1. Interoperability Solutions Guide for Oracle Web Services Manager
  2. Interoperability with Axis 1.4 and WSS4J 1.5.8 Security Environments

8 Interoperability with Axis 1.4 and WSS4J 1.5.8 Security Environments

Oracle Web Services Manager (OWSM) is interoperable with Axis 1.4 and WSS4J 1.5.8 security environments. Policies that conform to the WS-Security 1.0 and 1.1 standards are attached to web services, to achieve the interoperability between OWSM and Axis 1.4 and WSS4J 1.5.8 security environments.

This chapter includes the following sections:

8.1 Understanding the Interoperability of Axis 1.4 and WSS4J 1.5.8 Security Environments

In Axis 1.4 and WSS4J 1.5.8, you configure your security environment for inbound and outbound requests using handlers and deployment descriptors.

More details on OWSM policies and interoperability scenarios are described in the following sections:

For more information, see the Axis Deployment Tutorial at http://ws.apache.org/wss4j/axis.html.

8.1.1 OWSM Policies for Axis and WSS4J

With OWSM 14c, you attach policies to web service endpoints. Each policy consists of one or more assertions, defined at the domain-level, that define the security requirements. A set of predefined policies and assertions are provided out-of-the-box.

For more information about:

8.1.2 Interoperability Scenarios for Axis and WSS4J Service Policy

You can review the different scenarios for interoperability between OWSM 14c and Axis/WSS4J.

The following table describes the OWSM 14c service policy and Axis/WSS4J client policy interoperability scenarios:

Table 8-1 OWSM 14c Service Policy and Axis WSS4J Client Policy Interoperability

Identity Token WS-Security Version Message Protection Transport Security Service Policy Client Policy

Username

1.0

Yes

No

oracle/wss10_username_token_with_message_protection_service_policy

UsernameToken Timestamp Signature Encrypt

SAML

1.0

Yes

No

oracle/wss10_saml_token_with_message_protection_service_policy

SAMLTokenUnsigned Timestamp Signature Encrypt

Username

1.0 and 1.1

No

Yes

oracle/wss_username_token_over_ssl_service_policy

UsernameToken Timestamp

SAML

1.0 and 1.1

No

Yes

oracle/wss_saml_token_over_ssl_service_policy

SAMLTokenUnsigned Timestamp

The following table describes the Axis/WSS4J service policy and OWSM 14c client policy interoperability scenarios:

Table 8-2 Axis WSS4J Service Policy and OWSM 14c Client Policy Interoperability

Identity Token WS-Security Version Message Protection Transport Security Service Policy Client Policy

Username

1.0

Yes

No

UsernameToken Timestamp Signature Encrypt

oracle/wss10_username_token_with_message_protection_client_policy

SAML

1.0

Yes

No

SAMLTokenUnsigned Timestamp Signature Encrypt

oracle/wss10_saml_token_with_message_protection_client_policy

Username

1.0 and 1.1

No

Yes

Timestamp UsernameToken

oracle/wss_username_token_over_ssl_client_policy

SAML

1.0 and 1.1

No

Yes

Timestamp SAMLTokenUnsigned

oracle/wss_saml_token_over_ssl_client_policy

8.2 Creating Required Files for Interoperability With Axis and WSS4J

The handler and property files are required in each of the Axis and WSS4J interoperability scenarios.

To create the handler and property files:

  1. Create and compile a password callback class, PWCallback.java, that can resolve passwords required by username and keystore aliases.

    The deployment descriptors defined in the following sections, contain username information, but not password information. As a best practice, you should not store sensitive information such as passwords in clear text within the deployment descriptor. To obtain the password, the Axis handler calls the password callback class. This mechanism is similar to JAAS. For more information, see the WSS4J documentation at http://ws.apache.org/wss4j.

  2. Create the keystore properties file, crypto.properties, as shown below. Include this file in the classes directory.
    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=default-keystore.jks
  3. Create the saml.properties file, required for SAML interoperability scenarios only, as shown below.
    org.apache.ws.security.saml.issuerClass=org.apache.ws.security.saml.SAMLIssuerImpl
org.apache.ws.security.saml.issuer.cryptoProp.file=crypto.properties
org.apache.ws.security.saml.issuer.key.name=orakey
org.apache.ws.security.saml.issuer.key.password=orakey
org.apache.ws.security.saml.issuer=www.oracle.com
org.apache.ws.security.saml.subjectNameId.name=weblogic
org.apache.ws.security.saml.authenticationMethod=password
org.apache.ws.security.saml.confirmationMethod=senderVouches

8.3 Implementing a Username Token with Message Protection (WS-Security 1.0) for Axis and WSS4J Client

The Username Token with Message Protection policy conforms to the WS-Security 1.0 standard. This policy is implemented to achieve the interoperability of an OWSM 14c web service with an Axis and WSS4J client and the interoperability of an Axis and WSS4J web service with an OWSM 14c client.

The following topics describe how to implement username token with message protection in different interoperability scenarios:

8.3.1 Configuring an OWSM 14c Web Service and an Axis and WSS4J Client (Username Token with Message Protection)

You can implement username token with message protection that conforms to the WS-Security 1.0 standard using OWSM 14c web service and an Axis and WSS4J client.

The following topics describe how to configure an OWSM 14c web service and an Axis and WSS4J client to implement username token with message protection:

8.3.1.1 Configuring OWSM 14c Web Service for Axis and WSS4J (Username Token with Message Protection)

You can configure an OWSM 14c web service to implement username token with message protection for interoperability with an Axis and WSS4J client.

To configure the OWSM 14c web service:

  1. Attach the following policy to the web service: oracle/wss10_username_token_with_message_protection_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Deploy the web service.

8.3.1.2 Configuring Axis and WSS4J Client (Username Token with Message Protection)

You can configure an Axis and WSS4J client to implement username token with message protection for interoperability with an OWSM 14c web service.

To configure an Axis and WSS4J client:

  1. Build your web service client proxy.

  2. Create the password callback class, PWCallback.java, and keystore properties file, crypto.properties.

    For more information, see Creating Required Files for Interoperability With Axis and WSS4J.

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, client_deploy.wsdd, similar to the following client_deploy.wsdd deployment descriptor sample: 

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <transport name="http" 
  pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration >
   <!-- wss10_username_token_with_message_protection -->
   <requestFlow>
     <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
       <parameter name="passwordCallbackClass" 
        value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
       <parameter name="passwordType" value="PasswordText"/>
       <parameter name="user" value="weblogic"/>
       <parameter name="action" value="UsernameToken Timestamp Signature Encrypt"/>
       <parameter name="encryptionKeyTransportAlgorithm" 
        value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
       <parameter name="encryptionKeyIdentifier" value="DirectReference" />
       <parameter name="encryptionPropFile" value="crypto.properties" />
       <parameter name="encryptionUser" value="orakey" />
       <parameter name="encryptionParts" value=
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
     UsernameToken;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
       <parameter name="signatureUser" value="orakey" />
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="signatureKeyIdentifier" value="DirectReference" />
       <parameter name="signatureParts" value=
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}
UsernameToken;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd}
Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
     </handler>
   </requestFlow>
   <responseFlow>
     <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
       <parameter name="passwordCallbackClass" value="com.oracle.xmlns.ConfigOverride_jws.CO
_SOA.BPELProcess1.PWCallback"/>
       <parameter name="action" value="Timestamp Signature Encrypt" />
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="decryptionPropFile" value="crypto.properties" />
       <parameter name="enableSignatureConfirmation"  value="false" />
     </handler>
   </responseFlow>
  </globalConfiguration >
</deployment>

    In the example, the receiver decrypts, verifies, and validates the username token; the sender inserts a username token, timestamp, signs the body, username token, and timestamp, and encrypts the body and username token. As shown in the example, the encryption key transport is overridden to match the OWSM default requirements

  5. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");

  6. Deploy the web service client.

8.3.2 Configuring an Axis and WSS4J Web Service and an OWSM 14c Client (Username Token with Message Protection)

You can implement username token with message protection that conforms to the WS-Security 1.0 standard using an Axis and WSS4J web service and an OWSM 14c client.

The following topics describe how to configure an Axis and WSS4J web service and an OWSM 14c client service to implement username token with message protection:

8.3.2.1 Configuring Axis and WSS4J Web Service (Username Token with Message Protection)

You can configure an Axis and WSS4J web service to implement username token with message protection for interoperability with an OWSM 14c client.

To configure an Axis and WSS4J web service

  1. Build your web service.

  2. Create the password callback class, PWCallback.java, and keystore properties file, crypto.properties, as described in "Creating Required Files for Interoperability With Axis and WSS4J".

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, server_deploy.wsdd, as shown in the following sample: 

    <ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" use="literal">
<!-- wss10_username_token_with_message_protection -->
<requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="wss4j"/>
      <parameter name="action" value="Signature UsernameToken Timestamp Encrypt"/>
      <parameter name="signaturePropFile" value="crypto.properties" />
      <parameter name="decryptionPropFile" value="crypto.properties" />
   </handler>
</requestFlow>
<responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
       <parameter name="passwordCallbackClass" value="PWCallback1"/>
       <parameter name="user" value="orakey"/>
       <parameter name="action" value="Timestamp Signature Encrypt"/>
       <parameter name="encryptionKeyTransportAlgorithm" 
          value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="signatureKeyIdentifier" value="DirectReference" />
       <parameter name="signatureParts" 
value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
       <parameter name="encryptionKeyIdentifier" value="DirectReference" />
   </handler>
</responseFlow>
</ns1:service>

    In the example, the receiver decrypts, verifies, and validates the username token; the sender inserts a username token, timestamp, signs the body, username token, and timestamp, and encrypts the body and username token. As shown in the example, the encryption key transport is overridden to match the OWSM default requirements.

    Note:

    WSS4J enforces an order to the elements in the header. Ensure action ordering is updated in server_deploy.wsdd as shown in the sample.

  5. Deploy the web service.

8.3.2.2 Configuring OWSM 14c Client for Axis and WSS4J (Username Token with Message Protection)

You can configure an OWSM 14c client to implement username token with message protection for interoperability with an Axis and WSS4J web service.

To configure an OWSM 14c client:

  1. Attach the following policy to the web service: oracle/wss10_username_token_with_message_protection_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. For Java SE clients only, configure the web service client properties, as follows:

    Note:

    This step is not required for Java EE clients.

    myPort.setProperty(ClientConstants.WSS_KEYSTORE_TYPE,"JKS");
myPort.setProperty(ClientConstants.WSS_KEYSTORE_LOCATION,
 "/keystore-path/default-keystore.jks");
myPort.setProperty(ClientConstants.WSS_KEYSTORE_PASSWORD, "password");
myPort.setProperty(ClientConstants.WSS_RECIPIENT_KEY_ALIAS,"orakey");
...

    Where setProperty is defined as follows: 

    public void setProperty(String name, String value) {
   ((Stub) _port)._setProperty(name, value);
}

  3. Deploy the web service client.

8.4 Implementing a SAML Token with Message Protection (WS-Security 1.0) for Axis and WSS4J Client

The SAML Token with Message Protection policy conforms to the WS-Security 1.0 standard. This policy is implemented to achieve the interoperability of an OWSM 14c web service with an Axis and WSS4J client and the interoperability of an Axis and WSS4J web service with an OWSM 14c client.

The following topics describe how to implement SAML token with message protection in different interoperability scenarios:

8.4.1 Configuring an OWSM 14c Web Service and an Axis an WSS4J Client (SAML Token with Message Protection)

You can implement SAML token with message protection that conforms to the WS-Security 1.0 standard using OWSM 14c web service and an Axis and WSS4J client.

The following topics describes how to configure OWSM 14c web service and an Axis and WSS4J client to implement SAML token with message protection:

8.4.1.1 Configuring OWSM 14c Web Service for Axis and WSS4J (SAML Token)

You can configure an OWSM 14c web service to implement SAML token for interoperability with an Axis and WSS4J client.

To configure the OWSM 14c web service:

  1. Attach the following policy to the web service: oracle/wss10_saml_token_with_message_protection_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Deploy the web service.

8.4.1.2 Configuring Axis and WSS4J Client (SAML Token)

You can configure an Axis and WSS4J client to implement SAML token for interoperability with an OWSM 14c web service.

To configure an Axis and WSS4J client:

  1. Build your web service client proxy.

  2. Create the password callback class, PWCallback.java, keystore properties file, crypto.properties file, and saml.properties file, as described in Creating Required Files for Interoperability With Axis and WSS4J.

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, client_deploy.wsdd, similar to the sample at the end of this procedure.

    In the example, the receiver decrypts, verifies, and validates the SAML token; the sender inserts a SAML token, timestamp, signs the body, SAML token, and timestamp, and encrypts the body. As shown in the example, the encryption key transport is overridden to match the OWSM default requirements.

  5. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");

  6. Deploy the web service client.

    See the following client_deploy.wsdd deployment descriptor sample: 

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <transport name="http" 
  pivot="java:org.apache.axis.transport.http.HTTPSender"/>
  <globalConfiguration >
<!-- wss10_saml_token_with_message_protection -->
    <requestFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
        <parameter name="passwordCallbackClass" 
         value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
        <parameter name="passwordType" value="PasswordText"/>
        <parameter name="user" value="weblogic"/>
        <parameter name="action" value="Timestamp Signature SAMLTokenSigned Encrypt"/>
        <parameter name="samlPropFile" value="saml.properties"/>
        <parameter name="encryptionKeyTransportAlgorithm" 
         value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <parameter name="encryptionKeyIdentifier" value="DirectReference" />
        <parameter name="encryptionPropFile" value="crypto.properties" />
        <parameter name="encryptionUser" value="orakey" />
        <parameter name="encryptionParts" 
         value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <parameter name="signatureUser" value="orakey" />
        <parameter name="signaturePropFile" value="crypto.properties" />
        <parameter name="signatureKeyIdentifier" value="DirectReference" />
        <parameter name="signatureParts" value="{Element}
          {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}
          Timestamp;{Element}
          {http://schemas.xmlsoap.org/soap/envelope/}Body" />
      </handler>
    </requestFlow>
    <responseFlow>
      <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
        <parameter name="passwordCallbackClass" 
         value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback" />
        <parameter name="action" value="Timestamp Signature Encrypt" />
        <parameter name="signaturePropFile" value="crypto.properties" />
        <parameter name="decryptionPropFile" value="crypto.properties" />
        <parameter name="enableSignatureConfirmation" value="false" />
    </handler>
  </responseFlow>
  </globalConfiguration >
</deployment>

8.4.2 Configuring an Axis and WSS4J Web Service and an OWSM 14c Client (SAML Token with Message Protection)

You can implement SAML token with message protection that conforms to the WS-Security 1.0 standard using an Axis and WSS4J web service and an OWSM 14c client.

The following topics describe how to configure an Axis and WSS4J web service and an OWSM 14c client to implement SAML token with message protection:

8.4.2.1 Configuring Axis and WSS4J Web Service (SAML Token)

You can configure an Axis and WSS4J web service to implement SAML token with message protection for interoperability with an OWSM 14c client.

To configure Axis and WSS4J web service:

  1. Build your web service.

  2. Create the password callback class, PWCallback.java, keystore properties file, crypto.properties file, and saml.properties file as described in Creating Required Files for Interoperability With Axis and WSS4J.

  3. Include the keystore file (for example, default-keystore.jks) and crypto.properties file directly under the classes folder.

    Ensure that you are using keystore with v3 certificates. By default, the JDK 1.5 keytool generates keystores with v1 certificates.

  4. Edit the deployment descriptor, server_deploy.wsdd, as shown in the following sample: 

    <ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" use="literal">
<!-- wss10_username_token_with_message_protection -->
<requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="user" value="wss4j"/>
      <parameter name="action" value="Signature SAMLTokenUnsigned Timestamp Encrypt"/>
      <parameter name="signaturePropFile" value="crypto.properties" />
      <parameter name="decryptionPropFile" value="crypto.properties" />
   </handler>
</requestFlow>
<responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
       <parameter name="passwordCallbackClass" value="PWCallback1"/>
       <parameter name="user" value="orakey"/>
       <parameter name="action" value="Timestamp Signature Encrypt"/>
       <parameter name="encryptionKeyTransportAlgorithm" 
          value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
       <parameter name="signaturePropFile" value="crypto.properties" />
       <parameter name="signatureKeyIdentifier" value="DirectReference" />
       <parameter name="signatureParts" 
value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}
{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
       <parameter name="encryptionKeyIdentifier" value="DirectReference" />
   </handler>
</responseFlow>
</ns1:service>

    In the example, the receiver decrypts, verifies, and validates the SAML token; the sender inserts a SAML token, timestamp, signs the body, SAML token, and timestamp, and encrypts the body. As shown in the example, the encryption key transport is overridden to match the OWSM default requirements.

    Note:

    WSS4J enforces an order to the elements in the header. Ensure action ordering is updated in server_deploy.wsdd as shown in the sample.

  5. Deploy the web service.

8.4.2.2 Configuring OWSM 14c Client for Axis and WSS4J (SAML Token)

You can configure an OWSM 14c client to implement SAML token SSL for interoperability with an Axis and WSS4J web service.

To configure an OWSM 14c client:

  1. Attach the following policy to the web service: oracle/wss10_saml_token_with_message_protection_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. For JSE clients only, configure the web service client properties, as follows:

    Note:

    This step is not required for Java EE clients.

    myPort.setProperty(ClientConstants.WSS_KEYSTORE_TYPE,"JKS");
myPort.setProperty(ClientConstants.WSS_KEYSTORE_LOCATION,
 "/keystore-path/default-keystore.jks");
myPort.setProperty(ClientConstants.WSS_KEYSTORE_PASSWORD, "password");
myPort.setProperty(ClientConstants.WSS_RECIPIENT_KEY_ALIAS,"orakey");
...

    Where setProperty is defined as follows: 

    public void setProperty(String name, String value) {
   ((Stub) _port)._setProperty(name, value);
}

  3. Deploy the web service client.

8.5 Implementing a Username Token over SSL for Axis and WSS4J Client

The Username Token over SSL policy conforms to the WS-Security 1.0 and 1.1 standards. This policy is implemented to achieve the interoperability of an OWSM 14c web service with an Axis and WSS4J client and the interoperability of an Axis and WSS4J web service with an OWSM 14c client.

The following topics describe how to implement username token over SSL in different interoperability scenarios:

8.5.1 Configuring an OWSM 14c Web Service and an Axis and WSS4J Client (Username Token Over SSL)

You can implement username token over SSL using OWSM 14c web service and an Axis and WSS4J client.

The following topics describe how to configure OWSM 14c web service and an Axis and WSS4J client:

8.5.1.1 Configuring OWSM 14c Web Service for Axis and WSS4J (Username Token Over SSL)

You can configure an OWSM 14c web service to implement username token over SSL for interoperability with an Axis and WSS4J client.

To configure OWSM 14c web service:

  1. Configure the server for SSL.

    For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Attach the following policy to the web service: oracle/wss_username_token_over_ssl_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Deploy the web service.

8.5.1.2 Configuring Axis and WSS4J Client (Username Token Over SSL)

You can configure an Axis and WSS4J client to implement username token over SSL for interoperability with an OWSM 14c web service.

To configure an Axis and WSS4J client:

  1. Build your web service client proxy.

  2. Create the password callback class, PWCallback.java, and keystore properties file, crypto.properties, as described in Creating Required Files for Interoperability With Axis and WSS4J.

  3. Edit the deployment descriptor, client_deploy.wsdd, similar the example below. In the example, the receiver validates the username token and timestamp; the sender inserts a timestamp. 

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
 <transport name="http" 
  pivot="java:org.apache.axis.transport.http.HTTPSender"/>
<globalConfiguration >
<!-- wss_username_token -->
<requestFlow >
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
      <parameter name="action" value="UsernameToken Timestamp"/>
      <parameter name="user" value="weblogic"/>
      <parameter name="passwordCallbackClass" 
       value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
      <parameter name="passwordType" value="PasswordText"/>
  </handler>
</requestFlow >
</globalConfiguration >
</deployment>

  4. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");

  5. Deploy the web service client.

8.5.2 Configuring an Axis and WSS4J Web Service and an OWSM 14c Client (Username Token Over SSL)

You can implement username token over SSL using an Axis and WSS4J web service and an OWSM 14c client.

The following topics describe how to configure Axis and WSS4J web service and an OWSM 14c client:

8.5.2.1 Configuring Axis and WSS4J Web Service (Username Token Over SSL)

You can configure an Axis and WSS4J web service to implement username token over SSL for interoperability with an OWSM 14c client.

To configure the Axis and WSS4J web service:

  1. Configure the server for SSL.

  2. Build your web service.

  3. Create the password callback class, PWCallback.java, and crypto.properties file, as described in Creating Required Files for Interoperability With Axis and WSS4J.

  4. Edit the deployment descriptor, server_deploy.wsdd, similar to the example below. In the example, the receiver validates the username token and the timestamp; the sender inserts a timestamp. 

    <ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" 
 use="literal">
<!-- wss_username_token_over_ssl -->
  <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="action" value="Timestamp UsernameToken"/>
    </handler>
  </requestFlow>
  <responseFlow> 
     <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
      <parameter name="action" value="Timestamp"/>
      </handler>
  </responseFlow>
</ns1:service>

  5. Deploy the web service.

8.5.2.2 Configuring OWSM 14c Client for Axis and WSS4J (Username Token Over SSL)

You can configure an OWSM 14c client to implement username token over SSL for interoperability with an Axis and WSS4J web service.

To configure an OWSM 14c client:

  1. Attach the following policy to the web service client: wss_username_token_over_ssl_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. For JSE clients only, configure the web service client properties, as shown below. The username and password must be set by the client for generating the username token.

    Note:

    This step is not required for Java EE clients.

    myPort.setUsername("wss4j");
myPort.setPassword("security"););

  3. Deploy the web service client.

    When running the client, include the following client system property, where default-keystore.jks specifies the keystore that contains the certificate corresponding to the server certificate. 

    -Djavax.net.ssl.trustStore=default-keystore.jks

8.6 Implementing a SAML Token (Sender Vouches) over SSL for Axis and WSS4J Client

The SAML Token (Sender Vouches) over SSL policy conforms to the WS-Security 1.0 and 1.1 standards. This policy is implemented to achieve the interoperability of an OWSM 14c web service with an Axis and WSS4J client and the interoperability of an Axis and WSS4J web service with an OWSM 14c client.

The following topics describe how to implement SAML token (sender vouches) over SSL in different interoperability scenarios:

8.6.1 Configuring an OWSM 14c Web Service and an Axis and WSS4J Client (SAML Token Sender Vouches Over SSL)

You can implement SAML token (sender vouches) over SSL using OWSM 14c web service and an Axis and WSS4J client.

The following instructions describe how to configure an OWSM 14c web service and an Axis and WSS4J client to implement SAML token (sender vouches) over SSL:

8.6.1.1 Configuring OWSM 14c Web Service for Axis and WSS4J Client (SAML Token Sender Vouches Over SSL)

You can configure an OWSM 14c web service to implement SAML token sender vouches over SSL for interoperability with an Axis and WSS4J client.

To configure the OWSM 14c web service:

  1. Configure the server for SSL.

    For more information, see "Configuring Transport-Level Security (SSL)" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Attach the following policy to the web service: wss_saml_token_over_ssl_service_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  3. Deploy the web service.

8.6.1.2 Configuring Axis and WSS4J Client (SAML Token Sender Vouches Over SSL)

You can configure an Axis and WSS4J client to implement SAML token sender vouches over SSL for interoperability with an OWSM 14c web service.

To configure an Axis and WSS4J client:

  1. Build your web service client proxy.

  2. Create the password callback class, PWCallback.java; keystore properties file, crypto.properties; and SAML properties file, saml.properties, as described in Creating Required Files for Interoperability With Axis and WSS4J.

  3. Edit the deployment descriptor, client_deploy.wsdd, similar the example below. In the example, the receiver validates the SAML token and timestamp; the sender inserts a timestamp. 

    <deployment xmlns="http://xml.apache.org/axis/wsdd/"
             xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<transport name="http" 
  pivot="java:org.apache.axis.transport.http.HTTPSender"/>
 <globalConfiguration >
<!-- wss_saml_token -->
<requestFlow >
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
      <parameter name="action" value="SAMLTokenSigned Timestamp"/>
      <parameter name="samlPropFile" value="saml.properties"/>
      <parameter name="user" value="weblogic"/>
      <parameter name="passwordCallbackClass"
 value="com.oracle.xmlns.ConfigOverride_jws.CO_SOA.BPELProcess1.PWCallback"/>
      <parameter name="passwordType" value="PasswordText"/>
      <parameter name="signatureUser" value="orakey" />
      <parameter name="signatureKeyIdentifier" value="DirectReference" />
      <parameter name="signaturePropFile" value="crypto.properties" />
   </handler>
</requestFlow >
</globalConfiguration >
</deployment>

  4. Set the following property within the client code to use the deployment descriptor defined in the previous step.

    System.setProperty("axis.ClientConfigFile", "client_deploy.wsdd");

  5. Deploy the web service client.

8.6.2 Configuring an Axis and WSS4J Web Service and an OWSM 14c Client (SAML Token Sender Vouches over SSL)

You can implement SAML token (sender vouches) over SSL using an Axis and WSS4J web service and an OWSM 14c client.

The following topics describe how to configure an Axis and WSS4J web service and an OWSM 14c client to implement SAML token (sender vouches) over SSL:

8.6.2.1 Configuring Axis and WSS4J Web Service (SAML Token Sender Vouches Over SSL)

You can configure an Axis and WSS4J web service to implement SAML token sender vouches over SSL for interoperability with an OWSM 14c client.

To configure the Axis and WSS4J web service:

  1. Configure the server for SSL.

  2. Build your web service.

  3. Create the password callback class, PWCallback.java, and crypto.properties file, as described in Creating Required Files for Interoperability With Axis and WSS4J.

  4. Edit the deployment descriptor, server_deploy.wsdd, similar to the example below.

    In the example, the receiver validates the SAML token and the timestamp; the sender inserts a timestamp. 

    <ns1:service name="HelloWorld" provider="java:RPC" style="wrapped" 
 use="literal">
<!-- wss_saml_token_over_ssl -->
<requestFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback1"/>
      <parameter name="action" value="Timestamp SAMLTokenUnsigned"/>
   </handler>
</requestFlow>
<responseFlow>
   <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
      <parameter name="action" value="Timestamp"/>
   </handler>
</responseFlow>
</ns1:service>

  5. Deploy the web service.

8.6.2.2 Configuring OWSM 14c Client for Axis and WSS4J (SAML Token Sender Vouches Over SSL)

You can configure an OWSM 14c client to implement SAML token sender vouches over SSL for interoperability with an Axis and WSS4J web service.

To configure the OWSM 14c client:

  1. Attach the following policy to the web service client: wss_saml_token_over_ssl_client_policy.

    For more information, see "Attaching Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. For JSE clients, configure the web service client properties, as shown below. The username must be set by the client for generating the SAML assertion.

    myPort.setUsername("wss4j");

    Note:

    This step is not required for Java EE clients.

  3. Deploy the web service client.

    When running the client, include the following client system property, where default-keystore.jks specifies the keystore that contains the certificate corresponding to the server certificate. 

    -Djavax.net.ssl.trustStore=default-keystore.jks