Wednesday, June 13, 2007

Oracle Fusion Middleware 11g Technology Previews (JDeveloper/ADF and OC4J)

Visit OTN's Java Developer Center to download Technology Previews of Oracle JDeveloper and ADF 11g and the Java EE 5.0-compliant Oracle Containers for Java 11g. These previews are designed to make it easier to develop and deploy Java EE 5, Web 2.0, and AJAX-style Rich Internet Applications.

Try the new web services security features, such as support for the WS-Policy 1.1 and WS-SecurityPolicy 1.1 specifications, and see how they let service providers publish their security requirements in the service WSDL automatically through the WS-PolicyAttachment 1.1 specification. Both WS-Security 1.0 and WS-Security 1.1 are supported in this release.

Tuesday, June 12, 2007

How To - OWSM 10.1.3 : Implement last mile security with gateway

The OWSM gateway can be used to protect web services. Because the gateway runs as a separate process, the channel between the gateway and the web service can remain unsecured; securing it is known as last mile security. In addition, direct access to the web service (bypassing the gateway) should be disallowed.

Any of the following options can be used to secure the channel between the gateway and the web service:

  1. Network-level access control - Restrict the web service host so that it accepts connections from the gateway host only. This is a quick and dirty solution, but it is not always desirable.

  2. Use client-certificate-authenticated SSL (also known as two-way SSL) between the gateway and the web service - This ensures that only the gateway application can talk to the web service.

  3. Install a server agent on the web service - After verifying the security of the incoming message, the gateway signs the message it forwards to the web service using its private key. The server agent verifies the signature and validates the certificate used for signing. This ensures that direct access to the web service is not possible.

FAQ - OWSM 10.1.3 : What is the use of the certificate alias in the Verify Signature step

In OWSM 10.1.3.x, the Verify Signature step verifies the signature using the client certificate carried as a Binary Security Token (BST) in the SOAP message. It does not use the certificate alias from the step configuration for signature verification.
The certificate alias from the step configuration is used to verify the certificate chain of the incoming certificate in the BST. The alias can point to any of the following:

  • root certificate authority (CA) certificate
  • intermediate certificate authority (CA) certificate
  • "*" - The certificate chain is verified against all the trusted certs in the keystore. Any one of the trusted certs should match. This is particularly useful when you have requests coming from multiple clients that don't share the same intermediate or root CA certificate.
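To make the chain-validation semantics above concrete, here is an added Java example (not OWSM code; the loaded KeyStore, the BST certificate, any extra certificates from the message and the alias string are assumed inputs). It selects trust anchors the way the step's certificate alias does, a single root or intermediate CA alias or "*" for every trusted certificate in the keystore, and then checks with the JDK's PKIX CertPathBuilder that the BST certificate chains to one of them, the same check a server agent in option 3 of the previous post needs before trusting a forwarded message:

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class BstChainCheck {

    // Select trust anchors as the step's certificate alias does:
    // one root/intermediate CA alias, or "*" for every trusted cert in the keystore.
    static Set<TrustAnchor> trustAnchors(KeyStore ks, String alias) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        if ("*".equals(alias)) {
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
                String a = e.nextElement();
                if (ks.isCertificateEntry(a)) {
                    anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(a), null));
                }
            }
        } else {
            Certificate ca = ks.getCertificate(alias);
            if (ca == null) throw new IllegalArgumentException("no certificate under alias " + alias);
            anchors.add(new TrustAnchor((X509Certificate) ca, null));
        }
        return anchors;
    }

    // True if the BST certificate chains to one of the selected anchors.
    // Intermediates may come from the message (extraCerts) or from the keystore.
    static boolean chainIsTrusted(X509Certificate bstCert, List<X509Certificate> extraCerts,
                                  KeyStore ks, String alias) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(bstCert);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors(ks, alias), target);

        List<Certificate> pool = new ArrayList<>(extraCerts);
        pool.add(bstCert);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c != null) pool.add(c);
        }
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false); // revocation checking is outside the scope of the post

        try {
            CertPathBuilder.getInstance("PKIX").build(params); // throws if no path to an anchor exists
            return true;
        } catch (CertPathBuilderException ex) {
            return false;
        }
    }
}
```

Signature verification itself still uses the BST certificate's public key, as the post states; this check only decides whether that certificate is trusted. With "*", an empty set of certificate entries in the keystore makes PKIXBuilderParameters throw, so an unpopulated keystore fails closed rather than silently accepting.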

Saturday, June 9, 2007

Project Concordia

Worried about too many competing specifications driving the identity management landscape? Not sure which one to pick for your organization? Some of these worries are being put to rest by Project Concordia. It's a global initiative with representatives from the CardSpace, Liberty Alliance, OpenID, openLiberty.org, SAML 2.0 and WS-Federation communities to provide interoperability between these identity standards by creating profiles based on use cases. Eventually, some of these specifications should merge.

The work is already under way: the first meeting between Liberty SAML 2.0 and Microsoft representatives will be held during the Burton Catalyst 2007 conference in San Francisco.

Thursday, June 7, 2007

How To - OWSM 10.1.3 : Use LDAP to authenticate admin users into OWSM Control(UI)

By default, OWSM uses user/group information from the users and groups tables in the configured database. In addition, the groups are linked to roles in the group_role_mappings table.

To switch the authentication identity provider from the database (the default) to LDAP, follow these steps from the Admin guide.

Now, pick a group in LDAP whose members will be allowed full access to the OWSM Control. Let's say it is owsm-administrators.

Add a group role mapping for this group to the group_role_mappings table by executing:
insert into group_role_mappings values ('owsm-administrators',1,'Y');

Voila! You have successfully switched the authentication store for the Control application to LDAP.
Also see this post on OTN.