Attaching Policies to Web Services 8-21 You can override the properties listed in Table 8–1 and Table 8–2 , and user-defined properties as described in Configuring User-Defined Client- or Server-Side Override Properties on page 8-25. For example, to override the keystore.sig.csf.key property in the oraclewss10_message_protection_service_policy policy, use the following command: wls:wls-domainserverConfigsetWebServicePolicyOverride wls_domainAdminServerJaxwsejb30ws,jaxwsejb, web,WsdlConcreteService,WsdlConcretePort, oraclewss10_message_protection_service_ policy,[keystore.sig.csf.key,sigkey] 3. For ADF and WebCenter applications, restart the Web service application. You do not need to restart a SOA composite. For more information about this WLST command and its arguments, see Web Services Custom WLST Commands in WebLogic Scripting Tool Command Reference. Attaching Client Policies Permitting Overrides The policy configuration override feature allows you to specify certain Web service client configuration information on a per-client basis, in addition to, or in lieu of setting it globally for any attachment of the policy. This targeting of configuration information limits the number of distinct policies you need to maintain. You can define a single policy, and specify a default value for a configuration value. Rather than creating multiple policies with slightly varied configurations, you could use the same generic policy and override specific values to meet your requirements. For example, the oraclewss_http_token_client_policy policy is one example of a policy that includes the csf-key property, which has a default value of basic.credentials. The value signifies a key that maps to a usernamepassword. It might happen that you will always use the same key value any time you attach this policy to any number of Web service clients. In this case, you can specify the key value on the oraclewss_http_token_client_policy policy Configurations page and have it apply to every instance. However, you also have the option to override this key value on a per-client basis. Notes: If the policy that you specify is not attached to the port, an error message is displayed andor an exception is thrown. If you set the properties argument to None, then all policy overrides are removed. Note: You need to wait approximately 30 seconds or the equivalent of the configured Graceful Shutdown Timeout time between stopping and restarting the application. During this time, the server is allowing all global transactions to complete before shutting down the application. If you do not wait the configured Graceful Shutdown Timeout time, then the application will not be restarted appropriately and you will not be able to access it. To avoid waiting the graceful shutdown timeout period, you can restart the application twice. 8-22 Oracle Fusion Middleware Security and Administrators Guide for Web Services In Web service client policies, you may be able to override one or more of the properties defined in Table 8–3 , depending on the policy that you attach. If you need to clear an overridden configuration property, set it to an empty string. Before you clear it, remember that other policies could be using the same property. The properties are client-specific and there could be multiple policies that are attached to the same client that use the same property. Table 8–3 Overridable Properties in Web Service Client Policies Property Notes attesting.mapping.attribute Optional, does not have to be set. caller.principal.name Clients principal name as generated using the ktpass command and mapped to the username for which the kerberos token should be generated. Use the following format: usernameREALM NAME. Note: keytab.location and caller.principal.name are required for propagating client identity for J2EE applications. csf-key Must be set on policy Configuration page or overridden. keystore.enc.csf.key Optional, does not have to be set. Note : The keystore.enc.csf.key property puts the clients certificate in the replyTo header. For WSS11 policies, keystore.enc.csf.key is used for asynchronous clients only. For WSS10 policies, keystore.enc.csf.key is used for both asynchronous and synchronous clients. keystore.recipient.alias Can be set on policy Configuration page or overridden. Superseded by the Service Identity Certification Extension feature, as described in Using Service Identity Certification Extension on page 10-37. If the certificate is published in the WSDL, then the client override property value is ignored. keystore.sig.csf.key Optional, does not have to be set. keytab.location Location of the clients keytab file. Note: keytab.location and caller.principal.name are required for propagating client identity for J2EE applications. on.behalf.of Optional, does not have to be set. Used only when sts_trust_ config_client_policy is attached to a client Web service. saml.assertion.filename Optional, does not have to be set. saml.audience.uri Optional, does not have to be set. saml.enveloped.signature.requ ired Optional, does not have to be set. Default value is true. saml.issuer.name Optional, does not have to be set. service.principal.name Must be set on policy Configuration page or overridden. Principal name for the Web service that needs to be protected, using the format hostmachine nameREALM NAME. For example, HTTPmymachineMYREALM.COM.