Policy sets are assertions about how services are defined. They
are used to simplify your quality of service configuration for Web services.
Note: You can only use policy sets with Java API for XML-Based Web Services
(JAX-WS) applications. You cannot use policy sets with Java API for XML-based
RPC (JAX-RPC) applications.
Policy sets combine configuration settings, including those for transport
and message level configuration, such as WS-Addressing, WS-ReliableMessaging,
and WS-Security.
Policies are defined based on a quality of service. Policy definition is
typically based on WS-Policy standard language, for example, the WS-Security
policy is based on the current WS-SecurityPolicy from the Organization for
the Advancement of Structured Information Standards (OASIS) standards.
An instance of a policy set consists of a collection of policies. For example,
the RAMP default policy set consists of instances of the WS-Security, WS-Addressing,
and WS-ReliableMessaging policy types. A policy set is identified by a name
that is unique across the cell. An empty policy set is a policy set with
no policy instance defined. You can perform the following actions on policy
sets:
- create
- edit
- delete
- attach to service resources like applications
- detach from service resources like applications
- export
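The following is an added example, not WebSphere code and not the format in which the product stores policy sets. It treats a policy set the way the paragraph above describes it, as a collection of policy type instances, by reading a WS-Policy document (the standard language the page says policy definitions are based on) and reporting which of the WS-Addressing, WS-ReliableMessaging and WS-Security policy types it contains and which message parts the security policy signs and encrypts. The two input documents are constructed for the example: one modelled on the description of the RAMP default set, and one empty policy set with no policy instance defined. The namespaces are the standard OASIS and W3C ones; the function and constant names are the example's own.

```python
# Added example (not WebSphere's own code or its policy-set storage format):
# summarise which policy types a WS-Policy document enables and which
# message parts WS-Security protects. Inputs are constructed WS-Policy /
# WS-SecurityPolicy fragments using the standard OASIS and W3C namespaces.
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsrmp": "http://docs.oasis-open.org/ws-rx/wsrmp/200702",
    "wsam": "http://www.w3.org/2007/05/addressing/metadata",
}
WSA_HEADERS = "http://www.w3.org/2005/08/addressing"           # WS-Addressing headers
WSRM_HEADERS = "http://docs.oasis-open.org/ws-rx/wsrm/200702"  # WS-ReliableMessaging headers

# Constructed policy modelled on the description of the "RAMP default" set:
# WS-Addressing and WS-ReliableMessaging enabled, WS-Security signing the
# body, timestamp, WS-Addressing and WS-RM headers, and encrypting the body.
RAMP_LIKE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsrmp="http://docs.oasis-open.org/ws-rx/wsrmp/200702"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsam:Addressing/>
      <wsrmp:RMAssertion/>
      <sp:SymmetricBinding>
        <wsp:Policy><sp:IncludeTimestamp/></wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed empty policy set: no policy instance defined.
EMPTY_POLICY = '<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"/>'


def _covered_parts(root, element):
    """Return (body_covered, header_namespaces) for sp:SignedParts or sp:EncryptedParts."""
    parts = root.find(".//sp:%s" % element, NS)
    if parts is None:
        return False, set()
    body = parts.find("sp:Body", NS) is not None
    headers = {h.get("Namespace") for h in parts.findall("sp:Header", NS)}
    return body, headers


def summarize_policy(xml_text):
    """Map a WS-Policy document onto the policy types a policy set may contain."""
    root = ET.fromstring(xml_text)
    tags = {el.tag for el in root.iter()}
    # Anything outside the wsp namespace is a policy assertion; none means an empty set.
    assertions = [t for t in tags if not t.startswith("{%s}" % NS["wsp"])]
    types = set()
    if "{%s}Addressing" % NS["wsam"] in tags:
        types.add("WSAddressing")
    if "{%s}RMAssertion" % NS["wsrmp"] in tags:
        types.add("WSReliableMessaging")
    if any(t.startswith("{%s}" % NS["sp"]) for t in tags):
        types.add("WSSecurity")
    body_signed, signed_headers = _covered_parts(root, "SignedParts")
    body_encrypted, _ = _covered_parts(root, "EncryptedParts")
    return {
        "empty": not assertions,
        "policy_types": types,
        "body_signed": body_signed,
        "signed_headers": signed_headers,
        "body_encrypted": body_encrypted,
        "timestamp_included": root.find(".//sp:IncludeTimestamp", NS) is not None,
    }


def review_protections(summary):
    """List protections that the page's secure default sets apply but this policy lacks."""
    if summary["empty"]:
        return ["empty policy set: no policy instance defined, so no protection is applied"]
    if "WSSecurity" not in summary["policy_types"]:
        return ["no WS-Security policy: messages are neither signed nor encrypted"]
    findings = []
    if not summary["body_signed"]:
        findings.append("body is not signed")
    if not summary["timestamp_included"]:
        findings.append("no timestamp is included in the signed message")
    if not summary["body_encrypted"]:
        findings.append("body is not encrypted")
    # Headers added by an enabled policy type should be covered by the signature too.
    for ptype, ns in (("WSAddressing", WSA_HEADERS), ("WSReliableMessaging", WSRM_HEADERS)):
        if ptype in summary["policy_types"] and ns not in summary["signed_headers"]:
            findings.append("%s headers are not signed" % ptype)
    return findings


if __name__ == "__main__":
    for name, doc in (("RAMP-like", RAMP_LIKE_POLICY), ("empty", EMPTY_POLICY)):
        s = summarize_policy(doc)
        print(name, sorted(s["policy_types"]), review_protections(s) or "no findings")
```

Run as a script, the RAMP-like document reports all three policy types and no findings, while the empty policy set reports a single finding that nothing is protected. The same summary can be fed to review_protections for a policy that only signs, which then flags the missing encryption and any unsigned headers.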
Note which functions you can configure using policy sets and how the security
information you configure relates to them. A set of default policy sets is
included that you can copy and rename for reuse. You can then alter and
customize the configuration on the copy; the default policy sets themselves
are read only and cannot be changed. Also note that you can only copy and
customize policy sets using the administrative console or administrative
commands. Policy sets do not function correctly if they are copied manually.
On the application server, policy sets are stored at the cell level. Policy
sets are centrally located so that they are available to all applications
on the server.
The following default policy sets are provided:
- RAMP default
  - This policy set provides:
    - Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
    - Message integrity through digital signature that includes signing the
      body, time stamp, WS-Addressing headers and WS-ReliableMessaging headers using
      the WS-SecureConversation and WS-Security specifications
    - Confidentiality through encryption that includes encrypting the body and
      signature elements, using the WS-SecureConversation and WS-Security specifications
- LTPA RAMP default
  - This policy set provides:
    - Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
    - Message integrity through digital signature that includes signing the
      body, time stamp, WS-Addressing headers and WS-ReliableMessaging headers using
      the WS-SecureConversation and WS-Security specifications
    - Confidentiality through encryption that includes encrypting the body and
      signature elements, using the WS-SecureConversation and WS-Security specifications
    - A Lightweight Third Party Authentication (LTPA) token included in the
      request message to authenticate the client to the service
- Username RAMP default
  - This policy set provides:
    - Reliable message delivery to the intended receiver by enabling WS-ReliableMessaging
    - Message integrity through digital signature that includes signing the
      body, time stamp, WS-Addressing headers and WS-ReliableMessaging headers using
      the WS-SecureConversation and WS-Security specifications
    - Confidentiality through encryption that includes encrypting the body and
      signature elements, using the WS-SecureConversation and WS-Security specifications
    - A username token included in the request message to authenticate the client
      to the service. The username token is encrypted in the request
- SecureConversation
  - This policy set provides:
    - Message integrity through digital signature that includes signing the
      body, time stamp, and WS-Addressing headers using the WS-SecureConversation and
      WS-Security specifications
    - Message confidentiality through encryption that includes encrypting the
      body, signature and signature confirmation elements, using the WS-SecureConversation
      and WS-Security specifications
- LTPA SecureConversation
  - This policy set provides:
    - Message integrity through digital signature that includes signing the
      body, time stamp, and WS-Addressing headers using the WS-SecureConversation and
      WS-Security specifications
    - Message confidentiality through encryption that includes encrypting the
      body, signature and signature confirmation elements, using the WS-SecureConversation
      and WS-Security specifications
    - A Lightweight Third Party Authentication (LTPA) token included in the
      request message to authenticate the client to the service
- Username SecureConversation
  - This policy set provides:
    - Message integrity through digital signature that includes signing the
      body, time stamp, and WS-Addressing headers using the WS-SecureConversation and
      WS-Security specifications
    - Message confidentiality through encryption that includes encrypting the
      body, signature and signature confirmation elements, using the WS-SecureConversation
      and WS-Security specifications
    - A username token included in the request message to authenticate the client
      to the service. The username token is encrypted in the request
- WSAddressing default
  - Enables WS-Addressing support, which uses endpoint references and message
    addressing properties to facilitate the addressing of Web services in a standard
    and interoperable way.
- WSHTTPS default
  - Provides SSL transport security for the HTTP protocol with Web services
    applications.
- WSReliableMessaging default
  - This policy set enables both WS-ReliableMessaging and WS-Addressing and uses
    the minimum quality of service, unmanaged non-persistent. This quality of
    service requires minimal configuration. However, it is non-transactional and,
    although it allows for the resending of messages that are lost in the network,
    failure of a server results in lost messages. This quality of service is for
    a single server only and does not function in a cluster.
- WSReliableMessaging persistent
  - This policy set enables both WS-ReliableMessaging and WS-Addressing and uses
    the maximum quality of service, managed persistent. This quality of service
    supports asynchronous Web service invocations and uses a service integration
    messaging engine and message store to manage the sequence state. Messages are
    processed within transactions, are persisted at the Web service requester
    server and at the Web service provider server, and are recoverable in the
    event of server failure.
  - Because this policy set specifies managed persistent quality of service, you
    need to define bindings to the service integration bus and messaging engine
    that you want to use to manage the WS-ReliableMessaging state. For more
    information, see Attaching and binding a WS-ReliableMessaging policy set to a
    Web service application using the administrative console or using the wsadmin
    tool.
- WSReliableMessaging 1_0
  - This policy set enables both WS-ReliableMessaging Version 1.0 and WS-Addressing
    and uses the minimum quality of service, unmanaged non-persistent. This quality
    of service requires minimal configuration. However, it is non-transactional and,
    although it allows for the resending of messages that are lost in the network,
    failure of a server results in lost messages. This quality of service is for
    a single server only and does not function in a cluster.
  - You can use this policy set with .NET-based Web services.
- WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography)
      to sign the body, time stamp, and WS-Addressing headers using WS-Security
      specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography)
      to encrypt the body, signature and signature elements using WS-Security specifications.
- LTPA WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography)
      to sign the body, time stamp, and WS-Addressing headers using WS-Security
      specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography)
      to encrypt the body, signature and signature elements using WS-Security specifications.
    - A Lightweight Third Party Authentication (LTPA) token included in the
      request message to authenticate the client to the service.
- Username WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography)
      to sign the body, time stamp, and WS-Addressing headers using WS-Security
      specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography)
      to encrypt the body, signature and signature elements using WS-Security specifications.
    - A username token included in the request message to authenticate the client
      to the service. The username token is encrypted in the request.
- WSTransaction
  - Enables WS-Transaction, which provides the ability to coordinate distributed
    transactional work atomically and interoperably using the WS-AtomicTransaction
    specification.
- SSL WSTransaction
  - Enables WS-Transaction, which provides the ability to coordinate distributed
    transactional work atomically, interoperably and securely using the WS-AtomicTransaction
    specification and SSL transport security.
Policy sets do not include environment- or platform-specific information,
such as keys for signing, keystore information, or persistent store information.
This type of information is defined in the binding. A policy set attachment
defines how a policy set is attached to service resources and bindings. The
attachment definition is outside the policy set definition and is defined
as metadata associated with application data.
Bindings are made up of environment- and platform-specific information.
Bindings are typically specific to the application or the platform and are
not typically shared. There is one default binding that all policy sets
can use; custom bindings, however, are defined within the application.
Bindings are needed to enable policy sets to work with applications. Use
the administrative console to configure custom bindings. For more information
about working with attachments and bindings, read about defining binding
information for policy sets.