Configuring Message-Level Security 2-119
    </wssp:Target>
    <wssp:SupportedTokens>
      <wssp:SecurityToken IncludeInMessage="true"
                          TokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk"
                          DerivedFromTokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct">
        <wssp:Claims>
          <wssp:Label>WS-SecureConversationWS-SecureConversation</wssp:Label>
          <wssp:Length>16</wssp:Length>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Integrity>
  <wssp:Confidentiality SupportTrust10="true">
    <wssp:Target>
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo>
      <wssp:SecurityToken IncludeInMessage="true"
                          TokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk"
                          DerivedFromTokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct">
        <wssp:Claims>
          <wssp:Label>WS-SecureConversationWS-SecureConversation</wssp:Label>
          <wssp:Length>16</wssp:Length>
        </wssp:Claims>
      </wssp:SecurityToken>
    </wssp:KeyInfo>
  </wssp:Confidentiality>
  <wssp:MessageAge/>
</wsp:Policy>
2.25.6 Wssc-sct.xml
Specifies that the client and Web service share a security context, as described by the WS-SecureConversation specification. In this case, security context tokens are used to encrypt and sign the SOAP messages, which differs from Wssc-dk.xml (Section 2.25.5, "Wssc-dk.xml"), in which derived key tokens are used. The Wssc-sct.xml policy file is provided to support all the use cases of the specification; for utmost security, however, Oracle recommends you always use Wssc-dk.xml (Section 2.25.5, "Wssc-dk.xml") when specifying shared security contexts due to its higher level of security.
This security policy file provides the following configuration:
■ A security context token is used to sign all system SOAP headers, the timestamp security SOAP header, and the SOAP body.
■ A security context token is used to encrypt the body of the SOAP message.
■ The lifetime of the security context is 12 hours. If you need to change the default security context and derived key behavior, you will have to create a custom security policy file, described in later sections.
Note: If you specify this predefined security policy file, you should not also specify any other predefined security policy file.
2-120 Securing WebLogic Web Services for Oracle WebLogic Server
Example 2–37 Wssc-sct.xml
<?xml version="1.0"?>
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part">
  <wssp:Integrity SupportTrust10="true">
    <wssp:SignatureAlgorithm URI="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <wssp:CanonicalizationAlgorithm URI="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SystemHeaders()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://www.bea.com/wls90/security/policy/wsee#part">
        wls:SecurityHeader(wsu:Timestamp)
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:Target>
      <wssp:DigestAlgorithm URI="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body()
      </wssp:MessageParts>
    </wssp:Target>
    <wssp:SupportedTokens>
      <wssp:SecurityToken IncludeInMessage="true" TokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
    </wssp:SupportedTokens>
  </wssp:Integrity>
  <wssp:Confidentiality SupportTrust10="true">
    <wssp:Target>
      <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
    </wssp:Target>
    <wssp:KeyInfo>
      <wssp:SecurityToken IncludeInMessage="true" TokenType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
    </wssp:KeyInfo>
  </wssp:Confidentiality>
  <wssp:MessageAge/>
</wsp:Policy>
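As an added example (not part of Oracle's documentation or of WebLogic's own tooling), the following Python script reads a policy file in the wssp format shown above and reports which SOAP parts it signs and encrypts and whether the key material is a derived key (as in Wssc-dk.xml) or a bare security context token (as in Wssc-sct.xml). The policy embedded in it is a constructed, trimmed copy of Example 2-37; the namespace and token-type URIs are the ones the example uses.

```python
# Added example, not Oracle's code: audit a WebLogic wssp policy for what it
# signs/encrypts and whether keys are derived (sc/dk, Wssc-dk.xml) or a bare
# security context token (sc/sct, Wssc-sct.xml).
import xml.etree.ElementTree as ET

NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wssp": "http://www.bea.com/wls90/security/policy"}
SCT = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
DK = "http://schemas.xmlsoap.org/ws/2005/02/sc/dk"
WLS_PART = "http://www.bea.com/wls90/security/policy/wsee#part"
WSSE_PART = "http://schemas.xmlsoap.org/2002/12/wsse#part"

# Constructed input: Example 2-37 (Wssc-sct.xml) trimmed to the elements the audit reads.
WSSC_SCT = f"""<wsp:Policy xmlns:wsp="{NS['wsp']}" xmlns:wssp="{NS['wssp']}">
  <wssp:Integrity SupportTrust10="true">
    <wssp:Target><wssp:MessageParts Dialect="{WLS_PART}">wls:SystemHeaders()</wssp:MessageParts></wssp:Target>
    <wssp:Target><wssp:MessageParts Dialect="{WLS_PART}">wls:SecurityHeader(wsu:Timestamp)</wssp:MessageParts></wssp:Target>
    <wssp:Target><wssp:MessageParts Dialect="{WSSE_PART}">wsp:Body()</wssp:MessageParts></wssp:Target>
    <wssp:SupportedTokens><wssp:SecurityToken IncludeInMessage="true" TokenType="{SCT}"/></wssp:SupportedTokens>
  </wssp:Integrity>
  <wssp:Confidentiality SupportTrust10="true">
    <wssp:Target><wssp:MessageParts Dialect="{WSSE_PART}">wsp:Body()</wssp:MessageParts></wssp:Target>
    <wssp:KeyInfo><wssp:SecurityToken IncludeInMessage="true" TokenType="{SCT}"/></wssp:KeyInfo>
  </wssp:Confidentiality>
  <wssp:MessageAge/>
</wsp:Policy>"""

def token_kind(tok):
    # A derived key is declared by TokenType sc/dk plus DerivedFromTokenType sc/sct.
    tt = tok.get("TokenType")
    if tt == DK and tok.get("DerivedFromTokenType") == SCT:
        return "derived-key"
    return "sct" if tt == SCT else "other"

def audit_policy(xml_text):
    """Return signed/encrypted parts per section and the token kinds each relies on."""
    root = ET.fromstring(xml_text)
    report = {}
    for section, holder in (("Integrity", "SupportedTokens"), ("Confidentiality", "KeyInfo")):
        sec = root.find(f"wssp:{section}", NS)
        if sec is None:  # the policy leaves that protection unspecified
            report[section] = None
            continue
        parts = [mp.text.strip() for mp in sec.findall("wssp:Target/wssp:MessageParts", NS)]
        toks = [token_kind(t) for t in sec.findall(f"wssp:{holder}/wssp:SecurityToken", NS)]
        report[section] = {"parts": parts, "tokens": toks}
    kinds = [k for s in ("Integrity", "Confidentiality") if report[s] for k in report[s]["tokens"]]
    # Oracle's recommendation (Wssc-dk.xml) holds only if every key is derived from the context token.
    report["derived_keys_only"] = bool(kinds) and all(k == "derived-key" for k in kinds)
    return report
```

Run `audit_policy(WSSC_SCT)` to see the Wssc-sct.xml result; swapping the two token declarations for the sc/dk form used in Wssc-dk.xml flips `derived_keys_only` to True.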
3 Configuring Transport-Level Security
Transport-level security refers to securing the connection between a client application and a Web service with Secure Sockets Layer (SSL) or HTTP Basic authentication, either alone or in combination.
SSL provides secure connections by allowing two applications connecting over a network to authenticate the other's identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. A client certificate (two-way SSL) can be used to authenticate the user.
See "Secure Sockets Layer (SSL)" in Understanding Security for Oracle WebLogic Server for general information about SSL and the implementations included in WebLogic Server.
The following sections describe how to configure transport-level security for your Web service:
■ Section 3.1, "Configuring Transport-Level Security Through Policy"