Security has always been one of the main pain points for the IT industry, and new security challenges have been introduced with the proliferation of the service-oriented approach to building modern software. Oracle Fusion Middleware provides a wide variety of features that ease building service-oriented solutions, but how can these services be secured? Should we implement the security features in each and every service, or is there a better way? During the webinar we are going to show how to implement non-intrusive declarative security for your SOA components by introducing the Oracle product portfolio in this area, such as Oracle Web Services Manager and Oracle Enterprise Gateway. Find out more at
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1
Implementing Web Services & SOA Security with Oracle Fusion Middleware
Dmitry Nefedkin
Oracle ISV Migration Center FMW Consultant
ISV Migration Center Team
Who we are: a team of senior technical consultants based in Eastern and Central Europe that represents Oracle's technical investment for partners.
Mission statement: enable partners to rapidly and successfully adopt and implement Oracle's latest technology.
How can we assist: we offer a wide range of free services for partners, such as one2one assistance, webinars, seminars and hands-on workshops.
ISV Migration Center blog: http://blogs.oracle.com/imc
Contacts:
Thanos Terentes Printzios, ISV Migration Center Manager, EE&CIS
Program Agenda
SOA & Web Services basics – the quick refresher
Oracle Fusion Middleware 11g SOA Stack
Common security risks in the Web Services world
SOA & Web Services security standards
Implementing SOA Security with the Oracle products
What is Service Oriented Architecture?
“Service Oriented Architecture (SOA) is a strategy for constructing business-focused, software systems from loosely coupled, interoperable building blocks (called Services) that can be combined and reused quickly, within and between enterprises, to meet business needs.”*
(* source: Oracle® Reference Architecture Master Glossary)
The Benefits of SOA
Improve Time-to-Market
Drive Down Costs
Improve Customer Service
Expand Channels
Drive Process Improvements
Enable Business Visibility
Comply With Regulations
Accelerate M&A Integrations
SOA != Web Services
Many approaches to implement your SOA
– “Classic” web services,
– RESTful web services
– CORBA
– …
“Classic” Web Services stack – Overview
– Rely on common standards that include:
  XML for metadata
  SOAP: a standard format for messaging over a network
  WSDL: the language that provides a description for web services
  UDDI: a web-based distributed directory to publish and locate information about web services
– Include additional specifications (WS-*) to define functionality for web services discovery, security, reliability, transactions, and management
“Classic” Web Services stack – SOAP
– A protocol specification for exchanging structured information in the implementation of Web Services
– Relies on XML for its message format
– Relies on Application Layer protocols (HTTP, SMTP, FTP, etc.) for message transmission
[Diagram: Client Application ↔ Service. A SOAP Envelope (Headers, Body) plus SOAP Attachments travels inside a Communications Envelope (HTTP, SMTP, FTP, etc.)]
“Classic” Web Services stack – Web Services Description Language (WSDL)
– A WSDL document describes:
  What the service does
  How the service is accessed
  Where the service is located
– It defines the messages and the operations of a service abstractly in XML.
[Diagram: WSDL document – Types, Messages, Port Types, Bindings, Services]
“Classic” Web Services stack – Universal Description, Discovery, and Integration (UDDI)
– XML-based registry
– Mechanism to register and locate web services
– Has not been as widely adopted as its designers had hoped
[Diagram: Service Registry. Development & Management Tools publish the Service (WSDL + metadata); clients discover the Service (WSDL + metadata) and invoke it over SOAP]
Program Agenda – Oracle Fusion Middleware 11g SOA Stack
Oracle WebLogic Server
– Industry's best application server for building and deploying enterprise Java EE applications
– WebLogic 11g supports Java EE 5 and JAX-WS 2.1 for web services development
– WebLogic 12c supports Java EE 6 and JAX-WS 2.2 for web services development
– Foundation for the SOA product offering
Oracle Fusion Middleware 11g SOA Stack – Connect & normalize with Adapters
[Diagram: ERP, Mainframe, Services, Partners and DB connected through adapters]
• Over 200 adapters
• For all technologies & applications: EBS, PSFT, Siebel, SAP, Databases, Files, FTP, JMS, MQ, etc.
• Graphical introspection of target applications
• Abstract complexity of underlying applications
• Convert from proprietary formats to XML
Oracle Fusion Middleware 11g SOA Stack – Virtualize, route, scale with Oracle Service Bus
[Diagram: Service Bus in front of ERP, Mainframe, Services, Partners and DB; 1,000’s of services, throughput measured in TPS / msg/s]
• Foundation for your shared services infrastructure
• Convert from one protocol and format to another, on the fly (e.g. consume a Mainframe service from .NET over SOAP)
• Add scalability through caching
Oracle Fusion Middleware 11g SOA Stack – Orchestrate services with standards-based BPEL & BPMN
[Diagram: BPEL & BPMN, Business Rules and Human Workflow on top of the Service Bus, connecting ERP, Mainframe, Services, Events, Partners and DB]
• Build process logic
• Involve people (human workflow) as well as systems
• Self-describing graphical design-time environment
• Build compensation logic for non-transactional services
Oracle Fusion Middleware 11g SOA Stack
Program Agenda – Common security risks in the Web Services world
Principles of Information Security
Core principles (CIA):
Confidentiality
Integrity
Availability
Also very important:
Authenticity
Non-repudiation
Compliance
These apply to SOA and web services as well.
OWASP Top 10 Application Security Risks (2010) https://www.owasp.org/index.php/Top_10_2010-Main
1. SQL Injection
2. Cross Site Scripting (XSS)
3. Authentication and session management
4. Insecure direct object references
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
Security Challenges for Web Services
Web services:
– Are loosely coupled
– Are based on the passing of readable and self-describing business messages represented in XML
– Can easily bypass network firewalls
– Expose business functionality through open APIs
– Enable multi-hop composite applications
Sample Web Services Attacks & Defenses
Attack                            Defense
Man in the Middle                 Encryption, digital signatures
Replay                            Nonce in payload, throttling
XML Bomb (XML Entity Expansion)   Payload analysis and validation
XML Injection                     Strict validation of the incoming payload
SOAP Attachments with viruses     Scan attachments through an anti-virus engine
Nice categorization of WS attacks at www.ws-attacks.org
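The Replay and XML Bomb rows of the table, worked as code. This is an added example, not code from the slides or from an Oracle product: a gate that refuses DTD and entity declarations and enforces size and nesting limits before parsing, then a nonce cache with a freshness window on wsu:Created. The limits, the sample request, the receive time and the small entity-expansion test vector are constructed.

```python
import io, re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MAX_BYTES = 64 * 1024             # size cap (assumption; size it for the real service)
MAX_DEPTH = 32                    # nesting cap (assumption)
FRESHNESS = timedelta(minutes=5)  # how far wsu:Created may sit from the receive time (assumption)
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Entities can only be declared in a DOCTYPE, so refusing any DTD stops entity expansion before parsing.
_DTD = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class PayloadRejected(Exception):
    """Raised for anything the gate refuses; the message is the reason."""


def parse_hardened(raw: bytes) -> ET.Element:
    """Parse raw XML only after the cheap structural checks pass."""
    if len(raw) > MAX_BYTES:
        raise PayloadRejected("payload exceeds size limit")
    if _DTD.search(raw):
        raise PayloadRejected("DTD / entity declarations are not accepted")
    depth, root = 0, None
    try:
        # iterparse reports start/end events while building the tree, so depth is checked in one pass
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                root = elem if root is None else root
                if depth > MAX_DEPTH:
                    raise PayloadRejected("element nesting too deep")
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from None
    return root


class ReplayCache:
    """Nonces seen within one freshness window; the timestamp check rejects anything
    older, so the cache never has to hold more than a window's worth of traffic."""

    def __init__(self) -> None:
        self._seen = {}                          # nonce -> the wsu:Created it arrived with

    def check(self, nonce: str, created: datetime, now: datetime) -> None:
        if abs(now - created) > FRESHNESS:
            raise PayloadRejected("wsu:Created outside the freshness window")
        for n, ts in list(self._seen.items()):   # evict nonces that can no longer be replayed
            if now - ts > FRESHNESS:
                del self._seen[n]
        if nonce in self._seen:
            raise PayloadRejected("replayed nonce")
        self._seen[nonce] = created


def accept_request(raw: bytes, cache: ReplayCache, now: datetime) -> ET.Element:
    """Gate one inbound SOAP request: hardened parse, then the nonce/timestamp replay check."""
    root = parse_hardened(raw)
    nonce = root.findtext(f".//{{{WSSE_NS}}}Nonce")
    created = root.findtext(f".//{{{WSU_NS}}}Created")
    if not nonce or not created:
        raise PayloadRejected("request carries no nonce or timestamp")
    stamp = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    cache.check(nonce, stamp, now)
    return root


def decision(raw: bytes, cache: ReplayCache, now: datetime) -> str:
    try:
        accept_request(raw, cache, now)
        return "accepted"
    except PayloadRejected as exc:
        return str(exc)


def sample_request(nonce: str) -> bytes:
    """Constructed request modelled on the slides' UsernameToken sample, with a nonce added."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}"><wsse:UsernameToken>
    <wsse:Username>acme</wsse:Username><wsse:Nonce>{nonce}</wsse:Nonce>
    <wsu:Created>2012-09-10T12:12:34Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><getHello xmlns="http://www.oracle.com"/></soap:Body></soap:Envelope>""".encode()


# Constructed receive time for the sample, and a two-level entity expansion the gate refuses.
NOW = datetime(2012, 9, 10, 12, 13, 0, tzinfo=timezone.utc)
XML_BOMB = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><d>&b;</d>'
```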
Program Agenda – SOA & Web Services security standards
Web Services Security approaches
Transport-level security:
– Secures only the connection itself
– Point-to-point, does not work well with intermediaries
– Based on Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
Message-level security:
– Protects the message, not the wire
– Designed to support intermediaries
– Based on the set of XML Encryption, SAML and WS-* standards
The two can be used together.
XML and Web Services Security Standards
General Security: algorithms (AES, DES, RSA), Kerberos, PKI, X.509, SSL …
XML Security: XML Encryption, XML Signature …
XML-based security: SAML, XACML, SPML …
Web Services security: WS-Policy, WS-Security, WS-Trust …
XML Signature and XML Encryption
XML Signature:
– Defines XML syntax and processing rules for creating and representing digital signatures
– Can be used to sign an entire XML document or selected parts (elements) within the document
XML Encryption:
– Defines a process of encryption and decryption, and also describes an XML syntax used to represent the encrypted content and the information that enables an intended recipient to decrypt it
– Supports the encryption of entire XML documents or individual elements within a document
WS-Policy
– Defines a framework for allowing web services to express their constraints and requirements
– Provides a model and the syntax for describing the policies of a web service
– Is divided into subsidiary specifications:
  WS-Policy: defines a grammar for expressing web service policies
  WS-PolicyAttachment: associates policies with web services
  WS-PolicyAssertions: defines a set of general policy assertions
Example of attaching WS-Policy to WSDL
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" ....>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="wss_username_token_service_policy">
<sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>
Example of attaching WS-Policy to WSDL (cont.)
<wsdl:message name="GetCustomerAccountsAndBalancesByIdInput">...</wsdl:message>
<wsdl:message name="GetCustomerAccountsAndBalancesByIdOutput">....</wsdl:message>
<wsdl:portType name="CustomerAccountsAndBalancesService_ptt">
<wsdl:operation name="GetCustomerAccountsAndBalancesByID">
<wsdl:input message="WL5G3N2:GetCustomerAccountsAndBalancesByIdInput"/>
<wsdl:output message="WL5G3N2:GetCustomerAccountsAndBalancesByIdOutput"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="CustomerAccountsAndBalancesService_pttBinding"
type="WL5G3N2:CustomerAccountsAndBalancesService_ptt">
<wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
URI="#wss_username_token_service_policy" wsdl:required="false"/>
<wsdl:operation name="GetCustomerAccountsAndBalancesByID">....</wsdl:operation>
</wsdl:binding>
<wsdl:service name="Service1">...</wsdl:service>
</wsdl:definitions>
WS-PolicyAssertions
– Policy assertion:
  Is the basic unit representing an individual requirement in a policy
  Is domain specific (security, reliability)
– Service providers use a policy assertion to convey a condition under which they offer a web service.
– Security assertions are defined in the WS-SecurityPolicy specification
WS-Security
– Specifies rules to ensure:
  Authentication: using security tokens
  Confidentiality: using the XML Encryption specification
  Integrity: using the XML Signature specification
– Supports multiple security tokens for authentication: username/password, X.509 certificate, Kerberos ticket, SAML assertion
– Defines elements for packaging security tokens into SOAP messages
[Diagram: SOAP Envelope containing a SOAP Header with a WS-Security Header carrying the Security Token, and a SOAP Body carrying the Business Payload]
WS-Security header with Username token
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    ...
    <wsse:Security soap:actor="oracle"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
      <wsse:UsernameToken wsu:Id="oracle"
          xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
        <wsse:Username>oracle</wsse:Username>
        <wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
        <wsu:Created>2009-05-19T08:46:04Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <getHello xmlns="http://www.oracle.com"/>
  </soap:Body>
</soap:Envelope>
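The two WS-Policy slides above and this UsernameToken sample, worked together as an added example (not code from the slides or from OWSM): a policy enforcement point that resolves the binding's wsp:PolicyReference to the embedded policy, derives that a UsernameToken is required, and checks the request's wsse:Security header against it. The WSDL and SOAP samples are constructed after the slides' snippets; accepting both the OASIS and the 2003/06 draft wsse namespaces is an assumption.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# The slide's token sample uses the 2003/06 draft secext namespace while OASIS WSS 1.0 clients
# send the 2004/01 one; a PEP that knows only one of them rejects the other (assumption: accept both).
WSSE_NAMESPACES = ("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
                   "http://schemas.xmlsoap.org/ws/2003/06/secext")
BINDING = "CustomerAccountsAndBalancesService_pttBinding"

# Constructed WSDL reduced to what the slides show: a policy with a wsu:Id and a binding referencing it.
WSDL = f"""<wsdl:definitions xmlns:wsdl="{WSDL_NS}" xmlns:tns="urn:example:accounts">
  <wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:wsu="{WSU_NS}" wsu:Id="wss_username_token_service_policy">
    <sp:SupportingTokens xmlns:sp="{SP_NS}"><wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="{SP_NS}/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <wsdl:binding name="{BINDING}" type="tns:CustomerAccountsAndBalancesService_ptt">
    <wsp:PolicyReference xmlns:wsp="{WSP_NS}" URI="#wss_username_token_service_policy"/>
  </wsdl:binding>
</wsdl:definitions>"""


def required_tokens(wsdl_xml: str, binding_name: str) -> set:
    """Follow the binding's wsp:PolicyReference to the wsp:Policy with the matching
    wsu:Id and return the sp:*Token assertions (local names) it requires."""
    root = ET.fromstring(wsdl_xml)
    binding = root.find(f"{{{WSDL_NS}}}binding[@name='{binding_name}']")
    if binding is None:
        raise ValueError(f"no binding named {binding_name}")
    tokens = set()
    for ref in binding.iter(f"{{{WSP_NS}}}PolicyReference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError(f"external policy {uri} is not resolved by this example")
        policy = next((p for p in root.iter(f"{{{WSP_NS}}}Policy")
                       if p.get(f"{{{WSU_NS}}}Id") == uri[1:]), None)
        if policy is None:
            raise ValueError(f"{uri} matches no wsu:Id in the WSDL")
        for el in policy.iter():
            ns, _, local = el.tag[1:].partition("}")
            if ns == SP_NS and local.endswith("Token"):   # UsernameToken, X509Token, ...
                tokens.add(local)
    return tokens


def enforce(soap_xml: str, required: set) -> str:
    """Admit the request only if its wsse:Security header satisfies the policy; returns the
    asserted username (verifying the password itself belongs to the identity store)."""
    if required != {"UsernameToken"}:
        raise PermissionError(f"this PEP enforces UsernameToken only, policy asks for {sorted(required)}")
    header = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Header")
    for ns in WSSE_NAMESPACES:
        security = None if header is None else header.find(f"{{{ns}}}Security")
        if security is not None:
            break
    else:
        raise PermissionError("no wsse:Security header; policy requires a UsernameToken")
    token = security.find(f"{{{ns}}}UsernameToken")
    if token is None:
        raise PermissionError("wsse:Security header carries no UsernameToken")
    user = token.findtext(f"{{{ns}}}Username")
    if not user or token.find(f"{{{ns}}}Password") is None:
        raise PermissionError("UsernameToken lacks Username or Password")
    return user


def sample_request(wsse_ns: str, with_token: bool) -> str:
    """Constructed request against BINDING; the token is optional so both outcomes can be shown."""
    token = ('<wsse:UsernameToken><wsse:Username>oracle</wsse:Username>'
             '<wsse:Password Type="wsse:PasswordText">oracle</wsse:Password></wsse:UsernameToken>'
             if with_token else "")
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{wsse_ns}">{token}</wsse:Security></soap:Header>'
            '<soap:Body><GetCustomerAccountsAndBalancesByID/></soap:Body></soap:Envelope>')


def decide(soap_xml: str) -> str:
    try:
        return "admit:" + enforce(soap_xml, required_tokens(WSDL, BINDING))
    except PermissionError as exc:
        return "deny:" + str(exc)
```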
Security Assertion Markup Language (SAML)
– Is an open framework for exchanging security information between different parties through XML documents
– Conveys information about subjects (human users or entities) with the following types of “assertions”:
  Authentication
  Authorization decision
  Attribute
WS-Security and SAML
– WS-Security and SAML work together:
  WS-Security defines how you insert the security information into a SOAP envelope.
  SAML defines what the security information is.
  WS-Security allows SAML assertions to be placed inside a SOAP header.
– SAML Token Profile 1.1 specifies how SAML assertions can be used for web services security.
WS-Security header with SAML token
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ser="urn:placeholder:service"> <!-- placeholder: the slide does not declare the ser prefix -->
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <saml1:Assertion AssertionID="21ADEB9D1C0C8E834613472791546433" IssueInstant="2012-09-10T12:12:34.643Z"
          Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType"
          xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml1:Conditions NotBefore="2012-09-10T12:12:34.643Z" NotOnOrAfter="2012-09-10T12:17:34.643Z"/>
        <saml1:AuthenticationStatement AuthenticationInstant="2012-09-10T12:12:34.643Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" xsi:type="saml1:AuthenticationStatementType">
          <saml1:Subject>
            <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                NameQualifier="welcome1">AcmeUser</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
        </saml1:AuthenticationStatement>
      </saml1:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ser:getCustomer><arg0>1</arg0></ser:getCustomer></soap:Body>
</soap:Envelope>
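The checks a relying party makes on the SAML 1.1 assertion above before trusting AcmeUser, as an added example that is not from the slides or any Oracle product. The assertion is a constructed copy of the slide's; the trusted-issuer list, the clock skew, the evaluation times and the flag standing in for the carrier message's signature check are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
TRUSTED_ISSUERS = {"www.oracle.com"}   # assumption: the relying party's issuer trust list
CLOCK_SKEW = timedelta(minutes=2)      # assumption: tolerated drift between issuer and relying party

# Constructed copy of the slide's assertion (same issuer, validity window and subject).
ASSERTION = f"""<saml1:Assertion xmlns:saml1="{SAML1}" AssertionID="21ADEB9D1C0C8E834613472791546433"
    IssueInstant="2012-09-10T12:12:34.643Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1">
  <saml1:Conditions NotBefore="2012-09-10T12:12:34.643Z" NotOnOrAfter="2012-09-10T12:17:34.643Z"/>
  <saml1:AuthenticationStatement AuthenticationInstant="2012-09-10T12:12:34.643Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml1:Subject>
      <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">AcmeUser</saml1:NameIdentifier>
      <saml1:SubjectConfirmation><saml1:ConfirmationMethod>{SENDER_VOUCHES}</saml1:ConfirmationMethod></saml1:SubjectConfirmation>
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>"""


def _utc(stamp: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z and an optional fraction."""
    return datetime.fromisoformat(stamp.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, message_signed_by_trusted_sender: bool) -> str:
    """Return the subject name the relying party may act on, or raise PermissionError.

    The XML Signature check on the carrier SOAP message is out of scope here and is stood in
    for by the boolean flag; a real PEP verifies that signature before calling this."""
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML1}}}Assertion" or (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        raise PermissionError("not a SAML 1.1 assertion")
    if a.get("Issuer") not in TRUSTED_ISSUERS:
        raise PermissionError(f"untrusted issuer {a.get('Issuer')!r}")
    cond = a.find(f"{{{SAML1}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise PermissionError("assertion has no validity window")
    if now + CLOCK_SKEW < _utc(cond.get("NotBefore")):
        raise PermissionError("assertion not yet valid")
    if now - CLOCK_SKEW >= _utc(cond.get("NotOnOrAfter")):
        raise PermissionError("assertion expired")
    stmt = a.find(f"{{{SAML1}}}AuthenticationStatement")
    subject = None if stmt is None else stmt.find(f"{{{SAML1}}}Subject")
    if subject is None:
        raise PermissionError("no AuthenticationStatement/Subject")
    method = subject.findtext(f"{{{SAML1}}}SubjectConfirmation/{{{SAML1}}}ConfirmationMethod")
    if method == SENDER_VOUCHES:
        # sender-vouches binds no key to the subject: the assertion is only as good as the signed
        # message carrying it, so an unsigned carrier means an unauthenticated subject.
        if not message_signed_by_trusted_sender:
            raise PermissionError("sender-vouches assertion in a message not signed by a trusted sender")
    elif method == HOLDER_OF_KEY:
        raise PermissionError("holder-of-key needs proof of key possession; not handled in this example")
    else:
        raise PermissionError(f"unsupported confirmation method {method!r}")
    name = subject.findtext(f"{{{SAML1}}}NameIdentifier")
    if not name:
        raise PermissionError("subject has no NameIdentifier")
    return name


def decide(xml_text: str, now: datetime, signed: bool) -> str:
    try:
        return "accept:" + validate_assertion(xml_text, now, signed)
    except PermissionError as exc:
        return "reject:" + str(exc)


# Constructed evaluation times: inside the slide's five-minute window, and well after it.
IN_WINDOW = datetime(2012, 9, 10, 12, 15, 0, tzinfo=timezone.utc)
AFTER_WINDOW = IN_WINDOW + timedelta(minutes=10)
```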
WS-Security and WS-Policy used together
[Diagram: a Web Service Client sends a Request (SOAP with a WS-Security token, encrypted*, signed*) to the Web Service Policy Enforcement Point, which authenticates and authorizes the call against the WS-SecurityPolicy and forwards it to the Service endpoint, whose WSDL has WS-Policies attached; the Response flows back the same way]
Program Agenda – Implementing SOA Security with the Oracle products
Oracle’s View: Security Inside-Out
Cloud Security: secure your hybrid infrastructure on-premise as well as in the Cloud. (Flexibility & Agility)
Perimeter Security: secure the Enterprise from external threats at the perimeter. (Control & Assurance)
Application Security: provide end-point security in heterogeneous environments. (Consistency & Manageability)
Middleware Security: protect from internal threats, reduce the security burden on applications. (Broad &amp; Deep integration)
Oracle’s SOA Security
[Diagram, Extranet → DMZ → Intranet, all under a Common Policy Model:]
– First Line Of Defense: Enterprise Gateway in the DMZ, terminating HTTP, SOAP, REST*, XML and JMS traffic from 3rd-party web services
– Shared Services Layer: Service Bus with an OWSM Agent (HTTP, SOAP, REST*, XML, JMS)
– End Point Security: Web Services with an OWSM Agent, also calling out to 3rd-party web services
– Security mechanisms: WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos; Sign & Encrypt
Oracle Web Services Manager Introduction
The Web Service Security provider of choice for Oracle’s Fusion Middleware and Oracle Fusion Applications.
• Oracle’s Unified Web Services Security Provider
• Purpose-built for the entire Fusion stack
• Prepackaged, zero install needed
[Diagram: Portal Users and WS Clients call IDM, Fusion App and SOA services over HTTP, SOAP and REST; each service is fronted by an OWSM Agent (enforcement) that asks the Policy Manager for a decision; policies are managed in Enterprise Manager, attached and deployed from JDeveloper, and persisted in the OWSM Policy Store]
Oracle Web Services Manager Introduction
Service Security: systematic, policy-driven, and standards-based Web Service Security infrastructure for the entire Fusion stack.
Open, Extensible: proven standards-driven interoperability and easy extensibility to meet all security needs.
Visibility, Control & Governance: centralized management with a single unified console for managing, monitoring, and auditing Web Service Security.
Oracle Web Services Manager Features – Systematic WS-Security for Fusion Middleware
• Policy Driven
  • Declarative
  • Externalized
  • Re-usable
• Pre-defined policies
  • Categorized: Security, MTOM, Reliable Messaging, WS-Addressing, Management
  • Building blocks: 60+ assertion templates to create new reusable policies
• Custom policies
Oracle Web Services Manager Features – Systematic WS-Security for Fusion Middleware
• Centralized Management (Policy Manager)
  • Configurable policy repository
  • Authoring
  • Versioning & Rollback
  • Auditing
  • Usage & Impact analysis
  • Export & Import
[Diagram: either one OWSM Policy Store per application (Billing App, Shipping App, Payable App, HR App), or a single OWSM Policy Store shared by all of them]
Oracle Web Services Manager Features – Systematic WS-Security for Fusion Middleware
• Policy Attachment & Enforcement (Agent)
  • Attach locally on the service
  • Attach globally for the entire enterprise, domain or application
  • Pre-installed, local policy enforcement point for the Fusion Stack
• Interoperable Industry Standards
  • WS-Security, WS-Policy, WS-SecurityPolicy
[Diagram: Global Attachment vs. Local Attachment]
Oracle Web Services Manager Features – Policy Attachment at design-time
Attach/Detach policies through JDeveloper
Design-time support for WebLogic, SOA, ADF, OSB, etc.
Oracle Web Services Manager Features – Policy Attachment post deployment
Attach/Detach policies directly on a service or client
Attach/Detach global policies
View policy usage analysis
Support policy management for WebLogic, SOA, ADF, etc.
Oracle Web Services Manager Features – Performance Monitoring
Track number of invocations, service faults, and policy violations
Collect violation metrics for service, port, and operation
View number of security and non-security violations
• Authentication and Authorization failures
• MTOM and Reliable Messaging
Oracle Web Services Manager Demo
Demo Use Case
XML Gateways
… are mainly deployed using XML web services:
• Highly CPU intensive
• Involves many modern & legacy standards and technologies
• Many types of clients
• Need SLAs, charge for usage
… are highly exposed:
• XML threats, viruses, DoS attacks etc.
• How do we ensure confidentiality and non-repudiation?
• Who can access the service, under what conditions?
• What data is leaving the network, and how?
OEG – perimeter to endpoint security
[Diagram, Extranet → DMZ → Intranet, under a Common Policy Model: Web Service Clients, REST Clients and Mobile WS Clients reach the Enterprise Gateway (First Line Of Defense) over HTTP, SOAP and REST; behind it, Web Services and Fusion App Services with OWSM Agents (End Point Security), again over HTTP, SOAP and REST]
Intrusion Detection (at the gateway):
• SQL Injection
• DOS
• Replay Attack
• Crypto Attack
• XML Bomb
Enterprise Gateway functions: Route, Transform, Encrypt/Decrypt, Validate, Access
Service Security (at the endpoint):
• ID Propagation
• Authentication
• Authorization
• Message Confidentiality & Integrity
• Replay Attack
Oracle Enterprise Gateway – DMZ Security
(Feature areas: DMZ Security, Ultra-fast XML Processing, Integrated & Extensible, Service Governance, Cloud Gateway)
XML Intrusion Detection: Content Attack, Schema/DTD Attack, Crypto Attack, Virus Scanning
Access Enforcement: Authentication, ID Propagation, Fine Grained AuthZ, Throttling, Transport/Message Security
Monitoring and Audit: Real-time Monitoring, Reporting, Audit and Compliance
Oracle Enterprise Gateway – Ultra-fast XML Processing
Process Offloading: Frees Resources, Faster Applications
XML Acceleration: XML Acceleration Engine, Faster XML Validation, Faster XML queries and transformations
XML Enrichment: Information Enrichment
Oracle Enterprise Gateway – Integrated & Extensible
Identity Management: Oracle Access Manager, Oracle Entitlements Server, Directory Services (ODS +), Oracle STS*
SOA: Oracle SOA Suite, Oracle Service Registry, Enterprise Manager, Oracle Web Service Manager
OS / Hardware: X86 (Westmere*), Sparc, Oracle Crypto Accelerator*
Oracle Enterprise Gateway – Service Governance
SOA Governance: Service Access, Service Usage, Availability
Closed Loop: Discovery & Publish to UDDI, Publish Metrics to EM
Audit & Report: Meter Usage, Audit Trail
Oracle Enterprise Gateway – Cloud Gateway
IaaS, PaaS, SaaS
Deployments on EC2, Oracle VM
Control cloud services
Regulate service usage
Continuous traffic monitoring
Data Redaction
Detect rogue usage
REST security
OAuth Support
Oracle Enterprise Gateway Architecture and Components
[Diagram: Web Services Clients → OEG (Enterprise Gateway) → Web Services. Management components: Enterprise Gateway Policy Studio, Enterprise Gateway Policy Center, Enterprise Gateway Service Manager, Enterprise Gateway Traffic Monitor | Real-time Monitor, Enterprise Gateway Service Explorer, Enterprise Gateway Service Monitor, backed by a Policy Store and a Usage Metrics Store. Functions shown: policy creation, editing and versioning; multiple-OEG policy management; load and security testing; service usage analysis; web services management; web admin interface]
Oracle Enterprise Gateway Demo
OEG integration with Oracle Access Manager – Authentication at the service perimeter
[Diagram: Extranet Web Service Clients (including a browser client presenting an SSO Cookie) → OEG in the DMZ, which consults Access Manager → Web Service on WebLogic Server in the Intranet]
Authentication at the service perimeter against:
– Oracle Directory Services (OID, ODSEE, OVD) directly
– Oracle Access Manager (SSO using an OAM-issued cookie) or 3rd-party WebSSO
– Non-Oracle Directory Servers and Access Management products
Token Mediation: SAML assertion generation using the username from the web service client
OEG integration with Oracle Access Manager
http://bit.ly/OAM11g-OEG
OEG integration with Oracle Entitlements Server
[Diagram: a Legacy Patient Record Application whose existing API returns Name & Contact Info, SSN, Physician Info, Existing Conditions, Prescriptions, Health Records, Insurance and Payment History. OEG acts as the PEP and asks the Entitlements Server (PDP) what each caller may see, then filters the response:]
– Help desk: Name & Contact Info, Masked SSN, Primary Physician, Insurance
– Accounting: Name & Contact Info, Masked SSN, Primary Physician, Insurance, Payment History
– Doctor: Name & Contact Info, Primary Physician, Health History
OEG integration with Oracle Entitlements Server
http://bit.ly/OES11g-OEG
Q&A
Dmitry Nefedkin
Oracle ISV Migration Center FMW Consultant
ISV Migration Center blog: http://blogs.oracle.com/imc