Wednesday Aug 15, 2012

OWSM Gateway vs. OEG - OWSM 11g

I came across this blog post about confusion b/w OWSM Gateway and OEG and I thought I would post a quick clarification.

I have already described earlier about OWSM vs. OEG here and Oracle's vision for layered security here. However I didn't address OWSM Gateway vs. OEG!

As many of you know in OWSM 11g - there is no OWSM Gateway - we have only OWSM Agents. The OWSM Gateway Narendra is talking about is referring to the OWSM 10g Gateway. OEG is the 11g successor to the OWSM 10g Gateway.

Hope that clarifies any confusion!

Update#1: Here is a document that describes how to migrate from OWSM 10g Gateway to OES OEG 11g.

Thursday Apr 12, 2012

OEG integration with OSB/OWSM - 11g

This is a follow up to my post on Oracle's layered SOA Security vision. There is a very nice article from Fabio Mazanatti & co describing How to integrate OEG with OSB/OWSM

Check it out!

Wednesday Mar 21, 2012

OWSM vs. OEG - When to use which component - 11g

A lot of people both internal to Oracle and customers keep asking about when should OWSM be used vs. OEG. Sometime back I posted Oracle's vision for layered SOA security

Here is a quick summary:

Use OWSM in Green Zone

Use OEG in Red Zone (DMZ)

If you need end-to-end security in which case they will want both OWSM and OEG. This is the topology I would recommend for most customers.

If you need only Green Zone security - then use OWSM in conjunction with Oracle FMW products like SOA Suite, OSB, ADF, WLS, BI, etc both on the Client Side and Service Side (assuming you are using FMW technologies for both Clients and Services).

If you need only Red Zone security - then use OEG on the Service Side. You can use OWSM for the Client Side if you are using FMW to build your clients.

Saturday Mar 17, 2012

Podcast on SOA Governance and OWSM - 11g

Anand Kothari the Product Manager for OWSM has a great podcast on SOA Governance and how OWSM, OEG help the SOA Governance story.

Tuesday Oct 11, 2011

When to use OWSM? - 11g

I came across this interesting blog post from Gaurav Sharma that describes why he was initially skeptical of using OWSM to secure web services that are hosted in the intranet and what changed his mind.

What were the things that I found interesting?

  1. Gaurav focuses mainly on securing the message in transit
  2. His main concern even when discussing about securing messages when they are in transit is focused on apps handling sensitive information like financial information.
  3. If you are really a security fanatic - you will pick up on a third interesting tidbit - related to #2 - is that his main concern is around ensuring components outside the intranet are not in a position to access the sensitive information.
  4. Discussion about the performance implications

I think there is a broader list of security aspects that you need to consider - many of these were discussed a long time back in an article I co-authored and is available here. I have re-enumerted them here for convenience.

  • Authentication  (AuthN for short)
  • Authorization (AuthZ for short)
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Replay attacks
  • Virus attacks and Intrusion Detection

The list of security issues is pretty comprehensive for the most part - but I will elaborate on two - Authentication, Authorization here:

If you need AuthN - there are some additional considerations that need to be considered in this space:

  • Does your Web Service need to support Identity propagation?.
  • Does your  Web Service need to support Brokered AuthN?
  • Does your Web Service need to support Federated Identity scenarios?

If you need AuthZ - there are few additional considerations as it relates to AuthZ:

  • Does your Web Service need to support Role based AuthZ?
  • Does your Web Service need to support Permission based AuthZ?
  • Does your Web Service need to support Fine grained AuthZ?
  • Does your Web Service need to support Context aware AuthZ and in general Context-aware Security? (Here is an article on the need for Context aware security)

Now not all of these security aspects are not necessarily relevant; if you have web services that are exposed in the intranet or these are departmental web services.

However you do need to consider the surface area of exposure for your web services - especially with what is being termed as the "Consumerization of IT" and the security challenges this presents.

Even assuming your departmental web services are do no have a large exposure and are accessible only via the corporate intranet - they typically require authentication and authorization. In addition auditing is also typically required to address compliance needs mandated by various regulatory requirements.

It is worth noting that OWSM does not necessarily address all the security issues - especially relating to Virus attacks, Throttling of requests, Intrusion Detection, etc.

Oracle's SOA Security Strategy is shown in the below embedded picture.

SOA Security Strategy

Here is a link to this image.  Hopefully this post helps people in considering the various security challenges and how the different Oracle products address these security challenges.

Updated: Corrected typos.


In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).


« April 2014