter the following information:
» If you selected WSIL import from File, click Browse next to the WSIL File field
» Select Register Web Services.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services Do one of the following:
» Click OK in the Publish Service to UDDI window.
» Select Actions, then Publish to UDDI. See
» In the Publish Service to UDDI dialog box
» Click OK to connect to the external UDDI registry and register the Web service.
» On the Configuration tab, set the WSDL Enabled field to True or False to enable of
» In the navigator pane, expand WebLogic Domain to view the domains.
» Select WebLogic Domain Web Services Platform Policy Configuration.
» Select the tab corresponding to the component for which you want to define
» Select the Policy Accessor tab.
» Click Add to define a remote JNDI provider.
» Click Add to define a corresponding csf-key credential property. In the Add
» Select the Policy Cache tab.
» To modify an existing property, select it and then click Edit.
» Click Add to add a policy retrieval property.
» Select the Policy Interceptors tab.
» Select the Trusted SAML clients or Trusted STS servers tab, depending on
» Connect to the Administration Server using the command-line Oracle WebLogic
» After connecting to the Administration Server using WLST, start the script using
» Configure JOC for all the Managed Servers for a given cluster.
» Click Apply and restart WebLogic Server.
» Enter the name of the custom user in the JMS System User field and click Apply.
» Access the WebLogic Server Administration Console. To do so from Fusion
» Click Deployments in the Domain Structure pane and navigate to the
» In the Change Center, select Lock Edit.
» Select the MDB name for the request or response MDB. You will need to update
» In the Enterprise Bean Configuration section of the page, enter the custom user
» In the Change Center, click Activate Changes.
» Select wsm-pm. Oracle Fusion Middleware Online Documentation Library
» Use keytool to reset the passwords in the Oracle WSM keystore file. Because the
» From the WebLogic Sever menu, select Logs Log Configuration.
» Expand Root Logger. Oracle Fusion Middleware Online Documentation Library
» Expand oracle. Oracle Fusion Middleware Online Documentation Library
» Set the logging level for one or more of the following components:
» Click Apply to store the new logging level.
» Set the Logging Level field to one of the following settings: Severe, Warning,
» Click Search once you have set the fields, as desired.
» From the WebLogic Sever menu, select Logs Log Configuration. Select the Log Files tab.
» Click OK to edit the log file configuration.
» In the Navigator pane, expand Metadata Repositories and select mds-owsm, as
Show more