Post on 27-Dec-2015
Ganesh Kirti, Roger Sullivan
Oracle Corporation
“This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”
Securing Web Services in a SOA
Agenda for Today
Introduction to a Service Oriented Architecture
Security in Service Oriented Architectures (SOA)
Q & A
Service Oriented Architectures
Customer Needs
Optimize Processes & Applications to Change
Share Information & Collaborate Productively
Build Flexible, Adaptable Applications
Take Decisions with Better Quality Information
Lower Technology Costs
Secure Access & Reduce Risks
Fusion Middleware
Modular & Configurable Applications: SOA, Faces, EJB
Flexible Business Processes: WSIF, ESB, BPEL
Actionable Business Intelligence: Hubs, BI, BAM
Enhanced Employee Productivity: Portals, Mobile, Collaboration
Lowest TCO: Grid, Systems Mgmt
Enhanced Security & Compliance: Identity Mgmt, Web Services Mgmt
Web Services and Service Oriented Architectures
Web Services Security and Management Concerns
Security
– “We have many web services exposed to the internet now”
– “Only valid partners may access our web services”
Exception Handling
– “Notify operations if a transaction stalls”
– “Send any incomplete orders to customer service for fixing”
Compliance and Consistency
– “All customer orders must be encrypted with 128 bit keys”
– “All XML messages must follow this format”
Service Level Monitoring
– “The order system must process transactions in under 2 seconds”
– “If uptime falls below 98% we owe contract penalties”
Security for an SOA?
[Diagram: BPEL loan-procurement flow. start → Credit Rating (Get Rating) → United Loan and Star Loan in parallel (Send Loan Application, Receive Loan Offer) → Select Lowest Offer → end; a Handle Negative Credit Exception branch leaves the Credit Rating step.]
What’s Missing?
[Diagram: the same BPEL loan flow (labelled BPEL Flow), with the loan application message carrying <SSN>011-22-4488</SSN> in the clear.]
1. Anyone who can access the server can initiate loan applications
2. SSN sent in clear text: <SSN>011-22-4488</SSN>
3. Callback has to go through firewall
4. How can I be sure no other sensitive data is unprotected?
Security for an SOA
[Diagram: the same BPEL loan flow, now annotated with audit timestamps (10:00am, 03:00pm) on the Send Loan Application / Receive Loan Offer calls.]
1. Security: Role-based access control
2. Security: Auto-Encryption of SSN in XML message
3. Management: Service virtualization in DMZ
4. Management: System-wide service auditing
Security for an SOA: WS-Security
Authentication
– Security Tokens & References
– OASIS Token Profiles: UsernameToken, BinarySecurityToken (X509, Kerberos)
Integrity
– W3C XML Signature Standard
– Signing by Parts (Element level)
– Canonicalization for signature verification
– Non-repudiation
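The integrity bullets (signing by parts, references, canonicalization) are easiest to see in code. What follows is an added example, not code from the presentation or from Oracle's products: it signs the SOAP Body by its wsu:Id reference, canonicalizes only the referenced element, and then demonstrates the substitution attack that the Threats slide later in this deck warns about. Because a Reference is resolved by Id wherever the element sits, an attacker can move the signed Body into the Header and insert an unsigned Body in its place; a verifier that only checks the Reference still reports a valid signature while the application reads the attacker's data. The strict verifier additionally checks that the element carrying the referenced Id is the one Body the application will process. HMAC-SHA256 over the element's C14N form (as produced by the Python standard library) stands in for XML-DSig's X.509/RSA signature over SignedInfo and Exclusive C14N; the key, the loan message and the function and element names are assumptions made for the example.

```python
"""Signing by parts: sign one element by wsu:Id reference, then show why the verifier must
also check WHICH element carries that Id (signature-wrapping substitution). Added example,
not from the presentation. HMAC-SHA256 over the element's C14N 2.0 form stands in for
XML-DSig's RSA signature and Exclusive C14N (simplifying assumptions)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from copy import deepcopy

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
WSU_ID = f"{{{WSU}}}Id"
KEY = b"shared-secret-for-the-example"  # constructed; a real deployment uses an X.509 key pair

def build_envelope(ssn: str) -> ET.Element:
    """Loan application whose Body carries a wsu:Id so a Reference can point at it."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{WSSE}}}Security")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {WSU_ID: "Body-1"})
    ET.SubElement(ET.SubElement(body, "LoanApplication"), "SSN").text = ssn
    return env

def canonical(elem: ET.Element) -> bytes:
    # Canonicalize the element subtree only: the result does not depend on where the element sits.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def find_by_id(env: ET.Element, wsu_id: str):
    return next((e for e in env.iter() if e.get(WSU_ID) == wsu_id), None)

def sign_reference(env: ET.Element, wsu_id: str, key: bytes = KEY) -> str:
    mac = hmac.new(key, canonical(find_by_id(env, wsu_id)), hashlib.sha256).digest()
    value = base64.b64encode(mac).decode()
    sig = ET.SubElement(env.find("soap:Header/wsse:Security", NS), f"{{{DS}}}Signature")
    ET.SubElement(ET.SubElement(sig, f"{{{DS}}}SignedInfo"), f"{{{DS}}}Reference", {"URI": "#" + wsu_id})
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = value
    return value

def _reference(env: ET.Element):
    ref = env.find("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    val = env.findtext("soap:Header/wsse:Security/ds:Signature/ds:SignatureValue", namespaces=NS)
    return (ref.get("URI", "").lstrip("#") if ref is not None else None), val

def verify_naive(env: ET.Element, key: bytes = KEY) -> bool:
    """Resolve the Reference by Id anywhere in the document, as plain XML-DSig does."""
    wsu_id, value = _reference(env)
    target = find_by_id(env, wsu_id) if wsu_id else None
    if target is None or not value:
        return False
    mac = hmac.new(key, canonical(target), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), value)

def verify_strict(env: ET.Element, key: bytes = KEY) -> bool:
    """Also require that the signed element is THE Body the application will process."""
    if not verify_naive(env, key):
        return False
    wsu_id, _ = _reference(env)
    carriers = [e for e in env.iter() if e.get(WSU_ID) == wsu_id]
    return len(carriers) == 1 and carriers[0] is env.find("soap:Body", NS)

def wrap_attack(env: ET.Element, new_ssn: str) -> ET.Element:
    """Move the signed Body into the Header and put an unsigned Body in its place."""
    forged = deepcopy(env)
    signed_body = forged.find("soap:Body", NS)
    forged.remove(signed_body)
    ET.SubElement(forged.find("soap:Header", NS), "Wrapper").append(signed_body)
    new_body = ET.SubElement(forged, f"{{{SOAP}}}Body")  # no wsu:Id: nothing references it
    ET.SubElement(ET.SubElement(new_body, "LoanApplication"), "SSN").text = new_ssn
    return forged

def tamper(env: ET.Element, new_ssn: str) -> ET.Element:
    forged = deepcopy(env)
    forged.find("soap:Body/LoanApplication/SSN", NS).text = new_ssn
    return forged

def body_ssn(env: ET.Element) -> str:
    # What the BPEL process actually reads from the message.
    return env.findtext("soap:Body/LoanApplication/SSN", namespaces=NS)

def demo() -> dict:
    signed = build_envelope("011-22-4488")
    sign_reference(signed, "Body-1")
    cases = {"signed": signed, "tampered": tamper(signed, "999-99-9999"),
             "wrapped": wrap_attack(signed, "999-99-9999")}
    return {name: (verify_naive(e), verify_strict(e), body_ssn(e)) for name, e in cases.items()}

if __name__ == "__main__":
    for name, (naive, strict, ssn) in demo().items():
        print(f"{name:9s} naive={naive!s:5s} strict={strict!s:5s} body SSN={ssn}")
```

The "wrapped" case is the one to look at: the naive verifier returns True because the canonical form of the moved Body is unchanged, yet body_ssn() returns the attacker's value. Tying the Reference to the position the application consumes (and refusing duplicate Ids) is the check that closes the gap; the same reasoning applies to any element signed "by parts".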
Security for an SOA: WS-Security
Confidentiality
– W3C XML Encryption Standard
– Support for standard Key Exchange Mechanisms
– Encryption by Parts (Element level)
Threats
– Replay Attacks (Timestamps)
– Substitution Attacks (Signing References)
– XML Injections (Validation)
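To make the UsernameToken bullet from the Authentication slide and the replay-attack bullet above concrete, here is an added example in Python (not from the presentation or from OWSM). The client builds a WS-Security header with a Timestamp and a PasswordDigest UsernameToken around the loan application; the gateway recomputes the digest, refuses PasswordText, enforces a freshness window on both the Timestamp and the token's own Created value, and keeps a nonce cache so a captured message cannot be replayed inside that window. The password table, the clock value T0 and the loan body are constructed for the example; the namespace and Type URIs are the real WS-Security 1.0 ones.

```python
"""WS-Security UsernameToken (PasswordDigest) checking with Timestamp and nonce replay
detection. Added example, not from the presentation; the loan body, the password table
and the clock value T0 are constructed here (assumptions)."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
FMT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2006, 10, 24, 10, 0, 0, tzinfo=timezone.utc)  # constructed "now" for the scenario

def _parse(text):
    try:
        return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Username Token Profile 1.0: Base64(SHA-1(nonce + created + password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_request(user, password, created, nonce=None, ttl=300):
    """Client side: Timestamp plus a digest UsernameToken around the loan application."""
    nonce = nonce or secrets.token_bytes(16)
    c, e = created.strftime(FMT), (created + timedelta(seconds=ttl)).strftime(FMT)
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
<soap:Header><wsse:Security>
<wsu:Timestamp><wsu:Created>{c}</wsu:Created><wsu:Expires>{e}</wsu:Expires></wsu:Timestamp>
<wsse:UsernameToken>
<wsse:Username>{escape(user)}</wsse:Username>
<wsse:Password Type="{DIGEST}">{password_digest(nonce, c, password)}</wsse:Password>
<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
<wsu:Created>{c}</wsu:Created>
</wsse:UsernameToken>
</wsse:Security></soap:Header>
<soap:Body><LoanApplication><SSN>011-22-4488</SSN></LoanApplication></soap:Body>
</soap:Envelope>"""

def verify_request(xml_text, now, passwords, seen, window=300):
    """Gateway side. Returns (accepted, reason); `seen` maps accepted nonces to the time seen."""
    try:
        return _verify(ET.fromstring(xml_text), now, passwords, seen, timedelta(seconds=window))
    except (ET.ParseError, ValueError):  # ValueError also covers a non-Base64 nonce
        return False, "malformed message"

def _verify(root, now, passwords, seen, skew):
    sec = root.find("soap:Header/wsse:Security", NS)
    ts = sec.find("wsu:Timestamp", NS) if sec is not None else None
    if ts is None:
        return False, "missing Security/Timestamp"
    created = _parse(ts.findtext("wsu:Created", namespaces=NS))
    expires = _parse(ts.findtext("wsu:Expires", namespaces=NS))
    if created is None or expires is None or now >= expires or abs(now - created) > skew:
        return False, "Timestamp outside acceptance window"
    tok = sec.find("wsse:UsernameToken", NS)
    pw = tok.find("wsse:Password", NS) if tok is not None else None
    if pw is None or pw.get("Type") != DIGEST:
        return False, "digest password required"  # never accept PasswordText on this path
    user = tok.findtext("wsse:Username", namespaces=NS)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
    tok_created = tok.findtext("wsu:Created", namespaces=NS)
    if not (user and nonce_b64 and tok_created):
        return False, "UsernameToken incomplete"
    # Only the token's own Created is digested; the Timestamp header is not bound to the token.
    tc = _parse(tok_created)
    if tc is None or abs(now - tc) > skew:
        return False, "UsernameToken Created outside window"
    # Digest with a dummy secret for unknown users so timing does not reveal valid usernames.
    expected = password_digest(base64.b64decode(nonce_b64, validate=True), tok_created, passwords.get(user, "\0"))
    if user not in passwords or not hmac.compare_digest(expected, pw.text or ""):
        return False, "bad credentials"
    for old in [n for n, t in seen.items() if now - t > skew]:  # forget nonces past the window
        del seen[old]
    if nonce_b64 in seen:
        return False, "replayed nonce"
    seen[nonce_b64] = now
    return True, user

def demo():
    """Constructed scenario: fresh, replayed, stale, wrong password, PasswordText, grafted token."""
    passwords, seen = {"unitedloan": "s3cret"}, {}
    fresh = build_request("unitedloan", "s3cret", T0 - timedelta(seconds=5))
    stale = build_request("unitedloan", "s3cret", T0 - timedelta(hours=1))
    wrong = build_request("unitedloan", "wr0ng", T0 - timedelta(seconds=5))
    cleartext = fresh.replace("#PasswordDigest", "#PasswordText")
    ts = lambda m: m[m.index("<wsu:Timestamp>"):m.index("</wsu:Timestamp>") + 16]
    grafted = stale.replace(ts(stale), ts(fresh))  # old token under a fresh Timestamp header
    return [verify_request(m, T0, passwords, seen) for m in (fresh, fresh, stale, wrong, cleartext, grafted)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The grafted case is the caveat worth remembering: a Timestamp header is bound to the rest of the message only when it is itself covered by an XML Signature, so a gateway that checks the Timestamp but not the token's own Created would accept an old UsernameToken under a fresh Timestamp. The digest also authenticates only the client, not the Body; binding the Body is the job of XML Signature, and auto-encrypting the SSN is the job of XML Encryption.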
Security for an SOA: Transport Security
Authentication
– HTTP basic / digest authentication / digital certificate (https)
Confidentiality, integrity
– Secure Sockets Layer (SSL)
– Virtual Private Network (VPN)
SSL protects a message only between two hops: once an intermediary such as a gateway terminates the connection, everything downstream sees clear text, which is why element-level WS-Security is needed alongside transport security in a flow with intermediaries.
Security for an SOA: Developer Toolkits
JDeveloper and OC4J
– Declarative Security
– WS-Security 1.0
– Identity Management Association
Oracle Web Services Manager
– Agents, Gateways, Management Console
Security for an SOA: Oracle Web Services Manager
Intercepts SOAP messages and applies policies at the pre-request, request, response and post-response stages. Flexible enforcement-point deployment: as a proxy (gateway) or at the endpoint (agent). Pre-packaged security steps. Leverages the existing identity management infrastructure for authentication and authorization.
Authentication
– Active Directory Authenticate
– File Authenticate
– LDAP Authenticate
– LDAP Certificate Authenticate
– COREid Authenticate
– SiteMinder Authenticate
– Verify Certificate
– Verify Signature
Authorization
– COREid Authorize
– Active Directory Authorize
– File Authorize
– LDAP Authorize
– SiteMinder Authorize
Credential Management
– Extract Credentials
– Insert WSBASIC Credentials
Transport-specific QoS
– HTTP Messenger
– MQ Messenger
– JMS Messenger
WS-Security
– Decrypt and Verify Signature
– Sign Message
– Sign Message and Encrypt
– XML Decrypt
– XML Encrypt
Others
– Content-based routing
– XML Transform
– Logging
– Data gathering (SLA, Metering)
SAML 1.0 and 1.1
– SAML Copy Token
– SAML Insert Token
– SAML Save Token
– SAML Validate Token
– SAML 1.1 Assertion
Security for an SOA: Oracle Web Services Manager
[Diagram: a Web Service Client sends a SOAP Request through a Policy Gateway; Policy Agents sit in front of each Web Service.]
Security for an SOA: Oracle Web Services Manager
[Diagram: the loan BPEL flow (start → Credit Rating / Get Rating, with the Handle Negative Credit Exception branch) with OWSM enforcement points. OWSM Gateway: Require Authentication and Authorization. OWSM Agent: Encrypt SSN, Add Username Token.]
Security for an SOA: Oracle Web Services Manager
Web-based tool for building policies and managing policy distribution to gateways and agents
1) Building Policies
– Pick from a library of pre-built policy steps, e.g. LDAP authorization, LDAP authentication, encrypt, decrypt, verify certificate, verify signature, route message, transform, etc.
– Visually string steps together into a policy pipeline; run the pipeline for all services, a specific service, or a subset
– Pre-request, request, response, post-response pipelines
2) Distributing Policies
– Gateway/Agent pull
– Track and manage versions
Security for an SOA: Oracle Web Services Manager
Use Oracle WSM Policy Manager to configure the set of operational policies (pipeline) you want enforced for a given service
– Automatically upload the pipeline into the WSM Agent or Gateway responsible for controlling that service
– Custom policies can be added and made available to administrators through this same interface
– Enforces both enterprise-wide and local best practices
Security for an SOA: Oracle Web Services Manager
Real-time visibility into Web Service interactions
– Automate operational issue resolution by dynamically updating policies
– Proactively alert about anomalies
– Enforce policies based on real-time monitoring data
– Validate compliance with IT best practices
[Diagram: the loan BPEL flow end to end (start → Credit Rating / Get Rating → United Loan and Star Loan: Send Loan Application, Receive Loan Offer → Select Lowest Offer → end, plus a PeopleSoft Add Customer call) with OWSM policy steps shown on the message paths: Authenticate/Authorize on the inbound request, Encrypt <SSN> on the Loan Application, Decrypt <SSN> on the returning message; all enforcement points report to the Policy Manager Monitor.]
Q & A