How To Have OWSM In OSB Not Adding The Security Token Or Signature In The Response? (Doc ID 1601447.1)

Last updated on MARCH 18, 2016

Applies to:

Oracle Web Services Manager - Version 11.1.1.6.0 to 11.1.1.7.0 [Release 11gR1]
Information in this document applies to any platform.

Symptoms

A custom wss10_x509_token_with_message_integrity_service_policy OWSM policy was attached in OSB service.
This was applied to proxy service to authenticate web service consumers with x509 and wss10_message_integrity_client_policy to sign the outbound request with x509 to web service providers.

The modification to both policies are the removal of "message encrypt" (uncheck) in the Request tab and the removal of both "Message Signing" and "Message Encrypt" in response tab.

The transaction log shows that the web service provider returned valid response in clear text without "wsse:Security". However, the problem occurs when "Inbound response was sent" to the web service consumer, a wsse:security with mustUnderstand="1" was added. The web service consumer application doesn't understand the security token.

How to instruct OWSM in OSB not to add the security token or at least not set the mustUnderstand to true?
Even though the "Include Entire Body" for both Message Signing Setting and Message Encrypt Setting is unchecked under the response tab for the wss10_x509_token_with_message_integrity_service_policy, still the response that was sent included the signature.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms