OWSM: Oracle Web Services Manager, 它是提供了一个Policy framework,用来管理web services security以及 policy,从而在组织内部使用一致的安全策略。


OWSM can be used by both developers, at design time, and system administrators in production environments

OWSM框架既可以管理Oracle Infranstucture Web Services也可以管理部署在weblogic上的Java EE web services (JAX-WS(SOAP) & JAX-RS (REST)).


本文主要整理下在weblogic server中使用OWSM的方法。主要参考文档https://docs.oracle.com/middleware/1221/owsm/security/install-owsm-wls.htm#OWSMS3982

1)Installing Oracle Web Services Manager with WebLogic Server
2)Configuring OWSM with a Domain-Wide Administration Port
3)Using Cross-Component Wiring for Auto-Discovery of Policy Manager
4)Verifying Service Table Entries and Agent Bindings
5)Modifying the Default User



OWSM can be installed on Weblogic Server. 当你安装Oracle Fusion Middleware Infrasturcure时,OWSM默认已经安装了。不过,如果在standalone Weblogic Server环境上,也可以安装OWSM来给你的web services提供安全管理。

OWSM is licensed only through SOA Suite; a standalone license is not available. For information about licensing, see Oracle Fusion Middleware Licensing Information.


  • Java Required Files (JRF) :包含一些components,为Oracle Business Applications和application frameworks提供一些common function.
  • Oracle Enterprise Manager Fusion Middleware Control: 用来secure and administer Java EE(Weblogic) web Services.

安装过程可以参考文档 https://docs.oracle.com/middleware/1221/core/INFIN/toc.htm


二)在全域管理端口配置OWSM(Configuring OWSM with a Domain-Wide Administration Port)

When your domain is configured to use an administration port, all tasks performed by administrators must go through this port. By default, the OWSM Policy Manager is targeted to a Managed Server. To use the Policy Manager with an administration port, you must target the Policy Manager to the Managed Server and the Administration Server.

OWSM的Policy Manager默认是面向一个Managed Server, 但要在一个administration端口使用Policy Manager, 就需要配置使其面向Managed Server和Administration Server.

关于什么是Domain-Wide Administration Port, 可以参考https://docs.oracle.com/middleware/1221/wls/WLACH/taskhelp/domainconfig/EnableTheDomainwideAdministrationPort.html#WLACH01108


(三)Using Cross-Component Wiring for Auto-Discovery of Policy Manager

什么是Cross-component wiring?

Cross-component wiring provides a simplified method for wiring Fusion Middleware components. It automates the wiring process, and provides the ability to diagnose wirings after they are established.

Wiring is simply a piece of configuration in one component that points to another component, such as a URL that points to the admin interface of a component. With cross-component wiring:

1)Service providers publish their endpoints to a Service Table. These endpoints can be published automatically, such as when you create or extend a domain using the Configuration Wizard, or can be published manually by the administrator.

2)Clients contain configuration that points to the service (for example, it has the service URL). The client is "bound" to the service by updating this configuration with the service information that was published to the Service Table. Binding is performed automatically when creating or extending a domain using the Configuration Wizard, or can be done manually by the administrator.

OWSM 使用 cross-component wiring 来自动发现Domain中的Policy Manager (auto-discover the Policy Manager in the domain.)


(四)Verify Service Table Entries and Agent Bindings using Fusion Middleware Control (EM)

Table Entries:

WebLogic Domain menu-> Cross Component Wiring -> Service Tables. -> Service ID urn:oracle:fmw.owsm-pm:t3 查看它的connection URL

Components page:

WebLogic Domain menu-> Cross Component Wiring -> Components-> OWSM Policy Manager -> URL urn:oracle:fmw.owsm-pm:t3 and status is Pubished

OWSM Agent:

WebLogic Domain menu-> Cross Component Wiring -> OWSM Agent-> Client ID owsm-pm-connection-t3 -> 指向正确的Policy Manger URL 并且 Status: wired


(五)Modify the Default User

The OWSM Agent run time uses the OracleSystemUser account and OracleSystemGroup, by default, to communicate to the server.

To modify the default user, perform the steps described in the following sections:

1.Configuring an Authentication Provider
2.Configuring the Credential Store Provider
3.Configuring the Policy Manager CSF Key for the Domain
4.Modifying the User's Group or Role
5.Ensuring the User Has the Required Role

1. 配置Authentication Provider

Configure an authentication provider, in WebLogic Server Administration Console.

1)Select the name of the realm you are configuring (for example, myrealm).
In the Create a New Authentication Provider page, enter the name for Authentication Provider (for example, OID) and select the type Oracle Internet Directory Authenticator.

In the Settings section, set Control Flag to OPTIONAL.

In the Provider Specific tab, enter the following:

Host: the LDAP provider URL
Port: port number
Principal: administrator user details (the new default user)
For example, CN=orcladmin,CN=Users,DC=us,DC=oracle,DC=com
Credential: password for LDAP
Confirm Credential: password for LDAP
User Base DN
For example, CN=Users,DC=us,DC=oracle,DC=com
Group Base DN
For example, CN=Groups,DC=us,DC=oracle,DC=com

2. Restart WebLogic Server.Configuring the Credential Store Provider

2. 配置Credential Store Provider

Configure the credential store provider as described in "Adding Keys and User Credentials to Configure the Credential Store" with the following parameters:

1)If a map does not already exist, select Create Map and enter the map name oracle.wsm.security.
2)In the Credential Store Provider table, select oracle.wsm.security.
3)In the Create Key dialog, enter the appropriate key; for example, OID. Enter the user name and password of the new default user (for example, orcladmin and password).

3.为Domain配置Policy Manager CSF Key 

To configure the Policy Manager CSF key for the domain, perform the following steps:

1.Log into Fusion Middleware Control with the new default user account.
2.From the navigation pane, expand WebLogic Domain and select the domain to be configured.
3.From the WebLogic Domain menu, select Web Services, then WSM Domain Configuration.
4.Select the Policy Accessor tab.
5.Configure the Policy Manager CSF key as described in Step 3 in "Configuring the Policy Manager Connection Using Fusion Middleware Control".

The CSF key that you specify in this step must match the CSF key specified for the Policy Manager administrative user in the credential store. For more information, see "Configuring the Credential Store Provider".

Using the example provided in that section, select the OID key from the PM Csf Key drop-down menu, and enter oracladmin and password as the credential/password combination.

6.Click Apply and restart WebLogic Server.


The OWSM Agent runtime uses the OracleSystemUser identity to access wsm-pm. If you define a new default user, it must be included in either the Administrator or OracleSystemGroup group (if the groups exist), or be mapped to the default OWSM logical roles defined in following Table (if the groups do not exist).

默认的OWSM Logical Role 表如下:

Role	Default User	Permissions
Role Name: policy.Updater 默认用户:Administrators 拥有的权限:Create, edit, delete, and update policies.
Role Name: policy.User    默认用户:All authenticated users 拥有的权限:Read-only permission (for example, query/view document information).
Role Name: policy.Accessor 默认用户:Administrators 和 OracleSystemGroup 拥有的权限:Used by the OWSM Policy Manager to secure EJBs that are accessed by the OWSM Agent runtime to attach policies.

5. 确保用户有所需的Role

To ensure the user has the required role, perform one of the following steps:

1)If the Administrator or OracleSystemGroup groups exist in the LDAP or identity store, perform the following steps:

In LDAP, add the user that you would like to use as a default administrative user.

In WebLogic Server Administration Console, ensure that the user exists in the Administrator group. For more information, see "Manage Users and Groups" in Oracle WebLogic Server Administration Console Online Help.

2)If the Administrator or OracleSystemGroup groups do not exist in the LDAP or identity store, you can manage application roles using one of the following OPSS scripts:

grantAppRole—Adds a principal (class and name) to a role with a given application stripe and name.
revokeAppRole—Removes a principal (class and name) to a role with a given application stripe and name.
listAppRoleMembers—Lists all members in a role with a given application stripe and role name.

For more information about these and other OPSS scripts, see "Managing the Policy Store" in Securing Applications with Oracle Platform Security Services.
The following examples illustrate how to use the OPSS scripts. Before issuing the OPSS scripts, you must start WLST and connect to the running instance of WebLogic Server, as described in "Accessing the Web Services Custom WLST Commands" in Administering Web Services.

The following command adds the policy.Accessor role to a principal named PAPUser:
grantAppRole(appStripe="wsm-pm", appRoleName="policy.Accessor",principalClass="weblogic.security.principal.WLSUserImpl", principalName="PAPUser")

The following command removes the policy.Accessor role from OracleSystemGroup:
revokeAppRole(appStripe="wsm-pm", appRoleName="policy.Accessor",principalClass="weblogic.security.principal.WLSGroupImpl", principalName="OracleSystemGroup")

The following command lists the members associated with the policy.Accessor role:

listAppRoleMembers(appStripe="wsm-pm", appRoleName="policy.Accessor")