Wednesday May 23, 2012

WLS Custom Authenticator, OPSS Custom Identity Store Service, OWSM Custom Assertion - custom everything!! - 11g

Between WLS, OWSM, OPSS - Oracle supports a lot of flexibility in building custom security. However sometimes customer's maybe overwhelmed and find all this very confusing. This post provides a brief overview of the purpose of each and when to use them.

WLS Custom Authenticator (or Custom Authentication Provider)

Weblogic provides the ability to build Custom Authentication Providers. WLS documentation describing how to build "Security Providers" is described here.

When should you build it?

Typically you build a custom authentication provider - when your users are stored in "custom" repository.

Ex#1: Let's say you have users in a mainframe repository and you cannot use the OOTB Ldap or SQL Authentication Providers.

Ex#2: The users are stored in DB but the schema is custom and so the OOTB SQL Authentication Provider does not work.

We will use the terminology "Identity Store" to identify a repository where users are stored.

OPSS Custom Identity Store Service

OPSS supports the ability to configure the "Identity Store" service as part of a weblogic domain via the "jps-config.xml". OPSS OOTB currently does not support Oracle DB as an "Identity Store". If you have users in a DB or mainframe system - you may want to build a custom identity store service.

 

When should you build it?

The OPSS Identity Store service can be used to retrieve user profile information. Ex: If you want to retrieve the email of user in the "Identity Store".

OPSS provides what is called User/Role APIs and these APIs ultimately need to talk to the "Identity Store" to retrieve user profile information.

You can find details about the OPSS Identity Store service here.

OWSM Custom Assertion

I have briefly described about OWSM Custom Assertion/Policy support in this blog post.

When should you build it?

There are many scenarios where you may want to build a custom assertion.

Ex#1: Let's say you need to support a proprietary token (ex: CA SiteMinder Token) in your Web Services for authentication.

Ex#2: You want to support say a JWT token for your Web Services for authentication.

Hopefully this clarifies some of the confusion.

Note: There are a lot of nuances to each of the scenarios described in this post. I have tried to keep the post at a high level and gloss over many of nuances for purposes of brevity.

Sunday Mar 18, 2012

How To - Securing a JAX-WS with OWSM Message Protection Policy in JDeveloper - 11g

As promised in this post, here is a How-To that describes how to secure a simple HelloWorld JAX-WS with OWSM message protection policy and test it with SOAP UI.

The How-To reuses the picture I posted earlier about the relationship and interplay b/w Keystore, Credential store, jps-config.xml ,etc.

One of the other more frequent requests I hear from folks within Oracle and customers is how to test OWSM with SOAP UI. SOAP UI in general works very well as testing tool for web services secure with wss10 policies.

Saturday Mar 17, 2012

Keystore and Credential Store interplay in OWSM - 11g

One of the most common problems faced by customer's is the use of the keystore and it's interplay with the credential store.Here is a picture that describes these relationships.(Click on the picture for a larger image). The picture makes some assumptions in describing the relationship. Some of assumptions are:

a) the key used for signing and encryption are the same.

b) A keystore can have multiple keys and each key can have it's own alias. In the picture I show only a single key with alias "orakey".

c) The keystore being described here is a JKS keystore. Things can vary slightly for other type of keystores.

I hope to have a detailed How To that provides the larger picture and then shows these relationships in that context and this picture was created in the context of that How-To. However I think people will find this picture useful on a standalone basis as well. The <serviceInstance> is the entry you will find in jps-config.xml


Keystore, Credential Store, jps-config.xml

About

In this blog I will discuss mainly features supported by Oracle Web Service Manager (OWSM).

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today