Blake Dournaee – Product Manager, Intel SOA Products Group Matt Sebastian – Solution Architect, Oracle Enterprise Solutions Group How to Extend Oracle Fusion Middleware with a Security Gateway Appliance - Integration Scenarios for Securing External Web Services Presented by: September 30, 2009

Key Learning Objectives Identify which Oracle products can be leveraged by SOA Expressway to secure external web services Showcase why a Security Gateway Appliance is the recommended perimeter security model for Oracle Fusion Middleware Differentiate appliance form factors and illustrate why a Virtualized SOA Soft-appliance excels in today’s datacenter

Identify which Oracle products can be leveraged by SOA Expressway to secure external web services

Showcase why a Security Gateway Appliance is the recommended perimeter security model for Oracle Fusion Middleware

Differentiate appliance form factors and illustrate why a Virtualized SOA Soft-appliance excels in today’s datacenter

External Web Services Present a Different Challenge Internal Enterprise Need Solved XML content threats? Expose internal service externally? Partner SLAs? Expense to scale middleware? Tie-in to VDC strategy? B2B service monitoring? Consistent security policy? Credential mapping & federation? SOA Security Appliances are purpose built to address Web Service security Oracle Web Logic Suite Application & Service Deployment Oracle SOA Suite Internal Web Services Oracle Web Services Manager Internal Web Services Mgmt Oracle IdM (OID, OAM, OEM) Internal SSO, AAA, Fine Grained Authorization

XML content threats?

Expose internal service externally?

Partner SLAs?

Expense to scale middleware?

Tie-in to VDC strategy?

B2B service monitoring?

Consistent security policy?

Credential mapping & federation?

“ XML parsing and transformation is too slow to be useful for web sites; I need to process XML at wire speed.” “ I need to provide scalable XML security for my Web Services. I need validation and message level security for my XML.” “ All of my new applications require workflows that deal in XML processing or legacy integration . How did we arrive here? SOA Appliance Evolution Static XML Latency, Throughput XML Web Services Performance, Security Power Service Oriented Architecture Performance, Power, Security, VDC Ready Date Paradigm Problem Architecture/ Form Factor 2000 Data 2002-2006 Data 2008+ Data XML Proxy XML/HTTP XML HTML WS Proxy .NET AXIS IBM AAA SOA Proxy SOAP,XML/JMS,FTP,MLLP,HTTP SOAP,XML/JMS,FTP,MLLP,HTTP JVM DB AAA .NET AXIS IBM

“ XML parsing and transformation is too slow to be useful for web sites; I need to process XML at wire speed.” “ I need to provide scalable XML security for my Web Services. I need validation and message level security for my XML.” “ All of my new applications require workflows that deal in XML processing or legacy integration . How did we arrive here? SOA Appliance Evolution Static XML Latency, Throughput XML Web Services Performance, Security Power Service Oriented Architecture Performance, Power, Security, VDC Ready Date Paradigm Problem Architecture/ Form Factor 2000 Data 2002-2006 Data 2008+ Data XML Proxy XML/HTTP XML HTML WS Proxy .NET AXIS IBM AAA SOA Proxy SOAP,XML/JMS,FTP,MLLP,HTTP SOAP,XML/JMS,FTP,MLLP,HTTP JVM DB AAA .NET AXIS IBM XML Accelerator

“ XML parsing and transformation is too slow to be useful for web sites; I need to process XML at wire speed.” “ I need to provide scalable XML security for my Web Services. I need validation and message level security for my XML.” “ All of my new applications require workflows that deal in XML processing or legacy integration . How did we arrive here? SOA Appliance Evolution Static XML Latency, Throughput XML Web Services Performance, Security Power Service Oriented Architecture Performance, Power, Security, VDC Ready Date Paradigm Problem Architecture/ Form Factor 2000 Data 2002-2006 Data 2008+ Data XML Proxy XML/HTTP XML HTML WS Proxy .NET AXIS IBM AAA SOA Proxy SOAP,XML/JMS,FTP,MLLP,HTTP SOAP,XML/JMS,FTP,MLLP,HTTP JVM DB AAA .NET AXIS IBM XML Accelerator Security Gateway Hardware Appliance

“ XML parsing and transformation is too slow to be useful for web sites; I need to process XML at wire speed.” “ I need to provide scalable XML security for my Web Services. I need validation and message level security for my XML.” “ All of my new applications require workflows that deal in XML processing or legacy integration . How did we arrive here? SOA Appliance Evolution Static XML Latency, Throughput XML Web Services Performance, Security Power Service Oriented Architecture Performance, Power, Security, VDC Ready Date Paradigm Problem Architecture/ Form Factor 2000 Data 2002-2006 Data 2008+ Data XML Proxy XML/HTTP XML HTML WS Proxy .NET AXIS IBM AAA SOA Proxy SOAP,XML/JMS,FTP,MLLP,HTTP SOAP,XML/JMS,FTP,MLLP,HTTP JVM DB AAA .NET AXIS IBM XML Accelerator Security Gateway Hardware Appliance Virtualized SOA Appliance

Ref Architecture – Security Gateway Highly scalable/cost-effective SOA mediation and security solution

Core Threat Prevention Features Multi-stage Denial of Service (DoS) Protection: Multi-stage escalation and resiliency Content threats: Pre-built and extensible content filtering for the full application payload Hitless Policy Updates: Update threat signatures with zero downtime Unidirectional Protection: Protect back-end systems, partners and clients

Multi-stage Denial of Service (DoS) Protection: Multi-stage escalation and resiliency

Content threats: Pre-built and extensible content filtering for the full application payload

Hitless Policy Updates: Update threat signatures with zero downtime

Unidirectional Protection: Protect back-end systems, partners and clients

Security Gateway Benefits Single entry point (sentry) for all XML/WS traffic Edge security provides earlier threat protection Separation of concerns Consistent security policy enforcement High performance security offload Easier to manage & audit Security Gateway puts security architects in control!

Single entry point (sentry) for all XML/WS traffic

Edge security provides earlier threat protection

Separation of concerns

Consistent security policy enforcement

High performance security offload

Easier to manage & audit

XML Security Threats XML threats specific to b-to-b (services & APIs) XML upstream (browser to services) - Web 2.0 components and protocol attacks XML downstream (services to browser) - browsers and client attacks Must Now Recognize Security In Outbound Direction Application Environment & XML Streams XML Threat Dimensions Security Change:

XML threats specific to b-to-b (services & APIs)

XML upstream (browser to services) - Web 2.0 components and protocol attacks

XML downstream (services to browser) - browsers and client attacks

Continuous Platform Improvements Movement towards multi-core computing lowers costs and increases efficiency Commodity hardware and virtualization continue to proliferate New Challenges SOA applications need immediate multi-core enablement SOA needs an efficient virtualization tie-in Mission critical SOA requires efficient, continuously scalable XML processing SOA applications need all the help they can get from the platform! Moore’s Law for SOA Infrastructure Change: Lower Cost Commodity Hardware Upgrade Compute Intensive SOA/XML Servers Software’s Flexibility Multi-core Optimization CoreTM i7 processor features Streaming SIMD Extensions 4.2 Upgrade Software to take Advantage of Moore’s Law Optimizations Can Deliver 8X Performance Over Hardware Appliances

Continuous Platform Improvements

Movement towards multi-core computing lowers costs and increases efficiency

Commodity hardware and virtualization continue to proliferate

New Challenges

SOA applications need immediate multi-core enablement

SOA needs an efficient virtualization tie-in

Mission critical SOA requires efficient, continuously scalable XML processing

SOA applications need all the help they can get from the platform!

Upgrade Compute Intensive SOA/XML Servers

Multi-core Optimization

CoreTM i7 processor features

Streaming SIMD Extensions 4.2

Policy Governance: Current State Standards Vendor A App Server, Registry, or Repository Vendor Policy Vendor A SOA Appliance Vendor A Access/AAA Manager ENTERPRISE DOMAIN 1 PAP: Admin PDP: Decision PEP: Enforce Vendor B App Server, Registry, or Repository Vendor Policy Vendor B SOA Appliance Vendor B Access/AAA Manager ENTERPRISE DOMAIN 2 Current State Vendor specific policy One-off integration to use policy with other vendor’s PEP Forced to stack vendor suite approach vs best of breed runtime & design time policy framework Governance managed at domain level by vendor x Change: Web Service Client Web Service Client PAP: Admin PDP: Decision PEP: Enforce

Current State

Vendor specific policy

One-off integration to use policy with other vendor’s PEP

Forced to stack vendor suite approach vs best of breed runtime & design time policy framework

Governance managed at domain level by vendor

Vendor A App Server, Registry, or Repository Standard Policy ANY VENDOR SOA Appliance Vendor A Access/AAA Manager ENTERPRISE DOMAIN 1 PAP: Admin PDP: Decision PEP: Enforce Vendor B App Server, Registry, or Repository Standard Policy ANY VENDOR SOA Appliance Vendor B Access/AAA Manager ENTERPRISE DOMAIN 2 PAP: Admin PDP: Decision PEP: Enforce Requirements Standard Schemas (XACML,WS-Policy, WS-Mex) Seamless integration between cross-vendor PEPs & PDPs SOA Appliance integration with any IdM or PDP source. Enable True Federated Governance Model Policy Driven SOA Evolution Standards Change: Cross Domain Federated Governance Web Service Client Web Service Client

Requirements

Standard Schemas (XACML,WS-Policy, WS-Mex)

Seamless integration between cross-vendor PEPs & PDPs

SOA Appliance integration with any IdM or PDP source.

Enable True Federated Governance Model

10/08/09 Software Service Router – Security, Governance, Mediation, Virtualization Form Factor – Software (Windows, Linux, Solaris* on x86), Virtual Appliance, Hardware Appliance Optimized for Intel® Multi-Core – Scales directly on standard Intel-based servers Key Capabilities Performance – Best-in-class wire speed XML acceleration & core XML IP Service Mediation – Sophisticated service mediation with non-XML data handling Service Governance – Runtime governance for enforcing service policies & reporting Security Features – Security proxy, services firewall, AAA, TLS, trust mediation & threats Flexibility – Appliance manageability with software extensibility. Extensibility – Custom business rules, service hosting, data and messaging adapters Fast installation, open architecture= Simple overlay for Oracle deployment Introducing Intel SOA Expressway

Software Service Router – Security, Governance, Mediation, Virtualization

Form Factor – Software (Windows, Linux, Solaris* on x86), Virtual Appliance, Hardware Appliance

Optimized for Intel® Multi-Core – Scales directly on standard Intel-based servers

Key Capabilities

Performance – Best-in-class wire speed XML acceleration & core XML IP

Service Mediation – Sophisticated service mediation with non-XML data handling

Service Governance – Runtime governance for enforcing service policies & reporting

Security Features – Security proxy, services firewall, AAA, TLS, trust mediation & threats

Flexibility – Appliance manageability with software extensibility.

Extensibility – Custom business rules, service hosting, data and messaging adapters

Service Router Deployment Enterprise Perimeter (DMZ) Enterprise Applications & Services Partner Service or Client Cloud service or Application Perimeter Defense Runtime Governance Cloud Governance XML threat defense Security Gateway DoS Protection AAA Tamper Evident Runtime governance Virtual Appliance/Server Software Interoperable with any policy manager Partner service mediation Service Throttling Capacity Tuning Full Virtualization Multi-Tenancy SLA enforcement & Audit Oracle* Fusion Middleware

XML threat defense

Security Gateway

DoS Protection

AAA

Tamper Evident

Runtime governance

Virtual Appliance/Server Software

Interoperable with any policy manager

Partner service mediation

Service Throttling

Capacity Tuning

Full Virtualization

Multi-Tenancy

SLA enforcement & Audit

Expressway = Tied to Intel Chip Roadmap Performance Core Now: Up to 8x custom appliances Next: SOA Expressway will continue its leadership in performance with full optimization based on Intel multi-core, unique utilization of instruction sets and architectural roadmap On Nehalem SOA Expressway uses Intel® SSE4.2 XML/SOAP processing XML Threat detection On Westmere SOA Expressway will use Crypto Acceleration using AESNI Higher WS-Security, SSL performance Sandy Bridge SOA Expressway will use AVX optimized XML/SOAP processing ESIII Architecture ^ AESNI - Advanced Encryption Standard New Instruction AVX – Advanced Vector Extensions

On Nehalem

SOA Expressway uses

Intel® SSE4.2

XML/SOAP processing

XML Threat detection

On Westmere

SOA Expressway will use

Crypto Acceleration using AESNI

Higher WS-Security, SSL performance

Sandy Bridge

SOA Expressway will use

AVX optimized XML/SOAP processing

ESIII Architecture

Policy Driven SOA for Diverse Environment PAP 1 PAP 2 PAP 3 PAP n … Oracle OWSM 11g Policy Server Or other Reg/Rep Solution that has Vendor Policy Non-standard policy Pseudo-standard-based policy Current State

Oracle OWSM 11g Policy Server

Or other Reg/Rep Solution that has

Vendor Policy

Non-standard policy

Pseudo-standard-based policy

Policy Driven SOA for Diverse Environments PAP 1 PAP 2 PAP 3 PAP n … Security Enforcement Point Oracle OWSM 11g Policy Server Or other Reg/Rep Solution that has Vendor Policy Non-standard policy Pseudo-standard-based policy Current State SOA Expressway polls for policy changes Downloads new policy and artifacts Transforms policy Seamless transition without message loss Policy Integration

Oracle OWSM 11g Policy Server

Or other Reg/Rep Solution that has

Vendor Policy

Non-standard policy

Pseudo-standard-based policy

SOA Expressway polls for policy changes

Downloads new policy and artifacts

Transforms policy

Seamless transition without message loss

Policy Driven SOA for Diverse Environment Open, pluggable architecture supports broad integration SOAE Driven by Policies We Enforce PAP 1 PAP 2 PAP 3 PAP n … Exchange data between services inside or outside the datacenter Enforcement of SLAs, FIFO and Throttling Protection against threats not covered by firewall AAA functions: data-privacy & AuthN for message/transport Mediation QoS Threats Trust Security Enforcement Point Oracle OWSM 11g Policy Server Or other Reg/Rep Solution that has Vendor Policy Non-standard policy Pseudo-standard-based policy Current State SOA Expressway polls for policy changes Downloads new policy and artifacts Transforms policy Seamless transition without message loss Policy Integration

Exchange data between services inside or outside the datacenter

Enforcement of SLAs, FIFO and Throttling

Protection against threats not covered by firewall

AAA functions: data-privacy & AuthN for message/transport

Oracle OWSM 11g Policy Server

Or other Reg/Rep Solution that has

Vendor Policy

Non-standard policy

Pseudo-standard-based policy

SOA Expressway polls for policy changes

Downloads new policy and artifacts

Transforms policy

Seamless transition without message loss

Integration with Oracle 11g SOA Suite

Use Case 1: XML Attack Protection XML Attack Protection: When an internet /cloud service is exposed to XML content threats, such as coercive parsing or semantic threats Content Threats: Pre-built and extensible content filtering for the full application payload DoS Protection: M ulti-level, adaptive denial of service protection to block, rate-shape and alert on bad traffic Performance Side Effects from Bad XML Calls: Offload processing cycles spent by Oracle SOA or OWSM suite dealing with bad XML calls, via filtration. Use OWSM for internal services and SOA Expressway for external services

XML Attack Protection: When an internet /cloud service is exposed to XML content threats, such as coercive parsing or semantic threats

Content Threats: Pre-built and extensible content filtering for the full application payload

DoS Protection: M ulti-level, adaptive denial of service protection to block, rate-shape and alert on bad traffic

Performance Side Effects from Bad XML Calls: Offload processing cycles spent by Oracle SOA or OWSM suite dealing with bad XML calls, via filtration.

Use OWSM for internal services and SOA Expressway for external services

Use Case-2: Performance Benefits 10/08/09 Increased throughput for Critical SOA apps Optimal when transactions exceed 5,000 messages/ sec. Intel Multi-core Optimized Patented algorithms Optimized memory Only product to have sub-millisecond simple proxy performance Large Message Handling Prevent saturation/performance degradation of the Oracle Service Bus for large messages or transformations 100KB or more Best in Class Performance. Oracle Lab Tested App Servers ESBs Hardware Appliance Software Appliance Intel SOA Expressway MPS 10x-100x Improvement for XML Rich Apps

Increased throughput for Critical SOA apps

Optimal when transactions exceed 5,000 messages/ sec.

Intel Multi-core Optimized

Patented algorithms

Optimized memory

Only product to have sub-millisecond simple proxy performance

Large Message Handling

Prevent saturation/performance degradation of the Oracle Service Bus for large messages or transformations 100KB or more

Use Case-3: Oracle IdM Integration On-demand delegation of AuthN and AuthZ decisions to Oracle IDM Suite – can optionally enforce identity checks closer to the network edge. Can perform authentication by integrating directly with the Access Server portion of the Oracle Access Manager or OID Acts as Security Token Server to normalize & map inbound credentials from other domain to format needed by Oracle OWSM for web service or web SSO Preserve investment in Oracle IDM & extend externally with SOAE

On-demand delegation of AuthN and AuthZ decisions to Oracle IDM Suite – can optionally enforce identity checks closer to the network edge.

Can perform authentication by integrating directly with the Access Server portion of the Oracle Access Manager or OID

Acts as Security Token Server to normalize & map inbound credentials from other domain to format needed by Oracle OWSM for web service or web SSO

Preserve investment in Oracle IDM & extend externally with SOAE

Hardware Appliances They lose all of their capital value over a five-year period At capital replacement time, the appliance must be upgraded or retired Retained Value: 0% SOA Expressway Software Appliance Only the server hardware depreciates, software holds value At capital replacement time, general purpose servers can be repurposed Retained Value: 92% (or more) Benefits of Moore’s Law for SOA & Virtualization

Hardware Appliances

They lose all of their capital value over a five-year period

At capital replacement time, the appliance must be upgraded or retired

Retained Value: 0%

SOA Expressway Software Appliance

Only the server hardware depreciates, software holds value

At capital replacement time, general purpose servers can be repurposed

Retained Value: 92% (or more)

Oracle & Intel: The Premier Web Service Security Solution Download Eval and test Oracle specific scenarios Criteria Intel & Oracle Joint Solution Full featured Security Gateway Mature solution packed with unique features: XSLT 2.0, XPath2.0, WS*, Virtualization Performance & scale Clear leader. In production at world’s largest SOA deployments Fast, drop-in Oracle Integration Oracle lab tested & field trained Vendor viability Intel SSG is 6 th largest in software. World class support. Strategic tie-in to chip. Affordable solution Typically ½ the cost. Deploy generic hardware

Clear leader. In production at world’s largest

SOA deployments

Oracle lab tested & field trained

www.intel.com/software/soae/webinars www.intelforfusion.com Schedule a Demo [email_address] Video Usage Scenarios Eval & Fusion Sample App Evolving SOA Appliance – 3 Game Changing Innovations New White Paper A Review of Pre-tested Integration Scenarios Intel OpenWorld Booth Live Demo More Information?

Video Usage Scenarios

Eval & Fusion Sample App

Evolving SOA Appliance – 3 Game Changing Innovations

A Review of Pre-tested Integration Scenarios

Live Demo