OWSM Concepts - 11g
By Prakash Yamuna-Oracle on Sep 06, 2011
Jiandong has posted a number of articles introducing OWSM 11g at http://blogs.oracle.com/wssi/.
This post elaborates on some of the aspects discussed in those posts. There are three aspects to securing a web service using OWSM:
- Defining Policies
- Attaching Policies
- Setup Configuration required for Policies
Policies in OWSM are defined generically, without context; that is, in general they are not App specific. Some types of security policies do tend to be App specific; we will blog about this in a future post.
How to define policies?
You typically define policies using FMWCTL (Fusion Middleware CTL). The Security And Administrator's Guide provides detailed documentation on how to define policies (see the section "Managing Web Service Policies").
A Policy can be composed of a number of "Assertions". Typically you will have at least one Assertion in a Policy.
Attaching Policies to Policy Subjects
Once a Policy is defined, you can "attach" the Policy to a Policy Subject. A Policy Subject is either a Web Service or a Web Service Client. OWSM supports a variety of Web Services [ex: Oracle Infrastructure Web Services, SOA Web Services, ADF BC Web Services, OSB Proxy Service, WLS JEE JAX-WS, Oracle WebCenter WSRP, etc] and Web Service Clients [ex: SOA References, ADF Web Service Data Control (WSDC), OSB Business Service, WLS JEE JAX-WS Clients, WebCenter Portal, etc].
How to attach Policies?
There are three ways to attach OWSM Policies:
a) Via IDEs - ex: JDeveloper
b) Via Command Line Tooling - ex: WLST
c) Via Web based user interface - ex: FMWCTL
(b) and (c) are discussed in detail in the Security And Administrator's Guide. Specifically, see the section "Attaching Policies to Web Services" for details.
Note: WLST is not supported for OSB and WLS Web Services/Web Service Clients as of 220.127.116.11.0.
Setup Configuration required for Policies
Most Policies (esp. "security policies") require additional configuration. For example:
- Message protection policies require Keystore setup
- Passwords require OPSS Credential store setup
- Authentication policies require Identity Store setup
- WS-Trust based policies require STS
This is discussed in detail in the section "Setting Up Your Environment for Policies".
From our interactions with customers, support, etc., it appears most people trip up on the last aspect. In future blog posts we will elaborate on some of the concepts introduced in this blog post as well as describe "Setting Up Your Environment for Policies" in detail.