
Disabling the Encryption In X509 Message Security Implementation Is Not Working, It Is Still Encrypted (Doc ID 2100816.1)

Last updated on JANUARY 03, 2024

Applies to:

Oracle Web Services Manager - Version 12.1.3.0.0 and later
Information in this document applies to any platform.

Symptoms

In SOA 12.1.3, the client requirement is to use WSS11 with a digital signature on the message body only. This works in WSS10 when the encryption option is not selected.
However, the oracle/wss11_x509_token_with_message_protection_client_policy policy adds the encryption element even though encryption was not chosen.
It seems that the wss11 policy is symmetric by nature, whereas the client wants to send the message asymmetrically. How can this be made asymmetric for WS-Security 1.1?

It was observed that "oracle/wss10_x509_token_with_message_protection_client_policy" is asymmetric by nature, but the client's requirement rules out WS-Security 1.0.
This behavior in wss11 causes the following error, since it adds the encryption element to the header:

ERROR


STEPS
------
  1. Setup x509 certificate.
  2. Clone policy "oracle/wss11_x509_token_with_message_protection_client_policy" and enable logging.
  3. Change the configuration to use the x509 certificate alias to sign.
  4. Configure your <SERVICE1> calling <SERVICE2> to use the cloned policy on <SERVICE2> service reference/PartnerLink.
  5. Test your simple <SERVICE1> calling <SERVICE2>.
  6. Verify the server OWSM diagnostic log to see the request with policy applied when you invoke <SERVICE2> from <SERVICE1>.

You should be able to see in the log that the encryption element is present in the SOAP header of the request payload sent to <SERVICE2>.
When the default policy was run, it was confirmed that the request contains the Encrypted value:

Update from Client for "oracle/wss11_x509_token_with_message_protection_client_policy" default policy request.
-------------------------------------------------------------------------------------
The last request, at <TIME>, regressed further with going back to adding in a symmetric encrypted key.
<encryption-key>

This confirms that the out-of-the-box policy also reproduces the issue.
The issue is not specific to the customized policy.
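
A check for step 6, added here as an example (not Oracle's code and not part of the original document): it parses a request copied out of the diagnostic log and reports separately whether the wsse:Security header carries a ds:Signature that covers the Body, whether it carries an xenc:EncryptedKey, and whether the Body itself is encrypted. It assumes SOAP 1.1 envelopes; the function names and both sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs for SOAP 1.1, WS-Security, XML Signature, XML Encryption.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def inspect_security(envelope_xml):
    """Report which protection elements a logged SOAP request carries."""
    root = ET.fromstring(envelope_xml)  # input: a message taken from your own log
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    report = dict.fromkeys(
        ("signature", "body_signed", "encrypted_key", "body_encrypted"), False)
    if sec is None or body is None:
        return report
    # Fragment URIs (#id) referenced by the signature's SignedInfo.
    refs = sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI", "")[1:] for r in refs
                  if r.get("URI", "").startswith("#")}
    report["signature"] = sec.find("ds:Signature", NS) is not None
    report["body_signed"] = body.get(WSU_ID) in signed_ids
    report["encrypted_key"] = sec.find("xenc:EncryptedKey", NS) is not None
    report["body_encrypted"] = body.find("xenc:EncryptedData", NS) is not None
    return report

def is_sign_only(report):
    """True when the Body is signed and no encryption element is present."""
    return (report["signature"] and report["body_signed"]
            and not (report["encrypted_key"] or report["body_encrypted"]))

def sample(header_extra):
    """Constructed envelope (not OWSM output): signed Body plus one header child."""
    decl = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return ('<soap:Envelope %s><soap:Header><wsse:Security>%s<ds:Signature>'
            '<ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>'
            '</ds:Signature></wsse:Security></soap:Header>'
            '<soap:Body wsu:Id="body"><ping/></soap:Body></soap:Envelope>'
            % (decl, header_extra))

WITH_KEY = sample('<xenc:EncryptedKey Id="EK"/>')   # header key, plaintext Body
SIGN_ONLY = sample('<wsse:BinarySecurityToken/>')   # no encryption element

if __name__ == "__main__":
    for name, msg in (("with EncryptedKey", WITH_KEY), ("sign only", SIGN_ONLY)):
        print(name, inspect_security(msg), is_sign_only(inspect_security(msg)))
```

Reporting the header EncryptedKey separately from an encrypted Body shows whether the logged request only carries a wrapped key or whether the payload itself was encrypted.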

Changes

 

Cause
