
Vikas Jain

A blog of SOA and web services security technology I'm working on ...

FAQ - OWSM 11g documentation links

Fri, 2010-03-12 03:22
Listing all OWSM 11gR1 related documentation at one place from the latest patchset.

Guide | Release | Part Number | Comments
----- | ------- | ----------- | --------
Documentation Library Portal | 11gR1 PS1 | E15523_01 | Main site with links to all guides
Installation Guide for Oracle SOA Suite | 11gR1 PS1 | E13925-02 | Installing SOA Suite
OWSM Upgrade Guide - 10gR3 to 11gR1 | 11gR1 PS1 | E10127-01 | Migrating OWSM policies from the 10gR3 to the 11gR1 release
OWSM Admin Guide (Security and Administrator's Guide for Web Services) | 11gR1 PS1 | B32511-02 | Main OWSM guide covering concepts & management interfaces
OWSM Developer's Guide (Securing WebLogic Web Services) | 11gR1 PS1 | E13713-02 | Covers how to attach policies at design time through JDeveloper
OWSM Java API Reference | 11gR1 PS1 | E10689-02 | For writing custom policy assertions
Fusion Middleware Audit Framework (Security Guide) | 11gR1 PS1 | E10043-04 | OWSM leverages the FMW audit framework
OWSM Interoperability Guide | 11gR1 PS1 | E16098-01 | Covers interoperable policies certified against OWSM 10g, .NET, Axis, OSB 10g, WLS native security, etc.
OWSM HA Guide | 11gR1 PS1 | E10106-02 | Configuring OWSM for High Availability
Enterprise Deployment Guide (EDG) for SOA Suite | 11gR1 PS1 | E12036-02 | Recommended deployment topology
OWSM Backup and Recovery (Disaster Recovery Guide) | 11gR1 PS1 | E15250-01 | Configuring for disaster recovery
OWSM Performance and Tuning Guide | 11gR1 PS1 | E10108-01 | Performance/Tuning
OWSM Licensing Information |  | E14860-07 | Licensing terms
Oracle Platform Security Services (OPSS) Guide | 11gR1 PS1 | E10043-04 | OPSS Guide
Oracle Access Manager 10g (10.1.4.3) | 10.1.4.3 |  | OAM 10g Guides
OWSM leverages OPSS internally for authentication, the Credential Store Framework (CSF) and a few other services, so some of the guides/sections above should be read together with the OPSS guides.


Intel's cloud chip and physicalization

Mon, 2010-02-22 01:00
Per Intel's CTO Justin Rattner, Intel is working on a single-chip cloud computer:
  • Parts of the chip will be powered down when not in use
  • The first iteration is a 48-core processor that consumes 25 - 125 watts
  • A new term, "physicalization", has been coined: dedicating one or more cores to a specific application or to a portion of an application. This is the opposite of "virtualization", which means running applications on whatever processor resources are available
For the complete story, see this Forbes article.


Oracle extends BTM and SOA Mgt through Amberpoint acquisition

Mon, 2010-02-08 13:06
Oracle's acquisition of AmberPoint extends its capabilities around Business Transaction Monitoring (BTM), SOA Management and SOA Governance within its SOA product offering.

Read the following resources for more info.
From the FAQ:
The AmberPoint solution will provide several critical capabilities requested by customers.
• Application Discovery – Automatically discovers components and interactions and ensures visibility of the entire heterogeneous SOA environment
• Application Performance Management – Tracks end-to-end performance and availability
• Business Transaction Management – Ensures reliability of individual business transactions and tracks the progress in real time to pinpoint any issues
• SOA Governance – Provides closed-loop governance by reporting run-time results to design-time governance solutions


Integrating REST clients with STS for token exchange

Fri, 2010-02-05 17:37
Where REST services demand a particular type of token for access, REST clients can potentially integrate with an STS server to acquire the requisite token, and pass it to the service.

I haven't seen customers widely asking for such solutions yet, but the need can arise where companies standardize across their applications on a token such as SAML for access control, which carries not only the username but also attributes associated with the user profile.

In such scenarios, the following flow would apply:
  1. The REST client acquires a token from the STS server, preferably through the REST binding of the STS, but any other supported binding should also be okay.
  2. Once it receives the token, it adds it to the "Authorization" HTTP header of the REST request.
  3. The REST service receives the request, and a security interceptor (agent) picks up the token to check access validity. The interceptor can optionally assert the identity into the service for identity propagation needs.
I would be interested to know if you run into such scenarios and are looking for products to support them. You can leave blog comments.


RESTful STS

Wed, 2010-02-03 14:52
A Secure Token Service (STS) typically has a SOAP endpoint, with the WS-Trust standard profiling the interactions. How about taking the complexity of SOAP away and adding the simplicity of a REST interface to the STS? At the end of the day, an STS is a token service that applications use to acquire tokens, and it should be accessible through different types of bindings - SOAP, REST, etc.

What would the interaction pattern for such a RESTful STS be?
  1. Clients access the RESTful STS using an HTTP GET/POST method, sending a RequestSecurityToken (RST) as part of the HTTP message.
  2. The RESTful STS sends back the requested token as a RequestSecurityTokenResponse (RSTR) in the HTTP response message.
  3. The STS endpoint could be secured like any other HTTP resource, using web access management products such as Oracle Access Manager (OAM) with username/password or certificate credentials.
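The following is an added worked example, not code from this blog or from any Oracle product. It plays through the exchange described here and in the post above, "Integrating REST clients with STS for token exchange": the client sends an RST, the STS answers with an RSTR carrying a token, the client forwards the token in the Authorization header, and the REST service's security interceptor validates it before asserting the identity to the service. All three parties are in-process stand-ins (no sockets, no WS-Trust library); the token format, the shared HMAC key, the alice:secret credential and the simplified RST/RSTR XML are constructed for the demo and are not WS-Trust's or OWSM's actual formats.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * In-process sketch of the RESTful STS exchange: the client POSTs an RST, the STS
 * answers with an RSTR carrying a token, the client forwards that token in the
 * Authorization header, and the service's interceptor validates it before the
 * identity reaches the service. Constructed for illustration: no sockets, no
 * WS-Trust library, and the token format and shared key are demo stand-ins.
 */
public class RestfulStsDemo {

    /** Constructed HMAC key shared by the STS and the relying service. */
    static final byte[] STS_KEY = "demo-sts-signing-key".getBytes(StandardCharsets.UTF_8);
    static final long TOKEN_LIFETIME_MS = 5 * 60 * 1000;

    /** Minimal stand-in for an HTTP response. */
    record HttpResponse(int status, String body) {}

    // ---------- STS side ----------

    /** Accepts an RST over HTTP POST and returns an RSTR with the issued token. */
    static HttpResponse stsHandle(String method, Map<String, String> headers, String body, long nowMs) {
        if (!"POST".equals(method)) return new HttpResponse(405, "");
        // The STS endpoint is protected like any other HTTP resource; HTTP Basic
        // stands in for the web access management layer in front of it.
        String user = basicUser(headers.getOrDefault("Authorization", ""));
        if (user == null) return new HttpResponse(401, "");
        if (!body.contains("<RequestSecurityToken")) return new HttpResponse(400, "expected RST");
        String token = issueToken(user, nowMs + TOKEN_LIFETIME_MS);
        return new HttpResponse(200, "<RequestSecurityTokenResponse><RequestedSecurityToken>"
                + token + "</RequestedSecurityToken></RequestSecurityTokenResponse>");
    }

    /** Demo credential store: only the constructed user alice:secret is known. */
    static String basicUser(String authHeader) {
        if (!authHeader.startsWith("Basic ")) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(authHeader.substring(6)), StandardCharsets.UTF_8);
            return "alice:secret".equals(decoded) ? "alice" : null;
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Token = base64url(subject|expiry) "." base64url(HMAC-SHA256 of the first part). */
    static String issueToken(String subject, long expiryMs) {
        String payload = b64(subject + "|" + expiryMs);
        return payload + "." + b64(hmac(payload));
    }

    // ---------- REST client side ----------

    /** Acquires a token from the STS, then calls the service with it in the Authorization header. */
    static HttpResponse clientCallService(String user, String password, long nowMs) {
        String basic = "Basic " + Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
        String rst = "<RequestSecurityToken><TokenType>demo</TokenType></RequestSecurityToken>";
        HttpResponse rstr = stsHandle("POST", Map.of("Authorization", basic), rst, nowMs);
        if (rstr.status() != 200) return rstr;          // surface the STS failure to the caller
        String token = extract(rstr.body(), "RequestedSecurityToken");
        return serviceHandle(Map.of("Authorization", "Bearer " + token), nowMs);
    }

    // ---------- REST service side ----------

    /** Security interceptor: validate the token, then assert the subject to the service. */
    static HttpResponse serviceHandle(Map<String, String> headers, long nowMs) {
        String auth = headers.getOrDefault("Authorization", "");
        if (!auth.startsWith("Bearer ")) return new HttpResponse(401, "");
        String subject = validateToken(auth.substring(7), nowMs);
        if (subject == null) return new HttpResponse(401, "invalid or expired token");
        return new HttpResponse(200, "hello " + subject);   // identity propagated into the service
    }

    /** Returns the subject when the signature and expiry check out, otherwise null. */
    static String validateToken(String token, long nowMs) {
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        try {
            byte[] given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            if (!MessageDigest.isEqual(hmac(payload), given)) return null;   // constant-time compare
            String[] parts = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8).split("\\|");
            if (parts.length != 2 || Long.parseLong(parts[1]) < nowMs) return null;
            return parts[0];
        } catch (IllegalArgumentException e) {   // bad base64 or non-numeric expiry
            return null;
        }
    }

    // ---------- helpers ----------
    static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(STS_KEY, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    static String b64(String s) { return b64(s.getBytes(StandardCharsets.UTF_8)); }
    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    static String extract(String xml, String tag) {
        int start = xml.indexOf("<" + tag + ">") + tag.length() + 2;
        return xml.substring(start, xml.indexOf("</" + tag + ">", start));
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        System.out.println(clientCallService("alice", "secret", now));   // status 200, "hello alice"
        System.out.println(clientCallService("alice", "wrong", now));    // 401 from the STS, no token issued
        System.out.println(serviceHandle(Map.of("Authorization", "Bearer x.y"), now));  // 401 from the interceptor
    }
}
```

Run it with `java RestfulStsDemo.java` (Java 16 or later, for the record type). The interceptor does the three things step 3 of the client flow implies: it refuses a request with no bearer token, rejects a forged or expired token using a constant-time signature comparison, and only then hands the asserted subject to the service.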

A RESTful STS can lead to wider adoption
Many languages/frameworks (such as Adobe Flex and Silverlight) don't support the full capabilities of a SOAP stack, but they do support basic HTTP interactions. Such frameworks could easily plug into a RESTful STS for their token needs.

Applicability of a RESTful STS in the cloud
As the cloud remains the innovation vehicle for 2010, I try to find the applicability of any new concept to the cloud as well.
Today, the Googles, Amazons and Salesforces of the world provide RESTful APIs for all their services. If they decide to broker trust using some sort of STS, it makes perfect sense for them to provide a RESTful STS, accessed with API keys and OpenID/OAuth models.



OER 11g released

Mon, 2010-02-01 02:23
Oracle Enterprise Repository (OER) 11g has been released and is generally available for download now. OER, along with OSR (UDDI registry), OWSM and the EM SOA Management Pack Plus, comprises Oracle's SOA Governance offering. Of all the new features added in this release of OER, there's one around closed-loop governance that I would like to discuss in this blog post.

Closed-loop governance allows architects to review at a high level how the systems and services they designed behave in production, and with this knowledge further enhance the services in their subsequent versions. It gives business people confidence and production assurance that the investments they have put into SOA are actually being put to use.

In this release of OER 11g, high-level performance metrics from Enterprise Manager (EM) and third-party products such as AmberPoint are rolled up into OER.

Through the same pattern, do you see a need for rolling up policy attachment info from OWSM into OER?

See more of "What's New in OER 11g" here.


Oracle + Sun: Identity Management Strategy webcast

Fri, 2010-01-29 15:47
Watch the Oracle + Sun identity management strategy webcast by Oracle executive Hasan Rizvi, Sr. VP:
http://oracle.com.edgesuite.net/ivt/4000/8104/9236/12628/lobby_external_flash_clean_480x360/default.htm


Oracle + Sun Strategy Webcast

Wed, 2010-01-27 18:57
The Oracle + Sun Strategy Webcast was given by Oracle/Sun executives today.
I hope you got a chance to attend it live. If you missed it, check back on the link in a couple of days, when the recording will be available for on-demand viewing.


HowTo - OWSM 11g: Creating custom policy assertions

Wed, 2010-01-27 18:53
Similar to OWSM 10gR3, you can extend OWSM 11g using custom policy implementations.
From a terminology perspective, an OWSM 10g custom policy corresponds to an OWSM 11g custom policy assertion.
Here are some quick links that may help if you plan to implement custom policies:
  1. Refer to the Creating Custom Assertions section of the OWSM product documentation
  2. Refer to the Java API reference for the available APIs
  3. Step-by-step How-To guide on building a sample custom assertion, deploying it, and testing it



Dynamic Data Center through Cisco-Netapp-VmWare collaboration

Wed, 2010-01-27 04:21
New Secure Multi-tenancy Meets Virtualization and Enterprise Cloud Security Requirements

Secure Multi-tenancy Design Architecture is an end-to-end, validated design architecture that isolates IT resources for enhanced security in shared virtual and enterprise cloud environments. The design architecture helps enterprise customers, systems integrators and service providers develop internal and external cloud services that isolate clients, business units, departments or security zones for enhanced security across the computing, networking, storage and management layers of a unified infrastructure. The Secure Multi-tenancy Design Architecture provides details about implementing and configuring the architecture, as well as best practices for building and managing best-in-class solutions from Cisco, NetApp and VMware. This validated design architecture significantly increases business agility by helping IT administrators to establish the appropriate quality of service for each resource layer and to deliver consistent service performance levels for the applications in each layer.

The Secure Multi-tenancy Design Architecture is based on Cisco Nexus® Series Switches and the Cisco® Unified Computing System, NetApp FAS storage with MultiStore®, and VMware vSphere and vShield™ Zones. The design reference architecture has been jointly tested and validated as a Cisco Validated Design so customers can quickly assess their needs and deploy integrated solutions from Cisco, NetApp and VMware that meet the stringent requirements of their dynamic data centers. The Cisco Validated Design Guide can be viewed at www.netapp.com/us/cisco-vmware/.

"Virtualization of the network, server and storage infrastructure is radically reshaping today's data center," said Paul Maritz, president and CEO, VMware. "The dynamic data center built on VMware® vSphere™, along with Cisco and NetApp® technologies, will provide the foundation for both private and public clouds and the ability to move data and applications between these clouds. A shared virtual infrastructure requires that resources for different tenants are isolated while delivering on promised service levels. We have integrated our technology with Cisco and NetApp not only to accelerate our customers' journey through their data center transition, but also to deliver an outstanding customer experience."

See http://money.cnn.com/news/newsfeeds/articles/marketwire/0580403.htm



Gartner acquires Burton group

Thu, 2010-01-07 02:55
Gartner, Inc., which recently acquired AMR Research for $64 million, announced that on December 30, 2009, it acquired Burton Group, Inc. for approximately $56 million in cash.

Gene Hall, Gartner's chief executive officer, said, "Gartner has traditionally focused on providing strategic insight to CIOs and senior IT executives, while Burton Group has built a leading niche providing practical, how-to advice to front-line IT professionals. Thus, Burton Group is a great strategic fit for Gartner and should enable us to offer a more complete solution to every level and functional expert within an IT organization. By leveraging our scale and worldwide distribution capabilities, we expect to significantly grow Burton Group’s business over time."

Jamie Lewis, Burton Group’s chief executive officer, commented, “I am very excited about the opportunities for accelerated growth that Burton Group should have as part of Gartner. By combining our technical depth with Gartner’s global presence and distribution capabilities, we can reach a much broader set of clients with the most complete set of IT research and advisory services available.”

http://www.gartner.com/it/page.jsp?id=1272013


Best practices for exception handling in Java

Tue, 2009-12-29 14:23
Exception handling is an often-ignored area in enterprise software design. It comes out more as an afterthought than as an integral part of the initial design.
I've seen cases where
  • logs are polluted with too many exceptions, delaying root cause analysis
  • root cause exceptions get eaten when thrown to upper-level stacks, and only a generic exception is logged
  • sufficient exception details aren't recorded at the default log levels
Maybe customers should include exception handling use cases, and how well and quickly products allow root cause analysis, as part of their POCs. This would lead vendors to spend resources on improving this area of their software.
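As an added illustration (not code from the post), the class below contrasts the second and third problems in the list with a pattern that avoids them. The `Bad` variants log at every layer and rethrow a cause-less generic exception, so the log fills with duplicate entries and the entry written at the boundary no longer names the underlying IOException; the `Good` variants chain the cause, add the context each layer knows, and log once at the boundary, so java.util.logging prints the whole "Caused by" chain in a single entry. The loadRecord/service/endpoint layering, the ServiceException type and the record id are hypothetical stand-ins for the layers of an enterprise application.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example: how a root cause gets lost when every layer logs and rethrows a
 * new exception, and how chaining the cause and logging once at the boundary keeps
 * it. The layers and the failure are hypothetical.
 */
public class ExceptionHandlingDemo {
    private static final Logger LOG = Logger.getLogger(ExceptionHandlingDemo.class.getName());

    /** Lowest layer: the real failure, e.g. a dropped database or file connection. */
    static void loadRecord(String id) throws IOException {
        throw new IOException("connection reset by peer while reading record " + id);
    }

    // ---- Anti-pattern: each layer logs and rethrows a new, cause-less exception ----

    static void serviceBad(String id) {
        try {
            loadRecord(id);
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "loadRecord failed", e);   // log entry #1
            throw new RuntimeException("service error");      // root cause dropped here
        }
    }

    static String endpointBad(String id) {
        try {
            serviceBad(id);
            return "ok";
        } catch (RuntimeException e) {
            LOG.log(Level.SEVERE, "request failed", e);      // log entry #2, no IOException in it
            return "error";
        }
    }

    // ---- Better: wrap with cause and context, log once at the boundary ----

    /** Domain exception that always carries its cause. */
    static class ServiceException extends Exception {
        ServiceException(String message, Throwable cause) { super(message, cause); }
    }

    static void serviceGood(String id) throws ServiceException {
        try {
            loadRecord(id);
        } catch (IOException e) {
            // Add what this layer knows (operation, id) and keep the root cause chained.
            throw new ServiceException("could not load record " + id, e);
        }
    }

    static String endpointGood(String id) {
        try {
            serviceGood(id);
            return "ok";
        } catch (ServiceException e) {
            // Single log entry at the boundary; the logger prints the full "Caused by" chain.
            LOG.log(Level.SEVERE, "request failed: " + e.getMessage(), e);
            return "error";
        }
    }

    /** Walks the chain to the innermost exception, useful in tests and error reports. */
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) t = t.getCause();
        return t;
    }

    public static void main(String[] args) {
        endpointBad("42");   // two SEVERE entries; the boundary entry has lost the IOException
        endpointGood("42");  // one SEVERE entry: ServiceException ... Caused by: java.io.IOException ...
        try {
            serviceGood("42");
        } catch (ServiceException e) {
            System.out.println("root cause: " + rootCause(e).getMessage());
        }
    }
}
```

Run it with `java ExceptionHandlingDemo.java` and compare the two sets of log entries: the first pattern produces twice the log volume and still forces the reader to correlate entries by timestamp to find the cause, while the second gives one entry whose stack trace already names the IOException and the record involved.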

Also, check out this excellent article on "Exception management and error tracking in J2EE".


Connecting cloud apps to desktop apps using OAUTH and SAML

Wed, 2009-12-23 03:33
Enterprise Single Sign-On (ESSO) solutions provide SSO for desktop apps such as Outlook by storing the username/password securely and passing it to the desktop app when required.
Now, if the desktop app (such as Outlook) needs to go out to the cloud to fetch data, and the cloud app is federation-enabled, can such federation be extended to the desktop app?

Google has already solved it using OAuth for Installed Applications. The article doesn’t explicitly call out SAML, but if you have enabled SAML on your Google Apps deployment, it gets used instead.

Also, see Pat Patterson's blog entry on this topic.


Testing SAML policies

Wed, 2009-12-23 03:16
There are many testing tools (including one bundled with Oracle Fusion Middleware Control) that allow creating a WS-Security username token and inserting it into the request message. But if the service accepts a SAML token, such tools don't come in handy. One has to develop a client application and apply a SAML client policy to add the SAML token to the message.

But there's one free tool that can come in handy in such situations: Vordel SOAPbox.
Check out this blog entry from Mark O'Neill for details, and give the tool a try.


Gartner's John Pescatore on 2010 Security Threats and Trends

Fri, 2009-12-18 14:15
See what Gartner's John Pescatore has to say about emerging security threats and trends in 2010.
There are two very new challenges. What we're seeing happening right now is certainly the threats have changed, but also business processes and the demands put on the IT organization and the information security organization are changing at the same time. At the same time that threats are getting more targeted, the business, even government agencies, are demanding that users be allowed to use home PCs, their own smart phones, iPhones and the like, being allowed to work from home, being allowed to use social networks, use consumer grade things like Google apps and Skype and the like.
So at the same time that the threats are getting more focused, IT is being forced to relinquish some control over the hardware and software and services that users use to get the business done and touch privacy related information and critical business processes. So dealing with those two challenges simultaneously, we're targeted deeper threats and having to give up some levels of control. That, I believe, is the major challenge facing security programs today.

I think 2010 into 2011 will be the start where we start to see vulnerabilities found in all these virtualization and Smart Grid technologies and other forms of wireless, and inevitability new technologies new vulnerabilities, and the attackers leap on those very, very quickly. So I think that is probably some of the new things we will see.
For more details, see the full article at http://www.bankinfosecurity.com/articles.php?art_id=1926&pg=4


Tutorial: Creating Oracle prebundled machine images for the cloud

Tue, 2009-12-08 13:33
Here's an excellent tutorial by Kiran C. Nair on how to create a custom VM image prebundled with Oracle WebLogic Server 11g and Oracle Database XE, and utilities to run at user-defined runlevels. The created images are not restricted to AWS but are fully compatible with any cloud that uses Xen as the hypervisor layer (for example, Eucalyptus Open Cloud).

The prebundled applications and utilities may be customized according to user preferences or demands.

Kiran C. Nair specializes in JEE, client-server architecture, and performance lifecycle analysis at SETLabs, the research wing of Infosys Technologies Ltd.