My Oracle Support Banner

Disabling the Encryption In X509 Message Security Implementation Is Not Working, It Is Still Encrypted (Doc ID 2100816.1)

Last updated on FEBRUARY 10, 2017

Applies to:

Oracle Web Services Manager - Version and later
Information in this document applies to any platform.


In SOA 12.1.3, the client requirement is to use WSS11 with Message Body Digital signature only. This works fine in WSS10 when the option of encryption is not selected in WSS10.
But in oracle/wss11_x509_token_with_message_protection_client_policy policy, it is adding the element encryption even though the encryption was not chosen.
It seems that wss11 policy is symmetric by nature where as client wants to send it in asymmetric nature. How to make this asymmetric for 1.1 WS security?

It was observed that "oracle/wss10_x509_token_with_message_protection_client_policy" is going as asymmetric by nature, but the requirement for the client is not using WS secuirty 1.0.
This behavior in wss11 causes the following error since it is adding the element encryption to the header



oracle/wss10_x509_token_with_message_protection_client_policy //provides expected behavior.

SOA 12.1.3
OS: Linux x86-64

  1. Setup x509 certificate.
  2. Clone policy "oracle/wss11_x509_token_with_message_protection_client_policy" and enable logging.
  3. Change the configuration to use the x509 certificate alias to sign.
  4. Configure your helloworld1 calling helloworld2 to use the cloned policy on helloworld2 service reference/PartnerLink.
  5. Test you simple helloworld1 calling helloworld2.
  6. Verify the server OWSM diagnostic log to see the request with policy applied when you invoke helloworld2 from helloworld1.

You should be able to see in the log that the encryption element is present in SOAP header to the request payload helloworld2
With the default policy testcase which was ran, client confirmed that it contains the Encrypted value:

Update from Client for "oracle/wss11_x509_token_with_message_protection_client_policy" default policy request.
The last request, at 10:58, regressed further with going back to adding in a symmetric encrypted key.

This confirms that out of the box policy also reproduces the issue.
The issue is not specific to customized policy.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.