OWSM 12c–Using Username Message Protection Policy

In this post, I will demonstrate required steps at both server and client side for the OWSM  policy oracle/wss10_username_with_message_protection_ server_policy. I will use SOAP UI to demonstrate the client side setup.

Server Side

Attach OWSM policy to service, here I will be using OSB Proxy Service for demo.


This OWSM policy requires private keys to be generated at both server and client side. So create clientkeystore.jks for SOAP UI and osbkeystore.jks for server using commands below.

keytool -genkeypair -keyalg RSA -alias localclient -keystore clientkeystore.jks -storepass cljks123 -validity 360 -keysize 2048

keytool -genkeypair -keyalg RSA -alias localosb -keystore osbkeystore.jks -storepass osbjks123 -validity 360 -keysize 2048

Export the public certificate from each keystore using following commands.

keytool -exportcert -alias localclient -keystore clientkeystore.jks -file localclient.cer

keytool -exportcert -alias localosb –keystore osbkeystore.jks -file localosb.cer

Import the certificate into each other using following commands.

keytool -importcert -alias localclient -keystore osbkeystore.jks -file localclient.cer

keytool -importcert -alias localosb –keystore clientkeystore.jks -file localosb.cer

Now add these keys in map using the following steps.



Create key keystore-csf-key as below.


Also create other 2 keys enc-csf-key and sign-csf-key similar to above using the same alias  localosb.


Now navigate to the WSM Domain Configuration as shown below to set the keystore and keys to be used by OWSM runtime.



Client Side

The SOAP UI documentation has detailed information related to ws-security setup here so I will keep my description brief and readers are recommended to go through the given link.

Double click on SOAP UI project where we can specify ws-security setup.



Add clientkeystore.jks in Keystores tab and give the key store password as shown below. Status should be shown as OK implies that it’s a valid keystore.


Incoming WS-Security configuration:

Since clientkeystore.jks has required keys for both encryption and digital signature, we have to just select this keystore in Incoming Configuration as shown below.


Outgoing WS-Security configuration:

Add Outgoing Configuration with name OutConfig as shown below.


Now we have to add the configuration for Timestamp, Username Token, Signature and Encryption in detail tabs of Outgoing Configuration as required.

  • Timestamp
    • Give 20000 as value for Time to live
    • Check Millisecond precision



  • Username Token
    • Give Username and Password
    • Check Add Nonce and Add Created
    • Select Password Type as PasswordText







Note: we should maintain the order Signature and Encryption in Outgoing Configuration as shown above.

Adding Outgoing/Incoming configuration:


With all this setup in place, when I execute the request I was getting the error saying Error getting response for […]; null. Following is the solution given in one of the forum posts here. Note that, I was using SOAP UI 5.0.0.

Replace the existing xmlsec-1.4.5.jar file in /lib folder with xmlsec-1.5.2.jar.

Replace the existing wss4j-1.6.16.jar file in /lib folder with wss4j-1.6.2.jar.

Sample Request


Sample Response


Note: We also have another way of attaching Outgoing Configuration to the request as shown below by doing right click on request window. When we do this way, don’t select Format XML option on right click which is causing digital signature verification failure.So I always recommend the above mentioned way to attach Outgoing Configuration.



Similarly, for OWSM policy oracle/wss_username_token_service_policy the above Username token setup is enough.

You can get the SOAP UI project and keystores used in this post over here.


0 Responses to “OWSM 12c–Using Username Message Protection Policy”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s



Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 349 other followers

Enter your email address to follow this blog and receive notifications of new posts by email.