2 Replies. Latest reply: Nov 15, 2012 7:35 AM by 973508

    WS-Security Timestamp without signed


      I am trying to call an external web service which is secured with WS-Security. It requires a timestamp and signing just the request's body, but not the timestamp. I created a proxy service and a business service in OSB. I applied the default policy, but the client doesn't sign the timestamp and the proxy service throws an error about "timestamp not signed". If I delete the timestamp from the policy the call works OK, but the client cannot interpret the response because there is no timestamp in the response.

      Is there any way to apply a security policy to a web service that requires signing and a timestamp, but signs just the body and not the timestamp? I used the default OWSM "oracle/wss10_message_protection_service_policy", unchecking the crypto part and including the timestamp, but it always signs the timestamp. I know the timestamp should be signed, but the context requires it not to be signed.

      If it is not possible, is there a way of doing it by hand? That is, calling a Java function for signing and then adding it to the response.


      Edited by: user13492520 on 09-nov-2012 8:37
        • 1. Re: WS-Security Timestamp without signed
          Patrick Taylor
          It should be possible to use custom policies with OWSM. You'll need to create a new policy that defines only those elements that you want to sign and apply this policy on the service.

          Did you have a look at this post - https://blogs.oracle.com/owsm/entry/custom_policies_custom_assertions_11g


          It is considered good etiquette to reward answerers with points (as "helpful" - 5 pts - or "correct" - 10pts).
          • 2. Re: WS-Security Timestamp without signed
            Hello Patrick:

            Thanks for your reply.

            As you say, it is possible to use custom policies with OWSM, and that is what I did, but with no results at all. I created a new policy from "oracle/wss10_message_protection_service_policy" and unchecked the encryption part, for both request and response. Then I deleted all header elements from the sign part and checked the "sign all body" option. I left the timestamp checked, and there is no way to say whether I want to sign the timestamp or not. Then I checked the policy's XML and I saw that the only message part to be signed is the body, but when I use the console to test the service, the timestamp is always signed in the response.
            So, my question is: does OSB always sign the timestamp, or is there a way to say that a signed timestamp is not necessary?

            Thanks a lot
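
The last post compares the policy XML with what the test console returns. As an added example (not code from the thread or from Oracle), the script below lists which elements the `ds:Reference` entries of a captured SOAP message actually point at, so signature coverage of the Body and the Timestamp can be checked directly. The envelope, the Ids `TS-1` and `Body-1`, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def signed_parts(soap_xml):
    """Map each same-document ds:Reference URI to the element it points at.
    Reports coverage only; it does not verify digests or the signature."""
    root = ET.fromstring(soap_xml)
    by_id = {}
    for el in root.iter():
        ident = el.get(f"{{{WSU}}}Id") or el.get("Id")
        if ident:
            by_id.setdefault(ident, []).append(el.tag.rsplit("}", 1)[-1])
    covered = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            names = by_id.get(uri[1:], ["<unresolved>"])
            # A duplicated Id makes the reference ambiguous; flag it.
            covered[uri] = names[0] if len(names) == 1 else "<ambiguous>"
    return covered

def coverage(soap_xml):
    """Say whether the Body and the Timestamp are referenced by the signature."""
    names = set(signed_parts(soap_xml).values())
    return {"Body": "Body" in names, "Timestamp": "Timestamp" in names}

def sample(refs):
    """Constructed envelope; digest and signature values are omitted."""
    ref_xml = "".join(f'<ds:Reference URI="#{r}"/>' for r in refs)
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"
        xmlns:wsu="{WSU}" xmlns:ds="{DS}">
      <soap:Header><wsse:Security>
        <wsu:Timestamp wsu:Id="TS-1">
          <wsu:Created>2012-11-09T08:37:00Z</wsu:Created>
        </wsu:Timestamp>
        <ds:Signature><ds:SignedInfo>{ref_xml}</ds:SignedInfo></ds:Signature>
      </wsse:Security></soap:Header>
      <soap:Body wsu:Id="Body-1"><ping/></soap:Body>
    </soap:Envelope>"""

if __name__ == "__main__":
    for refs in (["Body-1"], ["Body-1", "TS-1"]):
        print(refs, coverage(sample(refs)))
```

Running it over the request the external service accepts and over the response OSB produces shows whether the two sides differ in the Timestamp reference.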