Thursday May 24, 2012

SSL vs. Non-SSL OWSM Policies - 11g

I was having a conversation with a colleague about OWSM SSL policies vs. non-SSL policies. For the uninitiated, here is the OWSM documentation that describes the pre-defined OWSM policies.

So I thought I would share that conversation with this quick post...

As you can see from the list, OWSM ships a number of policies that require SSL. The question we were discussing was: what is the benefit of using OWSM SSL policies vs. using OWSM non-SSL policies over SSL?

The first thing to note about OWSM SSL policies (e.g. oracle/wss_username_token_over_ssl_service_policy) is that they don't automatically enable SSL!

You still need to enable SSL at the application server level, e.g. in WLS or WAS.

The second thing to note is that OWSM non-SSL policies can be used over SSL.

So if the OWSM SSL policies don't enable SSL automatically, why use them?

The OWSM SSL Policies enable three things at a very high level:

a) The SSL policies ensure that SSL is actually enabled. If SSL is not enabled, the requests will fail. Certain SSL policies require two-way SSL (whereas others require one-way SSL). The policies that require two-way SSL check that two-way SSL is enabled; otherwise the requests will fail.

b) WS-SecurityPolicy standards compliance. WS-SecurityPolicy defines what must appear in the WSDL when you are using SSL. The OWSM SSL policies ensure that what is "advertised" in the WSDL is WS-SecurityPolicy compliant. This ensures that clients that understand WS-SecurityPolicy (e.g. Microsoft) can comply with what is described in the WSDL.

c) In some cases the SSL policies sign the SAML token, etc. So, for example, configuring oracle/wss10_saml_token_service_policy over SSL is not equivalent to using oracle/wss_saml_token_over_ssl_service_policy.

For these reasons, if you are using SSL for transport-layer security, I recommend using the OWSM SSL policies rather than the non-SSL policies over SSL.
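One way to check point (b) from the client side, as an added example that is not from the original post or from Oracle: the function below reads a WSDL and reports whether it advertises a WS-SecurityPolicy transport binding, and whether that binding requires a client certificate (two-way SSL). The WSDL fragments are constructed for illustration and are not actual OWSM output; the function and variable names are hypothetical.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespaces: 1.1 (2005/07) and 1.2 (200702).
SP_NAMESPACES = (
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
)

def advertised_transport_security(wsdl_text):
    """Return 'none', 'one-way-ssl' or 'two-way-ssl' for a WSDL document."""
    # Only parse WSDLs from a trusted source (or use defusedxml instead).
    root = ET.fromstring(wsdl_text)
    result = "none"
    for ns in SP_NAMESPACES:
        for binding in root.iter("{%s}TransportBinding" % ns):
            for token in binding.iter("{%s}HttpsToken" % ns):
                # 1.1 expresses the requirement as an attribute,
                # 1.2 as a nested sp:RequireClientCertificate assertion.
                attr = token.get("RequireClientCertificate", "false").lower()
                nested = token.find(".//{%s}RequireClientCertificate" % ns)
                if attr in ("true", "1") or nested is not None:
                    return "two-way-ssl"
                result = "one-way-ssl"
    return result

# Constructed sample documents (not real OWSM output).
WSDL_TEMPLATE = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy>%s</wsp:Policy>
</definitions>"""

HTTPS_TOKEN = ("<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>"
               "<sp:HttpsToken>%s</sp:HttpsToken>"
               "</wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>")

# Username token with no transport assertion: a non-SSL policy in the WSDL.
NON_SSL = WSDL_TEMPLATE % ("<sp:SupportingTokens><wsp:Policy><sp:UsernameToken/>"
                           "</wsp:Policy></sp:SupportingTokens>")
ONE_WAY = WSDL_TEMPLATE % (HTTPS_TOKEN % "")
TWO_WAY = WSDL_TEMPLATE % (
    HTTPS_TOKEN % "<wsp:Policy><sp:RequireClientCertificate/></wsp:Policy>")

if __name__ == "__main__":
    for name, doc in (("non-ssl", NON_SSL), ("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        print(name, "->", advertised_transport_security(doc))
```

A service that is only reachable over HTTPS but whose WSDL yields `none` is the "non-SSL policy over SSL" case: the transport requirement exists at the server but is not advertised to policy-aware clients.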

About

In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).
