So far we have discussed the authentication and device registration related aspects of our Oracle Mobile Access Management solution. Organizations build mobile applications to enable anywhere, anytime access for business transactions and information stored in databases, content management systems, and even mainframes somewhere in the corporate network. Until now, this information, and the types of transactions that users should be able to perform from mobile devices, has often only been available to internal users and applications through client devices issued by the organization. As such, these systems often have little, if any, security and compliance controls built in and instead relied on an implied level of trust. Now that we need to expose the corporate systems to devices running outside the corporate network, used by internal and external users, from unknown locations, and over potentially insecure networks, it is critical that we do so in a secure way and ensure that we can control what kind of business transactions can be performed and what information leaves our corporate network under what circumstances.

Mobile applications typically access corporate information through lightweight REST based APIs, as the devices lack support for the more full fledged application, web services, and SOA based infrastructures (SOAP, JMS, MQ, or even FTP based technologies) that existing corporate systems are often based on.

Oracle’s complete Access Management solution has been designed to help address all these challenges. With the Oracle Enterprise Gateway (OEG) we can take existing internal systems and corporate data built on the technologies we discussed and expose them as fully secure REST based APIs (using JSON based payloads) without the need for any coding, by virtualizing the existing backend SOAP, JMS etc. services as REST APIs.
We can transform not only the transport protocols used but also the security tokens required for authentication, identity propagation, and user claims (attribute assertions). For example: in our REST APIs we only want to accept JWT tokens issued by Oracle’s Mobile Access Management solution, but once the caller is authenticated we can convert these to SAML, Kerberos, or other tokens that are required by the backend systems. With OEG we get a large number of additional capabilities for our REST APIs – we can monitor and audit all the API access, business transactions, and the data requested. We ensure that the requests from mobile clients (or business partners, cloud applications etc.) are properly formed and are free from malicious content and threats such as SQL injection attacks, denial of service attacks (even those based on message payload content), viruses, and a large number of other XML, crypto, and other types of attacks. We can also define throttling policies to ensure that certain types of clients – perhaps based on their subscription (gold, silver, bronze) – can only perform a given number of transactions per day (or other time interval), charge per usage, and ensure that a rogue client doesn’t overload the system with a large number of requests.
Perhaps most importantly, we have integrated the gateway with all our other Access Management technologies: Oracle’s Mobile & Social solution for authentication and validation of user tokens, fraud detection, and Identity Context propagation; Oracle Entitlements Server for authorization and audit of REST API access and selective data redaction of the response payload; Oracle STS for centralized security token management; and our LDAP directories for user lookup and enrichment of the message payload (adding additional user information from LDAP to the payload).

NOTE to the presenter, some FAQs:

- Is Oracle Access Manager, Entitlements Server, Mobile/Social, STS, or Directory required, or does OEG work with 3rd party IDM infrastructure?
Oracle’s Mobile Access Management solution is pre-integrated and tested to provide a complete, end to end, highly performant and scalable solution for all your mobile needs. None of the various components are strictly required, but they are engineered to work together out of the box. OEG also provides heterogeneous support and integrations with a large number of 3rd party systems such as SiteMinder, various LDAP servers, SOA and web services infrastructures etc., but none of these other technologies provide an end to end solution for all your needs.

- Is OEG required to use Oracle’s Mobile / Social Access solution?
Oracle’s Mobile Access Management solution is pre-integrated and tested to provide a complete, end to end, highly performant and scalable solution for all your mobile needs. None of the various components are strictly required, but they are engineered to work together out of the box. There are other gateway vendors, but none of them provide the complete set of OOTB integrations with Oracle’s Access Management solutions, and when they do provide integrations these are often not as good as what we offer and cannot show support for the same set of use cases. As an example, there are 3rd party gateway vendors that offer integrations with Oracle Entitlements Server, but this is based on network / XACML based requests, whereas with OEG / OES we embed the OES PDP (Policy Decision Point, the authorization engine) in the gateway itself for superfast (microsecond) response times. No other gateway vendor provides an OOTB integration with Oracle Mobile / Social, and even integrations with something like Oracle Access Manager may require a fair amount of custom work.

- What is the difference between OEG and Vordel’s product?
Both products offer the same set of capabilities. OEG releases are generally in sync with Vordel’s but undergo rebranding and additional testing before being made available. Certain roadmap items are planned to be Oracle only IP.

- Do we offer a hardware based appliance / form factor of OEG?
OEG is tested and certified on the same set of hardware as Exalogic, and we can offer low cost hardware (4170M3) if of interest. Hardware appliances were fairly popular even two-three years ago, but these days most major organizations have a virtualization strategy (you can’t virtualize an appliance). OEG and virtualization technologies can run on and take advantage of the latest advances in processor technologies, whereas appliances such as DataPower are based on proprietary custom ASIC chips only produced in low volumes and cannot keep up. Appliances also come with some other limitations:
  - They cannot be deployed in the cloud, whereas OEG can be deployed, for example, in Amazon EC2.
  - When you buy an appliance (such as IBM DataPower) it has a 3-5 year expiry date on it, and you are then forced to buy a new appliance at the same price.
  - Do you really want to buy and deploy expensive appliances for your dev/test/qa environments?

- What virtualization technologies does OEG work with?
OEG works with Oracle VM, VirtualBox, VMware (standard corporate disclaimer), EC2, and others.

- Doesn’t my IPS (intrusion prevention system) provide sufficient protection against denial of service attacks and threats?
OEG provides protection by inspecting individual elements of the message packets and the request/response payload, whereas an IPS generally doesn’t have any understanding of the message formats and content beyond looking for certain general signatures (assuming it even has access to the payload), or helps protect against DDoS attacks etc. OEG, for example, can help protect against content retrieval attacks: it monitors typical access (perhaps someone normally looks at 10 documents per day of a given type) and flags when suddenly 100s or even 1000s of documents are being requested.
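As an added illustration of the two rate-based controls described above (the per-subscription throttling policy and the content retrieval attack detection), here is example code written for this page, not OEG’s own policy engine or configuration: a per-tier daily quota plus a baseline-deviation detector, replayed over constructed gateway log lines. The tier quotas, the log line format and the client names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Daily transaction quotas per subscription tier. The tier names come from the
# presentation; the numbers are constructed for this example.
TIER_QUOTAS = {"gold": 1000, "silver": 200, "bronze": 50}

class GatewayPolicy:
    """Per-client daily quota plus a content-retrieval burst detector."""

    def __init__(self, quotas, burst_factor=10):
        self.quotas = quotas
        self.burst_factor = burst_factor          # alert when docs/day > factor * baseline
        self.tx = defaultdict(int)                # (client, day) -> transactions seen
        self.docs = defaultdict(int)              # (client, day) -> documents retrieved
        self.baseline = {}                        # client -> typical documents per day

    def set_baseline(self, client, docs_per_day):
        self.baseline[client] = docs_per_day

    def decide(self, client, tier, ts, docs=0):
        key = (client, ts.date())
        self.tx[key] += 1
        if self.tx[key] > self.quotas[tier]:
            return "throttled"                    # daily quota for this tier exhausted
        self.docs[key] += docs
        base = self.baseline.get(client)
        if base is not None and self.docs[key] > base * self.burst_factor:
            return "alert"                        # far above normal: content retrieval attack?
        return "allow"

def parse_line(line):
    """Parse a constructed gateway log line: '<iso-ts> client=<id> tier=<tier> docs=<n>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["client"], kv["tier"], int(kv["docs"])

def run_sample():
    """Replay constructed traffic and return the decisions made per client."""
    policy = GatewayPolicy(TIER_QUOTAS)
    policy.set_baseline("mobile-7", 10)           # this client normally reads ~10 documents a day
    # Constructed log lines: a gold client pulling 120 documents, and a bronze client
    # sending 55 requests against a quota of 50.
    lines = [f"2014-03-01T09:{i:02d}:00 client=mobile-7 tier=gold docs=10" for i in range(12)]
    lines += [f"2014-03-01T10:{i:02d}:00 client=rogue-app tier=bronze docs=0" for i in range(55)]
    outcome = defaultdict(Counter)
    for line in lines:
        ts, client, tier, docs = parse_line(line)
        outcome[client][policy.decide(client, tier, ts, docs)] += 1
    return {client: dict(counts) for client, counts in outcome.items()}
```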
With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.