Copyright 2012, Oracle and/or its affiliates. All rights reserved.


OTM and SOA
Mark Hagan, Principal Software Engineer, Oracle Product Development

Content
- What is SOA?
- What is Web Services Security?
- Web Services Security in OTM
- Futures

PARADIGM

What is SOA?
- Service Oriented Architecture
- Term originated from IBM Web Services work in 2000?
- Million and one attempts to produce a catchy paragraph
- Strategy (both IT and Business)
- Services
- Interoperable
- Standards
- Aims to address perceived limitations in previous application integration techniques.

SOA Evolution
- Service Oriented Architecture
- Plateau of Productivity
- Not just about enabling a legacy application to be called as a web service.
- High level business process design
- SOA Maturity Model
- Availability of tools
  - Server: Oracle SOA Suite (+ others, I guess!)
  - Designer: Oracle JDeveloper (ditto)
- SCA: Service Component Architecture (OASIS Standard)

What are Web Services?
- Not just an API!
- Salient points
  - Platform independent (XML everywhere)
  - Transport independent (i.e. not tied to a specific protocol)
  - Loosely coupled
  - Contract
  - Standards (next slide!)

What are Web Services?
- Gradual emergence of standards
  - XML & XSD
  - SOAP
  - WSDL [Side note: even W3C gets confused between Web Service Definition Language and Web Services Description Language!]
- Java Platform
  - JAX-RPC
  - JAX-WS (initially called JAX-RPC 2.0)

Anatomy of a SOAP Message
- SOAP Envelope
- SOAP Header
- SOAP Body
- Message Payload

Anatomy of a WSDL Definition
- Messages
- Operations
- Ports

Security Before Web Services Security
- Applies to OTM versions from v5.0 to v6.2
- Credentials were passed according to transport protocol
  - For example, SOAP over HTTP used Basic Authentication HTTP Header
- Encryption required SOAP over HTTPS
- Commonly include credentials in the message itself.
  - OTM accepted Transmission Header with username/password or username and IP authentication.

Web Services Security
- WS-Security
- WSS: SOAP Message Security v1.1
- OASIS Specification of an XML syntax for security related data in the SOAP Header
- Supports different profiles
  - Username Token Profile
  - SAML Token Profile
  - X.509 Token Profile
  - Kerberos Token Profile
  - Rights Expression Language (REL) Token Profile

Web Services Policy
- WS-Policy
- WSP: Web Service Policy 1.5 Framework & Attachment
- W3C Recommendation for an XML syntax to describe the requirements and capabilities of a web service.
- Defines the concept of an assertion and how to declare policy alternatives.
- Examples:
  - Security
  - Transactions
  - Reliable Messaging
  - Addressing

Web Services Security Policy
- WS-SecurityPolicy
- WSSP: WS-SecurityPolicy 1.3
- OASIS Specification for WSS related policy assertions
- Service can specify which token profiles are required or supported
- Service can specify which transport protocols are required or supported
- Declared in the service WSDL

WSSP Example: Username Token

WSS in OTM v6.2 - Inbound
- Partial support for Username Token Profile
- Full support for HTTP and HTTPS
- Not declared in WSDL
- Password Digest was initially supported but may be removed

WSS in OTM v6.2 - Outbound
- Partial support for Username Token Profile
- Full support for HTTP and HTTPS
- External WSDL is not parsed for WSSP assertions
- Password Digest was initially supported but may be removed
- Requires settings on Web Service and External System records in OTM.

Web Service Manager

External System Manager

WSS in OTM v6.3 - Inbound
- Full support for Username Token Profile (except Password Digest type)
- Full support for HTTP and HTTPS
- Full support for Message Encryption
- Declares security policy in WSDL for inbound services
  - Defaults to Username Token over HTTPS
  - Policy can be customised

Custom Policy
- Installation deploys a policy file for each web service
  - <otm home>/glog/glog_resources/policies/<service name>-policy.xml
  - For example, <otm home>/glog/glog_resources/policies/intxmlservice-policy.xml
- To override default policy
  - DO NOT EDIT base file
  - Create file under configured custom directory, for example <otm home>/glog/glog_resources/custom/policies/intxmlservice-Policy.xml

Custom Policy (contd.)
- Sample files installed
  - otm-default-policy.xml: policy installed by default (currently Username Token over HTTPS)
  - otm-wssp1.2-2007-https-usernametoken-plain.template.xml
  - otm-wssp1.2-2007-usernametoken-plain.template.xml
  - otm-wssp1.2-wss10_username_token_with_message_protection_policy.template.xml
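
Because the default policy can be replaced by a file in the custom directory, it is worth checking that an override still protects the Username Token. The following is an added example, not part of the original slides or of OTM: `audit_policy` and the three sample policies are hypothetical and constructed from standard WS-SecurityPolicy 1.2 assertions. It flags a Username Token that has neither an HTTPS transport binding nor token encryption, and a `HashPassword` (Password Digest) request, which the slides say v6.3 does not support.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WSSP 1.2/1.3
NS = f'xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{SP}"'

# Constructed sample policies built from standard WS-SecurityPolicy assertions.
# They are NOT the contents of the OTM template files named above.
TOKEN = ("<sp:SupportingTokens><wsp:Policy><sp:UsernameToken><wsp:Policy>"
         "%s<sp:WssUsernameToken10/>"
         "</wsp:Policy></sp:UsernameToken></wsp:Policy></sp:SupportingTokens>")
HTTPS = ("<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>"
         "<sp:HttpsToken/>"
         "</wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>")
HTTPS_PLAIN = f"<wsp:Policy {NS}>{HTTPS}{TOKEN % ''}</wsp:Policy>"
PLAIN_ONLY = f"<wsp:Policy {NS}>{TOKEN % ''}</wsp:Policy>"
HTTPS_DIGEST = f"<wsp:Policy {NS}>{HTTPS}{TOKEN % '<sp:HashPassword/>'}</wsp:Policy>"


def audit_policy(xml_text):
    """Return a list of findings for a policy that carries a Username Token."""
    root = ET.fromstring(xml_text)

    def has(name, scope=root):
        # True if an sp:<name> assertion exists anywhere below `scope`.
        return scope.find(f".//{{{SP}}}{name}") is not None

    if not has("UsernameToken"):
        return ["no UsernameToken assertion found"]
    findings = []
    # Transport-level protection: TransportBinding that requires an HttpsToken.
    https = has("TransportBinding") and has("HttpsToken")
    # Message-level protection: token nested in an *EncryptedSupportingTokens
    # assertion (Encrypted-, SignedEncrypted-, EndorsingEncrypted-, ...).
    encrypted = any(
        has("UsernameToken", el) for el in root.iter()
        if el.tag.startswith(f"{{{SP}}}")
        and el.tag.endswith("EncryptedSupportingTokens"))
    if not (https or encrypted):
        findings.append("UsernameToken sent without HTTPS or token encryption")
    if has("HashPassword"):
        findings.append("HashPassword (Password Digest) requested; "
                        "not supported per the v6.3 slides")
    return findings


if __name__ == "__main__":
    for name, doc in [("https+plain", HTTPS_PLAIN), ("plain only", PLAIN_ONLY),
                      ("https+digest", HTTPS_DIGEST)]:
        print(name, "->", audit_policy(doc) or "ok")
```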

WSS in OTM v6.3 - Outbound
- Full support for Username Token Profile (except Password Digest type)
- Full support for HTTP and HTTPS
- Full support for Message Encryption
- WebLogic Server handles parsing of policy assertions
  - Requires additional WebLogic Server administration
- All pre-existing outbound Web Services defined in OTM will operate according to v6.2 logic, i.e. will not automatically have access to v6.3 capability

WSS in OTM v6.3 - Outbound (contd.)
- WSDL Document content needs to be URL
  - Existing records would not contain any WS-Policy details and so need to be reloaded.
- Use of Message Encryption requires additional administration tasks.
  - Storage of external X.509 Certificate in WebLogic keystore
  - New Web Service Security Configuration via Console (or config.xml)
  - Configure OTM property to match keystore alias to service endpoint
    glog.webservice.pki.alias.myalias=https://myserver/services/myencryptionservice

WSS in OTM v6.3 - Outbound (contd.)
- Credential Mapping

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Future
- Support for additional WSS profiles
  - SAML Token
  - X.509 Token
- Split GLogXML.xsd schema
  - Namespace
  - Versions
- Ability to attach client policy override to outbound services
  - Policy attachment via WebLogic Console and/or Deployment tools

Glossary
- OASIS: Organization for the Advancement of Structured Information Standards
- XSD: XML Schema Definition
- WSS: Web Services Security
- SAML: Security Assertion Markup Language
- X.509: ISO/IETF standard format for Public Key certificates.
- JAX-RPC: Java API for XML-based RPC (Remote Procedure Call)
- JAX-WS: Java API for XML-based Web Services (successor to JAX-RPC)

References
- OTM Documentation Library: http://docs.oracle.com/cd/e38437_01/otm/html/docset.html (Administration Guide, Integration Guide and Security Guide)
- OASIS
  - Home: https://www.oasis-open.org/standards
  - WSS: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
  - WSSP: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
- W3C
  - WSDL: http://www.w3.org/tr/#tr_wsdl
  - WSP: http://www.w3.org/tr/#tr_web_services_policy
