OTM and SOA
Mark Hagan
Principal Software Engineer Oracle Product Development
Content
What is SOA?
What is Web Services Security?
Web Services Security in OTM
What is SOA?
Term originated from IBM Web Services work in 2000?
A million and one attempts to produce a ‘catchy’ paragraph; the recurring themes are
– Strategy (both IT and Business)
– Services
– Interoperable
– Standards
SOA Evolution
Not just about enabling a legacy application to be called as a web service.
High level business process design
SOA Maturity Model
Availability of tools
– Server: Oracle SOA Suite (+ others, I guess!)
– Designer: Oracle JDeveloper (ditto)
SCA – Service Component Architecture (OASIS Standard)
What are Web Services?
Not just an API!
Salient points
– Platform independent (XML everywhere…)
– Transport independent (i.e. not tied to a specific protocol)
– Loosely coupled
What are Web Services?
Gradual emergence of standards
– XML & XSD
– SOAP
– WSDL
[Side note: even W3C gets confused between Web Service Definition Language and Web Services Description Language!]
– Java Platform: JAX-RPC (since superseded by JAX-WS)
Anatomy of a SOAP Message
– SOAP Envelope (the root element)
– SOAP Header (optional; this is where WS-Security data is carried)
– SOAP Body
Anatomy of a WSDL
– Definitions
– Messages
– Operations (grouped into port types)
– Ports (grouped into services)
Security Before ‘Web Services Security’
Credentials were passed according to the transport protocol
– For example, SOAP over HTTP used the HTTP Basic Authentication header
Encryption required SOAP over HTTPS
– Transport-level only: the message is protected hop by hop, and is in clear wherever it is stored or forwarded beyond the TLS connection
Commonly, credentials were included in the message itself.
– OTM accepted a Transmission Header carrying username/password, or username plus IP-address authentication.
Web Services Security – WS-Security
OASIS specification of an XML syntax for carrying security-related data (security tokens, XML Signatures and XML Encryption) in the SOAP Header
Supports different ‘profiles’, one per token type
– Username Token Profile
– SAML Token Profile
– X.509 Token Profile
– Kerberos Token Profile
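The Username Token Profile is the one OTM supports, so here is what the SOAP Header described above looks like when it carries one, in both the PasswordText and PasswordDigest forms, together with the checks a receiving service has to make. This is an added example, not OTM or WebLogic code: the Password_Digest formula (Base64 of SHA-1 over nonce, Created and password) is the one from the OASIS profile, while the credential store, the fixed clock, the `Ping` body and the `otm.user` account are constructed for the demo.

```python
"""WS-Security UsernameToken in a SOAP 1.1 envelope: build (client) and verify (server).

Added example, not OTM or WebLogic code. PasswordText carries the password in
clear (acceptable only over HTTPS); PasswordDigest carries
Base64(SHA-1(nonce + created + password)). Credential store, clock and body
are constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"
NONCE_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, body_xml, use_digest=True, created=None, nonce=None):
    """Client side: Envelope with a mustUnderstand wsse:Security header and a Body."""
    created = created or datetime.now(timezone.utc).strftime(TS_FORMAT)
    nonce = nonce or secrets.token_bytes(16)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if use_digest:
        pw.set("Type", PASSWORD_DIGEST)
        pw.text = password_digest(nonce, created, password)
        n = ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": NONCE_B64})
        n.text = base64.b64encode(nonce).decode("ascii")
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    else:
        pw.set("Type", PASSWORD_TEXT)  # password in clear: HTTPS only
        pw.text = password
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: password/digest check, Created freshness window, nonce replay cache.
    The cache is an in-memory set; a real service expires entries after max_age."""

    def __init__(self, passwords, max_age=timedelta(minutes=5), now=None):
        self.passwords = passwords  # {username: password}, constructed store
        self.max_age = max_age
        self.now = now              # fixed clock for tests; None means wall clock
        self.seen_nonces = set()

    def verify(self, envelope_xml):
        root = ET.fromstring(envelope_xml)
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        if user not in self.passwords or pw_el is None:
            return False, "unknown user or missing Password"
        expected = self.passwords[user]
        ptype = pw_el.get("Type", PASSWORD_TEXT)  # the profile's default when Type is absent
        if ptype == PASSWORD_TEXT:
            ok = hmac.compare_digest((pw_el.text or "").encode(), expected.encode())
            return ok, ("ok" if ok else "bad password")
        if ptype != PASSWORD_DIGEST:
            return False, "unsupported Password Type"
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if not nonce_b64 or not created:
            return False, "digest without Nonce/Created"
        try:
            created_dt = datetime.strptime(created, TS_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "unparseable Created"
        now = self.now or datetime.now(timezone.utc)
        if abs(now - created_dt) > self.max_age:
            return False, "Created outside freshness window"
        if nonce_b64 in self.seen_nonces:
            return False, "nonce replayed"
        calc = password_digest(base64.b64decode(nonce_b64), created, expected)
        if not hmac.compare_digest((pw_el.text or "").encode(), calc.encode()):
            return False, "bad digest"
        self.seen_nonces.add(nonce_b64)  # record only after a successful check
        return True, "ok"


def demo():
    """Constructed scenario at a fixed clock: valid digest, its replay, wrong password, plaintext, stale."""
    clock = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"otm.user": "s3cret"}, now=clock)
    body = "<Ping xmlns='urn:example'/>"
    fresh = build_envelope("otm.user", "s3cret", body, created="2024-01-01T00:00:00Z", nonce=b"0123456789abcdef")
    return {
        "first": v.verify(fresh),
        "replay": v.verify(fresh),
        "wrong": v.verify(build_envelope("otm.user", "guess", body, created="2024-01-01T00:00:00Z", nonce=b"fedcba9876543210")),
        "plain": v.verify(build_envelope("otm.user", "s3cret", body, use_digest=False)),
        "stale": v.verify(build_envelope("otm.user", "s3cret", body, created="2023-12-31T23:00:00Z")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:6} -> {result}")
```

The digest form only proves possession of the password without sending it, so it is worth something over plain HTTP; but it still needs the server to hold the password in a recoverable form, and a replay window of a few minutes plus a nonce cache is essential. The PasswordText form is only ever acceptable over HTTPS.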
Web Services Policy – WS-Policy
W3C Recommendation for an XML syntax to describe the requirements and capabilities of a web service.
Defines the concept of an ‘assertion’ and how to declare policy alternatives. Example assertion domains:
– Security
– Transactions
– Reliable Messaging
– Addressing
Web Services Security Policy – WS-SecurityPolicy
OASIS specification for WSS-related policy assertions
Service can specify which token profiles are required or supported
Service can specify which transport protocols are required or supported
Declared in the service WSDL (attached to the binding, port or operation through a WS-Policy reference)
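What a client actually has to do with a WSDL that carries WS-SecurityPolicy, as an added example (not OTM or WebLogic code): resolve the policy reference on the binding, normalise the policy into its alternatives (wsp:Policy and wsp:All combine assertions, wsp:ExactlyOne offers a choice), summarise the security assertions of each alternative, and pick one. The WSDL is constructed; its policy is written in the shape of a UsernameToken-over-HTTPS policy with a second, HTTP-only alternative, which is an assumption about how such policies look rather than a copy of any product template.

```python
"""Read WS-SecurityPolicy assertions out of a WSDL's WS-Policy attachment.

Added example, not OTM or WebLogic code. The WSDL and policy below are
constructed. Namespaces are WS-Policy 1.5 and WS-SecurityPolicy 1.2.
"""
import itertools
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def q(ns, local):
    return f"{{{ns}}}{local}"


def alternatives(node):
    """WS-Policy normal form: a list of alternatives, each a list of top-level assertion elements.
    Policy/All combine their children (cartesian product); ExactlyOne offers a choice;
    wsp:Optional="true" on an assertion is shorthand for ExactlyOne(assertion, nothing)."""
    if node.tag in (q(WSP, "Policy"), q(WSP, "All")):
        alts = [[]]
        for child in node:
            alts = [a + b for a, b in itertools.product(alts, alternatives(child))]
        return alts
    if node.tag == q(WSP, "ExactlyOne"):
        return [alt for child in node for alt in alternatives(child)]
    if node.tag == q(WSP, "PolicyReference"):
        raise ValueError("nested PolicyReference not handled by this example")
    return [[node], []] if node.get(q(WSP, "Optional")) == "true" else [[node]]


def describe(alternative):
    """Summarise one alternative by the WS-SecurityPolicy assertions it contains (nested included)."""
    tags = {el.tag for assertion in alternative for el in assertion.iter()}
    return {
        "https": q(SP, "HttpsToken") in tags,            # TransportBinding over TLS
        "username_token": q(SP, "UsernameToken") in tags,
        "wss10": q(SP, "WssUsernameToken10") in tags,
        "timestamp": q(SP, "IncludeTimestamp") in tags,
    }


def binding_policies(wsdl_xml):
    """Map each wsdl:binding name to the summaries of the alternatives of its attached policy."""
    root = ET.fromstring(wsdl_xml)
    by_id = {p.get(q(WSU, "Id")): p for p in root.iter(q(WSP, "Policy")) if p.get(q(WSU, "Id"))}
    result = {}
    for binding in root.iter(q(WSDL, "binding")):
        for ref in binding.findall(q(WSP, "PolicyReference")):
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in by_id:
                raise ValueError(f"unresolved policy reference {uri!r}")
            result[binding.get("name")] = [describe(a) for a in alternatives(by_id[uri[1:]])]
    return result


def choose(summaries):
    """Client-side choice: index of the first alternative that protects the UsernameToken with HTTPS."""
    for i, s in enumerate(summaries):
        if s["https"] and s["username_token"]:
            return i
    return None  # nothing acceptable: refuse rather than fall back to a password over plain HTTP


# Constructed WSDL: one binding whose policy offers UsernameToken over HTTPS or over plain HTTP.
SAMPLE_WSDL = """<wsdl:definitions name="IntXmlService" targetNamespace="urn:example:otm"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:example:otm"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="UsernameTokenPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding><wsp:Policy>
          <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
          <sp:IncludeTimestamp/>
        </wsp:Policy></sp:TransportBinding>
        <sp:SupportingTokens><wsp:Policy>
          <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
        </wsp:Policy></sp:SupportingTokens>
      </wsp:All>
      <wsp:All>
        <sp:SupportingTokens><wsp:Policy>
          <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
        </wsp:Policy></sp:SupportingTokens>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsdl:binding name="IntXmlServiceBinding" type="tns:IntXmlServicePortType">
    <wsp:PolicyReference URI="#UsernameTokenPolicy"/>
  </wsdl:binding>
</wsdl:definitions>"""

if __name__ == "__main__":
    summaries = binding_policies(SAMPLE_WSDL)["IntXmlServiceBinding"]
    for i, s in enumerate(summaries):
        print(i, s)
    print("use alternative", choose(summaries))
```

The point of `choose` is the practitioner's caveat: a policy may legitimately offer a plaintext-over-HTTP alternative, and a client that picks the first alternative it can satisfy will send the password in clear. Pick on security properties, not on position, and fail closed when nothing acceptable is offered.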
WSS in OTM v6.2 – Inbound
Partial support for Username Token Profile
Full support for HTTP and HTTPS
Security policy not declared in the WSDL
WSS in OTM v6.2 – Outbound
Partial support for Username Token Profile
Full support for HTTP and HTTPS
External WSDL is not parsed for WS-SecurityPolicy assertions
Password Digest was initially supported but may be removed
Requires settings on the Web Service and External System records in OTM.
WSS in OTM v6.3 – Inbound
Full support for Username Token Profile (except Password Digest type)
Full support for HTTP and HTTPS
Full support for Message Encryption
Declares security policy in the WSDL for inbound services
– Defaults to Username Token over HTTPS
– Policy can be customised
Custom Policy
Installation deploys a policy file for each web service
– <otm home>/glog/glog_resources/policies/<service name>-Policy.xml
– For example, <otm home>/glog/glog_resources/policies/IntXmlService-Policy.xml
To override the default policy – DO NOT EDIT the base file
– Create a file of the same name under the configured custom directory, for example
<otm home>/glog/glog_resources/custom/policies/IntXmlService-Policy.xml
Custom Policy (contd.)
Sample files installed
– otm-default-policy.xml
policy installed by default (currently Username Token over HTTPS)
– otm-Wssp1.2-2007-Https-UsernameToken-Plain.template.xml
– otm-Wssp1.2-2007-UsernameToken-Plain.template.xml
(‘Plain’ means a plaintext password in the token; the second template carries no HTTPS requirement, so with it the password travels in clear over HTTP unless the transport is protected by other means)
WSS in OTM v6.3 – Outbound
Full support for Username Token Profile (except Password Digest type)
Full support for HTTP and HTTPS
Full support for Message Encryption
WebLogic Server handles parsing of policy assertions
– Requires additional WebLogic Server administration
All pre-existing outbound Web Services defined in OTM will operate according to v6.2 logic, i.e. they will not automatically have access to v6.3 capability
WSS in OTM v6.3 – Outbound (contd.)
The WSDL document for the external service must be supplied as a URL
Existing Web Service records would not contain any WS-Policy details and so need to be reloaded.
Use of Message Encryption requires additional administration tasks.
– Storage of the external system’s X.509 certificate in the WebLogic keystore
– New Web Service Security Configuration via the Console (or config.xml)
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Future…
Support for additional WSS profiles
– SAML Token
– X.509 Token
Split GLogXML.xsd schema
Namespace versions
Glossary
OASIS – Organization for the Advancement of Structured Information Standards
XSD – XML Schema Definition
WSS – Web Services Security
SAML – Security Assertion Markup Language
X.509 – ITU-T (ISO/IEC 9594-8) standard format for public key certificates, profiled for the Internet by the IETF in RFC 5280
JAX-RPC – Java API for XML-based RPC (Remote Procedure Call)
References
OTM Documentation Library – http://docs.oracle.com/cd/E38437_01/otm/html/docset.html (Administration Guide, Integration Guide and Security Guide)
OASIS Home – https://www.oasis-open.org/standards
WSS – https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
WSSP – http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html
W3C WSDL – http://www.w3.org/TR/#tr_WSDL
WSP – http://www.w3.org/TR/#tr_Web_Services_Policy