Using Fusion Middleware Control, click WebLogic Domain, then Security, and

Setting Up Your Environment for Policies 10-37

Using Service Identity Certification Extension

For Web services that implement a message-protection policy, the Web service's base64-encoded public certificate is published in the WSDL. The certificate is included for message protection policies whether or not the policy encrypts or decrypts data.

The certificate in the WSDL is the service's public key by default, as determined by the Encryption Key you specified when you configured the keystore as described in Configuring Keystores for Message Protection on page 10-8. If this certificate is not found in the WSDL, the keystore.recipient.alias property is used instead and the certificate must be in the client's domain-level keystore as before.

Hostname Verification for the Certificate Included in WSDL

The hostname verification feature ensures that a certificate retrieved from a WSDL was not the subject of a substitution attack or man-in-the-middle attack and is indeed the expected certificate. To do this, Oracle WSM validates that the common name (CN) or the subject Group Base Distinguished Name (DN) in the certificate matches the hostname of the service. This feature depends upon the subject DN of the certificate. By default, hostname verification is disabled.

Enabling or Disabling Service Identity Certificate Extension and Hostname Verification

You use Fusion Middleware Control to enable or disable service identity certificate extension and hostname verification. The properties on the Identity Extension tab enable you to specify whether to enforce Web service policies by publishing the X509 certificate in the WSDL. In addition, if the X509 certificate is published, you can also specify whether to ignore hostname verification. Service identity certificate extension is enabled by default; hostname verification is disabled by default.
Note: In prior releases of Oracle WSM, for Web services that implemented a message-protection policy, the Web service client needed to store the Web service's public certificate in its domain-level keystore. The client then used the keystore.recipient.alias property to identify the certificate in the keystore. To do this, you either identified the keystore.recipient.alias property on the Configurations page or overrode it on a per-client basis using the Security Configuration Details control when attaching the policy or programmatically.

Note: Self-signed certificates must be available in the client-side keystore to be trusted.

10-38 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

To enable or disable service identity certificate extension and hostname verification:

1. Set the encryption key from which the public key is derived, as described in Configuring Keystores for Message Protection on page 10-8. If you use a service-side override to override the encryption key or keystore for a Web service, the certificate corresponding to the overridden key is used.

2. From the navigation pane, expand WebLogic Domain.

3. Select the domain in which you want to enable or disable service identity certificate extension and hostname verification.

4. Using Fusion Middleware Control, click WebLogic Domain.

5. Select Web Services, and then select Platform Policy Configuration.

6. Select the Identity Extension tab.

7. To modify an identity extension property, select it and then click Edit. In the Edit Property window, you can edit the Value field to change the default value of each property.

■ wsm.ignore.identity.wsdl – Specifies whether to enable or disable the consumption of the X509 certificate from a client-side WSDL, per domain. By default, this property is set to false (consumption enabled), which means that the certificate from the WSDL is used by the client run time for encryption. You can disable the consumption of the X509 certificate by changing the setting to true.

■ wsm.ignore.hostname.verification – Specifies whether to ignore the hostname verification feature, per domain. By default, this property is set to true (hostname verification disabled). You can enable hostname verification by setting the property to false.

8. To delete an existing property, select it and then click Delete.

9. Click Apply to apply the property updates.

Ignoring the Service Identity Certificate Extension From the Client

For a Java EE client, the value of the wsm.ignore.identity.wsdl property is read automatically and no additional configuration is required. Set this property in Fusion Middleware Control to turn identity verification on and off, as described in Enabling or Disabling Service Identity Certificate Extension and Hostname Verification on page 10-37.

For a JSE client, the Web service client must take explicit action to ignore the certificate in the WSDL and rely solely on the keystore.recipient.alias property it sets.

Note: Service identity certificate extension does not set the encryption key from which the public key is derived. You must first specify this key as described in Configuring Keystores for Message Protection on page 10-8.

Note: By default, if the certificate is published in the WSDL, then the client override property value for keystore.recipient.alias is ignored.
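To make the interaction of the two Identity Extension properties and the keystore.recipient.alias fallback concrete, here is an added Python model (not Oracle WSM code; the Cert class, keystore dictionary and hostnames are constructed for illustration) of how a client chooses the recipient certificate and when hostname verification rejects a substituted certificate from the WSDL.

```python
# Added illustrative model, not Oracle WSM code: how the two Identity Extension
# properties steer which certificate a client encrypts to and whether the
# hostname check runs. Cert, keystore and host names below are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Cert:
    """Stand-in for an X.509 certificate; only the subject DN matters here."""
    subject_dn: str   # e.g. "CN=ws.example.com,OU=WS,O=Example"
    source: str       # "wsdl" or the keystore alias it came from


def subject_cn(subject_dn: str) -> Optional[str]:
    """Return the CN attribute of an RFC 2253-style DN string, or None."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def hostname_matches(cert: Cert, service_host: str) -> bool:
    """Hostname verification: the certificate CN must equal the service host.
    (The guide also allows a subject DN match; this model checks CN only.)"""
    cn = subject_cn(cert.subject_dn)
    return cn is not None and cn.lower() == service_host.lower()


def select_recipient_cert(wsdl_cert: Optional[Cert], keystore: Dict[str, Cert],
                          recipient_alias: str, service_host: str,
                          ignore_identity_wsdl: bool = False,
                          ignore_hostname_verification: bool = True) -> Cert:
    """Pick the certificate used for message protection. Keyword defaults mirror
    the documented defaults of wsm.ignore.identity.wsdl (false) and
    wsm.ignore.hostname.verification (true)."""
    if wsdl_cert is not None and not ignore_identity_wsdl:
        # The certificate published in the WSDL wins; keystore.recipient.alias
        # is ignored. A substituted certificate is only caught when the
        # hostname check is enabled (property set to false).
        if not ignore_hostname_verification and not hostname_matches(wsdl_cert, service_host):
            raise ValueError("WSDL certificate CN does not match the service hostname")
        return wsdl_cert
    # No certificate in the WSDL, or consumption disabled: fall back to the
    # client's domain-level keystore via keystore.recipient.alias.
    if recipient_alias not in keystore:
        raise KeyError(f"alias {recipient_alias!r} not in client keystore")
    return keystore[recipient_alias]
```

With the documented defaults a certificate whose CN does not match the service host is still accepted, which is why enabling hostname verification is the check that turns the published certificate into something the client can actually trust.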