secure your integrations · 2018-06-15 · secure your integrations what do you hope to achieve?...
SECURE YOUR INTEGRATIONS
Maarten Smeets
07-06-2018
@MaartenSmeetsNL
https://nl.linkedin.com/in/smeetsm
About Maarten
• Integration consultant at AMIS since 2014
• Several certifications
SOA, BPM, MCS, Java, SQL, PL/SQL, Mule, AWS, etc
• Enthusiastic blogger
http://javaoraclesoa.blogspot.com
3 Membership Tiers
• Oracle ACE Director
• Oracle ACE
• Oracle ACE Associate
bit.ly/OracleACEProgram
500+ Technical Experts Helping Peers Globally
Connect:
Nominate yourself or someone you know: acenomination.oracle.com
@oracleace
Facebook.com/oracleaces
SECURE YOUR INTEGRATIONS
WHAT DO YOU HOPE TO ACHIEVE?
SECURITY IN DIFFERENT LAYERS
TLS
TLS AND JAVA
CERTIFICATES
KEYSTORES
CIPHER SUITES
TLS IN THE ORACLE CLOUD
APPLICATION SECURITY
INTRODUCTION: GDPR
GENERAL DATA PROTECTION REGULATION (GDPR)
• "...implement measures to mitigate those risks, such as encryption." (P51. (83))
• "...appropriate safeguards, which may include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the pseudonymization and encryption of personal data." (P160 (1a))
• "...unintelligible to any person who is not authorized to access it, such as encryption" (P163 (3a))
WHAT DO YOU HOPE TO ACHIEVE?
• Confidentiality
• Integrity
• Authentication
• Identification
• Authorization
• Access to specific resources
• Entitlements
WHAT DO YOU HOPE TO ACHIEVE?
CONFIDENTIALITY AND INTEGRITY: REPUDIATION OF EMISSION
Do you trust the contents of the message?
Integrity and Confidentiality
WHAT DO YOU HOPE TO ACHIEVE?
AUTHENTICATION AND IDENTIFICATION: REPUDIATION OF ORIGIN
Do you trust the source of the message?
Authentication and Identification
SECURITY IN DIFFERENT LAYERS
Application layer
(HTTP, LDAP)
TLS/SSL layer
Transport layer
(TCP, UDP)
Network layer
(IP)
Security only in the application layer might cause plaintext passwords or reusable tokens to be transmitted and potentially intercepted.
SECURITY IN DIFFERENT LAYERS
TLS VS APPLICATION LAYER SECURITY
• Performance
  • TLS is much faster than security on message contents
• Granularity
  • TLS is usually on host level
  • Application security can be much more specific
• Genericity
  • TLS can be used on HTTP, SMTP, T3
  • Application layer security is specific for a platform / application
SECURITY IN DIFFERENT LAYERS
WHICH PRODUCTS?
• Loadbalancers
  • For example an F5 product
  • Oracle Traffic Director (also used in Oracle Cloud)
• On a webserver / application server
  • Oracle HTTP Server
  • WebLogic Server
• Using an API gateway product
  • API Platform Cloud Service
  • API Gateway
TRANSPORT LAYER SECURITY
1. Concepts
2. TLS and Java
SECURITY IN DIFFERENT LAYERS
WHAT CAN YOU ACHIEVE WITH TLS?
• Secure message exchange
  • Confidentiality, by using symmetric cryptography
  • Integrity, by using message authentication codes (MAC)
• Identification
• Authentication
• Authorization
  By using public key cryptography
BACKGROUND AND CONCEPTS
TLS: VERSIONS

| Version | Origin | Released | Most important vulnerabilities |
|---|---|---|---|
| SSL 1 | Netscape | No | Never released due to too many issues |
| SSL 2 | Netscape | 1995 | DROWN |
| SSL 3 | Netscape | 1996 | POODLE |
| TLS 1.0 | IETF | 1999 | BEAST |
| TLS 1.1 | IETF | 2006 | CBC, Sweet32 |
| TLS 1.2 | IETF | 2008 | Logjam, FREAK, Heartbleed (OpenSSL) |
| TLS 1.3 | IETF | TBD | |
BACKGROUND AND CONCEPTS
TLS: JAVA
• TLS 1.2 is supported from
  • Oracle JDK 6u121
  • JRockit R28.3.11
• JCE for the best cipher suites
  • Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
  • JCE on JRockit and Oracle JDK: see Oracle support Doc ID 2262067.1
• JCE is no longer required after
  • Version 6u191, 7u181, 8u171, 9
BACKGROUND AND CONCEPTS
Handshake
Keystores
Certificates
Cipher suites
BACKGROUND AND CONCEPTS
TLS LAYER
• Client and server perform a handshake
• During the handshake certificates are exchanged
• Certificates are stored in keystores and can be checked
• Client and server agree on further details of the connection (cipher suite)
BACKGROUND AND CONCEPTS
WHAT'S IN A CERTIFICATE
• A public key
• Information on the issuer
• A serial number, unique per issuer
• A period during which the certificate is valid
• A hostname or hostname wildcard
• References to certificate revocation lists
BACKGROUND AND CONCEPTS
CERTIFICATES AND TRUST
BACKGROUND AND CONCEPTS
KEYSTORES
BACKGROUND AND CONCEPTS
KEYSTORES: FILE BASED FORMATS
• Java Keystore / JKS. File extension: .jks
• Public-Key Cryptography Standards / PKCS #12. File extension: .p12 or .pfx
• Java Cryptography Extension KeyStore / JCEKS. For storing secret keys / credentials. File extension: .jceks
Tools: Keystore Explorer, Portecle, keytool
BACKGROUND AND CONCEPTS
KEYSTORES: ORACLE PLATFORM SECURITY SERVICES (OPSS)
• KeyStoreService / KSS
• Credential Store Framework or CSF
BACKGROUND AND CONCEPTS
CIPHER SUITES
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• ECDHE: key exchange
• ECDSA: signature (authentication, identification: repudiation of origin)
• AES_256_GCM: bulk encryption algorithm (confidentiality)
• SHA384: message authentication algorithm (integrity)
Confidentiality and integrity together: repudiation of emission
BACKGROUND AND CONCEPTS
CIPHER SUITES: AGREEMENT CLIENT/SERVER DURING HANDSHAKE
Client: Hi! I can speak Dutch and English.
Server: Hi! I can speak Norwegian and English.
Server: I would prefer Norwegian but since you wouldn't understand me, let's talk English!
BACKGROUND AND CONCEPTS
CIPHER SUITES: AGREEMENT CLIENT/SERVER DURING HANDSHAKE
• The server has a list of supported cipher suites in order of preference
• The server chooses the cipher suite which will be used based on what the client indicates it supports
• If the server supports a poor cipher suite (even with a low priority), the client can indicate it only supports that one and it will be used!
• Some cipher suites do not do encryption, key exchange or message integrity checking
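The cipher suite anatomy from the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 slide and the server-preference selection just described, worked through in Python. This is an added example, not code from the presentation: the IANA naming pattern is standard, but the classification tables, the server preference list and the "weak-only" client are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Classification tables, constructed for this example from the remarks in the deck
# (anonymous key exchange, static RSA without forward secrecy, 3DES, NULL parts).
ANONYMOUS_SIGNATURE = {"anon", "NULL"}
NO_FORWARD_SECRECY = {"RSA", "DH", "ECDH"}   # static key exchange: no ephemeral keys
WEAK_BULK = {"NULL", "RC4_128", "RC4_40", "DES_CBC", "DES40_CBC", "3DES_EDE_CBC"}
WEAK_MAC = {"NULL", "MD5"}
LEGACY_MAC = {"SHA"}                          # SHA-1 based HMAC; scanners such as SSL Labs flag it

# TLS 1.2-style IANA names only: TLS_<key exchange>[_<signature>]_WITH_<bulk>_<hash>.
# TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange part and are not parsed here.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<bulk>.+)_(?P<mac>SHA384|SHA256|SHA|MD5|NULL)$"
)


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str     # ECDHE, DHE, RSA, DH, ECDH, NULL
    signature: str        # ECDSA, RSA, anon, NULL
    bulk_encryption: str  # AES_256_GCM, AES_128_CBC, 3DES_EDE_CBC, NULL, ...
    mac: str              # SHA384, SHA256, SHA, MD5, NULL; for AEAD (GCM) suites this names the PRF hash


def parse_cipher_suite(name):
    """Split an IANA cipher suite name into the four parts shown on the slide."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style cipher suite name: {name}")
    kx_parts = m.group("kx").split("_")
    if len(kx_parts) == 1:
        # Plain "RSA": the server's RSA key both transports the pre-master secret and identifies the server.
        key_exchange = signature = kx_parts[0]
    else:
        key_exchange, signature = kx_parts[0], kx_parts[1]
    return CipherSuite(name, key_exchange, signature, m.group("bulk"), m.group("mac"))


def provides(suite):
    """Map the suite's parts onto the goals from the deck ('what do you hope to achieve?')."""
    goals = set()
    if suite.signature not in ANONYMOUS_SIGNATURE:
        goals |= {"authentication", "identification"}   # signed key exchange: repudiation of origin
    if suite.key_exchange in {"ECDHE", "DHE"}:
        goals.add("forward secrecy")
    if suite.bulk_encryption != "NULL":
        goals.add("confidentiality")
    if suite.mac != "NULL":
        goals.add("integrity")   # HMAC, or the AEAD tag for GCM suites: repudiation of emission
    return goals


def weaknesses(suite):
    """Reasons not to enable this suite; an empty list means nothing was flagged."""
    issues = []
    if suite.signature in ANONYMOUS_SIGNATURE:
        issues.append("no server authentication (anonymous key exchange)")
    elif suite.key_exchange in NO_FORWARD_SECRECY:
        issues.append("static key exchange: no forward secrecy")
    if suite.bulk_encryption in WEAK_BULK:
        issues.append(f"weak or missing bulk encryption ({suite.bulk_encryption})")
    if suite.mac in WEAK_MAC:
        issues.append(f"weak or missing MAC ({suite.mac})")
    elif suite.mac in LEGACY_MAC:
        issues.append("SHA-1 based MAC")
    return issues


def negotiate(server_preferences, client_offer):
    """Server-preference selection as on the slide: walk the server's ordered list and
    return the first suite the client also offered; None means the handshake fails."""
    offered = set(client_offer)
    return next((s for s in server_preferences if s in offered), None)


# Constructed server configuration: good suites first, one weak suite still enabled at the bottom.
SERVER_PREFERENCES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def downgrade_demo():
    """A client that claims to support only the weak suite gets it, however low its priority;
    once every flagged suite is removed from the server list, the same client gets nothing.
    Returns (chosen suite, chosen suite after hardening, hardened server list)."""
    weak_only_client = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    hardened = [s for s in SERVER_PREFERENCES if not weaknesses(parse_cipher_suite(s))]
    return negotiate(SERVER_PREFERENCES, weak_only_client), negotiate(hardened, weak_only_client), hardened


if __name__ == "__main__":
    for name in SERVER_PREFERENCES + ["TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_NULL_WITH_NULL_NULL"]:
        suite = parse_cipher_suite(name)
        print(f"{name}\n  provides: {sorted(provides(suite))}\n  issues:   {weaknesses(suite) or 'none'}")
    print("downgrade demo:", downgrade_demo())
```

The practical lesson is the last line: the only reliable defence against a client that offers just the poor suite is not to have that suite in the server's list at all.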
BACKGROUND AND CONCEPTS
USING A TLS CONNECTION IS NOT SECURE BY DEFAULT!
Client and server:
"Let's do security!"
"Good idea! Let's do that!"
"Let's not check each other's identity, do encryption or integrity checks, ok?"
"Sure!"
"Yay! We're secure!"
BACKGROUND AND CONCEPTS
1. One way TLS
2. Two way TLS
BACKGROUND AND CONCEPTS
ONE WAY
• The client does not send a certificate the server can check
• The server sends a certificate the client can check
BACKGROUND AND CONCEPTS
TWO WAY
• The client sends a certificate the server can check
• The server sends a certificate the client can check
BACKGROUND AND CONCEPTS
CONSIDERATIONS ONE OR TWO WAY SSL
• Do you require validation of the client? Are client and server located in the same data center? Is the server publicly exposed?
• Can you control the client? Can you force the client to use a client certificate? Manage client certificates next to server certificates
• Performance
  • Per TLS connection extra validations need to be performed
  • More network traffic is required since the client also sends a certificate
TLS IN SOA SUITE
OUTBOUND 2-WAY
1. Composites
2. Service Bus
TLS IN SOA SUITE
• Composites: one client certificate for 2-way TLS per domain
• Service Bus: multiple client certificates for 2-way TLS, configurable per service
TLS IN SOA SUITE
COMPOSITES
• Configure the composite identity keystore. This is domain level configuration! Not customizable per service
• Configure keystore password and key password: add CSF entries in the folder SOA
• Configure the composite reference for 2-way SSL: <property name="oracle.soa.two.way.ssl.enabled">true</property>
TLS IN SOA SUITE
SERVICE BUS
• PKICredentialMapper: create a PKICredentialMapper in the WebLogic Console and configure the keystore and keystore password to use
• ServiceKeyProvider: create a ServiceKeyProvider in a project (or a shared location). This uses the PKICredentialMapper and contains a reference to the key and key password
http://www.redrock-it.nl/add-client-certificate-outgoing-osb-call/
TLS IN THE ORACLE CLOUD
1. IaaS and Compute based PaaS
2. Non Compute based PaaS and SaaS
TLS IN THE ORACLE CLOUD
IAAS AND COMPUTE BASED PAAS
• Services in which the customer can access the VM, like Java Cloud Service and Database Cloud Service
• “bring your own host name” policy
• The customer is responsible for requesting a certificate and implementing it
http://www.ateam-oracle.com/https-and-trust-in-oracle-public-cloud/
TLS IN THE ORACLE CLOUD
NON COMPUTE BASED PAAS AND SAAS
• Services like ICS, SOACS, Mobile Cloud Service, Document Cloud Service, Sales Cloud, ERP Cloud
• Oracle offers a (wildcard) certificate per cloud service per region
• Cipher suites are preconfigured, not configurable
TLS IN THE ORACLE CLOUD
CIPHER SUITES
• TLS 1.2 GCM cipher suites are not supported. These offer integrity checking.
• Several SHA cipher suites (next to SHA256). These are vulnerable against collision attacks
• RSA key exchange does not provide forward secrecy
• TLS_RSA_WITH_3DES_EDE_CBC_SHA is a weak cipher suite
• TLS 1.0 is supported. Possibly vulnerable to POODLE and BEAST
https://www.ssllabs.com/ssltest
APPLICATION SECURITY
1. SOAP, REST
2. WS Security in OWSM
WHAT DO YOU HOPE TO ACHIEVE?
• Confidentiality
• Integrity
• Authentication
• Identification
• Authorization
• Access to specific resources
• Entitlements
APPLICATION SECURITY
• HTTP
  • OAuth
  • Basic authentication
• REST/JSON
  • JSON Web Tokens (JWT)
  • JSON Object Signing and Encryption (JOSE)
• SOAP/XML
  • SAML
  • WS-Security
Cute, but (mostly)…
- Plaintext passwords are transmitted
- Plaintext usernames are transmitted
- Re-usable tokens are exchanged
TLS fixes that!
APPLICATION SECURITY
SECURE TOKEN SERVICE
Tokens can be transmitted
• as part of the HTTP body
• in an HTTP header
APPLICATION SECURITY
SECURE TOKEN EXAMPLES
AUTHENTICATION / IDENTIFICATION
WS SECURITY TOKENS
1. UsernamePassword token
2. Digest token
APPLICATION SECURITY
WEBLOGIC SERVER: ORACLE WEBSERVICE MANAGER
• Centrally define and store declarative policies applied to multiple Web services.
• Locally enforce policies through configurable agents.
• Monitor run time security events such as failed authentication or authorization.
https://docs.oracle.com/middleware/1221/owsm/security/owsm-predefined-policies.htm
AUTHENTICATION WS-SECURITY BASED ON USERNAME/PASSWORD
• WS-Security Username Authentication
  • oracle/wss_username_token_client_policy
  • oracle/wss_username_token_server_policy
AUTHENTICATION WS-SECURITY USING A DIGEST TOKEN
• WS-Security offers digest based authentication
• A digest consists of a cryptographic hash of
• A password
• A nonce: a number which can be used only once
• A timestamp
AUTHENTICATION WS-SECURITY USING A DIGEST TOKEN IN WLS/OWSM
• WebLogic Server + OWSM
  • Only with the WLS internal LDAP: passwords must be decryptable to generate digests
  • Can only authenticate users created after the digest configuration has been applied
• Nonce: a nonce can be cached in Coherence. Mind the Coherence cluster configuration!
https://thecattlecrew.net/2017/03/22/ws-security-with-username-token-profile-on-oracle-weblogic-server/
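The digest token described on the two slides above, as an added example (not OWSM or WebLogic code): the client-side digest as the WS-Security UsernameToken Profile defines it, and a server-side verifier that recomputes it from the stored password, checks the timestamp window and rejects reused nonces. The credentials, nonce bytes and timestamps are constructed; the in-memory set stands in for the Coherence nonce cache on the slide.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created; whole seconds only in this example


def make_digest_token(username, password, nonce=None, created=None):
    """Client side: the UsernameToken fields. The UsernameToken Profile defines
    PasswordDigest = Base64(SHA-1(nonce + created + password)) over the raw nonce bytes,
    so the password itself never travels in the message."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(WSU_FORMAT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": base64.b64encode(digest).decode(),
    }


class DigestVerifier:
    """Server side. Recomputing the digest needs the plaintext password (the slide's point that
    passwords must be decryptable), a freshness window on Created, and a nonce cache so a
    captured token cannot be replayed (Coherence on WebLogic; a plain set stands in here)."""

    def __init__(self, credentials, max_age=timedelta(minutes=5), clock_skew=timedelta(seconds=30)):
        self.credentials = credentials   # constructed: username -> reversibly stored password
        self.max_age = max_age
        self.clock_skew = clock_skew
        self.seen_nonces = set()         # in a cluster every node must see the same cache

    def verify(self, token, now=None):
        """Return (accepted, reason). The nonce is recorded only after the digest matched,
        so unauthenticated senders cannot fill the cache with nonces."""
        now = datetime.strptime(now, WSU_FORMAT) if now else datetime.now(timezone.utc).replace(tzinfo=None)
        password = self.credentials.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], WSU_FORMAT)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        if not (now - self.max_age <= created <= now + self.clock_skew):
            return False, "stale or future timestamp"
        key = (token["Username"], nonce)
        if key in self.seen_nonces:
            return False, "replayed nonce"
        expected = make_digest_token(token["Username"], password, nonce, token["Created"])["PasswordDigest"]
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        self.seen_nonces.add(key)
        return True, "ok"


def replay_demo():
    """Constructed scenario at a fixed clock: a fresh token is accepted once, the same token
    again is rejected as a replay, a wrong password fails the digest, an old Created is stale."""
    verifier = DigestVerifier({"alice": "s3cret"})
    now = "2018-06-07T12:00:00Z"
    fresh = make_digest_token("alice", "s3cret", b"0123456789abcdef", "2018-06-07T11:59:30Z")
    wrong = make_digest_token("alice", "wr0ng", b"fedcba9876543210", "2018-06-07T11:59:30Z")
    stale = make_digest_token("alice", "s3cret", b"00000000deadbeef", "2018-06-07T11:00:00Z")
    return [verifier.verify(fresh, now), verifier.verify(fresh, now),
            verifier.verify(wrong, now), verifier.verify(stale, now)]


if __name__ == "__main__":
    for outcome in replay_demo():
        print(outcome)
```

Without the nonce cache (or with a cache that is not shared across the cluster) the second `verify` call would succeed, which is exactly the replay the slide warns about.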
AUTHORIZATION
• oracle/binding_authorization_template
• Role based access to a binding
• oracle/component_authorization_template
• Role based access to a component
• oracle/component_permission_authorization_template
• Authenticated subject can access component / webservice operation
INTEGRITY AND CONFIDENTIALITY
• Confidentiality: XML Encryption
• Message encryption
• Integrity: XML Signature
• Messages have not been altered since signing
• Signature can be checked to confirm the identity of the client party
INTEGRITY AND CONFIDENTIALITY
ORACLE WEBSERVICE MANAGER: POLICIES
• oracle/wss10_message_protection_client_policy
• oracle/wss11_message_protection_client_policy
• oracle/wss10_message_protection_server_policy
• oracle/wss11_message_protection_server_policy
KSS keystore: key alias
JKS keystore: CSF entry in oracle.wsm.security
CONFIDENTIALITY
PERSONALLY IDENTIFIABLE INFORMATION
• oracle/pii_security_policy: encryption of Personally Identifiable Information (PII)
• Only within a composite
• Want to use the value? Decrypt! (using Java embedding)
1. Considerations
2. Food for thought
PERFORMANCE
• WS-SecureConversation: the number of authentications is reduced
• System entropy (especially on VMs)
  http://oraclemiddlewareblog.com/2012/10/17/how-to-improve-weblogic-servers-startup-time
  http://bugs.java.com/view_bug.do?bug_id=6521844
• Preemptive basic authentication
  http://georgie-soablog.blogspot.nl/2013/09/bpel-calling-web-services-with-http.html
https://en.wikipedia.org/wiki/WS-Security
CONSIDERATIONS
Performance
Complexity
Coverage
DTAP
Capabilities of software
Futureproof
Sensitivity of data
License fee
Testability
Flexibility
Manageability
FOOD FOR THOUGHT
GDPR
• Do you know what Personally Identifiable Information (PII) exactly is?
• Do you know which measures are required for the PII data you have?
• Do you know where your PII data is located, cached, stored (backups?), aggregated, analyzed, …?
• Do you know who can access / has accessed this data? And for what reason?
• Do you know which agreements (for storing, processing, transmitting) are required and who is responsible for them?
• Do you have data lifecycle management in place? Can you remove PII data upon request?
• Can you provide a client with all their PII data you have on them?