Configuring Transport-Level Security Through Policy: Main Steps

Securing WebLogic Web Services for Oracle WebLogic Server

Example 3–1 Specifying SSL in a Policy

    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpsToken/>
      </wsp:Policy>
    </sp:TransportToken>

If two-way SSL is required, also use the RequireClientCertificate assertion, as shown in Example 3–2.

Example 3–2 Two-Way SSL in a Policy

    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpsToken>
          <wsp:Policy>
            <sp:RequireClientCertificate/>
          </wsp:Policy>
        </sp:HttpsToken>
      </wsp:Policy>
    </sp:TransportToken>

The Wssp1.2-2007-Https-BasicAuth.xml policy file requires both a client certificate via SSL and HTTP BASIC Authentication, as shown in Example 3–3.

Example 3–3 SSL and HTTP Basic Authentication in a Policy

    <sp:TransportToken>
      <wsp:Policy>
        <sp:HttpsToken>
          <wsp:Policy>
            <sp:HttpBasicAuthentication/>
          </wsp:Policy>
        </sp:HttpsToken>
      </wsp:Policy>
    </sp:TransportToken>

3.1.1 Configuring Transport-Level Security Through Policy: Main Steps

To configure transport-level Web services security via one or more policy files:

1. Configure SSL for the core WebLogic Server security subsystem.

   You can configure one-way SSL, where WebLogic Server is required to present a certificate to the client application, or two-way SSL, where both the client applications and WebLogic Server present certificates to each other.

   To configure two-way or one-way SSL for the core WebLogic Server security subsystem, see Configuring SSL in Securing Oracle WebLogic Server.

2. Use Policy or Policies JWS annotations in your JWS file, or associate policy files only at runtime using the Administration Console, or specify some policy files using the annotations and then associate additional ones at runtime.

   See Table 2–5 for a description of the available transport-level policies.

3. If you added Policy or Policies JWS annotations in your JWS file, compile and redeploy your Web service as part of the normal iterative development process.

4. When you run the client application that invokes the Web service, specify certain properties to indicate the SSL implementation that your application should use. In particular:

   ■ To specify the Certicom SSL implementation, use the following properties:

         -Djava.protocol.handler.pkgs=weblogic.net
         -Dweblogic.security.SSL.trustedCAKeyStore=trustStore

     where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates, one of which should be the server's certificate.

     To disable host name verification, also specify the following property:

         -Dweblogic.security.SSL.ignoreHostnameVerification=true

   ■ To specify Sun's SSL implementation, use the following properties:

         -Djavax.net.ssl.trustStore=trustStore

     where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates, one of which should be the server's certificate.

     To disable host name verification, also specify the following property:

         -Dweblogic.wsee.client.ssl.stricthostchecking=false

   See Section 3.6, Configuring Two-Way SSL for a Client Application for details about two-way SSL.
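A check on client launch commands for the properties in step 4, given here as an added example (not Oracle's code): it flags the two settings that turn off host name verification, which leave the client accepting a trusted certificate issued for a different host, and reports when the truststore property this page pairs with the selected SSL implementation is absent. The sample commands and the names client.jar, demo.Client and trust.jks are constructed, and case-insensitive matching of the property values is an assumption.

```python
import shlex

# Property names and values are the ones listed in step 4 of this page.
DISABLES_HOSTNAME_CHECK = {
    "weblogic.security.SSL.ignoreHostnameVerification": "true",
    "weblogic.wsee.client.ssl.stricthostchecking": "false",
}
TRUSTSTORE_FOR = {
    "Certicom": "weblogic.security.SSL.trustedCAKeyStore",
    "Sun": "javax.net.ssl.trustStore",
}
TAKES_VALUE = {"-cp", "-classpath", "--class-path"}  # options followed by a separate value

def system_properties(command_line):
    """Collect the -Dname=value JVM options of a java command line."""
    props = {}
    args = iter(shlex.split(command_line)[1:])  # drop the java executable
    for arg in args:
        if arg in TAKES_VALUE:
            next(args, None)  # skip the class path itself
        elif arg == "-jar" or not arg.startswith("-"):
            break  # what follows are program arguments, not JVM options
        elif arg.startswith("-D"):
            name, _, value = arg[2:].partition("=")
            props[name] = value  # a repeated property keeps its last value
    return props

def audit(command_line):
    """Return findings for one launch command; values are matched case-insensitively (assumption)."""
    props = system_properties(command_line)
    findings = []
    for name, bad in DISABLES_HOSTNAME_CHECK.items():
        if props.get(name, "").lower() == bad:
            findings.append(f"host name verification disabled by -D{name}={props[name]}")
    impl = "Certicom" if "weblogic.net" in props.get("java.protocol.handler.pkgs", "").split("|") else "Sun"
    if not props.get(TRUSTSTORE_FOR[impl]):
        findings.append(f"{impl} SSL selected but -D{TRUSTSTORE_FOR[impl]} is not set")
    return findings

# Constructed launch commands; client.jar, demo.Client and trust.jks are placeholders.
SAMPLES = [
    "java -Djava.protocol.handler.pkgs=weblogic.net -Dweblogic.security.SSL.trustedCAKeyStore=trust.jks -cp client.jar demo.Client",
    "java -Djavax.net.ssl.trustStore=trust.jks -Dweblogic.wsee.client.ssl.stricthostchecking=false -jar client.jar",
    "java -Djava.protocol.handler.pkgs=weblogic.net -cp client.jar demo.Client -Dweblogic.security.SSL.ignoreHostnameVerification=true",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(audit(cmd) or "ok", "<-", cmd)
```

In the third sample the -D option follows the main class, so it is a program argument rather than a system property and is not reported as disabling verification.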

3.2 Example of Using JWS Annotations in Your JWS File