
Page 1: - Oracle...Access Manager Entitlements Server Identity Manager Fusion Applications OOTB Security Architecture Oracle RDBMS Single Sign-On Fine Grained Authorization

Oracle’s Platform Approach to Security Services

Page 2:

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Page 3:

Agenda

• Security Threats and Trends
• End-to-End Application Security Development Lifecycle
• Oracle Platform Security Services
  – Overview & Strategy
  – Design Pattern & Deployment Examples
  – Security Platform for Fusion Applications

Page 4:

Security Threats & Trends

Page 5:

What Keeps You Awake?

Threats
• Attacks
• Improper Access
• Infrastructure Scaling

Compliance
• Tougher Regulations
• Intrusive Audits
• Costly Burdensome Reporting

Opportunities
• Mobile Access
• Social Identity
• Cloud Computing

Page 6:

The Trend is Set to Continue
The Root Cause Of All Breaches Is Poor Access Control

[Chart: total number of records compromised by breaches, 1990 to 2011, with eras labelled "Hacking for Fun" and "Hacking for Fame"; values shown: < 1M, 4 M, 361 M]

• Social Engineering Attacks (11% of all breaches)
• Hacking (up 10% from 2010)
• Privilege Abuse (17% of all breaches)

Source: Verizon Data Breach Report 2011

Page 7:

Current Approach is Fragmented
Hurts Transparency & Business Agility

• Disconnected Security Policy
• Poor Correlation for Forensics
• Fragmented View of User
• Costly Integration

Fragmentation causes Latency
• Removing separated users
• Detecting user job role change
• Restricting data access quickly

Source: The Value of Corporate Secrets by Forrester Consulting (March 2010)

Page 8:

E2E Application Lifecycle

[Diagram: lifecycle phases Design, Develop, Package, Deploy, Administer & Monitor, Migrate & Patch]

Page 9:

E2E Application Lifecycle Problem Statement

[Diagram: lifecycle phases Design, Develop, Package, Deploy, Enforce, Monitor]

• Insufficient and non-standard security libraries
• Poor tooling & IDE integration
• Results in brittle, hardcoded solutions

Page 10:

E2E Application Lifecycle Problem Statement

[Diagram: lifecycle phases Design, Develop, Package, Deploy, Enforce, Monitor]

• Manual & error prone deployment and migration process
• Ad hoc security configuration & integration
• Affects application delivery and downtime

Page 11:

E2E Application Lifecycle Problem Statement

[Diagram: lifecycle phases Design, Develop, Package, Deploy, Enforce, Monitor]

• Lack of centralized policy management & monitoring
• Insufficient visibility across key enterprise security metrics
• Impacts corporate compliance and ongoing business agility

Page 12:

Today We Are Reactive

We react...
• Harden Perimeter
• Secure End-Point
• Invest in Monitoring

But criminals get wiser
• Social Engineering Attacks
• Attacks on Servers
• Privileged Account Abuse

Most traditional security solutions get breached eventually

Page 13:

We Need to Change Our Thinking

Security should be proactive, just like the body’s immune system prevents diseases

Page 14:

Oracle Platform Security Services Overview & Strategy

Page 15:

Oracle Identity Management 11g Service-Oriented Security

• Introducing Oracle Platform Security Services
• Library of security services including authentication, authorization, ID profile, encryption, common auditing and logging etc.
• Integrated with JDeveloper for design time security development
• Services exposed through pluggable abstraction layers
• Decouple and externalize security from applications
• The security platform for Oracle’s Fusion Middleware and packaged Applications
• Available to the Java development community, ISVs, and customers

Page 16:

Oracle Platform Security Services
Security Platform for Applications, Middleware & Data

[Diagram: Fusion Applications, Vertical Applications, ISV Applications and Customer Apps, together with SOA, WebCenter, ECM, EPM, BI, RDBMS and IDM, sit on Oracle Platform Security Services (AuthN, AuthZ, IdM Int.), which provides Authn, Authz, Creds & Keys, Audit, ID Profile, Trust, XML Security and Crypto/SSL services; Security Service Providers: OAM, OES, OAAM*, OID, OVD, ODSEE, STS, OIM*, OWSM; Identity, Policy, Credential Store Providers: LDAP, Database, File]

Page 17:

Platform Reduces Cost vs. Point Solutions

46% Cost Savings (Source: Aberdeen “Analyzing point solutions vs. platform” 2011)

Benefits and Oracle IAM Suite Advantage

Increased End-User Productivity
• Emergency Access: 11% faster
• End-user Self Service: 30% faster

Reduced Risk
• Suspend/revoke/de-provision end user access: 46% faster

Enhanced Agility
• Integrate a new app faster with the IAM infrastructure: 64% faster
• Integrate a new end user role faster into the solution: 73% faster

Enhanced Security and Compliance
• Reduces unauthorized access: 14% fewer
• Reduces audit deficiencies: 35% fewer

Reduced Total Cost
• Reduces total cost of IAM initiatives: 48% lower

Callouts: 48% More Responsive; 35% Fewer Audit Deficiencies

Page 18:

Oracle Platform Security Services Design Pattern & Deployment Examples

Page 19:

E2E Application Lifecycle
OPSS & Oracle Entitlements Server solution

• Rich set of standards based security services, enabling declarative development
• Pre-integrated with enterprise IDM systems and IDE tools
• Support for each phase of the application lifecycle
• Decouples and externalizes security from applications

[Diagram: lifecycle phases Design, Develop, Package, Deploy, Enforce, Monitor]

Page 20:

Oracle Platform Security Services Example: Authentication, Authorization, Identity Profiles

Design Time

Develop: JDeveloper
• Declarative Development
• Security Wizards
• Policies packaged w. App

Test: Integrated WLS
• ID Store: WLS Embedded LDAP
• Authentication: Form Based Authn
• Policy Store: File based
• OPSS API: login(), logout(), getUserProfile(), getUserGroups(), isAuthorized(), etc.

Page 21:

Oracle Platform Security Services Example: Authentication, Authorization, Identity Profiles

Design Time

Develop: JDeveloper
• Declarative Development
• Security Wizards
• Policies packaged w. App

Test: Integrated WLS
• ID Store: WLS Embedded LDAP
• Authentication: Form Based Authn
• Policy Store: File based
• OPSS API: login(), logout(), getUserProfile(), getUserGroups(), isAuthorized(), etc.

Production

Deploy & Config: EM
• Deploy & Config Wizards
• Runtime Monitoring & Audit
• Automatic Policy Migration

Runtime: WLS, WAS, JBoss
• ID Store: Oracle or 3rd Party LDAP
• Authentication: OAM or 3rd Party SSO
• Policy Store: Oracle or 3rd Party DB
• OPSS API: login(), logout(), getUserProfile(), getUserGroups(), isAuthorized(), etc.

Page 22:

(Same content as Page 21: the fully built version of the same slide.)

Page 23:

OPSS & OES E2E Application Lifecycle

JDeveloper IDE
• Declarative Security Development
• Integrated Security Wizards
• Authz policies packaged w. the App

Page 24:

Java Application Example

• Create a JAAS subject (in the real world you actually need to authenticate the user):

    import java.security.Principal;
    import javax.security.auth.Subject;
    import weblogic.security.principal.WLSUserImpl;

    // Principal naming the (already authenticated) WebLogic user
    Principal p = new WLSUserImpl("weblogic");
    Subject user = new Subject();
    user.getPrincipals().add(p);

• The resource the user is trying to access (it is just a string!):

    String resourceString = "HelloOESworld/MyResourceType/MyResource";

• The action the user is trying to perform:

    String action = "write";

Page 25:

Anatomy of a Java SM Application

• The actual authorization request:

    // Import paths as used by the OES 11g Java Security Module (OpenAZ-based) API
    import oracle.security.jps.openaz.pep.PepRequestFactoryImpl;
    import org.openliberty.openaz.azapi.pep.PepResponse;

    // Subject, action and resource from the previous page; the last argument is the
    // optional environment (none here). decide() declares a checked PepException,
    // which the enclosing method must handle or declare.
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
        .newPepRequest(user, action, resourceString, null)
        .decide();

• The authorization result:

    boolean allowed = response.allowed();

Page 26:

OPSS & OES E2E Application Lifecycle

Enterprise Manager
• Deploy, Configure, Migrate
• Runtime Monitoring & Audit
• Automatic Policy Migration

Page 27:

OPSS & OES E2E Application Lifecycle

OES Admin Server
• Centralized Policy Management
• Drag & Drop Policy Authoring
• Resource Catalog
• Role Catalog & Mapping
• Delegated Administration

Page 28:

OPSS & OES E2E Application Lifecycle

OES Admin Server
• Advanced Lifecycle Management
• Policy Patching: 3-way diff / merge

Page 29:

OPSS & OES Policy Example

Page 30:

Page 31:

Externalizing Authorization from Apps
Distributed Fine-Grained Security Enforcement for Applications

[Diagram: Portal Users reach an Oracle WebLogic Suite-based Application Grid (Oracle SOA Suite, Oracle BPM Suite, Oracle WebCenter, Shared Services Apps), whose Policies are enforced by Oracle Platform Security Services (Fine-Grained Authorization Policy Enforcement) backed by the User Provisioning Service, Role Mgmt Service, Directory Service, Authentication Service, Authorization Service and Federation Service]

App Owner
• Build application
• Externalize Authorization Controls from App into XACML policies using OPSS API
• Deploy Application

IT / Security
• Modify Policies in response to evolving security mandates without any code changes
• Centralize Enforcement of Policies across all Apps with Centralized Admin UI
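The externalized-authorization pattern from the Java SM example (Pages 24 and 25) and the slide above, as an added example that is not Oracle's code: the application passes the same (subject, action, resource) triple the OES call takes, but the decision comes from policy text loaded as data, so a changed mandate changes no application code. SimplePrincipal and the in-memory PolicyDecisionPoint are stand-ins for WLSUserImpl and the OES decision point, and the one-rule-per-line policy syntax is invented for this example; it runs on a plain JDK.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class ExternalizedAuthzExample {

    // Hypothetical stand-in for WLSUserImpl and group principals: a named JAAS principal.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    // In-memory stand-in for the OES decision point. Policy is data, not code; one rule per
    // line in an invented syntax: "GRANT|DENY role=<principal> action=<action> resource=<App/Type/Res or App/Type/*>".
    static final class PolicyDecisionPoint {
        private final List<String[]> rules = new ArrayList<>();   // {effect, role, action, resource}
        static PolicyDecisionPoint fromText(String policyText) {
            PolicyDecisionPoint pdp = new PolicyDecisionPoint();
            for (String line : policyText.split("\n")) {
                String[] f = line.trim().split("\\s+");
                if (f.length != 4) continue;                          // blank or malformed line
                pdp.rules.add(new String[] {f[0], f[1].substring(5), f[2].substring(7), f[3].substring(9)});
            }
            return pdp;
        }
        // Same (subject, action, resource) triple as newPepRequest(...).decide().allowed();
        // the resource is just a string, so the application needs no OES-specific types.
        boolean decide(Subject subject, String action, String resource) {
            boolean granted = false;
            for (String[] r : rules) {
                if (!hasRole(subject, r[1]) || !r[2].equals(action) || !matches(r[3], resource)) continue;
                if (r[0].equals("DENY")) return false;                // an explicit DENY overrides grants
                granted = true;
            }
            return granted;                                            // nothing matched: default deny
        }
        private static boolean hasRole(Subject s, String role) {
            if (role.equals("authenticated-role")) return !s.getPrincipals().isEmpty();
            return s.getPrincipals().stream().anyMatch(p -> p.getName().equals(role));
        }
        private static boolean matches(String pattern, String resource) {
            if (!pattern.endsWith("/*")) return pattern.equals(resource);
            String prefix = pattern.substring(0, pattern.length() - 1);  // keeps the trailing '/'
            return resource.startsWith(prefix) && resource.indexOf('/', prefix.length()) < 0;
        }
    }

    // Before: the rule lives in application code, so every policy change is a code change.
    static boolean hardcodedCanWrite(Subject user) {
        return user.getPrincipals().stream().anyMatch(p -> p.getName().equals("Editors"));
    }
    // After: the application states who, what and on which resource; the policy store decides.
    static boolean externalizedCheck(PolicyDecisionPoint pdp, Subject user, String action, String resource) {
        return pdp.decide(user, action, resource);
    }
    static Subject subjectFor(String user, String... roles) {       // production code authenticates first
        Subject s = new Subject();
        s.getPrincipals().add(new SimplePrincipal(user));
        for (String role : roles) s.getPrincipals().add(new SimplePrincipal(role));
        return s;
    }

    public static void main(String[] args) {
        String resource = "HelloOESworld/MyResourceType/MyResource";
        PolicyDecisionPoint pdp = PolicyDecisionPoint.fromText(String.join("\n",
            "GRANT role=Editors            action=write resource=HelloOESworld/MyResourceType/*",
            "GRANT role=authenticated-role action=read  resource=HelloOESworld/MyResourceType/*",
            "DENY  role=Contractors        action=write resource=HelloOESworld/MyResourceType/MyResource"));
        Subject weblogic = subjectFor("weblogic", "Editors");
        Subject temp = subjectFor("temp", "Editors", "Contractors");   // holds both a grant and a deny
        System.out.println("weblogic write: " + externalizedCheck(pdp, weblogic, "write", resource));
        System.out.println("temp write:     " + externalizedCheck(pdp, temp, "write", resource));
        System.out.println("temp read:      " + externalizedCheck(pdp, temp, "read", resource));
        // New mandate: only Approvers may write. Only the policy text changes; the code above does not.
        PolicyDecisionPoint revised = PolicyDecisionPoint.fromText(
            "GRANT role=Approvers action=write resource=HelloOESworld/MyResourceType/*");
        System.out.println("weblogic write, revised policy: " + externalizedCheck(revised, weblogic, "write", resource));
        System.out.println("hardcoded check, unchanged:     " + hardcodedCanWrite(weblogic));
    }
}
```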

Page 32:

Oracle Platform Security Services Security Platform for Fusion Applications

Page 33:

Fusion Applications OOTB Security Architecture

[Diagram: Fusion Applications (ADF, SOA, BI, WebCenter, etc.) run on WebLogic over OPSS; Access Manager provides Single Sign-On, Entitlements Server provides Fine Grained Authorization (OES Policy Store), Identity Manager provides Identity & Enterprise Role Mgmt (OID ID Store), Web Services Mgr provides Web Service Security; data resides in Oracle RDBMS]

Page 34:

(Same diagram as Page 16: Oracle Platform Security Services, Security Platform for Applications, Middleware & Data.)

Page 35:

Oracle Platform Security Services Summary

Portable across development frameworks and J2EE containers

Supports the full application life cycle
• Development, Packaging, Deployment, Runtime, Administration
• Consistent experience for developers and administrators through JDeveloper, Enterprise Manager, Authorization Policy Manager

Scale up from lightweight development environments to heterogeneous enterprise IDM deployments

Proven technology, used by a very large # of Oracle products

Page 36:

Questions

Page 37:

For More Information

oracle.com/identity
or
search.oracle.com for “Oracle Platform Security Services”

Page 38:

Page 39:

Page 40:

BACKUP SLIDES

• If Required, To Get More Background Information

Page 41:

Oracle Platform Security Services Authentication

• JAAS / JSR 196 based framework to authenticate against various identity stores & SSO systems
• OOTB integration with Oracle Access Manager (OAM) for Single Sign On
• Supports many 3rd party SSO solutions
• Oracle provided login modules include:
  – LDAP Server authentication, RDBMS Login Module, SAML token authentication, SPNEGO/Kerberos authentication, X.509 certificates
• Custom authentication plug-in support
• Also supports “anonymous” user/role and “authenticated” roles
• Logged in user and their Enterprise & Application roles set in the “JAAS Subject”

Page 42:

Oracle Platform Security Services ID Profile

• Enterprise User and Roles are stored in central Identity Stores such as corporate LDAP servers and RDBMS systems
  – Shared across many applications
  – OPSS certified with Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Server Enterprise Edition, MS Active Directory, Tivoli Directory Server, Novell eDirectory, OpenLDAP
• Aris ID - Identity Governance Framework
  – Abstraction layer for applications to query identity and enterprise roles from various identity stores
  – Developers declare what attributes they are interested in through metadata, then generate and leverage simple Java objects for CRUD operations
  – Applications get user and role profiles in an implementation/deployment neutral format, independent of what Identity Store is used
  – Ability to plug in custom providers
  – Includes LibOVD for virtualization & mapping capabilities

Page 43:

Oracle Platform Security Services Authorization

• Abstraction and integration layer for fine grained Authorization
• Supports Java2 / JAAS permissions, OpenAZ, JSR 115
• Registers with the container as a Java2 security provider for code based security
  – What resources (ex: files on local host and network ports) does a given set of code have access to?
• OES 11g is the authorization provider, provides backend implementation
• Automated Lifecycle management
  – Complete application lifecycle tooling support for security policies (design, development, deployment, patching, and administration)

Copyright © 2010, Oracle. All rights reserved. Oracle Confidential

Page 44:

Oracle Platform Security Services User Provisioning

• Enterprise Users & Roles are often administered through Oracle Identity Manager or similar products
  – Can provision and reconcile users & roles to/from any number of target systems based on provisioning policies
• OIM provides multiple integration options
  – Users and Enterprise Roles externalized to LDAP: recommended approach (Fusion Apps)
    • Use SPML interfaces for provisioning users and enterprise roles
    • OIM directly manages the users and roles in the Identity Store, notifies application of changes (if required)
  – Users and Enterprise Roles externalized to LDAP, application integrated through connectors
    • Application registered as a Target System in OIM
    • Use the OIM LDAP connector to provision users and roles/groups in LDAP
  – Shadow copy of Users and Roles in a proprietary application repository
    • Application registered as a Target System in OIM
    • Develop a connector to provision users and roles in the application’s proprietary repository
• IGF SPML adapter planned to further simplify integration

Page 45:

Oracle Platform Security Services Key Store Service

• Secure storage of keys, credentials, and certificates
• Provider model with support for Wallet, LDAP, RDBMS, JKS, and commercial key management servers / hardware security modules
• Used to store certificates, DB schema passwords, LDAP server access credentials, bootstrap credentials, secure connection information etc.
• Central UI for keystore import/export, backup across the domain
• Centralized trust management and policy enforcement (on key strength/size etc.)
• Alerts on expiring certificates
• Audit of key usage
• FIPS compliant storage of Keys & Credentials

Page 46:

Oracle Platform Security Services Audit

• Extensible framework for applications to record audit events
• Centralized audit across multiple applications
• Audit events & context registered through metadata
  – Metadata packaged in application archive, automatically registered at time of deployment
• Provides audit data correlation for user activities across all layers through the Execution Context ID (ECID)
• OOTB BI Publisher based audit reports for:
  – Authentication, authorization policy changes, credential access, web services policy mgmt changes, etc.
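Correlating audit events by ECID, as an added example that is not Oracle's code and does not use the real OPSS audit schema: constructed log lines from the web tier, OPSS and the database share one ECID per request, so a database write performed under the shared application schema can be attributed to the end user and checked against the authorization decision recorded for that same request. The line format and ECID values are made up for the example; it needs Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class EcidAuditCorrelation {

    // One parsed audit record: the timestamp plus its key=value attributes.
    record AuditEvent(String time, Map<String, String> attrs) {
        String get(String key) { return attrs.getOrDefault(key, ""); }
    }

    // Constructed sample lines in a simplified "time key=value ..." layout, not the real OPSS audit
    // schema; the ECID values are made up. Each layer logs its own view of the same request.
    static final String SAMPLE_LOG = String.join("\n",
        "2012-05-29T10:15:01Z ecid=0000Jx.aaaa^1 layer=web  user=weblogic event=LOGIN_SUCCESS",
        "2012-05-29T10:15:03Z ecid=0000Jx.aaaa^1 layer=opss user=weblogic event=AUTHZ action=write result=ALLOWED",
        "2012-05-29T10:15:04Z ecid=0000Jx.aaaa^1 layer=db   user=APP_SCHEMA event=UPDATE table=MY_RESOURCE",
        "2012-05-29T10:16:10Z ecid=0000Jx.bbbb^1 layer=web  user=temp event=LOGIN_SUCCESS",
        "2012-05-29T10:16:12Z ecid=0000Jx.bbbb^1 layer=opss user=temp event=AUTHZ action=write result=DENIED",
        "2012-05-29T10:16:13Z ecid=0000Jx.bbbb^1 layer=db   user=APP_SCHEMA event=UPDATE table=MY_RESOURCE");

    static AuditEvent parseLine(String line) {
        String[] tokens = line.trim().split("\\s+");
        Map<String, String> attrs = new LinkedHashMap<>();
        for (int i = 1; i < tokens.length; i++) {
            int eq = tokens[i].indexOf('=');
            if (eq > 0) attrs.put(tokens[i].substring(0, eq), tokens[i].substring(eq + 1));
        }
        return new AuditEvent(tokens[0], attrs);
    }

    // Group every layer's events under the request's ECID, preserving log order.
    static Map<String, List<AuditEvent>> groupByEcid(String log) {
        Map<String, List<AuditEvent>> byEcid = new LinkedHashMap<>();
        for (String line : log.split("\n")) {
            if (line.isBlank()) continue;
            AuditEvent e = parseLine(line);
            byEcid.computeIfAbsent(e.get("ecid"), k -> new ArrayList<>()).add(e);
        }
        return byEcid;
    }

    // The DB layer only sees the shared application schema; the end user is recovered from the
    // web/OPSS events carrying the same ECID.
    static String endUserFor(List<AuditEvent> trace) {
        return trace.stream()
            .filter(e -> !e.get("layer").equals("db"))
            .map(e -> e.get("user"))
            .findFirst().orElse("<unknown>");
    }

    // Flag requests where the DB recorded a write although OPSS recorded no ALLOWED write
    // decision for that ECID (the check was denied, or never made at all).
    static List<String> findUnauthorizedWrites(Map<String, List<AuditEvent>> byEcid) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, List<AuditEvent>> entry : byEcid.entrySet()) {
            List<AuditEvent> trace = entry.getValue();
            boolean dbWrite = trace.stream().anyMatch(e ->
                e.get("layer").equals("db") && e.get("event").equals("UPDATE"));
            boolean allowedWrite = trace.stream().anyMatch(e ->
                e.get("event").equals("AUTHZ") && e.get("action").equals("write")
                && e.get("result").equals("ALLOWED"));
            if (dbWrite && !allowedWrite) findings.add(entry.getKey() + " user=" + endUserFor(trace));
        }
        return findings;
    }

    public static void main(String[] args) {
        Map<String, List<AuditEvent>> byEcid = groupByEcid(SAMPLE_LOG);
        for (Map.Entry<String, List<AuditEvent>> entry : byEcid.entrySet()) {
            System.out.println(entry.getKey() + " (end user " + endUserFor(entry.getValue()) + "):");
            for (AuditEvent ev : entry.getValue()) {
                System.out.println("  " + ev.time() + " " + ev.get("layer") + " " + ev.get("event"));
            }
        }
        System.out.println("writes without an ALLOWED decision: " + findUnauthorizedWrites(byEcid));
    }
}
```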

Page 47:

Oracle Platform Security Services Trust Service

• Trust brokering and ID propagation for end-to-end security enforcement
• Centralized trust policy framework to manage and control ID propagation
• Consistent and comprehensive bindings (API and protocol) for token acquisition, token propagation and validation
• Supports standard & custom tokens
  – SAML, Kerberos, etc.
• Bindings to integrate existing platforms with the framework
  – APIs for integrating existing platforms
• Integrates with Oracle & 3rd party Security Token Services
• Embedded token generation, validation capabilities for simple use cases

Page 48:

Oracle Platform Security Services Oracle Security Developers Toolkit

• Libraries to handle SSL, PKI, digital signatures, encryption, XML security, SAML, OAuth, WS-Security, SwA, S/MIME, Liberty, etc.
• Based on many industry standards, including but not limited to
  – JCE, JCA, JSSE
  – PKCS #11, #12, #7, XKMS, OCSP, CMS, CMP/CRMF, TSP
  – and more...
• Also includes C based Crypto, SSL, SASL, GSSAPI/Kerberos toolkits
• FIPS 140-2 compliant with support for Hardware Security Modules