8-22 Oracle Fusion Middleware Security and Administrators Guide for Web Services In Web service client policies, you may be able to override one or more of the properties defined in Table 8–3 , depending on the policy that you attach. If you need to clear an overridden configuration property, set it to an empty string. Before you clear it, remember that other policies could be using the same property. The properties are client-specific and there could be multiple policies that are attached to the same client that use the same property. Table 8–3 Overridable Properties in Web Service Client Policies Property Notes attesting.mapping.attribute Optional, does not have to be set. caller.principal.name Clients principal name as generated using the ktpass command and mapped to the username for which the kerberos token should be generated. Use the following format: usernameREALM NAME. Note: keytab.location and caller.principal.name are required for propagating client identity for J2EE applications. csf-key Must be set on policy Configuration page or overridden. keystore.enc.csf.key Optional, does not have to be set. Note : The keystore.enc.csf.key property puts the clients certificate in the replyTo header. For WSS11 policies, keystore.enc.csf.key is used for asynchronous clients only. For WSS10 policies, keystore.enc.csf.key is used for both asynchronous and synchronous clients. keystore.recipient.alias Can be set on policy Configuration page or overridden. Superseded by the Service Identity Certification Extension feature, as described in Using Service Identity Certification Extension on page 10-37. If the certificate is published in the WSDL, then the client override property value is ignored. keystore.sig.csf.key Optional, does not have to be set. keytab.location Location of the clients keytab file. Note: keytab.location and caller.principal.name are required for propagating client identity for J2EE applications. on.behalf.of Optional, does not have to be set. Used only when sts_trust_ config_client_policy is attached to a client Web service. saml.assertion.filename Optional, does not have to be set. saml.audience.uri Optional, does not have to be set. saml.enveloped.signature.requ ired Optional, does not have to be set. Default value is true. saml.issuer.name Optional, does not have to be set. service.principal.name Must be set on policy Configuration page or overridden. Principal name for the Web service that needs to be protected, using the format hostmachine nameREALM NAME. For example, HTTPmymachineMYREALM.COM.