Fusion Middleware WebService Security whitepaper by Michel Schildmeijer

 


Building an Oracle Fusion Middleware Platform at customers, with various products such as SOA Suite, OSB or any other product, forces you to think about security integration and implementation.

In this whitepaper, I cover a basic scenario to think of and tell you how you can start securing web services making use of Oracle Web Service Manager. There’s also an explanation about how these scenarios fit in your Oracle Fusion Middleware Infrastructure. Get the whitepaper here.

SOA & BPM Partner Community

For regular information on Oracle SOA Suite, become a member of the SOA & BPM Partner Community. For registration, please visit www.oracle.com/goto/emea/soa (OPN account required). If you need support with your account, please contact the Oracle Partner Business Center.


Protecting Sensitive Data in Oracle SOA Suite 12c by Jennie DeRosa


Given the recent security breaches, data security should always be a concern when designing and creating IT solutions. In particular, what are some considerations that should be made when implementing a solution within the Oracle SOA Suite? Is it sufficient to protect the data using WS-Security/SSL or is additional security needed? If you have sensitive data traversing through the SOA Suite then additional security must be considered.

As noted within the National Institute of Standards and Technology (NIST) publication, ‘to appropriately protect the confidentiality of personally identifiable information (PII), organizations should use a risk-based approach’. To understand what is considered PII, or sensitive data, along with recommendations to protect PII, read Guide to Protecting the Confidentiality of Personally Identifiable Information.

WS-Security and SSL will only protect data outside a SOA composite or Service Bus. Once the data hits either one of these, it is viewable in clear text within audit trails, the console or logs. This means sensitive data is viewable within the console and log, and is therefore unencrypted at rest. An example of this is shown below. Anyone with access to EM (Enterprise Manager) could view the sensitive data just by opening the audit trail of a process. Read the complete article here.


API Catalog to Simplify API Management By Mala Ramakrishnan

 

Oracle is extending its API Management solution with a new product, API Catalog. This will give customers the ability to simplify the publication of API services that are developed in Oracle SOA Suite and other sources. Oracle API Catalog will be part of Oracle’s broader API Management solution portfolio. Oracle API Catalog also integrates seamlessly with the Oracle Mobile Suite portfolio of products for mobile enablement. Oracle API Catalog harvests services in Oracle Fusion Middleware to allow one-click publish, submit ratings, or manage re-use across other consuming applications. Oracle’s API Catalog is SOAP as well as REST/JSON compliant to easily support mobile applications.


Here is a validation by one of our beta customers Peter Osborne, IT Technical Lead at LG&E and KU Services Company: "The Oracle API Catalog is a straightforward, easy-to-use governance tool for capturing what services exist, what these services do, and how they can be consumed. Within hours of installation, an organization can begin cataloging their SOAP and REST web services, regardless of the underlying service technology. The harvesting functionality provides a jump start on aggregating service details, while minimizing manual data entry and the risk of duplication and error. Finally, the included JDeveloper plug-in completes the lifecycle by providing a mechanism within JDeveloper to easily view and consume documented services."

To find out more information on Oracle API Catalog, visit us: Website and explore our Datasheet.

Thanks to Andre, Lucas and Luis for the first community feedback. Send us your feedback via twitter @soacommunity #APIcatalog12c & #OER12c

André Evensen @anevensen · 2 hours ago

Harvesting services from WSDLs and publishing to #APIcatalog12c, works like a charm. @soacommunity #OracleSOA


André Evensen @anevensen · 8 hours ago

Newly released #APIcatalog12c installed on SOA Suite 12c. Next: Harvesting services! @soacommunity #OER12c


Luis Augusto Weir @Luisw19 · 10 hours ago

Publish your #API in minutes with #OAC new killer tool to manage APIs @soacommunity @oracleace @OTNArchBeat http://tinyurl.com/oac12c

Lucas Jellema @lucasjellema · 11 hours ago

Oracle Enterprise Repository 12c is available for download at http://www.oracle.com/technetwork/middleware/repository/overview/index.html … – including the brand new API Catalog @soacommunity


Critical Patch Update Advisory includes SOA Suite & BPM Suite – January 2015

Oracle Critical Patch Update Advisory – January 2015

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

Affected Products and Versions include the following Fusion Middleware solutions:

Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.2.1, 11.1.2.2, 12.1.2, 12.1.3
Oracle Access Manager, version(s) 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
Oracle Adaptive Access Manager, version(s) 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
Oracle BI Publisher, version(s) 10.1.3.4.2, 11.1.1.7
Oracle Business Intelligence Enterprise Edition, version(s) 10.1.3.4.2, 11.1.1.7
Oracle Containers for J2EE, version(s) 10.1.3.5
Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7
Oracle Exalogic Infrastructure, version(s) 2.0.6.2.0 (for all X2-2, X3-2, X4-2)
Oracle Forms, version(s) 11.1.1.7, 11.1.2.1, 11.1.2.2
Oracle GlassFish Server, version(s) 3.0.1, 3.1.2
Oracle HTTP Server, version(s) 10.1.3.5.0, 11.1.1.7.0, 12.1.2.0, 12.1.3.0
Oracle OpenSSO, version(s) 8.0 Update 2 Patch 5
Oracle Real-Time Decision Server, version(s) 11.1.1.7, RTD Platform 3.0.x
Oracle Reports Developer, version(s) 11.1.1.7, 11.1.2.2
Oracle SOA Suite, version(s) 11.1.1.7, 12.1.3.0
Oracle Waveset, version(s) 8.1.1
Oracle WebCenter Content, version(s) 11.1.1.8.0
Oracle WebLogic Portal, version(s) 10.0.1.0, 10.2.1.0, 10.3.6.0
Oracle WebLogic Server, version(s) 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0

For more information please visit the OTN here.

Note: Patch 20333237 currently has only limited availability; please contact me if you need to get access.


Working with Oracle Security Token Service in an Architecture Involving Oracle WebLogic and Oracle Service Bus by Ronaldo Fernandes

Using Oracle Security Token Service to generate Security Assertion Markup Language (SAML) tokens.
Downloads: Oracle Security Token Service & Oracle WebLogic Server & Oracle Service Bus.

Recently, I’ve worked on a proof of concept for the use of Oracle Security Token Service (OSTS) in an architecture involving Oracle Fusion Middleware, focused on Oracle WebLogic Server (WLS), Oracle Web Service Manager (OWSM) and Oracle Service Bus (OSB). There are many security scenarios in which OSTS can be used, but the initial objective was to provide single sign-on between WLS and OSB using OSTS to generate Security Assertion Markup Language (SAML) tokens. This article describes the steps to implement this solution.

Scenario

The solution was applied on OWSM with OSB 11g (11.1.1.6), Oracle Access Manager (OAM) 11gR2 (11.1.2) and WLS 11g (10.3.6). A Security Token Service (STS) creates and validates security tokens using protocols such as WS-Trust. It acts as a central point in the security infrastructure architecture and simplifies identity propagation between heterogeneous environments.

OSTS is an Oracle Identity Management access management solution. For more information on OSTS, consult the following articles by Oracle Fusion Middleware A-Team solution architect Andre Correa:

The proof of concept required a client on WLS accessing a service provided by OSB using SAML. The SAML Assertion should be generated from OSTS.

WLS can use WS-Trust policies and communicate with OSTS, but OSB 11g still doesn’t support WS-Trust policies. To work around this issue, configure OSB to trust messages signed by an OSTS certificate. Here is the complete scenario: Read the complete article here.
