Partner Webcast – Implementing Web Services & SOA Security with Oracle Fusion Middleware - 20 September 2012

Security has always been one of the main pain points for the IT industry, and the proliferation of the service-oriented approach to building modern software has introduced new security challenges.
Oracle Fusion Middleware provides a wide variety of features that ease the building of service-oriented solutions, but how can these services be secured?

Should we implement the security features in each and every service, or is there a better way? During the webinar we show how to implement non-intrusive, declarative security for your SOA components by introducing the Oracle product portfolio in this area, such as Oracle Web Services Manager and Oracle Enterprise Gateway.



  1. Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
  2. Implementing Web Services & SOA Security with Oracle Fusion Middleware
     Dmitry Nefedkin, Oracle ISV Migration Center FMW Consultant, Dmitry.Nefedkin@oracle.com
  3. ISV Migration Center Team
     • Who we are: a team of senior technical consultants based in Eastern and Central Europe; it represents Oracle's technical investment for partners.
     • Mission statement: enable partners to rapidly and successfully adopt and implement Oracle's latest technology.
     • How we can assist: we offer a wide range of free services for partners, such as one-to-one assistance, webinars, seminars and hands-on workshops.
     ISV Migration Center blog: http://blogs.oracle.com/imc
     Contact: Thanos Terentes Printzios, ISV Migration Center Manager, EE&CIS, thanos.terentes.printzios@oracle.com
  4. Program Agenda
     • SOA & Web Services basics – the quick refresher
     • Oracle Fusion Middleware 11g SOA Stack
     • Common security risks in the Web Services world
     • SOA & Web Services security standards
     • Implementing SOA Security with the Oracle products
  5. What is Service Oriented Architecture?
     “Service Oriented Architecture (SOA) is a strategy for constructing business-focused software systems from loosely coupled, interoperable building blocks (called Services) that can be combined and reused quickly, within and between enterprises, to meet business needs.” (Source: Oracle® Reference Architecture Master Glossary)
  6. The Benefits of SOA
     • Improve time-to-market
     • Drive down costs
     • Improve customer service
     • Expand channels
     • Drive process improvements
     • Enable business visibility
     • Comply with regulations
     • Accelerate M&A integrations
  7. SOA != Web Services
     Many approaches exist to implement your SOA:
     • “Classic” web services
     • RESTful web services
     • CORBA
     • …
  8. “Classic” Web Services stack – Overview
     • Rely on common standards that include:
       – XML for metadata
       – SOAP: a standard format for messaging over a network
       – WSDL: the language that provides a description for web services
       – UDDI: a web-based distributed directory to publish and locate information about web services
     • Include additional specifications (WS-*) that define functionality for web services discovery, security, reliability, transactions and management
  9. “Classic” Web Services stack – SOAP
     • Protocol specification for exchanging structured information in the implementation of Web Services
     • Relies on XML for its message format
     • Relies on Application Layer protocols (HTTP, SMTP, FTP, etc.) for message transmission
     [Diagram: Client Application → SOAP Envelope (Headers, Body, SOAP Attachments), carried over the communications protocol → Service]
  10. “Classic” Web Services stack – Web Services Description Language (WSDL)
     • A WSDL document describes what the service does, how the service is accessed and where the service is located
     • It defines the messages and the operations of a service abstractly in XML
     [Diagram: sections of a WSDL document – Types, Messages, Port Types, Bindings, Services]
  11. “Classic” Web Services stack – Universal Description, Discovery, and Integration (UDDI)
     • XML-based registry
     • Mechanism to register and locate web services
     • Has not been as widely adopted as its designers had hoped
     [Diagram: the service is published (WSDL + metadata) to the Service Registry by the service development & management tools; the client discovers the service (WSDL + metadata) in the registry and then invokes it over SOAP]
  12. Program Agenda (section divider; next section: Oracle Fusion Middleware 11g SOA Stack)
  13. Oracle WebLogic Server – foundation for the SOA product offering
     • Industry's best application server for building and deploying enterprise Java EE applications
     • WebLogic 11g supports Java EE 5 and JAX-WS 2.1 for web services development
     • WebLogic 12c supports Java EE 6 and JAX-WS 2.2 for web services development
  14. Oracle Fusion Middleware 11g SOA Stack – Connect & normalize with Adapters
     • Over 200 adapters
     • For all technologies & applications: EBS, PSFT, Siebel, SAP, databases, files, FTP, JMS, MQ, etc.
     • Graphical introspection of the target
     • Abstract the complexity of the underlying applications
     • Convert from proprietary formats to XML
     [Diagram: adapters in front of ERP, Mainframe, Services, DB and Partners]
  15. Oracle Fusion Middleware 11g SOA Stack – Virtualize, route, scale with Oracle Service Bus
     • Foundation for your shared services infrastructure
     • Convert from one protocol and format to another on the fly (e.g. consume a mainframe service from .NET over SOAP)
     • Add scalability through caching
     [Diagram: the Service Bus (thousands of services, throughput measured in TPS / msg/s) in front of ERP, Mainframe, Services, DB and Partners]
  16. Oracle Fusion Middleware 11g SOA Stack – Orchestrate services with standards-based BPEL & BPMN
     • Build process logic
     • Involve people (human workflow) as well as systems
     • Self-describing graphical design-time environment
     • Build compensation logic for non-transactional services
     [Diagram: BPEL & BPMN, Business Rules and Human Workflow layered above the Service Bus, which fronts ERP, Mainframe, Services, DB, Partners and Events]
  17. Oracle Fusion Middleware 11g SOA Stack (overview diagram only)
  18. Program Agenda (section divider; next section: Common security risks in the Web Services world)
  19. Principles of Information Security – applies to SOA and web services as well
     Core principles (CIA):
     • Confidentiality
     • Integrity
     • Availability
     These are also very important:
     • Authenticity
     • Non-repudiation
     • Compliance
  20. OWASP Top 10 Application Security Risks (2010) – https://www.owasp.org/index.php/Top_10_2010-Main
     1. Injection (SQL injection being the best-known case)
     2. Cross-Site Scripting (XSS)
     3. Broken Authentication and Session Management
     4. Insecure Direct Object References
     5. Cross-Site Request Forgery (CSRF)
  21. OWASP Top 10 Application Security Risks (2010), continued
     6. Security Misconfiguration
     7. Insecure Cryptographic Storage
     8. Failure to Restrict URL Access
     9. Insufficient Transport Layer Protection
     10. Unvalidated Redirects and Forwards
  22. Security Challenges for Web Services
     Web services:
     • are loosely coupled
     • are based on passing readable, self-describing business messages represented in XML
     • can easily bypass network firewalls (they ride on HTTP/HTTPS, which perimeter firewalls normally let through)
     • expose business functionality through open APIs
     • enable multi-hop composite applications
  23. Sample Web Services Attacks & Defenses
     Attack                               Defense
     Man in the Middle                    Encryption, digital signatures
     Replay                               Nonce (together with a timestamp) in the payload, throttling
     XML Bomb (XML entity expansion)      Payload analysis and validation before the message reaches the SOAP stack
     XML Injection                        Strict validation of the incoming payload
     SOAP attachments with viruses        Scan attachments through an anti-virus engine
     A nice categorization of WS attacks is available at www.ws-attacks.org
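The “payload analysis and validation” defense in the row for XML bombs is what an XML gateway does before it hands a message to the SOAP stack. The following is an added example written for this page, not code from the webcast or from any Oracle product: a streaming pre-parse filter on top of Python's expat binding that rejects any DOCTYPE (the carrier of both entity-expansion bombs and XXE), any entity declaration, oversized messages and excessive nesting. The size, depth and element-count limits and the three sample payloads are assumptions constructed for the example.

```python
import xml.parsers.expat

# Assumed gateway limits for this example; tune them per service.
MAX_BYTES = 1_000_000
MAX_DEPTH = 64
MAX_ELEMENTS = 100_000


class PayloadRejected(Exception):
    """Raised from inside the parser callbacks to abort parsing early."""


def check_payload(data: bytes) -> dict:
    """Streaming pre-parse check for an incoming SOAP/XML payload.

    Rejects any DOCTYPE (entity-expansion bombs and XXE need one), any entity
    declaration, oversized messages, and excessive nesting or element counts,
    without ever expanding anything.
    Returns {"ok": bool, "reason": str, "elements": int, "max_depth": int}.
    """
    stats = {"elements": 0, "depth": 0, "max_depth": 0}

    def result(ok, reason):
        return {"ok": ok, "reason": reason,
                "elements": stats["elements"], "max_depth": stats["max_depth"]}

    if len(data) > MAX_BYTES:
        return result(False, "payload exceeds size limit")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise PayloadRejected("DOCTYPE rejected (entity expansion / XXE vector)")

    def on_entity_decl(*_):
        raise PayloadRejected("entity declaration rejected")

    def on_start(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > MAX_DEPTH:
            raise PayloadRejected("nesting exceeds depth limit")
        if stats["elements"] > MAX_ELEMENTS:
            raise PayloadRejected("element count exceeds limit")

    def on_end(name):
        stats["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except PayloadRejected as exc:          # our own handlers aborted the parse
        return result(False, str(exc))
    except xml.parsers.expat.ExpatError as exc:  # malformed XML
        return result(False, f"not well-formed: {exc}")
    return result(True, "accepted")


# Constructed sample messages (not taken from the slides).
CLEAN_SOAP = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
              b'<soap:Header/><soap:Body><getHello xmlns="http://www.oracle.com"/>'
              b'</soap:Body></soap:Envelope>')

# Classic "billion laughs": every level expands the previous one ten times.
XML_BOMB = (b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
            b' <!ENTITY lol "lol">\n'
            b' <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
            b' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
            b']>\n<lolz>&lol3;</lolz>')

# Deep nesting without any DTD, aimed at recursive-descent parsers.
DEEP_NESTING = b"<a>" * 70 + b"</a>" * 70

if __name__ == "__main__":
    for label, payload in (("clean", CLEAN_SOAP), ("bomb", XML_BOMB), ("deep", DEEP_NESTING)):
        print(label, check_payload(payload))
```

The check costs one pass over the bytes and allocates nothing proportional to the expanded size, which is the point: the bomb is refused at the `<!DOCTYPE` token, before any entity is expanded. In a real gateway the same pass would also feed a schema validation of the body, which is the “strict validation” row of the table.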
  24. Program Agenda (section divider; next section: SOA & Web Services security standards)
  25. Web Services Security approaches
     Transport-level security:
     • Secures only the connection itself
     • Point-to-point; does not work well with intermediaries
     • Based on Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
     Message-level security:
     • Protects the message, not the wire
     • Designed to support intermediaries
     • Based on the set of XML Encryption, SAML and WS-* standards
     The two can be used together.
  26. XML and Web Services Security Standards (layered, top to bottom)
     • Web Services security: WS-Policy, WS-Security, WS-Trust, …
     • XML-based security: SAML, XACML, SPML, …
     • XML Security: XML Encryption, XML Signature, …
     • General Security: Kerberos, PKI, X.509, SSL, …
     • Algorithms: AES, DES, RSA
  27. XML Signature and XML Encryption
     XML Signature:
     • Defines XML syntax and processing rules for creating and representing digital signatures
     • Can be used to sign an entire XML document or selected parts (elements) within the document
     XML Encryption:
     • Defines a process of encryption and decryption, and describes an XML syntax used to represent the encrypted content and the information that enables an intended recipient to decrypt it
     • Supports the encryption of entire XML documents or of individual elements within a document
  28. WS-Policy
     • Defines a framework that allows web services to express their constraints and requirements
     • Provides a model and the syntax for describing the policies of a web service
     • Is divided into subsidiary specifications:
       – WS-Policy: defines a grammar for expressing web service policies
       – WS-PolicyAttachment: associates policies with web services
       – WS-PolicyAssertions: defines a set of general policy assertions
  29. Example of attaching WS-Policy to WSDL
     <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" ....>
       <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                   xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
                   xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   wsu:Id="wss_username_token_service_policy">
         <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
           <wsp:Policy>
             <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
               <wsp:Policy>
                 <sp:WssUsernameToken10/>
               </wsp:Policy>
             </sp:UsernameToken>
           </wsp:Policy>
         </sp:SupportingTokens>
       </wsp:Policy>
  30. Example of attaching WS-Policy to WSDL (cont.)
       <wsdl:message name="GetCustomerAccountsAndBalancesByIdInput">...</wsdl:message>
       <wsdl:message name="GetCustomerAccountsAndBalancesByIdOutput">....</wsdl:message>
       <wsdl:portType name="CustomerAccountsAndBalancesService_ptt">
         <wsdl:operation name="GetCustomerAccountsAndBalancesByID">
           <wsdl:input message="WL5G3N2:GetCustomerAccountsAndBalancesByIdInput"/>
           <wsdl:output message="WL5G3N2:GetCustomerAccountsAndBalancesByIdOutput"/>
         </wsdl:operation>
       </wsdl:portType>
       <wsdl:binding name="CustomerAccountsAndBalancesService_pttBinding" type="WL5G3N2:CustomerAccountsAndBalancesService_ptt">
         <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#wss_username_token_service_policy" wsdl:required="false"/>
         <wsdl:operation name="GetCustomerAccountsAndBalancesByID">....</wsdl:operation>
       </wsdl:binding>
       <wsdl:service name="Service1">...</wsdl:service>
     </wsdl:definitions>
     The PolicyReference on the binding points, via the wsu:Id fragment, at the policy declared on the previous slide, so every port that uses this binding requires a WS-Security UsernameToken in each request.
  31. WS-PolicyAssertions
     • A policy assertion is the basic unit representing an individual requirement in a policy, and is domain specific (security, reliability, …)
     • Service providers use a policy assertion to convey a condition under which they offer a web service
     • Security assertions are defined in the WS-SecurityPolicy specification
  32. WS-Security
     • Specifies rules to ensure:
       – Authentication, using security tokens
       – Confidentiality, using the XML Encryption specification
       – Integrity, using the XML Signature specification
     • Supports multiple security tokens for authentication: username/password, X.509 certificate, Kerberos ticket, SAML assertion
     • Defines elements for packaging security tokens into SOAP messages
     [Diagram: SOAP Envelope → SOAP Header carrying the WS-Security header with the Security Token; SOAP Body carrying the business payload]
  33. WS-Security header with Username token
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
       <soap:Header>
         ...
         <wsse:Security soap:actor="oracle" xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
           <wsse:UsernameToken wsu:Id="oracle" xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
             <wsse:Username>oracle</wsse:Username>
             <wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
             <wsu:Created>2009-05-19T08:46:04Z</wsu:Created>
           </wsse:UsernameToken>
         </wsse:Security>
       </soap:Header>
       <soap:Body>
         <getHello xmlns="http://www.oracle.com"/>
       </soap:Body>
     </soap:Envelope>
     Note that PasswordText carries the password in clear, so such a token must only travel over TLS (or inside an encrypted element), and that the 2003/06 namespaces shown here are the pre-standard draft ones; the OASIS WSS 1.0 namespaces (oasis-200401-wss-…) on slide 36 are the ones current products emit.
  34. Security Assertion Markup Language (SAML)
     • An open framework for exchanging security information between different parties through XML documents
     • Conveys information about subjects (human users or entities) with the following types of “assertions” (statements):
       – Authentication
       – Authorization decision
       – Attribute
  35. WS-Security and SAML
     • WS-Security and SAML work together:
       – WS-Security defines how the information is inserted into a SOAP envelope
       – SAML defines what the security information is
       – WS-Security allows SAML assertions to be placed inside a SOAP header
     • The SAML Token Profile 1.1 specifies how SAML assertions are used for web services security
  36. WS-Security header with SAML token
     <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
       <soap:Header>
         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
           <saml1:Assertion AssertionID="21ADEB9D1C0C8E834613472791546433" IssueInstant="2012-09-10T12:12:34.643Z"
                            Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType"
                            xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <saml1:Conditions NotBefore="2012-09-10T12:12:34.643Z" NotOnOrAfter="2012-09-10T12:17:34.643Z"/>
             <saml1:AuthenticationStatement AuthenticationInstant="2012-09-10T12:12:34.643Z"
                                            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                                            xsi:type="saml1:AuthenticationStatementType">
               <saml1:Subject>
                 <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="welcome1">AcmeUser</saml1:NameIdentifier>
                 <saml1:SubjectConfirmation>
                   <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
                 </saml1:SubjectConfirmation>
               </saml1:Subject>
             </saml1:AuthenticationStatement>
           </saml1:Assertion>
         </wsse:Security>
       </soap:Header>
       <soap:Body>
         <ser:getCustomer><arg0>1</arg0></ser:getCustomer>
       </soap:Body>
     </soap:Envelope>
     (The ser: prefix of the body element is declared in the original message but not shown on the slide.) With the sender-vouches confirmation method the assertion carries no proof of possession: the recipient accepts it only because it trusts the sender that vouches for the subject, so the sender must itself be authenticated (a signature over the message, or mutual TLS) and authorised to vouch, and the five-minute Conditions window limits how long a captured assertion remains usable.
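What a recipient must check before it trusts the assertion above is easy to get wrong, so here is an added example written for this page, not code from the webcast or from any Oracle product: a policy check for a SAML 1.1 assertion taken out of a WS-Security header that validates the issuer against a trust list, the Conditions window with a small clock skew, and the confirmation method, refusing sender-vouches unless the caller has already authenticated the sender. The signature verification that would establish that sender is deliberately outside the function (it is passed in as a boolean); the trusted-issuer set, the clock values and the assertion builder are assumptions constructed for the demo, shaped after the slide's assertion.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"


def parse_saml_time(value: str) -> dt.datetime:
    """SAML dateTime values are UTC ('Z'), with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)


def evaluate_assertion(assertion_xml, now, trusted_issuers, sender_authenticated,
                       clock_skew_seconds=60):
    """Decide whether to accept a SAML 1.1 assertion from a WS-Security header.

    Checks issuer trust, the Conditions validity window and the subject
    confirmation method. For sender-vouches the assertion proves nothing by
    itself: it is accepted only if the caller has separately established that
    the sender is authenticated (message signature or mutual TLS) and allowed
    to vouch, which is what `sender_authenticated` represents.
    Returns (accepted, reason, subject_name).
    """
    a = ET.fromstring(assertion_xml)
    if a.tag != f"{{{SAML1}}}Assertion" or a.get("MajorVersion") != "1":
        return False, "not a SAML 1.x assertion", None
    issuer = a.get("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}", None
    cond = a.find(f"{{{SAML1}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing validity window", None
    skew = dt.timedelta(seconds=clock_skew_seconds)
    if now + skew < parse_saml_time(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    stmt = a.find(f"{{{SAML1}}}AuthenticationStatement")
    subject = stmt.find(f"{{{SAML1}}}Subject") if stmt is not None else None
    if subject is None:
        return False, "no authenticated subject", None
    name = subject.findtext(f"{{{SAML1}}}NameIdentifier")
    methods = [m.text for m in subject.iter(f"{{{SAML1}}}ConfirmationMethod")]
    if CM_SENDER_VOUCHES in methods:
        if not sender_authenticated:
            return False, "sender-vouches assertion from an unauthenticated sender", None
        return True, "accepted (sender-vouches)", name
    if CM_HOLDER_OF_KEY in methods:
        # Needs the proof-of-possession signature check, which this example does not implement.
        return False, "holder-of-key not supported by this check", None
    return False, f"unsupported confirmation method {methods}", None


def make_assertion(issuer, subject, not_before, not_on_or_after, method=CM_SENDER_VOUCHES):
    """Build an unsigned SAML 1.1 assertion shaped like the slide's (constructed sample)."""
    return f"""<saml1:Assertion xmlns:saml1="{SAML1}" AssertionID="21ADEB9D1C0C8E834613472791546433"
    IssueInstant="{not_before}" Issuer="{issuer}" MajorVersion="1" MinorVersion="1">
  <saml1:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <saml1:AuthenticationStatement AuthenticationInstant="{not_before}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml1:Subject>
      <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{subject}</saml1:NameIdentifier>
      <saml1:SubjectConfirmation><saml1:ConfirmationMethod>{method}</saml1:ConfirmationMethod></saml1:SubjectConfirmation>
    </saml1:Subject>
  </saml1:AuthenticationStatement>
</saml1:Assertion>"""


SLIDE_ASSERTION = make_assertion("www.oracle.com", "AcmeUser",
                                 "2012-09-10T12:12:34.643Z", "2012-09-10T12:17:34.643Z")

if __name__ == "__main__":
    now = parse_saml_time("2012-09-10T12:15:00Z")
    print(evaluate_assertion(SLIDE_ASSERTION, now, {"www.oracle.com"}, sender_authenticated=True))
    print(evaluate_assertion(SLIDE_ASSERTION, now, {"www.oracle.com"}, sender_authenticated=False))
```

The second call in the demo is the case to remember: the same assertion, byte for byte, is worthless when it arrives from a party the service has not authenticated, because anyone can write `<saml1:NameIdentifier>AcmeUser</saml1:NameIdentifier>` into a header.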
  37. WS-Security and WS-Policy used together
     [Diagram: the Web Service Client sends a request as SOAP with a WS-Security token, encrypted* and signed*, to the Policy Enforcement Point in front of the Web Service; the enforcement point authenticates and authorizes the request according to the WS-SecurityPolicy attached to the service endpoint's WSDL, forwards it to the service and returns the response]
  38. Program Agenda (section divider; next section: Implementing SOA Security with the Oracle products)
  39. Oracle’s View: Security Inside-Out
     • Cloud Security (flexibility & agility): secure your hybrid infrastructure, on-premise as well as in the Cloud
     • Perimeter Security (control & assurance): secure the enterprise from external threats at the perimeter
     • Application Security (consistency & manageability): provide end-point security in heterogeneous environments
     • Middleware Security (broad & deep integration): protect from internal threats, reduce the security burden on applications
  40. Oracle’s SOA Security
     [Diagram, left to right across Extranet / DMZ / Intranet:]
     • First line of defense (DMZ): the Enterprise Gateway, receiving HTTP, SOAP, REST*, XML and JMS traffic from 3rd-party web services
     • Shared services layer: the Service Bus with an OWSM Agent
     • End-point security: OWSM Agents on the Web Services themselves
     • Token and protection types handled: WS-Security, Basic Auth, Digest, X.509, UNT, SAML, Kerberos, Sign & Encrypt
     • A Common Policy Model spans all three layers
  41. Oracle Web Services Manager – Introduction
     The Web Service Security provider of choice for Oracle’s Fusion Middleware and Oracle Fusion Applications.
     • Oracle’s unified Web Services Security Provider
     • Purpose-built for the entire Fusion stack
     • Prepackaged, zero install needed
     [Diagram: WS clients (HTTP, SOAP, REST) and Portal users reach the IDM, Fusion App and SOA services through the OWSM Agent (enforcement); the OWSM Policy Manager (decision) and the Policy Store (persistence) back it; policies are attached in JDeveloper and deployed and managed through Enterprise Manager]
  42. Oracle Web Services Manager – Introduction
     • Service Security: systematic, policy-driven, standards-based Web Service Security infrastructure for the entire Fusion stack
     • Visibility, Control & Governance: centralized management with a single unified console for managing, monitoring and auditing Web Service Security
     • Open, Extensible: proven standards-driven interoperability and easy extensibility to meet all security needs
  43. Oracle Web Services Manager Features – Systematic WS-Security for Fusion Middleware
     • Policy driven: declarative, externalized, re-usable
     • Pre-defined policies, categorized: Security, MTOM, Reliable Messaging, WS-Addressing, Management
     • Building blocks: 60+ assertion templates to create new reusable policies
     • Custom policies
  44. Oracle Web Services Manager Features – Centralized Management (Policy Manager)
     • Configurable policy repository
     • Authoring
     • Versioning & rollback
     • Auditing
     • Usage & impact analysis
     • Export & import
     [Diagram: one central OWSM Policy Store shared by the Billing, Shipping, Payable and HR apps, or a separate OWSM Policy Store per application]
  45.–48. Oracle Web Services Manager Features – Centralized Management (Policy Manager): console screenshots walking through the same list (configurable policy repository, authoring, versioning & rollback, auditing, usage & impact analysis, export & import)
  49. Oracle Web Services Manager Features – Policy Attachment & Enforcement (Agent)
     • Attach locally on the service
     • Attach globally for the entire enterprise, domain or application
     • Pre-installed, local policy enforcement point for the Fusion stack
     • Interoperable industry standards: WS-Security, WS-Policy, WS-SecurityPolicy
     [Diagram: global attachment vs. local attachment]
  50. Oracle Web Services Manager Features – Policy Attachment at design time
     • Attach/detach policies through JDeveloper
     • Design-time support for WebLogic, SOA, ADF, OSB, etc.
  51. Oracle Web Services Manager Features – Policy Attachment post deployment
     • Attach/detach policies directly on a service or client
     • Attach/detach global policies
     • View policy usage analysis
     • Policy management support for WebLogic, SOA, ADF, etc.
  52. Oracle Web Services Manager Features – Performance Monitoring
     • Track the number of invocations, service faults and policy violations
     • Collect violation metrics per service, port and operation
     • View the number of security and non-security violations: authentication and authorization failures; MTOM and Reliable Messaging violations
  53. Oracle Web Services Manager Demo
  54. Demo Use Case
  55. XML Gateways
     …are highly exposed:
     • XML threats, viruses, DoS attacks, etc.
     • How do we ensure confidentiality and non-repudiation?
     • Who can access the service, and under what conditions?
     • What data is leaving the network, and how?
     …are mainly deployed using XML web services:
     • Highly CPU intensive
     • Involve many modern & legacy standards and technologies
     • Many types of clients
     • Need SLAs, charging for usage
  56. OEG – perimeter to endpoint security
     [Diagram, Extranet / DMZ / Intranet:]
     • Clients in the extranet (Web Service client, REST client, Mobile WS client) talk HTTP, SOAP and REST to the Enterprise Gateway in the DMZ, the first line of defense
     • Enterprise Gateway functions: intrusion detection (SQL injection, DoS, replay attack, crypto attack, XML bomb); transform, encrypt/decrypt, validate, route; service security (ID propagation, authentication, authorization, message confidentiality & integrity, replay attack)
     • OWSM Agents on the Web Service and on the Fusion App service in the intranet provide end-point security
     • A Common Policy Model spans the gateway and the agents
  57. Oracle Enterprise Gateway – DMZ Security (the other facets, covered on the following slides: Ultra-fast XML Processing, Integrated & Extensible, Service Governance, Cloud Gateway)
     • XML Intrusion Detection: content attack, schema/DTD attack, crypto attack, virus scanning
     • Access Enforcement: authentication and ID propagation, fine-grained AuthZ, throttling, transport/message security
     • Monitoring and Audit: real-time monitoring, reporting, audit and compliance
  58. Oracle Enterprise Gateway – Ultra-fast XML Processing
     • Process offloading: frees resources, faster applications
     • XML acceleration: XML acceleration engine, faster XML validation, faster XML queries and transformations
     • XML enrichment: information enrichment
  59. Oracle Enterprise Gateway – Integrated & Extensible
     • Identity management: Oracle Access Manager, Oracle Entitlements Server, Directory Services (ODS+), Oracle STS*
     • SOA: Oracle SOA Suite, Oracle Service Registry, Enterprise Manager, Oracle Web Services Manager
     • OS / hardware: x86 (Westmere*), SPARC, Oracle Crypto Accelerator*
  60. Oracle Enterprise Gateway – Service Governance
     • SOA governance: service access, service usage, availability
     • Closed loop: discovery & publishing to UDDI, publishing metrics to EM
     • Audit & report: meter usage, audit trail
  61. Oracle Enterprise Gateway – Cloud Gateway (IaaS, PaaS, SaaS)
     • Deployments on EC2, Oracle VM
     • Control cloud services; regulate service usage; detect rogue usage
     • Data redaction
     • Continuous traffic monitoring
     • REST security, OAuth support
  62. Oracle Enterprise Gateway – Architecture and Components
     • Policy Studio: policy creation, editing, versioning
     • Policy Center: multiple-OEG policy management, backed by the Policy Store
     • Service Manager: web admin interface for web services management
     • Service Explorer: load and security testing of web services
     • Service Monitor: traffic monitor / real-time monitor and service usage analysis, backed by the Usage Metrics Store
     [Diagram: web service clients → OEG Enterprise Gateway → web services]
  63. Oracle Enterprise Gateway Demo
  64. OEG integration with Oracle Access Manager – Authentication at the service perimeter
     [Diagram: web service clients in the extranet (including a browser-based client carrying an SSO cookie) → OEG in the DMZ, which consults Access Manager → Web Service on WebLogic Server in the intranet]
     • Authentication against:
       – Oracle Directory Services (OID, ODSEE, OVD) directly
       – Oracle Access Manager (SSO using the OAM-issued cookie) or a 3rd-party Web SSO
       – Non-Oracle directory servers and access management products
     • Token mediation: SAML assertion generation using the username from the web service client
  65. OEG integration with Oracle Access Manager – http://bit.ly/OAM11g-OEG
  66. OEG integration with Oracle Entitlements Server
     [Diagram: the legacy Health Records / Patient Record API returns Name & Contact Info, SSN, Physician Info, Existing Conditions, Prescriptions and Payment History; OEG acts as the PEP and Entitlements Server as the PDP, so each caller receives only the fields it is entitled to:]
     • Help desk: Name & Contact Info, masked SSN, Primary Physician, Insurance
     • Insurance Application: Name & Contact Info, masked SSN, Primary Physician, Insurance
     • Accounting: Payment History
     • Doctor: Name & Contact Info, Primary Physician, Health History
  67. OEG integration with Oracle Entitlements Server – http://bit.ly/OES11g-OEG
  68. Q&A
     Dmitry Nefedkin, Oracle ISV Migration Center FMW Consultant, Dmitry.Nefedkin@oracle.com
     ISV Migration Center blog: http://blogs.oracle.com/imc
