Creating and Managing Policy Sets 9-15 Alternately, you can choose to cancel any changes by using the abortRepositorySession command, which discards any changes that were made to the repository during the session. For more information about the WLST commands and their arguments, see Web Services Custom WLST Commands in WebLogic Scripting Tool Command Reference. Disabling a Globally Attached Policy To explicitly disable a globally attached policy for specific endpoints, predefined policies that do not enforce any behavior are included with your Fusion Middleware installation. You can disable a globally, or externally, attached policy by attaching one of these predefined policies that contains the same category of assertions as the policy to be disabled. You can attach the no behavior policy either directly to an endpoint, or globally at a lower scope, such as at the application or module level. A policy that is directly attached takes precedence over a policy that is globally attached and a policy that is globally attached at a lower scope takes precedence over a policy that is globally attached at a higher scope. For more information, see Calculating the Effective Set of Policies on page 9-22. For example, if an authentication policy is globally attached to all service endpoints in a domain, you can disable it for a specific Web service endpoint by directly attaching the oracleno_authentication_service_policy to the endpoint. Alternatively, to disable the authentication policy for only an application in the domain, you can create a policy set that attaches the oracleno_authentication_ service_policy only to the service endpoints in the application. For details about directly attaching a policy to an endpoint, see Attaching a Policy to a Single Subject on page 8-3. For more information about the no behavior policies, see No Behavior Policies on page B-30. Enabling and Disabling a Policy Set The following sections describe how to enable or disable a policy set using either Fusion Middleware Control or the command line interface WebLogic Scripting Tool, WLST. Note: If the globally attached policy that you are disabling contains any other assertions, those assertions are disabled also. For example, if the global policy to be disabled is oraclewss10_saml_token_with_ message_protection_client_policy and you attach the no behavior oracleno_authentication_service_policy to an endpoint at lower scope or directly, both the authentication and the message protection assertions of the globally attached policy are disabled. Note: Do not delete these no behavior policies. All of the policies use the same no_behavior assertion. An assertion template is not provided, therefore if you delete the policies, there is no way to recreate them manually. If they are deleted by mistake, the only way to restore them is to rebuild the repository. For more information, see Rebuilding the Oracle WSM Repository on page 17-8. 9-16 Oracle Fusion Middleware Security and Administrators Guide for Web Services Using Fusion Middleware Control To enable or disable a policy set using Fusion Middleware Control, edit the policy set as described in Editing a Policy Set on page 9-13. To enable the policy set if it is disabled, select the Enabled check box. To disable the policy set, clear the Enabled check box. Note that you must click Next through steps 2 and 3, then click Save in Step 4 to save the updated policy set. Figure 9–7 Enabling and Disabling a Policy Set Using WLST To enable or disable a policy set:

1. Connect to the running instance of WebLogic Server as described in

Accessing the Web Services Custom WLST Commands on page 1-6.

2. Begin a repository session using the beginRepositorySession command.

For example: wls:jrfserver_domainserverConfig beginRepositorySession Repository session begun.

3. Specify the policy set to be modified using the modifyPolicySet command.

For example: wls:jrfServer_domainserverConfig modifyPolicySetall-domains-default-web-service-policies The policy set is ready for modification in the session.

4. Use the enablePolicySet command to enable or disable a policy set.

enablePolicySet[enable=true] Set the enable argument to true to enable a policy set if it is disabled. The default is true. Set the enable argument to false to disable a policy set. For example, to disable a policy set: wls:jrfServer_domainserverConfig enablePolicySetfalse Policy set disabled.

5. Validate the policy set using the ValidatePolicySet command.

For example: wls:jrfServer_domainserverConfig validatePolicySet Creating and Managing Policy Sets 9-17 The policy set app-only-web-service-policies is valid. 6. To write the contents of the current repository session to the repository, use the commitRepositorySession command. wls:jrfServer_domainserverConfig commitRepositorySession The policy set all-domains-default-web-service-policies is valid. Updating policy set all-domains-default-web-service-policies in repository. Repository session committed successfully. Alternately, you can choose to cancel any changes by using the abortRepositorySession command, which discards any changes that were made to the repository during the session. For more information about the WLST commands and their arguments, see Web Services Custom WLST Commands in WebLogic Scripting Tool Command Reference. Deleting a Policy Set The following sections describe how to delete a policy set using either Fusion Middleware Control or the command line interface WebLogic Scripting Tool, WLST. Using Fusion Middleware Control To delete a policy set: 1. Navigate to the Policy Set Summary page as described in Navigating to the Policy Set Summary Page on page 9-1.

2. In the Policy Set Summary page, select a policy set from the table and click Delete.

3. A dialog box displays asking you to confirm the deletion. Click OK.

Using WLST To delete a policy set: 1. Connect to the running instance of WebLogic Server as described in Accessing the Web Services Custom WLST Commands on page 1-6. 2. Begin a repository session using the beginRepositorySession command. For example: wls:jrfserver_domainserverConfig beginRepositorySession Repository session begun. 3. Optionally, list the policy sets in the repository using the listPolicySets command. wls:jrfServer_domainserverConfig listPolicySets Global Policy Sets in Repository: app-only-web-service-policies all-domains-default-web-service-policies 4. Delete the policy set using the deletePolicySet command. 9-18 Oracle Fusion Middleware Security and Administrators Guide for Web Services deletePolicySet name For example: wls:jrfServer_domainserverConfig deletePolicySetapp-only-web-service-policies The policy set was deleted successfully in the session. 5. To write the contents of the current repository session to the repository, use the commitRepositorySession command. wls:jrfServer_domainserverConfig commitRepositorySession Deleting policy set app-only-web-service-policies from repository. Repository session committed successfully. Alternately, you can choose to cancel any changes by using the abortRepositorySession command, which discards any changes that were made to the repository during the session. For more information about the WLST commands and their arguments, see Web Services Custom WLST Commands in WebLogic Scripting Tool Command Reference. Migrating Direct Policy Attachments to Global Policy Attachments You can use the migrateAttachments WLST command to migrate direct local policy attachments to external global policy attachments if they are identical. Migrating identical policy attachments improves manageability by reducing the number of physical attachments that need to be maintained. A direct policy attachment is identical if its URI is the same as one provided by a global policy attachment, and if it does not have any configuration overrides. You cannot migrate the following: ■ Programmatic policy attachments. ■ Direct or global policy attachments to SOA components To migrate policy attachments: 1. Connect to the running instance of WebLogic Server as described in Accessing the