Configuring Message-Level Security 2-117
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
  >
  <wssp:Integrity>
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SecurityHeader(wsu:Timestamp)
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
  </wssp:Integrity>
  <wssp:MessageAge/>
</wsp:Policy>
2.25.4 Encrypt.xml
The WebLogic Server Encrypt.xml file specifies that the entire body of the SOAP message be encrypted. By default, the encryption token is not included in the SOAP message.
Example 2–35 Encrypt.xml
<?xml version="1.0"?>
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  >
  <wssp:Confidentiality>
    <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <wssp:Target>
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo/>
  </wssp:Confidentiality>
</wsp:Policy>
2-118 Securing WebLogic Web Services for Oracle WebLogic Server
2.25.5 Wssc-dk.xml
Specifies that the client and Web service share a security context, as described by the WS-SecureConversation specification, and that a derived key token is used. This ensures the highest form of security.
This policy file provides the following configuration:
■ A derived key token is used to sign all system SOAP headers, the timestamp security SOAP header, and the SOAP body.
■ A derived key token is used to encrypt the body of the SOAP message. This token is different from the one used for signing.
■ Each SOAP message uses its own pair of derived keys.
■ For both digital signatures and encryption, the key length is 16 as opposed to the default 32.
■ The lifetime of the security context is 12 hours.
If you need to change the default security context and derived key behavior, you will have to create a custom security policy file, described in later sections.
Note: If you specify this predefined security policy file, you should not also specify any other predefined security policy file.
Example 2–36 Wssc-dk.xml
<?xml version="1.0"?>
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
  >
  <wssp:Integrity SupportTrust10="true">
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SecurityHeader(wsu:Timestamp)
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:SupportedTokens>
      <wssp:SecurityToken IncludeInMessage="true"
          TokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk"
          DerivedFromTokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct">
        <wssp:Claims>
          <wssp:Label>WS-SecureConversationWS-SecureConversation</wssp:Label>
          <wssp:Length>16</wssp:Length>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Integrity>
  <wssp:Confidentiality SupportTrust10="true">
    <wssp:Target>
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo>
      <wssp:SecurityToken IncludeInMessage="true"
          TokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk"
          DerivedFromTokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct">
        <wssp:Claims>
          <wssp:Label>WS-SecureConversationWS-SecureConversation</wssp:Label>
          <wssp:Length>16</wssp:Length>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:KeyInfo>
  </wssp:Confidentiality>
  <wssp:MessageAge/>
</wsp:Policy>
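The predefined policy files above each declare which SOAP parts are signed and encrypted, with which algorithms, and (for Wssc-dk.xml) the derived-key length. The following Python script is an added example, not part of the Oracle documentation or of WebLogic: it parses a policy in this wssp format and reports those settings, then flags a policy that leaves the Body or Timestamp unsigned, omits wssp:MessageAge, or still uses 3DES. The embedded sample policy is constructed for this example (it is shaped like Wssc-dk.xml but has no MessageAge assertion).

```python
import xml.etree.ElementTree as ET
WSSP = "{http://www.bea.com/wls90/security/policy}"  # the wssp: namespace used above

# Constructed sample (not a WebLogic file): shaped like Wssc-dk.xml but with no MessageAge.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy">
 <wssp:Integrity SupportTrust10="true">
  <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
  <wssp:Target><wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
    wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts></wssp:Target>
  <wssp:Target><wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
    wsp:Body()</wssp:MessageParts></wssp:Target>
  <wssp:SupportedTokens><wssp:SecurityToken TokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk">
   <wssp:Claims><wssp:Length>16</wssp:Length></wssp:Claims></wssp:SecurityToken></wssp:SupportedTokens>
 </wssp:Integrity>
 <wssp:Confidentiality SupportTrust10="true"><wssp:Target>
  <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
   wsp:Body()</wssp:MessageParts></wssp:Target></wssp:Confidentiality>
</wsp:Policy>"""

def summarize_policy(xml_text):
    """Which parts are signed/encrypted, the encryption algorithm, and derived-key lengths."""
    root = ET.fromstring(xml_text)
    s = {"signed": [], "encrypted": [], "enc_alg": None,
         "dk_lengths": [int(n.text) for n in root.iter(WSSP + "Length")],
         "message_age": root.find(WSSP + "MessageAge") is not None}
    for tgt in root.iter(WSSP + "Target"):
        parts = [p.text.strip() for p in tgt.findall(WSSP + "MessageParts")]
        enc = tgt.find(WSSP + "EncryptionAlgorithm")  # present only under Confidentiality
        if enc is not None:
            s["encrypted"] += parts
            s["enc_alg"] = enc.get("URI")
        else:
            s["signed"] += parts
    return s

def audit(summary):
    findings = []  # gaps relative to what the predefined policies establish
    if "wsp:Body()" not in summary["signed"]:
        findings.append("SOAP Body is not signed")
    if not any("wsu:Timestamp" in p for p in summary["signed"]):
        findings.append("Timestamp header is not signed")
    if not summary["message_age"]:
        findings.append("no wssp:MessageAge: stale messages are not rejected")
    if "tripledes" in (summary["enc_alg"] or ""):
        findings.append("legacy 3DES encryption; prefer AES")
    return findings
```

Running `audit(summarize_policy(SAMPLE_POLICY))` on the constructed sample reports only the missing MessageAge assertion; pointing it at a policy with the Encrypt.xml algorithms would additionally flag 3DES.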
2.25.6 Wssc-sct.xml