OWSM 11gR1 FAQ

GENERAL
Where is the official website for OWSM?
OWSM is officially listed on Oracle Technology Network (OTN) here.

Where is the official product documentation for OWSM 11gR1?

What platforms is it certified on?
Download the FMW 11gR1 certification matrix, and view:
  • SOA Suite certification for OWSM policy manager
  • Weblogic Server certification for applying policies to JAX-WS clients/services
  • OPSS certification for Non-Oracle LDAP certification (authentication)

Please elaborate on OWSM licensing.
OWSM licensing (independent of the release vehicle) changed in Jul 2009, when the "OWSM standalone license" was taken off the price list.
Now, it's just a component of SOA Suite.
  • When selling 10gR3, the only way a customer acquires OWSM is through a "SOA Suite license", and it is installed through the "SOA Suite installer".
  • When selling 11gR1, OWSM is embedded in the SOA Suite infrastructure, and customers don't need to buy any separate license to use it. For example, if they buy a SOA Suite license to run BPEL, they are automatically allowed to use OWSM policies to secure it.

POLICY MANAGEMENT
How are policies represented in OWSM?

OWSM uses the WS-Policy 1.2 standard specification with Oracle extensions to represent the policies to execute. It can also advertise on-the-wire policies into the WSDL using WS-PolicyAttachment standard.

Where are OWSM policies stored?
OWSM policies are stored through the meta data store (MDS) interface into a database. Currently, there is a policy store for every Weblogic domain, but we are planning to provide ability to share the same policy store across the domains. This does not apply to OWSM policies for Weblogic JAX-WS services yet.

How are OWSM policies distributed?
The OWSM policy manager application (a JEE app, one per Weblogic domain) is responsible for distributing policies to the OWSM agents that enforce them. Agents query the policy manager app to receive the policies to execute, and then poll every few seconds (configurable) to receive any updates to the policy definitions. This does not apply to OWSM policies for Weblogic JAX-WS services yet.

How are policies managed/configured?
Enterprise Manager FMW control provides the management interface for CRUDQ (create, read, update, delete, query) operations of policies. It in turn communicates with the policy manager application (over RMI) to retrieve or update policies from the MDS based policy store.

Where are policies stored/managed for Weblogic JAX-WS services?
For Weblogic JAX-WS services, OWSM stores policies in a jar file. There is no management interface provided to update policies in this jar, but an existing EM FMW control can be used to export the policy into an XML file, and the jar tool can then be used to update the jar with this XML file.
Note: Policy manager application integration for centralized management of policies for Weblogic JAX-WS client/services isn't available yet, but will be available in a future 11g release/patchset.

How are policies attached to clients/services?
You can attach policies to clients/services through
  1. JDeveloper - Using annotations for JAX-WS clients/services, and dialogs for other services (such as SOA, ADF)
  2. EM FMW Control - All clients/services except JAX-WS
  3. Weblogic Admin Console - JAX-WS clients/services
Only the reference (pointer) to the policy is attached, not the policy definition itself. Policy name acts as a reference to the policy.

Where are policy attachments stored?
Policy attachments associate a policy to execute for a given client/service, and are stored in the client/service specific deployment descriptor. Only reference to the policy (policy name) is stored as part of the attachment, not the whole policy definition.
  • SOA - stored in composite.xml
  • ADF, JAX-WS - oracle-webservices.xml
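
The attachment model described above lends itself to a simple audit, shown here as an added example (not Oracle's code and not part of the original FAQ): because a descriptor holds only policy names, a script can list each service's references, flag services with none, and flag names missing from a policy inventory. The descriptor layout, service names, policy names and inventory are constructed assumptions; only the `wsp:PolicyReference` element and its `URI` attribute come from the WS-Policy standard.

```python
import xml.etree.ElementTree as ET

# WS-Policy 1.2 namespace; PolicyReference is defined by that specification.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed descriptor: the layout and every name are assumptions.
SAMPLE_DESCRIPTOR = """\
<composite name="OrderProcessing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <service name="OrderService">
    <binding.ws port="urn:example#OrderPort">
      <wsp:PolicyReference URI="example/username_token_service_policy"/>
    </binding.ws>
  </service>
  <service name="StatusService">
    <binding.ws port="urn:example#StatusPort"/>
  </service>
  <service name="BillingService">
    <binding.ws port="urn:example#BillingPort">
      <wsp:PolicyReference URI="example/retired_saml_service_policy"/>
    </binding.ws>
  </service>
</composite>
"""

# Constructed inventory of policy names that exist in the policy store.
KNOWN_POLICIES = {"example/username_token_service_policy", "example/role_authz_policy"}

def audit_attachments(descriptor_xml, known_policies):
    """Return (attachments, unprotected, dangling) for one descriptor."""
    root = ET.fromstring(descriptor_xml)
    attachments, unprotected, dangling = {}, [], []
    for svc in root.iter():
        # Compare on the local name so a default namespace does not hide services.
        if svc.tag.rsplit("}", 1)[-1] != "service":
            continue
        name = svc.get("name", "<unnamed>")
        refs = [r.get("URI", "") for r in svc.iter(f"{{{WSP}}}PolicyReference")]
        attachments[name] = refs
        if not refs:
            unprotected.append(name)  # nothing attached at all
        # A name absent from the inventory cannot be resolved to a definition.
        dangling += [(name, r) for r in refs if r not in known_policies]
    return attachments, unprotected, dangling

if __name__ == "__main__":
    _, unprotected, dangling = audit_attachments(SAMPLE_DESCRIPTOR, KNOWN_POLICIES)
    print("no policy attached:", unprotected, "| not in inventory:", dangling)
```
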

Can you keep the policy in the registry?
Wire level policies (such as which token to send, how should the message be signed/encrypted) are published into the service WSDL in accordance with WS-PolicyAttachment specification, and the WSDL can be published in the registry.

Can you use scripts to update a policy?
OWSM policies are stored through the meta data store (MDS) interface into a database. You can use WLST commands provided by MDS to update the policies.

What types of policies are managed/enforced by OWSM?
OWSM manages/enforces WS-* types of policies such as WS-Security, WS-ReliableMessaging, WS-Addressing, MTOM, etc.

Are policies versioned? Can I roll back to a previous version of a policy?
Yes, all changes to the policies are versioned. You can roll back to any of the older versions through the EM FMW control interface.

Are changes to policies audited?
Yes, all changes and addition/deletion of policies are audited through integration with FMW audit infrastructure. Reports can be run on policy audit events through the BI Publisher interface.

Is there a way to tell which policy was applied by looking at a completed composite instance?
Not at this time.

POLICY ENFORCEMENT
How is authentication performed?
OWSM extracts the token from the request message, and passes it to Oracle Platform Security Services (OPSS) login modules for authentication. The login modules internally invoke the Weblogic CSS authenticator. Once the user is authenticated, the user identity is asserted as a Java Subject into the application.

How is authorization performed?
OWSM supports 2 types of authorization policies, and requires that the user is already authenticated through a previous policy:
  • role based - allowed roles are configured as part of OWSM policy
  • permission based - permissions to allow access are configured in OPSS

Will there be a gateway post 11gR1?
Yes, we are working on it. Meanwhile, you can deploy OWSM 10gR3 gateway.

GATEWAY
When will WSM Gateway in 11g be available?
WSM 11g Gateway is not part of the planned releases in the next 12 months. Timeframe beyond that can't be shared with the customer.
Meanwhile, Oracle sales can co-sell Gateway from one of our ecosystem partners - Vordel, Sonoa, Intel, Layer7.
More info on partner gateway is available on external Oracle IdM ecosystem site and internal idm.us site.
You can contact Vikas Jain directly for any info on partner ecosystem and contact details.

MONITORING

What does OWSM monitor, and what type of graphs/charts are available?
OWSM monitors policy execution results (pass/fail) for services. It also can tell if the failure was due to authentication, authorization, signature validation or decryption events. The monitoring metrics are available as graphs/charts through Enterprise Manager Fusion Middleware (FMW) control. These metrics are in memory only. Historical monitoring and SLAs (which require metrics to be persisted in a database) will be available when EM Grid Control for FMW 11gR1 is released.

ARCHITECTURE
List the components of OWSM 11gR1.

OWSM contains
  • Agents - These are built into the web services stack of Weblogic server and JRF, but are logically represented as a component that acts as a policy enforcement point (PEP), and policy access point (PAP). An agent looks up the policies to enforce from the centralized policy manager application.
  • Policy Manager - It's a JEE application, one per Weblogic domain, that manages policies (additions and updates go through it), and distributes policies to PEPs (agents). It exposes an RMI interface.
  • MDS - This is the policy store interface which policy manager talks to. It's backed by a database.
  • EM Fusion Middleware Control - Policy management and attachment is performed through EM which in turn communicates with policy manager for any updates or lookup of policies.

How is authentication performed?
OWSM leverages container based security for authentication. It delegates authentication to OPSS login modules which in turn calls the Weblogic authenticators. The authenticated user identity is set in the Java Subject of the web service application.

How is authorization performed?
The following types of authorization mechanisms are supported.
  1. Role based - The allowed roles configured in a policy are matched with the roles present in the authenticated user's Java Subject principals.
  2. Permission based - Access can be allowed or disallowed based on the Java permission-based model.
  3. Entitlements based - Using a custom policy, OWSM can integrate with OES to provide content and context based authorization.



Latest page update: made by Vikas.M.Jain, Nov 10 2009, 2:25 PM EST
Keyword tags: FAQ OWSM

Thread: WSM gateway roadmap
Started by geewee, Sep 28 2009, 9:46 AM EDT (0 replies)
We have been running a POC on installing WSM gateway in dmz-zone, making sure authentication/authorization is done before incoming requests are forwarded to internal systems.

And until Jul 24th this post was all we had on WSM gateway:

Will there be a gateway post 11gR1?
Yes, we are working on it. Meanwhile, you can deploy OWSM 10gR3 gateway.


But on Jul 24th this entry was added:
When will WSM Gateway in 11g be available?
WSM 11g Gateway is not part of the planned releases in the next 12 months. Timeframe beyond that can't be shared with the customer.
Meanwhile, Oracle sales can co-sell Gateway from one of our ecosystem partners - Vordel, Sonoa, Intel, Layer7.
More info on partner gateway is available on external Oracle IdM ecosystem site and internal idm.us site.
You can contact Vikas Jain directly for any info on partner ecosystem and contact details.

Could you please elaborate a bit on the consequences of this decision. What are the alternatives when the two requirements are:
1. Wrap web services in standardized LDAP authenticate/authorize, typical WSM functionality
2. Reject unauthenticated requests before they hit the backend soa platform

If WSM gateway roadmap is not decided, customer will translate this into a decision, and look for alternatives.
This kind of left-turn on a product roadmap should maybe stand out a bit more than in a wiki note?

Would the pragmatic approach be to pull WSM components together inside SOA suite, to simplify upgrade from 10.* to 11g.
As I understand the agents inside Weblogic server are taking over the WSM gateway role of 10.*