Web Services Manager in Action: a central security platform for Web services
Kersten Mebus, Lead Systems Consultant
Agenda
- Web Services Security
- Oracle Web Service Manager
- Samples
- OWSM vs OEG
- DEMO
- Summary
Web Service Security
Securing Web services using WS-Security standards:
- Supported by WS-SecurityPolicy standards, among others
- Applied to service end points, to provide:
  - Authentication and authorization
  - Signing and encrypting the whole message or parts thereof
  - Integrity (reliable messaging), confidentiality, and propagation of credentials
Diagram: Client sends Request to a Policy enforcement point in front of the Service end point; Response flows back. Authentication ("Who?") uses the WS-Security UsernameToken Profile (sign, encrypt, propagate); authorization ("Allow (Y/N)?") and authentication are governed by WS-SecurityPolicy.
Web Services Security Approaches
The standard ways of securing Web services are:
1. Protocol based:
   - Secure sockets layer (SSL)
   - Secure HTTP (S-HTTP)
2. Message based:
   - XML digital signature
   - XML encryption
   - Security Assertion Markup Language (SAML)
WS-Security Fundamentals
- Authentication: incorporated by using security tokens:
  - Username token
  - X.509 certificates
  - SAML assertions
- Confidentiality:
  - Supports the W3C XML encryption standard
  - Supports standard key exchange mechanisms
  - Enables encryption to be applied in parts
- Integrity:
  - W3C XML signature standard
  - Signature can be applied in parts
Oracle Web Services Manager 11g
- What it does: secures services across your entire SOA infrastructure using a unified, consistent and centrally managed policy infrastructure.
- How it works: simply define and apply policies; apply them at design time or at runtime, locally or globally.
Global Policy Management: Oracle WSM Policy Manager
- Clearly separates process logic from security concerns
- Secures endpoints
- Sets and propagates identity
Diagram: an HTTP/SOAP message enters the Service Infrastructure through a Web Service Interceptor (1: authentication, authorization; user token insertion such as SAML; integrity and confidentiality via signatures and encryption/decryption). Service Component Interceptors (2, 3, 4) apply authorization to Mediator, BPEL/BPM and Human Task components. An outgoing Web Service Interceptor (5) applies message integrity and confidentiality to the HTTP/SOAP message. The Policy Manager publishes security requirements as WS-Policy in the WSDL. Identity and policy backends: File, LDAP, DB, Java Platform Security, SSO (Oracle Access Manager and 3rd-party).
OWSM Security Policies
Oracle Web Services Manager policies include:
- oracle/wss_username_token_service_policy
- oracle/wss11_saml_token_client_policy
- oracle/wss11_message_protection_service_policy
- oracle/wss11_username_token_with_message_protection_service_policy
Diagram: Client sends Request through a Policy enforcement point to the Service; Response flows back.
- Authenticate: sets UsernameToken values
- WS-Security: carries the UsernameToken
- WS-SecurityPolicy: the oracle/wss_username_token_service_policy policy can be used to extract token data, apply authentication and authorization, and set the Subject
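To make the UsernameToken flow on the previous two security slides concrete, the following is an added example written for this page; it is not Oracle's OWSM code. It builds a SOAP envelope carrying a WS-Security UsernameToken with a PasswordDigest and then verifies it the way a policy enforcement point would: digest check per the UsernameToken Profile (Base64(SHA-1(nonce + created + password))), Created-timestamp freshness, and nonce replay rejection. The credential store, the sample user and the SOAP body are constructed for the example; a real enforcement point would resolve the user against the configured identity store (File, LDAP, DB) instead.

```python
"""Added example: verify a WS-Security UsernameToken (PasswordDigest variant).
Not OWSM code; the credential store and envelope below are constructed."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed identity store (hypothetical user); OWSM would consult File/LDAP/DB.
CREDENTIALS = {"alice": "s3cret-demo-password"}


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile: Base64(SHA-1(nonce-bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(user, password, created, nonce_b64):
    """Client side: SOAP envelope with a wsse:Security header carrying the token."""
    digest = password_digest(nonce_b64, created, password)
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getQuote/></soapenv:Body>
</soapenv:Envelope>"""


class UsernameTokenVerifier:
    """Service side: the checks a policy enforcement point applies to the token."""

    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials = credentials
        self.max_skew = max_skew
        self.seen_nonces = set()  # replay cache; in-memory for the example

    def verify(self, envelope_xml, now=None):
        """Return the authenticated username, or raise ValueError with the reason."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        token = root.find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            raise ValueError("no UsernameToken in wsse:Security header")
        user = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest tokens are accepted")
        if not (user and nonce and created):
            raise ValueError("UsernameToken missing Username, Nonce or Created")
        # Freshness: Created must lie within the allowed clock skew of server time.
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            raise ValueError("Created timestamp outside allowed skew")
        # Replay protection: a nonce is accepted only once within the freshness window.
        if nonce in self.seen_nonces:
            raise ValueError("nonce replayed")
        password = self.credentials.get(user)
        if password is None:
            raise ValueError("unknown user")
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            raise ValueError("password digest mismatch")
        self.seen_nonces.add(nonce)
        return user  # the enforcement point would now set this user as the Subject


def demo():
    """Constructed round trip: valid token, replayed token, wrong password."""
    created = "2024-05-01T12:00:00Z"
    now = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    nonce = base64.b64encode(os.urandom(16)).decode()
    verifier = UsernameTokenVerifier(CREDENTIALS)
    good = build_envelope("alice", CREDENTIALS["alice"], created, nonce)
    outcomes = {"valid": verifier.verify(good, now)}
    bad = build_envelope("alice", "wrong-password", created,
                         base64.b64encode(os.urandom(16)).decode())
    for label, envelope in (("replay", good), ("bad_password", bad)):
        try:
            verifier.verify(envelope, now)
            outcomes[label] = "accepted"
        except ValueError as err:
            outcomes[label] = str(err)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The verifier deliberately refuses PasswordText tokens: with a cleartext password the nonce and timestamp add nothing, so a service policy that accepts the token without message protection should pair it with transport-level confidentiality. The in-memory nonce cache must be bounded by the same freshness window, which is why the skew check runs before the replay check.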
Deployment Architecture
Diagram: two SOA domains. SOA Domain #1 hosts Oracle EM, a Service with an attached Agent (Policy Attachment), and the Policy Manager with its Policy Management Service; policies flow from the Policy Manager to the Agent. SOA Domain #2 hosts Oracle EM and a Policy Manager. JDeveloper obtains policies from a File policy store (only supported for JDev). Policies and usage data are kept in the Policy Store (MDS) on a DB, the only supported configuration for production.
Sample: Start Business Process (Web Services Security)
Diagram: a JAX-WS Client and a Quote Web App call the Credit Service over WSS 1.0 (SAML, ID propagation) and the Quote Service over WSS 1.1 (SAML, ID propagation); a Credit Check step ties them together. All end points are secured by OWSM policy.
Sample: Intermediate Business Process (SOA Security)
Diagram: an Internal PO Web App drives PO Processing, which calls the Credit Service, Quote Service and Fulfillment Service over WSS 1.0 and WSS 1.1 with SAML, ID propagation, message protection and role-based access control. All end points are secured by OWSM policy.
Sample: End Business Process (SOA and OSB Security)
Diagram: an Internal PO Web App and an External System reach PO Processing through the Oracle Service Bus; PO Processing calls the Credit Service, Quote Service and Fulfillment Service, and hands off to the AR System over JMS. All end points are secured by OWSM policy.
Oracle Enterprise Gateway: First Line of Defense
Diagram: Web Services Virtualization. From the Internet, a Web Client (Browser, HTTP GET/POST), a REST Web Service Client, an XML Web Service Client and a SOAP Web Service Client reach the Oracle Enterprise Gateway in the company's DMZ; a JMS Web Service Client reaches an OSB with OWSM extension. In the company's Green Zone, OWSM Agents provide last-mile security in front of the Web Services.
Oracle Enterprise Gateway Deployment
Diagram: Web Clients (Browser, HTTP GET/POST) and Web Service Clients (REST, XML, SOAP) enter through the Oracle Enterprise Gateway, which forwards REST and SOAP traffic to the Oracle Service Bus (*); a JMS Web Service Client connects to the OSB directly. Behind them, OWSM Agents protect .NET WS, PL/SQL WS, Tibco WS (JMS), WebCenter App, Java EE WS, ADF BC WS and SOA Composite end points. Supporting infrastructure: Oracle Identity Management, Metadata Store (MDS), Oracle Enterprise Manager and the OWSM Policy Manager.
(*) OSB can be deployed with or without the OWSM extension.
DEMO
Summary
Diagram: Oracle Web Services Manager provides SECURITY (WS-*) for Web services built on SOA/OSB/BPM, ADF, WebCenter and JAX-WS, all running on Oracle WebLogic Server.