Wednesday Dec 18, 2013

Newbie to SOA/OWSM

Just came across this blog post that provides a one minute overview in Q&A form that I thought would be useful for those who are new to Oracle SOA Suite and OWSM.

You can find other posts on SOA, BPM, OSB, etc as well on the blog: http://soawork.blogspot.com/

Sunday Aug 11, 2013

How To - Identity Propagation for REST using OWSM - 12.1.2

This is a follow up to my previous blog post, in that post I provided step by step instructions on how to secure a REST service and client built using Jersey JAX-RS technology that ships with Weblogic.

In this post I am providing a pointer to a detailed step-by-step instructions on how to do identity propagation for REST.

I strong encourage people read up on the previous How Tos covered in the following blog posts before attempting the How to provided in this post:

https://blogs.oracle.com/owsm/entry/how_to_owsm_12_1

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_services

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_clients

Sunday Aug 04, 2013

How To - Securing REST clients using OWSM - 12.1.2

This is a follow up to my previous blog post, in that post I provided step by step instructions on how to secure a REST service built using Jersey JAX-RS technology that ships with Weblogic.

In this post I am providing a pointer to a detailed  step-by-step instructions for securing both REST service and REST client.

In a future post I plan to cover the steps for doing identity propagation using SAML in the context of REST services & clients.

I strong encourage people read up on the previous How Tos covered in the following blog posts before attempting the How to provided in this post:

https://blogs.oracle.com/owsm/entry/how_to_owsm_12_1

https://blogs.oracle.com/owsm/entry/how_to_securing_rest_services



Friday Jul 12, 2013

How To - Securing REST services using OWSM - 12.1.2

As I mentioned in my earlier blog post - one of the features in 12.1.2 is the support for securing and managing REST services/clients similar to SOAP web services/clients.

I have posted a how to describing the steps involved in securing REST services using OWSM 12.1.2


Thursday Jul 11, 2013

How To - OWSM 12.1.2 Installation

As I mentioned in my previous blog post FMW 12.1.2 was released today. There are a few things that are different in terms of installation for OWSM in 12.1.2 compared to 11g. So I have created a fairly detailed Install How-To with screen shots. This complements the 12.1.2 Install guide.

Note: The How To does not describe all scenarios/topologies. It is mainly intended for demo installs and to give you a quick overview of key steps.

Tuesday Apr 16, 2013

.NET interoperability, Kerberos, SPNEGO, Id Propagation - All things Microsoft! - OWSM 11g - Revisited

In a previous blog post - I briefly talked about interoperability with Microsoft and support for Kerberos, SPNEGO, NTLM, etc in OWSM. So I wanted to revisit that post and address a few aspects:

SPNEGO support

In that blog post - I mentioned that SPNEGO is something we don't support in OWSM.

In PS6 with the introduction of the support for REST security - we also added support for SPNEGO. While the key driver was REST services and securing REST services - we support SPNEGO policies for HTTP/SOAP services as well.

In fact one of things customers will notice is that many of the policies introduced for securing REST services are also supported for HTTP/SOAP web services.

SPNEGO support is documented here:

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/policies.htm#CHDEJIIF

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/assertions.htm#CHDBICJC

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/policies.htm#CJAIEDEG

Note: OWSM still doesn't support NTLM.

Interoperability with Microsoft environments.

One of the most common questions from customers is around can we use SAML to do identity propagation b/w Microsoft and Oracle based environments and the use of ADFS as the STS for enabling SAML based identity propagation.

In PS6 - we have certified with ADFS ( in addition to the certification with Oracle STS, OpenSSO STS).

Client side Kerberos support

It appears that many people looked at the figures in the previous blog post and assume we don't support Kerberos on the client side in OSB. I just wanted to clarify that we do in fact support Kerberos policies on the client side - so for - you can do the following:


The key limitation is that you cannot use kerberos across multiple hops as I mentioned in the previous blog post. However you can definitely use Kerberos policies to secure your web services clients.

Thursday Apr 04, 2013

Identity Context support in OWSM - 11g

Here is another quick post about yet another new feature in PS6. As many of you know we have supported identity propagation for a long time. However as things have evolved - it is clear that propagating just identities is not sufficient. We need to propagate additional contextual information - this may include for ex:

a) In the Mobile world - for example this can include whether the user is using a device that is jail broken or not

b) In the Banking space - the geo-location from where an ATM debit card or credit card might be getting used by the user.

In fact Marc Boroditsky spoke about this in Oracle Open World 2012.

This sets up the need for propagating not just the identity but the entire context! In PS6 we have taken a step in this direction.

Note: There are still some limitations - SOA Suite/OSB - for example don't yet support the ability to propagate the entire identity context.

Tuesday Apr 02, 2013

OSB and OWSM integration enhancements - 11g

In my previous post, I described one of the key features that we added in OWSM for PS6 was support for securing REST services. I forgot to mention that another key addition in PS6 relates to the OSB/OWSM integration. The integration has been enhanced to address some of the more common issues that were raised by customers.

Two key enhancements in this area include:

a) Support for securing OSB REST services with OWSM Policies.

Note: OSB has not certified all the REST security policies OWSM supports in PS6.

b) Support for Attachments (MTOM, SwA) and OWSM security policies

More details on what is supported in OSB in PS6 can be found here.

FMW PS6 (11.1.1.7.0) released!

Just a quick note - FMW PS6 has been released. OWSM is part of the FMW release train. As was the case with the previous FMW Patchset release - this is a feature bearing release.

The OWSM PS6 documentation describes as part of what's new section an exhaustive list of features:

The following new features and enhancements have been added to the current release of Oracle Web Services Manager:

In future blog posts I will post in more detail about some of the features - but in this blog post I wanted to highlight one particular features that I think customers are going to find very useful:

Securing REST services (a.k.a Servlet Application Security)

Customers can build REST services in one of two ways:

  • As Servlet applications without using any REST technology stack
  • Using REST stacks like Jersey JAX-RS

In PS6 - OWSM support's securing REST services built using either methodologies. So all the capabilities and power of OWSM to secure SOAP services can now be used for securing REST services.

Here is are some quick doc pointers:

http://docs.oracle.com/cd/E28280_01/web.1111/e13734/rest.htm#BHABFDGJ

http://docs.oracle.com/cd/E28280_01/web.1111/b32511/policies.htm#CHDEJIIF

Note: In this release OWSM does NOT SUPPORT securing REST clients - for example REST Clients built using the Jersey JAX-RS stack.

Friday Feb 15, 2013

Dynamic Policy Selection among alternatives - 11g - follow up

Just a couple of quick follow up points to my blog post on Dynamic Policy Selection.

First a shout out to Chris's blog post on this topic - I missed it since he blogged about it more than 2.5 years back! He is a doing a lot of creative things in that blog post. My post was more around what is supported by OWSM out of the box.

Second - a clarification - the Dynamic Policy Selection is supported only on the service side currently.

Friday Feb 08, 2013

Dynamic Policy Selection among alternatives - 11g

A few weeks back I was discussing some requirements a few teams had within Oracle and I thought it would be a good topic to address on this blog. One of the most common scenarios that customers seem to run into is the following:

Let's say you have a Web Service. The Web Service supports SAML. Now if Web Service Clients are able to support SAML you are in good shape and they can talk to your Web Services. However if a Web Service Client cannot support SAML then you have a problem. Let's assume for  a second that the Web Service Client can support Kerberos but not SAML.

This mismatch in security capabilities is a fairly common occurrence. 

Before I talk about the specific feature of Dynamic Policy Selection that is supported in OWSM - let's see what are the various ways to solve this problem:

a) Option#1: Use Oracle STS to do Token Exchange/Conversion

b) Option#2: Build SAML capability in the Web Service Client or use Web Services Security technology that supports SAML

c) Option#3: Add Kerberos support to the Web Service.

Here we have two scenarios:

Scenario#3.1: Expose two Web Service Ports one using SAML and the other using Kerberos.

Scenario#3.2: Dynamic Policy Selection on the Service

d) Option#4: Use Oracle Enterprise Gateway or Oracle Service Bus

I will describe briefly each of the options and the advantages and disadvantages of each option.

So a customer has four options. Different options have different implications on different parties.

Option#1: Use Oracle STS to do Token Exchange/Conversion

As I mentioned in a previous blog post - you can use a Oracle STS. Just to reiterate - this will look as follows:

Oracle STS - Token Exchange/Conversion

Advantages:

a) The Security story on the Web Service side is fairly simple - you can standardize on one particular token - ex: SAML that all clients need to adhere to...

Disadvantages:

a) The onus is on the Client to bridge the difference b/w what the Web Service supports and what the client supports.

b) The Client needs to have the capability to be able to talk to an STS.

Option#2: Build SAML capability in the Web Service Client or use Web Services Security technology that supports SAML

 Well this fairly self evident - if you can add the SAML support on the client - then there is not mismatch! Ex: use OWSM for example to secure your Web Service client and viola problem solved :-)

Advantages:

a) The Security story on the Web Service side is fairly simple - you can standardize on one particular token - ex: SAML that all clients need to adhere to...

b) No new components into the mix - ex: Oracle STS

Disadvantages:

a) It may not always be possible to add SAML support - depending on the technology stack being used on the Web Service Client side!

Option#3: Add Kerberos support to the Web Service

In this approach instead of client changing, the service side is modified to add Kerberos support. There are two ways to address this:

Scenario#3.1: Expose two Web Service Ports one using SAML and the other using Kerberos.

This is shown in the figure below (click for larger image).

different web service ports for different security

Advantages

a) The advantage of this approach is the clients are not impacted.

Disadvantages

a) The Web Service has to support multiple web services - one for each security token or security requirement.

b) More overhead in terms of maintaining, testing.

c) If a technology stack does not support adding Web Service Ports dynamically  - then the application has to go back to the Development and so the administrator cannot address this requirement.

d) Assumes the Web Service/Web Service Security stack on the service side can support Kerberos.

Scenario#3.2: Dynamic Policy Selection on the Service

OWSM - Dynamic Policy Selection

In this model the Web Service is configured with a policy that basically supports both SAML "OR" Kerberos [1]. When the Web Service Client invokes the Web Service - based on the contents of the message the appropriate option is selected. So if the Desktop application sends Kerberos Token - then the Kerberos Option in the policy is executed. If the On Premise App sends the SAML token in the SOAP message the SAML Option in the policy is executed.

High level Description:

So the way to achieve this in OWSM is by constructing an ExactlyOne Policy which contains two assertions - one is a SAML authentication assertion and the other is the Kerberos Authentication assertion.

<ExactlyOne>

<SAML Authentication>

<Kerberos Authentication>

</Kerberos>

You can author such a policy using Enterprise Manager Fusion Middleware Control as described in the OWSM documentation here.

Advantages:

a) No changes to the Web Service/Application itself. So a customer does not have to go back to the Development teams to add new Web Service Port every time the security requirement changes.

b) Administrator can make the changes by creating new combinations based on requirements

c) Web Service Clients  are not impacted

Disadvantages:

a) The customer hosting the Web Service has to still test two security models! So there is still some testing, maintenance overhead.

b) Assumes the Web Service/Web Service Security stack on the service side can support Kerberos and Dynamic Policy Selection.

Notes:

[1] For purposes of simplicity - I use the terminology "OR" above but "OR" operator and ExactlyOne are not identical in semantics.

[2] OWSM currently ships a few policies Out of the box (OOTB) that have this capability. Ex: See here and here. This section in the OWSM doc - describes the client policy and service policy compatibility which provides you a good overview.

Option#4: Use Oracle Enterprise Gateway or Oracle Service Bus

In this option OEG or OSB will act as an intermediary and do the token conversion - potentially in conjunction with an STS.

OEG as an intermediary for token mediation

Advantages

a) No impact for Client or the actual backend Web Service. The onus shifts to the intermediary in this case OEG or OSB.

b) If the Client cannot be modified or the backend Web Service cannot be modified - this is pretty much becomes the only option!

Disadvantages

a) You need a new component - OSB or OEG in the mix

b) The intermediary has to easily support Scenario#3.1 or Scenario#3.2 itself - otherwise we have just shifted the problem to a different layer!

 In this blog post - I took a concrete example - i.e. Kerberos and SAML - but the concept applies in general to any mismatch in security capabilities that customers may find between a Web Service Client and Web Service.

Monday Dec 03, 2012

OWSM Permission based Authorization in SOA - 11g

Just came across a nice blog post on how to do authorization in SOA using the OWSM permission based authorization policy.

One big caveat is in order: SOA does not support the concept of "Application Roles". So the grant is done to the enterprise role (i.e. ldap group). If I get sometime I will post more about the differences b/w doing grants for Application Roles vs. Enterprise Roles.

Update: So I added a big caveat while linking to the above blog post but did not add any explanation. This had folks confused - since the blog post explicitly talks about Application Roles!

Well if you look at the blog post - it talks about Application Roles in the "soa-infra" Application stripe. The "soa-infra" Application Stripe is the stripe of the SOA Suite container.

I would NOT recommend using the SOA Suite container's Application Stripe for SOA Composite Applications for a couple of reasons:

a) The lifecycle aspects become horrendously complicated when you mix Application Roles applicable for SOA Composite applications that a customer builds in the same stripe that is used by the SOA container. For ex: In a future release the SOA container might decide to use a different stripe for it's application roles - if a customer is using this stripe then all the authorizations for SOA Composite applications would start failing when they upgrade to the new release. You can potentially also cause the SOA container to stop working - if you delete or modify the Application Roles that it ships. Fundamentally - the soa-infra stripe is owned by the SOA container for it's working and customers should not be using it for their own composite apps.

The closest analogy to what is being done in the blog post would be a comparison b/w WLS Application Server and J2EE Apps. I would not recommend mixing the security artifacts that ship with the Application Server for it's own internal working with the security artifacts that is required for a customer developed J2EE application. Patching, Upgrade, T2P, etc are all very different.

b) The other reason of course is this is no really scalable. You can have hundreds of composite applications. If you use a single application stripe "soa-infra" - then there is impact when you move let's say one composite application from Test to Production. How do you move the corresponding application roles that are relevant for only that particular composite app. In addition there are performance implications - if you have hundreds of composite applications and each composite application defines it's own Application Role - then you end up defining hundreds of Application Roles.

So in order to avoid getting into the above type of issues - I recommend customers stick to enterprise roles (ldap groups).

Note: This recommendation to avoid Application Roles and use Enterprise Roles (Ldap Groups) is only for SOA composite applications. For JEE Applications - using Application Roles is beneficial and the lifecycle issues that I describe above don't exist.

In a future blog post - I will describe the advantage of Application Roles.

Wednesday Nov 14, 2012

Cloud Integration Using Oracle SOA Suite - 11g

There is a very good blog post by Rajesh Raheja on how you can use Oracle SOA Suite for Cloud Integration. He also has a link to white paper on his blog as well.

In a future blog post I will describe some of the security challenges and how to address them using OWSM for Web Services.

Thursday Aug 16, 2012

Interop with Microsoft - OWSM 11g

As they say when it rains it pours! So it has been with my blog posts:-) Anyway this is another short post - I was talking about all things Microsoft and lucky me - I found this article dealing with Microsoft silverlight and OSB and OWSM and I thought I would share a link!

Custom assertion/policy examples in the wild - OWSM 11g

Since recently i have been talking about custom assertions and policies quite a bit (here, here and here)- I thought I would share some more concrete samples (and looks like rather than me having to build it on my own - i can just point to others who have done this already!!)

So here is a quick pointer:

http://www.cohesion.com.au/articles/owsm-custom-policy-partI

http://www.cohesion.com.au/articles/owsm-custom-policy-partII

Happy coding!

Wednesday Aug 15, 2012

OWSM Gateway vs. OEG - OWSM 11g

I came across this blog post http://www.narendranaidu.com/2011/11/oracle-web-service-manager-vs-oracle.html about confusion b/w OWSM Gateway and OEG and I thought I would post a quick clarification.

I have already described earlier about OWSM vs. OEG here and Oracle's vision for layered security here. However I didn't address OWSM Gateway vs. OEG!

As many of you know in OWSM 11g - there is no OWSM Gateway - we have only OWSM Agents. The OWSM Gateway Narendra is talking about is referring to the OWSM 10g Gateway. OEG is the 11g successor to the OWSM 10g Gateway.

Hope that clarifies any confusion!

Update#1: Here is a document that describes how to migrate from OWSM 10g Gateway to OES OEG 11g.

.NET interoperability, Kerberos, SPNEGO, Id Propagation - All things Microsoft! - OWSM 11g

One of the most common questions I run into relates to .NET/WCF interoperability with OWSM.

First - officially OWSM certifies a few interop scenarios with .NET. These are covered in the OWSM Interop guide

They key scenarios certified for interop involve Username Token, X509 Token and Kerberos Token via the WS-Security Kerberos Token Profile.

The next question I hear is around how do we do Identity Propagation when we have .NET.

Scenario#1: Identity Propagation b/w WCF Client and OWSM/Fusion Middleware using Kerberos and SAML with OSB as active intermediary


Note: Instead of OSB you can use SOA Suite as well and that would work as well.

Scenario#2: Identity Propagation b/w WCF Client and OWSM/Fusion Middleware using Kerberos with OSB as passive intermediary


Note: The passive intermediary model applies for OSB (or OEG) but not for SOA, since SOA does not support passive intermediary model.

Scenario#3: Kerbeors based Multi-hop Identity Propagation b/w WCF Client & OWSM/Fusion Middleware and OSB as active intermediary


In this scenario - customer's want to use Kerberos for Identity propagation across multiple hops. This is currently not supported.

Scenario#4: Kerbeors based Multi-hop Identity Propagation b/w WCF Client & WCF Service and OSB as active intermediary


In both scenario#3 and scenario#4 in order to use Kerberos for multi-hop end-user identity propagation, you need to support either the end user TGT or the S4U Extension. Neither of these are currently supported in OWSM.

Scenario#5: Using SAML for end-to-end identity propagation.


So another way to do end-to-end identity propagation that will work with OSB or SOA Suite is to SAML. WCF/.NET supports talking to an STS to exchange a kerberos token for a SAML token and then SAML can be used across multiple hops.

Note:

1) While this scenario has not been certified explicitly by OWSM, it should work since OWSM supports WS-Trust.

2) In the diagram I use Oracle STS but any STS can be used as long as that STS supports exchanging a Kerberos token for SAML token.

I have not listed all the possible scenarios here - but hopefully this provides a sense of what is possible today and what is not possible.

SPNEGO

I also see a lot of questions around SPNEGO support. OWSM currently does not support SPNEGO. You can read all about SPNEGO here

One could build a custom assertion to add SPENGO support in OWSM. However you need to keep in mind that with SPNEGO unlike the WS-Security Kerberos Token Profile, the Kerberos Token is actually in the HTTP reader rather than in the SOAP WS-Security header.

So the Kerberos token is wrapped in the HTTP header under the auth-scheme called "Negotiate". The WWW-Authenticate and Authorization headers are used to communicate the SPNEGO token between client and service. This is explained in the steps below:

  1. The client requests access to a protected document on the server without any Authorization Header.
  2. Since there is no Authorization Header in the request, server responds with 401 Unauthorized and WWW-Authenticate: Negotiate.
  3. The client will use the user credentials to obtain the token and then send it to the server in the Authorization header of the new request.For e.g.,   Authorization: Negotiate a87421000000492aa874209
  4. The server will decode this token by passing it to the acceptSecContext() GSSAPI. If the context is not complete (in the case of Mutual Authentication) the server will respond with a 401 status code with a WWW-Authenticate header containing the GSS-API data. For e.g., WWW-Authentiate: Negotiate 74900a2a...
  5. The client will decode this data and send new data back to the server. This cycle will continue until the security context is established.

Since there is request/challenge model - typically the SPNEGO security model is harder to accomplish in intermediaries like OSB/OEG - if they are acting as "passive intermediaries". An active intermediary model maybe more appropriate.

For OSB itself there may be an alternate model to supporting SPNEGO. There is an excellent post from the A-Team on OSB & SPNEGO (Note: It deals with OSB 10gR3). Here is another post that covers SPNEGO

NTLM

The next question that often comes up is around NTLML support.OWSM currently does not support NTLM. As this wikipedia entry on SPENGO describes - NTLM is a variant.As you can see Microsoft no longer recommends NTLM. However if customers really want to support NTLM - they can build a custom policy.

Tuesday Jun 12, 2012

Identity Propagation for Web Service - 11g

I came across this post from Beimond on how to do identity propagation using OWSM.As I have mentioned in the past here, here and here - Beimond has a number of excellent posts on OWSM. However I found one part of his comment puzzling. I quote:

"OWSM allows you to pass on the identity of the authenticated user to your OWSM protected web service ( thanks to OPSS ), this username can then be used by your service. This will work on one or between different WebLogic domains. Off course when you don't want to use OWSM you can always use Oracle Access Manager OAM which can do the same." The sentence in red highlights the issue i find puzzling.

In fact I just discussed this particular topic recently here.

So let me try and clarify on a few points:

a) OAM is used for Web SSO.

b) OWSM is used for securing Web Services. You cannot do identity propagation using OAM for Web Services.

c) You use SAML to do identity propagation across Web Services. OAM also supports SAML - but that is the browser profile of SAML relevant in the context of Web SSO and is not related to the SAML Token Profile defined as part of the WS-Security spec.


Thursday May 31, 2012

Identity Propagation across Web and Web Service - 11g

I was on a customer call recently and this topic came up. In fact since this topic seems to come up fairly frequently - I thought I would describe the recommended model for doing SSO for Web Apps and then doing Identity Propagation across the Back end web services.

The Image below shows a typical flow:

Here is a more detailed drill down of what happens at each step of the flow (the number in red in the diagram maps to the description below of the behind the scenes processing that happens in the stack).

[1] The Web App is protected with OAM and so the typical SSO scenario is applicable. The Web App URL is protected in OAM. The Web Gate intercepts the request from the Browser to the Web App - if there is an OAM (SSO) token - then the Web Gate validates the OAM token. If there is no SSO token - then the user is directed to the login page - user enters credentials, user is authenticated and OAM token is created for that browser session.

[2] Once the Web Gate validates the OAM token - the token is propagated to the WLS Server where the Web App is running. You need to ensure that you have configured the OAM Identity Asserter in the Weblogic domain. If the OAM Identity Asserter is configured, this will end up creating a JAAS Subject.

Details can be found at:

http://docs.oracle.com/cd/E23943_01/doc.1111/e15478/webgate.htm#CACIAEDJ

[3] The Web Service client (in the Web App) is secured with one of the OWSM SAML Client Policies. If secured in this fashion, the OWSM Agent creates a SAML Token from the JAAS Subject (created in [2] by the OAM Identity Asserter) and injects it into the SOAP message.

Steps for securing a JEE JAX-WS Proxy Client using OWSM Policies are documented at:

http://docs.oracle.com/cd/E23943_01/web.1111/b32511/attaching.htm#BABBHHHC

Note: As shown in the diagram - instead of building a JEE Web App - you can also use WebCenter and build portlets. If you are using WebCenter then you can follow the same architecture. Only the steps for securing WebCenter Portlets with OWSM is different.

http://docs.oracle.com/cd/E23943_01/webcenter.1111/e12405/wcadm_security_wss.htm#CIHEBAHB

[4] The SOA Composite App is secured with OWSM SAML Service policy. OWSM Agent intercepts the incoming SOAP request and validates the SAML token and creates a JAAS Subject.

[5] When the SOA Composite App tries to invoke the OSB Proxy Service, the SOA Composite App "Reference" is secured with OWSM SAML Client Policy. Here again OWSM Agent will create a new SAML Token from the JAAS Subject created in [4] by the OWSM Agent and inject it into the SOAP message.

Steps for securing SOA Composite Apps (Service, Reference, Component) are documented at:

http://docs.oracle.com/cd/E23943_01/web.1111/b32511/attaching.htm#CEGDGIHD

[6] When the request reaches the OSB Proxy Service, the Proxy Service is again secured with the OWSM SAML Token Service Policy. So the same steps are performed as in [4]. The end result is a JAAS Subject.

[7] When OSB needs to invoke the Business App Web Service, it goes through the OSB Business Service. The OSB Business Service is secured with OWSM SAML Client Policy and step [5] is repeated.

Steps for securing OSB Proxy Service and OSB Business Services are document at:

http://docs.oracle.com/cd/E23943_01/admin.1111/e15867/proxy_services.htm#OSBAG1097

[8] Finally when the message reaches the Business App Web Service, this service is protected by OWSM SAML Service policy and step [4] is repeated by the OWSM Agent.

Steps for securing Weblogic Web Services, ADF Web Services, etc are documented at:

http://docs.oracle.com/cd/E23943_01/web.1111/b32511/attaching.htm#CEGCJDIF

In the above description for purposes of brevity - I have not described which OWSM SAML policies one should use; OWSM ships with a number of SAML policies, I briefly described some of the trade-offs involved with the various SAML policies here.

The diagram above and the accompanying description of what is happening in each step of the flow - assumes you are using "SAML SV" or SAML Bearer" based policies without an STS.

Monday Apr 16, 2012

Oracle BPM and OWSM - 11g

The Oracle BPM team has an article on how to use OWSM with Oracle BPM. The article covers specifically how to use OWSM SAML based identity switching policy (I briefly talked about the SAML identity switching feature in OWSM in the blog post).

Hope people find it useful! (There is a typo in the title it should say BPM 11g: Configuring SAML Web Service Clients for Identity Switching without Message Protection).

Thursday Apr 12, 2012

OEG integration with OSB/OWSM - 11g

This is a follow up to my post on Oracle's layered SOA Security vision. There is a very nice article from Fabio Mazanatti & co describing How to integrate OEG with OSB/OWSM

Check it out!

Friday Mar 30, 2012

OSB Security using OWSM - 11g

Here is a very nice video showing how OWSM can be used to secure OSB from Oracle.

Sunday Mar 18, 2012

How To - Securing a JAX-WS with OWSM Message Protection Policy in JDeveloper - 11g

As promised in this post, here is a How-To that describes how to secure a simple HelloWorld JAX-WS with OWSM message protection policy and test it with SOAP UI.

The How-To reuses the picture I posted earlier about the relationship and interplay b/w Keystore, Credential store, jps-config.xml ,etc.

One of the other more frequent requests I hear from folks within Oracle and customers is how to test OWSM with SOAP UI. SOAP UI in general works very well as testing tool for web services secure with wss10 policies.

Saturday Mar 17, 2012

Podcast on SOA Governance and OWSM - 11g

Anand Kothari the Product Manager for OWSM has a great podcast on SOA Governance and how OWSM, OEG help the SOA Governance story.


Keystore and Credential Store interplay in OWSM - 11g

One of the most common problems faced by customer's is the use of the keystore and it's interplay with the credential store.Here is a picture that describes these relationships.(Click on the picture for a larger image). The picture makes some assumptions in describing the relationship. Some of assumptions are:

a) the key used for signing and encryption are the same.

b) A keystore can have multiple keys and each key can have it's own alias. In the picture I show only a single key with alias "orakey".

c) The keystore being described here is a JKS keystore. Things can vary slightly for other type of keystores.

I hope to have a detailed How To that provides the larger picture and then shows these relationships in that context and this picture was created in the context of that How-To. However I think people will find this picture useful on a standalone basis as well. The <serviceInstance> is the entry you will find in jps-config.xml


Keystore, Credential Store, jps-config.xml

About

In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today