
1 Securing Web Services in a SOA
Ganesh Kirti, Roger Sullivan, Oracle Corporation
“This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

2 Agenda for Today
- Introduction to a Service Oriented Architecture
- Security in Service Oriented Architectures (SOA)
- Q & A

3 Service Oriented Architectures

4 Customer Needs
- Optimize Processes & Applications to Change
- Share Information & Collaborate Productively
- Build Flexible, Adaptable Applications
- Take Decisions with Better Quality Information
- Lower Technology Costs
- Secure Access & Reduce Risks

5 Technology Needs
- Applications Meet Business Needs
  – Develop Modular, Configurable Business Applications
- Respond to Market Dynamics
  – Design, Monitor, Optimize Flexible Business Processes
- Take Better Business Decisions
  – Deliver Consolidated, Actionable Information in Real Time
- Share Information & Collaborate
  – Connect People, Processes, Systems in Collaborative Workplaces
- Secure Access & Reduce Risks
  – Secure access to all business applications, processes and data
- Lower Cost of Ownership
  – Deploy on Low Cost Hardware & Manage Across Lifecycle

6 Fusion Middleware
- Modular & Configurable Applications: SOA, Faces, EJB
- Flexible Business Processes: WSIF, ESB, BPEL
- Actionable Business Intelligence: Hubs, BI, BAM
- Enhanced Employee Productivity: Portals, Mobile, Collaboration
- Lowest TCO: Grid, Systems Mgmt
- Enhanced Security & Compliance: Identity Mgmt, Web Services Mgmt

8 Web Services and Service Oriented Architectures

9 Web Services Security and Management Concerns
- Security
  – “We have many web services exposed to the internet now”
  – “Only valid partners may access our web services”
- Exception Handling
  – “Notify operations if a transaction stalls”
  – “Send any incomplete orders to customer service for fixing”
- Compliance and Consistency
  – “All customer orders must be encrypted with 128 bit keys”
  – “All XML messages must follow this format”
- Service Level Monitoring
  – “The order system must process transactions in under 2 seconds”
  – “If uptime falls below 98% we owe contract penalties”

10 Security for an SOA?
(Diagram of the loan-processing BPEL flow: start → Credit Rating (Get Rating) → Send Loan Application / Receive Loan Offer to United Loan and to Star Loan → Select Lowest Offer → end, with a Handle Negative Credit Exception branch; the question mark asks where security fits in.)

11 What’s Missing?
(The same BPEL flow diagram as the previous slide, annotated with the problems below; the SSN 011-22-4488 is shown travelling in the clear.)
1. Anyone who can access the server can initiate loan applications
2. SSN sent in clear text
3. Callback has to go through firewall
4. How can I be sure no other sensitive data is unprotected?

12 Security for an SOA
1. Security: Role-based access control
2. Security: Auto-Encryption of SSN in XML message
3. Management: Service virtualization in DMZ
4. Management: System-wide service auditing

13 Security for an SOA: WS-Security
- Authentication
  – Security Tokens & References
  – OASIS Token Profiles: UsernameToken, BinarySecurityToken (X509, Kerberos)
- Integrity
  – W3C XML Signature Standard
  – Signing by Parts (Element level)
  – Canonicalization for signature verification
  – Non-repudiation

14 Security for an SOA: WS-Security
- Confidentiality
  – W3C XML Encryption Standard
  – Support for standard Key Exchange Mechanisms
  – Encryption by Parts (Element level)
- Threats
  – Replay Attacks (Timestamps)
  – Substitution Attacks (Signing References)
  – XML Injections (Validation)
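The UsernameToken digest scheme and the timestamp-plus-nonce replay check from the two WS-Security slides above, worked through in Python as an added example that is not part of the presentation or of any Oracle product. The namespace URIs and the digest formula are the OASIS UsernameToken Profile 1.0 ones; the credential store, user name, password and server clock are constructed for the example.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"  # real OASIS URIs
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
FRESHNESS = timedelta(minutes=5)        # accept wsu:Created only within +/- 5 minutes of server time
PASSWORDS = {"loanapp": "s3cret-demo"}  # constructed credential store (hypothetical user and secret)
SEEN_NONCES = set()                     # in-memory replay cache; a real service expires entries after FRESHNESS
def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the UsernameToken Profile 1.0 defines it."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()
def build_username_token(user: str, password: str, now: datetime) -> str:
    """Client side: a wsse:UsernameToken carrying nonce, timestamp and digest, never the clear-text password."""
    nonce, created = os.urandom(16), now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{escape(user)}</wsse:Username>'  # escape: untrusted text must not inject markup
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')
def verify_username_token(xml: str, now: datetime) -> str:
    """Server side: returns "ok" or the reason the token is rejected (shape, freshness, replay, credentials)."""
    tok = ET.fromstring(xml)
    user, pw = tok.findtext(f"{{{WSSE}}}Username"), tok.find(f"{{{WSSE}}}Password")
    nonce_b64, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
    if None in (user, pw, nonce_b64, created) or pw.get("Type") != DIGEST:
        return "malformed or non-digest token"
    try:
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return "malformed timestamp"
    if abs(now - created_dt) > FRESHNESS:
        return "stale timestamp"            # an old capture is rejected even if its nonce was never seen
    if nonce_b64 in SEEN_NONCES:
        return "replayed nonce"             # the same token presented again inside the window
    expected = password_digest(base64.b64decode(nonce_b64), created, PASSWORDS.get(user, ""))
    if user not in PASSWORDS or not hmac.compare_digest(pw.text or "", expected):
        return "bad credentials"
    SEEN_NONCES.add(nonce_b64)
    return "ok"
def demo() -> list:
    """Four cases: fresh token, replay of the same token, stale token with a new nonce, wrong password."""
    now = datetime(2006, 5, 1, 15, 0, tzinfo=timezone.utc)        # constructed server clock
    first = build_username_token("loanapp", "s3cret-demo", now)
    return [verify_username_token(first, now), verify_username_token(first, now),
            verify_username_token(build_username_token("loanapp", "s3cret-demo", now), now + timedelta(minutes=10)),
            verify_username_token(build_username_token("loanapp", "wrong", now), now)]
```

The timestamp window bounds how long a captured token stays usable, and the nonce cache closes the gap inside that window; either check alone leaves a replay path open.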

15 Security for an SOA: Transport Security
- Authentication
  – HTTP basic / digest authentication / digital certificate (https)
- Confidentiality, integrity
  – Secure Sockets Layer (SSL)
- Virtual Private Network (VPN)

16 Security for an SOA: Developer Toolkits
- JDeveloper and OC4J
  – Declarative Security
  – WS-Security 1.0
  – Identity Management Association
- Oracle Web Services Manager
  – Agents, Gateways, Management Console

17 Security for an SOA: Oracle Web Services Manager
- Intercept SOAP messages and apply policies to pre-request, request, response and post-response.
- Flexible enforcement point deployment architecture as proxy or for endpoint-level security.
- Pre-packaged security steps.
- Leverage existing IdM for authentication and authorization.

18 Security for an SOA: Oracle Web Services Manager (pre-packaged policy steps)
- Authentication: Active Directory Authenticate, File Authenticate, LDAP Authenticate, LDAP Certificate Authenticate, COREid Authenticate, SiteMinder Authenticate, Verify Certificate, Verify Signature
- Authorization: COREid Authorize, Active Directory Authorize, File Authorize, LDAP Authorize, SiteMinder Authorize
- Credential Management: Extract Credentials, Insert WSBASIC Credentials
- Transport-specific QoS: HTTP Messenger, MQ Messenger, JMS Messenger
- WS-Security: Decrypt and Verify Signature, Sign Message, Sign Message and Encrypt, XML Decrypt, XML Encrypt
- Others: Content-based routing, XML Transform, Logging, Data gathering (SLA, Metering)
- SAML 1.0 and 1.1: SAML Copy Token, SAML Insert Token, SAML Save Token, SAML Validate Token, SAML 1.1 Assertion

19 (Diagram: a SOAP Request from a Web Service Client passes through a Gateway enforcing its policy and then through Agents enforcing their policies at the endpoints.)

20 Security for an SOA: Oracle Web Services Manager
(Diagram of the loan flow: start → Credit Rating (Get Rating), with the Handle Negative Credit Exception branch, annotated with the enforcement points below.)
- OWSM Gateway: Require Authentication and Authorization
- OWSM Agent: Encrypt SSN, Add Username Token

21 Security for an SOA: Oracle Web Services Manager
Web-based tool for building policies and managing policy distribution to gateways and agents
1) Building Policies
  – Pick from a library of pre-built policy steps, e.g. LDAP authorization, LDAP authentication, encrypt, decrypt, verify certificate, verify signature, route message, transform, etc.
  – Visually string steps together into a policy pipeline; run the pipeline for all services, a specific service, or a subset
  – Pre-request, request, response, post-response pipelines
2) Distributing Policies
  – Gateway/Agent pull
  – Track and manage versions

22 Security for an SOA: Oracle Web Services Manager
Use Oracle WSM Policy Manager to configure the set of operational policies (pipeline) you want enforced for a given service
- Automatically upload the pipeline into the WSM Agent or Gateway responsible for controlling that service
- Custom policies can be added and made available to administrators through this same interface
- Enforces both enterprise-wide and local best practices

23 Security for an SOA: Oracle Web Services Manager
Real-time visibility into Web Service interactions
- Automate operational issue resolution by dynamically updating policies
- Proactively alert about anomalies
- Enforce policies based on real-time monitoring data
- Validate compliance with IT best practices

24 (Diagram: the loan-processing BPEL flow from slide 10, now surrounded by the OWSM Policy Manager and Monitor; Authenticate/Authorize is applied to the inbound request, the Loan Application sent to United Loan and Star Loan is encrypted and the Loan Offer decrypted, a 03:00pm timestamp appears on one of the exchanges, and a PeopleSoft Add Customer step is part of the flow.)

25 Q & A
