Configure JOC for all the Managed Servers for a given cluster.
4. Select WebLogic Domain Web Services Platform Policy Configuration.
The Platform Policy Configuration page appears.5. Select the Policy Accessor tab.
6. Click Add in the Policy Access Properties section.
7. In the Add New Configure Property dialog, enter the following: ■ Enter the name jndi.lookup.csf.key. This property provides credential configuration java.naming.security.principal and java.naming.security.credentials and is used when an account in the LDAP directory is configured to connect with the Oracle WSM Policy Manager. ■ Enter the value in this example, OID.8. Click OK.
9. Click Apply and restart WebLogic Server.
Modify the User’s Group or Role Oracle WSM Policy Manager uses the logical role policy.Accessor to secure EJBs that are accessed by the Oracle WSM Agent runtime to access the policies. By default, the policy.Accessor role is mapped to the groups OracleSystemGroup and Administrators. Oracle WSM Agent run time uses the OracleSystemUser identity to access wsm-pm. The new default user must either be included in the Administrator or OracleSystemGroup if the groups exist, or be mapped to the logical role policy.Accessor if the Administrator or OracleSystemGroup groups do not exist. To ensure the user has the required role, perform the following steps: 1. If the Administrator or OracleSystemGroup groups exist in the LDAP or identity store, perform the following: a. In LDAP, add the user that you would like to use as a default administrative user. b. In WebLogic Server Administration Console, ensure that the user exists in the Administrator group. For more information, see Configure Authentication and Identity Assertion providers in Oracle WebLogic Server Administration Console Help. 2. If the Administrator or OracleSystemGroup groups do not exist in the LDAP or identity store, map the new user to the required logical role and redeploy the wsm-pm application using the modified deployment plan. To map the new user or existing users belonging to a group other than Administrator or OracleSystemGroup, perform the following steps: a. Create a deployment plan for deploying wsm_pm.ear. Example 14–1 describes a sample deployment plan. A sample deployment plan, shipped with WebLogic, is available in the ORACLE_HOMEmodulesoracle.wsm.pm_ 11.1.1prov folder. Modify the section to_be_replaced with the new user. Note: The csf-key that you specify in this step must match the csf-key specified for the Policy Manager administrative user in the credential store. For more information, see Configure the Credential Store Provider . 14-26 Oracle Fusion Middleware Security and Administrators Guide for Web Services Example 14–1 Sample Deployment Plan ?xml version=1.0 encoding=UTF-8? deployment-plan xmlns=http:xmlns.oracle.comweblogicdeployment-plan xmlns:xsi=http:www.w3.org2001XMLSchema-instance xsi:schemaLocation=http:xmlns.oracle.comweblogicdeployment-plan http:xmlns.oracle.comweblogicdeployment-plan1.0deployment-plan.xsd application-nameoracle.wsm.pm_11.1.1application-name variable-definition variable nameSecurityRoleAssignment_ejbRole_PrincipalNamename valueto_be_replacedvalue variable variable-definition module-override module-namewsm-pmserver-wls.jarmodule-name module-typeejbmodule-type module-descriptor external=false root-elementweblogic-ejb-jarroot-element uriMETA-INFweblogic-ejb-jar.xmluri variable-assignment nameSecurityRoleAssignment_ejbRole_PrincipalNamename xpathweblogic-ejb-jarsecurity-role-assignment[role-name=policy.Accessor] principal-namexpath operationreplaceoperation variable-assignment module-descriptor module-override deployment-plan b. Redeploy the EAR. For more information, see Deploying an Application with a Deployment Plan in Deploying Applications to Oracle WebLogic Server. Changing the JMS System User for Asynchronous Web Services By default, the JMS System User is set as the OracleSystemUser. For most users, this default value is sufficient. However, if you need to change this value to a custom user in your security realm, you can do so by changing the value of the user in Oracle Enterprise Manager Fusion Middleware Control and in the WebLogic Server Administration Console as described in the following procedure. To change the JMS System User: 1. Access the Configuration tab on the Web Service Endpoint page for the asynchronous Web service as described in Configuring Asynchronous Web Services on page 6-25.2. Enter the name of the custom user in the JMS System User field and click Apply.
See Figure 14–12 . Note: The custom user must exist in the security realm and have the permissions required to access the JMS resources. Advanced Administration 14-27 Figure 14–12 Setting the JMS System User for Asynchronous Web Services3. Access the WebLogic Server Administration Console. To do so from Fusion
Middleware Control, select the domain in the navigator pane. From the WebLogic Domain menu, select WebLogic Server Administration Console. 4. Log into the WebLogic Server Administration Console using a valid username and password with the required administrative privileges.5. Click Deployments in the Domain Structure pane and navigate to the
corresponding service_AsynchRequestProcessorMDB or service_ AsynchResponseProcessorMDB MDBs. In these MDB names, service is the name of the asynchronous service for which you are changing the user name.6. In the Change Center, select Lock Edit.
7. Select the MDB name for the request or response MDB. You will need to update
the user name for both the request and response MDBs. In the Settings page, select the Configuration tab.8. In the Enterprise Bean Configuration section of the page, enter the custom user
name in the Run As Principal Name field and click Save. See Figure 14–13 . Note that the user name you enter in this field must match the user name you entered for the JMS System User in Fusion Middleware Control. 14-28 Oracle Fusion Middleware Security and Administrators Guide for Web Services Figure 14–13 WebLogic Server Administration Console Update for JMS System User The configuration changes need to be saved in a new deployment plan. 9. Use the Save Deployment Plan Assistant to save the new deployment plan. 10. Repeat steps 7 and 8 for the second MDB. The changes are automatically saved to the new deployment plan.11. In the Change Center, click Activate Changes.
12. Redeploy the application. For more information, see Chapter 5, Deploying Web Services Applications.Parts
» Oracle Fusion Middleware Online Documentation Library
» Click Login. Oracle Fusion Middleware Online Documentation Library
» Description of Functionality Click Log In.
» A deployment plan is an XML file that you use to configure an application for
» Click Next. Oracle Fusion Middleware Online Documentation Library
» When the operation completes, click Close.
» Using Fusion Middleware Control, click Application Deployment, then click Web
» Connect to the running instance of WebLogic Server to which the application is
» Select soa-infra, expand the SOA partition for example, the default partition and
» Select the Dashboard tab if it is not already selected.
» Click Callback Client in the upper right portion of the endpoint page.
» Navigate to the Web Service Endpoint page, or the Service Home page for SOA
» Click the Configuration tab. For SOA composites, click the Properties tab.
» For ADF and WebCenter applications, restart the Web service application. You do
» In the Metadata Exchange Enabled field, select True from the menu to enable the
» In the Schema validation field, select True from the menu to enable schema
» In the Atomic Transaction Flow Option field, select whether the transaction Click Apply.
» Set the Maximum Request Size and the Unit of Maximum Request Size and click
» In the Web Service Details section of the page, click on the plus + for the Web
» Click the name of the endpoint of the asynchronous Web service to navigate to the
» From the Web Service Endpoint page, click the Configuration tab. Click Apply.
» Click Apply. Oracle Fusion Middleware Online Documentation Library
» Click the Configuration tab.
» When you are done viewing the policy, click Return to Web Services Policies.
» From the Category menu, select the category to which this policy will belong and
» Set the Local Optimization control. See
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Click Validate to verify that the policy does not contain errors. For more
» From the Web Services Policies page, click Import From File.
» In the Create Policy From File box, enter the file path of the file in the Select Policy
» Click OK. Oracle Fusion Middleware Online Documentation Library
» Click the Search Assertion Templates icon next to the Name field. Click Create Like.
» Click Edit. Oracle Fusion Middleware Online Documentation Library
» Select the assertion template to be edited as described in Click the Configurations tab.
» Select the property from the list and click Edit.
» Enter the values for your configuration and click OK.
» In the Assertions section, click Add.
» To configure the assertion, click the Settings tab and edit the settings as required.
» To edit the configuration properties, click the Configurations tab.
» Select the property to be edited and click Edit.
» Edit the Configuration properties and click OK.
» When you are done, click Save to save the policy.
» In the Assertion List section, click Add OR Group. Click OK.
» To delete an assertion from the OR group, select the assertion and click Delete. To
» In the Assertions section of the page, select the assertion to be configured in the
» Click the Settings or Configurations tab.
» Edit the Settings and Configuration properties, and click Save.
» Select Save File. Oracle Fusion Middleware Online Documentation Library
» Navigate to the Web Services Assertions Templates page, as described in
» Click Browse to navigate to the directory where the assertion template file is
» Click Delete. Oracle Fusion Middleware Online Documentation Library
» The policies appear in order in the Policy Version History table with the active
» In the Policy History table, select a policy and click Restore or click Activate
» Select a generated policy from the table and click Edit.
» Click Validate to validate your changes.
» Click Save to save the changes to your policy.
» From the Web Service Endpoint page, click the OWSM Policies tab.
» Select the policy you want to enable or disable.
» Select Enable or Disable to enable or disable the policy, respectively, and confirm
» Select a policy from the Policies table and click Edit. Click Save.
» In cases where multiple domains share the same Oracle WSM Repository to store
» Click the OWSM Policies tab.
» Navigate to the home page for the Web service, as described in
» Click the name of a endpoint to navigate to the Web Service Endpoints page for a
» Click AttachDetach. Oracle Fusion Middleware Online Documentation Library
» Select a policy from the Available Policies list, and click Attach. See
» Using Fusion Middleware Control, click WebLogic Server and then Web Services.
» From the Web Services Summary page, click Attach Policies.
» Click Back to make any changes, or click Attach to complete the bulk attachment.
» Click the Policies tab. Click AttachDetach.
» Click Validate. Oracle Fusion Middleware Online Documentation Library
» View the SOA reference, as described in
» In the Directly Attached Policies section of the page, click AttachDetach.
» From the Available Policies section of the page, select one or more policies that
» Click Attach when you are sure that you want to attach the policy or policies.
» From the Application Deployment menu, select ADF, and then Configure ADF
» On the ADF Connections Configuration page, select a row in the Web Service
» On the Web Service Client page, select the OWSM Policies tab.
» On the Available Policies section of the page, select one or more policies that you
» On the Available Policies portion of the page, select one or more policies that you
» Select the configuration property and click Edit to make the change to the action Click Save.
» Select Override Policy Configuration.
» Enter the override value in the Value field for the property and click Apply.
» Attach the policy to the service as described in
» Use the setWebServicePolicyOverride command to override policy
» For ADF DC and WebCenter client applications, restart the Web service client
» From the WebLogic Domain menu, select Web Services then Policy Sets.
» From the Policy Set Summary page, click Create.
» In the Enter Resource Scope page, enter at least one pattern string that defines the
» In the Add Policy References page, select a policy from the Available Policies list,
» Continue selecting and attaching policies. When you are finished, click Validate to
» Click Next to view the Policy Set Summary Page.
» Select or clear the Enabled check box to enable or disable the policy set.
» In the Enter Resource Scope page, modify the scope as desired and click Next.
» In the Add Policy References page, modify the policy attachments as desired.
» Navigate to the Policy Set Summary page as described in
» In the Policy Set Summary page, select the policy set that you want to edit and
» Review the policy set summary information. If you are satisfied with the policy
» Specify the policy set to be modified using the modifyPolicySet command.
» Use the enablePolicySet command to enable or disable a policy set.
» Validate the policy set using the ValidatePolicySet command.
» In the Policy Set Summary page, select a policy set from the table and click Delete.
» A dialog box displays asking you to confirm the deletion. Click OK.
» In the Navigator pane, expand WebLogic Domain to show the domain for which
» From the WebLogic Domain menu, select Security then Security Provider
» Click the plus sign + to expand the Keystore control near the bottom of the page,
» In the Keystore Type drop-down, select Java Key Store JKS, if it is not already
» Click OK to submit the changes.
» Generate the private key and self-signed certificate. The self-signed certificate will
» Generate the certificate request.
» Submit the CSR file to a CA such as VeriSign, for example. The CA will
» Import the CA root certificate which authenticates the CA’s public key.
» Replace the self-signed certificate with the trusted CA certificate issued by the CA
» Click Create Key to create new entries in the oracle.wsm.security credential
» Start WLST using the WLST.shcmd command located in the oracle_
» In the left pane of the Console, expand Environment and select Servers.
» Select Configuration, and then Keystores.
» Select Configuration, and then the SSL page, and choose the location of identity
» At the bottom of the page, click Advanced.
» Set the Two Way Client Cert Behavior control to Client Certs Requested and
» Ensure that the client application obtains a digital certificate that WebLogic Server
» Create a certificate registry that lists all the individual certificates trusted by
» Create a keystore used by the client application. Oracle recommends that you
» Create a private key and digital certificate pair, and load it into the client keystore.
» Make sure that the following properties are set in the clients JVM:
» Using Fusion Middleware Control, click WebLogic Domain, then Security, and
» In the Keystore Type drop-down, select Hardware Security Module HSM.
» After the Keystore Configuration page refreshes, enter Luna in the HSM Provider
» In the Key Alias and Crypt Alias fields, enter an alias for the signature and
» From the navigation pane, expand WebLogic Domain.
» Using Fusion Middleware Control, click WebLogic Domain.
» Select Web Services, and then select Platform Policy Configuration.
» Select the Identity Extension tab.
» To modify a identity extension property, select it and then click Edit. In the Edit
» To delete an existing property, select it and then click Delete.
» Click Apply to apply the property updates.
» Optionally, in the SAML Specific Attributes section, configure an alternate Issuer
» In the Custom Properties section of the page, configure any custom properties for
» Click Add to add a custom property.
» Restart Fusion Middleware Control.
» Configure the SAML login module, as described in
» Configure the identity assertion provider in the WebLogic Server Administration
» If you will be using policies that involve signatures related to SAML assertions
» From the System Policies page, select the arrow icon in the Permission field to
» Select one of the codebase permissions to use as a starting point and click Create
» In the Grant Details section of the page, enter
» In the Permissions section of the page, select the starting point permission class
» Attach the Kerberos policy to your Web service.
» Configure the Web service client to authenticate against the right KDC.
» Export the keytab file you created in
» Verify the keytab file using kinit:
» In the left pane select Security Realms.
» On the Settings for Realm Name page select Users and Groups and then Users.
» Click New. Oracle Fusion Middleware Online Documentation Library
» Click OK to save your changes.
» Create a new key pair and self-signed certificate.
» Generate a certificate request to the certificate authority.
» Replace import the self-signed certificate with the trusted CA certificate.
» If it is not already enabled, click the Configure Keystore Management check box.
» The Web service client invokes a Web service. The WSDL for the Web service
» The Web service client the requestor sends an authentication request, with
» The STS verifies the credentials presented by the client, and then in response
» The requestor verifies the RSTR, extracts the token, and passes it to the Web
» The Web service receives the issued token and verifies that the token was issued
» Navigate to Configuration Global Security Token Service.
» Under the On Behalf of Token section, select ldapService from the Authentication
» Select AES from the Encryption Algorithm drop-down list, and select 128 from
» Configure OpenSSO STS, as described
» Configure the STS service policy following the steps described in
» Configure OpenSSO STS. as described Configure the STS policy following the steps described in
» What are the basic requirements of your security policy? Decide if you need to
» If you require both authentication and message protection, then you need to
» Create a simple Web service that approves a credit card number cardNr. A
» Click Selected Roles. Oracle Fusion Middleware Online Documentation Library
» Click Add. Oracle Fusion Middleware Online Documentation Library
» Click OK. Click Delete. Click Selected Roles. Click Add.
» Click Add. Click OK. Click Delete.
» To add roles, click the check box next to each role you want to add in the Roles
» Select the role that you want to delete in the Selected Roles list.
» Using Fusion Middleware Control, click WebLogic Domain, then Logs and then
» Expand the test option sections by clicking the plus sign + next to the section
» In the Security section, select the security token to verify. The security setting is
» Using Fusion Middleware Control, click WebLogic Server, and then Web
» In the Web Services Details section of the Web Services summary page, select the
» Select the endpoint for which you want to display the statistics.
» Select the Operations tab if it is not already selected.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services
» Click Add to register a new source. The Register New Source page appears, as
» If you selected UDDI v3 registry import, enter the following information:
» If you selected WSIL import from URL, enter the following information:
» If you selected WSIL import from File, click Browse next to the WSIL File field
» Select Register Web Services.
» Using Fusion Middleware Control, select WebLogic Domain then Web Services Do one of the following:
» Click OK in the Publish Service to UDDI window.
» Select Actions, then Publish to UDDI. See
» In the Publish Service to UDDI dialog box
» Click OK to connect to the external UDDI registry and register the Web service.
» On the Configuration tab, set the WSDL Enabled field to True or False to enable of
» In the navigator pane, expand WebLogic Domain to view the domains.
» Select WebLogic Domain Web Services Platform Policy Configuration.
» Select the tab corresponding to the component for which you want to define
» Select the Policy Accessor tab.
» Click Add to define a remote JNDI provider.
» Click Add to define a corresponding csf-key credential property. In the Add
» Select the Policy Cache tab.
» To modify an existing property, select it and then click Edit.
» Click Add to add a policy retrieval property.
» Select the Policy Interceptors tab.
» Select the Trusted SAML clients or Trusted STS servers tab, depending on
» Connect to the Administration Server using the command-line Oracle WebLogic
» After connecting to the Administration Server using WLST, start the script using
» Configure JOC for all the Managed Servers for a given cluster.
» Click Apply and restart WebLogic Server.
» Enter the name of the custom user in the JMS System User field and click Apply.
» Access the WebLogic Server Administration Console. To do so from Fusion
» Click Deployments in the Domain Structure pane and navigate to the
» In the Change Center, select Lock Edit.
» Select the MDB name for the request or response MDB. You will need to update
» In the Enterprise Bean Configuration section of the page, enter the custom user
» In the Change Center, click Activate Changes.
» Select wsm-pm. Oracle Fusion Middleware Online Documentation Library
» Use keytool to reset the passwords in the Oracle WSM keystore file. Because the
» From the WebLogic Sever menu, select Logs Log Configuration.
» Expand Root Logger. Oracle Fusion Middleware Online Documentation Library
» Expand oracle. Oracle Fusion Middleware Online Documentation Library
» Set the logging level for one or more of the following components:
» Click Apply to store the new logging level.
» Set the Logging Level field to one of the following settings: Severe, Warning,
» Click Search once you have set the fields, as desired.
» From the WebLogic Sever menu, select Logs Log Configuration. Select the Log Files tab.
» Click OK to edit the log file configuration.
» In the Navigator pane, expand Metadata Repositories and select mds-owsm, as
Show more