Thursday Aug 16, 2012
By Prakash Yamuna on Aug 16, 2012
Since recently I have been talking about custom assertions and policies quite a bit (here, here and here), I thought I would share some more concrete samples (and it looks like, rather than having to build them on my own, I can just point to others who have done this already!)
So here is a quick pointer:
Wednesday Aug 15, 2012
By Prakash Yamuna on Aug 15, 2012
I came across this blog post http://www.narendranaidu.com/2011/11/oracle-web-service-manager-vs-oracle.html about confusion between OWSM Gateway and OEG, and I thought I would post a quick clarification.
As many of you know, in OWSM 11g there is no OWSM Gateway; we have only OWSM Agents. The OWSM Gateway Narendra is talking about is the OWSM 10g Gateway. OEG is the 11g successor to the OWSM 10g Gateway.
Hope that clarifies any confusion!
Update#1: Here is a document that describes how to migrate from OWSM 10g Gateway to OES OEG 11g.
By Prakash Yamuna on Aug 15, 2012
One of the most common questions I run into relates to .NET/WCF interoperability with OWSM.
First, officially OWSM certifies a few interop scenarios with .NET. These are covered in the OWSM Interop guide.
The key scenarios certified for interop involve Username Token, X509 Token and Kerberos Token via the WS-Security Kerberos Token Profile.
The next question I hear is how to do Identity Propagation when .NET is involved.
Scenario#1: Identity Propagation between WCF Client and OWSM/Fusion Middleware using Kerberos and SAML with OSB as active intermediary
Note: Instead of OSB you can use SOA Suite as well, and that would work too.
Scenario#2: Identity Propagation between WCF Client and OWSM/Fusion Middleware using Kerberos with OSB as passive intermediary
Note: The passive intermediary model applies to OSB (or OEG) but not to SOA, since SOA does not support the passive intermediary model.
Scenario#3: Kerberos based Multi-hop Identity Propagation between WCF Client & OWSM/Fusion Middleware with OSB as active intermediary
In this scenario, customers want to use Kerberos for identity propagation across multiple hops. This is currently not supported.
Scenario#4: Kerberos based Multi-hop Identity Propagation between WCF Client & WCF Service with OSB as active intermediary
In both scenario#3 and scenario#4, in order to use Kerberos for multi-hop end-user identity propagation, you need to support either the end-user TGT or the S4U extension. Neither of these is currently supported in OWSM.
Scenario#5: Using SAML for end-to-end identity propagation.
So another way to do end-to-end identity propagation that will work with OSB or SOA Suite is to use SAML. WCF/.NET supports talking to an STS to exchange a Kerberos token for a SAML token, and the SAML token can then be used across multiple hops.
1) While this scenario has not been certified explicitly by OWSM, it should work since OWSM supports WS-Trust.
2) In the diagram I use Oracle STS but any STS can be used as long as that STS supports exchanging a Kerberos token for SAML token.
I also see a lot of questions around SPNEGO support. OWSM currently does not support SPNEGO. You can read all about SPNEGO here.
One could build a custom assertion to add SPNEGO support in OWSM. However, you need to keep in mind that with SPNEGO, unlike the WS-Security Kerberos Token Profile, the Kerberos token is actually carried in the HTTP header rather than in the SOAP WS-Security header.
So the Kerberos token is wrapped in the HTTP header under the auth-scheme called "Negotiate". The WWW-Authenticate and Authorization headers are used to communicate the SPNEGO token between client and service, as explained in the steps below:
- The client requests access to a protected document on the server without any Authorization Header.
- Since there is no Authorization Header in the request, server responds with 401 Unauthorized and WWW-Authenticate: Negotiate.
- The client will use the user credentials to obtain the token and then send it to the server in the Authorization header of the new request, for example: Authorization: Negotiate a87421000000492aa874209
- The server will decode this token by passing it to the acceptSecContext() GSS-API call. If the context is not complete (in the case of mutual authentication) the server will respond with a 401 status code and a WWW-Authenticate header containing the GSS-API data, for example: WWW-Authenticate: Negotiate 74900a2a...
- The client will decode this data and send new data back to the server. This cycle will continue until the security context is established.
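The request/challenge cycle above, modelled end to end as an added example (this is not code from the original post or from OWSM): the GSS-API acceptor is a constructed stand-in that needs one extra round for mutual authentication, the tokens are constructed placeholders rather than real Kerberos data, and parse_negotiate rejects headers that use another scheme or carry malformed base64.

```python
import base64
# Constructed stand-ins for the GSS-API context tokens (not real Kerberos data).
CLIENT_INIT_TOKEN = b"constructed-initial-token"
SERVER_CONTINUE_TOKEN = b"constructed-mutual-auth-token"
CLIENT_FINAL_TOKEN = b"constructed-final-token"

def parse_negotiate(value):
    """Decode 'Negotiate <base64>': token bytes, b'' for a bare challenge,
    None if the header is absent, uses another scheme or is not valid base64."""
    parts = value.split(None, 1) if value else []
    if not parts or parts[0].lower() != "negotiate":
        return None
    try:
        return base64.b64decode(parts[1], validate=True) if len(parts) == 2 else b""
    except ValueError:
        return None

class MockAcceptor:
    """Stand-in for the server's acceptSecContext(); mutual auth needs two legs."""
    established = False
    def accept_sec_context(self, token):
        if token == CLIENT_INIT_TOKEN:      # first leg: reply with continuation data
            return SERVER_CONTINUE_TOKEN
        if token == CLIENT_FINAL_TOKEN:     # second leg: context established
            self.established = True
            return b""
        return None                         # anything else is rejected

def server_handle(acceptor, authorization):
    """Server side of one request: returns (status, WWW-Authenticate value, body)."""
    token = parse_negotiate(authorization)
    out = acceptor.accept_sec_context(token) if token else None
    if out is None:                         # missing/bad header or rejected token
        return 401, "Negotiate", ""
    if not acceptor.established:            # keep challenging, carrying the GSS data
        return 401, "Negotiate " + base64.b64encode(out).decode(), ""
    return 200, None, "protected document"

def run_exchange():
    """Client side: answer challenges until the server returns 200."""
    acceptor, trace, auth = MockAcceptor(), [], None       # first request: no header
    client_tokens = iter([CLIENT_INIT_TOKEN, CLIENT_FINAL_TOKEN])
    while True:
        status, challenge, body = server_handle(acceptor, auth)
        trace.append(status)
        if status != 401:
            return trace, body
        data = parse_negotiate(challenge)   # b'' first time, server GSS data afterwards
        if data and data != SERVER_CONTINUE_TOKEN:
            raise RuntimeError("unexpected continuation token")
        auth = "Negotiate " + base64.b64encode(next(client_tokens)).decode()
```

run_exchange() returns the status sequence [401, 401, 200], which is the extra round trip a passive intermediary would have to relay in full.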
Since this is a request/challenge model, the SPNEGO security model is typically harder to accomplish in intermediaries like OSB/OEG if they are acting as "passive intermediaries". An active intermediary model may be more appropriate.
For OSB itself there may be an alternate model for supporting SPNEGO. There is an excellent post from the A-Team on OSB & SPNEGO (Note: it deals with OSB 10gR3). Here is another post that covers SPNEGO.
The next question that often comes up is around NTLM support. OWSM currently does not support NTLM. As this Wikipedia entry on SPNEGO describes, NTLM is a variant. As you can see, Microsoft no longer recommends NTLM. However, if customers really want to support NTLM, they can build a custom policy.
Tuesday Aug 14, 2012
By Prakash Yamuna on Aug 14, 2012
Another quick note on OES, OSDT and OWSM. As I have mentioned in a previous post here, OWSM provides an Extensibility Guide that allows customers to build custom policies and custom assertions.
So the question is: when does one have to build a custom assertion in OWSM 11g?
The short answer is when something is not supported in OWSM directly.
Here are a few scenarios:
a) If you want to build, say, OES integration for fine-grained authorization based on content. OWSM 11gR1, as of the writing of this post, does not provide OES integration, but you can build one using the custom assertion support in OWSM 11g.
b) Another example would be OAuth support to secure your services. OWSM 11g currently does not have OAuth support, but if you wanted to secure your services with OAuth, you could build a custom assertion to do so.
c) Or you want to use a particular canonicalization method (for example, the OOTB policies and assertion templates do not provide the flexibility of implementing your own canonicalization method) or want to use particular security transformations.
d) You want Liberty support in OWSM, etc.
In the rest of the post I will focus on building custom assertions that require a particular type of signing or encryption.
Custom Assertion, Signing, Encryption
Now, one of the things one has to worry about when building a custom assertion that deals with signing, encryption, etc. is which XML security toolkit to use.
As you will notice, the OWSM Extensibility Guide does NOT provide any APIs that you can use for signing, encryption, etc.
The good news is that you can use OSDT (Oracle Security Developer Toolkit), which actually exposes a lot of APIs to perform various XML security operations including signing, encryption, decryption, signature validation, etc.
Here are some doc pointers to OSDT:
Here are some OSDT javadocs:
Web Services Security: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10678/toc.htm
XML Security: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10680/toc.htm
JCE Crypto APIs: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10697/toc.htm
SAML related APIs: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10675/toc.htm
Liberty APIs: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10670/toc.htm
Note: The combination of OSDT and the OWSM Extensibility Guide provides you with a really powerful set of APIs and toolkits to build various types of security policies that deal with either XML security or Web Services (SOAP) security.
WARNING: You really need to know what you are doing when using these APIs. These are fairly low level APIs and the docs expect the developer using these APIs to be extremely knowledgeable about security technologies and concepts and how to use the various low level building blocks.
Hopefully this provides some guidance on how one can use OWSM custom assertions and OSDT to build various types of policies in OWSM.