1. 1 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

2. OTM and SOA
Mark Hagan
Principal Software Engineer
Oracle Product Development

3. Content
 What is SOA?
 What is Web Services Security?
 Web Services Security in OTM
 Futures…
3 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

4. PARADIGM
4 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

5. Content
 What is SOA?
 What is Web Services Security?
 Web Services Security in OTM
 Futures…
5 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

6. What is SOA?
Service Oriented Architecture
 Term originated from IBM Web Services work in 2000?
 Million and one attempts to produce a ‘catchy’ paragraph
– Strategy (both IT and Business)
– Services
– Interoperable
– Standards
 Aims to address perceived limitations in previous application
integration techniques.
6 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

7. SOA Evolution
Service Oriented Architecture – ‘Plateau of Productivity’
 Not just about enabling a legacy application to be called as a web
service.
 High level business process design
 SOA Maturity Model
 Availability of tools
– Server : Oracle SOA Suite (+ others, I guess!)
– Designer : Oracle JDeveloper (ditto)
 SCA – Service Component Architecture (OASIS Standard)
7 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

8. What are Web Services?
 Not just an API!
 Salient points
– Platform independent (XML everywhere…)
– Transport independent (i.e. not tied to a specific protocol)
– Loosely coupled
– Contract
– Standards (next slide!)
8 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

9. What are Web Services?
 Gradual emergence of standards
– XML & XSD
– SOAP
– WSDL
 [Side note: even W3C gets confused between Web Service Definition
Language and Web Services Description Language!]
– Java Platform
 JAX-RPC
 JAX-WS (initially called JAX-RPC 2.0)
9 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

10. Anatomy of a SOAP Message
SOAP Envelope
SOAP Header
SOAP Body
Message Payload
10 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

11. Anatomy of a WSDL
Definition
Messages
Operations
Ports
11 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

12. Content
 What is SOA?
 What is Web Services Security?
 Web Services Security in OTM
 Futures…
12 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

13. Security Before ‘Web Services Security’
Applies to OTM versions from v5.0 to v6.2
 Credentials were passed according to transport protocol
– For example, SOAP over HTTP used Basic Authentication HTTP Header
 Encryption required SOAP over HTTPS
 Commonly include credentials in the message itself.
– OTM accepted Transmission Header with username/password or
username and IP authentication.
13 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

14. Web Services Security – WS-Security
WSS: SOAP Message Security v1.1
 OASIS Specification of an XML syntax for security related data in the
SOAP Header
 Supports different ‘profiles’
– Username Token Profile
– SAML Token Profile
– X.509 Token Profile
– Kerberos Token Profile
– Rights Expression Language (REL) Token Profile
14 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

15. Web Services Policy – WS-Policy
WSP: Web Service Policy 1.5 – Framework & Attachment
 W3C Recommendation for an XML syntax to describe the
requirements and capabilities of a web service.
 Defines the concept of an ‘assertion’ and how to declare policy
alternatives.
 Examples :-
– Security
– Transactions
– Reliable Messaging
– Addressing
15 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

16. Web Services Security Policy –
WS-SecurityPolicy
WSSP: WS-SecurityPolicy 1.3
 OASIS Specification for WSS related policy assertions
 Service can specify which token profiles are required or supported
 Service can specify which transport protocols are required or
supported
 Declared in the service WSDL
16 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

17. WSSP Example – Username Token
17 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

18. Content
 What is SOA?
 What is Web Services Security?
 Web Services Security in OTM
 Futures…
18 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

19. WSS in OTM v6.2 - Inbound
 Partial support for Username Token Profile
 Full support for HTTP and HTTPS
 Not declared in WSDL
 Password Digest was initially supported but may be removed
19 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

20. WSS in OTM v6.2 - Outbound
 Partial support for Username Token Profile
 Full support for HTTP and HTTPS
 External WSDL is not parsed for WSSP assertions
 Password Digest was initially supported but may be removed
 Requires settings on Web Service and External System records in
OTM.
20 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

21. Web Service Manager
21 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

22. External System Manager
22 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

23. WSS in OTM v6.3 - Inbound
 Full support for Username Token Profile (except Password Digest type)
 Full support for HTTP and HTTPS
 Full support for Message Encryption
 Declares security policy in WSDL for inbound services
– Defaults to Username Token over HTTPS
– Policy can be customised
23 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

24. 24 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

25. Custom Policy
 Installation deploys a policy file for each web service
– <otm home>/glog/glog_resources/policies/<service name>-Policy.xml
– For example,
 <otm home>/glog/glog_resources/policies/IntXmlService-Policy.xml
 To override default policy – DO NOT EDIT base file
– Create file under configured custom directory, for example
 <otm home>/glog/glog_resources/custom/policies/IntXmlService-
Policy.xml
25 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

26. Custom Policy (contd.)
 Sample files installed
– otm-default-policy.xml
 policy installed by default (currently Username Token over HTTPS)
– otm-Wssp1.2-2007-Https-UsernameToken-Plain.template.xml
– otm-Wssp1.2-2007-UsernameToken-Plain.template.xml
– otm-Wssp1.2-
wss10_username_token_with_message_protection_policy.template.xml
26 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

27. WSS in OTM v6.3 – Outbound
 Full support for Username Token Profile (except Password Digest type)
 Full support for HTTP and HTTPS
 Full support for Message Encryption
 WebLogic Server handles parsing of policy assertions
– Requires additional WebLogic Server administration
 All pre-existing outbound Web Services defined in OTM will operate
according to v6.2 logic i.e. will not automatically have access to v6.3
capability
27 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

28. WSS in OTM v6.3 – Outbound (contd.)
 WSDL Document content needs to be URL
 Existing records would not contain any WS-Policy details and so need
to be reloaded.
 Use of Message Encryption requires additional administration tasks.
– Storage of external X.509 Certificate in WebLogic keystore
– New Web Service Security Configuration via Console (or config.xml)
– Configure OTM property to match keystore alias to service endpoint
 glog.webservice.pki.alias.myalias=https://myserver/services/myEncrypti
onService
28 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

29. WSS in OTM v6.3 – Outbound (contd.)
Credential Mapping
29 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

30. Content
 What is SOA?
 What is Web Services Security?
 Web Services Security in OTM
 Futures…
30 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

31. The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
31 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

32. Future…
 Support for additional WSS profiles
– SAML Token
– X.509 Token
 Split GLogXML.xsd schema
 Namespace Versions
 Ability to attach ‘client’ policy override to outbound services
 Policy attachment via WebLogic Console and/or Deployment tools
32 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

33. Glossary
Term Description
OASIS Organization for the Advancement of Structured Information Standards
XSD XML Schema Definition
WSS Web Services Security
SAML Security Assertion Markup Language
X.509 ISO/IETF standard format for Public Key certificates.
JAX-RPC Java API for XML-based RPC (Remote Procedure Call)
JAX-WS Java API for XML-based Web Services (successor to JAX-RPC)
33 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

34. References
Term Description
OTM Documentation Library http://docs.oracle.com/cd/E38437_01/otm/html/docset.html
(Administration Guide, Integration Guide and Security Guide)
OASIS Home - https://www.oasis-open.org/standards
WSS - https://www.oasis-
open.org/committees/tc_home.php?wg_abbrev=wss
WSSP - http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-
securitypolicy-1.3-spec-os.html
W3C WSDL - http://www.w3.org/TR/#tr_WSDL
WSP - http://www.w3.org/TR/#tr_Web_Services_Policy
34 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

35. 35 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

36. 36 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.