Wednesday, June 23, 2010

HowTo - OWSM 11g: Prevent PII data leakage in Oracle SOA composites

When a SOA endpoint is protected using an OWSM service policy, the message can be decrypted, but after that, if the message contains PII attributes, they can end up in the clear in logs and in the instance viewer in the console.
To prevent this kind of PII data leakage, there is an OWSM custom policy assertion available, written by Robin Zimmermann and Rakesh Saha, that selectively encrypts attributes within the application and then decrypts them on the way out, before the message is re-encrypted by the OWSM client-side policy.
See https://owsm-11g-custom-assertions.samplecode.oracle.com/

By the way, Oracle BPEL 10g provided a feature for obfuscating attribute data. This solution is better than that approach because it uses digital encryption instead of an obfuscation technique, and it is policy based.