At the bottom of the page, click Advanced.
1. Ensure that the client application obtains a digital certificate that WebLogic Server
automatically trusts, because it has been issued by a trusted certificate authority.2. Create a certificate registry that lists all the individual certificates trusted by
WebLogic Server, and then ensure that the client uses one of these registered certificates. To configure SSL for a Web service client:1. Create a keystore used by the client application. Oracle recommends that you
create one client keystore per application user. You can use the keytool utility to perform this step. For development purposes, the keytool utility is the easiest way to get started.2. Create a private key and digital certificate pair, and load it into the client keystore.
Make sure that the certificate’s key usage allows both encryption and digital signatures. Oracle requires a key length of 1024 bits or larger.3. Make sure that the following properties are set in the clients JVM:
■ javax.net.ssl.trustStore -- The name of the file that contains the trust store. ■ javax.net.ssl.trustStoreType -- The type of KeyStore object that you want the default TrustManager to use. ■ javax.net.ssl.trustStorePassword -- The password for the KeyStore object that you want the default TrustManager to use. ■ javax.net.ssl.keyStore -- The name of the file that contains the KeyStore object. ■ javax.net.ssl.keyStoreType -- The type of KeyStore object. ■ javax.net.ssl.keyStorePassword -- The password for the KeyStore. Note: See Configuring SOA Composite Applications for Two-Way SSL Communication in Oracle Fusion Middleware Administrators Guide for Oracle SOA Suite and Oracle Business Process Management Suite for specific configuration steps when a SOA application is the Web service client over two-way SSL. Setting Up Your Environment for Policies 10-29 Configuring SSL on Oracle HTTP Server The HTTPS protocol uses an industry standard protocol called Secure Sockets Layer SSL to establish secure connections between clients and servers. You can use the HTTPSSSL support offered by the Oracle HTTP Server as one of the communication protocols to communicate between the client and the Web service. This section describes how to set up a Web service client and a Web service using Oracle WSM policies to send requests over SSL. Oracle HTTP Server is configured as a Web proxy that intermediates between the client and Oracle WebLogic Server. SSL is enabled at Oracle HTTP Server and SSL transport is turned on between the client and Oracle HTTP Server. Communication remains non-SSL between Oracle HTTP Server and WebLogic Server. This section describes how to configure the policies that require one-way SSL and two-way SSL. For more information, see: ■ Configuring SSL in Oracle Fusion Middleware, in Oracle Fusion Middleware Administrators Guide ■ Configuring SSL in Securing Oracle WebLogic Server ■ Set Up SSL in the Oracle WebLogic Server Administration Console Help ■ Configuring Secure Sockets Layer in Oracle Fusion Middleware Administrators Guide for Oracle HTTP Server One-Way SSL For more information on the Oracle WSM policies that require one-way SSL configuration, see Which Policies Require You to Configure SSL? on page 10-23. To use one-way SSL, you need to: 1. Configure the Oracle HTTP Server as follows: a. In the file ORACLE_INSTANCEconfigOHSohs_namessl.conf, configure Oracle HTTP Server as a Web proxy and specify the list of URLs you want to access, as shown in Example 10–1 . Example 10–1 Specifying URLs in ssl.conf added properties for configuring OHS as webproxy IfModule weblogic_module WebLogicHost host WebLogicPort port SecureProxy Off WlProxySSL On Debug ALL WlLogFile tmpweblogic.log the location attributes list the urls you want to access via OHS Location myWlsService SetHandler weblogic-handler WebLogicHost host WeblogicPort port Location b. In the same file, set the following properties under virtual host configuration to ensure the client certificate information is sent to WebLogic Server: SSLVerifyClient optionalParts
» Oracle Fusion Middleware Online Documentation Library
» Click Login. Oracle Fusion Middleware Online Documentation Library
» Description of Functionality Click Log In.
» A deployment plan is an XML file that you use to configure an application for
» Click Next. Oracle Fusion Middleware Online Documentation Library
» When the operation completes, click Close.
» Using Fusion Middleware Control, click Application Deployment, then click Web
» Connect to the running instance of WebLogic Server to which the application is
» Select soa-infra, expand the SOA partition for example, the default partition and
» Select the Dashboard tab if it is not already selected.
» Click Callback Client in the upper right portion of the endpoint page.
» Navigate to the Web Service Endpoint page, or the Service Home page for SOA
» Click the Configuration tab. For SOA composites, click the Properties tab.
» For ADF and WebCenter applications, restart the Web service application. You do
» In the Metadata Exchange Enabled field, select True from the menu to enable the
» In the Schema validation field, select True from the menu to enable schema
» In the Atomic Transaction Flow Option field, select whether the transaction Click Apply.
» Set the Maximum Request Size and the Unit of Maximum Request Size and click
» In the Web Service Details section of the page, click on the plus + for the Web
» Click the name of the endpoint of the asynchronous Web service to navigate to the
» From the Web Service Endpoint page, click the Configuration tab. Click Apply.
» Click Apply. Oracle Fusion Middleware Online Documentation Library
» Click the Configuration tab.
» When you are done viewing the policy, click Return to Web Services Policies.
» From the Category menu, select the category to which this policy will belong and
» Set the Local Optimization control. See
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Click Validate to verify that the policy does not contain errors. For more
» From the Web Services Policies page, click Import From File.
» In the Create Policy From File box, enter the file path of the file in the Select Policy
» Click OK. Oracle Fusion Middleware Online Documentation Library
» Click the Search Assertion Templates icon next to the Name field. Click Create Like.
» Click Edit. Oracle Fusion Middleware Online Documentation Library
» Select the assertion template to be edited as described in Click the Configurations tab.
» Select the property from the list and click Edit.
» Enter the values for your configuration and click OK.
» In the Assertions section, click Add.
» To configure the assertion, click the Settings tab and edit the settings as required.
» To edit the configuration properties, click the Configurations tab.
» Select the property to be edited and click Edit.
» Edit the Configuration properties and click OK.
» When you are done, click Save to save the policy.
» In the Assertion List section, click Add OR Group. Click OK.
» To delete an assertion from the OR group, select the assertion and click Delete. To
» In the Assertions section of the page, select the assertion to be configured in the
» Click the Settings or Configurations tab.
» Edit the Settings and Configuration properties, and click Save.
» Select Save File. Oracle Fusion Middleware Online Documentation Library
» Navigate to the Web Services Assertions Templates page, as described in
» Click Browse to navigate to the directory where the assertion template file is
» Click Delete. Oracle Fusion Middleware Online Documentation Library
» The policies appear in order in the Policy Version History table with the active
» In the Policy History table, select a policy and click Restore or click Activate
» Select a generated policy from the table and click Edit.
» Click Validate to validate your changes.
» Click Save to save the changes to your policy.
» From the Web Service Endpoint page, click the OWSM Policies tab.
» Select the policy you want to enable or disable.
» Select Enable or Disable to enable or disable the policy, respectively, and confirm
» Select a policy from the Policies table and click Edit. Click Save.
» In cases where multiple domains share the same Oracle WSM Repository to store
» Click the OWSM Policies tab.
» Navigate to the home page for the Web service, as described in
» Click the name of a endpoint to navigate to the Web Service Endpoints page for a
» Click AttachDetach. Oracle Fusion Middleware Online Documentation Library
» Select a policy from the Available Policies list, and click Attach. See
» Using Fusion Middleware Control, click WebLogic Server and then Web Services.
» From the Web Services Summary page, click Attach Policies.
» Click Back to make any changes, or click Attach to complete the bulk attachment.
» Click the Policies tab. Click AttachDetach.
» Click Validate. Oracle Fusion Middleware Online Documentation Library
» View the SOA reference, as described in
» In the Directly Attached Policies section of the page, click AttachDetach.
» From the Available Policies section of the page, select one or more policies that
» Click Attach when you are sure that you want to attach the policy or policies.
» From the Application Deployment menu, select ADF, and then Configure ADF
» On the ADF Connections Configuration page, select a row in the Web Service
» On the Web Service Client page, select the OWSM Policies tab.
» On the Available Policies section of the page, select one or more policies that you
» On the Available Policies portion of the page, select one or more policies that you
» Select the configuration property and click Edit to make the change to the action Click Save.
» Select Override Policy Configuration.
» Enter the override value in the Value field for the property and click Apply.
» Attach the policy to the service as described in
» Use the setWebServicePolicyOverride command to override policy
» For ADF DC and WebCenter client applications, restart the Web service client
» From the WebLogic Domain menu, select Web Services then Policy Sets.
» From the Policy Set Summary page, click Create.
» In the Enter Resource Scope page, enter at least one pattern string that defines the
» In the Add Policy References page, select a policy from the Available Policies list,
» Continue selecting and attaching policies. When you are finished, click Validate to
» Click Next to view the Policy Set Summary Page.
» Select or clear the Enabled check box to enable or disable the policy set.
» In the Enter Resource Scope page, modify the scope as desired and click Next.
» In the Add Policy References page, modify the policy attachments as desired.
» Navigate to the Policy Set Summary page as described in
» In the Policy Set Summary page, select the policy set that you want to edit and
» Review the policy set summary information. If you are satisfied with the policy
» Specify the policy set to be modified using the modifyPolicySet command.
» Use the enablePolicySet command to enable or disable a policy set.
» Validate the policy set using the ValidatePolicySet command.
» In the Policy Set Summary page, select a policy set from the table and click Delete.
» A dialog box displays asking you to confirm the deletion. Click OK.
» In the Navigator pane, expand WebLogic Domain to show the domain for which
» From the WebLogic Domain menu, select Security then Security Provider
» Click the plus sign + to expand the Keystore control near the bottom of the page,
» In the Keystore Type drop-down, select Java Key Store JKS, if it is not already
» Click OK to submit the changes.
» Generate the private key and self-signed certificate. The self-signed certificate will
» Generate the certificate request.
» Submit the CSR file to a CA such as VeriSign, for example. The CA will
» Import the CA root certificate which authenticates the CA’s public key.
» Replace the self-signed certificate with the trusted CA certificate issued by the CA
» Click Create Key to create new entries in the oracle.wsm.security credential
» Start WLST using the WLST.shcmd command located in the oracle_
» In the left pane of the Console, expand Environment and select Servers.
» Select Configuration, and then Keystores.
» Select Configuration, and then the SSL page, and choose the location of identity
» At the bottom of the page, click Advanced.
» Set the Two Way Client Cert Behavior control to Client Certs Requested and
» Ensure that the client application obtains a digital certificate that WebLogic Server
» Create a certificate registry that lists all the individual certificates trusted by
» Create a keystore used by the client application. Oracle recommends that you
» Create a private key and digital certificate pair, and load it into the client keystore.
» Make sure that the following properties are set in the clients JVM:
» Using Fusion Middleware Control, click WebLogic Domain, then Security, and
» In the Keystore Type drop-down, select Hardware Security Module HSM.
» After the Keystore Configuration page refreshes, enter Luna in the HSM Provider
» In the Key Alias and Crypt Alias fields, enter an alias for the signature and
» From the navigation pane, expand WebLogic Domain.
» Using Fusion Middleware Control, click WebLogic Domain.
» Select Web Services, and then select Platform Policy Configuration.
» Select the Identity Extension tab.
» To modify a identity extension property, select it and then click Edit. In the Edit
» To delete an existing property, select it and then click Delete.
» Click Apply to apply the property updates.
» Optionally, in the SAML Specific Attributes section, configure an alternate Issuer
» In the Custom Properties section of the page, configure any custom properties for
» Click Add to add a custom property.
» Restart Fusion Middleware Control.
» Configure the SAML login module, as described in
» Configure the identity assertion provider in the WebLogic Server Administration
» If you will be using policies that involve signatures related to SAML assertions
» From the System Policies page, select the arrow icon in the Permission field to
» Select one of the codebase permissions to use as a starting point and click Create
» In the Grant Details section of the page, enter
» In the Permissions section of the page, select the starting point permission class
» Attach the Kerberos policy to your Web service.
» Configure the Web service client to authenticate against the right KDC.
» Export the keytab file you created in
» Verify the keytab file using kinit:
» In the left pane select Security Realms.
» On the Settings for Realm Name page select Users and Groups and then Users.
» Click New. Oracle Fusion Middleware Online Documentation Library
» Click OK to save your changes.
» Create a new key pair and self-signed certificate.
» Generate a certificate request to the certificate authority.
» Replace import the self-signed certificate with the trusted CA certificate.
» If it is not already enabled, click the Configure Keystore Management check box.
» The Web service client invokes a Web service. The WSDL for the Web service
» The Web service client the requestor sends an authentication request, with
» The STS verifies the credentials presented by the client, and then in response
» The requestor verifies the RSTR, extracts the token, and passes it to the Web
» The Web service receives the issued token and verifies that the token was issued
» Navigate to Configuration Global Security Token Service.
» Under the On Behalf of Token section, select ldapService from the Authentication
» Select AES from the Encryption Algorithm drop-down list, and select 128 from
» Configure OpenSSO STS, as described
» Configure the STS service policy following the steps described in
» Configure OpenSSO STS. as described Configure the STS policy following the steps described in
» What are the basic requirements of your security policy? Decide if you need to
» If you require both authentication and message protection, then you need to
» Create a simple Web service that approves a credit card number cardNr. A
» Click Selected Roles. Oracle Fusion Middleware Online Documentation Library
» Click Add. Oracle Fusion Middleware Online Documentation Library
» Click OK. Click Delete. Click Selected Roles. Click Add.
» Click Add. Click OK. Click Delete.
» To add roles, click the check box next to each role you want to add in the Roles
» Select the role that you want to delete in the Selected Roles list.
» Using Fusion Middleware Control, click WebLogic Domain, then Logs and then
» Expand the test option sections by clicking the plus sign + next to the section
» In the Security section, select the security token to verify. The security setting is
» Using Fusion Middleware Control, click WebLogic Server, and then Web
» In the Web Services Details section of the Web Services summary page, select the
» Select the endpoint for which you want to display the statistics.
» Select the Operations tab if it is not already selected.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services
» Click Add to register a new source. The Register New Source page appears, as
» If you selected UDDI v3 registry import, enter the following information:
» If you selected WSIL import from URL, enter the following information:
» If you selected WSIL import from File, click Browse next to the WSIL File field
» Select Register Web Services.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services Do one of the following:
» Click OK in the Publish Service to UDDI window.
» Select Actions, then Publish to UDDI. See
» In the Publish Service to UDDI dialog box
» Click OK to connect to the external UDDI registry and register the Web service.
» On the Configuration tab, set the WSDL Enabled field to True or False to enable of
» In the navigator pane, expand WebLogic Domain to view the domains.
» Select WebLogic Domain Web Services Platform Policy Configuration.
» Select the tab corresponding to the component for which you want to define
» Select the Policy Accessor tab.
» Click Add to define a remote JNDI provider.
» Click Add to define a corresponding csf-key credential property. In the Add
» Select the Policy Cache tab.
» To modify an existing property, select it and then click Edit.
» Click Add to add a policy retrieval property.
» Select the Policy Interceptors tab.
» Select the Trusted SAML clients or Trusted STS servers tab, depending on
» Connect to the Administration Server using the command-line Oracle WebLogic
» After connecting to the Administration Server using WLST, start the script using
» Configure JOC for all the Managed Servers for a given cluster.
» Click Apply and restart WebLogic Server.
» Enter the name of the custom user in the JMS System User field and click Apply.
» Access the WebLogic Server Administration Console. To do so from Fusion
» Click Deployments in the Domain Structure pane and navigate to the
» In the Change Center, select Lock Edit.
» Select the MDB name for the request or response MDB. You will need to update
» In the Enterprise Bean Configuration section of the page, enter the custom user
» In the Change Center, click Activate Changes.
» Select wsm-pm. Oracle Fusion Middleware Online Documentation Library
» Use keytool to reset the passwords in the Oracle WSM keystore file. Because the
» From the WebLogic Sever menu, select Logs Log Configuration.
» Expand Root Logger. Oracle Fusion Middleware Online Documentation Library
» Expand oracle. Oracle Fusion Middleware Online Documentation Library
» Set the logging level for one or more of the following components:
» Click Apply to store the new logging level.
» Set the Logging Level field to one of the following settings: Severe, Warning,
» Click Search once you have set the fields, as desired.
» From the WebLogic Sever menu, select Logs Log Configuration. Select the Log Files tab.
» Click OK to edit the log file configuration.
» In the Navigator pane, expand Metadata Repositories and select mds-owsm, as
Show more