Welcome to the Oracle Cloud universe!

Web Service Security – Message Protection Policy Types – Part 3

Message Protection Policy Types

The types of message protection policies and how they work are described in the following sections.

3.6.2.1.1 SSL

Policies that include the SSL option, such as oracle/wss_saml_or_username_token_over_ssl_service_policy, use one-way SSL for message protection.

When using policies of this type, you need to do the following:

  • On the service side, set up private keys at the SSL termination point.
  • On the client side, set up the truststore to trust the service keys.

The private key is used to protect the SSL handshake, during which the client and service agree on a shared session key. After the SSL handshake, the private key is no longer used, and all traffic between the client and the service is signed and encrypted using the shared session key.

For information on how to configure SSL, see Securing Web Services and Managing Policies with Oracle Web Services Manager.

3.6.2.1.2 wss11

Policies of this type use WS-Security 1.1 for message protection.

When using wss11 policies, you need to do the following:

  • On the service side, set up a private key and define its alias as the Encryption Key Alias in the OWSM Keystore Configuration screen.
  • On the client side, configure client-side trust by obtaining the server’s certificate in one of the following ways:
    • Use the service’s public certificate published in the WSDL using the Service Identity Certificate extension, described in Securing Web Services and Managing Policies with Oracle Web Services Manager. You also need to import either the server certificate itself, or the root certificate from the CA that issued the server certificate, into the client truststore. You can choose any alias name for the server certificate.
    • Import the server certificate into the client keystore using any alias you choose, and specify that alias with the keystore.recipient.alias property via a configuration override when you attach the policy. For this method you must import the actual server certificate; importing only the CA root certificate is not sufficient.

For each request, the following occurs:

  1. The client creates a symmetric key, encrypts this symmetric key with the service’s public key (the certificate configured by the Encryption Key Alias), and then encrypts and signs the whole message with the symmetric key.
  2. When the service receives the message, it decrypts the encrypted key first, and then decrypts and verifies the whole message.
  3. The Web service then uses the same symmetric key to encrypt and sign the response that it sends back to the client.
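The three steps above are easier to follow with a concrete run. The script below is an added illustration, not Oracle's or OWSM's code: it models the wss11 key flow with openssl (RSA-OAEP to wrap a fresh symmetric key under the service certificate, then AES-256-CBC plus an HMAC-SHA256 over the IV and ciphertext for the message, and the same symmetric key reused for the response). The WS-Security XML wire format is not reproduced, the service key pair and certificate are generated on the fly as stand-ins for the keystore entries behind the Encryption Key Alias, and all file names are constructed for this example.

```shell
#!/bin/sh
# Added illustration (not Oracle's code): the wss11 per-request key flow modelled
# with openssl. Only the key handling is shown, not the XML Encryption/Signature format.
WORK="${WORK:-$(mktemp -d)}"

# Service side: the private key that would sit behind the OWSM Encryption Key Alias,
# and the certificate the client trusts (constructed here, self-signed, for the demo).
service_setup() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-service" \
    -keyout "$WORK/service-key.pem" -out "$WORK/service-cert.pem" 2>/dev/null
  # Client truststore stand-in: only the public half ever leaves the service.
  openssl x509 -in "$WORK/service-cert.pem" -pubkey -noout > "$WORK/trusted-service-pub.pem"
}

# Shared helpers: AES-256-CBC for confidentiality and HMAC-SHA256 over IV||ciphertext
# for integrity ("sign" in the text), both driven by the same symmetric key.
protect_with_key() {   # $1 hex key, $2 plaintext, $3 artifact prefix
  iv=$(openssl rand -hex 16)
  printf '%s' "$2" > "$WORK/$3.plain"
  openssl enc -aes-256-cbc -K "$1" -iv "$iv" -in "$WORK/$3.plain" -out "$WORK/$3.enc"
  printf '%s' "$iv" > "$WORK/$3.iv"
  { printf '%s' "$iv"; cat "$WORK/$3.enc"; } \
    | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}' > "$WORK/$3.mac"
  rm -f "$WORK/$3.plain"   # the plaintext must not travel with the message
}

unprotect_with_key() { # $1 hex key, $2 artifact prefix; prints plaintext or fails
  iv=$(cat "$WORK/$2.iv")
  expected=$(cat "$WORK/$2.mac")
  actual=$({ printf '%s' "$iv"; cat "$WORK/$2.enc"; } \
    | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}')
  # Verify before decrypting: a modified message is rejected without being decrypted.
  # (A production implementation would use a constant-time comparison here.)
  [ "$expected" = "$actual" ] || { echo "integrity check failed" >&2; return 1; }
  openssl enc -d -aes-256-cbc -K "$1" -iv "$iv" -in "$WORK/$2.enc"
}

# Step 1 (client): fresh symmetric key, wrapped with the service's public key using
# RSA-OAEP, then the request is encrypted and signed with that symmetric key.
client_send_request() {  # $1 plaintext request
  openssl rand -hex 32 > "$WORK/client.symkey"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/trusted-service-pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/client.symkey" -out "$WORK/request.wrappedkey"
  protect_with_key "$(cat "$WORK/client.symkey")" "$1" request
}

# Step 2 (service): unwrap the symmetric key with the private key, then verify and
# decrypt the request. Step 3: protect the response with the same symmetric key.
service_handle_request() {  # prints the decrypted request
  openssl pkeyutl -decrypt -inkey "$WORK/service-key.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/request.wrappedkey" -out "$WORK/service.symkey"
  key=$(cat "$WORK/service.symkey")
  request=$(unprotect_with_key "$key" request)
  protect_with_key "$key" "reply to: $request" response
  printf '%s' "$request"
}

# The client reads the response with the key it generated in step 1.
client_read_response() {
  unprotect_with_key "$(cat "$WORK/client.symkey")" response
}

# Failure mode: a request altered in transit fails the integrity check and is never decrypted.
tampered_request_is_rejected() {
  cp "$WORK/request.enc" "$WORK/request.enc.orig"
  printf 'TAMPER' | dd of="$WORK/request.enc" bs=1 seek=5 conv=notrunc 2>/dev/null
  if unprotect_with_key "$(cat "$WORK/service.symkey")" request >/dev/null 2>&1; then
    mv "$WORK/request.enc.orig" "$WORK/request.enc"; return 1
  fi
  mv "$WORK/request.enc.orig" "$WORK/request.enc"
}
```

Run it by sourcing the file and calling `service_setup`, then `client_send_request "..."`, `service_handle_request` and `client_read_response` in that order. The point to notice is the trust asymmetry the section describes: the client needs nothing but the service certificate, because the only asymmetric operation it performs is wrapping its own symmetric key, while the service needs its private key to unwrap it; the response rides on the same symmetric key, so no second key exchange happens.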

3.6.2.1.3 wss10

Policies of this type use WS-Security 1.0 for message protection.

When using wss10 policies, you need to do the following:

  • Set up private keys on both the client and service side. On the client side, you need to set a signature key alias; on the service side you need both an encryption key alias and a signature key alias. Note that you can normally use the same key for both.
  • On the client side, configure client-side trust by obtaining the server’s certificate in one of the following ways:
    • Use the service’s public certificate published in the WSDL using the Service Identity Certificate extension, described in Securing Web Services and Managing Policies with Oracle Web Services Manager. You also need to import either the server certificate itself, or the root certificate from the CA that issued the server certificate, into the client truststore. You can choose any alias name for the server certificate.
    • Import the server certificate into the client keystore using any alias you choose, and specify that alias with the keystore.recipient.alias property via a configuration override when you attach the policy. For this method you must import the actual server certificate; importing only the CA root certificate is not sufficient.
  • On the service side, configure the service to trust the client, either by importing the client certificates directly, or by importing the certificate of the CA that issued them.
