Upgrading Oracle Web Services Manager Policies and OC4J Security Environments 13-5
13.1.3 Upgrading Oracle WSM Custom Policies
In Oracle WSM 10g, you create, develop, and deploy custom policy steps using the procedures described in the Oracle Web Services Manager Extensibility Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation
In Oracle WSM 11g, you create, develop, and deploy custom policy assertions. You will need to redefine your custom policy steps as custom policy assertions using the procedures described in "Creating Custom Assertions" in Security and Administrator's Guide for Oracle Web Services.
13.2 Upgrading Oracle Containers for J2EE (OC4J) Security Environments
In OC4J 10g, you configure your security environment by modifying the contents of the XML-based deployment descriptor files. For complete details about securing OC4J environments, see Oracle Application Server Web Services Security Guide at:
http://www.oracle.com/technology/documentation
In Oracle WSM 11g, you attach policies to Web service endpoints. Each policy consists of one or more assertions, defined at the domain level, that define the security requirements. A set of predefined policies and assertions is provided out of the box. For more details about the predefined policies, see "Predefined Policy Reference" in Security and Administrator's Guide for Oracle Web Services.
Table 13–1 (Cont.) Upgrading Oracle WSM 10g Predefined Policies

Security requirement: Username token over SSL
Oracle WSM 10g:
1. Configure the application server for SSL.
2. Attach policy steps as follows:
   Client: Insert WSBASIC Credentials.
   Web service: Extract Credentials and File Authenticate.
Oracle WSM 11g:
1. Configure the application server for SSL.
2. Attach policies as follows:
   Client: oracle/wss_username_token_over_ssl_client_policy.
   Web service: oracle/wss_username_token_over_ssl_client_service_policy.
3. Disable the Include Timestamp configuration setting.

Security requirement: ID propagation with SAML token sender vouches over SSL (WS-Security 1.0)
Oracle WSM 10g:
1. Configure the application server for SSL.
2. Attach policy steps as follows:
   Client: SAML—Insert WSS 1.0 Sender-Vouches Token.
   Web service: SAML—Verify WSS 1.0 Token.
Oracle WSM 11g:
1. Configure the application server for SSL.
2. Attach policies as follows:
   Client: oracle/wss_saml_token_over_ssl_client_policy.
   Web service: oracle/wss_saml_token_over_ssl_client_service_policy.
3. Disable the Include Timestamp configuration setting.

Security requirement: Log information
Oracle WSM 10g: Attach the following policy step to the client or Web service: Log
Oracle WSM 11g: Attach the following policy to the client or Web service: oracle/log_policy

13-6 Oracle Fusion Middleware Upgrade Guide for Oracle SOA Suite, WebCenter, and ADF
The following sections describe the most common OC4J upgrade scenarios based on the following security requirements: authentication, message protection, transport, and logging. A comparison of the steps required to implement each security requirement in both the OC4J 10g and Oracle WSM 11g environments is provided.
■ Section 13.2.1, Before You Upgrade
■ Section 13.2.2, Anonymous Authentication with Message Protection (WS-Security 1.0)
■ Section 13.2.3, Anonymous Authentication with Message Integrity (WS-Security 1.0)
■ Section 13.2.4, Anonymous Authentication with Message Confidentiality (WS-Security 1.0)
■ Section 13.2.5, Username Token with Message Protection (WS-Security 1.0)
■ Section 13.2.6, ID Propagation Using SAML Token Sender Vouches with Message Protection (WS-Security 1.0)
■ Section 13.2.7, ID Propagation Using SAML Token Holder of Key with Message Protection (WS-Security 1.0)
■ Section 13.2.8, Mutual Authentication with Message Protection (WS-Security 1.0)
■ Section 13.2.9, Username Token over SSL
■ Section 13.2.10, ID Propagation with SAML Token Sender Vouches over SSL (WS-Security 1.0)
■ Section 13.2.11, Log Information
The next section describes the prerequisites required before you upgrade.
13.2.1 Before You Upgrade
Before you upgrade the OC4J security environment, you must perform the following tasks:
■ Install Oracle WSM 11g. For more information, see the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
■ Review "Task 6: Upgrade the Application Web Services" in the Oracle Fusion Middleware Upgrade Guide for Java EE. This section provides general information about upgrading OC4J Web services to Oracle WebLogic Server.
13.2.2 Anonymous Authentication with Message Protection (WS-Security 1.0)
The following sections describe how to implement authentication with message protection that conforms to the WS-Security 1.0 standard, and compare the steps
required for the OC4J 10g and Oracle WSM 11g environments.
13.2.2.1 OC4J 10g
Edit the deployment descriptors for the Web service and client, as described in the following sections.
Note: For information about configuring and attaching policies in Oracle Fusion Middleware 11g, see Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation
Web Service Client (with sample data)
Define the signature and encrypt elements in the client deployment descriptor. For example:
<signature>
  <signature-method>RSA-SHA1</signature-method>
  <tbs-elements>
    <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
  </tbs-elements>
  <add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
  <recipient-key alias="orakey"/>
  <encryption-method>AES-128</encryption-method>
  <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
  <tbe-elements>
    <tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/" mode="CONTENT"/>
  </tbe-elements>
</encrypt>
Web Service (with sample data)
Define the verify-signature and decrypt elements in the service deployment descriptor. For example:
<verify-signature>
  <tbs-elements>
    <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body"/>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
  </tbs-elements>
  <verify-timestamp expiry="28800" created="true"/>
</verify-signature>
<decrypt>
  <tbe-elements>
    <tbe-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body" mode="CONTENT"/>
  </tbe-elements>
</decrypt>
13.2.2.2 Oracle WSM 11g
Perform the following steps:
1. Attach policies as follows:
   Client: oracle/wss10_message_protection_client_policy.
   Web service: oracle/wss10_message_protection_service_policy.
   For more information about attaching policies in Oracle Fusion Middleware 11g, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
2. Leave the configuration set for message body signing and encryption.
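As an added example (not from the Oracle guide), the following Python script parses an OC4J 10g client descriptor fragment like the one in the previous section, reports which parts of the message are signed and encrypted and whether the signed set includes the Timestamp, and returns the Oracle WSM 11g policy pair this section maps it to; the wrapping <security> root element and the sample fragment are constructed here for the example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# Constructed sample: the OC4J 10g client fragment wrapped in a <security> root.
SAMPLE = f"""<security>
<signature>
 <signature-method>RSA-SHA1</signature-method>
 <tbs-elements>
  <tbs-element local-part="Body" name-space="{SOAP_ENV}"/>
  <tbs-element local-part="Timestamp" name-space="{WSU}"/>
 </tbs-elements>
 <add-timestamp created="true" expiry="28800"/>
</signature>
<encrypt>
 <recipient-key alias="orakey"/>
 <encryption-method>AES-128</encryption-method>
 <keytransport-method>RSA-OAEP-MGF1P</keytransport-method>
 <tbe-elements>
  <tbe-element local-part="Body" name-space="{SOAP_ENV}" mode="CONTENT"/>
 </tbe-elements>
</encrypt>
</security>"""

def covered(parent, path):
    # Set of (namespace, local-part) pairs listed under parent; empty if absent.
    if parent is None:
        return set()
    return {(e.get("name-space"), e.get("local-part")) for e in parent.findall(path)}

def analyze(descriptor_xml):
    root = ET.fromstring(descriptor_xml)
    sig, enc = root.find("signature"), root.find("encrypt")
    signed = covered(sig, "tbs-elements/tbs-element")
    encrypted = covered(enc, "tbe-elements/tbe-element")
    ts = sig.find("add-timestamp") if sig is not None else None
    f = {
        "body_signed": (SOAP_ENV, "Body") in signed,
        "timestamp_signed": (WSU, "Timestamp") in signed,   # replay window is signed
        "expiry_seconds": int(ts.get("expiry", 0)) if ts is not None else None,
        "body_encrypted": (SOAP_ENV, "Body") in encrypted,
    }
    # Only the mapping this section documents: body signed AND encrypted
    # becomes the wss10 message protection client/service policy pair.
    f["wsm11g_policies"] = (
        ("oracle/wss10_message_protection_client_policy",
         "oracle/wss10_message_protection_service_policy")
        if f["body_signed"] and f["body_encrypted"] else None)
    return f
```

A descriptor with only a signature element (integrity without confidentiality) is reported but left unmapped, since the policy for that case is documented in a later section.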
13.2.3 Anonymous Authentication with Message Integrity (WS-Security 1.0)
The following sections describe how to implement authentication with message integrity that conforms to the WS-Security 1.0 standard, and compare the steps
required for the OC4J 10g and Oracle WSM 11g environments.
13.2.3.1 OC4J 10g
Edit the deployment descriptors for the Web service and client, as described in the following sections.
For more information about the deployment descriptor elements, see "OracleAS Web Services Security Schema" in Oracle Application Server Web Services Security Guide in the Oracle Application Server 10g Release 3 (10.1.3.1.0) documentation library at:
http://www.oracle.com/technology/documentation
Web Service Client (with sample data)
Define the signature element in the client deployment descriptor. For example:
<signature>
  <signature-method>RSA-SHA1</signature-method>
  <tbs-elements>
    <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
  </tbs-elements>
  <add-timestamp created="true" expiry="28800"/>
</signature>
Web Service (with sample data)
Define the verify-signature element in the service deployment descriptor. For example:
<verify-signature>
  <tbs-elements>
    <tbs-element name-space="http://schemas.xmlsoap.org/soap/envelope/" local-part="Body"/>
    <tbs-element name-space="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" local-part="Timestamp"/>
  </tbs-elements>
  <verify-timestamp expiry="28800" created="true"/>
</verify-signature>