Getting Started with Security for your Oracle SOA Suite Integrations
Slide 1
Raastech, Inc.
2201 Cooperative Way, Suite 600
Herndon, VA 20171
+1-703-884-2223
info@raastech.com
Getting Started w/ Security for your Oracle SOA Suite Integrations
From Transport Protection to API Management
Wednesday, May 10, 2017
Session 6
11:30 am - 12:20pm
Amphitheater
2. © Raastech, Inc. 2017 | All rights reserved. Slide 2 of 78 @Raastech
Agenda
1. Introduction
2. Security Essentials
3. Oracle Fusion Middleware Security Platform
4. Oracle Web Services Platform “Practical” Implementation
5. Oracle Web Service Manager
6. Custom Policies
7. Oracle API Gateway
Slide 4
About Me
▪ Michael Mikhailidi
▪ 20+ years Oracle experience
▪ Extensive Oracle Fusion Middleware experience
▪ Oracle SOA Certified
▪ Past employment with Oracle, Rimini Street
Slide 5
What’s it all about?
▪ Protecting information and communication is more important than ever
▪ They tell you that all the time
▪ Security standards are old and here to stay
▪ The learning curve is steep
▪ Old formats, lack of compatibility, layers of fossils
▪ Implementation issues
▪ Done on a residual basis
▪ Lack of resources
▪ Errors, backdoors, support
Slide 7
Key Security Terms
▪ Public Key Infrastructure
▪ Asymmetric key exchange
▪ Published by Whitfield Diffie and Martin Hellman in 1976
▪ Ron Rivest, Adi Shamir, and Leonard Adleman identified the same relationship in 1978 (a.k.a. RSA)
▪ Standard X.509
▪ X.509 was initially issued on July 3, 1988
▪ Subset of the X.500 standard
▪ Basis for the modern web of trust and certificates
▪ Secure Sockets Layer / Transport Layer Security
▪ Invented by Netscape in 1994
▪ TLS was introduced in 1999
▪ SSL version 3 no longer exists in public communications; TLS is at version 1.2, and 1.3 is coming
Slide 8
Alice & Bob Secret Correspondence (diagram: Alice’s key for Bob, certified by Rabbit; Rabbit’s public key)
Slide 9
Transport Level Security
▪ Transport level security, in most cases:
▪ No certificate (public key) is required for the client
▪ The client creates a temporary private key for the session
▪ It sends the key back to the server, signed with the server’s public key
▪ You still need PKI to validate the server’s credentials
▪ Protects all data exchanged between server and client
▪ Requires configuration, not development
▪ That’s why it’s the most popular solution
Slide 10
Service and Message Protection
▪ Service Protection
▪ User Authentication
▪ User Authorization
▪ Session Validation
▪ Message Protection
▪ Message encryption
▪ Message non-repudiation (Signing)
▪ Guaranteed Delivery (Reliability)
▪ Management Tasks
▪ Logging
▪ Audit
▪ Transformation
Slide 12
Oracle Platform Security Service (OPSS)
▪ Authentication
▪ Single Sign-On
▪ Authorization
▪ Audit
▪ Credential Store Framework
▪ Identity Governance Framework
▪ Cryptography
▪ Management
▪ Security Providers
▪ Security Stores
Slides 13-17
Oracle Platform Security Service (OPSS)
▪ Users & Groups
▪ Credentials
▪ Security Providers
▪ Keystores
▪ Application Roles/Policies
Slide 18
How OWSM Works
▪ Web Service
▪ Published by a web application
▪ WebLogic Server runs the application and the WSM agent
– Separate application deployments for 3rd-party servers
▪ WSM agent enforces global and local policies on:
– Endpoints
– SOA components
– Clients
▪ Web Service Client
▪ Accesses the service endpoint
▪ Should follow the policies to complete the call
▪ WSM Policy Manager
▪ Manages policies
▪ Releases policy information to agents
▪ Administrative GUI through Fusion Middleware EM Control
▪ Web Service Clients
▪ WSM common and client policies
▪ Applies policies to the service references
Slide 19
How OWSM Works
1. Client sends a request message to a web service.
2. Policy interceptors intercept and execute the policies attached to the client.
3. Request message is then sent to the web service.
4. Policy interceptors then execute any service policies attached to the web service.
5. Web service executes the request message and returns a response message.
6. Response message is intercepted by the policy interceptors, which execute the service policies attached to the web service.
7. Response message is then sent to the client.
8. Policy interceptors then execute any client policies attached to the client.
9. Response message is passed to the client.
Slide 21
Yet Another “Hello World” Example
Slide 22
HelloWorld WSDL
Slide 23
Let’s say “Hello”
Slide 24
Pit Stop: How to find the right policy?
▪ A large number of policies are predefined and ready to use
▪ 55 security policies are predefined in OWSM
▪ Policy templates let you tailor policies that fit your requirements
▪ Oracle recommends following the naming convention
▪ It helps you understand what a policy does from its name
▪ Folder-like organization keeps policies organized
oracle/wss_saml_or_username_token_over_ssl_service_policy
  oracle          Folder
  wss             Standard (WS-Security)
  saml            Policy (token)
  or              OR
  username_token  Policy (token)
  over_ssl        Transport type
  service         Policy enforcement point
  policy          Policy
Slides 25-31
Apply OWSM Policy to the Service Endpoint
Slide 32
HelloWorld WSDL with Policy
Slides 33-35
How to say “Hello” now
Slides 36-41
Apply OWSM Policy at Design Time
Slide 43
Not So Simple Composite
▪ HelloWorldService reference
▪ Don’t forget to use the protected URL
▪ BPEL process to call the service
▪ A Mediator is too simple
▪ Service reference to expose the process
Slide 44
Not So Simple Composite
▪ Now select the service reference and apply the same policy, in its client flavor
Slide 45
Not So Simple Composite
▪ The client side requires a bit more configuration
▪ Click on the pencil icon
▪ Override the csf-key value with the credential alias
▪ Let’s say wlsadmin
▪ And save the policy
Slide 46
Not So Simple Composite
▪ The lock icon on the reference means:
▪ The policy has been attached
▪ One more step before deployment
Slide 47
Not So Simple Composite
▪ Time to recall OPSS features
▪ Navigate to WebLogic Domain > Security > Credentials
▪ Create a new key
▪ With the appropriate credentials
▪ Save the key
▪ Now we are ready for deployment
▪ And if you don’t have the oracle.wsm.security map: don’t be shy, create it!
Slide 49
Let’s say hello again
▪ OWSM client call:
▪ No SSL
▪ No WS-Security
Slide 50
Let’s say hello again
▪ However, the service gets all the necessary headers from the client policy
Slide 52
What if you need a policy that differs?
▪ You found a policy that does what you need, but not exactly…
▪ Company security rules mandate: “No clear text passwords allowed”
Slide 53
▪ The answer: Custom policies
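The naming convention from slide 24 and the “no clear text passwords” rule above can both be checked mechanically. The Python below is an added example, not part of the deck: it parses OWSM policy names into the convention’s parts and flags token policies that would accept a password without transport or message protection; the policy list is a constructed sample built from that convention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample list that follows the predefined-policy naming convention.
SAMPLE_POLICIES = [
    "oracle/wss_username_token_service_policy",
    "oracle/wss_http_token_service_policy",
    "oracle/wss_saml_or_username_token_over_ssl_service_policy",
    "oracle/wss11_saml_or_username_token_with_message_protection_service_policy",
    "oracle/wss_username_token_over_ssl_client_policy",
    "oracle/log_policy",  # management policy, outside the token-policy scheme
]

# folder/standard_token[_or_token][_over_ssl][_with_message_protection]_{service|client}_policy
_TOKEN_POLICY = re.compile(
    r"^(?P<folder>[^/]+)/(?P<standard>wss1[01]|wss)_(?P<tokens>.+?)"
    r"(?P<ssl>_over_ssl)?(?P<msg>_with_message_protection)?"
    r"_(?P<endpoint>service|client)_policy$"
)
# Tokens that carry a password (or equivalent) in the request itself.
PASSWORD_TOKENS = {"username_token", "http_token"}

@dataclass
class PolicyName:
    folder: str               # "oracle" for the predefined policies
    standard: str             # wss (WS-Security), wss10 or wss11
    tokens: List[str]         # alternatives joined by "_or_" in the name
    transport: Optional[str]  # "ssl" when the policy requires TLS
    message_protection: bool  # WS-Security signing/encryption of the message
    endpoint: str             # enforcement point: "service" or "client"

def parse_policy_name(name: str) -> Optional[PolicyName]:
    """Split an OWSM token-policy name into its parts; None for other policies."""
    m = _TOKEN_POLICY.match(name)
    if m is None:
        return None
    return PolicyName(m["folder"], m["standard"], m["tokens"].split("_or_"),
                      "ssl" if m["ssl"] else None, m["msg"] is not None, m["endpoint"])

def audit_clear_text_passwords(policies: List[str]) -> List[str]:
    """Policies accepting a password token with neither TLS nor message protection."""
    offenders = []
    for name in policies:
        p = parse_policy_name(name)
        if p and PASSWORD_TOKENS & set(p.tokens) and not (p.transport or p.message_protection):
            offenders.append(name)
    return offenders
```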
Slides 54-61
Customize Predefined Policy
Slide 62
Homegrown OWSM Policies
▪ 3 components:
▪ Custom assertion executor
Java code which implements your custom logic with the OWSM Java API
▪ Custom policy file
XML document which defines bindings, parameters, and everything else needed to make the assertion usable
▪ policy-config.xml
XML document you need to attach the new assertion to the OWSM repository
Slide 63
How to manage hundreds of services?
▪ You have a lot of services and don’t want to enforce all the policies manually
▪ All company services should comply with a set of policies
▪ But not all of them
The answer: Globally attached policies
Slide 64
Policy Sets
▪ Contains one or more policies
▪ Defines the subjects it applies to:
˗ SOA Component
˗ SOA Reference
˗ SOA Service
˗ Web Service Endpoint
˗ Web Service Client
˗ Web Service Connection
˗ Asynchronous Callback Client
▪ Describes the subject scope
▪ Policies in the set have selection filters
Slide 65
Apply Global Policies to all Services
▪ You can use WLST to create and manage policy sets
Slide 66
Apply Global Policies to all Services
▪ …or do the same from Fusion Middleware Control
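Slides 45-47 and 65 together describe what can be scripted end to end: store the credential behind the csf-key alias, then attach service and client policies globally instead of per composite. The WLST (Jython) script below is an added example rather than the deck’s own; it assumes OWSM 12c WLST commands, a Domain("*") scope, and placeholder host, user, passwords and policy-set names.

```jython
# WLST (Jython) script, run with $ORACLE_HOME/oracle_common/common/bin/wlst.sh
# Added example, not from the deck. Admin URL, user, the CHANGE_ME
# passwords and the policy-set names are assumptions for your own domain.
ADMIN_URL = 't3://adminhost:7001'

connect('weblogic', 'CHANGE_ME', ADMIN_URL)

# 1. OPSS credential store (slide 47): the alias "wlsadmin" that the
#    client policy's csf-key override points at, in the oracle.wsm.security map.
createCred(map='oracle.wsm.security', key='wlsadmin',
           user='weblogic', password='CHANGE_ME',
           desc='Credential presented by OWSM client policies')

# 2. Global policy set (slides 63-65): attach the transport-protected
#    SAML-or-username-token policy to every SOA service in the domain.
#    Policy set edits happen inside a session and take effect only on commit.
beginWSMSession()
createWSMPolicySet('all-soa-services', 'sca-service', 'Domain("*")',
                   'Transport protection for all SOA composite services')
attachWSMPolicy('oracle/wss_saml_or_username_token_over_ssl_service_policy')
validateWSMPolicySet()   # reports conflicts before anything is committed
commitWSMSession()

# 3. Matching client-side set for SOA references, with the csf-key override
#    so outbound calls present the credential stored in step 1 (slide 45).
beginWSMSession()
createWSMPolicySet('all-soa-references', 'sca-reference', 'Domain("*")',
                   'Client credentials for all SOA composite references')
attachWSMPolicy('oracle/wss_username_token_over_ssl_client_policy')
setWSMPolicyOverride('oracle/wss_username_token_over_ssl_client_policy',
                     'csf-key', 'wlsadmin')
validateWSMPolicySet()
commitWSMSession()

# Verify: list all policy sets and show what the service set now contains.
listWSMPolicySets()
displayWSMPolicySet('all-soa-services')
disconnect()
```

Keep the real passwords out of the saved script: let connect() and createCred() prompt for them, or read them from a file that only the administrator can access.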
Slide 68
OWSM on Steroids
▪ Secure enough to protect all your services
▪ Strong enough to live in the DMZ
▪ Smart enough to take a share in routing and transformation
▪ Data reduction
▪ Protocol exchange
▪ API transformation
▪ Open enough to plug into an existing management framework
▪ Integration with Oracle Enterprise Manager
Slides 69-76
API Gateway Architecture & Components
▪ Key components and tools
▪ API Gateway Manager
▪ Policy Studio
▪ API Gateway Analytics
▪ API Gateway Explorer
▪ API Gateway Manager
▪ Centralized web-based dashboard
▪ Controls and manages API Gateways and groups in a domain
▪ Displays aggregated monitoring data from multiple API Gateway instances
▪ Including real-time statistics, traffic log, log files, and alerts
▪ Manages, monitors, and troubleshoots the API services that are virtualized on the API Gateway
▪ Policy Studio
▪ Policy development and configuration for API and service protection
▪ Develops API Gateway policies and solution packs
▪ Customizes and extends the API Gateway using scripting
▪ Creates Java classes and/or custom filters using the API Gateway filter SDK
▪ Typically on a separate machine from the API Gateway
▪ Oracle API Gateway Analytics
▪ Generates reports and charts based on usage metrics
▪ Database integration
▪ Oracle Database
▪ MySQL Server
▪ Microsoft SQL Server
▪ Real-time and historical metrics