Securing Web Services in a SOA
Ganesh Kirti, Roger Sullivan, Oracle Corporation
“This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

Agenda for Today
- Introduction to a Service Oriented Architecture
- Security in Service Oriented Architectures (SOA)
- Q & A

Service Oriented Architectures

Customer Needs
- Optimize Processes & Applications to Change
- Share Information & Collaborate Productively
- Build Flexible, Adaptable Applications
- Take Decisions with Better Quality Information
- Lower Technology Costs
- Secure Access & Reduce Risks

Technology Needs
- Applications Meet Business Needs: develop modular, configurable business applications
- Respond to Market Dynamics: design, monitor, optimize flexible business processes
- Take Better Business Decisions: deliver consolidated, actionable information in real time
- Share Information & Collaborate: connect people, processes, systems in collaborative workplaces
- Secure Access & Reduce Risks: secure access to all business applications, processes and data
- Lower Cost of Ownership: deploy on low cost hardware & manage across the lifecycle

Fusion Middleware
- Modular & Configurable Applications: SOA, Faces, EJB
- Flexible Business Processes: WSIF, ESB, BPEL
- Actionable Business Intelligence: Hubs, BI, BAM
- Enhanced Employee Productivity: Portals, Mobile, Collaboration
- Lowest TCO: Grid, Systems Mgmt
- Enhanced Security & Compliance: Identity Mgmt, Web Services Mgmt

Web Services and Service Oriented Architectures

Web Services Security and Management Concerns
- Security
  - “We have many web services exposed to the internet now”
  - “Only valid partners may access our web services”
- Exception Handling
  - “Notify operations if a transaction stalls”
  - “Send any incomplete orders to customer service for fixing”
- Compliance and Consistency
  - “All customer orders must be encrypted with 128 bit keys”
  - “All XML messages must follow this format”
- Service Level Monitoring
  - “The order system must process transactions in under 2 seconds”
  - “If uptime falls below 98% we owe contract penalties”

Security for an SOA?
[Diagram: the BPEL loan-processing flow used as the running example. start → Get Rating (Credit Rating service) → Send Loan Application / Receive Loan Offer, once to United Loan and once to Star Loan → Select Lowest Offer → end, with a Handle Negative Credit Exception branch. The question mark asks where security fits in this flow.]

What’s Missing?
[Same BPEL flow diagram, annotated with the gaps listed below.]
1. Anyone who can access the server can initiate loan applications
2. SSN sent in clear text
3. Callback has to go through the firewall
4. How can I be sure no other sensitive data is unprotected?

Security for an SOA
1. Security: Role-based access control
2. Security: Auto-encryption of SSN in XML message
3. Management: Service virtualization in DMZ
4. Management: System-wide service auditing

Security for an SOA: WS- Security  Authentication – Security Tokens & References – OASIS Token Profiles  UsernameToken  BinarySecurityToken (X509, Kerberos)  Integrity – W3C XML Signature Standard – Signing by Parts (Element level) – Canonicalization for signature verification – Non-repudiation

Security for an SOA: WS- Security  Confidentiality – W3C XML Encryption Standard – Support for standard Key Exchange Mechanisms – Encryption by Parts (Element level)  Threats – Replay Attacks (Timestamps) – Substitution Attacks (Signing References) – XML Injections (Validation)

Security for an SOA: Transport Security
- Authentication
  - HTTP basic / digest authentication / digital certificate (HTTPS)
- Confidentiality, integrity
  - Secure Sockets Layer (SSL), now Transport Layer Security (TLS)
  - Virtual Private Network (VPN)
- Transport security protects a message only between two hops; once an intermediary (gateway, ESB, queue) terminates the connection, only message-level WS-Security still protects it end to end

Security for an SOA: Developer Toolkits
- JDeveloper and OC4J
  - Declarative security
  - WS-Security 1.0
  - Identity Management Association
- Oracle Web Services Manager
  - Agents, gateways, management console

Security for an SOA: Oracle Web Services Manager  Intercept SOAP messages and apply policies to pre-request, request, response and post-response.  Flexible enforcement point deployment architecture as proxy or for endpoint-level security.  Pre-packaged security steps.  Leverage existing IdM for authentication and authorization.

Security for an SOA: Oracle Web Services Manager (pre-packaged policy steps)
- Authentication: Active Directory Authenticate, File Authenticate, LDAP Authenticate, LDAP Certificate Authenticate, COREid Authenticate, SiteMinder Authenticate, Verify Certificate, Verify Signature
- Authorization: COREid Authorize, Active Directory Authorize, File Authorize, LDAP Authorize, SiteMinder Authorize
- Credential Management: Extract Credentials, Insert WSBASIC Credentials
- Transport-specific QoS: HTTP Messenger, MQ Messenger, JMS Messenger
- WS-Security: Decrypt and Verify Signature, Sign Message, Sign Message and Encrypt, XML Decrypt, XML Encrypt
- SAML 1.0 and 1.1: SAML Copy Token, SAML Insert Token, SAML Save Token, SAML Validate Token, SAML 1.1 Assertion
- Others: Content-based routing, XML Transform, Logging, Data gathering (SLA, Metering)

[Diagram: a Web Service Client sends a SOAP Request through a Policy Gateway (a proxy in front of the services) and on to Policy Agents embedded at the endpoints; each enforcement point applies its own policy.]

Security for an SOA: Oracle Web Services Manager
[Diagram: the loan flow from start through Get Rating to the Credit Rating service, with the Handle Negative Credit Exception branch. An OWSM Gateway in front of the Credit Rating service requires authentication and authorization; an OWSM Agent on the calling side encrypts the SSN and adds a Username Token.]

Security for an SOA: Oracle Web Services Manager
Web-based tool for building policies and managing policy distribution to gateways and agents
1) Building policies
  - Pick from a library of pre-built policy steps, e.g. LDAP authorization, LDAP authentication, encrypt, decrypt, verify certificate, verify signature, route message, transform, etc.
  - Visually string steps together into a policy pipeline; run the pipeline for all services, a specific service, or a subset
  - Pre-request, request, response, post-response pipelines
2) Distributing policies
  - Gateway/agent pull
  - Track and manage versions

Security for an SOA: Oracle Web Services Manager  Automatically upload the pipeline into the WSM Agent or Gateway responsible for controlling that service  Custom policies can be added and made available to administrators through this same interface  Enforces both enterprise-wide and local best practices Use Oracle WSM Policy Manager to configure the set of operational polices (pipeline) you want enforced for a given service

Security for an SOA: Oracle Web Services Manager
Real-time visibility into Web Service interactions
- Automates operational issue resolution by dynamically updating policies
- Proactively alerts about anomalies
- Enforces policies based on real-time monitoring data
- Validates compliance with IT best practices

[Diagram: the complete loan flow with OWSM in place. The BPEL flow (start → Get Rating → Send Loan Application / Receive Loan Offer for United Loan and for Star Loan, with a Loan Offer received at 03:00pm → Select Lowest Offer → end, plus Handle Negative Credit Exception) is shown with Encrypt, Decrypt and Authenticate/Authorize steps applied to the Loan Application and Loan Offer messages, a PeopleSoft Add Customer call, and the Policy Manager and Monitor components overseeing all of it.]

Q & A