SSL vs. Non-SSL OWSM Policies - 11g
By Prakash Yamuna on May 24, 2012
I was having a conversation with a colleague about OWSM SSL policies vs. Non-SSL policies. For the uninitiated - the OWSM documentation describes the pre-defined OWSM policies.
So I thought I would share that conversation in this quick post...
The first thing to note about OWSM SSL Policies (ex: oracle/wss_username_token_over_ssl_service_policy) is that they don't automatically enable SSL!
You still need to enable SSL at the Application Server level, ex: in WLS or WAS.
The second thing to note is that OWSM Non-SSL Policies can be used over SSL.
So if the OWSM SSL Policies don't enable SSL automatically why use them?
The OWSM SSL Policies enable three things at a very high level:
a) The SSL Policies ensure that SSL is actually enabled. If SSL is not enabled, the requests will fail. Certain SSL Policies require two-way SSL (whereas others require only one-way SSL); the policies that require two-way SSL check that two-way SSL is enabled, and otherwise the requests will fail.
b) WS-SecurityPolicy standards compliance. WS-SecurityPolicy defines what must exist in the WSDL when you are using SSL. The OWSM SSL Policies ensure that what is "advertised" in the WSDL is WS-SecurityPolicy compliant. This ensures that clients that understand WS-SecurityPolicy (ex: Microsoft) can comply with what is described in the WSDL.
c) In some cases the SSL Policies sign the SAML token, etc. So for ex: if you have configured oracle/wss10_saml_token_service_policy over SSL, it is not equivalent to using oracle/wss_saml_token_over_ssl_service_policy.
For these reasons, if you are using SSL as transport-layer security, I recommend using the OWSM SSL policies rather than the Non-SSL policies over SSL.
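To make point (b) concrete, here is an added example (not from the original post or from OWSM) that inspects a WS-SecurityPolicy fragment of the kind a WSDL advertises and reports whether it actually promises HTTPS transport and, for two-way SSL, a client certificate. Both policy fragments are hand-constructed in WS-SecurityPolicy 1.2 form for illustration, not copied from OWSM-generated WSDL.

```python
"""Check what a WSDL's WS-SecurityPolicy advertises about transport security."""
import xml.etree.ElementTree as ET

WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"

# Constructed sample: a TransportBinding that requires HTTPS with a client
# certificate (two-way SSL), plus a UsernameToken as a signed supporting token.
SSL_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:TransportBinding><wsp:Policy>
    <sp:TransportToken><wsp:Policy>
      <sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/></wsp:Policy></sp:HttpsToken>
    </wsp:Policy></sp:TransportToken>
    <sp:IncludeTimestamp/>
  </wsp:Policy></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
    <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SignedSupportingTokens>
</wsp:Policy>"""

# Constructed sample: a UsernameToken-only policy with no TransportBinding.
# Deploying this endpoint on an HTTPS listener does not change what it advertises.
NON_SSL_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SupportingTokens><wsp:Policy>
    <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SupportingTokens>
</wsp:Policy>"""


def transport_requirements(policy_xml: str) -> dict:
    """Return what the policy says about transport security.

    'https'       - a TransportBinding with an HttpsToken is advertised
    'client_cert' - that HttpsToken requires a client certificate (two-way SSL)
    """
    root = ET.fromstring(policy_xml)
    https_tokens = root.findall(f".//{{{SP}}}TransportBinding//{{{SP}}}HttpsToken")
    client_cert = any(
        tok.find(f".//{{{SP}}}RequireClientCertificate") is not None for tok in https_tokens
    )
    return {"https": bool(https_tokens), "client_cert": client_cert}


if __name__ == "__main__":
    for name, policy in (("ssl", SSL_POLICY), ("non-ssl", NON_SSL_POLICY)):
        print(name, transport_requirements(policy))
```

Running it shows that the non-SSL policy advertises nothing about transport even when the server happens to listen on HTTPS, which is why a WS-SecurityPolicy-aware client cannot tell the two deployments apart from the WSDL alone.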