web services manager in action: zentrale ... · pdf fileagenda • web services security...

Upload: hoanghanh

Post on 27-Mar-2018


Page 1: Web Services Manager in Action: zentrale ... · PDF fileAgenda • Web Services Security • Oracle Web Service Manager • Samples • OWSM vs OEG • DEMO • Summary

Web Services Manager in Action:

Central Security Platform for WS

Kersten Mebus

Lead Systems Consultant


Agenda

• Web Services Security

• Oracle Web Service Manager

• Samples

• OWSM vs OEG

• DEMO

• Summary


Web Service Security

Securing Web services using WS-Security standards:

• Supported by WS-SecurityPolicy standards, among others

• Applied to service end points, to provide:

  • Authentication and authorization

  • Signing and encrypting the whole message or parts thereof

  • Integrity (reliable messaging), confidentiality, and propagation of credentials

[Diagram labels: Client; Request; Response; Service; End point; Policy enforcement point; Authentication: Who? Allow (Y/N)?; Authenticate and authorize; WS-SecurityPolicy; WS-Security; UsernameTokenProfile; (sign, encrypt, propagate)]


Web Services Security Approaches

• The standard ways of securing Web services are:

1. Protocol based:

  • Secure sockets layer (SSL)

  • Secure HTTP (S-HTTP)

2. Message based:

  • XML digital signature

  • XML encryption

  • Security Assertion Markup Language (SAML)


WS-Security Fundamentals

• Authentication: Incorporated by using security tokens:

  • Username token

  • X.509 certificates

  • SAML assertions

• Confidentiality:

  • Supports the W3C XML encryption standard

  • Supports standard key exchange mechanisms

  • Enables encryption to be applied in parts

• Integrity:

  • W3C XML signature standard

  • Signature can be applied in parts


Oracle Web Services Manager 11g

What it does:

Secures services across your entire SOA infrastructure using a unified, consistent and centrally managed policy infrastructure

How it works:

Simply define and apply policies: apply at design time or at runtime, apply locally or globally.


Global Policy Management: Oracle WSM Policy Manager

• Clearly separates process logic from security concerns

• Secures end points

• Sets and propagates identity

Web Service Interceptor:

• Authentication

• Authorization

• Message Integrity & Confidentiality (signatures, encryption/decryption)

• Publish security requirements as WS-Policy in WSDL

Service Component Interceptors:

• Authorization

Web Service Interceptor:

• User token insertion (such as SAML)

• Integrity & Confidentiality (signatures, encryption/decryption)

[Diagram labels: Service Infrastructure; Policy Manager; Mediator; BPEL/BPM; Human Task; SOAP; HTTP/SOAP message; callouts 1 to 5; SSO (Oracle Access Manager & 3rd-Party); DB; LDAP; File; Java Platform Security]


OWSM Security Policies

Oracle Web Services Manager policies are:

• oracle/wss_username_token_service_policy

• oracle/wss11_saml_token_client_policy

• oracle/wss11_message_protection_service_policy

• oracle/wss11_username_token_with_message_protection_service_policy

• …

Authenticate: Sets UsernameToken

WS-Security: Carries UsernameToken values

WS-SecurityPolicy: The oracle/wss_username_token_service_policy policy can be used to extract token data, apply authentication and authorization, and set the Subject

[Diagram labels: Client; Request; Response; Service; Policy enforcement point]


Policy

Deployment Architecture

[Diagram labels: SOA Domain #1; SOA Domain #2; Service; Agent; Policies; JDeveloper; Policy Attachment; Oracle EM; Policy Mgt; Policy Manager; File; DB; Policy Store (MDS); Policies & Usage data; notes "Only supported for JDev" and "Only supported configuration for production"]


Sample: Start Business Process

Web Services Security

[Diagram labels: Quote Web App; Credit Check; JAX-WS Client; Web App; Quote Service Client; WSS 1.0 SAML, ID Propagation; WSS 1.1 SAML, ID Propagation; Quote Service; Credit Service]

All end points secured by OWSM Policy


Sample: Intermediate Business Process

SOA Security

• WSS 1.0 & WSS 1.1 SAML, ID Propagation

• Message Protection

• Role-Based Access Control

[Diagram labels: PO Processing; Internal PO Web App; Credit Service; Quote Service; Fulfillment Service]

All end points secured by OWSM Policy


Sample: End Business Process

SOA & OSB Security

[Diagram labels: PO Processing; Internal PO Web App; External System; Oracle Service Bus; JMS; Credit Service; Quote Service; Fulfillment Service; AR System]

All end points secured by OWSM Policy


Oracle Enterprise Gateway

[Diagram labels: First Line Of Defense; Web Services Virtualization; Last-Mile Security; Web Client (Browser); Web Service Client; Oracle Enterprise Gateway; OSB With OWSM Extension; OWSM Agent; Web Service; protocols: HTTP GET/POST, REST, XML, SOAP, JMS; zones: Internet, Company's DMZ, Company's "Green Zone"]


Oracle Enterprise Gateway Deployment

[Diagram labels: Web Client (Browser); Oracle WebCenter App; Web Service Client; protocols: HTTP GET/POST, REST, XML, SOAP, JMS; Oracle Enterprise Gateway; Oracle Service Bus (*); OWSM Agents; .NET WS; PL/SQL WS; Tibco WS, JMS; Java EE WS; ADF BC WS; SOA Composite; Oracle Identity Management; Metadata Store (MDS); Oracle Enterprise Manager; OWSM Policy Manager]

(*): OSB can be with or without OWSM extension


DEMO


Summary

[Diagram labels: SECURITY (WS-*); Oracle Web Services Manager; Webcenter; SOA/OSB/BPM; ADF; JAX-WS Web Services; Oracle Weblogic Server]
