Otm 2013 c13_e-13b-hagan-mark-otm-soa

Date posted: 19-Jan-2015

1. Copyright 2012, Oracle and/or its affiliates. All rights reserved.

2. OTM and SOA
  • Mark Hagan
  • Principal Software Engineer
  • Oracle Product Development

3. Content: What is SOA?; What is Web Services Security?; Web Services Security in OTM; Futures

4. PARADIGM

5. Content: What is SOA?; What is Web Services Security?; Web Services Security in OTM; Futures

6. What is SOA? Service Oriented Architecture
  • Term originated from IBM Web Services work in 2000?
  • Million and one attempts to produce a catchy paragraph
  • Strategy (both IT and Business)
  • Services
  • Interoperable
  • Standards
  • Aims to address perceived limitations in previous application integration techniques.

7. SOA Evolution: Service Oriented Architecture
  • Plateau of Productivity
  • Not just about enabling a legacy application to be called as a web service.
  • High level business process design
  • SOA Maturity Model
  • Availability of tools
      • Server: Oracle SOA Suite (+ others, I guess!)
      • Designer: Oracle JDeveloper (ditto)
  • SCA: Service Component Architecture (OASIS Standard)

8. What are Web Services?
  • Not just an API!
  • Salient points
      • Platform independent (XML everywhere)
      • Transport independent (i.e. not tied to a specific protocol)
      • Loosely coupled
      • Contract
      • Standards (next slide!)

9. What are Web Services?
  • Gradual emergence of standards
      • XML & XSD
      • SOAP
      • WSDL [Side note: even W3C gets confused between Web Service Definition Language and Web Services Description Language!]
  • Java Platform
      • JAX-RPC
      • JAX-WS (initially called JAX-RPC 2.0)

10. Anatomy of a SOAP Message
  • SOAP Envelope
  • SOAP Header
  • SOAP Body
  • Message Payload

11. Anatomy of a WSDL
  • Definition
  • Messages
  • Operations
  • Ports

12. Content: What is SOA?; What is Web Services Security?; Web Services Security in OTM; Futures

13. Security Before Web Services Security
  • Applies to OTM versions from v5.0 to v6.2
  • Credentials were passed according to transport protocol
      • For example, SOAP over HTTP used Basic Authentication HTTP Header
      • Encryption required SOAP over HTTPS
  • Commonly include credentials in the message itself.
      • OTM accepted Transmission Header with username/password or username and IP authentication.

14. Web Services Security: WS-Security
  • WSS: SOAP Message Security v1.1
  • OASIS Specification of an XML syntax for security related data in the SOAP Header
  • Supports different profiles
      • Username Token Profile
      • SAML Token Profile
      • X.509 Token Profile
      • Kerberos Token Profile
      • Rights Expression Language (REL) Token Profile

15. Web Services Policy: WS-Policy
  • WSP: Web Service Policy 1.5 Framework & Attachment
  • W3C Recommendation for an XML syntax to describe the requirements and capabilities of a web service.
  • Defines the concept of an assertion and how to declare policy alternatives.
  • Examples:
      • Security
      • Transactions
      • Reliable Messaging
      • Addressing

16. Web Services Security Policy: WS-SecurityPolicy
  • WSSP: WS-SecurityPolicy 1.3
  • OASIS Specification for WSS related policy assertions
  • Service can specify which token profiles are required or supported
  • Service can specify which transport protocols are required or supported
  • Declared in the service WSDL

17. WSSP Example: Username Token

18. Content: What is SOA?; What is Web Services Security?; Web Services Security in OTM; Futures

19. WSS in OTM v6.2 - Inbound
  • Partial support for Username Token Profile
  • Full support for HTTP and HTTPS
  • Not declared in WSDL
  • Password Digest was initially supported but may be removed

20. WSS in OTM v6.2 - Outbound
  • Partial support for Username Token Profile
  • Full support for HTTP and HTTPS
  • External WSDL is not parsed for WSSP assertions
  • Password Digest was initially supported but may be removed
  • Requires settings on Web Service and External System records in OTM.

21. Web Service Manager

22. External System Manager

23. WSS in OTM v6.3 - Inbound
  • Full support for Username Token Profile (except Password Digest type)
  • Full support for HTTP and HTTPS
  • Full support for Message Encryption
  • Declares security policy in WSDL for inbound services
      • Defaults to Username Token over HTTPS
      • Policy can be customised

25. Custom Policy
  • Installation deploys a policy file for each web service
      • /glog/glog_resources/policies/-Policy.xml
      • For example, /glog/glog_resources/policies/IntXmlService-Policy.xml
  • To override default policy
      • DO NOT EDIT base file
      • Create file under configured custom directory, for example /glog/glog_resources/custom/policies/IntXmlService-Policy.xml

26. Custom Policy (contd.)
  • Sample files installed
      • otm-default-policy.xml: policy installed by default (currently Username Token over HTTPS)
      • otm-Wssp1.2-2007-Https-UsernameToken-Plain.template.xml
      • otm-Wssp1.2-2007-UsernameToken-Plain.template.xml
      • otm-Wssp1.2-wss10_username_token_with_message_protection_policy.template.xml

27. WSS in OTM v6.3 Outbound
  • Full support for Username Token Profile (except Password Digest type)
  • Full support for HTTP and HTTPS
  • Full support for Message Encryption
  • WebLogic Server handles parsing of policy assertions
  • Requires additional WebLogic Server administration
  • All pre-existing outbound Web Services defined in OTM will operate according to v6.2 logic, i.e. will not automatically have access to v6.3 capability

28. WSS in OTM v6.3 Outbound (contd.)
  • WSDL Document content needs to be URL
      • Existing records would not contain any WS-Policy details and so need to be reloaded.
  • Use of Message Encryption requires additional administration tasks.
      • Storage of external X.509 Certificate in WebLogic keystore
      • New Web Service Security Configuration via Console (or config.xml)
      • Configure OTM property to match keystore alias to service endpoint:
        glog.webservice.pki.alias.myalias=https://myserver/services/myEncryptionService

29. WSS in OTM v6.3 Outbound (contd.)
  • Credential Mapping

30. Content: What is SOA?; What is Web Services Security?; Web Services Security in OTM; Futures

31. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

32. Future
  • Support for additional WSS profiles
      • SAML Token
      • X.509 Token
  • Split GLogXML.xsd schema
      • Namespace
      • Versions
  • Ability to attach client policy override to outbound services
      • Policy attachment via WebLogic Console and/or Deployment tools

33. Glossary (Term: Description)
  • OASIS: Organization for the Advancement of Structured Information Standards
  • XSD: XML Schema Definition
  • WSS: Web Services Security
  • SAML: Security Assertion Markup Language
  • X.509: ISO/IETF standard format for Public Key certificates.
  • JAX-RPC: Java API for XML-based RPC (Remote Procedure Call)
  • JAX-WS: Java API for XML-based Web Services (successor to JAX-RPC)

34. References (Term: Description)
  • OTM Documentation Library: http://docs.oracle.com/cd/E38437_01/otm/html/docset.html (Administration Guide, Integration Guide and Security Guide)
  • OASIS:
      • Home - https://www.oasis-open.org/standards
      • WSS - https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
      • WSSP - http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
  • W3C:
      • WSDL - http://www.w3.org/TR/#tr_WSDL
      • WSP - http://www.w3.org/TR/#tr_Web_Services_Policy
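An added example, not taken from the slides or from OTM: a Python check that a custom WS-SecurityPolicy override (slides 16, 25 and 26) still protects the Username Token, either through an HTTPS transport binding or by placing the token in an encrypted supporting-token assertion, and that it does not require Password Digest (slides 23 and 27). The policy snippets are constructed samples, and the function names and finding codes are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Namespaces: WS-SecurityPolicy (200702, used by 1.2 and 1.3) and WS-Policy.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

def sample(body):
    """Wrap constructed assertions in a policy root (not a file shipped with OTM)."""
    return f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">{body}</wsp:Policy>'

def token(wrapper, extra=""):
    """Constructed UsernameToken assertion inside the given supporting-token wrapper."""
    return (f"<sp:{wrapper}><wsp:Policy><sp:UsernameToken><wsp:Policy>"
            f"<sp:WssUsernameToken10/>{extra}</wsp:Policy></sp:UsernameToken>"
            f"</wsp:Policy></sp:{wrapper}>")

HTTPS = ("<sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>"
         "<sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy>"
         "</sp:TransportBinding>")

HTTPS_PLAIN = sample(HTTPS + token("SupportingTokens"))
BARE_PLAIN = sample(token("SupportingTokens"))
ENCRYPTED = sample("<sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>"
                   + token("SignedEncryptedSupportingTokens"))
DIGEST = sample(HTTPS + token("SupportingTokens", "<sp:HashPassword/>"))

def audit_policy(xml_text):
    """Return finding codes for one policy document; an empty list means no finding."""
    root = ET.fromstring(xml_text)
    sp = lambda name: f"{{{SP}}}{name}"
    if root.find(f".//{sp('UsernameToken')}") is None:
        return ["no-username-token"]
    https = root.find(f".//{sp('TransportBinding')}//{sp('HttpsToken')}") is not None
    # Message-level protection: the token sits in an *Encrypted*SupportingTokens assertion.
    encrypted = any(
        el.tag.startswith(sp("")) and el.tag.endswith("EncryptedSupportingTokens")
        and el.find(f".//{sp('UsernameToken')}") is not None
        for el in root.iter())
    findings = []
    if not (https or encrypted):
        findings.append("credentials-unprotected")
    if root.find(f".//{sp('HashPassword')}") is not None:
        findings.append("password-digest-required")  # not supported per the v6.3 slides
    return findings

if __name__ == "__main__":
    for name in ("HTTPS_PLAIN", "BARE_PLAIN", "ENCRYPTED", "DIGEST"):
        print(name, audit_policy(globals()[name]))
```

Running the audit over every file in the custom policy directory before deployment catches an override that drops the HTTPS requirement from the default policy.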