2-76 Securing WebLogic Web Services for Oracle WebLogic Server
Table 2–8 Cont. WS-Security 1.1 Username and X509 Token Policies
Policy File / Description

Wssp1.2-Wss1.1-X509-Basic256.xml
This policy is similar to policy Wssp1.2-Wss1.0-X509-Basic256.xml, except that it uses additional WS-Security 1.1 features, including Signature Confirmation and Thumbprint key reference.

Wssp1.2-Wss1.1-EncryptedKey.xml
This is a symmetric binding policy that uses the WS-Security 1.1 Encrypted Key feature for both signature and encryption. It also uses WS-Security 1.1 features, including Signature Confirmation and Thumbprint key reference.

Wssp1.2-Wss1.1-UsernameToken-DK.xml
WSS 1.1 X509 with derived key symmetric binding and authentication with plain-text Username Token.

Wssp1.2-Wss1.1-EncryptedKey-X509-SignedEndorsing.xml
This policy has all of the features defined in policy Wssp1.2-Wss1.1-EncryptedKey.xml, and in addition it uses the sender's key to endorse the message signature. The endorsing key is also signed with the message signature.

Wssp1.2-Wss1.1-DK.xml
This policy has all of the features defined in policy Wssp1.2-Wss1.1-EncryptedKey.xml, except that instead of using an encrypted key, the request is signed using DerivedKeyToken1, then encrypted using DerivedKeyToken2. The response is signed using DerivedKeyToken3 and encrypted using DerivedKeyToken4.

Wssp1.2-Wss1.1-DK-X509-Endorsing.xml
This policy has all of the features defined in policy Wssp1.2-Wss1.1-DK.xml, and in addition it uses the sender's key to endorse the message signature.

Wssp1.2-Wss1.1-X509-EncryptRequest-SignResponse.xml
This policy is similar to policy Wssp1.2-Wss1.0-X509-EncryptRequest-SignResponse.xml, except that it uses additional WSS 1.1 features, including Signature Confirmation and Thumbprint key reference.

Wssp1.2-Wss1.1-X509-SignRequest-EncryptResponse.xml
This policy is the reverse of policy Wssp1.2-Wss1.1-X509-EncryptRequest-SignResponse.xml: the request is signed and the response is encrypted.

Wssp1.2-wss11_x509_token_with_message_protection_owsm_policy.xml
This policy endorses with the sender's X509 certificate, and the message signature is protected. It requires the use of the Basic128 algorithm suite (AES128 for encryption) instead of the Basic256 algorithm suite (AES256).

2.16.5 WS-SecureConversation Policies
The policies in Table 2–9 implement WS-SecureConversation 1.3 and WS-SecureConversation 2005/2.
If you specify a WS-SecureConversation policy for your Web service, it must be at the class level.

Table 2–9 WS-SecureConversation Policies
Policy File / Description

Wssp1.2-2007-Wssc1.3-Bootstrap-Https-BasicAuth.xml
One-way SSL with Basic Authentication. Timestamp is included. The algorithm suite is Basic256. The signature is encrypted.

Wssp1.2-2007-Wssc1.3-Bootstrap-Https-ClientCertReq.xml
Two-way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication.

Wssp1.2-2007-Wssc1.3-Bootstrap-Https-UNT.xml
SSL Username token authentication.
Configuring Message-Level Security 2-77
Table 2–9 Cont. WS-SecureConversation Policies
Policy File / Description

Wssp1.2-2007-Wssc1.3-Bootstrap-Https.xml
The WS-SecureConversation handshake (RequestSecurityToken and RequestSecurityTokenResponseCollection messages) occurs in https transport. The application messages are signed and encrypted with DerivedKeys. The signature is also encrypted.

Wssp1.2-2007-Wssc1.3-Bootstrap-Wss1.0.xml
The WS-SecureConversation handshake is protected by WS-Security 1.0. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages are both signed and encrypted. The WS-Addressing headers are signed. Timestamp is included and signed. The signature is encrypted. The algorithm suite is Basic256.

Wssp1.2-2007-Wssc1.3-Bootstrap-Wss1.1.xml
The WS-SecureConversation handshake is protected by WS-Security 1.1. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages are both signed and encrypted. The WS-Addressing headers are signed. Signature and encryption use derived keys from an encrypted key.

Wssp1.2-Wssc1.3-Bootstrap-Https-BasicAuth.xml
One-way SSL with Basic Authentication. Timestamp is included. The algorithm suite is Basic256. The signature is encrypted.

Wssp1.2-Wssc1.3-Bootstrap-Https-ClientCertReq.xml
Two-way SSL. The recipient checks for the initiator's public certificate. Note that the client certificate can be used for authentication.

Wssp1.2-Wssc1.3-Bootstrap-Https.xml
The WS-SecureConversation handshake (RequestSecurityToken and RequestSecurityTokenResponseCollection messages) occurs in https transport. The application messages are signed and encrypted with DerivedKeys. The signature is also encrypted.

Wssp1.2-Wssc1.3-Bootstrap-Wss1.0.xml
The WS-SecureConversation handshake is protected by WS-Security 1.0. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages are both signed and encrypted. The WS-Addressing headers are signed. Timestamp is included and signed. The signature is encrypted. The algorithm suite is Basic256.

Wssp1.2-Wssc1.3-Bootstrap-Wss1.1.xml
The WS-SecureConversation handshake is protected by WS-Security 1.1. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponseCollection messages are both signed and encrypted. The WS-Addressing headers are signed. Signature and encryption use derived keys from an encrypted key.

Wssp1.2-Wssc200502-Bootstrap-Https.xml
The WS-SecureConversation handshake (RequestSecurityToken and RequestSecurityTokenResponse messages) occurs in https transport. The application messages are signed and encrypted with DerivedKeys.
2.16.6 SAML Token Profile Policies