
Upload: oracleimc-isv-migration-center

Post on 14-May-2015


DESCRIPTION

Security has always been one of the main pain points for the IT industry, and new security challenges have been introduced with the proliferation of the service-oriented approach to building modern software. Oracle Fusion Middleware provides a wide variety of features that ease building service-oriented solutions, but how can these services be secured? Should we implement the security features in each and every service, or is there a better way? During the webinar we are going to show how to implement non-intrusive declarative security for your SOA components by introducing the Oracle product portfolio in this area, such as Oracle Web Services Manager and Oracle Enterprise Gateway. Find out more at

TRANSCRIPT

Page 1: Partner Webcast – Implementing Web Services & SOA Security with Oracle Fusion Middleware - 20 September 2012

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1

Page 2:

Implementing Web Services & SOA Security with Oracle Fusion Middleware

Dmitry Nefedkin

Oracle ISV Migration Center FMW Consultant

[email protected]

Page 3:

ISV Migration Center Team

Who we are: a team of senior technical consultants based in Eastern and Central Europe that represents Oracle's technical investment for partners.

Mission statement: Enable partners to rapidly and successfully adopt and implement Oracle's latest technology.

How can we assist: We offer a wide range of free services for partners such as one2one assistance, webinars, seminars and hands-on workshops.

ISV Migration Center blog: http://blogs.oracle.com/imc

Contacts:

Thanos Terentes Printzios, ISV Migration Center Manager, EE&CIS

[email protected]

Page 4:

Program Agenda

SOA & Web Services basics – the quick refresher

Oracle Fusion Middleware 11g SOA Stack

Common security risks in the Web Services world

SOA & Web Services security standards

Implementing SOA Security with the Oracle products

Page 5:

What is Service Oriented Architecture?

“Service Oriented Architecture (SOA) is a strategy for constructing business-focused, software systems from loosely coupled, interoperable building blocks (called Services) that can be combined and reused quickly, within and between enterprises, to meet business needs.”*

(*: source - Oracle® Reference Architecture Master Glossary)

Page 6:

The Benefits of SOA

Improve Time-to-Market

Drive Down Costs

Improve Customer Service

Expand Channels

Drive Process Improvements

Enable Business Visibility

Comply With Regulations

Accelerate M&A Integrations

Page 7:

SOA != Web Services

Many approaches to implement your SOA

– “Classic” web services,

– RESTful web services

– CORBA

– …

Page 8:

“Classic” Web Services stack – Overview

– Rely on common standards that include:
  XML for metadata
  SOAP: A standard format for messaging over a network
  WSDL: The language that provides a description for web services
  UDDI: A web-based distributed directory to publish and locate information about web services

– Include additional specifications (WS-*) to define functionality for web services discovery, security, reliability, transactions, and management

Page 9:

“Classic” Web Services stack – SOAP

– SOAP is a protocol specification for exchanging structured information in the implementation of Web Services.
– It relies on XML for its message format.
– It relies on Application Layer protocols for message transmission.

[Diagram: a Client Application and a Service exchanging a SOAP message; the Communications Envelope (HTTP, SMTP, FTP, etc.) carries the SOAP Envelope with its Headers and Body, plus optional SOAP Attachments.]

Page 10:

“Classic” Web Services stack – Web Services Description Language (WSDL)

– A WSDL document describes:
  What the service does
  How the service is accessed
  Where the service is located
– It defines the messages and the operations of a service abstractly in XML.

[Diagram: WSDL document sections – Types, Messages, Port Types, Bindings, Services.]

Page 11:

“Classic” Web Services stack – Universal Description, Discovery, and Integration (UDDI)

– XML-based registry
– Mechanism to register and locate web services
– Has not been as widely adopted as its designers had hoped

[Diagram: Development & Management Tools publish a Service (WSDL + metadata) into the Service Registry; a client discovers the Service (WSDL + metadata) from the registry and then invokes it over SOAP.]

Page 12:

Program Agenda – next section: Oracle Fusion Middleware 11g SOA Stack

Page 13:

Oracle Weblogic Server

– Industry's best application server for building and deploying enterprise Java EE applications
– Weblogic 11g supports JEE 5 - JAX-WS 2.1 for web services development
– Weblogic 12c supports JEE 6, JAX-WS 2.2 for web services development
– Foundation for SOA product offering

Page 14:

Oracle Fusion Middleware 11g SOA Stack – Connect & normalize with Adapters

[Diagram: adapters connecting ERP, Mainframe, Services, Partners and DB systems.]

• Over 200 adapters
• For all technologies & applications: EBS, PSFT, Siebel, SAP, Databases, Files, FTP, JMS, MQ, etc.
• Graphical introspection of target applications
• Abstract complexity of underlying applications
• Convert from proprietary formats to XML

Page 15:

Oracle Fusion Middleware 11g SOA Stack – Virtualize, route, scale with Oracle Service Bus

[Diagram: Service Bus in front of ERP, Mainframe, Services, Partners and DB; scale shown in TPS / msg/s and 1,000’s of services.]

• Foundation for your shared services infrastructure
• Convert from one protocol and format to another, on the fly (ex: consume a Mainframe service from .NET over SOAP)
• Add scalability through caching

Page 16:

Oracle Fusion Middleware 11g SOA Stack – Orchestrate services with Standards-based BPEL & BPMN

[Diagram: BPEL & BPMN, Business Rules and Human Workflow layered above the Service Bus, which connects ERP, Mainframe, Services, Events, Partners and DB.]

• Build process logic
• Involve people (human workflow) as well as systems
• Self-describing graphical design-time environment
• Build compensation logic for non-transactional services

Page 17:

Oracle Fusion Middleware 11g SOA Stack

Page 18:

Program Agenda – next section: Common security risks in the Web Services world

Page 19:

Principles of Information Security

Core principles (CIA):
  Confidentiality
  Integrity
  Availability

Also important:
  Authenticity
  Non-repudiation
  Compliance

These apply to SOA and web services as well.

Page 20:

OWASP Top 10 Application Security Risks https://www.owasp.org/index.php/Top_10_2010-Main

1. SQL Injection

2. Cross Site Scripting (XSS)

3. Authentication and session management

4. Insecure direct object references

5. Cross Site Request Forgery (CSRF)

Page 21:

OWASP Top 10 Application Security Risks

6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Top_10_2010-Main

Page 22:

Security Challenges for Web Services

Web services:
– Are loosely coupled
– Are based on the passing of readable and self-describing business messages represented in XML
– Can easily bypass network firewalls
– Expose business functionality through open APIs
– Enable multi-hop composite applications

Page 23:

Sample Web Services Attacks & Defenses

Attack                               Defense
Man in the Middle                    Encryption, Digital Signatures
Replay                               Nonce in payload, throttling
XML Bomb (XML Entity Expansion)      Payload analysis and validation
XML Injection                        Strict validation of the incoming payload
SOAP Attachments with viruses        Scan attachments through anti-virus engine

Nice categorization of WS attacks at www.ws-attacks.org
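The "payload analysis and validation" defence from the table, as an added Python example (not code from the webcast, nor from OEG or OWSM): a pre-parse gate of the kind an XML gateway or policy enforcement point runs before a message reaches business logic. It refuses any DOCTYPE or entity declaration outright, so an entity-expansion message is rejected before anything is expanded, and it bounds message size, nesting depth and element count. Schema validation of the business payload, the table's defence against XML injection, would follow as a separate step. All sample messages, including the small two-level entity-nesting one, are constructed for the example.

```python
import xml.parsers.expat


class PayloadRejected(ValueError):
    """Raised when a message fails a pre-parse structural check."""


class XmlPayloadGate:
    """Structural checks applied to an XML payload before business logic sees it.

    - no DOCTYPE / entity declarations: blocks entity expansion ("XML bomb")
      and external-entity tricks before any expansion can happen
    - size, nesting-depth and element-count limits: bound CPU and memory
    """

    def __init__(self, max_bytes=1_000_000, max_depth=32, max_elements=10_000):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_elements = max_elements

    def check(self, payload: bytes) -> dict:
        """Return {'elements': n, 'max_depth': d} for an accepted payload, else raise PayloadRejected."""
        if len(payload) > self.max_bytes:
            raise PayloadRejected(f"payload of {len(payload)} bytes exceeds {self.max_bytes}")

        stats = {"depth": 0, "max_depth": 0, "elements": 0}
        parser = xml.parsers.expat.ParserCreate()

        # An exception raised inside an expat handler aborts parsing and propagates out of Parse().
        def on_doctype(name, sysid, pubid, has_internal_subset):
            raise PayloadRejected(f"DOCTYPE '{name}' not allowed (entity expansion risk)")

        def on_entity_decl(*args):
            raise PayloadRejected("entity declaration not allowed")

        def on_start(name, attrs):
            stats["elements"] += 1
            stats["depth"] += 1
            stats["max_depth"] = max(stats["max_depth"], stats["depth"])
            if stats["depth"] > self.max_depth:
                raise PayloadRejected(f"nesting deeper than {self.max_depth} at <{name}>")
            if stats["elements"] > self.max_elements:
                raise PayloadRejected(f"more than {self.max_elements} elements")

        def on_end(name):
            stats["depth"] -= 1

        parser.StartDoctypeDeclHandler = on_doctype
        parser.EntityDeclHandler = on_entity_decl
        parser.StartElementHandler = on_start
        parser.EndElementHandler = on_end
        try:
            parser.Parse(payload, True)
        except xml.parsers.expat.ExpatError as exc:
            raise PayloadRejected(f"malformed XML: {exc}") from exc
        return {"elements": stats["elements"], "max_depth": stats["max_depth"]}

    def screen(self, payload: bytes):
        """Convenience wrapper: (True, stats) if accepted, (False, reason) if rejected."""
        try:
            return True, self.check(payload)
        except PayloadRejected as exc:
            return False, str(exc)


# Constructed sample messages (not captured traffic).
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><getHello xmlns="http://www.oracle.com"/></soap:Body></soap:Envelope>')
# Two-level entity nesting in an internal DTD subset: the DOCTYPE alone makes
# the gate refuse the message, so the entities are never expanded.
ENTITY_EXPANSION = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY a "aaaaaaaaaa">'
                    b'<!ENTITY b "&a;&a;&a;&a;">]><x>&b;</x>')
DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    gate = XmlPayloadGate()
    for label, msg in [("good", GOOD), ("entity expansion", ENTITY_EXPANSION), ("deep nesting", DEEP)]:
        print(label, gate.screen(msg))
```

The limits are deliberately conservative defaults; a gateway would tune them per service from the schema and observed traffic, and would log the rejection reason so that a burst of refused messages shows up in monitoring.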

Page 24:

Program Agenda – next section: SOA & Web Services security standards

Page 25:

Web Services Security approaches

Transport-level security                                   Message-level security
Secures only the connection itself                         Protects the message, not the wire
Point-to-point, does not work well with intermediaries     Designed to support intermediaries
Based on Secure Sockets Layer (SSL) or                     Based on the set of XML Encryption,
Transport Layer Security (TLS)                             SAML, WS-* standards

Can be used together

Page 26:

XML and Web Services Security Standards

General Security:       Algorithms AES, DES, RSA; Kerberos, PKI, X.509, SSL …
XML Security:           XML Encryption, XML Signature …
XML-based security:     SAML, XACML, SPML …
Web Services security:  WS-Policy, WS-Security, WS-Trust …

Page 27:

XML Signature and XML Encryption

XML Signature:
– Defines XML syntax and processing rules for creating and representing digital signatures
– Can be used to sign an entire XML document or selected parts (elements) within the document

XML Encryption:
– Defines a process of encryption and decryption, and also describes an XML syntax used to represent the encrypted content and information that enables an intended recipient to decrypt it
– Supports the encryption of entire XML documents or individual elements within a document.

Page 28:

WS-Policy

– Defines a framework for allowing web services to express their constraints and requirements
– Provides a model and the syntax for describing the policies of a web service
– Is divided into subsidiary specifications:
  WS-Policy: Defines a grammar that explains web service policies
  WS-PolicyAttachment: Associates policies with web services
  WS-PolicyAssertions: Defines a set of general policy assertions

Page 29:

Example of attaching WS-Policy to WSDL

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" ....>
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="wss_username_token_service_policy">
    <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:UsernameToken
            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:WssUsernameToken10/>
          </wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:SupportingTokens>
  </wsp:Policy>

Page 30:

Example of attaching WS-Policy to WSDL (cont)

  <wsdl:message name="GetCustomerAccountsAndBalancesByIdInput">...</wsdl:message>
  <wsdl:message name="GetCustomerAccountsAndBalancesByIdOutput">....</wsdl:message>
  <wsdl:portType name="CustomerAccountsAndBalancesService_ptt">
    <wsdl:operation name="GetCustomerAccountsAndBalancesByID">
      <wsdl:input message="WL5G3N2:GetCustomerAccountsAndBalancesByIdInput"/>
      <wsdl:output message="WL5G3N2:GetCustomerAccountsAndBalancesByIdOutput"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="CustomerAccountsAndBalancesService_pttBinding"
      type="WL5G3N2:CustomerAccountsAndBalancesService_ptt">
    <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        URI="#wss_username_token_service_policy" wsdl:required="false"/>
    <wsdl:operation name="GetCustomerAccountsAndBalancesByID">....</wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="Service1">...</wsdl:service>
</wsdl:definitions>

The PolicyReference URI is a local fragment: it points at the wsu:Id of the wsp:Policy declared at the top of the same WSDL. The WL5G3N2 prefix used for the message and portType references must be declared on wsdl:definitions, among the attributes elided as .... on the previous page.
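What a policy-aware client or a policy enforcement point has to do with the fragment above, as an added Python example that is not code from the webcast or from OWSM: index every wsp:Policy by its wsu:Id, follow each binding's wsp:PolicyReference (a local #fragment here) to the policy it names, and list the sp:*Token assertions that binding demands. It also reports bindings with no policy attached at all, which is the check a practitioner wants from this exercise, since a declarative policy protects nothing it is not attached to. The WSDL is a constructed condensation of the slides' example with a placeholder target namespace and an extra, unprotected binding added so the check has something to flag.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the WSDL / WS-Policy fragment on the slides.
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed WSDL condensed from the slides. The target namespace is a placeholder
# (the slides elide it) and LegacyBinding is added as an example of a binding that
# nobody attached a policy to.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="urn:example:placeholder-namespace" targetNamespace="urn:example:placeholder-namespace">
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="wss_username_token_service_policy">
    <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:SupportingTokens>
  </wsp:Policy>
  <wsdl:portType name="CustomerAccountsAndBalancesService_ptt"/>
  <wsdl:binding name="CustomerAccountsAndBalancesService_pttBinding"
      type="tns:CustomerAccountsAndBalancesService_ptt">
    <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        URI="#wss_username_token_service_policy" wsdl:required="false"/>
  </wsdl:binding>
  <wsdl:binding name="LegacyBinding" type="tns:CustomerAccountsAndBalancesService_ptt"/>
</wsdl:definitions>"""


def local(tag: str) -> str:
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def index_policies(root):
    """Map wsu:Id -> wsp:Policy element for every policy that carries an Id."""
    return {el.get(WSU_ID): el for el in root.iter("{%s}Policy" % NS["wsp"]) if el.get(WSU_ID)}


def token_assertions(policy):
    """List 'Token/NestedAssertion' strings for each sp:*Token assertion inside a policy."""
    found = []
    for el in policy.iter():
        if el.tag.startswith("{%s}" % NS["sp"]) and local(el.tag).endswith("Token"):
            nested = [local(c.tag) for p in el.findall("wsp:Policy", NS) for c in p]
            found.append("/".join([local(el.tag)] + nested))
    return found


def binding_requirements(wsdl_text: str) -> dict:
    """Binding name -> token assertions required by the policies referenced from it."""
    root = ET.fromstring(wsdl_text)
    policies = index_policies(root)
    result = {}
    for binding in root.findall("wsdl:binding", NS):
        tokens = []
        for ref in binding.findall("wsp:PolicyReference", NS):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                raise ValueError(f"external policy reference not resolved by this example: {uri}")
            policy = policies.get(uri[1:])
            if policy is None:
                raise ValueError(f"dangling PolicyReference {uri}: no wsp:Policy with that wsu:Id")
            tokens.extend(token_assertions(policy))
        result[binding.get("name")] = tokens
    return result


def unprotected_bindings(wsdl_text: str) -> list:
    """Bindings that reference no policy at all, i.e. accept unauthenticated calls."""
    return [name for name, tokens in binding_requirements(wsdl_text).items() if not tokens]


if __name__ == "__main__":
    for name, tokens in binding_requirements(SAMPLE_WSDL).items():
        print(name, "->", tokens or "NO POLICY ATTACHED")
```

A dangling reference is treated as an error rather than as "no requirement", because a policy that silently fails to resolve leaves the binding exactly as exposed as one that was never protected.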

Page 31:

WS-PolicyAssertions

– Policy assertion:
  Is a basic unit representing an individual requirement in a policy
  Is domain specific (security, reliability)
– Service providers use a policy assertion to convey a condition under which they offer a web service.
– Security assertions are defined in the WS-SecurityPolicy specification

Page 32:

WS-Security

– Specifies rules to ensure:
  Authentication: using security tokens
  Confidentiality: using the XML Encryption specification
  Integrity: using the XML Signature specification
– Supports multiple security tokens for authentication: Username/password, X.509 certificate, Kerberos ticket, SAML assertion
– Defines elements for packaging security tokens into SOAP messages

[Diagram: SOAP Envelope containing a SOAP Envelope Header, which holds the WS-Security Header with the Security Token, and a SOAP Envelope Body, which holds the Business Payload.]

Page 33:

WS-Security header with Username token

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    ...
    <wsse:Security soap:actor="oracle"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
      <wsse:UsernameToken wsu:Id="oracle"
          xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
        <wsse:Username>oracle</wsse:Username>
        <wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
        <wsu:Created>2009-05-19T08:46:04Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <getHello xmlns="http://www.oracle.com"/>
  </soap:Body>
</soap:Envelope>
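The token above carries the password in clear (Type="wsse:PasswordText"), which relies entirely on transport-level protection. As an added Python example, not code from the webcast or from OWSM, the following builds and verifies the UsernameToken Profile 1.0 PasswordDigest variant instead, Base64(SHA-1(nonce + created + password)), and on the service side adds the replay defence listed in the attacks table on Page 23: the Created timestamp must fall inside a freshness window and a nonce is accepted only once within that window. The credential dictionary is a constructed stand-in for an identity store; the namespace URIs are the OASIS WSS 1.0 ones that the SAML example on Page 36 also uses.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def parse_created(value: str) -> datetime:
    """wsu:Created as written by build_request (UTC, whole seconds)."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_request(username: str, password: str, created: str = None, nonce: bytes = None) -> str:
    """Client side: SOAP envelope whose WS-Security header carries a digest UsernameToken."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element("{%s}Envelope" % SOAP)
    sec = ET.SubElement(ET.SubElement(env, "{%s}Header" % SOAP), "{%s}Security" % WSSE)
    tok = ET.SubElement(sec, "{%s}UsernameToken" % WSSE)
    ET.SubElement(tok, "{%s}Username" % WSSE).text = username
    ET.SubElement(tok, "{%s}Password" % WSSE, Type=PASSWORD_DIGEST).text = password_digest(nonce, created, password)
    ET.SubElement(tok, "{%s}Nonce" % WSSE, EncodingType=BASE64_BINARY).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, "{%s}Created" % WSU).text = created
    ET.SubElement(ET.SubElement(env, "{%s}Body" % SOAP), "{http://www.oracle.com}getHello")
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Service side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, credentials: dict, window: timedelta = timedelta(minutes=5)):
        self.credentials = credentials  # username -> password; constructed stand-in for an identity store
        self.window = window
        self.seen = {}  # nonce -> Created time, remembered for one freshness window

    def verify(self, envelope: str, now: datetime = None) -> str:
        """Return the authenticated username, or raise PermissionError."""
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope)
        tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            raise PermissionError("no UsernameToken in WS-Security header")
        username = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or not (created and nonce_b64):
            raise PermissionError("PasswordDigest with Nonce and Created is required")
        created_at = parse_created(created)
        if abs(now - created_at) > self.window:
            raise PermissionError("Created timestamp outside the freshness window")
        nonce = base64.b64decode(nonce_b64)
        # Forget nonces older than the window; anything older is already rejected as stale.
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.window}
        if nonce in self.seen:
            raise PermissionError("nonce already used: replayed message")
        password = self.credentials.get(username)
        expected = password_digest(nonce, created, password) if password is not None else ""
        if not hmac.compare_digest(expected, pw.text or ""):
            raise PermissionError("digest does not match")
        self.seen[nonce] = created_at
        return username


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"oracle": "oracle"})
    request = build_request("oracle", "oracle")
    print(verifier.verify(request))          # oracle
    try:
        verifier.verify(request)             # second delivery of the same message
    except PermissionError as exc:
        print("rejected:", exc)
```

The nonce cache is per process here; behind a load balancer the same check needs a shared store, otherwise a replayed message lands on a different node with an empty cache.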

Page 34:

Security Assertion Markup Language (SAML)

– Is an open framework for exchanging security information between different parties through XML documents
– Conveys information about subjects (human users or entities) with the following types of “assertions”:
  Authentication
  Authorization decision
  Attribute

Page 35:

WS-Security and SAML

– WS-Security and SAML work together:
  WS-Security defines how you insert the information into a SOAP envelope.
  SAML defines what the security information is.
  WS-Security allows SAML assertions to be placed inside a SOAP header.
– SAML Token Profile 1.1 specifies how SAML assertions can be used for web services security.

Page 36:

WS-Security header with SAML token

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ser="urn:example:service-namespace-placeholder">
  <!-- xmlns:ser above is a placeholder: the slide does not show the service namespace URI -->
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <saml1:Assertion AssertionID="21ADEB9D1C0C8E834613472791546433" IssueInstant="2012-09-10T12:12:34.643Z"
          Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType"
          xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <saml1:Conditions NotBefore="2012-09-10T12:12:34.643Z" NotOnOrAfter="2012-09-10T12:17:34.643Z"/>
        <saml1:AuthenticationStatement AuthenticationInstant="2012-09-10T12:12:34.643Z"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" xsi:type="saml1:AuthenticationStatementType">
          <saml1:Subject>
            <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                NameQualifier="welcome1">AcmeUser</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
        </saml1:AuthenticationStatement>
      </saml1:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><ser:getCustomer><arg0>1</arg0></ser:getCustomer></soap:Body>
</soap:Envelope>
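The checks a policy enforcement point makes on the assertion above before it trusts the subject, as an added Python example (not code from the webcast or from OWSM): SAML version, a trusted Issuer, the Conditions window with a small clock-skew allowance, and the confirmation method. The assertion uses sender-vouches, so nothing inside it binds AcmeUser to a key; the intermediary that vouches for the subject has to sign the message (assertion and body), and the function refuses the token unless the caller reports that signature as verified. The sample envelope is a constructed copy of the slide's message with consistent prefixes and a placeholder for the elided service namespace.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"


class SamlRejected(PermissionError):
    pass


def parse_saml_time(value: str) -> datetime:
    """xsd:dateTime in UTC as SAML uses it; fractional seconds are optional."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_saml_token(envelope: str, now: datetime, trusted_issuers, sender_signature_verified: bool,
                        skew: timedelta = timedelta(seconds=30)) -> dict:
    """Checks a PEP makes on a SAML 1.1 sender-vouches token before trusting its subject."""
    root = ET.fromstring(envelope)
    assertion = root.find("soap:Header/wsse:Security/saml1:Assertion", NS)
    if assertion is None:
        raise SamlRejected("no SAML 1.x assertion in the Security header")
    if (assertion.get("MajorVersion"), assertion.get("MinorVersion")) != ("1", "1"):
        raise SamlRejected("only SAML 1.1 assertions are accepted here")
    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        raise SamlRejected(f"untrusted issuer {issuer!r}")
    cond = assertion.find("saml1:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise SamlRejected("assertion without a validity window is rejected")
    if now + skew < parse_saml_time(cond.get("NotBefore")):
        raise SamlRejected("assertion not yet valid")
    if now - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise SamlRejected("assertion expired")
    stmt = assertion.find("saml1:AuthenticationStatement", NS)
    if stmt is None:
        raise SamlRejected("no AuthenticationStatement")
    methods = [m.text for m in stmt.findall(
        "saml1:Subject/saml1:SubjectConfirmation/saml1:ConfirmationMethod", NS)]
    if methods != [SENDER_VOUCHES]:
        raise SamlRejected(f"unsupported confirmation method(s) {methods}; fail closed")
    # sender-vouches: the assertion carries no proof of possession by the subject, so the
    # vouching intermediary's signature over the message must have been verified already.
    if not sender_signature_verified:
        raise SamlRejected("sender-vouches token without a verified sender signature")
    return {
        "subject": stmt.findtext("saml1:Subject/saml1:NameIdentifier", namespaces=NS),
        "issuer": issuer,
        "authn_method": stmt.get("AuthenticationMethod"),
    }


# Constructed copy of the slide's sample message: same values, consistent prefixes,
# and a placeholder for the service namespace the slide does not show.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ser="urn:example:service-namespace-placeholder">
 <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <saml1:Assertion AssertionID="21ADEB9D1C0C8E834613472791546433" IssueInstant="2012-09-10T12:12:34.643Z"
     Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1"
     xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml1:Conditions NotBefore="2012-09-10T12:12:34.643Z" NotOnOrAfter="2012-09-10T12:17:34.643Z"/>
    <saml1:AuthenticationStatement AuthenticationInstant="2012-09-10T12:12:34.643Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
     <saml1:Subject>
      <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">AcmeUser</saml1:NameIdentifier>
      <saml1:SubjectConfirmation>
       <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
      </saml1:SubjectConfirmation>
     </saml1:Subject>
    </saml1:AuthenticationStatement>
   </saml1:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body><ser:getCustomer><arg0>1</arg0></ser:getCustomer></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(validate_saml_token(SAMPLE, parse_saml_time("2012-09-10T12:13:00Z"), {"www.oracle.com"}, True))
```

The five-minute window in the sample is what makes the expiry check meaningful; with no Conditions element an assertion would be valid forever, which is why the function rejects that case rather than treating it as unbounded.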

Page 37:

WS-Security and WS-Policy used together

[Diagram: the Web Service Client sends a Request (SOAP with WS-Security token, encrypted *, signed *) to the Web Service Policy Enforcement Point, which authenticates and authorizes the request against the WS-SecurityPolicy; the service endpoint's WSDL has the WS-Policies attached; the Response flows back to the client through the same path.]

Page 38:

Program Agenda – next section: Implementing SOA Security with the Oracle products

Page 39:

Oracle’s View: Security Inside-Out

Cloud Security: Secure your hybrid infrastructure on-premise as well as in the Cloud.
Perimeter Security: Secure the Enterprise from external threats at the perimeter.
Application Security: Provide end-point security in heterogeneous environments.
Middleware Security: Protect from internal threats, reduce security burden on applications.

Themes on the slide: Flexibility & Agility, Control & Assurance, Consistency & Manageability, Broad & Deep integration.

Page 40:

Oracle’s SOA Security

[Diagram: three zones under a Common Policy Model. Extranet: 3rd Party Web Services calling in over HTTP, SOAP, REST*, XML, JMS. DMZ: the Enterprise Gateway as the First Line Of Defense. Intranet: the Shared Services Layer (Service Bus with OWSM Agent) and End Point Security (Web Services with OWSM Agent), reached over HTTP, SOAP, REST*, XML, JMS, with outbound calls to 3rd Party Web Services. Token and protection options listed: WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos, Sign & Encrypt.]

Page 41:

Oracle Web Services Manager Introduction

The Web Service Security provider of choice for Oracle’s Fusion Middleware and Oracle Fusion Applications.
• Oracle’s Unified Web Services Security Provider
• Purpose-built for the entire Fusion stack
• Prepackaged, Zero install needed

[Diagram: Web Services Manager architecture. Portal Users and WS Clients reach the IDM Service, Fusion App Service and SOA Service over HTTP, SOAP, REST; each service is fronted by an OWSM Agent (Enforcement), which obtains its Decision from the Policy Manager (Policy Management); policies are attached and deployed from Enterprise Manager and JDeveloper and persisted in the OWSM Policy Store (Policy Persistence).]

Page 42:

Oracle Web Services Manager Introduction

Open, Extensible: Proven standards driven interoperability and easy extensibility to meet all security needs.
Service Security: Systematic, policy-driven, and standards based Web Service Security infrastructure for the entire Fusion stack.
Visibility, Control & Governance: Centralized management with a single unified console for managing, monitoring, and auditing Web Service Security.

Page 43:

Oracle Web Services Manager Features – Systematic WS-Security for Fusion Middleware

• Policy Driven
• Declarative
• Externalized
• Re-usable
• Pre-defined policies
• Categorized - Security, MTOM, Reliable Messaging, WS-Addressing, Management
• Building blocks - 60+ assertion templates to create new reusable policies
• Custom policies

Page 44:

Oracle Web Services Manager Features – Systematic WS-Security for Fusion Middleware

• Centralized Management (Policy Manager)
• Configurable policy repository
• Authoring
• Versioning & Rollback
• Auditing
• Usage & Impact analysis
• Export & Import

[Diagram: Billing App, Shipping App, Payable App and HR App each with its own OWSM Policy Store --- OR --- all four applications sharing a single OWSM Policy Store.]


Page 49:

Oracle Web Services Manager Features – Systematic WS-Security for Fusion Middleware

• Policy Attachment & Enforcement (Agent)
  • Attach locally on the service
  • Attach globally for entire enterprise, domain or application
  • Pre-installed, local policy enforcement point for Fusion Stack
• Interoperable Industry Standards
  • WS-Security, WS-Policy, WS-Security Policy

[Diagram: Global Attachment versus Local Attachment.]

Page 50:

Oracle Web Services Manager Features – Policy Attachment at design-time

Attach/Detach Policies through JDeveloper
Design-time support for WebLogic, SOA, ADF, OSB, etc.

Page 51:

Oracle Web Services Manager Features – Policy Attachment post deployment

Attach/Detach policies directly on a service or client
Attach/Detach global policies
View policy usage analysis
Support policy management for WebLogic, SOA, ADF, etc.

Page 52:

Oracle Web Services Manager Features – Performance Monitoring

Track number of invocations, service faults, and policy violations
Collect violation metrics for service, port, and operation
View number of security and non-security violations
• Authentication and Authorization failures
• MTOM and Reliable-Messaging

Page 53:

Oracle Web Services Manager Demo

Page 54:

Demo Use Case

Page 55:

XML Gateways

.. are mainly deployed using XML web services
• Highly CPU intensive
• Involves many modern & legacy standards and technologies
• Many types of clients
• Need SLA’s, charge for usage

…are highly exposed
• XML threats, viruses, DoS attacks etc.
• How do we ensure confidentiality and non repudiation?
• Who can access the service, under what conditions?
• What data is leaving the network and how?

Page 56: Partner Webcast – Implementing Web Services & SOA Security with Oracle Fusion Middleware - 20 September 2012

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 56

OEG – perimeter to endpoint security

Zones: Extranet | DMZ | Intranet, under a Common Policy Model

Extranet clients: Web Service Client, REST Client, Mobile WS Client

DMZ – First Line Of Defense: Enterprise Gateway
• Intrusion Detection: SQL Injection, DoS, Replay Attack, Crypto Attack, XML Bomb
• Route, Transform, Encrypt/Decrypt, Validate, Access
• Protocols: HTTP, SOAP, REST

Intranet – End Point Security: Web Service with OWSM Agent, Fusion App Svc with OWSM Agent (HTTP, SOAP, REST)
• Service Security: ID Propagation, Authentication, Authorization, Message Confidentiality & Integrity, Replay Attack
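The XML Bomb and Replay Attack items in the first-line-of-defense list above, as an added Python example written for this page rather than taken from OEG; the size ceiling, the clock-skew window, the use of the WS-Security UsernameToken nonce and wsu:Created as the replay key, and the sample messages are all assumptions.

```python
# Added example (not OEG code): first-line checks a gateway can run before a SOAP request
# reaches the service, covering the XML bomb and replay items from the slide above.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
MAX_BYTES = 64 * 1024  # assumed policy value: message size ceiling
SKEW_SECONDS = 300     # assumed policy value: allowed distance between wsu:Created and now

def first_use(seen, nonce, now):
    """Replay cache: True only the first time a nonce is seen inside the skew window."""
    for stale in [n for n, expiry in seen.items() if expiry <= now]:
        del seen[stale]  # forget nonces whose window has passed
    if nonce in seen:
        return False
    seen[nonce] = now + SKEW_SECONDS
    return True

def inspect_request(raw, seen, now):
    """Return (accepted, reason). 'now' is epoch seconds so the outcome is deterministic."""
    if len(raw) > MAX_BYTES:
        return False, "oversized"
    lowered = raw.lower()  # refuse any DTD/entity declaration before the parser sees it
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "dtd/entity not allowed (XML bomb guard)"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return False, "malformed xml"
    created = root.find(".//" + WSU + "Created")
    nonce = root.find(".//" + WSSE + "Nonce")
    if created is None or nonce is None or not nonce.text:
        return False, "missing wsu:Created or wsse:Nonce"
    ts = datetime.strptime(created.text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - ts.timestamp()) > SKEW_SECONDS:
        return False, "timestamp outside window"
    if not first_use(seen, nonce.text, now):
        return False, "replayed nonce"
    return True, "ok"

# Constructed samples: a UsernameToken request created 2012-09-20T10:00:00Z, and the classic entity-expansion shape.
SAMPLE = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
          b' xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"'
          b' xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">'
          b'<s:Header><wsse:Security><wsse:UsernameToken><wsse:Nonce>c2FsdDEyMw==</wsse:Nonce>'
          b'<wsu:Created>2012-09-20T10:00:00Z</wsu:Created></wsse:UsernameToken></wsse:Security></s:Header><s:Body><getPatient/></s:Body></s:Envelope>')
BOMB = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]><x>&b;</x>'
NOW = 1348135230  # 2012-09-20T10:00:30Z, 30 s after SAMPLE's wsu:Created
```

The replay cache is a plain dict here; a clustered gateway would need it shared across nodes, otherwise a second node accepts the same nonce.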

Page 57:

Oracle Enterprise Gateway – DMZ Security
(capability areas: DMZ Security, Ultra-fast XML Processing, Integrated & Extensible, Service Governance, Cloud Gateway)

XML Intrusion Detection: Content Attack, Schema/DTD Attack, Crypto Attack, Virus Scanning

Access Enforcement: Authentication, ID Propagation, Fine Grained AuthZ, Throttling, Transport/Message Security

Monitoring and Audit: Real-time Monitoring, Reporting, Audit and Compliance

Page 58:

Oracle Enterprise Gateway – Ultra-fast XML Processing

Process Offloading: Frees Resources, Faster Applications

XML Acceleration: XML Acceleration Engine, Faster XML Validation, Faster XML queries and transformations

XML Enrichment: Information Enrichment

Page 59:

Oracle Enterprise Gateway – Integrated & Extensible

Identity Mgmt: Oracle Access Manager, Oracle Entitlements Server, Directory Services (ODS +), Oracle STS*

SOA: Oracle SOA Suite, Oracle Service Registry, Enterprise Manager, Oracle Web Service Manager

OS / Hardware: X86 (Westmere*), SPARC, Oracle Crypto Accelerator*

Page 60:

Oracle Enterprise Gateway – Service Governance

SOA Governance: Service Access, Service Usage, Availability

Closed Loop: Discovery & Publish to UDDI, Publish Metrics to EM

Audit & Report: Meter Usage, Audit Trail

Page 61:

Oracle Enterprise Gateway – Cloud Gateway (IaaS, PaaS, SaaS)

• Deployments on EC2, Oracle VM Control cloud services
• Regulate service usage
• Continuous traffic monitoring
• Data Redaction
• Detect rogue usage
• REST security
• OAuth Support

Page 62:

Oracle Enterprise Gateway Architecture and Components

Functions: Policy Creation, Editing, Versioning; Multiple-OEG Policy Management; Load and Security Testing; Service Usage Analysis; Policy Store; Usage Metrics Store; Web Services Management; Web Admin Interface

Components: Enterprise Gateway Policy Studio, Enterprise Gateway Policy Center, Enterprise Gateway Service Manager, Enterprise Gateway Traffic Monitor | Real-time Monitor, Enterprise Gateway Service Explorer, Enterprise Gateway Service Monitor

Data path: Web Services Clients → OEG → Web Service, Web Service

Page 63:

Oracle Enterprise Gateway Demo

Page 64:

OEG integration with Oracle Access Manager – Authentication at the service perimeter

Diagram: Web Service Client and Web Service Client (Browser, carrying an SSO Cookie) in the Extranet; OEG in the DMZ; WebLogic Server hosting the Web Service in the Intranet; Access Manager alongside.

AUTHENTICATION AT THE SERVICE PERIMETER

Authentication against:
• Oracle Directory Services (OID, ODSEE, OVD) directly
• Oracle Access Manager (SSO using OAM issued cookie) or 3rd party WebSSO
• Non-Oracle Directory Servers and Access Management products

Token Mediation – SAML assertion generation using username from web service client

Page 65:

OEG integration with Oracle Access Manager

http://bit.ly/OAM11g-OEG

Page 66:

OEG integration with Oracle Entitlements Server

Legacy Patient Record Application – Existing API Returns: Name & Contact Info, SSN, Physician Info, Existing Conditions, Prescriptions, Health Records, Insurance, Payment History

OEG (PEP) consults the Entitlements Server (PDP) and returns a role-specific response:

Help desk – Response:
• Name & Contact Info
• Masked SSN
• Primary Physician
• Insurance

Accounting – Response:
• Name & Contact Info
• Masked SSN
• Primary Physician
• Insurance
• Payment History

Doctor – Response:
• Name & Contact Info
• Primary Physician
• Health History
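The role-specific responses above, as an added Python example that is not OEG or OES code: a gateway-side PEP asks a PDP for a per-field decision and rebuilds the response from what the caller's role is permitted to see; the field names, the role-to-field policy, the grouping of three fields into "health history" and the sample record are assumptions.

```python
# Added example (not OEG/OES code): the PEP/PDP split from the slide, with the legacy
# record trimmed to what each role may see. Field names and the role->field policy are assumed.
LEGACY_RECORD = {  # constructed sample of what the existing API returns
    "name_contact": "Jane Doe, +1-555-0100",
    "ssn": "123-45-6789",
    "physician": "Dr. Smith",
    "existing_conditions": ["asthma"],
    "prescriptions": ["salbutamol"],
    "health_records": ["2012-03-01 checkup"],
    "insurance": "ACME Health, plan B",
    "payment_history": ["2012-08-01 paid 120.00"],
}
HEALTH_HISTORY = ("existing_conditions", "prescriptions", "health_records")  # assumed grouping
# PDP policy: fields each role may receive; "ssn_masked" releases the SSN only after masking.
POLICY = {
    "help_desk": {"name_contact", "ssn_masked", "physician", "insurance"},
    "accounting": {"name_contact", "ssn_masked", "physician", "insurance", "payment_history"},
    "doctor": {"name_contact", "physician", "health_history"},
}

def pdp_decide(role, field):
    """Policy decision point: PERMIT, MASK or DENY for one field; unknown roles get DENY."""
    allowed = POLICY.get(role, set())
    if field == "ssn":
        return "MASK" if "ssn_masked" in allowed else "DENY"
    if field in HEALTH_HISTORY:
        return "PERMIT" if "health_history" in allowed else "DENY"
    return "PERMIT" if field in allowed else "DENY"

def mask_ssn(ssn):
    """Keep only the last four digits, as the slide's 'Masked SSN' field does."""
    return "***-**-" + ssn[-4:]

def pep_redact(role, record):
    """Policy enforcement point (the gateway): rebuild the response from PDP decisions only."""
    response = {}
    for field, value in record.items():
        decision = pdp_decide(role, field)
        if decision == "PERMIT":
            response[field] = value
        elif decision == "MASK":
            response[field] = mask_ssn(value)
        # DENY: the field never leaves the gateway
    return response
```

Because the response is rebuilt from permitted fields rather than filtered by a deny list, a new field added to the legacy API is withheld from every role until the policy is updated.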

Page 67:

OEG integration with Oracle Entitlements Server

http://bit.ly/OES11g-OEG

Page 68:

Q&A

Dmitry Nefedkin

Oracle ISV Migration Center FMW Consultant

[email protected]

ISV Migration Center blog: http://blogs.oracle.com/imc
