Configuring Message-Level Security 2-119 wssp:Target wssp:SupportedTokens wssp:SecurityToken IncludeInMessage=true TokenType=http:schemas.xmlsoap.orgws200502scdk DerivedFromTokenType=http:schemas.xmlsoap.orgws200502scsct wssp:Claims wssp:LabelWS-SecureConversationWS-SecureConversationwssp:Label wssp:Length16wssp:Length wssp:Claims wssp:SecurityToken wssp:SupportedTokens wssp:Integrity wssp:Confidentiality SupportTrust10=true wssp:Target wssp:EncryptionAlgorithm URI=http:www.w3.org200104xmlencaes128-cbc wssp:MessageParts Dialect=http:schemas.xmlsoap.org200212wssepart wsp:Bodywssp:MessageParts wssp:Target wssp:KeyInfo wssp:SecurityToken IncludeInMessage=true TokenType=http:schemas.xmlsoap.orgws200502scdk DerivedFromTokenType=http:schemas.xmlsoap.orgws200502scsct wssp:Claims wssp:LabelWS-SecureConversationWS-SecureConversationwssp:Label wssp:Length16wssp:Length wssp:Claims wssp:SecurityToken wssp:KeyInfo wssp:Confidentiality wssp:MessageAge wsp:Policy

2.25.6 Wssc-sct.xml

Specifies that the client and Web service share a security context, as described by the WS-SecureConversation specification. In this case, security context tokens are used to encrypt and sign the SOAP messages, which differs from Wssc-dk.xml Section 2.25.5, Wssc-dk.xml in which derived key tokens are used. The Wssc-sct.xml policy file is provided to support all the use cases of the specification; for utmost security, however, Oracle recommends you always use Wssc-dk.xml Section 2.25.5, Wssc-dk.xml when specifying shared security contexts due to its higher level of security. This security policy file provides the following configuration: ■ A security context token is used to sign all system SOAP headers, the timestamp security SOAP header, and the SOAP body. ■ A security context token is used to encrypt the body of the SOAP message. ■ The lifetime of the security context is 12 hours. If you need to change the default security context and derived key behavior, you will have to create a custom security policy file, described in later sections. Note: If you specify this predefined security policy file, you should not also specify any other predefined security policy file. 2-120 Securing WebLogic Web Services for Oracle WebLogic Server Example 2–37 Wssc-sct.xml ?xml version=1.0? wsp:Policy xmlns:wsp=http:schemas.xmlsoap.orgws200409policy xmlns:wssp=http:www.bea.comwls90securitypolicy xmlns:wsu=http:docs.oasis-open.orgwss200401oasis-200401-wss-wssecurity-util ity-1.0.xsd xmlns:wls=http:www.bea.comwls90securitypolicywseepart wssp:Integrity SupportTrust10=true wssp:SignatureAlgorithm URI=http:www.w3.org200009xmldsighmac-sha1 wssp:CanonicalizationAlgorithm URI=http:www.w3.org200110xml-exc-c14n wssp:Target wssp:DigestAlgorithm URI=http:www.w3.org200009xmldsigsha1 wssp:MessageParts Dialect=http:www.bea.comwls90securitypolicywseepart wls:SystemHeaders wssp:MessageParts wssp:Target wssp:Target wssp:DigestAlgorithm URI=http:www.w3.org200009xmldsigsha1 wssp:MessageParts Dialect=http:www.bea.comwls90securitypolicywseepart wls:SecurityHeaderwsu:Timestamp wssp:MessageParts wssp:Target wssp:Target wssp:DigestAlgorithm URI=http:www.w3.org200009xmldsigsha1 wssp:MessageParts Dialect=http:schemas.xmlsoap.org200212wssepart wsp:Body wssp:MessageParts wssp:Target wssp:SupportedTokens wssp:SecurityToken IncludeInMessage=true TokenType=http:schemas.xmlsoap.orgws200502scsct wssp:SecurityToken wssp:SupportedTokens wssp:Integrity wssp:Confidentiality SupportTrust10=true wssp:Target wssp:EncryptionAlgorithm URI=http:www.w3.org200104xmlencaes128-cbc wssp:MessageParts Dialect=http:schemas.xmlsoap.org200212wssepart wsp:Bodywssp:MessageParts wssp:Target wssp:KeyInfo wssp:SecurityToken IncludeInMessage=true TokenType=http:schemas.xmlsoap.orgws200502scsct wssp:SecurityToken wssp:KeyInfo wssp:Confidentiality wssp:MessageAge wsp:Policy 3 Configuring Transport-Level Security 3-1 3 Configuring Transport-Level Security Transport-level security refers to securing the connection between a client application and a Web service with Secure Sockets Layer SSL or HTTP Basic authentication, either alone or in combination. SSL provides secure connections by allowing two applications connecting over a network to authenticate the others identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. A client certificate two-way SSL can be used to authenticate the user. See Secure Sockets Layer SSL in Understanding Security for Oracle WebLogic Server for general information about SSL and the implementations included in WebLogic Server. The following sections describe how to configure transport-level security for your Web service: ■ Section 3.1, Configuring Transport-Level Security Through Policy