Vikas Jain
OWSM 11g self paced online course
Oracle University (OU) has published an online course on OWSM 11g on iLearning.
- Oracle Web Services Manager 11g: Essentials - D67432GC10
- Oracle Web Services Manager 11g: Securing SOA Components - D67433GC10
HowTo - OWSM 11g: Install OWSM on base Weblogic
If you have a vanilla WebLogic (WLS) environment with no Fusion Middleware components deployed (such as SOA Suite, WebCenter, etc.), and you have JAX-WS clients and web services deployed in that environment, you can secure these clients and services using OWSM by following this guide's step-by-step instructions on how to set it up. These instructions will be included in the official documentation in the near future.
Note that these are just install instructions, with no change to or bearing on the licensing model. As of June 2010, OWSM is licensed only through SOA Suite and doesn't come with a standalone license. In short, to secure your clients and services using OWSM on base WebLogic, you would need to acquire a SOA Suite license on top of the WebLogic license.
Embedded document: How To install OWSM 11gR1 on base Weblogic
Thanks to Amit Gokhru for validating and documenting these instructions.
FAQ - Using HTTP token policies with OWSM
When using HTTP token policies with OWSM 11g, you may want to review the following to understand their implementation behavior.
What types of HTTP token policies are available?
The following pre-defined OWSM policies are available out of the box.
Client policies: oracle/wss_http_token_client_policy, oracle/wss_http_token_over_ssl_client_policy
Service policies: oracle/wss_http_token_service_policy, oracle/wss_http_token_over_ssl_service_policy
What do HTTP token policies do?
On the client side, the policy adds the base64-encoded username/password to the HTTP Authorization header per the Basic Authentication scheme, according to RFC822 and RFC2617.
For example, Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
On the service side, the OWSM agent reads this HTTP header, decodes the username/password, and uses them to authenticate against the configured identity store through the OPSS login module and the WLS authenticator. Additionally, if oracle/wss_http_token_over_ssl_service_policy is used, it checks that an SSL connection was indeed used to connect to the service.
Is the HTTP Authorization header sent with every message? If not, how can I enable it to be sent with every message?
No. The Oracle web services stack follows the challenge-response authentication mechanism: the client doesn't send an Authorization header in the initial request, the service responds with a 401 (Unauthorized) HTTP message, and the client then adds the Authorization header to the second request, which the service processes.
This default behavior can be altered so that the Authorization header is always sent, by setting a property on the client side.
In the request context, set the property ClientConstants.PREEMPTIVE_BASIC_AUTH to true.
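To make the two answers above concrete, here is an added Python model of the header handling and of the challenge-response versus preemptive flows. It is illustration written for this page, not OWSM code and not from the original post; the identity store is a constructed dict, the 403 for a missing SSL connection is this model's own choice, and only the 401 challenge comes from the post.

```python
import base64
import binascii
import hmac

# Added model (not OWSM code) of the HTTP token policy flow described above.

def parse_basic_authorization(header):
    """Decode 'Basic <base64(user:password)>' per RFC 2617.
    Returns (user, password), or None if the header is absent or malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # a password may itself contain ':'
    return (user, password) if sep and user else None

def service_check(headers, over_ssl_policy, connection_is_ssl, identity_store):
    """Service side: refuse plaintext when the over-SSL policy is attached (403 is this
    model's choice), challenge with 401 when no usable header is present, else authenticate."""
    if over_ssl_policy and not connection_is_ssl:
        return 403
    parsed = parse_basic_authorization(headers.get("Authorization"))
    if parsed is None:
        return 401
    user, password = parsed
    expected = identity_store.get(user, "")  # constant-time compare against the store
    return 200 if hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")) else 401

def client_call(send, user, password, preemptive=False):
    """Client side: without PREEMPTIVE_BASIC_AUTH the first request has no header and the
    401 triggers a retry with it; with it, the header goes out at once. Returns (status, requests_sent)."""
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    status, sent = send({"Authorization": auth} if preemptive else {}), 1
    if status == 401 and not preemptive:
        status, sent = send({"Authorization": auth}), 2
    return status, sent

IDENTITY_STORE = {"Aladdin": "open sesame"}  # constructed sample user (the RFC 2617 example)

def plain_service(headers):
    """A service carrying oracle/wss_http_token_service_policy (no SSL requirement)."""
    return service_check(headers, False, True, IDENTITY_STORE)
```

The preemptive flag halves the round trips; the over-SSL check shows why a service policy should refuse the credentials outright rather than decode them over plaintext.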
How can I disable SOAP security header inclusion when using HTTP token with SSL client policy?
The out-of-the-box oracle/wss_http_token_over_ssl_client_policy policy is configured to include a timestamp element in the SOAP security header, similar to the one below.
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
  <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-oq2ulH1wHpSwkqAlKMaf5Q22">
    <wsu:Created>2010-06-21T15:28:02Z</wsu:Created>
    <wsu:Expires>2010-06-21T15:33:02Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>
This can be disabled by modifying the client policy with the timestamp attribute value set to false.
Note that oracle/wss_http_token_client_policy doesn't include the SOAP header.
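Before turning the timestamp off, it is worth seeing what it buys the receiving side. The following is an added Python illustration (not OWSM code, not from the post) of the freshness check a receiver should apply to the wsu:Timestamp shown above; the sample header is constructed from the values in the post, and the 60-second skew tolerance is this example's own choice.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Added illustration (not OWSM code): what a receiver should check on the wsu:Timestamp
# before trusting a message, so that an old message cannot simply be replayed.

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample in the shape the client policy emits (values from the post).
SAMPLE_SECURITY_HEADER = f"""
<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <wsu:Timestamp wsu:Id="Timestamp-1">
    <wsu:Created>2010-06-21T15:28:02Z</wsu:Created>
    <wsu:Expires>2010-06-21T15:33:02Z</wsu:Expires>
  </wsu:Timestamp>
</wsse:Security>
"""

def parse_utc(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the header as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def timestamp_status(security_xml, now_text, max_skew_seconds=60):
    """Return 'ok', 'missing', 'future' or 'expired' for the wsu:Timestamp in security_xml,
    judged at now_text with a tolerated clock skew (the 60 s default is this example's choice)."""
    root = ET.fromstring(security_xml.strip())
    ts = root.find(f"{{{WSU}}}Timestamp")
    created_text = ts.findtext(f"{{{WSU}}}Created") if ts is not None else None
    expires_text = ts.findtext(f"{{{WSU}}}Expires") if ts is not None else None
    if created_text is None or expires_text is None:
        return "missing"
    now, skew = parse_utc(now_text), timedelta(seconds=max_skew_seconds)
    if parse_utc(created_text) > now + skew:
        return "future"   # created further ahead than the tolerated skew
    if now > parse_utc(expires_text) + skew:
        return "expired"  # past Expires: treat as a stale or replayed message
    return "ok"
```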
HowTo - OWSM 11g: Prevent PII data leakage in Oracle SOA composites
When a SOA endpoint is protected using an OWSM service policy, the message is decrypted at the endpoint; after that, if the message contains PII attributes, they can end up in the clear in logs and in the instance viewer in the console.
To prevent such PII data leakage, there is an OWSM custom policy assertion, written by Robin Zimmermann and Rakesh Saha, that allows selective attribute encryption within the application and then decrypts those attributes on the way out, before the message is re-encrypted using the OWSM client-side policy.
See https://owsm-11g-custom-assertions.samplecode.oracle.com/
By the way, Oracle BPEL 10g provided a feature for obfuscating attribute data. This solution is better than that approach because it uses digital encryption instead of an obfuscation technique, and it is policy based.
vmForce - adding new age features to the application platform
As VMware and Force.com joined hands to create the vmForce platform for cloud applications, it's interesting to note how some new-age features are becoming part and parcel of the application infrastructure.
A few years back, an application server with servlet and EJB containers, connection pooling and other services was considered an application platform. Then, with the SOA wave, features like orchestration (BPEL), a service bus (for routing and transformation), adapters (for connecting apps), and governance tools became part of the platform, leading to the development of composite applications.
Now vmForce is taking it another step ahead, making features such as social apps (collaboration), Google-like search over any data, mobile access, BPM and reporting dashboards part of the platform, relieving application developers and administrators of the pain of integrating external tools that provide these features.
The following vmForce feature list is extracted from Anshu's blog post on this topic.
- Social Profiles: Who are the users in this application so I can work with them?
- Status Updates: What are these users doing? How can I help them and how can they help me?
- Feeds: Beyond user status updates, how can I find the data that I need? How can this data come to me via Push? How can I be alerted if an expense report is approved or a physician is needed in a different room?
- Content Sharing: How can I upload a presentation or a document and instantly share it in a secure and managed manner with the right set of co-workers?
- Search: Ability to search any and all data in your enterprise apps
- Reporting: Ability to create dashboards and run reports, including the ability to modify these reports
- Mobile: Ability to access business data from mobile devices ranging from BlackBerry phones to iPhones
- Integration: Ability to integrate new applications via standard web services with existing applications
- Business Process Management: Ability to visually define business processes and modify them as business needs evolve
- User and Identity Management: Real-world applications have users! You need the capability to add, remove, and manage not just the users but what data and applications they can have access to
- Application Administration: Usually an afterthought, administration is a critical piece once the application is deployed
Connecting Salesforce.com from Google AppEngine using OAuth
Here's a blog post on how to connect to and authenticate with salesforce.com from an application deployed on Google AppEngine using the OAuth protocol.
http://blog.sforce.com/sforce/2010/04/connecting-google-app-engine-and-salesforcecom-with-oauth.html
See how the complexity of the OAuth protocol has been hidden by the helper APIs OAuthAccessor and OauthHelperUtils.
Refer to this demo project written by Jeff Douglas.
Force.com security
You can find resources and links to Force.com platform security for secure cloud development here.
http://blog.sforce.com/sforce/2010/04/introducing-forcecom-secure-cloud-development.html
What I like is how it's organized, complete with education material, security design principles, secure coding guidelines, security testing tools, and how to perform a security review, providing end-to-end guidance on how to implement security for apps deployed on Force.com.
Tech M&A deals of 2010
Here's some notable tech M&A activity that happened up to May 2010.
In the security space:
- Oracle IdM adding identity analytics (OIA) to its portfolio through the broader Sun acquisition
- Symantec enhancing its encryption portfolio with PGP and GuardianEdge, and its vulnerability assessment offering through Gideon Technologies
- EMC's RSA Security Division acquired Archer Technologies for GRC across physical and virtual infrastructures
- Trustwave acquired Intellitactics for SIEM to enhance its PCI compliance offering, and BitArmor to enhance its endpoint security offering
- VMware seems to be building up a cloud PaaS platform, acquiring SpringSource (in 2009), and now Zimbra and Rabbit Technologies
- CA acquired Nimsoft and 3Tera to manage cloud environments
- Cisco acquired Rohati Systems for cloud security in Cisco's Nexus switch line
- SAP planning to buy Sybase for its mobile middleware
- Apple getting Siri, HP getting Palm, RIM getting Viigo
Network World slideshow on Tech acquisitions of 2010
PWC report on Tech M&A insights for 2010
What's new in OWSM 11gR1 PS2 (11.1.1.3.0) ?
Oracle Fusion Middleware 11gR1 PS2 (Patchset 2), aka 11.1.1.3.0, is released and generally available now.
What's new in OWSM 11gR1 PS2 (11.1.1.3.0)?
- Agent for OSB 11gR1
- Enhanced integration for WLS JAX-WS web services (centralized policy mgt, policy attachment through EM, policy advertisement in WSDL, and policy monitoring)
- IBM DB2 certification of MDS backed policy store
- WS-Security + WS-AT combination support
- Enhanced Test-to-Production for policy attachments using deployment plans
- Known Issues
- Product documentation - 11gR1 PS2 Library , OWSM documentation links
- What's new in OWSM 11gR1, and 11gR1 PS1 releases?
- OWSM page on OTN