WS-SecureConversation Policies Using WS-SecurityPolicy 1.2 Policy Files

2-76 Securing WebLogic Web Services for Oracle WebLogic Server

Table 2–8 (Cont.) WS-Security 1.1 Username and X509 Token Policies

Policy File / Description

Wssp1.2-Wss1.1-X509-Basic256.xml
    This policy is similar to policy Wssp1.2-Wss1.0-X509-Basic256.xml except that it uses additional WS-Security 1.1 features, including Signature Confirmation and Thumbprint key reference.

Wssp1.2-Wss1.1-EncryptedKey.xml
    This is a symmetric binding policy that uses the WS-Security 1.1 Encrypted Key feature for both signature and encryption. It also uses WS-Security 1.1 features, including Signature Confirmation and Thumbprint key reference.

Wssp1.2-Wss1.1-UsernameToken-DK.xml
    WSS 1.1 X509 with derived key symmetric binding and authentication with a plain-text Username Token.

Wssp1.2-Wss1.1-EncryptedKey-X509-SignedEndorsing.xml
    This policy has all of the features defined in policy Wssp1.2-Wss1.1-EncryptedKey.xml, and in addition it uses the sender's key to endorse the message signature. The endorsing key is also signed with the message signature.

Wssp1.2-Wss1.1-DK.xml
    This policy has all of the features defined in policy Wssp1.2-Wss1.1-EncryptedKey.xml, except that instead of using an encrypted key, the request is signed using DerivedKeyToken1 and then encrypted using DerivedKeyToken2. The response is signed using DerivedKeyToken3 and encrypted using DerivedKeyToken4.

Wssp1.2-Wss1.1-DK-X509-Endorsing.xml
    This policy has all of the features defined in policy Wssp1.2-Wss1.1-DK.xml, and in addition it uses the sender's key to endorse the message signature.

Wssp1.2-Wss1.1-X509-EncryptRequest-SignResponse.xml
    This policy is similar to policy Wssp1.2-Wss1.0-X509-EncryptRequest-SignResponse.xml, except that it uses additional WSS 1.1 features, including Signature Confirmation and Thumbprint key reference.

Wssp1.2-Wss1.1-X509-SignRequest-EncryptResponse.xml
    This policy is the reverse of policy Wssp1.2-Wss1.1-X509-EncryptRequest-SignResponse.xml: the request is signed and the response is encrypted.

Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml
    This policy endorses with the sender's X509 certificate, and the message signature is protected. It requires the use of the Basic128 algorithm suite (AES128 for encryption) instead of the Basic256 algorithm suite (AES256).

2.16.5 WS-SecureConversation Policies

The policies in Table 2–9 implement WS-SecureConversation 1.3 and WS-SecureConversation 20052. If you specify a WS-SecureConversation policy for your Web service, it must be at the class level.

Table 2–9 WS-SecureConversation Policies

Policy File / Description

Wssp1.2-2007-Wssc1.3-Bootstrap-Https-BasicAuth.xml
    One-way SSL with Basic Authentication. A Timestamp is included. The algorithm suite is Basic256. The signature is encrypted.

Wssp1.2-2007-Wssc1.3-Bootstrap-Https-ClientCertReq.xml
    Two-way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication.

Wssp1.2-2007-Wssc1.3-Bootstrap-Https-UNT.xml
    SSL with Username Token authentication.

Wssp1.2-2007-Wssc1.3-Bootstrap-Https.xml
    The WS-SecureConversation handshake (the RequestSecurityToken and RequestSecurityTokenResponseCollection messages) occurs over the HTTPS transport. The application messages are signed and encrypted with DerivedKeys. The signature is also encrypted.

Wssp1.2-2007-Wssc1.3-Bootstrap-Wss1.0.xml
    The WS-SecureConversation handshake is protected by WS-Security 1.0. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages is both signed and encrypted. The WS-Addressing headers are signed. A Timestamp is included and signed. The signature is encrypted. The algorithm suite is Basic256.

Wssp1.2-2007-Wssc1.3-Bootstrap-Wss1.1.xml
    The WS-SecureConversation handshake is protected by WS-Security 1.1. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages is both signed and encrypted. The WS-Addressing headers are signed. Signature and encryption use derived keys from an encrypted key.

Wssp1.2-Wssc1.3-Bootstrap-Https-BasicAuth.xml
    One-way SSL with Basic Authentication. A Timestamp is included. The algorithm suite is Basic256. The signature is encrypted.

Wssp1.2-Wssc1.3-Bootstrap-Https-ClientCertReq.xml
    Two-way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication.

Wssp1.2-Wssc1.3-Bootstrap-Https.xml
    The WS-SecureConversation handshake (the RequestSecurityToken and RequestSecurityTokenResponseCollection messages) occurs over the HTTPS transport. The application messages are signed and encrypted with DerivedKeys. The signature is also encrypted.

Wssp1.2-Wssc1.3-Bootstrap-Wss1.0.xml
    The WS-SecureConversation handshake is protected by WS-Security 1.0. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages is both signed and encrypted. The WS-Addressing headers are signed. A Timestamp is included and signed. The signature is encrypted. The algorithm suite is Basic256.

Wssp1.2-Wssc1.3-Bootstrap-Wss1.1.xml
    The WS-SecureConversation handshake is protected by WS-Security 1.1. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages is both signed and encrypted. The WS-Addressing headers are signed. Signature and encryption use derived keys from an encrypted key.

Wssp1.2-Wssc200502-Bootstrap-Https.xml
    The WS-SecureConversation handshake (the RequestSecurityToken and RequestSecurityTokenResponse messages) occurs over the HTTPS transport. The application messages are signed and encrypted with DerivedKeys.
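The DK policies above sign and encrypt each direction with a distinct DerivedKeyToken (DerivedKeyToken1 through DerivedKeyToken4) derived from one shared secret. The following is an added illustration of that derivation as WS-SecureConversation 1.3 defines it (P_SHA1 over label + nonce, then an offset/length window), not code from WebLogic or this documentation; the secret, nonces and label default are constructed or assumed here, and whether WebLogic uses exactly these parameters is not stated on this page.

```python
import hashlib
import hmac

# Default label from WS-SecureConversation 1.3 (client and server label
# concatenated). Assumed here; a deployment may configure another label.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1 pseudo-random function used by WS-SecureConversation.

    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
    P_SHA1 = HMAC_SHA1(secret, A(1) + seed) || HMAC_SHA1(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(secret: bytes, nonce: bytes, offset: int = 0, length: int = 32,
               label: bytes = DEFAULT_LABEL) -> bytes:
    """Key material for one wsc:DerivedKeyToken: bytes [offset, offset+length)
    of P_SHA1(secret, label + nonce). length=16 suits Basic128 (AES128),
    length=32 suits Basic256 (AES256)."""
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length must be > 0")
    return p_sha1(secret, label + nonce, offset + length)[offset:]


def four_message_keys(secret: bytes, nonces: list, length: int = 32) -> list:
    """DerivedKeyToken1..4: request signature, request encryption,
    response signature, response encryption, each from its own nonce."""
    if len(nonces) != 4:
        raise ValueError("one nonce per DerivedKeyToken is required")
    return [derive_key(secret, n, 0, length) for n in nonces]


if __name__ == "__main__":
    # Constructed session secret and nonces; not values from any real exchange.
    secret = bytes(range(32))
    nonces = [b"nonce-req-sig", b"nonce-req-enc", b"nonce-rsp-sig", b"nonce-rsp-enc"]
    for i, key in enumerate(four_message_keys(secret, nonces), start=1):
        print(f"DerivedKeyToken{i}: {key.hex()}")
```

Because the P_SHA1 output is a deterministic stream, a token with a non-zero offset is simply a later window of the same stream for the same nonce, so distinct nonces (or non-overlapping offsets) are what keep the four keys independent.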

2.16.6 SAML Token Profile Policies