OTM-SOA - By, Mark Hagan

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 1

Description

Service Oriented Architecture (SOA) implementations are gaining popularity. OTM application integration with these implementations requires an increased level of support for industry standards, specifically Web Services Security (WSS). This presentation describes the WSS capabilities added to OTM v6.3 and how this differs from, and expands on, previous support. It also discusses some potential future enhancements in this area (e.g. XML schema design).

Transcript of OTM-SOA - By, Mark Hagan

Page 1: OTM-SOA - By, Mark Hagan


Page 2: OTM-SOA - By, Mark Hagan

OTM and SOA
Mark Hagan, Principal Software Engineer, Oracle Product Development

Page 3: OTM-SOA - By, Mark Hagan


Content

What is SOA?

What is Web Services Security?

Web Services Security in OTM

Futures…

Page 4: OTM-SOA - By, Mark Hagan


PARADIGM

Page 5: OTM-SOA - By, Mark Hagan


Content

What is SOA?

What is Web Services Security?

Web Services Security in OTM

Futures…

Page 6: OTM-SOA - By, Mark Hagan


What is SOA?

Term originated from IBM Web Services work in 2000?
A million and one attempts to produce a ‘catchy’ paragraph
– Strategy (both IT and Business)
– Services
– Interoperable
– Standards

Aims to address perceived limitations in previous application integration techniques.

Service Oriented Architecture

Page 7: OTM-SOA - By, Mark Hagan


SOA Evolution

Not just about enabling a legacy application to be called as a web service.
High level business process design
SOA Maturity Model
Availability of tools
– Server: Oracle SOA Suite (+ others, I guess!)
– Designer: Oracle JDeveloper (ditto)

SCA – Service Component Architecture (OASIS Standard)

Service Oriented Architecture – ‘Plateau of Productivity’

Page 8: OTM-SOA - By, Mark Hagan


What are Web Services?

Not just an API! Salient points:
– Platform independent (XML everywhere…)
– Transport independent (i.e. not tied to a specific protocol)
– Loosely coupled
– Contract
– Standards (next slide!)

Page 9: OTM-SOA - By, Mark Hagan


What are Web Services?

Gradual emergence of standards
– XML & XSD
– SOAP
– WSDL

[Side note: even W3C gets confused between Web Service Definition Language and Web Services Description Language!]

– Java Platform: JAX-RPC, JAX-WS (initially called JAX-RPC 2.0)

Page 10: OTM-SOA - By, Mark Hagan


Anatomy of a SOAP Message

[Diagram: the SOAP Envelope contains a SOAP Header and a SOAP Body; the Body carries the Message Payload.]

Page 11: OTM-SOA - By, Mark Hagan


Anatomy of a WSDL

[Diagram: a WSDL Definition is made up of Messages, Operations and Ports.]

Page 12: OTM-SOA - By, Mark Hagan


Content

What is SOA?

What is Web Services Security?

Web Services Security in OTM

Futures…

Page 13: OTM-SOA - By, Mark Hagan


Security Before ‘Web Services Security’

Credentials were passed according to the transport protocol
– For example, SOAP over HTTP used the Basic Authentication HTTP header
Encryption required SOAP over HTTPS
It was common to include credentials in the message itself.

– OTM accepted Transmission Header with username/password or username and IP authentication.

Applies to OTM versions from v5.0 to v6.2

Page 14: OTM-SOA - By, Mark Hagan


Web Services Security – WS-Security

OASIS specification of an XML syntax for security-related data in the SOAP Header
Supports different ‘profiles’
– Username Token Profile
– SAML Token Profile
– X.509 Token Profile
– Kerberos Token Profile
– Rights Expression Language (REL) Token Profile

WSS: SOAP Message Security v1.1
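As an added example (not code from the deck or from OTM), the token the Username Token Profile defines, built on the client side and checked on the receiver side, including the PasswordDigest type that the v6.2 and v6.3 slides later mention; `lookup` and the `seen_nonces` replay cache are assumed interfaces.

```python
# Added example (not from the OTM deck): build and verify the WS-Security UsernameToken
# defined by the OASIS Username Token Profile. PasswordDigest = Base64(SHA-1(nonce + created
# + password)); the nonce/Created pair is what lets a receiver reject replayed tokens.
import base64, hashlib, hmac, secrets
from datetime import datetime, timezone
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
FMT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created in UTC, whole seconds (the profile also allows fractions)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def username_token(user, password, digest=True, created=None) -> str:
    """XML for the <wsse:UsernameToken> a client places inside <wsse:Security> in the SOAP Header."""
    nonce = secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(FMT)
    pw = password_digest(nonce, created, password) if digest else escape(password)
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{escape(user)}</wsse:Username>'
            f'<wsse:Password Type="{UTP}{"PasswordDigest" if digest else "PasswordText"}">{pw}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

def verify_token(xml, lookup, seen_nonces, max_skew_seconds=300) -> bool:
    """Receiver side: known user, matching password/digest, fresh Created, unused nonce (lookup(user) -> stored password or None)."""
    root = ET.fromstring(xml)
    expected = lookup(root.findtext(f"{{{WSSE}}}Username"))
    pw_el = root.find(f"{{{WSSE}}}Password")
    if expected is None or pw_el is None:
        return False
    if pw_el.get("Type", UTP + "PasswordText") == UTP + "PasswordText":
        return hmac.compare_digest((pw_el.text or "").encode(), expected.encode())
    nonce_b64 = root.findtext(f"{{{WSSE}}}Nonce")
    created = root.findtext(f"{{{WSU}}}Created")
    if not nonce_b64 or not created or nonce_b64 in seen_nonces:
        return False                                   # no freshness data, or a replayed nonce
    age = datetime.now(timezone.utc) - datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
    if abs(age.total_seconds()) > max_skew_seconds:
        return False                                   # stale or badly clock-skewed token
    good = password_digest(base64.b64decode(nonce_b64), created, expected)
    if not hmac.compare_digest((pw_el.text or "").encode(), good.encode()):
        return False
    seen_nonces.add(nonce_b64)                         # remember the nonce for the skew window
    return True
```

A production receiver would bound the `seen_nonces` cache to the skew window and store passwords in a form that still allows the digest to be recomputed, which is one reason the digest type is less attractive than a transport-protected plain token.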

Page 15: OTM-SOA - By, Mark Hagan


Web Services Policy – WS-Policy

W3C Recommendation for an XML syntax to describe the requirements and capabilities of a web service.
Defines the concept of an ‘assertion’ and how to declare policy alternatives. Examples:
– Security
– Transactions
– Reliable Messaging
– Addressing

WSP: Web Service Policy 1.5 – Framework & Attachment

Page 16: OTM-SOA - By, Mark Hagan


Web Services Security Policy – WS-SecurityPolicy

OASIS specification for WSS-related policy assertions
Service can specify which token profiles are required or supported
Service can specify which transport protocols are required or supported
Declared in the service WSDL

WSSP: WS-SecurityPolicy 1.3

Page 17: OTM-SOA - By, Mark Hagan


WSSP Example – Username Token

Page 18: OTM-SOA - By, Mark Hagan


Content

What is SOA?

What is Web Services Security?

Web Services Security in OTM

Futures…

Page 19: OTM-SOA - By, Mark Hagan


WSS in OTM v6.2 - Inbound

Partial support for Username Token Profile
Full support for HTTP and HTTPS
Not declared in WSDL
Password Digest was initially supported but may be removed

Page 20: OTM-SOA - By, Mark Hagan


WSS in OTM v6.2 - Outbound

Partial support for Username Token Profile
Full support for HTTP and HTTPS
External WSDL is not parsed for WSSP assertions
Password Digest was initially supported but may be removed
Requires settings on Web Service and External System records in OTM.

Page 21: OTM-SOA - By, Mark Hagan


Web Service Manager

Page 22: OTM-SOA - By, Mark Hagan


External System Manager

Page 23: OTM-SOA - By, Mark Hagan


WSS in OTM v6.3 - Inbound

Full support for Username Token Profile (except Password Digest type)
Full support for HTTP and HTTPS
Full support for Message Encryption
Declares security policy in WSDL for inbound services
– Defaults to Username Token over HTTPS
– Policy can be customised

Page 24: OTM-SOA - By, Mark Hagan


Page 25: OTM-SOA - By, Mark Hagan


Custom Policy

Installation deploys a policy file for each web service
– <otm home>/glog/glog_resources/policies/<service name>-Policy.xml
– For example, <otm home>/glog/glog_resources/policies/IntXmlService-Policy.xml
To override default policy – DO NOT EDIT base file
– Create file under configured custom directory, for example <otm home>/glog/glog_resources/custom/policies/IntXmlService-Policy.xml

Page 26: OTM-SOA - By, Mark Hagan


Custom Policy (contd.)

Sample files installed
– otm-default-policy.xml (policy installed by default, currently Username Token over HTTPS)
– otm-Wssp1.2-2007-Https-UsernameToken-Plain.template.xml
– otm-Wssp1.2-2007-UsernameToken-Plain.template.xml
– otm-Wssp1.2-wss10_username_token_with_message_protection_policy.template.xml

Page 27: OTM-SOA - By, Mark Hagan


WSS in OTM v6.3 – Outbound

Full support for Username Token Profile (except Password Digest type)
Full support for HTTP and HTTPS
Full support for Message Encryption
WebLogic Server handles parsing of policy assertions
– Requires additional WebLogic Server administration
All pre-existing outbound Web Services defined in OTM will operate according to v6.2 logic, i.e. will not automatically have access to v6.3 capability

Page 28: OTM-SOA - By, Mark Hagan


WSS in OTM v6.3 – Outbound (contd.)

WSDL Document content needs to be a URL
Existing records would not contain any WS-Policy details and so need to be reloaded.
Use of Message Encryption requires additional administration tasks.
– Storage of external X.509 Certificate in WebLogic keystore
– New Web Service Security Configuration via Console (or config.xml)
– Configure OTM property to match keystore alias to service endpoint

glog.webservice.pki.alias.myalias=https://myserver/services/myEncryptionService

Page 29: OTM-SOA - By, Mark Hagan


WSS in OTM v6.3 – Outbound (contd.) Credential Mapping

Page 30: OTM-SOA - By, Mark Hagan


Content

What is SOA?

What is Web Services Security?

Web Services Security in OTM

Futures…

Page 31: OTM-SOA - By, Mark Hagan


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 32: OTM-SOA - By, Mark Hagan


Future…

Support for additional WSS profiles
– SAML Token
– X.509 Token
Split GLogXML.xsd schema
Namespace Versions
Ability to attach ‘client’ policy override to outbound services
Policy attachment via WebLogic Console and/or Deployment tools

Page 33: OTM-SOA - By, Mark Hagan


Glossary

Term      Description
OASIS     Organization for the Advancement of Structured Information Standards
XSD       XML Schema Definition
WSS       Web Services Security
SAML      Security Assertion Markup Language
X.509     ISO/IETF standard format for Public Key certificates
JAX-RPC   Java API for XML-based RPC (Remote Procedure Call)
JAX-WS    Java API for XML-based Web Services (successor to JAX-RPC)

Page 34: OTM-SOA - By, Mark Hagan


References

OTM Documentation Library – http://docs.oracle.com/cd/E38437_01/otm/html/docset.html (Administration Guide, Integration Guide and Security Guide)
OASIS Home – https://www.oasis-open.org/standards
WSS – https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
WSSP – http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
W3C WSDL – http://www.w3.org/TR/#tr_WSDL
WSP – http://www.w3.org/TR/#tr_Web_Services_Policy
