Ganesh Kirti, Roger Sullivan, Oracle Corporation. “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.” Securing Web Services in a SOA

Post on 27-Dec-2015

TRANSCRIPT

Page 1: Ganesh Kirti Roger Sullivan Oracle Corporation “This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Ganesh Kirti, Roger Sullivan

Oracle Corporation

“This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Securing Web Services in a SOA

Page 2:

Agenda for Today

– Introduction to a Service Oriented Architecture (SOA)
– Security in Service Oriented Architectures
– Q & A

Page 3:

Service Oriented Architectures

Page 4:

Customer Needs
– Optimize Processes & Applications to Change
– Share Information & Collaborate Productively
– Build Flexible, Adaptable Applications
– Take Decisions with Better Quality Information
– Lower Technology Costs
– Secure Access & Reduce Risks

Page 5:

Fusion Middleware

– Modular & Configurable Applications: SOA, Faces, EJB
– Flexible Business Processes: WSIF, ESB, BPEL
– Actionable Business Intelligence: Hubs, BI, BAM
– Enhanced Employee Productivity: Portals, Mobile, Collaboration
– Lowest TCO: Grid, Systems Mgmt
– Enhanced Security & Compliance: Identity Mgmt, Web Services Mgmt

Page 6:

Page 7:

Web Services and Service Oriented Architectures

Page 8:

Web Services Security and Management Concerns

Security
– “We have many web services exposed to the internet now”
– “Only valid partners may access our web services”

Exception Handling
– “Notify operations if a transaction stalls”
– “Send any incomplete orders to customer service for fixing”

Compliance and Consistency
– “All customer orders must be encrypted with 128 bit keys”
– “All XML messages must follow this format”

Service Level Monitoring
– “The order system must process transactions in under 2 seconds”
– “If uptime falls below 98% we owe contract penalties”

Page 9:

Security for an SOA?

[BPEL flow diagram: start → Credit Rating (Get Rating) → Send Loan Application / Receive Loan Offer to United Loan and to Star Loan → Select Lowest Offer → end, with a Handle Negative Credit Exception branch and a “?” marker on the flow]

Page 10:

What’s Missing?

[The same BPEL flow diagram, with the message fragment <SSN>011-22-4488</SSN> shown in the clear on the loan application call]

1. Anyone who can access the server can initiate loan applications
2. SSN sent in clear text
3. Callback has to go through firewall
4. How can I be sure no other sensitive data is unprotected?

Page 11:

Security for an SOA

[The same BPEL flow diagram, now annotated with audit timestamps (10:00am, 03:00pm) on the loan application steps]

1. Security: Role-based access control

2. Security: Auto-Encryption of SSN in XML message

3. Management: Service virtualization in DMZ

4. Management: System-wide service auditing

Page 12:

Security for an SOA: WS-Security Authentication

Authentication
– Security Tokens & References
– OASIS Token Profiles: UsernameToken, BinarySecurityToken (X509, Kerberos)

Integrity
– W3C XML Signature Standard
– Signing by Parts (Element level)
– Canonicalization for signature verification
– Non-repudiation

Page 13:

Security for an SOA: WS-Security Confidentiality

Confidentiality
– W3C XML Encryption Standard
– Support for standard Key Exchange Mechanisms
– Encryption by Parts (Element level)

Threats
– Replay Attacks (Timestamps)
– Substitution Attacks (Signing References)
– XML Injections (Validation)
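As an added example, not code from the presentation or from Oracle, the OASIS UsernameToken digest flow from the authentication slide together with the timestamp and nonce replay checks the threats slide calls for. The credential store, the gateway's freshness window and the sample user are constructed assumptions.

```python
import base64, calendar, hashlib, hmac, os, time
from xml.etree import ElementTree as ET

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS = "%Y-%m-%dT%H:%M:%SZ"
PASSWORDS = {"bpel-engine": "constructed-demo-secret"}  # constructed stand-in for a File/LDAP credential store
MAX_SKEW = 300                                          # assumption: seconds a Created timestamp may differ from gateway time
seen_nonces = set()                                     # replay cache; a real gateway bounds it by MAX_SKEW

def password_digest(nonce, created, password):
    # OASIS Username Token Profile: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_token(user, password, now=None):
    """Client/agent side ('Add Username Token'): fresh nonce and Created timestamp per message."""
    nonce = os.urandom(16)
    created = time.strftime(TS, time.gmtime(now if now is not None else time.time()))
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}">'
            f"<wsse:Username>{user}</wsse:Username>"
            f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>")

def validate_token(xml, now=None):
    """Gateway side ('Authenticate'): returns (accepted, reason)."""
    tok = ET.fromstring(xml)
    user, created = tok.findtext(WSSE + "Username"), tok.findtext(WSU + "Created")
    nonce = base64.b64decode(tok.findtext(WSSE + "Nonce"))
    now = now if now is not None else time.time()
    # Replay defence 1: the token must have been created inside the freshness window
    if abs(now - calendar.timegm(time.strptime(created, TS))) > MAX_SKEW:
        return False, "timestamp outside freshness window"
    # Credential check against the stored password (constant-time compare of the digests)
    expected = password_digest(nonce, created, PASSWORDS.get(user, ""))
    if user not in PASSWORDS or not hmac.compare_digest(tok.findtext(WSSE + "Password") or "", expected):
        return False, "bad credentials"
    # Replay defence 2: a nonce is accepted once; the same token seen again is a replay
    if nonce in seen_nonces:
        return False, "nonce already used (replay)"
    seen_nonces.add(nonce)
    return True, "ok"
```

A token that passes once is refused on its second presentation, and a token built with a stale clock is refused before its password is even checked.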

Page 14:

Security for an SOA: Transport Security

Authentication
– HTTP basic / digest authentication / digital certificate (https)

Confidentiality, integrity
– Secure Sockets Layer (SSL)
– Virtual Private Network (VPN)

Page 15:

Security for an SOA: Developer Toolkits

JDeveloper and OC4J
– Declarative Security
– WS-Security 1.0
– Identity Management Association

Oracle Web Services Manager
– Agents, Gateways, Management Console

Page 16:

Security for an SOA: Oracle Web Services Manager

Intercept SOAP messages and apply policies to pre-request, request, response and post-response. Flexible enforcement point deployment architecture as proxy or for endpoint-level security. Pre-packaged security steps. Leverage existing IdM for authentication and authorization.

Page 17:

Security for an SOA: Oracle Web Services Manager (pre-packaged policy steps)

Authentication: Active Directory Authenticate, File Authenticate, LDAP Authenticate, LDAP Certificate Authenticate, COREid Authenticate, SiteMinder Authenticate, Verify Certificate, Verify Signature

Authorization: COREid Authorize, Active Directory Authorize, File Authorize, LDAP Authorize, SiteMinder Authorize

Credential Management: Extract Credentials, Insert WSBASIC Credentials

Transport-specific QoS: HTTP Messenger, MQ Messenger, JMS Messenger

WS-Security: Decrypt and Verify Signature, Sign Message, Sign Message and Encrypt, XML Decrypt, XML Encrypt

Others: Content-based routing, XML Transform, Logging, Data gathering (SLA, Metering)

SAML 1.0 and 1.1: SAML Copy Token, SAML Insert Token, SAML Save Token, SAML Validate Token, SAML 1.1 Assertion

Page 18:

Security for an SOA: Oracle Web Services Manager

[Deployment diagram: Web Service Client sends a SOAP Request through a Policy Gateway to the Web Service; a Policy Agent sits at each endpoint]

Page 19:

Security for an SOA: Oracle Web Services Manager

[BPEL flow excerpt: start → Credit Rating (Get Rating), with Handle Negative Credit Exception]

OWSM Gateway: Require Authentication and Authorization

OWSM Agent: Encrypt SSN, Add Username Token

Page 20:

Security for an SOA: Oracle Web Services Manager

Web-based tool for building policies and managing policy distribution to gateways and agents

1) Building Policies
– Pick from a library of pre-built policy steps, e.g. LDAP authorization, LDAP authentication, encrypt, decrypt, verify certificate, verify signature, route message, transform, etc.
– Visually string steps together into a policy pipeline; run the pipeline for all services, a specific service, or a subset
– Pre-request, request, response, post-response pipelines

2) Distributing Policies
– Gateway/Agent pull
– Track and manage versions
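Added example, not OWSM code and not from the presentation: a toy enforcement point in the shape the step library and pipeline slides describe, with an agent-side “Sign Message” step that signs only the canonicalized Body (signing by parts with canonicalization, from the integrity slide), and gateway-side “Verify Signature” and role-based “Authorize” steps run for all services or for one service. The HMAC key, the role table and the sample envelope are constructed assumptions, and HMAC stands in for an XML-DSig key pair.

```python
import base64, hashlib, hmac
from xml.etree import ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
KEY = b"constructed-demo-key"  # assumption: a shared key standing in for the agent's XML-DSig key pair
ROLES = {"bpel-engine": {"loan-originator"}}  # constructed stand-in for an LDAP/COREid role lookup
class PolicyError(Exception):
    pass  # raised by any step that rejects the message; the pipeline stops at the first failure

def c14n(elem):
    # Canonicalize the signed part so whitespace/attribute-order changes do not break verification
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def sign_message(env):
    # Agent step 'Sign Message' (signing by parts): the signature covers only soap:Body
    mac = hmac.new(KEY, c14n(env.find(SOAP + "Body")), hashlib.sha256).digest()
    ET.SubElement(env.find(SOAP + "Header"), "Signature").text = base64.b64encode(mac).decode()

def verify_signature(env):
    # Gateway step 'Verify Signature': recompute over the Body actually delivered to the service
    sig = env.findtext(SOAP + "Header/Signature")
    if sig is None:
        raise PolicyError("missing signature")
    expected = hmac.new(KEY, c14n(env.find(SOAP + "Body")), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.b64decode(sig), expected):
        raise PolicyError("body does not match signature")

def authorize(env):
    # Gateway step 'Authorize': role-based access control on the caller named in the header
    user = env.findtext(SOAP + "Header/" + SOAP + "Username")
    if "loan-originator" not in ROLES.get(user, set()):
        raise PolicyError(f"{user!r} is not allowed to initiate loan applications")

# Request pipelines: '*' runs for every service, a named entry only for that service
PIPELINES = {"*": [verify_signature], "LoanApplication": [authorize]}

def agent_sign(xml):
    # Outbound agent: sign the envelope produced by the BPEL engine and return it
    env = ET.fromstring(xml)
    sign_message(env)
    return ET.tostring(env, encoding="unicode")

def gateway_enforce(service, xml):
    # Inbound gateway: run the request pipeline for `service`; returns (accepted, reason)
    env = ET.fromstring(xml)
    try:
        for step in PIPELINES["*"] + PIPELINES.get(service, []):
            step(env)
    except PolicyError as err:
        return False, str(err)
    return True, "ok"
# Constructed sample request as the BPEL engine would send it before the agent signs it
REQUEST = ('<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Header><Username>bpel-engine'
           '</Username></Header><Body><SSN>011-22-4488</SSN></Body></Envelope>')
```

An unsigned envelope, a signed envelope whose SSN was altered in transit, and a signed envelope from a caller without the role are all refused, while the same unprivileged caller still passes a service whose pipeline only verifies the signature.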

Page 21:

Security for an SOA: Oracle Web Services Manager

Automatically upload the pipeline into the WSM Agent or Gateway responsible for controlling that service

Custom policies can be added and made available to administrators through this same interface

Enforces both enterprise-wide and local best practices

Use Oracle WSM Policy Manager to configure the set of operational policies (pipeline) you want enforced for a given service

Page 22:

Security for an SOA: Oracle Web Services Manager

Real-time visibility into Web Service interactions

– Automate operational issue resolution by dynamically updating policies
– Proactively alert about anomalies
– Enforce policies based on real-time monitoring data
– Validate compliance with IT best practices

Page 23:

[End-to-end diagram: the BPEL Flow (start → Credit Rating / Get Rating → Send Loan Application / Receive Loan Offer to United Loan and Star Loan, 03:00pm → Select Lowest Offer → end, with Handle Negative Credit Exception) exchanging Loan Application / Loan Offer messages; a PeopleSoft “Add Customer” step; policy steps Encrypt <SSN>, Decrypt <SSN> and Authenticate/Authorize at the service boundaries; Policy Manager and Monitor]

Page 24:

Q & A

Page 25: