Vikas Jain's Web Services Security (ws-security) Blog

Moved to a new blog

2011-11-07T14:11:00.000-08:00

I've moved to a new blogging platform provided by my employer Intel at http://blogs.intel.com/cloud-access-security/

Hope, you will follow my posts there.

Netflix in the Cloud

2010-10-14T13:51:00.001-07:00

Netflix is adopting (public) cloud with full force. Check out these few slides around the drivers and their roadmap for such move. Does it mean in the future IaaS providers will start to provision nVidia/ATI GPU based machines for faster video codec processing?

Netflix in the Cloud

View more presentations from Adrian Cockcroft.

Cloud SSO heating up

2010-10-07T16:40:00.001-07:00

In the early part of this decade, SSO vendors (Oblix, Netegrity, Tivoli, etc.) provided solution that made life simple and brought efficiencies for both employees and IT by eliminating the need to remember and maintain/reset tens if not hundreds of username/password combinations that allowed employees to access internal applications needed for their job.

In the next wave, these SSO solutions moved into partner and consumer facing applications where federation was brought in to mediate between different security systems leading to popularization of SAML standard.

Fast forward to now - As new set of applications get delivered as SaaS, SSO had to catch-up with this new deployment model, and new products/solutions are emerging to solve these challenges.

TriCipher (acquired by VmWare) - VmWare saw this need early on as it tries to deliver the vCloud platform. This piece may also become the security mediator between vCloud deployments and external SaaS/cloud offerings. Will have to watch what VmWare does with it.
PingIdentity - The PingFederate solution addresses this need. PingIdentity has been a pioneer in the SAML federation space.
Symplified - Started by ex-PingIdentity folks, it has quickly earned a name for itself in this space.
Vordel - It's Cloud Service Broker provides solution in this space.
Citrix OpenCloud Access - This is the latest addition to this space, available as an optional module for Citrix Netscaler. Announced yesterday at Citrix Synergy (Citrix's annual user conference), this should also help Citrix implicitly sell more of it's GoToMeeting product line.

As you can see the market for Cloud SSO is heating up ...

Access Google address book via LDAP using OVD

2010-10-07T15:44:00.000-07:00

My colleague Mark Wilcox who also runs a blog created an integration between Oracle Virtual Directory (OVD) and Google address book.
This solves use cases for customers who use Google Apps for business, and would also like to use Google as their source of identity instead of maintaining user profiles in their own LDAP stores. OVD provides a nice virtual LDAP interface on top of this Google identity store. Customers can leverage it for SSO of their enterprise apps using Google identities. Where there's a need to add custom attributes to the user's Google profile, OVD has a provision to allow addition of such attributes without modifying the schema of Google identity store (which anyways is inaccessible).

Note that this is different from the SAML federation that Google supports for access to "Google Apps" using enterprise identities that come from enterprise LDAP.

OWSM optimized for Oracle SPARC T3 server

2010-09-20T23:27:00.000-07:00

Oracle's Executive VP John Fowler in his keynote at Oracle OpenWorld conference, announced release of Oracle SPARC T3 server.
The SPARC T3 processors pack 16 cores and 16 on-chip CMT crypto accelerators in a single socket.

OWSM has been optimized to take full advantage of such hardware acceleration by integrating with Solaris Cryptographic Framework that provides crypto acceleration passthrough into the hardware for both SPARC and Intel processors.

See integration whitepaper: High Performance Security for SOA and XML Web Services using Oracle Web Services Manager and Oracle SPARC Enterprise T-Series Servers

OWSM indeed is delivering the promise of Hardware and software engineered to work together.

OWSM at Oracle OpenWorld and JavaOne 2010

2010-09-14T23:39:00.000-07:00

Oracle OpenWorld and JavaOne 2010 is coming up next week.
Listed below is OWSM's presence at the conference.

Demo Pod:

Title: SOA Security

Demo Area: Middleware
Pod #: W-177

Sessions:
ID#: S317146

Title: Securing Web Services: Solutions, Best Practices, and More

Track: OpenWorld: Middleware: Identity Management

Date: Tue, 21-Sep-10

Time: 12:30-13:30

Venue: Moscone South, Room: 309

ID#:S314100

Title: Security Threats and Countermeasures for REST and Cloud Services

Track: JavaOne: Enterprise Service Architectures and the Cloud

Date: Wed, 22-Sep-10

Time: 10:00-11:00

Venue: Parc 55

Room: Cyril Magnin II

ID#: S316710
Title: Analysis of Security & Compliance on Sun SPARC Enterprise T-Series Servers
Track: Sun SPARC Servers
Date: Thu, 23-SEP-10
Time: 12:00 - 13:00
Venue: Moscone South, Room: 252

Hands-on-Lab:

ID# S314098

Title: Securing Web Services

Track: Java One: Java EE Web Profile and Platform Technologies

Date: Wed, 22-Sep-10

Time: 12:30-14:30

Venue: Hilton San Francisco, Room: Plaza A

Focus On documents:

Highly recommended to navigate through the maze

Identity Management

Security

Service Oriented Architecture
Central link to all focus on documents

Hope to see you there.

Oracle Identity Management (IdM) 11g learn more resources

2010-09-14T23:16:00.000-07:00

Returning back to blogging from hiatus. Have been super busy lately. Fist post after this gap has to be on Oracle IdM 11g which was released 2 months back. Note that OWSM 11g was released earlier with SOA 11g last year.
If you haven't had a chance to view details on Oracle IdM 11g, here's a quick list that can get you started.

OWSM 11g self paced online course

2010-07-15T00:00:00.001-07:00

Oracle University (OU) has published an online course on OWSM 11g on iLearning.

Oracle Web Services Manager 11g: Essentials - D67432GC10
Oracle Web Services Manager 11g: Securing SOA Components - D67433GC10

These are self paced online courses that provide a quick way to get started on OWSM.

HowTo - OWSM 11g: Install OWSM on base Weblogic

2010-06-30T12:50:00.001-07:00

If you have a vanilla Weblogic (WLS) environment with no Fusion Middleware components deployed such as SOA Suite, Webcenter, etc., and you have JAX-WS clients and web services deployed in such an enviornment, you can secure these clients and services using OWSM by following this guide for step-by-step instructions on how to set it up. These instructions will be included into official documentation in the near future.

Note that these are just install instructions, with no change or bearance to the licensing model. As of Jun 2010, OWSM is licensed only through SOA Suite, and doesn't come with a standalone license. In short, to secure your clients & services using OWSM on base Weblogic, you would need to acquire SOA Suite license on top of Weblogic license.

Thanks to Amit Gokhru for validating and documenting these instructions.

FAQ - Using HTTP token policies with OWSM

2010-06-30T11:38:00.001-07:00

When using HTTP token policies with OWSM 11g, you may want to review the following to understand their implementation behavior.

What types of HTTP token policies are available?
Following pre-defined OWSM policies are available out-of-the-box.
Client policies: oracle/wss_http_token_client_policy, oracle/wss_http_token_over_ssl_client_policy
Service policies: oracle/wss_http_token_service_policy, oracle/wss_http_token_over_ssl_service_policy

What does HTTP token policies do?
On the client side, it adds base64 encoded username/password per the Basic Authentication scheme to the HTTP Authorization header according to RFC822 and RFC2617
For example, Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
On the service side, OWSM agent gets hold of this HTTP header, decodes the username/password, and uses it to authenticate against the configured identity store through OPSS login module and WLS authenticator. Additionally, if oracle/wss_http_token_over_ssl_service_policy is used, it checks if SSL connection was indeed used to connect to the service.

Is the HTTP Authorization header sent with every message? If not, how can I enable it to be sent with every message?
No. Oracle web services stack follows the challenge-response authentication mechanism wherein client doesn't send an authorization header in the initial request to which service responds back with a 401 (Unauthorized) HTTP message. Client then stuffs the Authorization header into the second request which is then processed by the service.
This default behavior can be altered such that the Authorization header is always sent by setting a property on the client side.
In the request context, set the property ClientConstants.PREEMPTIVE_BASIC_AUTH to true

How can I disable SOAP security header inclusion when using HTTP token with SSL client policy?
The out-of-box oracle/wss_http_token_over_ssl_client_policy policy is configured to include a timestamp element in the SOAP security header similar to below.

<code style="color:#000000;word-wrap:normal;"> <wsse:Security xmlns:wsse="<a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</a>" env:mustUnderstand="1">  <br />      <wsu:Timestamp xmlns:wsu="<a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd</a>" wsu:Id="Timestamp-oq2ulH1wHpSwkqAlKMaf5Q22">  <br />           <wsu:Created>2010-06-21T15:28:02Z</wsu:Created>  <br />           <wsu:Expires>2010-06-21T15:33:02Z</wsu:Expires>  <br />      </wsu:Timestamp>  <br /> </wsse:Security  <br /></code>

This can be disabled by modifying the client policy with timestamp attribute value set to false.
Note that oracle/wss_http_token_client_policy doesn't include the SOAP header.

HowTo - OWSM 11g: Prevent PII data leakage in Oracle SOA composites

2010-06-23T15:07:00.001-07:00

When SOA endpoint is protected using OWSM service policy, then message can be decrypted, but after that if the message contain PII attributes, they can end up in clear in logs and instance viewer in the console.
To provide security for prevention of such PII data leakage, there is an OWSM custom policy assertion available written by Robin Zimmermann and Rakesh Saha that allows selective attribute encryption within the application, and then decrypt it on the way out before it's re-encrypted using the OWSM client side policy.
See https://owsm-11g-custom-assertions.samplecode.oracle.com/

btw, Oracle BPEL 10g provided a feature for obfuscating attribute data. This solution is better than that approach as it uses digital encryption instead of obfuscation technique, and is policy based.

vmForce - adding new age features to the application platform

2010-06-02T22:07:00.000-07:00

As VmWare and Force.com joined hands to create the vmForce platform for cloud applications it's interesting to note how some of the new age features are becoming part and parcel of the application infrastructure.

Few years back, an application server with servlet, EJB containers, connection pooling and other services was considered to be an application platform. Then with the SOA wave, features like orchestration (BPEL), service bus (for routing, transformation), adapters (for connecting apps), and governance tools became part of the platform leading to development of composite applications.
Now, vmForce is taking it another step ahead including features such as social apps like collaboration, google like search for any data, mobile access, BPM and reporting dashboards to be part of the platform, relieving application developers and administrators from integration pains with external tools providing these features.

Following vmForce feature list is extracted from Anshu's blogpost on this topic.

Social Profiles: Who are the users in this application so I can work with them?
Status Updates: What are these users doing? How can I help them and how can they help me?
Feeds: Beyond
user status updates, how can I find the data that I need? How can this
data come to me via Push? How can I be alerted if an expense report is
approved or a physician is needed in a different room?
Content Sharing: How
can I upload a presentation or a document and instantly share it in a
secure and managed manner with the right set of co-workers?
Search: Ability to search any and all data in your enterprise apps
Reporting: Ability to create dashboards and run reports, including the ability to modify these reports
Mobile: Ability to access business data from mobile devices ranging from BlackBerry phones to iPhones
Integration: Ability to integrate new applications via standard web services with existing applications
Business Process Management: Ability to visually define business processes and modify them as business needs evolve
User and Identity Management:
Real-world applications have users! You need the capability to add,
remove, and manage not just the users but what data and applications
they can have access to
Application Administration: Usually an afterthought, administration is a critical piece once the application is deployed

Connecting Salesforce.com from Google AppEngine using OAuth

2010-06-02T21:47:00.001-07:00

Here's a blogpost on how to connect and authenticate salesforce.com from an application deployed on Google AppEngine using OAuth protocol.
http://blog.sforce.com/sforce/2010/04/connecting-google-app-engine-and-salesforcecom-with-oauth.html

See how the complexity of the OAuth protocol has been hidden by the helper APIs of OAuthAccessor and OauthHelperUtils.
Refer to this demo project written by Jeff Douglas.

Force.com security

2010-06-02T21:36:00.000-07:00

You can find resources and links to Force.com platform security for secure cloud development here.
http://blog.sforce.com/sforce/2010/04/introducing-forcecom-secure-cloud-development.html

What I like is how it's organized - complete with education material, security design principles, secure coding guidelines, security testing tools, and how to perform security review - providing end to end guidance on how to implement security for apps deployed on Force.com.

Tech M&A deals of 2010

2010-05-19T16:12:00.000-07:00

Here's some notable tech M&A activity happened till May, 2010.

In Security space,

Oracle IdM adding identity analytics (OIA) to it's portfolio through the broader Sun acquisition
Symantec enhancing encryption portfolio with PGP, GuardianEdge, and vulnerability assessment offering through Gideon Technologies
EMC's RSA Security Division acquired Archer Technologies for GRC across physical+virtual infrastructures
Trustwave acquired Intellitactics for SIEM to enhance PCI compliance offering, and BitArmor to enhance endpoint security offering

In Cloud computing space,

VmWare seems to be building up Cloud PaaS platform acquiring Spring Source (in 2009) , and now Zimbra, and Rabbit Technologies
CA acquired Nimsoft and 3Tera to manage cloud environments
Cisco acquired Rohati Systems for cloud security in Cisco's Nexus switch line

In Mobile space,

SAP planning to buy Sybase for it's mobile middleware
Apple getting Siri, HP getting Palm, RIM getting Viigo

References:
Network World slideshow on Tech acquisitions of 2010
PWC report on Tech M&A insights for 2010

What's new in OWSM 11gR1 PS2 (11.1.1.3.0) ?

2010-04-28T01:17:00.001-07:00

Oracle Fusion Middleware 11gR1 PS2 (Patchset 2) aka 11.1.1.3.0 is released and generally available now.

What's new in OWSM 11gR1 PS2 (11.1.1.3.0)?

Agent for OSB 11gR1
Enhanced integration for WLS JAX-WS web services (centralized policy mgt, policy attachment through EM, policy advertisement in WSDL, and policy monitoring)
IBM DB2 certification of MDS backed policy store
WS-Security + WS-AT combination support
Enhanced Test-to-Production for policy attachments using deployment plans

Also see,

Known Issues
Product documentation - 11gR1 PS2 Library , OWSM documentation links
What's new in OWSM 11gR1, and 11gR1 PS1 releases?
OWSM page on OTN

FAQ - OWSM 11g documentation links

2010-03-12T01:21:00.000-08:00

Listing all OWSM 11gR1 related documentation at one place from the latest patchset.

Guide	Release	Part Number	Comments
Documentation Library Portal	11gR1 PS1	E15523_01	Main site with links to all guides
Installation Guide for Oracle SOA Suite	11gR1 PS1	E13925-02	Installing SOA Suite
OWSM Upgrade Guide - 10gR3 to 11gR1	11gR1 PS1	E10127-01	Migrating OWSM policies from 10g3 to 11gR1 release
OWSM Admin Guide (Security and Administrator's Guide for Web Services)	11gR1 PS1	B32511-02	Main OWSM guide covering concepts & management interfaces
OWSM Developer's Guide (Securing WebLogic Web Services)	11gR1 PS1	E13713-02	Covers how to attach policies at design time through JDeveloper
OWSM Java API Reference	11gR1 PS1	E10689-02	For writing custom policy assertions
Fusion Middleware Audit Framework (Security Guide)	11gR1 PS1	E10043-04	OWSM leverages FMW audit framework
OWSM Interoperability Guide	11gR1 PS1	E16098-01	Covers interoperable policies certified against OWSM 10g, .NET, Axis, OSB 10g, WLS native security, etc.
OWSM HA Guide	11gR1 PS1	E10106-02	Configuring OWSM for High Availability
Enterprise Deployment Guide (EDG) for SOA Suite	11gR1 PS1	E12036-02	Recommended deployment topology
OWSM Backup and Recovery (Disaster Recovery Guide)	11gR1 PS1	E15250-01	Configuring for disaster recovery
OWSM Performance and Tuning Guide	11gR1 PS1	E10108-01	Performance/Tuning
OWSM Licensing Information		E14860-07	Licensing terms
Oracle Platform Security Services (OPSS) Guide	11gR1 PS1	E10043-04	OPSS Guide
Oracle Access Manager 10g (10.1.4.3)	10.1.4.3		OAM 10g Guides

OWSM leverages OPSS internally for authentication, CSF and few other services. So, some of the above guides/sections should be complemented with OPSS guides.

Intel's cloud chip and physicalization

2010-02-21T23:00:00.001-08:00

Per Intel's CTO Justin Rattner, Intel is working on a single chip cloud computer

Parts of the chip will be powered down when not in use
First iteration involves a 48 core processor that consumes 25 - 125 watts
New term invented "physicalization" which means dedicating one or more cores to a specific application or portion of the application. This is completely opposite to "virtualization" which means running applications on whatever processor resources are available

For complete story, see this Forbes article

Oracle extends BTM and SOA Mgt through Amberpoint acquisition

2010-02-08T10:57:00.000-08:00

Oracle's acquisition of Amberpoint extends it's capabilities around Business Transaction Monitoring (BTM), SOA Management and SOA Governance into it's SOA products offering.

Read the following resources for more info

Benefits of the combination from Richard Sarwal, Sr VP, Product Development, Oracle
General Presentation on Amberpoint
FAQ

From the FAQ,
The AmberPoint solution will provide several critical capabilities requested by customers.
• Application Discovery – Automatically discovers components and interactions and ensures visibility of the entire heterogeneous SOA environment
• Application Performance Management – Tracks end-to-end performance and availability
• Business Transaction Management – Ensures reliability of individual business transactions and tracks the progress in real time to pinpoint any issues
• SOA Governance – Provides closed-loop governance by reporting run-time results to design-time governance solutions

Integrating REST clients with STS for token exchange

2010-02-05T15:37:00.001-08:00

Where REST services demand a particular type of token for access, REST clients can potentially integrate with an STS server to acquire the requisite token, and pass it to the service.

I haven't seen customers yet widely asking for such solutions, but need can arise where companies standardize across the applications on tokens such as SAML for access control which carries not only the username information but also attributes associated with user profile.

In such scenarios, following flow would be applicable

REST client acquires token from the STS server preferably through REST binding of STS, but any other supported binding should also be okay.
Once it receives the token, it adds it to the "Authorization" HTTP header of the REST request.
REST service receives the request, and a security interceptor(agent) picks up the token to check for access validity. The interceptor can optionally assert the identity into the service for identity propagation needs.

I would be interested to know if you run into such scenarios, and looking for products to support it. You can leave blog comments.

RESTful STS

2010-02-03T03:27:00.001-08:00

Secure Token Service (STS) typically have a SOAP endpoint with WS-Trust standard profiling the interactions. How about taking the complexity of SOAP away, and adding simplicity of REST interface to the STS? At the end of the day, STS is a token service that applications use to acquire tokens and should be accessible through different types of bindings - SOAP, REST, etc.

What would be the interaction pattern for such RESTful STS?

Clients access RESTful STS using HTTP GET/POST method sending RequestSecurityToken (RST) as part of HTTP message.
RESTful STS sends back the requested token as RequestSecurityTokenResponse (RSTR) in the HTTP response message.
The STS endpoint could be secured similar to any HTTP resource using web access management products such as Oracle Access Manager (OAM) with username/password or certificate credentials.

RESTful STS can lead to wider adoption
Many languages/frameworks (such as Adobe Flex and Silverlight) doesn't support full capabilities of a SOAP stack. But, they support the basic HTTP interactions. Such frameworks could easily plug into a RESTful STS for their token needs.

Applicability of RESTful STS in the cloud
As cloud remains the innovation vehicle for 2010, I try to find applicability of any new concept into the cloud as well.
Today, Google, Amazon, Salesforce of the world provide RESTful APIs for all it's services. If they decide to broker trust using some sort of STS, then it makes perfect sense for them to provide RESTful STS with API keys and OpenId/OAUTH models to access it.

OER 11g released

2010-02-01T00:18:00.001-08:00

Oracle Enterprise Repository (OER) 11g is released and generally available for download now. OER alongwith OSR (UDDI registry), OWSM and EM SOA Mgt Pack Plus comprise Oracle's SOA Governance offering. Of all the new features added in this release of OER, there's one feature around closed loop governance that I would like to discuss in this blog.

Closed loop governance allows architects to review at a high-level how the system and services they designed are behaving in production, and with this knowledge further enhance the services in their subsequent versions. It provides confidence and production assurance to business people that the investments they have put in SOA is actually being put to use.

In this release of OER 11g, high-level performance metrics from Enterprise Manager (EM) and 3rd party products such as Amberpoint are rolled up into OER.

Through the same pattern, do you see a need for rolling up policy attachment info from OWSM into OER?

See more of "What's New in OER 11g" here.

Oracle + Sun: Identity Management Strategy webcast

2010-01-29T13:47:00.001-08:00

Watch Oracle + Sun identity management strategy webcast by Oracle executive Hasan Rizvi, Sr. VP
http://oracle.com.edgesuite.net/ivt/4000/8104/9236/12628/lobby_external_flash_clean_480x360/default.htm

Oracle + Sun Strategy Webcast

2010-01-27T16:57:00.001-08:00

Oracle + Sun Strategy Webcast was done by Oracle/Sun executives today.
Hope you got a chance to attend it live. If you missed it, check back the link in couple of days when the recording would be available for on demand viewing.

HowTo - OWSM 11g: Creating custom policy assertions

2010-01-27T16:53:00.001-08:00

Similar to OWSM 10gR3, you can extend OWSM in 11g using custom policy implementations.
From terminology perspective, OWSM 10g custom policy is similar to OWSM 11g custom policy assertion.
Here are some quick links that may help if you plan to implement custom policies.

Refer to Creating Custom Assertions section of OWSM product documentation
Refer to Java API reference for available APIs
Step by step How-To guide on building a sample custom assertion, deploy, and test it