The Oracle E-Business Suite Integrated SOA Gateway service-enables
Oracle E-Business Suite public APIs for Service Oriented Architecture.
This feature was released in Oracle E-Business Suite Release 12.1.1.

One of the most common questions that Oracle E-Business Suite developers
have is, "How do you secure E-Business Suite web services?" Generally,
web service security consists of authentication, message integrity and
confidentiality. I'll discuss the authentication aspect of web service
security in this article.

The WS-Security specification
describes enhancements to SOAP that increase the protection and
confidentiality of messages. It provides this protection by defining
mechanisms for associating tokens with Simple Object Access Protocol
(SOAP) messages.

To secure and authenticate Oracle E-Business Suite web
service operations, the E-Business Suite Integrated SOA Gateway
supports Username Token-based WS-Security. In addition, it supports
SAML Token (Sender Vouches) based security in Oracle E-Business Suite
12.1.3 and higher.

An Oracle E-Business Suite Integration
Repository administrator can select the appropriate authentication type
for each Web service-enabled interface. The authentication type should
be selected before deploying the API as a standard web service.
Integration Repository administrators can grant user access to
E-Business Suite web service operations.

Username Token-based security

A username token carries basic authentication information. The
username-token element propagates user name and password information to
authenticate the message. The information provided in the token and
the trust relationship provides the basis for establishing the identity
of the user.

A typical WS-Security header in a SOAP Request looks like this:
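
An added example, not taken from the original article or from Oracle's documentation: Python code that builds a SOAP 1.1 envelope carrying a username token header and reads the token back out. It assumes the PasswordText password type from the OASIS UsernameToken Profile 1.0; the function names, user name, password and endpoint URL are constructed placeholders, and the HTTPS check is an added precaution rather than something the article states.

```python
import xml.etree.ElementTree as ET

# Namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 specifications.
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Password type URI from the OASIS UsernameToken Profile 1.0 (assumed here).
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("wsse", WSSE)


def build_envelope(username, password, endpoint_url):
    """Return a SOAP 1.1 envelope (str) carrying a wsse:UsernameToken header."""
    # PasswordText places the password in the message unchanged, so refuse
    # any endpoint that is not protected by TLS (added precaution).
    if not endpoint_url.lower().startswith("https://"):
        raise ValueError("UsernameToken with PasswordText requires HTTPS")
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    security.set(f"{{{SOAPENV}}}mustUnderstand", "1")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT)
    pw.text = password
    ET.SubElement(env, f"{{{SOAPENV}}}Body")  # operation payload goes here
    return ET.tostring(env, encoding="unicode")


def read_username_token(envelope_xml):
    """Re-parse an envelope built above; return (username, password_type)."""
    ns = {"soapenv": SOAPENV, "wsse": WSSE}
    root = ET.fromstring(envelope_xml)
    token = root.find("soapenv:Header/wsse:Security/wsse:UsernameToken", ns)
    if token is None:
        raise ValueError("no wsse:UsernameToken in SOAP header")
    user = token.findtext("wsse:Username", namespaces=ns)
    pw_type = token.find("wsse:Password", ns).get("Type")
    return user, pw_type


if __name__ == "__main__":
    # Constructed sample values; the host name is a placeholder.
    print(build_envelope("EXAMPLE_USER", "example-password",
                         "https://ebs.example.invalid/service"))
```
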

When invoking Oracle E-Business Suite Web services through SOA Provider
using username token-based security, these security headers should be
passed along with the SOAP request. The username/password discussed
here in wsse:Security is the Oracle E-Business Suite username/password
(or the username/password created through the Users window in defining
an application user).

SAML Token-based security

SAML security tokens (Sender Vouches) are composed of assertions: one or
more statements about a user, such as an authentication or attribute
statement. SAML tokens are attached to SOAP messages by placing
assertion elements inside the header. SAML security tokens enable
interoperable single-sign-on and federated identity for E-Business
Suite Web services.

When invoking Oracle E-Business
Suite Web services through SOA Provider using SAML Tokens, the SOAP
request should contain a sender-vouches SAML assertion. The Assertion
and the Body elements should be digitally signed. A reference to the
certificate used to verify the signature should be provided in the
header. The basis of trust is the Web service Requester's
certificate. The Requester's private key is used to sign both the SAML
Assertion and the message Body. The SOA Provider relies on the Web
service Requester, who vouches for the contents of the User message and
the SAML Assertion.

Your Feedback is Welcome

We're extremely interested in hearing about your use cases and your
experiences with our Integrated SOA Gateway. If you've used this
product -- or are evaluating it -- please post a comment here or drop
us a line with your thoughts.