The Oracle E-Business Suite Integrated SOA Gateway service-enables Oracle E-Business Suite public APIs for Service Oriented Architecture. This feature was released in Oracle E-Business Suite Release 12.1.1. One of the most common questions that Oracle E-Business Suite developers have is, “How do you secure E-Business Suite web services?” Generally, web service security consists of authentication, message integrity and confidentiality. I’ll discuss the authentication aspect of web service security in this article.
The WS-Security specification describes enhancements to SOAP that increase the protection and confidentiality of messages. It provides this protection by defining mechanisms for associating tokens with Simple Object Access Protocol (SOAP) messages.
To secure and authenticate Oracle E-Business Suite web service operations, the E-Business Suite Integrated SOA Gateway supports Username Token-based WS-Security. In addition, it supports SAML Token (Sender Vouches) based security in Oracle E-Business Suite 12.1.3 and higher. An Oracle E-Business Suite Integration Repository administrator can select the appropriate authentication type for each Web service-enabled interface. The authentication type should be selected before deploying the API as a standard web service. Integration Repository administrators can grant user access to E-Business Suite web service operations.
Username Token-based security
The username token carries basic authentication information. The username-token element propagates user name and password information to authenticate the message. The information provided in the token and the trust relationship provide the basis for establishing the identity of the user.
A typical WS-Security header in a SOAP Request looks like this:
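As an added example (not the original article's listing and not Oracle's code), the Python below builds a SOAP 1.1 request carrying a WS-Security UsernameToken header and reads it back to check its structure. The PasswordText password type, the SOAP 1.1 envelope namespace and the sample credentials are assumptions.

```python
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"  # assumption: SOAP 1.1
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Assumption: the password is sent with the PasswordText type.
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("wsse", WSSE)


def build_request(username, password):
    """Return a SOAP envelope (bytes) with a wsse:UsernameToken header."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAPENV}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password",
                  {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(env, f"{{{SOAPENV}}}Body")  # operation payload goes here
    return ET.tostring(env, encoding="utf-8")


def username_token(request_bytes):
    """Return (username, password type) from a request, or raise ValueError."""
    ns = {"soapenv": SOAPENV, "wsse": WSSE}
    root = ET.fromstring(request_bytes)
    tokens = root.findall("soapenv:Header/wsse:Security/wsse:UsernameToken", ns)
    if len(tokens) != 1:
        raise ValueError("expected exactly one wsse:UsernameToken in the header")
    user = tokens[0].findtext("wsse:Username", namespaces=ns)
    pwd = tokens[0].find("wsse:Password", ns)
    if not user or pwd is None or not pwd.text:
        raise ValueError("UsernameToken must carry Username and Password")
    return user, pwd.get("Type")


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    req = build_request("SAMPLE_EBS_USER", "sample-password")
    print(req.decode())
    print(username_token(req))
```

With the PasswordText type the password is readable in the header, so requests like this belong on a TLS-protected endpoint.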
When invoking Oracle E-Business Suite Web services through SOA Provider using username token-based security, these security headers should be passed along with the SOAP request. The username/password discussed here in wsse:Security is the Oracle E-Business Suite username/password (or the username/password created through the Users window in defining an application user).
SAML Token-based security
SAML security tokens (Sender Vouches) are composed of assertions: one or more statements about a user, such as an authentication or attribute statement. SAML tokens are attached to SOAP messages by placing assertion elements inside the header. SAML security tokens enable interoperable single-sign-on and federated identity for E-Business Suite Web services.
When invoking Oracle E-Business Suite Web services through SOA Provider using SAML Tokens, the SOAP request should contain a sender-vouches SAML assertion. The Assertion and the Body elements should be digitally signed. A reference to the certificate used to verify the signature should be provided in the header. The basis of trust is the Web service Requester’s certificate. The Requester’s private key is used to sign both the SAML Assertion and the message Body. The SOA Provider relies on the Web service Requester, who vouches for the contents of the User message and the SAML Assertion.
Your Feedback is Welcome
We’re extremely interested in hearing about your use cases and your experiences with our Integrated SOA Gateway. If you’ve used this product, or are evaluating it, please post a comment here or drop us a line with your thoughts.