Click Add to add a policy retrieval property.

Advanced Administration 14-21

6. Click Apply to apply the property updates.

Defining Identity Extension Properties

The properties on the Identity Extension tab enable you to specify whether to enforce Web service policies by publishing the X509 certificate in the WSDL. If there is no need to publish the X509 certificate (for example, with SSL), you can override the default setting to avoid publishing the certificate. In addition, if the X509 certificate is published, you can also specify whether to ignore the hostname verification feature. For more information, see Using Service Identity Certification Extension on page 10-37.

Defining a Trusted Distinguished Name List for SAML Signing Certificates

The Trusted SAML clients and Trusted STS servers tabs enable you to define a list of trusted distinguished names (DNs) for SAML signing certificates. By default, Oracle WSM checks the incoming issuer name against the list of configured issuers, and checks the SAML signature against the configured certificates in the Oracle WSM keystore. If you define a trusted DNs list, Oracle WSM also verifies that the SAML signature is signed by the particular certificates that are associated with that issuer.

Configuration of the trusted DNs list is optional; it is available for users that require more fine-grained control to associate each issuer with a list of one or more signing certificates. If you do not define a list of DNs for a trusted issuer, then Oracle WSM allows signing by any certificate, as long as that certificate is trusted by the certificates present in the Oracle WSM keystore.

Important Notes:

■ Using the Trusted SAML clients and Trusted STS servers tabs, you define the DNs of the signing certificates, not the certificates themselves.
■ The certificate must be imported into the Oracle WSM keystore or included in the message. If the certificate is provided in the message, its issuer must be imported into the Oracle WSM keystore.
■ For two-way SSL:
  – The certificate needs to be imported into the Java EE container's trust store.
  – The DNs of the client SSL certificates are used for validation and need to be present in the trusted DNs list.
■ In all cases, the signing certificates must be trusted by the certificates present in the OWSM keystore.

To define a trusted DNs list for SAML signing certificates:

1. Configure the trusted SAML issuers, as described in Configuring SAML on page 10-43. Optionally, you can override the SAML issuer when attaching the policy. For more information, see Attaching Client Policies Permitting Overrides on page 8-21.

2. Access the Platform Policy Configuration page, as described in Configuring Platform Policy Properties on page 14-15.

14-22 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

3. Select the Trusted SAML clients or Trusted STS servers tab, depending on whether you want to define a trusted DNs list for trusted SAML clients or trusted STS servers.

4. Add one or more trusted issuers within the Trusted Issuers section of the page. Use the Add button to add a new trusted issuer. For example: www.oracle.com.

5. Select the trusted issuer for which you want to define a DN list in the Trusted Issuers section of the page.

6. Add one or more trusted DNs in the Trusted SAML clients or Trusted STS servers area of the page. Use a string that conforms to RFC 2253. For example: CN=abc. For more information about RFC 2253, see http://www.ietf.org/rfc/rfc2253.txt.

Setting Up the Java Object Cache

To protect against replay attacks, the wss_username_token_client_policy and wss_username_token_service_policy policies provide the option to require a nonce in the username token. A nonce is a unique number that can be used only once in a SOAP request and is used to prevent replay attacks. The nonce is cached to prevent its reuse. However, in a cluster environment you must take steps to synchronize this cache across the Managed Servers. Otherwise, a request sent to a Web service running on one server can be replayed and sent to another Managed Server, where it will be processed.

Oracle WSM uses an instance of Java Object Cache (JOC) to cache the nonce. You use the ORACLE_HOME/bin/configure-joc.py Python script to configure the JOC on all of the Managed Servers in distributed mode. The script runs in WLST online mode and expects the Administration Server to be up and running.

Running the configure-joc.py Script

To enable the JOC in distributed mode, perform the following steps:

1. Connect to the Administration Server using the command-line Oracle WebLogic Scripting Tool (WLST), for example:

   ORACLE_HOME/oracle_common/common/bin/wlst.sh
   connect()

   Enter the Oracle WebLogic Administration user name and password when prompted.

2. After connecting to the Administration Server using WLST, start the script using the execfile command, for example:

   wls:/mydomain/serverConfig> execfile('ORACLE_HOME/bin/configure-joc.py')

3. Configure JOC for all the Managed Servers for a given cluster.

   Enter y when the script prompts whether you want to specify a cluster name, and also specify the cluster name and discover port, when prompted. This discovers all the Managed Servers for the given cluster and configures the JOC for each.

Note: After configuring the Java Object Cache, restart all affected Managed Servers for the configurations to take effect.
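The following Python example is added here to illustrate two of the checks this page describes: the trusted-DN list for SAML signing certificates (Defining a Trusted Distinguished Name List for SAML Signing Certificates) and the username-token nonce cache that has to be shared across Managed Servers (Setting Up the Java Object Cache). It is not Oracle WSM, WLST or JOC code. The configuration dictionary TRUSTED_DNS, the KEYSTORE_TRUSTED list, the NonceCache class, the function names and every issuer, DN, nonce and server name are constructed assumptions; a single shared NonceCache object stands in for JOC running in distributed mode.

```python
"""Added illustration (not Oracle WSM or JOC code) of two checks this page
describes: the trusted-DN list for SAML signing certificates, and the
username-token nonce cache that must be shared across Managed Servers.
All issuer names, DNs, nonces and keystore contents are constructed."""
import re
import time

# --- Trusted DN list for SAML signing certificates --------------------------

# Hypothetical Trusted SAML clients configuration: issuer -> RFC 2253 DNs.
# An empty list means the issuer is trusted but has no DN restriction.
TRUSTED_DNS = {
    "www.oracle.com": ["CN=abc", "CN=saml-signer, O=Example Corp, C=US"],
    "idp.partner.example": [],
}

# Constructed stand-in for "trusted by the certificates in the OWSM keystore":
# subject DNs of certificates that were imported into the keystore.
KEYSTORE_TRUSTED = [
    "CN=abc",
    "CN=saml-signer,O=Example Corp,C=US",
    "CN=other-signer,O=Example Corp,C=US",
]


def normalize_dn(dn):
    """Canonical form of an RFC 2253 DN string for comparison: split on
    unescaped commas, lowercase attribute types, trim whitespace around
    '=' and ','. Values are lowercased too, which approximates X.500
    case-insensitive matching (OID and hex-encoded forms are not handled)."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        parts.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(parts)


def is_signer_trusted(issuer, signer_dn,
                      trusted_dns=TRUSTED_DNS, keystore=KEYSTORE_TRUSTED):
    """Decide whether a SAML assertion from `issuer`, signed by the
    certificate with subject `signer_dn`, passes the DN checks."""
    if issuer not in trusted_dns:
        return False                      # unknown issuer: rejected outright
    signer = normalize_dn(signer_dn)
    if signer not in {normalize_dn(d) for d in keystore}:
        return False                      # in all cases the signer must be keystore-trusted
    dn_list = trusted_dns[issuer]
    if not dn_list:
        return True                       # no DN list: any keystore-trusted certificate
    return signer in {normalize_dn(d) for d in dn_list}


# --- Username-token nonce cache across a cluster -----------------------------

class NonceCache:
    """Remembers nonces for `ttl` seconds; older ones are dropped because the
    token's own timestamp check would reject such a stale message anyway."""

    def __init__(self, ttl=300.0, clock=time.monotonic):
        self.ttl, self.clock, self._seen = ttl, clock, {}

    def check_and_store(self, nonce):
        """Return True and record the nonce if unseen; False on replay."""
        now = self.clock()
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now + self.ttl
        return True


def replay_across_servers(shared_cache):
    """Send one username-token request to Managed Server 1, then replay the
    identical message to Managed Server 2. Returns (first_accepted,
    replay_accepted). A shared cache stands in for JOC in distributed mode."""
    if shared_cache:
        joc = NonceCache()
        caches = {"ms1": joc, "ms2": joc}
    else:
        caches = {"ms1": NonceCache(), "ms2": NonceCache()}
    request = {"user": "alice", "nonce": "Qm9iY2F0MTIz"}   # constructed
    first = caches["ms1"].check_and_store(request["nonce"])
    replay = caches["ms2"].check_and_store(request["nonce"])
    return first, replay


if __name__ == "__main__":
    print(is_signer_trusted("www.oracle.com", "cn=ABC"))                             # True
    print(is_signer_trusted("www.oracle.com", "CN=other-signer,O=Example Corp,C=US"))  # False
    print(replay_across_servers(shared_cache=False))   # (True, True): replay processed
    print(replay_across_servers(shared_cache=True))    # (True, False): replay rejected
```

The second rejection in the DN part is the case the notes warn about: a certificate that is trusted by the keystore is still refused for an issuer whose DN list does not name it. The nonce part shows why the JOC must run in distributed mode: with a cache per Managed Server the replayed message is accepted on the second server, with one shared cache it is rejected.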