Internal SSL Client Authentication Mapping in J2EE

• Add the CLIENT-CERT authentication method as described in Example 8, A fragment of web.xml.
• Add context parameters. Set the context parameter twowayssl.use_user to the value true.
• Set the context parameter twowayssl.issuer to the X.509 Issuer DN of the certificates you want to allow.
• You can set the context parameter twowayssl.mapping to a regular expression for matching parts of the Subject DN. By default, it is set to the name part of the e-mail address in the email field.
• You can set the context parameter twowayssl.debug to true for run-time information about matching.

All context parameters that you set correspond to parameters in Section 8.3, SSL Client authentication with Embedded HTTP/HTTPS Server. For examples of these parameters, see Example 8, A fragment of web.xml.

Example 8. A fragment of web.xml

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <context-param>
        <param-name>twowayssl.use_user</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>twowayssl.issuer</param-name>
        <param-value>C=CZ, ST=Czech, L=Prague, O=Example company, OU=Security Team, CN=CA</param-value>
    </context-param>
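The behaviour that twowayssl.issuer and twowayssl.mapping describe, as an added illustration in Python that is not part of the registry or of this page: the presenting certificate's issuer DN is compared with the configured issuer, and only then is the mapping regular expression applied to the subject DN to derive the user name, falling back to the documented default (the name part of the e-mail address). The issuer DN is the one from Example 8; the subject DNs, the stand-in default pattern DEFAULT_MAPPING, the DN comparison in normalize_dn and the function map_client_cert are all constructed here, since the registry's own implementation, its exact default pattern and its DN-comparison rules are not shown on the page.

```python
import re

# Configured issuer taken from Example 8 on this page; the subject DNs used below
# are constructed sample values, not certificates from any real deployment.
EXAMPLE_ISSUER = "C=CZ, ST=Czech, L=Prague, O=Example company, OU=Security Team, CN=CA"

# Assumed stand-in for the documented default of twowayssl.mapping: capture the
# name part (before "@") of the e-mail RDN, whichever spelling the CA used.
DEFAULT_MAPPING = r"(?:^|,\s*)(?:E|EMAIL|emailAddress)=([^@,]+)@"


def normalize_dn(dn):
    """Canonicalise a DN string for comparison by trimming whitespace around each
    RDN. This is a simplified string comparison (an assumption of this example);
    a production check should compare parsed names and, better, pin the issuer
    certificate itself rather than only its DN."""
    return ",".join(part.strip() for part in dn.split(","))


def map_client_cert(subject_dn, issuer_dn, allowed_issuer, mapping=None, debug=False):
    """Return the user name derived from subject_dn, or None if the certificate is
    rejected. The parameters mirror the context parameters described above:
    allowed_issuer plays the role of twowayssl.issuer, mapping of twowayssl.mapping
    and debug of twowayssl.debug."""
    # Issuer check first: a certificate from an unexpected CA never reaches the
    # mapping step, however well-formed its subject is.
    if normalize_dn(issuer_dn) != normalize_dn(allowed_issuer):
        if debug:
            print("rejected: issuer %r is not the configured issuer" % issuer_dn)
        return None
    pattern = mapping or DEFAULT_MAPPING
    match = re.search(pattern, subject_dn)
    if match is None:
        if debug:
            print("rejected: mapping %r matched nothing in subject %r" % (pattern, subject_dn))
        return None
    # Use the first capturing group when the pattern has one, otherwise the whole match.
    user = (match.group(1) if match.lastindex else match.group(0)).strip()
    if not user:
        return None
    if debug:
        print("accepted: subject %r -> user %r" % (subject_dn, user))
    return user


def demo():
    """Run the mapping over constructed subjects and return the outcome of each case."""
    subject = "C=CZ, O=Example company, CN=Jane Doe, E=jane.doe@example.com"
    return {
        "default mapping": map_client_cert(subject, EXAMPLE_ISSUER, EXAMPLE_ISSUER),
        "cn mapping": map_client_cert(subject, EXAMPLE_ISSUER, EXAMPLE_ISSUER,
                                      mapping=r"CN=([^,]+)"),
        "wrong issuer": map_client_cert(subject, "C=CZ, O=Other CA, CN=CA", EXAMPLE_ISSUER),
        "no e-mail": map_client_cert("C=CZ, O=Example company, CN=Jane Doe",
                                     EXAMPLE_ISSUER, EXAMPLE_ISSUER),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print("%-16s -> %r" % (case, user))
```

The last two cases in demo() are the ones worth keeping in mind when you tune twowayssl.mapping: a certificate from any other CA is rejected before its subject is looked at, and a subject that the pattern does not match yields no user at all rather than a partial name, which is the point of enabling twowayssl.debug while testing a new pattern.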

8.7. Disabling Normal Authentication

After you implement a custom authentication mechanism, such as a client SSL certificate, you may want to disable normal authentication. Disable normal authentication by removing permission for the get_authToken UDDI API from the system#everyone group. The get_authToken API has this permission by default.

To remove permission for the get_authToken UDDI API from the system#everyone group:

1. Log into the WEB UI using your administrative account and open the Management tab.
2. Open the Permissions page.
3. Select the Group radio button.
4. Edit the group system#everyone and remove the following permissions (Permission type / Api name / Actions):
   • org.systinet.uddi.security.permission.ApiUserPermission / org.systinet.uddi.client.v3.UDDI_Security_PortType / get_authToken,
   • org.systinet.uddi.security.permission.ApiUserPermission / org.systinet.uddi.client.v2.Publish / get_authToken,
   • org.systinet.uddi.security.permission.ApiUserPermission / org.systinet.uddi.client.v1.PublishSoap / get_authToken.


Note: Remember that you cannot log in to the WEB user interfaces with the normal login dialog after you disable normal authentication.

8.8. Consoles Configuration

In this section, we will show you how to configure authentication for both Registry Control and Business Service Control. The configuration of consoles is very similar to the configuration of other endpoints.

Referring to jar packages: the file path REGISTRY_HOME/app/uddi/web.jar/WASP-INF/package.xml means the WASP-INF/package.xml inside the jar package REGISTRY_HOME/app/uddi/web.jar.

For the Registry Control, modify the file REGISTRY_HOME/app/uddi/web.jar/WASP-INF/package.xml with the following:

    <service-endpoint path="/web" name="WebUIEndpoint1"
        service-instance="tns:WebUI" type="raw" other-methods="get"
        accepting-security-providers="HttpBasic"/>
    <service-endpoint path="/web" name="WebUIEndpoint2"
        service-instance="tns:WebUI" type="raw" other-methods="get"
        accepting-security-providers="HttpBasic"/>

If you want to set the Netegrity SiteMinder provider, use accepting-security-providers="Siteminder".

For the Business Service Control, do the same in the file REGISTRY_HOME/app/uddi/bsc.jar/WASP-INF/package.xml.

We have just set authentication providers for both the HTTP and HTTPS protocols. Now we must specify which protocol the consoles will use for user authentication. The default registry configuration uses HTTP for browsing and searching; HTTPS is used for publishing. To avoid displaying the login dialog twice, first when accessing via HTTP and then again when accessing via HTTPS, modify the configuration to use only one protocol.

For the Registry Control, modify the url and secureUrl elements in the file REGISTRY_HOME/app/uddi/conf/web.xml so that they have the same value:

    <url>https://servername:8443/registry</url>
    <secureUrl>https://servername:8443/registry</secureUrl>

For the Business Service Control, make the same change in the REGISTRY_HOME/app/uddi/bsc.jar/conf/web.xml file.

8.9. Outgoing Connections Protected with SSL Client Authentication

Oracle Service Registry can be the client in SSL Client Authentication. This allows the following scenarios:

• SOAP Client - This is commonly used in the following scenarios:
  • Approval process
  • Replications
