Wednesday Dec 18, 2013

Newbie to SOA/OWSM

Just came across this blog post that provides a one-minute overview in Q&A form, which I thought would be useful for those who are new to Oracle SOA Suite and OWSM.

You can find other posts on SOA, BPM, OSB, etc. on the blog as well: http://soawork.blogspot.com/

Tuesday Dec 17, 2013

How To - Videos!!

It has been quite some time since I have posted on the blog, but I thought I would share a How To video that we have created in Oracle to make it easier to use OWSM.

Here is a link to the YouTube video. The video demonstrates how to do global policy attachments for REST services (resources) using OWSM in Enterprise Manager Fusion Middleware Control!

This video supplements some of the blog entries here, here and here on the topic of Global Policy Attachments (GPA).

We hope to have more videos soon!

Happy viewing!!

Sunday Aug 11, 2013

How To - Identity Propagation for REST using OWSM - 12.1.2

This is a follow-up to my previous blog post. In that post I provided step-by-step instructions on how to secure a REST service and client built using the Jersey JAX-RS technology that ships with WebLogic.

In this post I am providing a pointer to detailed step-by-step instructions on how to do identity propagation for REST.

I strongly encourage people to read up on the previous How Tos covered in the following blog posts before attempting the How To provided in this post:

https://blogs.oracle.com/owsm/entry/how_to_owsm_12_1

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_services

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_clients

Sunday Aug 04, 2013

How To - Securing REST clients using OWSM - 12.1.2

This is a follow-up to my previous blog post. In that post I provided step-by-step instructions on how to secure a REST service built using the Jersey JAX-RS technology that ships with WebLogic.

In this post I am providing a pointer to detailed step-by-step instructions for securing both the REST service and the REST client.

In a future post I plan to cover the steps for doing identity propagation using SAML in the context of REST services & clients.

I strongly encourage people to read up on the previous How Tos covered in the following blog posts before attempting the How To provided in this post:

https://blogs.oracle.com/owsm/entry/how_to_owsm_12_1

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_services



Friday Jul 12, 2013

How To - Securing REST services using OWSM - 12.1.2

As I mentioned in my earlier blog post - one of the features in 12.1.2 is the support for securing and managing REST services/clients similar to SOAP web services/clients.

I have posted a How To describing the steps involved in securing REST services using OWSM 12.1.2.


Thursday Jul 11, 2013

How To - OWSM 12.1.2 Installation

As I mentioned in my previous blog post FMW 12.1.2 was released today. There are a few things that are different in terms of installation for OWSM in 12.1.2 compared to 11g. So I have created a fairly detailed Install How-To with screen shots. This complements the 12.1.2 Install guide.

Note: The How To does not describe all scenarios/topologies. It is mainly intended for demo installs and to give you a quick overview of key steps.

Tuesday Jun 18, 2013

REST security and Federation - 11g

In my previous blog post on REST security I talk about how one could do identity propagation. That post generated some comments around how one could do federation for REST services.

The short answer is it depends on the type of client:

a) For non-browser type of clients - you can leverage an STS for doing federation for REST similar to SOAP services.

b) For browser type of clients - you could leverage Web Federation models.

STS based REST federation:

REST security federation

In this model, however, you will need to create a SOAP RST/RSTR to talk to an STS. There are some recent standards where you can talk to security services that provide functionality equivalent to an STS via a REST binding instead of a SOAP binding (OpenID Connect, etc.). [Note: These are currently not supported by Oracle.]

Sunday Jun 09, 2013

Identity Propagation for REST APIs - 11g

In a previous blog post - I described the support we added in OWSM for securing REST APIs. There have been a few questions about OWSM support for REST security and also how we can do identity propagation and SSO for REST APIs.

Before I delve into how one can do Identity Propagation for REST APIs, it will help to identify the different types of clients that can invoke REST APIs. In my mind - the clients can be categorized into the following:

a) Server (JEE REST) Clients - these can be built using the standard REST stacks like Jersey JAX-RS/JBoss RESTEasy/etc.

b) Browser Clients

c) Thick Clients like Outlook

d) JSE Clients (or clients running in a non-server and non-browser environments)

e) Mobile Clients

The security requirements vary a bit based on the type of client.

JEE Clients - Server to Server communication

For Server to Server REST communication - if you want to do Identity Propagation - I recommend using SAML. OWSM supports SAML bearer tokens. OWSM currently doesn't support securing REST clients. However, you can build REST clients using programmatic models and use libraries like OPSS Trust APIs or OpenSAML, etc. to construct the necessary SAML tokens and inject them into the HTTP header. This is depicted in the picture below.


For those who have been following my blog - this picture is very analogous to how we handle things for SOAP as described in this blog post. The only difference is there is no OWSM Agent support for securing the REST Clients and so you need to use some other libraries/toolkit.
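To make the header-based flow above concrete, here is an added sketch (not from the original post, and not OWSM, OPSS or OpenSAML code) of the client encoding a SAML 2.0 bearer assertion into an HTTP header and the service checking its confirmation method, validity window and audience before accepting the propagated identity. The `SAML-Example` scheme name, the sample assertion and the example.test URLs are assumptions made for illustration; signature verification against the trusted issuer key is assumed to have been done by the SAML library and is not shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SCHEME = "SAML-Example"  # hypothetical scheme name, not OWSM's documented header format

# Constructed sample assertion (unsigned, illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="2013-06-09T10:00:00Z">
 <saml:Issuer>https://client.example.test</saml:Issuer>
 <saml:Subject><saml:NameID>weblogic-user</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
 <saml:Conditions NotBefore="2013-06-09T10:00:00Z" NotOnOrAfter="2013-06-09T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://orders.example.test/rest</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def _instant(value):
    # SAML instants are UTC xs:dateTime values; this example requires the attribute.
    if value is None:
        raise ValueError("missing validity attribute")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_header(assertion_xml):
    """Client side: Base64-encode the assertion into an Authorization header value."""
    return SCHEME + " " + base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")

def propagated_identity(header_value, audience, now):
    """Service side: return the NameID, or raise ValueError on a failed check.
    The XML signature must already have been verified against the trusted issuer key."""
    scheme, _, token = header_value.partition(" ")
    if scheme != SCHEME:
        raise ValueError("unexpected authorization scheme")
    root = ET.fromstring(base64.b64decode(token, validate=True))
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        raise ValueError("not a bearer assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not _instant(cond.get("NotBefore")) <= now < _instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    allowed = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in allowed:
        raise ValueError("assertion issued for a different audience")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Because a bearer token is accepted from whoever presents it, the short validity window and the audience check are what limit reuse of a captured header; the header should only travel over SSL.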

You actually have two variants for securing REST APIs invoked by Browser based Clients:

a) Use OAM only

b) Use OAM + OWSM

If the only client for your REST APIs is a browser based client, then OAM is sufficient to secure your REST APIs.

SSO for REST APIs

Identity Propagation vs. SSO

It is important to note that Identity Propagation and SSO are not equivalent - although many people use the terms interchangeably. Although the net effect of both is the same, i.e. the identity of the user is available to the application - there is one significant difference.

In the case of Identity Propagation - there is no concept of Login/Logout - which basically means there is no concept of Web SSO Sessions.

If you have different types of clients invoking your REST APIs and one of the types is a browser-based client, then OAM + OWSM is a better combination.


Thick Clients like Outlook, etc

For Microsoft technology based clients, you can use SPNEGO instead of SAML to perform Identity Propagation.

JSE Clients

Typically Identity Propagation is not a big use-case for JSE Clients - however you can follow a similar approach to JEE Clients.

Mobile Clients

I will address Mobile Clients in a future blog post.

Tuesday Apr 16, 2013

.NET interoperability, Kerberos, SPNEGO, Id Propagation - All things Microsoft! - OWSM 11g - Revisited

In a previous blog post - I briefly talked about interoperability with Microsoft and support for Kerberos, SPNEGO, NTLM, etc in OWSM. So I wanted to revisit that post and address a few aspects:

SPNEGO support

In that blog post - I mentioned that SPNEGO is something we don't support in OWSM.

In PS6 with the introduction of the support for REST security - we also added support for SPNEGO. While the key driver was REST services and securing REST services - we support SPNEGO policies for HTTP/SOAP services as well.

In fact, one of the things customers will notice is that many of the policies introduced for securing REST services are also supported for HTTP/SOAP web services.

SPNEGO support is documented here:

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/policies.htm#CHDEJIIF

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/assertions.htm#CHDBICJC

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/policies.htm#CJAIEDEG

Note: OWSM still doesn't support NTLM.

Interoperability with Microsoft environments.

One of the most common questions from customers is whether SAML can be used to do identity propagation between Microsoft and Oracle based environments, and whether ADFS can be used as the STS for enabling SAML based identity propagation.

In PS6 - we have certified with ADFS (in addition to the certification with Oracle STS and OpenSSO STS).

Client side Kerberos support

It appears that many people looked at the figures in the previous blog post and assumed we don't support Kerberos on the client side in OSB. I just wanted to clarify that we do in fact support Kerberos policies on the client side - so for - you can do the following:


The key limitation is that you cannot use Kerberos across multiple hops, as I mentioned in the previous blog post. However, you can definitely use Kerberos policies to secure your web services clients.

Wednesday Apr 03, 2013

OWSM Mobile Agent for ADF Mobile

Oracle released a mobile application development framework, called Oracle ADF Mobile, some time back. More details about the Oracle ADF Mobile framework can be found here.

In order to secure the REST/SOAP communication between the ADF Mobile App and the backend services, the OWSM team has developed an OWSM Mobile Agent.

The capabilities right now are fairly limited - especially when you consider what is supported in the Non-Mobile case! The OWSM Mobile Agent only supports Basic Auth and Basic Auth over SSL and WS-Security Username Token and WS-Security Username Token over SSL policies.

More details about the policies supported can be found here. The good news is that building a Mobile client for a backend REST/SOAP web service is very similar to how you do it in the "Big ADF" world, i.e. you use Web Service Data Controls!

Here is the revised layered Service security diagram that I discussed initially in this post:

layered service security

P.S.: I didn't see an example of how to build a Mobile App that can make Web Service calls on the Oracle ADF Mobile page; if time permits - I will post some How Tos on this front...

Update: Some folks pointed me to this blog post on ADF Mobile Introduction that actually covers how to build and secure web service clients. There is also an official ADF Mobile blog for more details...

Tuesday Apr 02, 2013

OSB and OWSM integration enhancements - 11g

In my previous post, I described how one of the key features that we added in OWSM for PS6 was support for securing REST services. I forgot to mention that another key addition in PS6 relates to the OSB/OWSM integration. The integration has been enhanced to address some of the more common issues that were raised by customers.

Two key enhancements in this area include:

a) Support for securing OSB REST services with OWSM Policies.

Note: OSB has not certified all the REST security policies OWSM supports in PS6.

b) Support for Attachments (MTOM, SwA) and OWSM security policies

More details on what is supported in OSB in PS6 can be found here.

FMW PS6 (11.1.1.7.0) released!

Just a quick note - FMW PS6 has been released. OWSM is part of the FMW release train. As was the case with the previous FMW Patchset release - this is a feature bearing release.

The OWSM PS6 documentation provides, as part of its What's New section, an exhaustive list of features:

The following new features and enhancements have been added to the current release of Oracle Web Services Manager:

In future blog posts I will post in more detail about some of the features - but in this blog post I wanted to highlight one particular feature that I think customers are going to find very useful:

Securing REST services (a.k.a Servlet Application Security)

Customers can build REST services in one of two ways:

  • As Servlet applications without using any REST technology stack
  • Using REST stacks like Jersey JAX-RS

In PS6 - OWSM supports securing REST services built using either methodology. So all the capabilities and power of OWSM to secure SOAP services can now be used for securing REST services.

Here are some quick doc pointers:

http://docs.oracle.com/cd/E28280_01/web.1111/e13734/rest.htm#BHABFDGJ

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/policies.htm#CHDEJIIF

Note: In this release OWSM does NOT SUPPORT securing REST clients - for example REST Clients built using the Jersey JAX-RS stack.

About

In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).
