In the Navigator pane, expand WebLogic Domain. From the WebLogic Domain menu select Security Audit Policy.
4. Select the tab corresponding to the component for which you want to define
properties: ■ Configuring a Web Service on a Remote Policy Manager and Tuning the Policy Cache on page 14-16 ■ Configuring Web Service Policy Retrieval on page 14-18 ■ Tuning Web Service Security Policy Enforcement on page 14-20 ■ Defining Identity Extension Properties on page 14-21 ■ Defining a Trusted Distinguished Name List for SAML Signing Certificates on page 14-21 Configuring a Web Service on a Remote Policy Manager and Tuning the Policy Cache By default, the Oracle Web Services Manager WSM supports an auto-discovery feature that it uses to locate and connect to an Oracle WSM Policy Manager within the same WebLogic domain. In certain scenarios auto-discovery may not work as expected. Note: When the Oracle WSM Policy Manager is deployed on a server that is configured to use SSL, the auto-discovery mechanism will only attempt to connect to Policy Managers on other SSL-configured servers. To ensure that the secure connection is maintained, Policy Managers deployed on servers that are not configured for SSL are ignored. Advanced Administration 14-17 You may want to disable the auto-discovery feature, for example, in the following scenarios: ■ Your domain is split into two or more networks, especially if a firewall exists between them. ■ You want to access an Oracle WSM Policy Manager that is running in a different domain without additional WebLogic security configuration. ■ You are running on a non-WebLogic application server that does not support the auto-discovery feature, such as WebSphere Application Server and JBOSS. ■ You prefer to override the default settings. For Oracle Infrastructure Web service policies, on the Platform Policy Configuration page: ■ The Policy Accessor tab enables you to explicitly set a remote JNDI provider URL and corresponding csf-key credentials to access a Policy Manager in a remote domain or on another platform. ■ The Policy Cache tab allows you to tune the behavior of the policy cache delay for Web service endpoints, which can help to avoid network calls and increase performance when fetching policies from a remote Oracle WSM Policy Manager. To configure a Web service on a remote Oracle WSM Policy Manager and tune the policy cache: 1. To access an Oracle WSM Policy Manager that is in a different domain—for example, if the Oracle WSM Policy Manager is in a domain that is different from the Web service client—enable cross-domain security between WebLogic Server domains, as described in Enabling Cross Domain Security Between WebLogic Server Domains in Securing Oracle WebLogic Server. Cross domain security establishes trust between two WebLogic domain pairs by using a credential mapper to configure communication between these WebLogic domains. 2. Access the Platform Policy Configuration page, as described in Configuring Platform Policy Properties on page 14-15.3. Select the Policy Accessor tab.
4. Click Add to define a remote JNDI provider.
In the Add Property window, specify the following values: a. In the Name field, enter the JNDI provider URL property as java.naming.provider.url. b. In the Value field, enter the JNDI provider’s URL for the remote domain. This specifies the location of a running Policy Manager in a different domain in order to access that Policy Manager. If this property is not specified, the auto-discovery feature attempts to look up the Policy Manager in the same domain.c. Click OK.
5. Click Add to define a corresponding csf-key credential property. In the Add
Property window, specify the following values: a. In the Name field, enter the name of the JNDI provider’s csf-key credential property as jndi.lookup.csf.key. b. In the Value field, enter the csf-key credentials.Parts
» Oracle Fusion Middleware Online Documentation Library
» Click Login. Oracle Fusion Middleware Online Documentation Library
» Description of Functionality Click Log In.
» A deployment plan is an XML file that you use to configure an application for
» Click Next. Oracle Fusion Middleware Online Documentation Library
» When the operation completes, click Close.
» Using Fusion Middleware Control, click Application Deployment, then click Web
» Connect to the running instance of WebLogic Server to which the application is
» Select soa-infra, expand the SOA partition for example, the default partition and
» Select the Dashboard tab if it is not already selected.
» Click Callback Client in the upper right portion of the endpoint page.
» Navigate to the Web Service Endpoint page, or the Service Home page for SOA
» Click the Configuration tab. For SOA composites, click the Properties tab.
» For ADF and WebCenter applications, restart the Web service application. You do
» In the Metadata Exchange Enabled field, select True from the menu to enable the
» In the Schema validation field, select True from the menu to enable schema
» In the Atomic Transaction Flow Option field, select whether the transaction Click Apply.
» Set the Maximum Request Size and the Unit of Maximum Request Size and click
» In the Web Service Details section of the page, click on the plus + for the Web
» Click the name of the endpoint of the asynchronous Web service to navigate to the
» From the Web Service Endpoint page, click the Configuration tab. Click Apply.
» Click Apply. Oracle Fusion Middleware Online Documentation Library
» Click the Configuration tab.
» When you are done viewing the policy, click Return to Web Services Policies.
» From the Category menu, select the category to which this policy will belong and
» Set the Local Optimization control. See
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Click Validate to verify that the policy does not contain errors. For more
» From the Web Services Policies page, click Import From File.
» In the Create Policy From File box, enter the file path of the file in the Select Policy
» Click OK. Oracle Fusion Middleware Online Documentation Library
» Click the Search Assertion Templates icon next to the Name field. Click Create Like.
» Click Edit. Oracle Fusion Middleware Online Documentation Library
» Select the assertion template to be edited as described in Click the Configurations tab.
» Select the property from the list and click Edit.
» Enter the values for your configuration and click OK.
» In the Assertions section, click Add.
» To configure the assertion, click the Settings tab and edit the settings as required.
» To edit the configuration properties, click the Configurations tab.
» Select the property to be edited and click Edit.
» Edit the Configuration properties and click OK.
» When you are done, click Save to save the policy.
» In the Assertion List section, click Add OR Group. Click OK.
» To delete an assertion from the OR group, select the assertion and click Delete. To
» In the Assertions section of the page, select the assertion to be configured in the
» Click the Settings or Configurations tab.
» Edit the Settings and Configuration properties, and click Save.
» Select Save File. Oracle Fusion Middleware Online Documentation Library
» Navigate to the Web Services Assertions Templates page, as described in
» Click Browse to navigate to the directory where the assertion template file is
» Click Delete. Oracle Fusion Middleware Online Documentation Library
» The policies appear in order in the Policy Version History table with the active
» In the Policy History table, select a policy and click Restore or click Activate
» Select a generated policy from the table and click Edit.
» Click Validate to validate your changes.
» Click Save to save the changes to your policy.
» From the Web Service Endpoint page, click the OWSM Policies tab.
» Select the policy you want to enable or disable.
» Select Enable or Disable to enable or disable the policy, respectively, and confirm
» Select a policy from the Policies table and click Edit. Click Save.
» In cases where multiple domains share the same Oracle WSM Repository to store
» Click the OWSM Policies tab.
» Navigate to the home page for the Web service, as described in
» Click the name of a endpoint to navigate to the Web Service Endpoints page for a
» Click AttachDetach. Oracle Fusion Middleware Online Documentation Library
» Select a policy from the Available Policies list, and click Attach. See
» Using Fusion Middleware Control, click WebLogic Server and then Web Services.
» From the Web Services Summary page, click Attach Policies.
» Click Back to make any changes, or click Attach to complete the bulk attachment.
» Click the Policies tab. Click AttachDetach.
» Click Validate. Oracle Fusion Middleware Online Documentation Library
» View the SOA reference, as described in
» In the Directly Attached Policies section of the page, click AttachDetach.
» From the Available Policies section of the page, select one or more policies that
» Click Attach when you are sure that you want to attach the policy or policies.
» From the Application Deployment menu, select ADF, and then Configure ADF
» On the ADF Connections Configuration page, select a row in the Web Service
» On the Web Service Client page, select the OWSM Policies tab.
» On the Available Policies section of the page, select one or more policies that you
» On the Available Policies portion of the page, select one or more policies that you
» Select the configuration property and click Edit to make the change to the action Click Save.
» Select Override Policy Configuration.
» Enter the override value in the Value field for the property and click Apply.
» Attach the policy to the service as described in
» Use the setWebServicePolicyOverride command to override policy
» For ADF DC and WebCenter client applications, restart the Web service client
» From the WebLogic Domain menu, select Web Services then Policy Sets.
» From the Policy Set Summary page, click Create.
» In the Enter Resource Scope page, enter at least one pattern string that defines the
» In the Add Policy References page, select a policy from the Available Policies list,
» Continue selecting and attaching policies. When you are finished, click Validate to
» Click Next to view the Policy Set Summary Page.
» Select or clear the Enabled check box to enable or disable the policy set.
» In the Enter Resource Scope page, modify the scope as desired and click Next.
» In the Add Policy References page, modify the policy attachments as desired.
» Navigate to the Policy Set Summary page as described in
» In the Policy Set Summary page, select the policy set that you want to edit and
» Review the policy set summary information. If you are satisfied with the policy
» Specify the policy set to be modified using the modifyPolicySet command.
» Use the enablePolicySet command to enable or disable a policy set.
» Validate the policy set using the ValidatePolicySet command.
» In the Policy Set Summary page, select a policy set from the table and click Delete.
» A dialog box displays asking you to confirm the deletion. Click OK.
» In the Navigator pane, expand WebLogic Domain to show the domain for which
» From the WebLogic Domain menu, select Security then Security Provider
» Click the plus sign + to expand the Keystore control near the bottom of the page,
» In the Keystore Type drop-down, select Java Key Store JKS, if it is not already
» Click OK to submit the changes.
» Generate the private key and self-signed certificate. The self-signed certificate will
» Generate the certificate request.
» Submit the CSR file to a CA such as VeriSign, for example. The CA will
» Import the CA root certificate which authenticates the CA’s public key.
» Replace the self-signed certificate with the trusted CA certificate issued by the CA
» Click Create Key to create new entries in the oracle.wsm.security credential
» Start WLST using the WLST.shcmd command located in the oracle_
» In the left pane of the Console, expand Environment and select Servers.
» Select Configuration, and then Keystores.
» Select Configuration, and then the SSL page, and choose the location of identity
» At the bottom of the page, click Advanced.
» Set the Two Way Client Cert Behavior control to Client Certs Requested and
» Ensure that the client application obtains a digital certificate that WebLogic Server
» Create a certificate registry that lists all the individual certificates trusted by
» Create a keystore used by the client application. Oracle recommends that you
» Create a private key and digital certificate pair, and load it into the client keystore.
» Make sure that the following properties are set in the clients JVM:
» Using Fusion Middleware Control, click WebLogic Domain, then Security, and
» In the Keystore Type drop-down, select Hardware Security Module HSM.
» After the Keystore Configuration page refreshes, enter Luna in the HSM Provider
» In the Key Alias and Crypt Alias fields, enter an alias for the signature and
» From the navigation pane, expand WebLogic Domain.
» Using Fusion Middleware Control, click WebLogic Domain.
» Select Web Services, and then select Platform Policy Configuration.
» Select the Identity Extension tab.
» To modify a identity extension property, select it and then click Edit. In the Edit
» To delete an existing property, select it and then click Delete.
» Click Apply to apply the property updates.
» Optionally, in the SAML Specific Attributes section, configure an alternate Issuer
» In the Custom Properties section of the page, configure any custom properties for
» Click Add to add a custom property.
» Restart Fusion Middleware Control.
» Configure the SAML login module, as described in
» Configure the identity assertion provider in the WebLogic Server Administration
» If you will be using policies that involve signatures related to SAML assertions
» From the System Policies page, select the arrow icon in the Permission field to
» Select one of the codebase permissions to use as a starting point and click Create
» In the Grant Details section of the page, enter
» In the Permissions section of the page, select the starting point permission class
» Attach the Kerberos policy to your Web service.
» Configure the Web service client to authenticate against the right KDC.
» Export the keytab file you created in
» Verify the keytab file using kinit:
» In the left pane select Security Realms.
» On the Settings for Realm Name page select Users and Groups and then Users.
» Click New. Oracle Fusion Middleware Online Documentation Library
» Click OK to save your changes.
» Create a new key pair and self-signed certificate.
» Generate a certificate request to the certificate authority.
» Replace import the self-signed certificate with the trusted CA certificate.
» If it is not already enabled, click the Configure Keystore Management check box.
» The Web service client invokes a Web service. The WSDL for the Web service
» The Web service client the requestor sends an authentication request, with
» The STS verifies the credentials presented by the client, and then in response
» The requestor verifies the RSTR, extracts the token, and passes it to the Web
» The Web service receives the issued token and verifies that the token was issued
» Navigate to Configuration Global Security Token Service.
» Under the On Behalf of Token section, select ldapService from the Authentication
» Select AES from the Encryption Algorithm drop-down list, and select 128 from
» Configure OpenSSO STS, as described
» Configure the STS service policy following the steps described in
» Configure OpenSSO STS. as described Configure the STS policy following the steps described in
» What are the basic requirements of your security policy? Decide if you need to
» If you require both authentication and message protection, then you need to
» Create a simple Web service that approves a credit card number cardNr. A
» Click Selected Roles. Oracle Fusion Middleware Online Documentation Library
» Click Add. Oracle Fusion Middleware Online Documentation Library
» Click OK. Click Delete. Click Selected Roles. Click Add.
» Click Add. Click OK. Click Delete.
» To add roles, click the check box next to each role you want to add in the Roles
» Select the role that you want to delete in the Selected Roles list.
» Using Fusion Middleware Control, click WebLogic Domain, then Logs and then
» Expand the test option sections by clicking the plus sign + next to the section
» In the Security section, select the security token to verify. The security setting is
» Using Fusion Middleware Control, click WebLogic Server, and then Web
» In the Web Services Details section of the Web Services summary page, select the
» Select the endpoint for which you want to display the statistics.
» Select the Operations tab if it is not already selected.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services
» Click Add to register a new source. The Register New Source page appears, as
» If you selected UDDI v3 registry import, enter the following information:
» If you selected WSIL import from URL, enter the following information:
» If you selected WSIL import from File, click Browse next to the WSIL File field
» Select Register Web Services.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services Do one of the following:
» Click OK in the Publish Service to UDDI window.
» Select Actions, then Publish to UDDI. See
» In the Publish Service to UDDI dialog box
» Click OK to connect to the external UDDI registry and register the Web service.
» On the Configuration tab, set the WSDL Enabled field to True or False to enable of
» In the navigator pane, expand WebLogic Domain to view the domains.
» Select WebLogic Domain Web Services Platform Policy Configuration.
» Select the tab corresponding to the component for which you want to define
» Select the Policy Accessor tab.
» Click Add to define a remote JNDI provider.
» Click Add to define a corresponding csf-key credential property. In the Add
» Select the Policy Cache tab.
» To modify an existing property, select it and then click Edit.
» Click Add to add a policy retrieval property.
» Select the Policy Interceptors tab.
» Select the Trusted SAML clients or Trusted STS servers tab, depending on
» Connect to the Administration Server using the command-line Oracle WebLogic
» After connecting to the Administration Server using WLST, start the script using
» Configure JOC for all the Managed Servers for a given cluster.
» Click Apply and restart WebLogic Server.
» Enter the name of the custom user in the JMS System User field and click Apply.
» Access the WebLogic Server Administration Console. To do so from Fusion
» Click Deployments in the Domain Structure pane and navigate to the
» In the Change Center, select Lock Edit.
» Select the MDB name for the request or response MDB. You will need to update
» In the Enterprise Bean Configuration section of the page, enter the custom user
» In the Change Center, click Activate Changes.
» Select wsm-pm. Oracle Fusion Middleware Online Documentation Library
» Use keytool to reset the passwords in the Oracle WSM keystore file. Because the
» From the WebLogic Sever menu, select Logs Log Configuration.
» Expand Root Logger. Oracle Fusion Middleware Online Documentation Library
» Expand oracle. Oracle Fusion Middleware Online Documentation Library
» Set the logging level for one or more of the following components:
» Click Apply to store the new logging level.
» Set the Logging Level field to one of the following settings: Severe, Warning,
» Click Search once you have set the fields, as desired.
» From the WebLogic Sever menu, select Logs Log Configuration. Select the Log Files tab.
» Click OK to edit the log file configuration.
» In the Navigator pane, expand Metadata Repositories and select mds-owsm, as
Show more