13-2 Oracle Fusion Middleware Upgrade Guide for Oracle SOA Suite, WebCenter, and ADF
For more information, see “Task 6: Upgrade the Application Web Services” in the Oracle Fusion Middleware Upgrade Guide for Java EE.
13.1.1.1 A Note About Oracle WSM 10g Gateways
As described in “Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware” in the Oracle Fusion Middleware Security and Administrator’s Guide for Web Services, Oracle Fusion Middleware 11g Release 1 (11.1.1) does not include a Gateway component.
You can continue to use the Oracle WSM 10g Gateway components with Oracle WSM 10g policies in your applications. For information about Oracle WSM 10g interoperability, see the Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager.
13.1.1.2 A Note About Third-party Software
As described in “Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware” in the Oracle Fusion Middleware Security and Administrator’s Guide for Web Services, Oracle WSM 10g supported policy enforcement for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 11g Release 1 (11.1.1) only supports Oracle WebLogic Server.
You can continue to use the third-party application servers with Oracle WSM 10g policies. For information about Oracle WSM 10g interoperability, see the Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager.
13.1.2 Upgrading Oracle WSM 10g Predefined Policies
Table 13–1 describes the most common Oracle WSM predefined policy upgrade scenarios based on the following security requirements: authentication and authorization, message protection, transport, and logging. For each security requirement, the table compares the steps required to implement it in the Oracle WSM 10g and Oracle WSM 11g environments.
For more information about:
■ Attaching policies in Oracle Fusion Middleware 11g, see “Attaching Policies to Web Services” in Oracle Fusion Middleware Security and Administrator’s Guide for Web Services.
■ Oracle WSM 10g policy steps, see “Oracle Web Services Manager Policy Steps” in Oracle Web Services Manager Administrator’s Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation
Upgrading Oracle Web Services Manager Policies and OC4J Security Environments 13-3
Table 13–1 Upgrading Oracle WSM 10g Predefined Policies
Columns: Security Requirements, Oracle WSM 10g, Oracle WSM 11g

Security requirement: Anonymous authentication with message protection (WS-Security 1.0)
Oracle WSM 10g: Attach policy steps as follows:
■ Client: Sign Message and Encrypt.
■ Web service: Decrypt and Verify Signature.
Oracle WSM 11g:
1. Attach policies as follows:
   Client: oracle/wss10_message_protection_client_policy.
   Web service: oracle/wss10_message_protection_service_policy.
2. Leave the default configuration set for message signing and encryption.
3. Disable the Include Timestamp configuration setting.

Security requirement: Anonymous authentication with message integrity (WS-Security 1.0)
Oracle WSM 10g: Attach policy steps as follows:
■ Client: Sign Message.
■ Web service: Verify Signature.
Oracle WSM 11g:
1. Attach policies as follows:
   Client: oracle/wss10_message_protection_client_policy.
   Web service: oracle/wss10_message_protection_service_policy.
2. Configure the policy assertion for message signing only.
3. Disable the Include Timestamp configuration setting.

Security requirement: Anonymous authentication with message confidentiality (WS-Security 1.0)
Oracle WSM 10g: Attach policy steps as follows:
■ Client: XML Encrypt.
■ Web service: XML Decrypt.
Oracle WSM 11g:
1. Attach policies as follows:
   Client: oracle/wss10_message_protection_client_policy.
   Web service: oracle/wss10_message_protection_service_policy.
2. Configure the policy assertion for message encryption only.
3. Disable the Include Timestamp configuration setting.

Security requirement: Username token with message protection (WS-Security 1.0)
Oracle WSM 10g: Attach policy steps as follows:
■ Client: Insert WSBASIC Credentials and Sign Message and Encrypt.
■ Web service: Decrypt and Verify Signature, Extract Credentials (configured as WSBASIC), and File Authenticate.
Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.
Oracle WSM 11g:
1. Attach policies as follows:
   Client: oracle/wss10_username_token_with_message_protection_client_policy.
   Web service: oracle/wss10_username_token_with_message_protection_service_policy.
2. Leave the default configuration set for message signing and encryption.
3. Disable the Include Timestamp configuration setting.
4. Configure the Authentication and Identity Assertion provider.

Security requirement: Username token with message protection (WS-Security 1.0) and file authorization
Oracle WSM 10g: Attach policy steps as follows:
■ Client: Insert WSBASIC Credentials and Sign Message and Encrypt.
■ Web service: Decrypt and Verify Signature, Extract Credentials (configured as WSBASIC), File Authenticate, and File Authorize.
Note: You can substitute File Authenticate with LDAP Authenticate, Active Directory Authenticate, or SiteMinder Authenticate. Similarly, you can substitute File Authorize with LDAP Authorize, Active Directory Authorize, or SiteMinder Authorize.
Oracle WSM 11g:
1. Attach policies as follows:
   Client: oracle/wss10_username_token_with_message_protection_client_policy.
   Web service: oracle/wss10_username_token_with_message_protection_service_policy and oracle/binding_authorization.
2. Leave the default configuration set for message signing and encryption.
3. Disable the Include Timestamp configuration setting.
4. Configure the Authentication and Identity Assertion provider.

Security requirement: ID propagation with SAML token (sender vouches) with message protection (WS-Security 1.0)
Oracle WSM 10g: Attach policy steps as follows:
■ Client: SAML—Insert WSS 1.0 Sender-Vouches Token and Sign and Encrypt.
■ Web service: XML Decrypt and SAML—Verify WSS 1.0 Token.
Oracle WSM 11g:
1. Attach policies as follows:
   Client: oracle/wss10_saml_token_with_message_protection_client_policy.
   Web service: oracle/wss10_saml_token_with_message_protection_service_policy.
2. Disable the Include Timestamp configuration setting.
3. Leave the default configuration set for message signing and encryption.

Security requirement: HTTP basic authentication
Oracle WSM 10g: Attach policy steps as follows:
■ Client: NA.
■ Web service: Extract Credentials (configured as HTTP).
Oracle WSM 11g: Attach policies as follows:
■ Client: oracle/wss_http_token_client_policy.
■ Web service: oracle/wss_http_token_service_policy.

Security requirement: Oracle Access Manager security (WS-Security 1.0)
Oracle WSM 10g: Attach policy steps as follows:
■ Client: Insert Oracle Access Manager Token.
■ Web service: Extract Credentials and Oracle Access Manager Authenticate Authorize.
Oracle WSM 11g: Attach policies as follows:
■ Client: oracle/wss_oam_token_client_policy.
■ Web service: oracle/wss_oam_token_service_policy.

Security requirement: Mutual authentication with message protection (WS-Security 1.0)
Oracle WSM 10g: Attach policy steps as follows:
■ Client: Insert WSBASIC Credentials and Sign Message and Encrypt.
■ Web service: Decrypt and Verify Signature, Extract Credentials (configured as WSBASIC), and File Authenticate.
Note: You can substitute File Authenticate with LDAP Authenticate, Oracle Access Manager Authenticate, Active Directory Authenticate, or SiteMinder Authenticate.
Oracle WSM 11g:
1. Attach policies as follows:
   Client: oracle/wss10_x509_token_with_message_protection_client_policy.
   Web service: oracle/wss10_x509_token_with_message_protection_service_policy.
2. Leave the default configuration set for message signing and encryption.
3. Disable the Include Timestamp configuration setting.
4. Configure the Authentication and Identity Assertion provider.