Yes, Oracle API Gateway Can Protect Your Web Application, Too by Marcelo Parisi

 

This article by Marcelo Parisi examines basic concepts of web application security using Oracle API Gateway, using an XSS Injection issue and an SQL Injection issue to demonstrate how Oracle API Gateway can bring value to these scenarios.

The topic of web application security never gets old. Some of the main associated challenges are related to the detection and prevention of XSS Injection and SQL Injection. Such vulnerabilities are usually exploited through web application URL parameters or user input fields in HTML forms.

While Oracle API Gateway has been used mainly to protect Web Services, RESTful APIs and other kinds of services, its filtering and hardening mechanisms make it a powerful tool in a web application protection scenario.

In this article we’ll examine some basic concepts of web application security using Oracle API Gateway. We’ll work on an XSS Injection issue and on an SQL Injection issue to demonstrate how Oracle API Gateway can bring value to these scenarios.

The applications used here to demonstrate the issues were custom made for this article and are deployed in an Oracle WebLogic Server 12c environment with no clustering. The SQL Injection demonstration application uses a datasource connected to an Oracle Database 11gR2; it reads data from a simple three-column table in the database and prints it to the screen. The XSS Injection application simply prints the value of the user’s form input field to the screen. These applications have no real-life use and are only code samples for demonstration purposes.

We’ll not be covering infrastructure installation in this article. We’ll be using two servers, one with Oracle API Gateway installed on it, and the other one with the application running on Oracle WebLogic Server 12c.

Infrastructure

As mentioned before, building the infrastructure is out of this document’s scope. In this section we’ll just see what the infrastructure used to demonstrate the concepts looks like. Read the complete article here.

SOA & BPM Partner Community

For regular information on Oracle SOA Suite, become a member of the SOA & BPM Partner Community; for registration, please visit www.oracle.com/goto/emea/soa (OPN account required). If you need support with your account, please contact the Oracle Partner Business Center.


API Gateway (OAG) : Concept & marriage with SOA & Mobile by Sudipto Desmukh


Oracle API Gateway is a standards-based, policy-driven, standalone software security solution that provides a first line of defense in Service-Oriented Architecture (SOA) environments.

It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA Services by bridging the gaps and managing the interactions between all relevant systems.

Oracle Web Services Manager (OWSM) is generally used for application-level security of a particular service, while many customers have use cases around DMZ or perimeter security for web services. This product serves as a part of the enterprise security solution.

This would typically be for customers needing access to web services from the internet, similar to how we access a web application. OAG can perform a lot of validations and route the requests only once those checks have passed. This may also be a typical use case for mobile applications that use REST web services at the backend.

I have seen a strong value in this security product for all SOA and Mobile projects.

Here’s a high-level request flow:

There are many advantages that OAG can provide:

–   Authentication and Authorization (leverages existing LDAP directories such as AD, or existing IDM platforms such as RSA AM, CA SiteMinder and Oracle Access Manager)

Read the complete article here.


Implementing Oauth2.0 with Oracle Api Gateway 11.1.2.3.0 with 2 nodes by Marcelo França

Introduction

Recently I participated in a project with Oracle API Gateway that uses OAuth 2.0 to authenticate and authorize partners calling some APIs. The flow is simple: the partner calls the OAG with a POST containing the client ID and client secret, and receives the access token with its scopes in return. This worked well in the Development environment with a single-node Gateway, but when it ran in the UAT environment with a two-node Gateway, the nodes not being on the same machine, the client reaches node 1, everything goes well and OAG/OAuth can authenticate the user. On node 2, however, OAG can’t find the OAuth client_id and the authorization is denied.

Oracle API Gateway by default installs and uses a Cassandra database to store the tokens, authorization codes and clients used for authorization. When the gateway is distributed across two nodes, a shared structure is required to store this information. This article describes how to create that shared structure using the Oracle Database.

Tested Environment Requirements

OAG-11.1.2.3.0

· oagpolicystudio

· apigateway server

Firefox plugin

· HttpRequester

Oracle Database Express Edition 11g Release 2

Environment setup

1 – Run the scripts found in the path:

OAG_HOME/apigateway/system/conf/sql/Oracle

· kps.sql

· oauth-client.sql

· oauth-server.sql

2 – Change the Policy Studio parameter that shows internal KPS collections

Edit the file OAG_HOME/oagpolicystudio/policystudio.ini and add the following line at the end of the file:

-Dshow.internal.kps.collection=true

3 – Create a database connection

Start the Policy Studio tool, connect to gateway 1, go to the “Database connections” tab and create a new database connection named “OAuth KPS Database”.


URL: jdbc:oracle:thin:@myenvironment:1521:xe. Then click Test Connection; you should see “Test Connection OK”.

4 – Change the OAuth Data Sources

4.1 – Go to Key Property Stores > OAuth, open the Data Sources tab and click Add


4.2 – Select the Database option, enter the name “OAuth KPS Connection”, for Database connection choose the value created in step 3, “OAuth KPS Database”, and click OK.


4.3 – Back on the Properties tab, for the “Default Data Source” option select the item created in the previous step, “OAuth KPS Connection”, then click Save.


5 – Change the API Server Data Sources

Repeat steps 4.1, 4.2 and 4.3 for the “API Server” item.


6 – Alter the OAuth Stores

Go to Libraries > OAuth2 Stores > Access Token Stores > OAuth Access Token Store, click Edit on “Access Token Store”, select “Store in a database” and choose the item “OAuth KPS Database”.


7 – Repeat step 6 for the items below:

· Libraries > OAuth2 Stores > Authorization Code Stores > Authz Code Store

· Libraries > OAuth2 Stores > Client Access Token Stores > OAuth Client Access Token Store

8 – Test the configuration: open Firefox and go to the HttpRequester plugin.

8.1 – Get a token from server 1.

Call the service https://server1:port/api/oauth/token with the following POST body:

grant_type=client_credentials&client_id=SamplePublicApp&client_secret=3b001542-e348-443b-9ca2-2f38bd3f3e84&format=xml


8.2 – Check the token info on server 2.

Call the service https://server2:port/api/oauth/tokeninfo with the token obtained in step 8.1:

access_token=Ux1PtRGmySxZ1nf1mUD2oJNqxbQ4E7ETTzKUfiHwxhwo49wutLRwMS


Conclusion

Now we are able to use Oracle API Gateway with two or more nodes sharing the same database repository.
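To make the failure mode behind step 8 concrete, here is an added simulation (my code, not Oracle API Gateway’s; GatewayNode, TokenStore and the client secret are constructed stand-ins) of a token issued on server1 and checked on server2, first with a separate store per node and then with one shared store.

```python
"""Two-node OAuth store simulation (constructed example, not OAG code); TokenStore = KPS backing store."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    clients: dict = field(default_factory=dict)  # client_id -> (secret_hash, scopes)
    tokens: dict = field(default_factory=dict)   # access_token -> (client_id, scopes)


def _hash(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


class GatewayNode:
    def __init__(self, name, store):
        self.name, self.store = name, store

    def register_client(self, client_id, client_secret, scopes):
        # Stand-in for the OAuth client registered in Policy Studio (lands in this node's store)
        self.store.clients[client_id] = (_hash(client_secret), tuple(scopes))

    def token(self, grant_type, client_id, client_secret):
        """POST /api/oauth/token with the client_credentials grant (step 8.1)."""
        rec = self.store.clients.get(client_id)
        ok = rec is not None and hmac.compare_digest(rec[0], _hash(client_secret))
        if grant_type != "client_credentials" or not ok:
            return {"error": "invalid_client"}
        tok = secrets.token_urlsafe(40)
        self.store.tokens[tok] = (client_id, rec[1])
        return {"access_token": tok, "token_type": "Bearer", "scope": " ".join(rec[1])}

    def tokeninfo(self, access_token):
        """GET /api/oauth/tokeninfo (step 8.2): needs token and client in this node's store."""
        rec = self.store.tokens.get(access_token)
        if rec is None:
            return {"error": "invalid_token", "node": self.name}
        if rec[0] not in self.store.clients:
            return {"error": "invalid_client", "node": self.name}
        return {"client_id": rec[0], "scope": " ".join(rec[1]), "node": self.name}


def two_node_flow(shared):
    """Issue a token on server1 and look it up on server2, per-node or shared stores."""
    store1 = TokenStore()
    store2 = store1 if shared else TokenStore()  # shared: both nodes use one database
    node1, node2 = GatewayNode("server1", store1), GatewayNode("server2", store2)
    node1.register_client("SamplePublicApp", "constructed-secret", ["resource.READ"])
    issued = node1.token("client_credentials", "SamplePublicApp", "constructed-secret")
    return node2.tokeninfo(issued["access_token"])
```

With per-node stores server2 has neither the client nor the token and rejects the request; with the shared store the same token validates on either node.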


 

Marcelo Gimenes França

Senior Consultant

Oracle LAD Consulting


Building a Scalable, Highly Available Oracle API Gateway 11g Infrastructure in a Cloud Environment by Marcelo Parisi

Introduction

One of the major challenges that companies face in adopting a cloud computing platform is the secure provisioning of services in the cloud. Oracle API Gateway (OAG) 11g can be a very powerful tool in this sense, since it focuses on service protection, with authentication mechanisms, message encryption, and security/policy functionalities.

In this article, we will see how to create a cloud-based OAG infrastructure, with high-availability and scalability support. Both high-availability and scalability operations will be covered here. We’ll be using virtual machines (VMs) and storage concepts, along with OAG and Oracle Traffic Director (OTD). While a physical load balancer will also be necessary, its configuration is beyond the scope of this article.

The service infrastructure—Oracle SOA Suite, Oracle Service Bus or any other kind of service provider environment that needs to be exposed in a secure manner through the environment we’ll be building—will also not be covered in this article.

This article assumes a Network File System (NFS) v4 and Network Information Service/Lightweight Directory Access Protocol (NIS/LDAP) compliant environment. If you don’t support that, the article will indicate the changes needed so that you can run on an NFSv3 environment without NIS/LDAP.

There is no capacity planning or sizing work done in this article. The number of CPUs, the memory and the filesystem sizes are all just for demonstration purposes and should be revisited in a production environment.

OAG and OTD documentation should always be consulted. This document is not intended to replace any of the product’s official documentation.

Finally, please note that OTD is supported only in Exalogic environments.

Infrastructure Architecture

In this article, we’re going to build a brand new infrastructure from scratch to support this environment. We’ll consider two VMs for OTD and, initially, three VMs for OAG, one of them for administration purposes only. The environment infrastructure architecture will resemble the architecture in Figure 1, below:

As you can see, we have high availability on both the OTD layer and the OAG layer. Both layers are scalable either horizontally or vertically. This article discusses scalability only on the OAG layer.

We’re going to create five VMs—three for OAG, with Oracle Linux 5.6; two with Oracle Linux 6.6 for OTD. I suggest using VM Templates or cloning to make this task easier. The VMs’ configuration should resemble the table in Figure 2, below: Read the complete article here.
