OWSM Security Policy- Configure Password Digest

A familiar constraint we encounter when using Oracle Service Bus (OSB) Business Services is that they are required to be configured with the Username Token policy, where the password should not be text-based; rather, it should be in binary format with Nonce and Creation Time. The password should also use the same Password Digest – SHA Base-64 encoded format – for enhanced security implementation.

This type of security policy is not provided out of the box by Oracle Web Services Manager (OWSM).

This post will explain how to create the correct policy in a few quick steps.

To overcome the above security configuration issue, you will need to:

1. Configure the WebLogic Server Security Realm providers to use Active types as the Password Digest.
2. Configure a custom OWSM Security Policy to accept the password type as Password Digest.

Below are the detailed steps for the two high-level processes outlined above.

1. Configure the WebLogic Server Security Realm providers to use Active types as Password Digest.
   1. Log in to WebLogic Console, and go to Summary of Security Realms >myrealm > Providers.  
   2. Create a new Provider (e.g. Custom GESB Provider) and select Type: DefaultAuthenticator.

                 c. Open the newly created provider, go to Configuration > Provider Specific tab, select the Enable Password Digest checkbox, and save changes.

d. Go to DefaultIdentityAsserter and Select wsse:PasswordDigest in Active Types.

                      e. Restart the WebLogic Server.

1. Configure out-of-the-box WSM Security Policy for Password Digest.
   1. Log in to EM Console and go to WebLogic Domain > Web Services > WSM Policies
   2. Click on “oracle/wss_username_token_client_policy”, then click Create Like button

                    c. In the General tab, provide the name of the policy, leaving the other settings as is.

                     d. In the Assertions tab, select Digest as the Password Type, then select the Nonce Required and Creation Time Required check boxes, and click Save.

1. The Policy you configured should be ready now.

1. Restart the server.

The newly created OWSM policy can now be attached to your chosen process to provide CSF Key credentials. The policy will automatically create binary passwords and other required parameters.