Sunday Aug 11, 2013

How To - Identity Propagation for REST using OWSM - 12.1.2

This is a follow up to my previous blog post, in that post I provided step by step instructions on how to secure a REST service and client built using Jersey JAX-RS technology that ships with Weblogic.

In this post I am providing a pointer to a detailed step-by-step instructions on how to do identity propagation for REST.

I strong encourage people read up on the previous How Tos covered in the following blog posts before attempting the How to provided in this post:

https://blogs.oracle.com/owsm/entry/how_to_owsm_12_1

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_services

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_clients

Sunday Aug 04, 2013

How To - Securing REST clients using OWSM - 12.1.2

This is a follow up to my previous blog post, in that post I provided step by step instructions on how to secure a REST service built using Jersey JAX-RS technology that ships with Weblogic.

In this post I am providing a pointer to a detailed  step-by-step instructions for securing both REST service and REST client.

In a future post I plan to cover the steps for doing identity propagation using SAML in the context of REST services & clients.

I strong encourage people read up on the previous How Tos covered in the following blog posts before attempting the How to provided in this post:

https://blogs.oracle.com/owsm/entry/how_to_owsm_12_1

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_services



Thursday Feb 07, 2013

When to use Oracle STS (OSTS)?

I have been meaning to do a blog post on this front for quite sometime but just haven't had the cycles. So this a very rushed blog post - please excuse typos!!

The basic question that seems to come up is when to use an STS in general and OSTS in particular. So here are my thoughts on the matter.

To me there are - three main scenarios for using a STS:

  • Token Exchange/Conversion
  • Federation
  • Centralized Trust

In this post I will cover Token Exchange and Federation very briefly.

Token exchange/conversion

So the first set of scenarios is around the need to be able to exchange one kind of token with another type of token. Ex: You want to exchange a Kerberos Token with a SAML token. Here is a picture that demonstrates this scenario (click on the image for a large image):


STS Token Exchange Use-case

In the  above scenario a customer has a Desktop Application (ex: Say Outlook or some other .NET Web Service) that is talking to a backend Web Service let's say hosted on Oracle Fusion Middleware that can accept SAML Token.

User "joe" logs into his Desktop and a Kerberos Ticket is created. When user opens the Desktop application and performs an operation this results in a backend web service call and we want to propagate the identity of "joe" to the backend application. However the token we have is a Kerberos Token on the client side and the backend Web Service only accepts a SAML token. One can use an STS to do a token conversion or token exchange (assuming the STS is capable of such a conversion).

Web Service Federation

The second scenario where a STS is very useful and probably the most important scenario in my mind is when you need to do Federation. For those of you who are not familiar with Federation - I suggest reading up on Federation in general and Web Service Federation in particular. The picture below depicts this use-case.

STS - Federation Use-case

The use-case is similar to a Token Exchange use-case. We have a Desktop Application (say Outlook) that needs to invoke a backend Web Service. However the backend Web Service is running in the Cloud (Public or Private Cloud).

The key issue here is that the user "joe" is unknown in the Cloud.

There is a good reason why the user "joe" is unknown in the Cloud. Since an application running in the cloud may be used by multiple customers say "Acme Inc" or "Foobar Inc" both of which may user called "joe" the Cloud cannot have a single user named "joe" in it's Directory instead it would need to distinguish "Acme Inc" user "joe" (let's call him "acme.joe" ) from "Foobar Inc" user "joe" (let's call him "foobar.joe" ).

So now in the Cloud we actually have two users "acme.joe" and "foobar.joe" - so the Desktop Application (running within Acme Inc) needs to map "joe" to "acme.joe" - before it talks to the Cloud. This mapping is where an STS comes in handy! as shown in the picture.

So not only are we converting the token from Kerberos to SAML we are also now mapping "joe" to "acme.joe" in the STS.

Notes:
  1. The picture depicts Oracle Public Cloud - but the concept applies to any Cloud (Public/Private) or in fact across Partner systems.
  2. The picture depicts Fusion CRM - but the concept applies to any Web Service
  3. I make no guarantees that what is shown in the picture above is necessarily what is implemented in the Oracle Public Cloud and I have used the example for purely illustrative purposes!

In a future blog post I will elaborate further on some of the scenarios and also the Centralized Trust scenario.

Finally - one last parting shot - the scenarios and use-cases for an STS and OSTS are fairly extensive and in this blog post - I am trying to illustrate some very simple scenarios. Please consult the Oracle STS documentation for all the features.

Tuesday Aug 14, 2012

Custom Assertion in OWSM - OES, OSDT (Oracle Security Developer Toolkit) & OWSM - 11g

Another quick note on OES, OSDT and OWSM. As I have mentioned in a previous post here, OWSM provides an Extensibility Guide that allows customers to build custom policies and custom assertions. 

So the question is: When should one have to build a custom assertion in OWSM 11g?

The short answer is when something is not supported in OWSM directly.

Here are a few scenarios:

a) If you want to build say OES integration for fine grained authorization based on content. OWSM in 11gR1 as of the writing of this post does not provide OES integration, but you can build an OES integration using the custom assertion support in OWSM 11g.

Here is an example that illustrates OWSM-OES integration using the custom assertion support in OWSM 11g. There is another example in the OWSM Extensibility Guide.

b) Another example would be - if you want to build OAuth support to secure your services with OAuth. OWSM 11g currently does not have OAuth support - but if you wanted to secure your services with OAuth - you could build a custom assertion to do the same.

c) Or you want to use a particular canoncalization method (ex:. The OOTB policies, assertion templates do not provide the flexibility of implementing your own canoncalization method) or want to use particular security transformations.

d) You wanted Liberty support in OWSM, etc.

In the rest of the post I will focus on building custom assertions that require a particular type of signing or encryption.

Custom Assertion, Signing, Encryption

Now one of things one has to worry about when building a custom assertion that deals with signing, encryption, etc is what XML security toolkit to use.

As you will notice - the OWSM Extensibility Guide does NOT provide any APIs that you can use for signing, encryption, etc.

The good news is you can use OSDT (Oracle Security Developer Toolkit) that actually exposes a lot of APIs to perform various XML security operations including signing, encryption, decryption, signature validation, etc.

Here are some doc pointers to OSDT:

http://docs.oracle.com/cd/E23943_01/security.1111/e10037/toc.htm

Here are some OSDT javadocs:

Web Services Security: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10678/toc.htm

XML Security: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10680/toc.htm

JCE Crypto APIs: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10697/toc.htm

SAML related APIs: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10675/toc.htm

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10676/toc.htm

Liberty APIs :http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10670/toc.htm

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e10671/toc.htm

Note: The combination of OSDT and OWSM Extensibility Guide provides you a really powerful APIs and toolkits to build various types of security policies that deal with either XML security or Web Services (SOAP) security.

WARNING: You really need to know what you are doing when using these APIs. These are fairly low level APIs and the docs expect the developer using these APIs to be extremely knowledgeable about security technologies and concepts and how to use the various low level building blocks.

Hopefully this provides some guidance on how one can use OWSM custom assertion and OSDT to build various types of policies in OWSM.

Tuesday Oct 11, 2011

When to use OWSM? - 11g

I came across this interesting blog post from Gaurav Sharma that describes why he was initially skeptical of using OWSM to secure web services that are hosted in the intranet and what changed his mind.

What were the things that I found interesting?

  1. Gaurav focuses mainly on securing the message in transit
  2. His main concern even when discussing about securing messages when they are in transit is focused on apps handling sensitive information like financial information.
  3. If you are really a security fanatic - you will pick up on a third interesting tidbit - related to #2 - is that his main concern is around ensuring components outside the intranet are not in a position to access the sensitive information.
  4. Discussion about the performance implications

I think there is a broader list of security aspects that you need to consider - many of these were discussed a long time back in an article I co-authored and is available here. I have re-enumerted them here for convenience.

  • Authentication  (AuthN for short)
  • Authorization (AuthZ for short)
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Replay attacks
  • Virus attacks and Intrusion Detection

The list of security issues is pretty comprehensive for the most part - but I will elaborate on two - Authentication, Authorization here:

If you need AuthN - there are some additional considerations that need to be considered in this space:

  • Does your Web Service need to support Identity propagation?.
  • Does your  Web Service need to support Brokered AuthN?
  • Does your Web Service need to support Federated Identity scenarios?

If you need AuthZ - there are few additional considerations as it relates to AuthZ:

  • Does your Web Service need to support Role based AuthZ?
  • Does your Web Service need to support Permission based AuthZ?
  • Does your Web Service need to support Fine grained AuthZ?
  • Does your Web Service need to support Context aware AuthZ and in general Context-aware Security? (Here is an article on the need for Context aware security)

Now not all of these security aspects are not necessarily relevant; if you have web services that are exposed in the intranet or these are departmental web services.

However you do need to consider the surface area of exposure for your web services - especially with what is being termed as the "Consumerization of IT" and the security challenges this presents.

Even assuming your departmental web services are do no have a large exposure and are accessible only via the corporate intranet - they typically require authentication and authorization. In addition auditing is also typically required to address compliance needs mandated by various regulatory requirements.

It is worth noting that OWSM does not necessarily address all the security issues - especially relating to Virus attacks, Throttling of requests, Intrusion Detection, etc.

Oracle's SOA Security Strategy is shown in the below embedded picture.

SOA Security Strategy

Here is a link to this image.  Hopefully this post helps people in considering the various security challenges and how the different Oracle products address these security challenges.

Updated: Corrected typos.

Wednesday Sep 07, 2011

OWSM Licensing - 11g

A quick note on OWSM Licensing - there are two options to license OWSM:

(1)    Get OWSM via SOA Suite, which includes full use license;

OR

(2) Get OWSM via AM Suite Plus, which includes a restricted use license. OWSM should be used in conjunction with another AM suite component.

Custom Policies & Custom Assertions - 11g

I came across this blog entry by Izzak de Hullu on OWSM Custom Policies; while I really appreciate Izzak's inventiveness and feedback and we are working on improving things here - I thought I should comment on a few things.

The first thing to note about the blog entry is you can actually sign only particular elements in the SOAP message rather than the entire body. While it is true that the out of the box policies only support signing/encrypting the body of the message, like I mentioned in the OWSM Concepts - 11g post - you can define new OWSM policies using FMWCTL.

So to achieve the use-case Izzak was attempting - To sign/encrypt particular elements - you can do the following:

  1. make a copy of "oracle/wss11_message_protection_service_policy" - let's call it "acme/wss11_message_protection_elements_service_policy". (See section "Creating a Web Service Policy from an Existing Policy"
  2. edit the policy to remove signing/encryption of the body and add elements to be signed and encrypted. This is described in the Security and Administrator's Guide unfortunately - it is in the appendix under the section "Predefined Assertion Templates". See Table titled "Request, Response, and Fault Message Signing and Encryption Settings"

The second and probably the more important thing to note is that Izzak is using some methods that are not exposed by the OWSM Extensibility Guide. This is not something I would recommend - as these methods are subject to change.

In a future post I hope to have a sample how to that describes this in detail.

Tuesday Sep 06, 2011

Handling Passwords in OWSM - Best Practices - 11g

I came across some excellent blogs on the net that talk about OWSM and how to use OWSM to secure your web services/web service clients.

Here are some examples that I see on the net:

http://biemond.blogspot.com/2010/08/things-you-need-to-do-for-owsm-11g.html by Ediwin Beimond.

http://blogs.oracle.com/wssi/entry/securing_weblogic_web_servcies_with  by Jiandong Guo

Edwin Beimond has some excellent posts in terms of providing a detailed step-by-step How To describing how to use various OWSM policies. However one of things I have noticed is that people end up specifying passwords in the clear as part of their code snippets.

This is something I would strongly discourage customer's from adopting. Passwords in the clear in code is a recipe for security vulnerabilities. It also results in brittle code - if the passwords change - you need to change code.

Oracle FMW provides a credential store framework (CSF) to enable storing passwords in a secure fashion and I encourage people to use CSF rather than specifying passwords in the clear.

In future blog posts I will discuss how to use CSF instead of clear text passwords.

OWSM Concepts - 11g

Jiandong has posted a number of articles introducing OWSM 11g at http://blogs.oracle.com/wssi/.

This post elaborates on some of the aspects discussed in those posts. There are three aspects to securing a web service using OWSM

  1. Defining Policies
  2. Attaching Policies
  3. Setup Configuration required for Policies
(Note: While this post focuses on security, this is true for other policies like WS-RM, etc as well)

Defining Policies

Policies in OWSM are defined generically without context i.e. in general they are not App specific. There are some types of security policies that tend to be App specific - we will blog about this in a future post.

How to define policies?

You typically define policies using FMWCTL (Fusion Middleware CTL). The Security And Administrators Guide provides detailed documentation on how to define policies. (See Section Managing Web Service Policies ).

A Policy can be composed of a number of "Assertions". Typically you will have atleast one Assertion in a Policy.

Attaching Policies to Policy Subjects

Once a Policy is defined - you can "attach" the Policy to a Policy Subject. A Policy Subject is either a Web Service or a Web Service Client. OWSM supports a variety of Web Services [ex: Oracle Infrastructure Web Services, SOA Web Services, ADF BC Web Services, OSB Proxy Service, WLS JEE JAX-WS, Oracle WebCenter WSRP, etc] and Web Service Clients [ex: SOA References, ADF Web Service Data Control (WSDC), OSB Business Service, WLS JEE JAX-WS Clients, WebCenter Portal, etc]

How to attach Policies?

There are three ways to attach OWSM Policies:

a) Via IDE's - ex: JDeveloper

b) Via Command Line Tooling - ex: WLST

c) Via Web based user interface - ex: FMWCTL

(b) and (c) are discussed in detail in the Security And Administrator's guide. Specifically see Section "Attaching Policies to Web Services" for details.

Note: WLST is not support for OSB and WLS Web Services/Web Service Clients as of 11.1.1.5.0.

Setup Configuration required for Policies

 Most Policies (esp. "security policies";) require additional configuration. For example:

  1. Message protection policies require Keystore setup.
  2. Passwords require OPSS Credential store setup,
  3. Authentication policies require Identity Store setup
  4. WS-Trust based policies require STS

This is discussed in detail in the Section "Setting Up Your Environment for Policies".

From our interactions with customers, support, etc - it appears most people seem to trip up on the last aspect. In future blog posts we will elaborate on some of the concepts introduced in this blog post as well as describe in detail the "Setting Up Your Environment for Policies".

About

In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today