Vikas Jain's Web Services Security (ws-security) Blog

Gartner's John Pescatore on 2010 Security Threats and Trends

2009-12-18T12:15:00.001-08:00

See what Gartner's John Pescatore has to say about emerging security threats and trends in 2010.

There are two very new challenges. What we're seeing happening right now is certainly the threats have changed, but also business processes and the demands put on the IT organization and the information security organization are changing at the same time. At the same time that threats are getting more targeted, the business, even government agencies, are demanding that users be allowed to use home PC's, their own smart phones, iPhones and the like, being allowed to work from home, being allowed to use social networks, use consumer grade things like Google apps and Skype and the like.
So at the same time that the threats are getting more focused, IT is being forced to relinquish some control over the hardware and software and services that users use to get the business done and touch privacy related information and critical business processes. So dealing with those two challenges simultaneously, we're targeted deeper threats and having to give up some levels of control. That, I believe, is the major challenge facing security programs today.

I think 2010 into 2011 will be the start where we start to see vulnerabilities found in all these virtualization and Smart Grid technologies and other forms of wireless, and inevitability new technologies new vulnerabilities, and the attackers leap on those very, very quickly. So I think that is probably some of the new things we will see.

For more details visit full article at http://www.bankinfosecurity.com/articles.php?art_id=1926&pg=4

Tutorial: Creating Oracle prebundled machine images for the cloud

2009-12-08T11:26:00.000-08:00

Here's an excellent tutorial by Kiran C. Nair on how to create a custom VM image prebundled with Oracle Weblogic Server 11g and Oracle Database XE, and utilities to run at user-defined runlevels. The created images are not restricted to AWS but are fully compatible with any cloud that uses Xen as the hypervisor layer (for example, Eucalyptus Open Cloud).

The prebundled applications and utilities may be customized according to user preferences or demands.

Kiran C. Nair specializes in JEE, client-server architecture, and performance lifecycle analysis at SETLabs, the research wing of Infosys Technologies Ltd.

Cloud Services Broker announcement from Vordel

2009-11-11T14:32:00.000-08:00

Vordel announced "Cloud Service Broker" at their annual VordelWorld user conference last week, in an attempt to bring trust and reliability to Cloud Computing. One of the major concerns customers have in adopting cloud computing is security. Hope this will solve some of those concerns bridging the gap between internal SOA apps and Cloud services, leading to broader adoption of Cloud Computing.

See http://www.reuters.com/article/pressRelease/idUS130253+05-Nov-2009+BW20091105

Oracle Fusion Middleware 11gR1 PS1 (Patchset 1) released

2009-11-11T11:04:00.000-08:00

Oracle Fusion Middleware 11gR1 PS1 (Patchset 1) aka 11.1.1.2 was released on Nov 10, 2009, and generally available now.
Many enhancements and bug fixes for OWSM went into this patchset.
Some notable ones are listed below. For a complete set of enhancements visit product documentation here.

What's new in OWSM 11gR1 PS1 (11.1.1.2)?

Common Policy Store across multiple Weblogic domains (11gR1 policy store was restricted to be one per domain)
One policy accepting multiple types of tokens such as username, SAML, X.509 through the policy alternatives feature
Ability to set up different sign/encryption keys for different services instead of all services having to use the common sign/encryption keys set at the domain level - This has been implemented using configuration overrides feature for service policies (11gR1 allowed only client side config overrides)
Ability to configure operation level authorization using Permission based authorization policies
Ease of Use features

Publishing service certificate in the WSDL - client policies can directly lookup service certificate from WSDL instead of looking up from client keystore
Policy attachment through WLST scripting - useful for creating automation scripts
Enhanced support for asynchronous services and policies for it

Certifications and Interoperability

OWSM Interoperability certified against Axis 1.4 and WSS4J 1.58 security stacks
Documentation on Interoperability with other security stacks moved to a new guide Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager
WS-I BSP compliance
Policies can be stored in Microsoft SQL Server based MDS repository

Additionally, for a list of important OWSM bug fixes, known issues and workarounds associated with 11gR1 PS1 release, please refer to the release notes.

HowTo - OWSM 11g: Checking health of policy manager application

2009-11-09T17:14:00.001-08:00

OWSM Policy Manager is the central application that has the task of distributing policies to the OWSM agents (embedded in WLS) for enforcement. For diagnosing problems, it's important to first check if the policy manager application is running okay or not.

You can check the health of policy manager by invoking
http://:/wsm-pm/validator
It's a protected url, so you need to enter WLS adminstrator username/password.
This should return a list of all the policies and assertion templates similar to below.

Presenting at VordelWorld User Conference

2009-11-02T02:03:00.001-08:00

Vordel, and XML Gateway company, is holding it's annual user conference VordelWorld in Dublin from Nov 4-6, 2009. This year's spotlight is on SOA and cloud governance. There's a nice lineup of presentations including Burton Group's Richard Watson on "Cloud Application Architecture", Amazon Web Services Evangelist Steve Riley on "Fear the cloud no more", and Vordel CTO Mark O'Neill on "Governing Cloud Connections".

While I can't wait to hear these speakers talk on the hot topic of security and governance in the cloud, I'll be presenting on the topic of "Role of XML Gateways in Identity Management (IdM) infrastructure" and cover briefly on how XML Gateways can help mediate security to the cloud.

Enhance your career with CareerTiger's help

2009-10-27T15:35:00.000-07:00

My high school friend, Abhijeet Khadilkar, started helping people in these recessionary times through a unique intiative - helping get a job using unconventional methodologies using the latest Web 2.0 tools and tips he provides through his recently launched company CareerTiger (www.careertiger.com).

Media has already started to notice the contribution he's making.

San Jose Mercury News ran a cover page story on them
Details magazine mentioned them in their career section
MSN and CareerBuilder featured CareerTiger as one of the premier firms that helps candidates find jobs through unconventional means
One of their candidates was featured on Anderson Cooper show on CNN

Abhijeet told that over 90% of people who attend his JobPounce sessions are interviewed in the first 30 days of them attending it. And over 25% of them find a real job in 90 days...numbers that look just ok. But put those in perspective of the current economic climate, and they are stunning.

They are running a special for a limited time - participants enter the code 'legacy' during registration get 60% OFF the regular price. These prices are valid for the next 3 sessions only.

And for those that are not in the SF Bay Area, can attend one of the virtual sessions. More details at http://www.careertiger.com/jobpounce/

Introduction to OWSM 11gR1 youtube video

2009-10-21T18:41:00.000-07:00

Get introduced to Oracle Web Services Manager (OWSM) 11gR1 through this youtube video.

F5 BIG-IP integrates with Oracle Access Manager

2009-10-19T23:50:00.001-07:00

F5 Announces Plans to Unify Access Management for Web Applications Integrating with Oracle Access Manager | Reuters

Consumer Oriented Service Architecture (COSA)

2009-10-19T13:30:00.000-07:00

We are all familiar with "Service Oriented Architecture" also called SOA. Few years back it brought agility in IT by reusing legacy code and providing service interfaces to call them in a standard manner. It enabled "reuse" and "rapid development" bringing in IT efficiency and cost savings.
Now, it has reached a maturity level, where customers are deploying services in hundreds and not just dozens, and vendors have tools available to manage and secure them.

While SOA concentrated on how to make the service architecture better, it left out on the consumer focus. The consumer focus becomes especially important when services are exposed to partners.

So, I decided to capture all requirements related to this area and coined the term Consumer Oriented Service Architecture (COSA) to represent a new area for innovation.
Here are some of the challenges that I see need solutions

Consumer identification: A service consumer is a nebulous word. A consumer could be identified through a user identity(name/attributes, saml attributes), application identity, ip address, location, type of device (such as web, mobile, widget), etc.
- Vendors need to come up with a specification to standardize on how consumers are identified in their tools.
WSDL and other description languages: Today, WSDL describes the service interface only that is used by all consumers invoking it. How can I enhance this description language such that certain operations are available to some consumers, and certain operations are not available to other consumers?
- The service description language would need to be enhanced to accommodate it.
- Service registries and repositories would need to be able to understand and manage these new artifacts associated with consumers.
Contracts: How can I define and mange contracts between service providers and service consumers, and ensure that they are being complied with?
- Service repositories which manage contracts should be able to support it.

Policies (security, reliability, etc.): How can I apply security policy differently for Consumer A vs. Consumer B. I may not be trusting Consumer B as much as Consumer A, and would like to apply enhanced security for Consumer B such as using strong authentication or requiring Consumer B to send messages over higher bit encryption algorithms? Or, Consumer B may not be as technology advanced as Consumer A, and I need to allow Consumer B interact with my service using a different token (for authentication) than Consumer A.
- This would lead to enhancing WS-Policy, WS-SecurityPolicy and associated standards to bring in consumer focus to them, and vendors supporting it.
Operations (availability, routing, SLAs): How can I route/process messages coming from Consumer A preferentially over Consumer B? I may have SLAs (such as avg response time, concurrency, etc.) set for Consumer A that are different for Consumer B. How can I manage and enforce these consumer centric SLAs?
- Service Management tools need to include consumer identifier in all their metrics and have capability in alarms and rules to act upon this identifier.

Throttling/Shaping: How can I throttle or shape requests on a per consumer basis based on the SLAs defined between service provider and consumer?
- XML Gateways and service bus (ESB) should be able to perform throttling based on consumer identifier.

E2E Tracing (root cause analysis): How can I trace messages end-to-end (from consumer to service infrastructure to application to database) coming from a particular consumer of the service?
- Application and service infrastructure tools need to include the consumer identifier in all their diagnostic and audit logs.

Audit and reporting: How can I run audit reports for a particular consumer-service interaction? Audit records need to include consumer identifier.
- Audit and reporting tools need to be enhanced to include consumer identifier as one of the criteria for reports.

Provisioning: How can my tools allow provisioning of a new consumer that would invoke my service? How can I use a workflow approval process to provision such a consumer for my service? How can I provision application identitiesand certificates that relate to a particular consumer through a well defined process?
- Service provisioning and workflow tools need to include the concept of consumer provisioning (or consumer onboarding).

Social apps: How can I enable service-consumer interactions using social apps? How can I notify availability of a new version of the service using Twitter like apps? Or, let consumers share their experience and learning in using the service?
- Social tools such as wikis, discussion boards, etc. should be integrated into service infrastructure tools to provide service-consumer interaction.

If your company has similar needs, then pls share your use cases by commenting to this blog entry.

Web Application Description Language (WADL)

2009-10-19T11:12:00.000-07:00

Sun has submitted "Web Application Description Language" (WADL) spec to W3C.
It's a desription language analogous to WSDL, but for REST/API services. It's also supposed to describe relationships between the resources.
See http://www.w3.org/Submission/wadl/

Implementation: There is a current implementation of it as part of Jersey JAX-RS.

An Amazon service in WADL is represented as

 1 <application xmlns="http://wadl.dev.java.net/2009/02" 
 2   xmlns:aws="http://webservices.amazon.com/AWSECommerceService/2005-07-26" 
 3   xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
 4   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 5   xsi:schemaLocation="http://wadl.dev.java.net/2009/02 wadl.xsd"> 
 6 
 7   <grammars> 
 8     <include href="AWSECommerceService.xsd"/> 
 9   </grammars> 
10 
11   <resources base="http://webservices.amazon.com/onca/"> 
12     <resource path="xml"> 
13       <method href="#ItemSearch"/> 
14     </resource> 
15   </resources> 
16 
17   <method name="GET" id="ItemSearch"> 
18     <request> 
19       <param name="Service" style="query" 
20         fixed="AWSECommerceService"> </param> 
21       <param name="Version" style="query" fixed="2005-07-26"> </param> 
22       <param name="Operation" style="query" fixed="ItemSearch"> </param> 
23       <param name="SubscriptionId" style="query" 
24          type="xsd:string" required="true"> </param> 
25       <param name="SearchIndex" style="query" 
26          type="aws:SearchIndexType" required="true"> </param> 
27          <option value="Books"/> 
28          <option value="DVD"/> 
29          <option value="Music"/> 
30 
31       <param name="Keywords" style="query" 
32         type="aws:KeywordList" required="true"> </param> 
33       <param name="ResponseGroup" style="query" 
34         type="aws:ResponseGroupType" repeating="true"> </param> 
35          <option value="Small"/> 
36          <option value="Medium"/> 
37          <option value="Large"/> 
38          <option value="Images"/> 
39 
40     </request> 
41     <response> 
42       <representation mediaType="text/xml" 
43         element="aws:ItemSearchResponse"/> 
44     </response> 
45   </method> 
46 </application>

Would like to hear your comments on whether you find this spec useful. Currently, it doesn't have a security profile. What would you like to see defined in such security profile?

Why are businesses caring about the Cloud?

2009-10-16T15:31:00.001-07:00

Cloud computing is a buzzword these days. Every customer I meet have some pilot project going on that relates to the cloud. Here are some of the drivers for it's adoption that I see from my perspective.

Business Drivers:

CFOs love it - The "public cloud and managed private clouds" model removes technology capital expenditure (capex) from the company balance sheets. So, CFOs love the pay-as-you-go monthly subscription model that this brings in.
Reduce hardware costs: Even when companies don't want to go the public/managed cloud route yet, by adopting the private clouds, companies want to realize the benefits of eliminating unused computing power.
Go to market faster - Since, this avoids the long hardware procurement cycles, businesses can bring a solution faster to market.
Brings in new ways of interacting with customers - Cloud is bringing in new application programming models that makes it easy for companies to interact with customers using Web 2.0, mobile, widgets, social networking apps - such as Google App Engine, Google apps. A company wants to

Technical Drivers:

Parallel development: Once the company procures the software license, they want to immediately start prototyping and developing the solution (in the cloud). Once, they get hardware for it, they want to move the solution from the cloud into the datacenter for test/stage and finally taking into production.
Scales up and down to meet demand: IT doesn't have to plan for capacity and worry about expenditure on over capacity as cloud offers automatic up and down scaling based on demand.
Leverage existing functionality provided by hosted solutions: Customers are embedding certain solutions from publicly hosted solutions such as Workday, Salesforce.com into their business processes to reduce the complexity, and get to market faster.
Enables self-service: This model gives full control on how you want to manage and use resources available to you.

If you have inputs into these drivers or have others drivers that's leading to adoption in your company, pls comment to this blog entry.

OWSM presentation and demo pod at Oracle Open World (OOW) 2009 in San Francisco

2009-10-06T16:56:00.001-07:00

I'll be doing following presentations at this year's Oracle Open World 2009 (OOW)in San Francisco.

S310006

Leveraging Oracle Web Services Manager in Oracle Fusion Middleware 11g to Manage Security

Marriott Hotel Golden Gate B3

Tuesday 10/13/2009 13:00 - 14:00

Also, visit us at our Demo pod Oracle Fusion Middleware Security, Moscone West, W-111

Here are some focus on docs that might be helpful in navigating the jungle of presentations/demos.

And, all Focus On docs can be found here http://www.oracle.com/us/openworld/030606.htm

OWSM 11g resources

2009-09-30T12:44:00.001-07:00

Here are some resources on OWSM 11g that might be useful.

OTN site - contains links to download, documentation, white papers, etc. - worth bookmarking
OWSM 11g whitepaper
XML Gateway ecosystem partners - Intel, Layer7, Sonoa, Vordel (will write another blogpost covering it)
11g FAQ on Oracle Wiki - It's on public wiki, and I encourage you to contribute to it. This is in addition to FAQs I post on this blog.
Troubleshooting tips on Oracle Wiki - It's on public wiki, and I encourage you to contribute to it.
Oracle's Youtube channel - Search "OWSM" in youtube's search box

OWSM videos on youtube

2009-09-30T12:12:00.000-07:00

We'll be posting OWSM videos to youtube covering features and benefits as well as How-Tos for some common scenarios.
Take a look at the first video posted on Oracle's youtube channel OracleWebVideo. You can also search for "OWSM" directly from youtube.com

You can provide blog comments on areas you wish us to cover.

Why does STS WS-Trust spec differ for SAML usage?

2009-09-30T11:48:00.001-07:00

WS-Security SAML token profile lists usage of 3 types of tokens represented using the confirmation-method element.

bearer
sender-vouches
holder-of-key (HOK)

But, WS-Trust RST template (which is also exposed through WS-SecurityPolicy) lists the following token types - SAML 11, SAML 20. It doesn't list any confirmation methods - bearer, sender-vouches, HOK

Instead, it lists key-type with these values

Symmetric
Public
Bearer

To request STS for SAML 2 bearer token one sets

token type = SAML2

key type = Bearer

To request STS for SAML 2 HOK asymmetric token one sets

token type = SAML2

key type = Public

To request STS for SAML 2 HOK symmetric token one sets

token type = SAML2

key type = Symmetric

What does one set to get SAML sender-vouches token? WS-Trust spec doesn't handle it today.

Why did the WS-Trust spec authors come up with another representation mechanism instead of reusing the SAML token profile mechanism of representing tokens using confirmation-method?
Hope these issues can be fixed in a later version of WS-Trust spec.

FAQ - OWSM 11g: Can I deploy OWSM policy manager on a different VLAN?

2009-09-30T11:38:00.001-07:00

OWSM policy manager is a JEE application that is deployed on a Weblogic (WLS) managed server. Some customers who like to segregate deployments of security apps and integration/business apps into different VLANs, can deploy OWSM policy manager on a separate Weblogic server running in security VLAN by following these steps.

Step 1: Run RCU to install database schema required for SOA Suite install. This can be running on a server in a database VLAN
Step 2: Install SOA Suite on a server in security VLAN. This will contain OWSM policy manager running on managed server and EM FMW control running on AdminServer.
Step 3: Install WLS managed server (using SOA Suite installer) on a server in application VLAN, joining the WLS domain from step 1 install.
Step 4: Deploy SOA composite apps to the managed server in application VLAN, and start applying OWSM policies to it using EM (or in JDeveloper itself)

FAQ - OWSM 11g: What port does OWSM policy manager listen on?

2009-09-30T11:22:00.001-07:00

OWSM 11g policy manager provides an RMI interface for communicating with OWSM agents and Enterprise Manager.
On Weblogic server, it uses the configured RMI port for Weblogic which by default is 7001.
Weblogic multiplexes different protocols (incl. HTTP, RMI, etc.) on the same port.

FAQ - OWSM 11g: How does OWSM/Oracle SOA work with .NET

2009-09-30T11:18:00.000-07:00

OWSM works with .NET in 3 areas

OWSM 11g policies are WS-* standards compliant and interoperable on the wire with .NET WCF.
Oracle and Microsoft have tested interoperability at several interop events.
OWSM supports WSS 1.1 Kerberos token profile for both client and service policies to provide identity propagation using kerberos instead of SAML in .NET environments.

FAQ - OWSM 11g: What is local optimization and impact of it on OWSM policies?

2009-09-03T22:27:00.000-07:00

Oracle SOA Suite has a feature called local optimization. When it is ON (by default it's ON), a SOA composite invokes another SOA composite within the same Weblogic (WLS) server or cluster of WLS servers bypasses the whole SOAP stack, and makes a direct java call to optimize the invocation.

What is the impact of local optimization on OWSM policy execution?
When local optimization is ON, OWSM policies are bypassed and hence aren't executed.

How do I turn off local optimization?
In the SOA composite (composite.xml) which invokes another SOA composite, add the following property to the reference calling the service.

<reference>
......
<property name="oracle.webservices.local.optimization">false</property>
</reference>

Oracle Fusion Middleware 11g launched

2009-07-01T13:41:00.001-07:00

Oracle Fusion Middleware 11g has been launched today. It has been in the making for 3+ years, and is the first release after the completion of integration between Oracle and BEA products into unified suites. Also, see Q&A with Thomas Kurian, Oracle Newsroom, podcasts, and explore new videos, whitepapers, and more.

What's new in OWSM 11g?

Unified management and monitoring through Oracle Enterprise Manager.
Built-in agents (no install required)
Policy governance including reusable policies and policy impact analysis
Enhanced WS-* standards support
Interoperability with .NET and other security stacks
Automatic identity propagation through chain of services
Common authentication across web services and web applications
JDeveloper integration for policy attachment at design time
Audit and reporting with built-in correlation of audit logs for a given transaction

For further details, visit OWSM's page on Oracle Technology Network (OTN) and download the 11g whitepaper.

FAQ - OWSM 10.1.3: What are the different types of agents OWSM support?

2009-06-01T15:05:00.001-07:00

OWSM supports the following agents as of 10.1.3.4 release

Client and server agents for Oracle 10gR3 BPEL and Oracle 10gR3 ESB. The BPEL and ESB app could be running on OC4J or other supported application servers.
Client and server agents for 10gR3 OC4J application server
Client and server agents for AXIS 1.1 and 1.4 on 10gR3 OC4J
Server agents for Weblogic Server 9.2
Server agents for Websphere 6.1.x
Server agents for JBoss 4.0.5

Google Wave: Going to change the way we would communicate and collaborate

2009-06-01T03:45:00.001-07:00

Google Wave made me so excited that I couldn't stop sharing my thoughts on it. It's good in a way that it has prompted me to come out of hibernation and start blogging again.

Last week during the Google I/O conference, Google unveiled developer preview of it's new collaboration tool "Wave" that in my view is going to change the way we communicate.

It's built by the same Rasmussen brothers who built the famous Google Maps.

Check out the recorded demo on youtube here http://wave.google.com/. Wave runs entirely in a browser, is based on HTML 5 and a new protocol http://www.waveprotocol.org/.

Wave will be interacting with email, IM, blogs, wikis, social networking sites, Document sharing and revisions, all under a single Wave interface. Wikis which we find tremendously useful will become thing of the past.

I found 3 features delivering the "Wow factor"

- Sharing is as easy as drag and drop.
- Other person sees as you type eliminating wait and watch.

- Playback of change history

Also, see techcruch article covering it.

What are other notable announcements from the conference?

AppEngine for Java - Platform to write webapps in Java that runs on Google's scalable infrastructure. Google is providing it's own servlet container, datastore and service interfaces. Authentication will be provided using OAUTH , Google's authentication mechanism. For more info http://code.google.com/appengine/docs/java/overview.html
Google Elements - easy way to embed google products into websites

Complete details on the conference can be found here http://code.google.com/events/io/.

Support tribal children in India through grant from AMEX

2008-09-21T22:01:00.001-07:00

American Express is providing $2.5 million in funding to carry out winning projects, based on the total votes they receive in the final round of voting. Winning project gets $1.5 million in funding, with the rest $1 million given to the other top 4 out of 5 projects.

The Jharkand Tribal Project is an investment in a bright future for generations of tribal people - education for children and adults, caring for the environment and providing employment through organic farming practices, preserving indigenous crafts such handcrafts & weaving and preserving cultural identity and values through holistic education. We aim to strengthen the individual in every community by teaching life skills such as yoga and meditation.

The fullfilling organization for this project is "Art of Living Foundation".

Oracle WebLogic Server 10g Release 3 released

2008-08-07T13:48:00.001-07:00

After BEA's acquisition by Oracle, the first release of Weblogic server now known as "Oracle Weblogic Server" has been released as Oracle Weblogic Server 10.3. More information including download link is available here.