Page 1: Securing Web Services in a SOA
Ganesh Kirti, Roger Sullivan
Oracle Corporation
“This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”
Page 2: Agenda for Today
– Introduction to a Service Oriented Architecture (SOA)
– Security in Service Oriented Architectures
– Q & A
Page 3: Service Oriented Architectures
Page 4: Customer Needs
– Optimize Processes & Applications to Change
– Share Information & Collaborate Productively
– Build Flexible, Adaptable Applications
– Take Decisions with Better Quality Information
– Lower Technology Costs
– Secure Access & Reduce Risks
Page 5: Fusion Middleware
– Modular & Configurable Applications: SOA, Faces, EJB
– Flexible Business Processes: WSIF, ESB, BPEL
– Actionable Business Intelligence: Hubs, BI, BAM
– Enhanced Employee Productivity: Portals, Mobile, Collaboration
– Lowest TCO: Grid, Systems Mgmt
– Enhanced Security & Compliance: Identity Mgmt, Web Services Mgmt
Page 7: Web Services and Service Oriented Architectures
Page 8: Web Services Security and Management Concerns
– Security: “We have many web services exposed to the internet now”; “Only valid partners may access our web services”
– Exception Handling: “Notify operations if a transaction stalls”; “Send any incomplete orders to customer service for fixing”
– Compliance and Consistency: “All customer orders must be encrypted with 128 bit keys”; “All XML messages must follow this format”
– Service Level Monitoring: “The order system must process transactions in under 2 seconds”; “If uptime falls below 98% we owe contract penalties”
Page 9: Security for an SOA? (diagram of a BPEL loan flow: start, Get Rating from the Credit Rating service, Send Loan Application / Receive Loan Offer against United Loan and Star Loan, Select Lowest Offer, a Handle Negative Credit Exception branch, end)
Page 10: What’s Missing? (the same BPEL loan flow diagram; the loan application message carries <SSN>011-22-4488</SSN>)
1. Anyone who can access the server can initiate loan applications
2. SSN sent in clear text
3. Callback has to go through firewall
4. How can I be sure no other sensitive data is unprotected?
Page 11: Security for an SOA (the same BPEL loan flow diagram, now with audit timestamps 10:00am and 03:00pm on the loan application exchanges)
1. Security: Role-based access control
2. Security: Auto-Encryption of SSN in XML message
3. Management: Service virtualization in DMZ
4. Management: System-wide service auditing
Page 12: Security for an SOA: WS-Security
Authentication
– Security Tokens & References
– OASIS Token Profiles: UsernameToken, BinarySecurityToken (X509, Kerberos)
Integrity
– W3C XML Signature Standard
– Signing by Parts (Element level)
– Canonicalization for signature verification
– Non-repudiation
Page 13: Security for an SOA: WS-Security
Confidentiality
– W3C XML Encryption Standard
– Support for standard Key Exchange Mechanisms
– Encryption by Parts (Element level)
Threats
– Replay Attacks (Timestamps)
– Substitution Attacks (Signing References)
– XML Injections (Validation)
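Added example, not part of the slides: a receiver-side check for the OASIS UsernameToken profile named on the previous slide, combining the password digest with the timestamp freshness window and a nonce cache that together defend against the replay threat listed above. It uses only the Python standard library; PASSWORDS, SEEN_NONCES, MAX_SKEW and the sample credentials are assumptions of this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed credential store and replay cache; a real enforcement point backs these with
# the identity store (e.g. LDAP) and a shared cache sized to the freshness window.
PASSWORDS = {"partner1": "s3cret"}
SEEN_NONCES = set()
MAX_SKEW = timedelta(minutes=5)

def parse_ws_time(s):  # assumes whole-second UTC timestamps, as in the constructed sample
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def password_digest(nonce_b64, created, password):
    # UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def verify_username_token(envelope_xml, now_iso):
    """Return (accepted, reason); rejects bad digests, stale Created times and nonce replays."""
    tok = ET.fromstring(envelope_xml).find(
        f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    user, digest, nonce = (tok.findtext(f"{{{WSSE}}}{n}") for n in ("Username", "Password", "Nonce"))
    created = tok.findtext(f"{{{WSU}}}Created")
    if None in (user, digest, nonce, created):
        return False, "incomplete token"
    if abs(parse_ws_time(now_iso) - parse_ws_time(created)) > MAX_SKEW:
        return False, "stale timestamp"   # replay defence 1: Created must be fresh
    if user not in PASSWORDS or digest != password_digest(nonce, created, PASSWORDS[user]):
        return False, "bad credentials"
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"    # replay defence 2: nonce already consumed
    SEEN_NONCES.add(nonce)
    return True, "ok"

def build_envelope(user, password, nonce, created):
    # Constructed client side: the digest UsernameToken a WS-Security stack would emit.
    nonce_b64 = base64.b64encode(nonce).decode()
    digest = password_digest(nonce_b64, created, password)
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header><wsse:Security xmlns:wsse="{WSSE}"'
            f' xmlns:wsu="{WSU}"><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password>{digest}</wsse:Password><wsse:Nonce>{nonce_b64}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>')
```

The nonce cache only needs to remember nonces for the length of the freshness window, which is why the timestamp check comes first.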
Page 14: Security for an SOA: Transport Security
Authentication
– HTTP basic / digest authentication / digital certificate (https)
Confidentiality, integrity
– Secure Sockets Layer (SSL)
– Virtual Private Network (VPN)
Page 15: Security for an SOA: Developer Toolkits
JDeveloper and OC4J
– Declarative Security
– WS-Security 1.0
– Identity Management Association
Oracle Web Services Manager
– Agents, Gateways, Management Console
Page 16: Security for an SOA: Oracle Web Services Manager
Intercept SOAP messages and apply policies at pre-request, request, response and post-response. Flexible enforcement-point deployment architecture: as a proxy, or for endpoint-level security. Pre-packaged security steps. Leverage existing IdM for authentication and authorization.
Page 17: Security for an SOA: Oracle Web Services Manager (library of policy steps)
Authentication: Active Directory Authenticate, File Authenticate, LDAP Authenticate, LDAP Certificate Authenticate, COREid Authenticate, SiteMinder Authenticate, Verify Certificate, Verify Signature
Authorization: COREid Authorize, Active Directory Authorize, File Authorize, LDAP Authorize, SiteMinder Authorize
Credential Management: Extract Credentials, Insert WSBASIC Credentials
Transport-specific QoS: HTTP Messenger, MQ Messenger, JMS Messenger
WS-Security: Decrypt and Verify Signature, Sign Message, Sign Message and Encrypt, XML Decrypt, XML Encrypt
Others: Content-based routing, XML Transform, Logging, Data gathering (SLA, Metering)
SAML 1.0 and 1.1: SAML Copy Token, SAML Insert Token, SAML Save Token, SAML Validate Token, SAML 1.1 Assertion
Page 18: Security for an SOA: Oracle Web Services Manager (diagram: a SOAP Request from a Web Service Client passes through a Policy Gateway and then a Policy Agent in front of each Web Service)
Page 19: Security for an SOA: Oracle Web Services Manager (diagram: the start / Get Rating / Credit Rating / Handle Negative Credit Exception portion of the loan flow, with the enforcement points below)
– OWSM Gateway: Require Authentication and Authorization
– OWSM Agent: Encrypt SSN, Add Username Token
Page 20: Security for an SOA: Oracle Web Services Manager
Web-based tool for building policies and managing policy distribution to gateways and agents
1) Building Policies
– Pick from a library of pre-built policy steps, e.g. LDAP authorization, LDAP authentication, encrypt, decrypt, verify certificate, verify signature, route message, transform, etc.
– Visually string steps together into a policy pipeline; run the pipeline for all services, a specific service, or a subset
– Pre-request, request, response, post-response pipelines
2) Distributing Policies
– Gateway/Agent pull
– Track and manage versions
Page 21: Security for an SOA: Oracle Web Services Manager
Use Oracle WSM Policy Manager to configure the set of operational policies (pipeline) you want enforced for a given service
– Automatically upload the pipeline into the WSM Agent or Gateway responsible for controlling that service
– Custom policies can be added and made available to administrators through this same interface
– Enforces both enterprise-wide and local best practices
Page 22: Security for an SOA: Oracle Web Services Manager
Real-time visibility into Web Service interactions
– Automate operational issue resolution by dynamically updating policies
– Proactively alert about anomalies
– Enforce policies based on real-time monitoring data
– Validate compliance with IT best practices
Page 23: (diagram: the full BPEL loan flow, start, Get Rating from Credit Rating, Send Loan Application / Receive Loan Offer against United Loan and Star Loan, Select Lowest Offer, Handle Negative Credit Exception, end, plus a PeopleSoft Add Customer step; the Loan Application and Loan Offer messages pass Encrypt <SSN>, Decrypt <SSN> and Authenticate/Authorize policy points, all governed by the Policy Manager and Monitor, with a 03:00pm audit timestamp)
Page 24: Q & A