
Getting Started with Security for your Oracle SOA Suite Integrations


With the boom in cloud services that many companies are currently leveraging, integration between them is becoming more and more important. It is not unusual for an organization to have a combination of on-premise and cloud applications, all talking to each other. For SOA-based integrations, security becomes more critical than ever. This presentation is a technical deep-dive on how to secure your integrations via WS-Security and Oracle Web Services Manager (OWSM) for both inbound and outbound integrations. We discuss authentication, message encryption, two-way SSL certificates, and more. A brief mention on Oracle API Manager is provided as well.



  1. Raastech, Inc., 2201 Cooperative Way, Suite 600, Herndon, VA 20171, +1-703-884-2223, info@raastech.com. Getting Started w/ Security for your Oracle SOA Suite Integrations: From Transport Protection to API Management. Wednesday, May 10, 2017, Session 6, 11:30 am - 12:20 pm, Amphitheater
  2. © Raastech, Inc. 2017 | All rights reserved. Slide 2 of 78, @Raastech. Agenda: 1. Introduction 2. Security Essentials 3. Oracle Fusion Middleware Security Platform 4. Oracle Web Services Platform “Practical” Implementation 5. Oracle Web Service Manager 6. Custom Policies 7. Oracle API Gateway
  4. About Me ▪ Michael Mikhailidi ▪ 20+ years of Oracle experience ▪ Extensive Oracle Fusion Middleware experience ▪ Oracle SOA Certified ▪ Past employment with Oracle, Rimini Street
  5. What’s it all about? ▪ Information & communication protection is more important than ever ▪ They tell you that all the time ▪ Security standards are old and are here to stay ▪ The learning curve is steep ▪ Old formats, lack of compatibility, layers of fossils ▪ Implementation issues ▪ Done on a residual basis ▪ Lack of resources ▪ Errors, backdoors, support
  7. Key Security Terms ▪ Public Key Infrastructure ▪ Asymmetric key exchange ▪ Published by Whitfield Diffie and Martin Hellman in 1976 ▪ Ron Rivest, Adi Shamir, and Leonard Adleman identified the same relationship in 1978 (aka RSA Corp) ▪ Standard X.509 ▪ X.509 was initially issued on July 3, 1988 ▪ Subset of the X.500 standard ▪ Base for all the modern web of trust and certificates ▪ Secure Sockets Layer / Transport Layer Security ▪ Invented by Netscape in 1994 ▪ TLS was introduced in 1999 ▪ SSL version 3 no longer exists in public communications; TLS is at version 1.2, with 1.3 coming
  8. Alice & Bob Secret Correspondence (diagram: Alice’s key for Bob, certified by Rabbit; Rabbit’s public key)
  9. Transport Layer Security ▪ Transport level security in most cases: ▪ No certificate (public key) required for the client ▪ Client creates a temporary private key for the session ▪ Sends the key back to the server signed with the server’s public key ▪ You still need PKI to validate server credentials ▪ Protects all the data exchange between the server and the client ▪ Requires configuration, not development ▪ That’s why it’s the most popular solution
  10. Service and Message Protection ▪ Service Protection ▪ User Authentication ▪ User Authorization ▪ Session Validation ▪ Message Protection ▪ Message encryption ▪ Message non-repudiation (signing) ▪ Guaranteed Delivery (reliability) ▪ Management Tasks ▪ Logging ▪ Audit ▪ Transformation
  12. Oracle Platform Security Service (OPSS) ▪ Authentication ▪ Single Sign-On ▪ Authorization ▪ Audit ▪ Credential Store Framework ▪ Identity Governance Framework ▪ Cryptography ▪ Management ▪ Security Providers ▪ Security Stores
  13–17. Oracle Platform Security Service (OPSS) ▪ Users & Groups ▪ Credentials ▪ Security Providers ▪ Keystores ▪ Application Roles/Policies (one screenshot per slide)
  18. How OWSM Works ▪ Web Service ▪ Published by a web application ▪ WebLogic Server runs the application and the WSM agent – Separate application deployments for 3rd-party servers ▪ WSM Agent enforces global & local policies – Endpoints – SOA Components – Clients ▪ Web Service Client ▪ Accesses the service endpoint ▪ Should follow policies to complete the call ▪ WSM Policy Manager ▪ Manages policies ▪ Releases policy information to agents ▪ Administrative GUI through Fusion Middleware EM Control ▪ Web Service Clients ▪ WSM common and client policies ▪ Applies policies to the service references
  19. How OWSM Works 1. Client sends a request message to a web service. 2. Policy interceptors intercept and execute the policies attached to the client. 3. Request message is then sent to the web service. 4. Policy interceptors then execute any service policies attached to the web service. 5. Web service executes the request message and returns a response message. 6. Response message is intercepted by the policy interceptors, which execute the service policies attached to the web service. 7. Response message is then sent to the client. 8. Policy interceptors then execute any client policies attached to the client. 9. Response message is passed to the client.
  21. Yet Another “Hello World” Example
  22. HelloWorld WSDL
  23. Let’s say “Hello”
  24. Pit Stop: How to find the right policy? ▪ A large number of policies are predefined and ready to use ▪ 55 security policies are predefined in OWSM ▪ Policy templates, to tailor policies that fit your requirements ▪ Oracle recommends following the naming convention ▪ Helps you understand what a policy does by its name ▪ Folder-like organization keeps policies organized. Example: oracle/wss_saml_or_username_token_over_ssl_service_policy, read as: oracle = folder; wss = standard; saml / username_token = policy OR policy; over_ssl = transport type; service = policy enforcement point
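The naming convention on slide 24 is regular enough to parse mechanically. The following is an added example (not code from the deck or from Oracle) that decomposes a predefined OWSM policy URI into folder, standard, accepted tokens, qualifier, transport and enforcement point, and derives the client-side counterpart that slide 44 refers to as "the same policy with client flavor". The only structural assumptions are the ones stated on the slide (a `_service_policy`/`_client_policy` suffix, `_or_` for alternatives, `_over_` for transport); the `_with_` qualifier split and the wording produced by `describe()` are mine.

```python
from dataclasses import dataclass
from typing import List, Optional

# Enforcement points that precede the "_policy" suffix in an OWSM policy name.
ENFORCEMENT_POINTS = ("service", "client")


@dataclass(frozen=True)
class PolicyName:
    folder: str                 # "oracle" for the predefined policies
    standard: str               # "wss", "wss10", "wss11", "http", ...
    tokens: List[str]           # alternatives joined by "_or_" in the name
    qualifier: Optional[str]    # text after "_with_", e.g. "message_protection"
    transport: Optional[str]    # text after "_over_", e.g. "ssl"
    enforcement_point: str      # "service" (inbound) or "client" (outbound)


def parse_policy_name(uri: str) -> PolicyName:
    """Split '<folder>/<std>_<tok>[_or_<tok>][_with_<q>][_over_<t>]_<point>_policy'."""
    folder, slash, name = uri.partition("/")
    if not slash or not folder or not name:
        raise ValueError(f"expected '<folder>/<name>': {uri!r}")
    if not name.endswith("_policy"):
        raise ValueError(f"policy names end with '_policy': {uri!r}")
    body = name[: -len("_policy")]
    body, _, point = body.rpartition("_")
    if point not in ENFORCEMENT_POINTS:
        raise ValueError(f"unknown enforcement point {point!r} in {uri!r}")
    body, _, transport = body.partition("_over_")   # transport is optional
    body, _, qualifier = body.partition("_with_")   # qualifier is optional (assumed split)
    standard, _, tokens = body.partition("_")
    if not standard or not tokens:
        raise ValueError(f"cannot split standard and token in {uri!r}")
    return PolicyName(folder, standard, tokens.split("_or_"),
                      qualifier or None, transport or None, point)


def describe(uri: str) -> str:
    """Plain-language reading of a policy name (wording is this example's own)."""
    p = parse_policy_name(uri)
    side = ("enforced on the service (inbound)" if p.enforcement_point == "service"
            else "applied on the client (outbound)")
    text = f"{p.standard} policy accepting " + " or ".join(p.tokens)
    if p.qualifier:
        text += f" with {p.qualifier.replace('_', ' ')}"
    text += f" over {p.transport.upper()}" if p.transport else " on any transport"
    return f"{text}, {side}"


def client_counterpart(uri: str, token: Optional[str] = None) -> str:
    """Client policy matching a service policy; an OR policy needs one token chosen."""
    p = parse_policy_name(uri)
    if p.enforcement_point != "service":
        raise ValueError(f"not a service policy: {uri!r}")
    if token is None:
        if len(p.tokens) != 1:
            raise ValueError(f"choose one of {p.tokens} for the client side")
        token = p.tokens[0]
    elif token not in p.tokens:
        raise ValueError(f"{token!r} is not accepted by {uri!r}")
    parts = [p.standard, token]
    if p.qualifier:
        parts.append("with_" + p.qualifier)
    if p.transport:
        parts.append("over_" + p.transport)
    parts.append("client_policy")
    return f"{p.folder}/{'_'.join(parts)}"


if __name__ == "__main__":
    for uri in ("oracle/wss_saml_or_username_token_over_ssl_service_policy",
                "oracle/wss11_saml_token_with_message_protection_client_policy"):
        print(uri, "->", describe(uri))
    print(client_counterpart("oracle/wss_saml_or_username_token_over_ssl_service_policy",
                             "username_token"))
```

Note that the client side of an OR policy is a single-token policy: a service that accepts SAML or UsernameToken over SSL is called with either the SAML or the UsernameToken client policy, never with an "OR" client policy, which is why `client_counterpart` insists on a choice.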
  25–31. Apply OWSM Policy to the Service Endpoint (one screenshot per slide)
  32. HelloWorld WSDL with Policy
  33–35. How to say “Hello” now (one screenshot per slide)
  36–41. Apply OWSM Policy at Design Time (one screenshot per slide)
  43. Not So Simple Composite ▪ HelloWorldService reference ▪ Don’t forget to use the protected URL ▪ BPEL process to call the service ▪ Mediator is too simple ▪ Service reference to expose the process
  44. Not So Simple Composite ▪ Now we select the service reference – apply the same policy – with the client flavor
  45. Not So Simple Composite ▪ The client side requires a bit more configuration ▪ Click on the pencil icon ▪ Override the csf-key value with the credentials alias ▪ Let’s say wlsadmin ▪ And save the policy
  46. Not So Simple Composite ▪ The lock icon on the reference means: ▪ The policy has been attached ▪ One more step before deployment
  47–48. Not So Simple Composite ▪ Time to recall OPSS features ▪ Navigate to WebLogic Domain > Security > Credentials ▪ Create a new key ▪ With the appropriate credentials ▪ Save the key ▪ Now we are ready for deployment ▪ And if you don’t have the oracle.wsm.security map: don’t be shy – create it!
  49. Let’s say hello again ▪ OWSM client call: ▪ No SSL ▪ No WS-Security
  50. Let’s say hello again ▪ However, the service gets all the necessary headers from the client policy
  52. What if you need a policy that differs? ▪ You found a policy, it does what you need, but not exactly… ▪ Company security rules mandate: “No clear text passwords allowed”
  53. What if you need a policy that differs? ▪ The answer: Custom policies
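Slides 19, 49–50 and 52 describe the same mechanism from three angles: the client-side interceptor adds the WS-Security headers the service policy expects (so the composite's own code sends "no SSL, no WS-Security"), and the service-side interceptor checks them, which is where a rule such as "no clear text passwords" is enforced. The following added example, not part of the deck and not OWSM's implementation, models that exchange with a WS-Security UsernameToken in plain Python: `attach_username_token` plays the client policy and `verify_username_token` plays the service policy, rejecting `PasswordText` tokens, stale `Created` timestamps and reused nonces. The digest formula and namespace URIs are the ones from the OASIS UsernameToken Profile 1.0; the HelloWorld request, its `example.invalid` namespace, the `wlsadmin` password and the five-minute clock-skew window are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the OASIS WS-Security 1.0 and UsernameToken Profile 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
PASSWORD_TEXT = UTP + "#PasswordText"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for _prefix, _ns in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _ns)

# Constructed sample request for the deck's HelloWorld service (hypothetical namespace).
HELLO_REQUEST = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:hw="http://example.invalid/helloworld">'
    "<soapenv:Header/><soapenv:Body><hw:sayHello><name>Alice</name></hw:sayHello></soapenv:Body>"
    "</soapenv:Envelope>"
)


class AuthError(Exception):
    """Raised by the service-side check; a real agent would turn it into a SOAP fault."""


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password)).
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def attach_username_token(envelope, username, password, *, digest=True, nonce=None, created=None):
    """Client-policy step: add wsse:Security/wsse:UsernameToken to the outgoing request."""
    root = ET.fromstring(envelope)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    security = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    if digest:
        ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST}).text = (
            password_digest(nonce, created, password))
        ET.SubElement(token, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY}).text = (
            base64.b64encode(nonce).decode())
        ET.SubElement(token, f"{{{WSU}}}Created").text = created
    else:  # the clear-text variant the company rule on slide 52 forbids
        ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": PASSWORD_TEXT}).text = password
    return ET.tostring(root, encoding="unicode")


def verify_username_token(envelope, lookup_password, *, now=None,
                          max_skew=timedelta(minutes=5), seen_nonces=None):
    """Service-policy step: digest only, fresh Created, single-use nonce; returns the user name."""
    now = now or datetime.now(timezone.utc)
    seen_nonces = set() if seen_nonces is None else seen_nonces  # share one cache across requests
    root = ET.fromstring(envelope)
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise AuthError("no UsernameToken in wsse:Security header")
    password_el = token.find(f"{{{WSSE}}}Password")
    if password_el is None or password_el.get("Type") != PASSWORD_DIGEST:
        raise AuthError("clear-text password not allowed; PasswordDigest required")
    username = token.findtext(f"{{{WSSE}}}Username") or ""
    nonce_text = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if not nonce_text or not created:
        raise AuthError("digest token needs Nonce and Created")
    created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
    if created_at.tzinfo is None:
        created_at = created_at.replace(tzinfo=timezone.utc)
    if abs(now - created_at) > max_skew:
        raise AuthError("Created timestamp outside the accepted window")
    nonce = base64.b64decode(nonce_text)
    if nonce in seen_nonces:
        raise AuthError("nonce already used (replay)")
    secret = lookup_password(username)
    expected = password_digest(nonce, created, secret or "")
    # Constant-time compare; same error for unknown user and wrong password.
    if secret is None or not hmac.compare_digest(expected, password_el.text or ""):
        raise AuthError("unknown user or bad credentials")
    seen_nonces.add(nonce)
    return username


def policy_outcome(envelope, lookup_password, **kwargs):
    """Return ('accepted', user) or ('rejected', reason), as an interceptor would report it."""
    try:
        return "accepted", verify_username_token(envelope, lookup_password, **kwargs)
    except AuthError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    creds = {"wlsadmin": "constructed-secret"}   # stands in for the OPSS credential store
    secured = attach_username_token(HELLO_REQUEST, "wlsadmin", creds["wlsadmin"])
    print(policy_outcome(secured, creds.get))
    print(policy_outcome(attach_username_token(HELLO_REQUEST, "wlsadmin", "x", digest=False), creds.get))
```

The digest check only binds the password to a nonce and a timestamp; it does not hide the user name or the body, and SHA-1 here is what the profile specifies rather than a choice. That is why the deck pairs the token with SSL (`..._over_ssl_...`) or with message protection: the transport or the WS-Security signature and encryption carry the confidentiality, and the nonce cache plus the `Created` window are what stop a captured header from being replayed.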
  54–61. Customize Predefined Policy (one screenshot per slide)
  62. Homegrown OWSM Policies ▪ 3 components: ▪ Custom assertion executor: Java code that implements your custom logic with the OWSM Java API ▪ Custom policy file: XML document that defines bindings, parameters, and everything else needed to make the assertion usable ▪ policy-config.xml: XML document you need to attach the new assertion to the OWSM repository
  63. How to manage hundreds of services? ▪ You have a lot of services and don’t want to enforce all the policies manually ▪ All company services should be compliant with a set of policies ▪ But not all of them. The answer: Globally attached policies
  64. Policy Sets ▪ Contain one or more policies ▪ Define the subject to apply to: ˗ SOA Component ˗ SOA Reference ˗ SOA Service ˗ Web Service Endpoint ˗ Web Service Client ˗ Web Service Connection ˗ Asynchronous Callback Client ▪ Describe the subject scope ▪ Policies in a set have selection filters
  65. Apply Global Policies to all Services ▪ You can use WLST to create and manage policy sets
  66. Apply Global Policies to all Services ▪ …or do the same from Fusion Middleware Control
  68. OWSM on Steroids ▪ Secure enough to protect all your services ▪ Strong enough to live in the DMZ ▪ Smart enough to take a share in routing and transformation ▪ Data reduction ▪ Protocol exchange ▪ API transformation ▪ Open enough to plug into an existing management framework ▪ Integration with Oracle Enterprise Manager
  69. API Gateway Architecture & Components ▪ Key components and tools ▪ API Gateway Manager ▪ Policy Studio ▪ API Gateway Analytics ▪ API Gateway Explorer
  70. API Gateway Architecture & Components (diagram)
  71. API Gateway Architecture & Components ▪ API Gateway Manager ▪ Centralized web-based dashboard ▪ Control and manage API Gateways and groups in a domain ▪ Displays aggregated monitoring data from multiple API Gateway instances ▪ Including real-time statistics, traffic log, log files, and alerts ▪ Manages, monitors, and troubleshoots the API services that are virtualized on the API Gateway
  72. API Gateway Architecture & Components (diagram)
  73. API Gateway Architecture & Components ▪ Policy Studio ▪ Policy development and configuration for API and service protection ▪ Develops API Gateway policies and solution packs ▪ Customizes and extends the API Gateway using scripting ▪ Creates Java classes and/or custom filters using the API Gateway filter SDK ▪ Typically on a separate machine from the API Gateway
  74. API Gateway Architecture & Components (diagram)
  75. API Gateway Architecture & Components ▪ Oracle API Gateway Analytics ▪ Generates reports and charts based on usage metrics ▪ Database integration ▪ Oracle Database ▪ MySQL Server ▪ Microsoft SQL Server ▪ Real-time and historical metrics
  76. API Gateway Architecture & Components (diagram)
  77. References
     ▪ Basics and History of PKI: https://blogs.technet.microsoft.com/option_explicit/2012/03/10/basics-and-history-of-pki/
     ▪ Secure Socket Layer and Transport Socket Layer, by Jinwoo Hwang: http://www.ibm.com/developerworks/library/ws-ssl-security/
     ▪ Sample Formats: https://en.wikipedia.org/wiki/X.509 and https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format
     ▪ WS-Security Specifications: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
     ▪ OPSS 11g Technical Whitepaper: http://www.oracle.com/technetwork/middleware/id-mgmt/opss-tech-wp-131775.pdf
     ▪ Understanding the OWSM Policy Framework: https://docs.oracle.com/middleware/1213/owsm/concepts/owsm-policy-framework.htm
     ▪ OWSM Role Authorization: http://www.oracle.com//technetwork/middleware/webservices-manager/soa-component-role-authz-1555950.pdf
     ▪ API Gateway Concepts: https://docs.oracle.com/cd/E65459_01/docs.1112/e65451/Default.htm#ConceptsGuideTopics/3_overview.htm
     ▪ Aaron Dolan, Your API’s First Line of Defense: Oracle API Gateway: http://www.avioconsulting.com/blog/your-apis-first-line-defense-oracle-api-gateway
  78. Q&A
