Click Next to view the Policy Set Summary Page.

Creating and Managing Policy Sets 9-9

5. To attach a policy to the current policy set, use the attachPolicySetPolicy command. The policy, identified by the specified URI using the uri argument, is attached to the endpoints specified in the policy set. You can repeat this command as needed to attach all the desired policies to the policy set.

    attachPolicySetPolicy(uri)

For example, to attach the policy oracle/wss11_saml_or_username_token_with_message_protection_service_policy to the subjects specified in the policy set, enter the following command:

    wls:/jrfserver_domain/serverConfig> attachPolicySetPolicy('oracle/wss11_saml_or_username_token_with_message_protection_service_policy')

    Policy reference added.

6. To display the configuration of the policy set during the current repository session, use the displayPolicySet command.

    displayPolicySet(name=None)

Note that when you execute this command within a repository session, you do not need to specify the name argument. The current policy set is used by default. If the policy set is being modified, then the modified version is displayed. Otherwise, the latest version in the repository is displayed. For example:

    wls:/jrfserver_domain/serverConfig> displayPolicySet()

    Policy Set Details:
    -------------------
    Name: all-domains-default-web-service-policies
    Type of Resources: Web Service Endpoint
    Scope of Resources: Domain
    Description: Default policies for web services in any domain
    Enabled: true
    Policy Reference: security : oracle/wss11_saml_or_username_token_with_message_protection_service_policy, enabled=true

7. To validate the policy set, use the validatePolicySet command.

    validatePolicySet(name=None)

If a name is not provided, then the command validates the policy set being created or modified in the current session. Note that you can also execute this command outside of a repository session. If you do so, the name argument is required.

For example:

    wls:/jrfserver_domain/serverConfig> validatePolicySet()

    The policy set all-domains-default-web-service-policies is valid.

8. To write the contents of the current repository session to the repository, use the commitRepositorySession command.

    wls:/jrfserver_domain/serverConfig> commitRepositorySession()

    The policy set all-domains-default-web-service-policies is valid.
    Creating policy set all-domains-default-web-service-policies in repository.
    Repository session committed successfully.

9-10 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

Alternately, you can choose to cancel any changes by using the abortRepositorySession command, which discards any changes that were made to the repository during the session.

For more information about these WLST commands and their arguments, see Web Services Custom WLST Commands in WebLogic Scripting Tool Command Reference.

Creating a Policy Set from an Existing Policy Set

You can use an existing policy set as the base for a new policy set. The following sections describe how to create a new policy set from an existing policy set using either Fusion Middleware Control or the command line interface WebLogic Scripting Tool, WLST.

Note that when you create a policy set from an existing policy set, all values and attachments are copied into the new one. You can modify the resource scope and the policy attachments in the new policy set, but you cannot change the type of resource to which it applies.

Using Fusion Middleware Control

To create a policy set using an existing policy set:

1. Navigate to the Policy Set Summary page as described in Navigating to the Policy Set Summary Page on page 9-1.

2. In the Policy Set Summary page, select the policy set that you want to copy and click Create Like.

3. In the Enter General Information page, enter a new name and description for the policy set. Note the following:

■ The default new policy set name is created by appending _Copy to the base policy set name. For example, if the base policy set is named all-domains-default-web-service-policies, the name displayed for the copy is all-domains-default-web-service-policies_Copy.

■ The Resource Type field is read-only. When you clone a policy set, you can modify the scope but not the type of resources to which the policy set will be attached.

4. Select or clear the Enabled check box to enable or disable the policy set.

5. Click Next.

6. In the Enter Resource Scope page, modify the scope as desired and click Next.

7. In the Add Policy References page, modify the policy attachments as desired.

When you are finished, click Validate to verify that the combination of policies selected is valid.

8. Click Next to view the Policy Set Summary Page.

Note: To specify a resource scope, a pattern string must be provided in at least one Pattern field on this page.

9. Review the policy set summary information. If you are satisfied with the policy set, click Save.

Using WLST

To create a policy set from an existing policy set:

1. Connect to the running instance of WebLogic Server as described in Accessing the Web Services Custom WLST Commands on page 1-6.

2. Begin a repository session using the beginRepositorySession command. For example:

    wls:/jrfserver_domain/serverConfig> beginRepositorySession()

    Repository session begun.

3. Use the clonePolicySet command to create a policy set using an existing policy set.

    clonePolicySet(name, source, [attachTo=None], [description=None], [enable='true'])

Where:

■ name represents the name of the new, cloned policy set.

■ source specifies the name of the policy set to be cloned.

■ attachTo represents the scope of resources to which the policy set will be attached. This argument, if provided, must use a supported expression that defines a valid resource scope in a supported format. You do not need to enter the exact name for the resource scope. Wildcards are permitted, as shown in the example. For more information, see Defining the Type and Scope of Resources on page 9-19. If this argument is not specified, then the expression used in the source policy set to identify the scope of resources is retained. You can also modify the resource scope using the attachPolicySet command, as described in step 5.

■ description represents an optional argument that provides a description of the cloned policy set.

■ enable specifies if the policy set is enabled or disabled. This argument is optional.

For example, to clone a policy set:

    wls:/jrfServer_domain/serverConfig> clonePolicySet('app-only-web-service-policies','all-domains-default-web-service-policies', None, 'Default policies for application jaxws-sut')

    The policy set was cloned successfully in the session.

Note that the attachTo argument was not specified in this example. For details about the arguments for this command, see Web Services Custom WLST Commands in WebLogic Scripting Tool Command Reference.

4. Optionally, you can view the configuration of the policy set using the displayPolicySet command. For example:

    wls:/jrfServer_domain/serverConfig> displayPolicySet()

    Policy Set Details:
    -------------------
    Name: app-only-web-service-policies
    Type of Resources: Web Service Endpoint
    Scope of Resources: Domain("jrfServer_domain")
    Description: Default policies for application jaxws-sut
    Enabled: true
    Policy Reference: security : oracle/wss11_saml_or_username_token_with_message_protection_service_policy, enabled=true

5. To change the resource scope of the attachments, use the attachPolicySet command.

    attachPolicySet(expression)

Where:

■ expression is a supported expression that defines the resource scope, in a supported format, that is valid for the resource type defined in the policy set. For example, for SOA resource types, you cannot define the resource scope to be an application. The supported resource scopes for SOA resource types are Domain, Server, and Composite. For more information, see Defining the Type and Scope of Resources on page 9-19.

For example, to attach the policies in the policy set only to the application named jaxws-sut, enter the following command:

    wls:/jrfServer_domain/serverConfig> attachPolicySet('Application("jaxws-sut")')

    Scope of resources updated.

6. Optionally, you can view the configuration of the cloned policy set using the displayPolicySet command. For example:

    wls:/jrfserver_domain/serverConfig> displayPolicySet()

    Policy Set Details:
    -------------------
    Name: app-only-web-service-policies
    Type of Resources: Web Service Endpoint
    Scope of Resources: Application("jaxws-sut")
    Description: Default policies for application jaxws-sut
    Enabled: true
    Policy Reference: security : oracle/wss11_saml_or_username_token_with_message_protection_service_policy, enabled=true

7. To write the contents of the current repository session to the repository, use the commitRepositorySession command. For example:

    wls:/jrfserver_domain/serverConfig> commitRepositorySession()

    The policy set app-only-web-service-policies is valid.
    Creating policy set app-only-web-service-policies in repository.
    Repository session committed successfully.
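
The displayPolicySet output in steps 4 and 6 is the last view of scope and attachments before the commit in step 7. The following added example (not part of the Oracle guide or its tooling) parses that output and reports anything that should stop the commit. The function names parse_policy_set and review are hypothetical, the sample text is constructed in the layout shown above, and the code assumes each policy reference is printed on one line.

```python
import re

# Constructed sample in the layout displayPolicySet prints in this section.
SAMPLE = '''Policy Set Details:
-------------------
Name: app-only-web-service-policies
Type of Resources: Web Service Endpoint
Scope of Resources: Application("jaxws-sut")
Description: Default policies for application jaxws-sut
Enabled: true
Policy Reference: security : oracle/wss11_saml_or_username_token_with_message_protection_service_policy, enabled=true
'''

# "<category> : <policy URI>, enabled=<true|false>"
REF_RE = re.compile(r'^(\w+)\s*:\s*(\S+),\s*enabled=(true|false)$')


def parse_policy_set(text):
    """Turn displayPolicySet output into a dict; references become a list."""
    ps = {"references": []}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        # Assumption: extra references may follow without the field label.
        if key == "Policy Reference" or REF_RE.match(line.strip()):
            body = value if key == "Policy Reference" else line.strip()
            m = REF_RE.match(body)
            if m is None:
                raise ValueError("unparsed policy reference: %r" % body)
            ps["references"].append({"category": m.group(1),
                                     "uri": m.group(2),
                                     "enabled": m.group(3) == "true"})
        elif sep and value:
            ps[key] = value  # header, ruler and blank lines fall through
    return ps


def review(ps, expected_scope, required_uri):
    """Return findings that should block commitRepositorySession()."""
    findings = []
    if ps.get("Enabled") != "true":
        findings.append("policy set is disabled")
    scope = ps.get("Scope of Resources")
    if scope != expected_scope:
        findings.append("scope is %s, expected %s" % (scope, expected_scope))
    active = [r["uri"] for r in ps["references"] if r["enabled"]]
    if required_uri not in active:
        findings.append("required policy missing or disabled: " + required_uri)
    return findings
```

An empty list from review means the set is enabled, scoped as intended, and carries the required security policy in an enabled state; otherwise abortRepositorySession discards the session.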