Tuesday, December 29, 2009

Best practices for exception handling in Java

Exception handling is an often-ignored area of enterprise software design. It tends to be an afterthought rather than an integral part of the initial design.
I've seen cases where
  • logs are polluted with too many exceptions, delaying root cause analysis
  • root-cause exceptions get swallowed when rethrown to upper layers, and only a generic exception is logged
  • insufficient exception detail is recorded at the default log levels
Maybe customers should include exception handling use cases, and how well and quickly a product allows root cause analysis, in their POCs. That would push vendors to spend resources improving this area of their software.
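The two failure modes listed above, side by side, as an added example (not code from the original post). Python stands in for the Java idioms: `raise ... from e` plays the role of `new ServiceException(msg, cause)` and `__cause__` plays `getCause()`. The layers and the failing "order lookup" are constructed for illustration.

```python
"""Exception chaining: keep the root cause, log the chain once at the boundary.

Added example, not from the original post. Python stands in for the Java idioms
the post is about: `raise ... from e` plays the role of Java's
`new ServiceException(msg, cause)`, and `__cause__` plays `getCause()`. The
layers and the failing 'order lookup' are constructed to show the two cases
listed above: a swallowed root cause, and a root cause preserved and logged
at the default ERROR level.
"""
import logging
from io import StringIO


class DataAccessException(Exception):
    """Raised by the persistence layer (stands in for a JDBC/ORM failure)."""


class ServiceException(Exception):
    """Raised by the service layer; should carry the lower-level cause."""


def load_order_from_db(order_id):
    # Constructed failure: the data-access layer always fails in this example.
    raise DataAccessException("ORA-00942 table or view does not exist (ORDERS)")


def find_order_swallowing(order_id):
    """Anti-pattern: the root cause is dropped; upper layers only see a generic error.
    Python would chain implicitly via __context__; Java does not, so `from None`
    reproduces the Java behaviour of `throw new ServiceException(msg)` faithfully."""
    try:
        return load_order_from_db(order_id)
    except DataAccessException:
        raise ServiceException("could not find order %s" % order_id) from None


def find_order_chaining(order_id):
    """Correct pattern: wrap in the layer's own exception but keep the cause."""
    try:
        return load_order_from_db(order_id)
    except DataAccessException as e:
        raise ServiceException("could not find order %s" % order_id) from e


def root_cause(exc):
    """Innermost exception in the cause chain (the Java getCause() loop)."""
    while exc.__cause__ is not None:
        exc = exc.__cause__
    return exc


def cause_chain(exc):
    """Outermost-to-innermost 'Type: message' list, for a single log line."""
    chain = []
    while exc is not None:
        chain.append("%s: %s" % (type(exc).__name__, exc))
        exc = exc.__cause__
    return chain


def handle_request(order_id, finder, log):
    """Boundary handler: the one place that logs. Logging at every layer on the way
    up is what fills logs with duplicate traces for a single failure."""
    try:
        finder(order_id)
        return "ok"
    except ServiceException as e:
        log.error("order %s lookup failed; cause chain: %s",
                  order_id, " <- ".join(cause_chain(e)))
        return "error"


def run_and_capture(finder, order_id="A-17"):
    """Run the boundary handler against an in-memory log; return (status, log text)."""
    buf = StringIO()
    log = logging.getLogger("example." + finder.__name__)
    log.handlers = [logging.StreamHandler(buf)]
    log.propagate = False
    log.setLevel(logging.ERROR)   # the default level suffices once the chain is in the message
    status = handle_request(order_id, finder, log)
    return status, buf.getvalue().strip()


if __name__ == "__main__":
    for finder in (find_order_swallowing, find_order_chaining):
        status, text = run_and_capture(finder)
        print("%s -> %s\n  %s" % (finder.__name__, status, text))
```

Running it shows the swallowing variant logging only "ServiceException: could not find order A-17", while the chaining variant's single log line ends with the ORA-00942 root cause, which is what a support engineer needs for root cause analysis.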

Also, check out this excellent article on "Exception management and error tracking in J2EE".

Wednesday, December 23, 2009

Connecting cloud apps to desktop apps using OAUTH and SAML

Enterprise Single Sign On (ESSO) solutions provide SSO for desktop apps such as Outlook by storing the username/password securely and passing it to the desktop app when required.
Now, if the desktop app (such as Outlook) needs to go out to the cloud to fetch data, and the cloud app is federation-enabled, can such federation be extended to the desktop app?

Google has already solved this with OAuth for Installed Applications. The article doesn't explicitly call out SAML, but if you have enabled SAML on your Google Apps deployment, it is used instead.

Also, see Pat Patterson's blog entry on this topic.

Testing SAML polices

There are many testing tools (including one bundled with Oracle Fusion Middleware Control) that can create a WS-Security username token and insert it into the request message. But if the service accepts a SAML token, such tools don't help: one has to develop a client application and apply a SAML client policy to add the SAML token to the message.

But there's one free tool that can come in handy in such situations: Vordel SOAPbox.
Check out this blog entry from Mark O'Neill for details, and give the tool a try.

Friday, December 18, 2009

Gartner's John Pescatore on 2010 Security Threats and Trends

See what Gartner's John Pescatore has to say about emerging security threats and trends in 2010:
There are two very new challenges. What we're seeing happening right now is certainly that the threats have changed, but also business processes and the demands put on the IT organization and the information security organization are changing at the same time. At the same time that threats are getting more targeted, the business, even government agencies, are demanding that users be allowed to use home PCs, their own smart phones, iPhones and the like, be allowed to work from home, be allowed to use social networks, and use consumer-grade things like Google Apps and Skype and the like.
So at the same time that the threats are getting more focused, IT is being forced to relinquish some control over the hardware, software and services that users use to get the business done and that touch privacy-related information and critical business processes. So we're dealing with those two challenges simultaneously: deeper, targeted threats, and having to give up some levels of control. That, I believe, is the major challenge facing security programs today.

I think 2010 into 2011 will be the start of where we see vulnerabilities found in all these virtualization and Smart Grid technologies and other forms of wireless; inevitably, new technologies, new vulnerabilities, and the attackers leap on those very, very quickly. So I think that is probably some of the new things we will see.
For more details, see the full article at http://www.bankinfosecurity.com/articles.php?art_id=1926&pg=4

Tuesday, December 8, 2009

Tutorial: Creating Oracle prebundled machine images for the cloud

Here's an excellent tutorial by Kiran C. Nair on creating a custom VM image prebundled with Oracle WebLogic Server 11g and Oracle Database XE, plus utilities that run at user-defined runlevels. The images created are not restricted to AWS; they are compatible with any cloud that uses Xen as the hypervisor layer (for example, Eucalyptus Open Cloud).

The prebundled applications and utilities may be customized according to user preferences or demands.

Kiran C. Nair specializes in JEE, client-server architecture, and performance lifecycle analysis at SETLabs, the research wing of Infosys Technologies Ltd.

Wednesday, November 11, 2009

Cloud Services Broker announcement from Vordel

Vordel announced the "Cloud Service Broker" at their annual VordelWorld user conference last week, in an attempt to bring trust and reliability to cloud computing. One of the major concerns customers have in adopting cloud computing is security. Hopefully this will address some of those concerns by bridging the gap between internal SOA apps and cloud services, leading to broader adoption of cloud computing.

See http://www.reuters.com/article/pressRelease/idUS130253+05-Nov-2009+BW20091105

Oracle Fusion Middleware 11gR1 PS1 (Patchset 1) released

Oracle Fusion Middleware 11gR1 PS1 (Patchset 1) was released on Nov 10, 2009, and is generally available now.
Many enhancements and bug fixes for OWSM went into this patchset.
Some notable ones are listed below. For the complete set of enhancements, visit the product documentation here.

What's new in OWSM 11gR1 PS1
  • Common policy store across multiple WebLogic domains (in 11gR1 the policy store was restricted to one per domain)
  • One policy accepting multiple token types, such as username, SAML and X.509, through the policy alternatives feature
  • Ability to set up different signing/encryption keys for different services, instead of all services having to use the common keys set at the domain level. This is implemented through the configuration overrides feature for service policies (11gR1 allowed only client-side config overrides)
  • Ability to configure operation-level authorization using permission-based authorization policies
  • Ease-of-use features
    • Publishing the service certificate in the WSDL, so client policies can look up the service certificate from the WSDL instead of from the client keystore
    • Policy attachment through WLST scripting, useful for automation scripts
    • Enhanced support for asynchronous services and the policies for them
  • Certifications and interoperability
Additionally, for a list of important OWSM bug fixes, known issues and workarounds associated with the 11gR1 PS1 release, please refer to the release notes.

Monday, November 9, 2009

HowTo - OWSM 11g: Checking health of policy manager application

OWSM Policy Manager is the central application that has the task of distributing policies to the OWSM agents (embedded in WLS) for enforcement. For diagnosing problems, it's important to first check if the policy manager application is running okay or not.

You can check the health of policy manager by invoking
It's a protected URL, so you need to enter the WLS administrator username/password.
This should return a list of all the policies and assertion templates, similar to the one below.

Monday, November 2, 2009

Presenting at VordelWorld User Conference

Vordel, an XML Gateway company, is holding its annual user conference VordelWorld in Dublin from Nov 4-6, 2009. This year's spotlight is on SOA and cloud governance. There's a nice lineup of presentations, including Burton Group's Richard Watson on "Cloud Application Architecture", Amazon Web Services evangelist Steve Riley on "Fear the cloud no more", and Vordel CTO Mark O'Neill on "Governing Cloud Connections".

While I can't wait to hear these speakers on the hot topic of security and governance in the cloud, I'll be presenting on "Role of XML Gateways in Identity Management (IdM) infrastructure" and will briefly cover how XML Gateways can help mediate security to the cloud.

Tuesday, October 27, 2009

Enhance your career with CareerTiger's help

My high school friend Abhijeet Khadilkar has started helping people in these recessionary times through a unique initiative: helping them get a job using unconventional methods based on the latest Web 2.0 tools, along with tips he provides through his recently launched company CareerTiger (www.careertiger.com).

The media has already started to notice the contribution he's making.

  • San Jose Mercury News ran a cover page story on them
  • Details magazine mentioned them in their career section
  • MSN and CareerBuilder featured CareerTiger as one of the premier firms that helps candidates find jobs through unconventional means
  • One of their candidates was featured on Anderson Cooper show on CNN

Abhijeet told me that over 90% of people who attend his JobPounce sessions get interviewed within the first 30 days of attending, and over 25% of them find a real job within 90 days. Numbers that look just OK on their own; put them in the perspective of the current economic climate, and they are stunning.

They are running a special for a limited time: participants who enter the code 'legacy' during registration get 60% off the regular price. These prices are valid for the next 3 sessions only.

Those who are not in the SF Bay Area can attend one of the virtual sessions. More details at http://www.careertiger.com/jobpounce/

Wednesday, October 21, 2009

Introduction to OWSM 11gR1 YouTube video

Get introduced to Oracle Web Services Manager (OWSM) 11gR1 through this YouTube video.

Monday, October 19, 2009

F5 BIG-IP integrates with Oracle Access Manager

Consumer Oriented Service Architecture (COSA)

We are all familiar with "Service Oriented Architecture", also called SOA. A few years back it brought agility to IT by reusing legacy code and providing service interfaces to call it in a standard manner. It enabled reuse and rapid development, bringing IT efficiency and cost savings.
Now it has reached a maturity level where customers are deploying services by the hundreds, not just dozens, and vendors have tools available to manage and secure them.

While SOA concentrated on how to make the service architecture better, it left out the consumer focus. The consumer focus becomes especially important when services are exposed to partners.

So I decided to capture all requirements related to this area and coined the term Consumer Oriented Service Architecture (COSA) to represent a new area for innovation.
Here are some of the challenges that I see need solutions
  1. Consumer identification: "Service consumer" is a nebulous term. A consumer could be identified through a user identity (name/attributes, SAML attributes), an application identity, an IP address, a location, the type of device (such as web, mobile, widget), etc.
    • Vendors need to come up with a specification to standardize on how consumers are identified in their tools.
  2. WSDL and other description languages: Today, WSDL describes only the service interface, which is used by all consumers invoking it. How can I enhance this description language so that certain operations are available to some consumers and not to others?
    • The service description language would need to be enhanced to accommodate it.
    • Service registries and repositories would need to be able to understand and manage these new artifacts associated with consumers.
  3. Contracts: How can I define and manage contracts between service providers and service consumers, and ensure that they are being complied with?
    • Service repositories which manage contracts should be able to support it.

  4. Policies (security, reliability, etc.): How can I apply a security policy differently for Consumer A vs. Consumer B? I may not trust Consumer B as much as Consumer A, and would like to apply enhanced security for Consumer B, such as requiring strong authentication or requiring Consumer B to send messages protected with stronger encryption algorithms. Or Consumer B may not be as technologically advanced as Consumer A, and I need to allow Consumer B to interact with my service using a different (authentication) token than Consumer A.
    • This would lead to enhancing WS-Policy, WS-SecurityPolicy and associated standards to bring in consumer focus to them, and vendors supporting it.
  5. Operations (availability, routing, SLAs): How can I route/process messages coming from Consumer A preferentially over Consumer B? I may have SLAs (such as avg response time, concurrency, etc.) set for Consumer A that are different for Consumer B. How can I manage and enforce these consumer centric SLAs?
    • Service Management tools need to include consumer identifier in all their metrics and have capability in alarms and rules to act upon this identifier.

  6. Throttling/Shaping: How can I throttle or shape requests on a per consumer basis based on the SLAs defined between service provider and consumer?
    • XML Gateways and service bus (ESB) should be able to perform throttling based on consumer identifier.

  7. E2E Tracing (root cause analysis): How can I trace messages end-to-end (from consumer to service infrastructure to application to database) coming from a particular consumer of the service?
    • Application and service infrastructure tools need to include the consumer identifier in all their diagnostic and audit logs.

  8. Audit and reporting: How can I run audit reports for a particular consumer-service interaction? Audit records need to include the consumer identifier.
    • Audit and reporting tools need to be enhanced to include consumer identifier as one of the criteria for reports.

  9. Provisioning: How can my tools allow provisioning of a new consumer that will invoke my service? How can I use a workflow approval process to provision such a consumer for my service? How can I provision application identities and certificates that relate to a particular consumer through a well-defined process?
    • Service provisioning and workflow tools need to include the concept of consumer provisioning (or consumer onboarding).

  10. Social apps: How can I enable service-consumer interactions using social apps? How can I notify availability of a new version of the service using Twitter like apps? Or, let consumers share their experience and learning in using the service?
    • Social tools such as wikis, discussion boards, etc. should be integrated into service infrastructure tools to provide service-consumer interaction.

If your company has similar needs, then please share your use cases by commenting on this blog entry.
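To make items 1, 4, 6, 7 and 8 of the list above concrete, here is an added example (not from the original post, and not any vendor's product) of what a consumer-aware gateway does per request: identify the consumer from the application id and source network, pick the acceptable authentication token types from that consumer's profile, throttle against that consumer's own SLA with a token bucket, and stamp every decision with the consumer identifier. The consumer names, networks, SLA figures and request records are constructed.

```python
"""Consumer-aware policy enforcement at a gateway: identify, then apply per-consumer rules.

Added example, not from the original post. It puts items 1, 4 and 6 of the list
above into code: a consumer is identified from the application id and source
network of the request, the consumer's profile decides which authentication
token types are acceptable, and a per-consumer token bucket enforces the SLA.
Every decision is recorded with the consumer identifier (items 7 and 8).
Consumer names, networks, SLA figures and the requests are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ConsumerProfile:
    name: str
    accepted_tokens: frozenset   # token types this consumer may authenticate with
    rate_per_second: float       # SLA: sustained request rate
    burst: int                   # SLA: requests allowed in a burst


# Constructed registry: (application id, source network) -> consumer profile.
# Consumer A is a trusted internal app; Consumer B is a partner that must use
# a stronger token (holder-of-key SAML or X.509) and gets a tighter SLA.
REGISTRY = {
    ("billing-portal", "10.0.0.0/8"): ConsumerProfile(
        "Consumer A (internal)", frozenset({"username", "saml-sv", "saml-hok"}), 50.0, 100),
    ("partner-x", "203.0.113.0/24"): ConsumerProfile(
        "Consumer B (partner)", frozenset({"saml-hok", "x509"}), 2.0, 3),
}


class TokenBucket:
    """Classic token bucket: at most `burst` tokens, refilled at `rate` tokens/second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, float(burst)
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Gateway:
    def __init__(self, registry):
        self.registry = registry
        self.buckets = {}     # consumer name -> TokenBucket
        self.audit = []       # one record per decision, always carrying the consumer id

    def identify(self, request):
        """Item 1: resolve the consumer from app id + source network (None if unknown)."""
        ip = ipaddress.ip_address(request["source_ip"])
        for (app_id, cidr), profile in self.registry.items():
            if app_id == request["app_id"] and ip in ipaddress.ip_network(cidr):
                return profile
        return None

    def handle(self, request, now):
        """Return 'allow', 'deny' or 'throttle' for one request at time `now` (seconds)."""
        profile = self.identify(request)
        if profile is None:
            return self._record(request, "<unidentified>", "deny", "unknown consumer")
        # Item 4: which authentication token is acceptable depends on the consumer.
        if request["token_type"] not in profile.accepted_tokens:
            return self._record(request, profile.name, "deny",
                                "token type %s not accepted for this consumer" % request["token_type"])
        # Item 6: per-consumer throttling against the consumer's own SLA.
        bucket = self.buckets.setdefault(
            profile.name, TokenBucket(profile.rate_per_second, profile.burst))
        if not bucket.allow(now):
            return self._record(request, profile.name, "throttle", "SLA rate exceeded")
        return self._record(request, profile.name, "allow", "ok")

    def _record(self, request, consumer, decision, reason):
        # Items 7 and 8: the consumer identifier travels with every audit record.
        self.audit.append({"consumer": consumer, "operation": request["operation"],
                           "decision": decision, "reason": reason})
        return decision


def demo():
    """Constructed traffic: the partner bursts past its SLA, then tries a weak token."""
    gw = Gateway(REGISTRY)
    partner = {"app_id": "partner-x", "source_ip": "203.0.113.7",
               "token_type": "saml-hok", "operation": "ItemSearch"}
    results = [gw.handle(partner, 0.0) for _ in range(5)]           # burst of 5 at t=0
    results.append(gw.handle(partner, 1.0))                          # 1s later: 2 tokens refilled
    results.append(gw.handle(dict(partner, token_type="username"), 1.0))
    results.append(gw.handle(dict(partner, app_id="rogue-app"), 1.0))
    return results, gw.audit


if __name__ == "__main__":
    decisions, audit = demo()
    for rec in audit:
        print("%-24s %-10s %-8s %s" % (rec["consumer"], rec["operation"], rec["decision"], rec["reason"]))
```

The design point is that the consumer identifier is resolved once, up front, and then drives every later decision and every audit record; without that single identifier the per-consumer SLA, the per-consumer token policy and the end-to-end trace (items 4 to 8) have nothing to key on.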

Web Application Description Language (WADL)

Sun has submitted the "Web Application Description Language" (WADL) spec to the W3C.
It's a description language analogous to WSDL, but for REST/HTTP APIs. It is also meant to describe the relationships between resources.
See http://www.w3.org/Submission/wadl/

Implementation: there is a current implementation as part of Jersey (JAX-RS).

An Amazon service is represented in WADL as follows:

    <application xmlns="http://wadl.dev.java.net/2009/02"
        xmlns:aws="http://webservices.amazon.com/AWSECommerceService/2005-07-26"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://wadl.dev.java.net/2009/02 wadl.xsd">

      <grammars>
        <include href="AWSECommerceService.xsd"/>
      </grammars>

      <resources base="http://webservices.amazon.com/onca/">
        <resource path="xml">
          <method href="#ItemSearch"/>
        </resource>
      </resources>

      <method name="GET" id="ItemSearch">
        <request>
          <param name="Service" style="query" fixed="AWSECommerceService"/>
          <param name="Version" style="query" fixed="2005-07-26"/>
          <param name="Operation" style="query" fixed="ItemSearch"/>
          <param name="SubscriptionId" style="query" type="xsd:string" required="true"/>
          <param name="SearchIndex" style="query" type="aws:SearchIndexType" required="true">
            <option value="Books"/>
            <option value="DVD"/>
            <option value="Music"/>
          </param>
          <param name="Keywords" style="query" type="aws:KeywordList" required="true"/>
          <param name="ResponseGroup" style="query" type="aws:ResponseGroupType" repeating="true">
            <option value="Small"/>
            <option value="Medium"/>
            <option value="Large"/>
            <option value="Images"/>
          </param>
        </request>
        <response>
          <representation mediaType="text/xml" element="aws:ItemSearchResponse"/>
        </response>
      </method>
    </application>

I'd like to hear your comments on whether you find this spec useful. Currently it doesn't have a security profile. What would you like to see defined in such a security profile?
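What a WADL buys you at a gateway is a machine-readable contract to enforce. The following is an added example (not from the original page or the WADL submission) that reads the ItemSearch description above (embedded as a constructed copy, without the external grammar include, so parameter types are not checked) and enforces what it declares: fixed values, required params, enumerated options and whether a param may repeat. The `build_url` helper is the client side of the same contract. One choice made here: fixed params are treated as mandatory on the wire, since a request that omits them is not the described call.

```python
"""Validate and build requests from the WADL above.

Added example, not from the original page or the WADL submission. The WADL
below is a constructed copy of the ItemSearch description shown above (the
external grammar include is omitted, so parameter *types* are not checked).
The code reads the method's params and enforces what the document declares:
fixed values, required params, enumerated options and whether a param may
repeat. One choice of this example: fixed params are treated as mandatory on
the wire, since a client that omits them is not making the described call.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"w": "http://wadl.dev.java.net/2009/02"}

WADL_DOC = """<application xmlns="http://wadl.dev.java.net/2009/02"
    xmlns:aws="http://webservices.amazon.com/AWSECommerceService/2005-07-26"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <resources base="http://webservices.amazon.com/onca/">
    <resource path="xml">
      <method href="#ItemSearch"/>
    </resource>
  </resources>
  <method name="GET" id="ItemSearch">
    <request>
      <param name="Service" style="query" fixed="AWSECommerceService"/>
      <param name="Version" style="query" fixed="2005-07-26"/>
      <param name="Operation" style="query" fixed="ItemSearch"/>
      <param name="SubscriptionId" style="query" type="xsd:string" required="true"/>
      <param name="SearchIndex" style="query" type="aws:SearchIndexType" required="true">
        <option value="Books"/><option value="DVD"/><option value="Music"/>
      </param>
      <param name="Keywords" style="query" type="aws:KeywordList" required="true"/>
      <param name="ResponseGroup" style="query" type="aws:ResponseGroupType" repeating="true">
        <option value="Small"/><option value="Medium"/><option value="Large"/><option value="Images"/>
      </param>
    </request>
    <response>
      <representation mediaType="text/xml" element="aws:ItemSearchResponse"/>
    </response>
  </method>
</application>"""


def load_method(wadl_xml, method_id):
    """Resolve a method by id: HTTP verb, full URL (base + resource path) and params."""
    root = ET.fromstring(wadl_xml)
    resources = root.find("w:resources", NS)
    path = None
    for res in resources.findall("w:resource", NS):
        if any(m.get("href") == "#" + method_id for m in res.findall("w:method", NS)):
            path = res.get("path")
    method = next(m for m in root.findall("w:method", NS) if m.get("id") == method_id)
    params = []
    for p in method.findall("w:request/w:param", NS):
        params.append({
            "name": p.get("name"),
            "fixed": p.get("fixed"),
            "required": p.get("required") == "true" or p.get("fixed") is not None,
            "repeating": p.get("repeating") == "true",
            "options": [o.get("value") for o in p.findall("w:option", NS)],
        })
    return {"verb": method.get("name"), "url": resources.get("base") + path, "params": params}


def build_url(method, **values):
    """Client side: fixed params are filled in from the WADL, the rest come from the caller."""
    query = [(p["name"], p["fixed"]) for p in method["params"] if p["fixed"] is not None]
    query += list(values.items())
    return method["url"] + "?" + urlencode(query, doseq=True)


def validate(method, url):
    """Server/gateway side: return a list of violations (empty means the request matches)."""
    parts = urlsplit(url)
    errors = []
    if "%s://%s%s" % (parts.scheme, parts.netloc, parts.path) != method["url"]:
        errors.append("path %s does not match %s" % (parts.path, method["url"]))
    query = parse_qs(parts.query, keep_blank_values=True)
    declared = {p["name"] for p in method["params"]}
    errors += ["undeclared param %s" % n for n in query if n not in declared]
    for p in method["params"]:
        values = query.get(p["name"], [])
        if not values:
            if p["required"]:
                errors.append("missing required param %s" % p["name"])
            continue
        if len(values) > 1 and not p["repeating"]:
            errors.append("param %s repeated but not declared repeating" % p["name"])
        for v in values:
            if p["fixed"] is not None and v != p["fixed"]:
                errors.append("param %s must be %s, got %s" % (p["name"], p["fixed"], v))
            if p["options"] and v not in p["options"]:
                errors.append("param %s value %s not in %s" % (p["name"], v, p["options"]))
    return errors


if __name__ == "__main__":
    m = load_method(WADL_DOC, "ItemSearch")
    url = build_url(m, SubscriptionId="sub-123", SearchIndex="Books",
                    Keywords="wadl", ResponseGroup=["Small", "Images"])
    print(m["verb"], url)
    print("valid:", validate(m, url))
    print("tampered:", validate(m, url.replace("SearchIndex=Books", "SearchIndex=Toys")))
```

Note that rejecting undeclared parameters is the gateway-side choice that matters most for a security profile: anything the description does not name never reaches the backend.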

Friday, October 16, 2009

Why are businesses caring about the Cloud?

Cloud computing is a buzzword these days. Every customer I meet has some pilot project going on that relates to the cloud. Here are some of the drivers for its adoption that I see from my perspective.

Business Drivers:
  1. CFOs love it - The "public cloud and managed private cloud" model removes technology capital expenditure (capex) from the company balance sheet. So CFOs love the pay-as-you-go monthly subscription model that this brings in.
  2. Reduce hardware costs - Even when companies don't want to go the public/managed cloud route yet, by adopting private clouds they want to realize the benefit of eliminating unused computing power.
  3. Go to market faster - Since this avoids the long hardware procurement cycles, businesses can bring a solution to market faster.
  4. Brings in new ways of interacting with customers - Cloud is bringing in new application programming models that make it easy for companies to interact with customers using Web 2.0, mobile, widgets and social networking apps, such as Google App Engine and Google Apps. A company wants to
Technical Drivers:
  1. Parallel development - Once the company procures the software license, they want to immediately start prototyping and developing the solution (in the cloud). Once they get hardware for it, they want to move the solution from the cloud into the datacenter for test/stage and finally into production.
  2. Scales up and down to meet demand - IT doesn't have to plan for capacity and worry about expenditure on over-capacity, as the cloud offers automatic scaling up and down based on demand.
  3. Leverage existing functionality provided by hosted solutions - Customers are embedding publicly hosted solutions such as Workday and Salesforce.com into their business processes to reduce complexity and get to market faster.
  4. Enables self-service - This model gives you full control over how you want to manage and use the resources available to you.
If you have input on these drivers, or other drivers that are leading to adoption in your company, please comment on this blog entry.

Tuesday, October 6, 2009

OWSM presentation and demo pod at Oracle Open World (OOW) 2009 in San Francisco

I'll be doing the following presentation at this year's Oracle OpenWorld 2009 (OOW) in San Francisco.

S310006: Leveraging Oracle Web Services Manager in Oracle Fusion Middleware 11g to Manage Security
Marriott Hotel, Golden Gate B3
Tuesday 10/13/2009, 13:00 - 14:00

Also, visit us at our Demo pod Oracle Fusion Middleware Security, Moscone West, W-111

Here are some Focus On docs that might help in navigating the jungle of presentations/demos.
All Focus On docs can be found here: http://www.oracle.com/us/openworld/030606.htm

Wednesday, September 30, 2009

OWSM 11g resources

Here are some resources on OWSM 11g that might be useful.
  • OTN site - contains links to download, documentation, white papers, etc. - worth bookmarking
  • OWSM 11g whitepaper
  • XML Gateway ecosystem partners - Intel, Layer 7, Sonoa, Vordel (will write another blog post covering it)
  • 11g FAQ on Oracle Wiki - It's on public wiki, and I encourage you to contribute to it. This is in addition to FAQs I post on this blog.
  • Troubleshooting tips on Oracle Wiki - It's on public wiki, and I encourage you to contribute to it.
  • Oracle's YouTube channel - Search "OWSM" in YouTube's search box

OWSM videos on youtube

We'll be posting OWSM videos to YouTube covering features and benefits as well as how-tos for some common scenarios.
Take a look at the first video posted on Oracle's YouTube channel, OracleWebVideo. You can also search for "OWSM" directly on youtube.com.

You can provide blog comments on areas you wish us to cover.

Why does STS WS-Trust spec differ for SAML usage?

The WS-Security SAML token profile lists usage of 3 types of tokens, represented using the confirmation-method element:
  • bearer
  • sender-vouches
  • holder-of-key (HOK)
But the WS-Trust RST template (which is also exposed through WS-SecurityPolicy) lists the following token types: SAML 1.1, SAML 2.0. It doesn't list any confirmation methods (bearer, sender-vouches, HOK).

Instead, it lists key-type with these values
  • Symmetric
  • Public
  • Bearer
To request a SAML 2.0 bearer token from the STS, one sets
  token type = SAML2
  key type = Bearer
To request a SAML 2.0 HOK asymmetric token, one sets
  token type = SAML2
  key type = Public
To request a SAML 2.0 HOK symmetric token, one sets
  token type = SAML2
  key type = Symmetric

What does one set to get SAML sender-vouches token? WS-Trust spec doesn't handle it today.
Why did the WS-Trust spec authors come up with another representation mechanism instead of reusing the SAML token profile mechanism of representing tokens using confirmation-method?
Hope these issues can be fixed in a later version of WS-Trust spec.
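The mapping described above, written out as an added example (not code from the original post). It builds the RequestSecurityToken the client sends, maps the requested TokenType/KeyType pair to the confirmation method the returned assertion should carry, and checks the issued assertion against it; sender-vouches has no KeyType, so the builder refuses it, which is exactly the gap the post points out. The STS endpoint and the issued assertion are constructed, unsigned stubs.

```python
"""Requesting a SAML token from an STS: confirmation method vs. WS-Trust KeyType.

Added example, not from the original post. It encodes the mapping described
above (bearer -> Bearer, HOK asymmetric -> PublicKey, HOK symmetric ->
SymmetricKey), builds the RequestSecurityToken (RST) element the client sends,
and checks that the SubjectConfirmation on the issued assertion matches what
was asked for. Sender-vouches has no KeyType, so the builder refuses it, which
is exactly the gap the post points out. The issued assertion at the end is a
constructed, unsigned stub standing in for the STS response.
"""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # also used by SAML 1.1 assertions

TOKEN_TYPE = {
    "SAML11": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
    "SAML20": "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0",
}
# WS-Trust 1.3 KeyType values; note there is none for sender-vouches.
KEY_TYPE = {
    "bearer": WST + "/Bearer",
    "hok-asymmetric": WST + "/PublicKey",
    "hok-symmetric": WST + "/SymmetricKey",
}
# SAML token profile confirmation methods that each request should yield.
CONFIRMATION = {
    "SAML11": {"bearer": "urn:oasis:names:tc:SAML:1.0:cm:bearer",
               "hok": "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
               "sender-vouches": "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"},
    "SAML20": {"bearer": "urn:oasis:names:tc:SAML:2.0:cm:bearer",
               "hok": "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
               "sender-vouches": "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"},
}


def build_rst(token, confirmation):
    """Return the wst:RequestSecurityToken (as XML text) for an Issue request."""
    if confirmation not in KEY_TYPE:
        raise ValueError("WS-Trust has no KeyType for %r; only %s can be requested"
                         % (confirmation, sorted(KEY_TYPE)))
    ET.register_namespace("wst", WST)
    rst = ET.Element("{%s}RequestSecurityToken" % WST)
    ET.SubElement(rst, "{%s}RequestType" % WST).text = WST + "/Issue"
    ET.SubElement(rst, "{%s}TokenType" % WST).text = TOKEN_TYPE[token]
    ET.SubElement(rst, "{%s}KeyType" % WST).text = KEY_TYPE[confirmation]
    return ET.tostring(rst, encoding="unicode")


def rst_fields(rst_xml):
    """Read RequestType, TokenType and KeyType back out of an RST (for inspection/tests)."""
    root = ET.fromstring(rst_xml)
    return {tag: root.findtext("{%s}%s" % (WST, tag))
            for tag in ("RequestType", "TokenType", "KeyType")}


def expected_confirmation(token, confirmation):
    """Map the requested (TokenType, KeyType) pair to the confirmation method to expect."""
    key = "hok" if confirmation.startswith("hok-") else confirmation
    return CONFIRMATION[token][key]


def issued_confirmation(assertion_xml):
    """Extract the confirmation method from an issued SAML 1.1 or 2.0 assertion."""
    a = ET.fromstring(assertion_xml)
    if a.tag == "{%s}Assertion" % SAML2_NS:
        sc = a.find(".//{%s}SubjectConfirmation" % SAML2_NS)
        return sc.get("Method") if sc is not None else None
    return a.findtext(".//{%s}ConfirmationMethod" % SAML1_NS)


def check_issued(token, confirmation, assertion_xml):
    """True when the STS issued what the RST asked for; a mismatch should be rejected."""
    return issued_confirmation(assertion_xml) == expected_confirmation(token, confirmation)


# Constructed, unsigned SAML 2.0 assertion stub with holder-of-key confirmation
# (the issuer URL is made up for the example).
SAMPLE_HOK_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2009-09-30T00:00:00Z">
  <saml:Issuer>https://sts.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    print(build_rst("SAML20", "hok-asymmetric"))
    print("matches request:", check_issued("SAML20", "hok-asymmetric", SAMPLE_HOK_ASSERTION))
    try:
        build_rst("SAML20", "sender-vouches")
    except ValueError as e:
        print("rejected:", e)
```

The check at the end is the one a client policy should actually perform: KeyType only says what key material the STS binds, so a bearer assertion returned for a PublicKey request must be treated as a failed exchange, not silently used.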

FAQ - OWSM 11g: Can I deploy OWSM policy manager on a different VLAN?

OWSM policy manager is a JEE application deployed on a WebLogic (WLS) managed server. Customers who like to segregate deployments of security apps and integration/business apps into different VLANs can deploy OWSM policy manager on a separate WebLogic server running in the security VLAN by following these steps.

Step 1: Run RCU to install the database schema required for the SOA Suite install. This can be running on a server in the database VLAN.
Step 2: Install SOA Suite on a server in the security VLAN. This will contain OWSM policy manager running on a managed server and EM FMW Control running on the AdminServer.
Step 3: Install a WLS managed server (using the SOA Suite installer) on a server in the application VLAN, joining the WLS domain created by the step 2 install.
Step 4: Deploy SOA composite apps to the managed server in the application VLAN, and start applying OWSM policies to them using EM (or in JDeveloper itself).

FAQ - OWSM 11g: What port does OWSM policy manager listen on?

OWSM 11g policy manager provides an RMI interface for communicating with OWSM agents and Enterprise Manager.
On WebLogic Server it uses WebLogic's configured RMI port, which by default is 7001.
WebLogic multiplexes different protocols (incl. HTTP, RMI, etc.) on the same port.

FAQ - OWSM 11g: How does OWSM/Oracle SOA work with .NET

OWSM works with .NET in 3 areas
  • OWSM 11g policies are WS-* standards compliant and interoperable on the wire with .NET WCF.
  • Oracle and Microsoft have tested interoperability at several interop events.
  • OWSM supports the WSS 1.1 Kerberos token profile for both client and service policies, to provide identity propagation using Kerberos instead of SAML in .NET environments.

Thursday, September 3, 2009

FAQ - OWSM 11g: What is local optimization and impact of it on OWSM policies?

Oracle SOA Suite has a feature called local optimization. When it is ON (the default), a SOA composite that invokes another SOA composite within the same WebLogic (WLS) server or WLS cluster bypasses the whole SOAP stack and makes a direct Java call to optimize the invocation.

What is the impact of local optimization on OWSM policy execution?
When local optimization is ON, OWSM policies are bypassed and hence aren't executed.

How do I turn off local optimization?
In the SOA composite (composite.xml) which invokes another SOA composite, add the following property to the reference calling the service.

    <property name="oracle.webservices.local.optimization">false</property>

Wednesday, July 1, 2009

Oracle Fusion Middleware 11g launched

Oracle Fusion Middleware 11g was launched today. It has been in the making for 3+ years, and is the first release after the completion of the integration of Oracle and BEA products into unified suites. Also, see the Q&A with Thomas Kurian, Oracle Newsroom, podcasts, and explore new videos, whitepapers, and more.

What's new in OWSM 11g?
  • Unified management and monitoring through Oracle Enterprise Manager.
  • Built-in agents (no install required)
  • Policy governance including reusable policies and policy impact analysis
  • Enhanced WS-* standards support
  • Interoperability with .NET and other security stacks
  • Automatic identity propagation through chain of services
  • Common authentication across web services and web applications
  • JDeveloper integration for policy attachment at design time
  • Audit and reporting with built-in correlation of audit logs for a given transaction
For further details, visit OWSM's page on Oracle Technology Network (OTN) and download the 11g whitepaper.

Monday, June 1, 2009

FAQ - OWSM 10.1.3: What are the different types of agents OWSM support?

OWSM supports the following agents as of release
  • Client and server agents for Oracle 10gR3 BPEL and Oracle 10gR3 ESB. The BPEL and ESB app could be running on OC4J or other supported application servers.
  • Client and server agents for 10gR3 OC4J application server
  • Client and server agents for AXIS 1.1 and 1.4 on 10gR3 OC4J
  • Server agents for Weblogic Server 9.2
  • Server agents for Websphere 6.1.x
  • Server agents for JBoss 4.0.5

Google Wave: Going to change the way we would communicate and collaborate

Google Wave made me so excited that I couldn't stop sharing my thoughts on it. It's good in a way that it has prompted me to come out of hibernation and start blogging again.

Last week during the Google I/O conference, Google unveiled a developer preview of its new collaboration tool "Wave" that, in my view, is going to change the way we communicate.
It's built by the same Rasmussen brothers who built the famous Google Maps.
Check out the recorded demo on YouTube here: http://wave.google.com/. Wave runs entirely in a browser, is based on HTML5 and a new protocol, http://www.waveprotocol.org/.
Wave will interact with email, IM, blogs, wikis, social networking sites, and document sharing and revisions, all under a single Wave interface. Wikis, which we find tremendously useful, will become a thing of the past.
I found 3 features delivering the "Wow factor"
- Sharing is as easy as drag and drop.
- Other person sees as you type eliminating wait and watch.
- Playback of change history
Also, see the TechCrunch article covering it.
What are other notable announcements from the conference?
  • App Engine for Java - Platform to write webapps in Java that run on Google's scalable infrastructure. Google is providing its own servlet container, datastore and service interfaces. Authentication will be provided using OAuth. For more info: http://code.google.com/appengine/docs/java/overview.html
  • Google Elements - easy way to embed google products into websites
Complete details on the conference can be found here http://code.google.com/events/io/.