Click OK to save your changes.

10-62 Oracle Fusion Middleware Security and Administrators Guide for Web Services

2. Using Fusion Middleware Control, click WebLogic Domain, then Security, and then Security Provider Configuration. Click the plus sign (+) to expand the Keystore control near the bottom of the page, then click Configure. The Web Services Manager Keystore Configuration page is displayed, as shown in Figure 10–3.

3. If it is not already selected, select the Configure Keystore Management check box.

4. Enter the path and name of the keystore that you created. By default, the keystore name is default-keystore.jks, as used in this use case. The keystore type must be JKS.

5. Enter the password for the keystore and confirm it.

6. Enter the alias and password for the signature and encryption keys. In this use case, orakey is the alias for both the signature and encryption keys. Confirm the passwords.

7. Click OK to submit the changes.

Note that all fields on this page require a restart of Fusion Middleware Control to take effect.

Store the Password for the Decryption Key in the Credential Store

You must store the password for the decryption key in the credential store, as described in Adding Keys and User Credentials to the Credential Store on page 10-17. Use keystore.enc.csf.key as the key name.

Attach the Policy to Your Web Service

Attach wss11_saml_token_with_message_protection_service_policy to your Web service as described in Attaching a Policy to a Single Subject on page 8-3.

Configure the policy assertion for message signing and message encryption. The default is to sign and encrypt the entire body for both the request and the response. You have the option to not do this and instead specify the particular body elements that you want to sign and encrypt. You can also specify additional header elements that you want to sign and encrypt. Whatever you set here must match the client policy settings.

Attach the Policy to Your Web Service Client

Attach wss11_saml_token_with_message_protection_client_policy to your Web service client, as described in Attaching Policies to Web Service Clients on page 8-11.

Configure the policy assertion for message signing, message encryption, or both. The default is to sign and encrypt the entire body. You have the option to not do this and instead specify the particular body elements that you want to sign and encrypt. You can also specify additional header elements that you want to sign and encrypt. Whatever you set here must match the Web service policy settings.

Note: You can override keystore.sig.csf.key and keystore.enc.csf.key, as described in Attaching Web Service Policies Permitting Overrides on page 8-16. If you do override these values, the keys for the new values must be in the keystore. That is, overriding the values does not free you from the requirement of configuring these keys in the keystore.
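The steps above assume that default-keystore.jks really is a JKS file, that the password you enter is the one the file was created with, and that the orakey alias holds a private key (a trusted certificate entry can neither sign nor decrypt, and the same applies to any alias you later substitute through a keystore.sig.csf.key or keystore.enc.csf.key override). The following pre-flight check is an added example, not Oracle code: it parses the JKS container directly (magic number, entry table and the SHA-1 integrity digest the JDK computes over password, the constant "Mighty Aphrodite" and the file body) and reports anything that would make the Keystore Configuration page or the attached policy fail at runtime. The build_jks helper, the sample entries and the password keystore-pass are constructed for the demonstration; point check_owsm_keystore_file at a real keystore to check it.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant the JDK mixes into the integrity digest


def _jks_digest(password, body):
    # JDK JavaKeyStore: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || file body)
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(JKS_SALT)
    md.update(body)
    return md.digest()


def build_jks(password, entries):
    """Constructed JKS writer for the demo. entries: (alias, "key", (enc_key, [certs])) or (alias, "cert", cert)."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(entries)))
    for alias, kind, payload in entries:
        alias_b = alias.encode("utf-8")
        out += struct.pack(">I", 1 if kind == "key" else 2)
        out += struct.pack(">H", len(alias_b)) + alias_b
        out += struct.pack(">Q", 0)  # creation timestamp (millis); irrelevant here
        if kind == "key":
            enc_key, chain = payload
            out += struct.pack(">I", len(enc_key)) + enc_key  # protected PKCS#8 blob
            out += struct.pack(">I", len(chain))
            certs = chain
        else:
            certs = [payload]
        for cert in certs:
            out += struct.pack(">H", 5) + b"X.509"  # cert type (version 2 format)
            out += struct.pack(">I", len(cert)) + cert
    body = bytes(out)
    return body + _jks_digest(password, body)


def _skip_cert(body, pos, version):
    if version == 2:  # version 1 files carry no type string
        n, = struct.unpack_from(">H", body, pos)
        pos += 2 + n
    clen, = struct.unpack_from(">I", body, pos)
    return pos + 4 + clen


def parse_jks(data, password):
    """Return {alias: 'PrivateKeyEntry' | 'trustedCertEntry'}; raise ValueError on bad type/password/layout."""
    if len(data) < 12 + 20:
        raise ValueError("file too short to be a JKS keystore")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore (magic 0x%08X); OWSM requires type JKS" % magic)
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    body, digest = data[:-20], data[-20:]
    if _jks_digest(password, body) != digest:
        raise ValueError("keystore password incorrect or file tampered")
    pos, entries = 12, {}
    for _ in range(count):
        tag, = struct.unpack_from(">I", body, pos)
        pos += 4
        n, = struct.unpack_from(">H", body, pos)
        pos += 2
        alias = body[pos:pos + n].decode("utf-8")
        pos += n + 8  # alias bytes, then the 8-byte timestamp
        if tag == 1:
            klen, = struct.unpack_from(">I", body, pos)
            pos += 4 + klen
            chain, = struct.unpack_from(">I", body, pos)
            pos += 4
            for _ in range(chain):
                pos = _skip_cert(body, pos, version)
            entries[alias] = "PrivateKeyEntry"
        elif tag == 2:
            pos = _skip_cert(body, pos, version)
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    if pos != len(body):
        raise ValueError("trailing bytes after last entry")
    return entries


def check_owsm_keystore(data, password, sig_alias, enc_alias):
    """Problems that would break the OWSM keystore settings; empty list means the settings are consistent."""
    try:
        entries = parse_jks(data, password)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for role, alias in (("signature", sig_alias), ("encryption", enc_alias)):
        kind = entries.get(alias)
        if kind is None:
            problems.append("%s alias %r not found in keystore" % (role, alias))
        elif kind != "PrivateKeyEntry":
            problems.append("%s alias %r is a %s, needs a private key" % (role, alias, kind))
    return problems


def check_owsm_keystore_file(path, password, sig_alias="orakey", enc_alias="orakey"):
    with open(path, "rb") as fh:
        return check_owsm_keystore(fh.read(), password, sig_alias, enc_alias)


# Constructed sample: placeholder DER blobs stand in for the protected key and certificates.
SAMPLE_JKS = build_jks("keystore-pass", [
    ("orakey", "key", (b"\x30\x03\x02\x01\x00", [b"\x30\x00"])),
    ("partner", "cert", b"\x30\x00"),
])
```

Run check_owsm_keystore_file("default-keystore.jks", password) with the aliases you intend to enter; an empty list means the page's settings will be accepted, while a "trustedCertEntry" report means you imported a certificate where a key pair was required. The check is structural only: it does not decrypt the private key, so a wrong key password is still caught only at runtime.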
The Web service's base64-encoded public certificate is published in the WSDL for use by the Web service client, as described in Using Service Identity Certification Extension on page 10-37. By default, the certificate in the WSDL is the service's public key, as determined by the encryption key "orakey" that you specified when you configured the Web Services Manager keystore. Therefore, you do not need to set or change keystore.recipient.alias.

You can optionally specify a value for saml.issuer.name on the Configurations page, or override it on a per-client basis using the Security Configuration Details control when you attach the policy. The saml.issuer.name property defaults to a value of www.oracle.com. See When to Override the SAML Issuer on page 10-59.

You can specify a value for user.roles.include on the Configurations page, or override it on a per-client basis using the Security Configuration Details control when you attach the policy.

WS-Trust Policies and Configuration Steps

This section describes the predefined WS-Trust policies and how to configure and use them. The following topics are described:

■ Overview of Web Services WS-Trust on page 10-63
■ Setting Up Automatic Policy Configuration for STS on page 10-69
■ Programmatic Configuration Overrides for WS-Trust Client Policies on page 10-74
■ Supported STS Servers on page 10-76
■ Available WS-Trust Policies on page 10-74

Overview of Web Services WS-Trust

The WS-Trust 1.3 specification defines extensions to WS-Security that provide a framework for requesting and issuing security tokens and for brokering trust relationships. WS-Trust extensions provide methods for issuing, renewing, and validating security tokens.

To secure communication between a Web service client and a Web service, the two parties must exchange security credentials. As defined in the WS-Trust specification, these credentials can be obtained from a trusted Security Token Service (STS), which acts as a trust broker.
That is, the STS must be trusted by both the Web service client and the Web service to provide interoperable security tokens.

This section describes the following topics:

■ How the STS Configuration is Obtained on page 10-64
■ Typical Token Request and Response on page 10-64
■ Example WS-Trust Use Case on page 10-65
■ Token Lifetime on page 10-66
■ What Token Types Are Exchanged? on page 10-66