Vikas Jain

Subscribe to Vikas Jain feed
A blog of SOA and web services security technology I'm working on ...
Updated: 5 hours 25 min ago

Moved to a new blog

Mon, 2011-11-07 16:15
I've moved to a new blogging platform provided by my employer Intel at http://blogs.intel.com/cloud-access-security/
Hope, you will follow my posts there.

Netflix in the Cloud

Thu, 2010-10-14 15:51
Netflix is adopting (public) cloud with full force. Check out these few slides around the drivers and their roadmap for such move. Does it mean in the future IaaS providers will start to provision nVidia/ATI GPU based machines for faster video codec processing?

Cloud SSO heating up

Thu, 2010-10-07 18:40
In the early part of this decade, SSO vendors (Oblix, Netegrity, Tivoli, etc.) provided solution that made life simple and brought efficiencies for both employees and IT by eliminating the need to remember and maintain/reset tens if not hundreds of username/password combinations that allowed employees to access internal applications needed for their job.

In the next wave, these SSO solutions moved into partner and consumer facing applications where federation was brought in to mediate between different security systems leading to popularization of SAML standard.

Fast forward to now - As new set of applications get delivered as SaaS, SSO had to catch-up with this new deployment model, and new products/solutions are emerging to solve these challenges.

  • TriCipher (acquired by VmWare) - VmWare saw this need early on as it tries to deliver the vCloud platform. This piece may also become the security mediator between vCloud deployments and external SaaS/cloud offerings. Will have to watch what VmWare does with it.
  • PingIdentity - The PingFederate solution addresses this need. PingIdentity has been a pioneer in the SAML federation space.
  • Symplified - Started by ex-PingIdentity folks, it has quickly earned a name for itself in this space.
  • Vordel - It's Cloud Service Broker provides solution in this space.
  • Citrix OpenCloud Access - This is the latest addition to this space, available as an optional module for Citrix Netscaler. Announced yesterday at Citrix Synergy (Citrix's annual user conference), this should also help Citrix implicitly sell more of it's GoToMeeting product line.
As you can see the market for Cloud SSO is heating up ...

Access Google address book via LDAP using OVD

Thu, 2010-10-07 17:45
My colleague Mark Wilcox who also runs a blog created an integration between Oracle Virtual Directory (OVD) and Google address book.
This solves use cases for customers who use Google Apps for business, and would also like to use Google as their source of identity instead of maintaining user profiles in their own LDAP stores. OVD provides a nice virtual LDAP interface on top of this Google identity store. Customers can leverage it for SSO of their enterprise apps using Google identities. Where there's a need to add custom attributes to the user's Google profile, OVD has a provision to allow addition of such attributes without modifying the schema of Google identity store (which anyways is inaccessible).

Note that this is different from the SAML federation that Google supports for access to "Google Apps" using enterprise identities that come from enterprise LDAP.

OWSM optimized for Oracle SPARC T3 server

Tue, 2010-09-21 02:20
Oracle's Executive VP John Fowler in his keynote at Oracle OpenWorld conference, announced release of Oracle SPARC T3 server.
The SPARC T3 processors pack 16 cores and 16 on-chip CMT crypto accelerators in a single socket.

OWSM has been optimized to take full advantage of such hardware acceleration by integrating with Solaris Cryptographic Framework that provides crypto acceleration passthrough into the hardware for both SPARC and Intel processors.

See integration whitepaper: High Performance Security for SOA and XML Web Services using Oracle Web Services Manager and Oracle SPARC Enterprise T-Series Servers

OWSM indeed is delivering the promise of Hardware and software engineered to work together.

OWSM at Oracle OpenWorld and JavaOne 2010

Wed, 2010-09-15 02:08

Oracle OpenWorld and JavaOne 2010 is coming up next week.
Listed below is OWSM's presence at the conference.

Demo Pod:

Title: SOA Security

Demo Area: Middleware
Pod #: W-177


Sessions:
ID#: S317146

Title: Securing Web Services: Solutions, Best Practices, and More

Track: OpenWorld: Middleware: Identity Management

Date: Tue, 21-Sep-10

Time: 12:30-13:30

Venue: Moscone South, Room: 309


ID#:S314100

Title: Security Threats and Countermeasures for REST and Cloud Services

Track: JavaOne: Enterprise Service Architectures and the Cloud

Date: Wed, 22-Sep-10

Time: 10:00-11:00

Venue: Parc 55

Room: Cyril Magnin II


ID#: S316710
Title: Analysis of Security & Compliance on Sun SPARC Enterprise T-Series Servers
Track: Sun SPARC Servers
Date: Thu, 23-SEP-10
Time: 12:00 - 13:00
Venue: Moscone South, Room: 252


Hands-on-Lab:

ID# S314098

Title: Securing Web Services

Track: Java One: Java EE Web Profile and Platform Technologies

Date: Wed, 22-Sep-10

Time: 12:30-14:30

Venue: Hilton San Francisco, Room: Plaza A


Focus On documents:

Highly recommended to navigate through the maze

Identity Management

Security

Service Oriented Architecture
Central link to all focus on documents


Hope to see you there.


Oracle Identity Management (IdM) 11g learn more resources

Wed, 2010-09-15 01:39
Returning back to blogging from hiatus. Have been super busy lately. Fist post after this gap has to be on Oracle IdM 11g which was released 2 months back. Note that OWSM 11g was released earlier with SOA 11g last year.
If you haven't had a chance to view details on Oracle IdM 11g, here's a quick list that can get you started.

OWSM 11g self paced online course

Thu, 2010-07-15 02:00
Oracle University (OU) has published an online course on OWSM 11g on iLearning.
  • Oracle Web Services Manager 11g: Essentials - D67432GC10

  • Oracle Web Services Manager 11g: Securing SOA Components - D67433GC10
These are self paced online courses that provide a quick way to get started on OWSM.

HowTo - OWSM 11g: Install OWSM on base Weblogic

Wed, 2010-06-30 14:56
If you have a vanilla Weblogic (WLS) environment with no Fusion Middleware components deployed such as SOA Suite, Webcenter, etc., and you have JAX-WS clients and web services deployed in such an enviornment, you can secure these clients and services using OWSM by following this guide for step-by-step instructions on how to set it up. These instructions will be included into official documentation in the near future.

Note that these are just install instructions, with no change or bearance to the licensing model. As of Jun 2010, OWSM is licensed only through SOA Suite, and doesn't come with a standalone license. In short, to secure your clients & services using OWSM on base Weblogic, you would need to acquire SOA Suite license on top of Weblogic license.


var docstoc_docid="45646770";var docstoc_title="How To install OWSM 11gR1 on base Weblogic";var docstoc_urltitle="How To install OWSM 11gR1 on base Weblogic"; How To install OWSM 11gR1 on base Weblogic
Thanks to Amit Gokhru for validating and documenting these instructions.

FAQ - Using HTTP token policies with OWSM

Wed, 2010-06-30 13:42
When using HTTP token policies with OWSM 11g, you may want to review the following to understand their implementation behavior.

What types of HTTP token policies are available?
Following pre-defined OWSM policies are available out-of-the-box.
Client policies: oracle/wss_http_token_client_policy, oracle/wss_http_token_over_ssl_client_policy
Service policies: oracle/wss_http_token_service_policy, oracle/wss_http_token_over_ssl_service_policy

What does HTTP token policies do?
On the client side, it adds base64 encoded username/password per the Basic Authentication scheme to the HTTP Authorization header according to RFC822 and RFC2617
For example, Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
On the service side, OWSM agent gets hold of this HTTP header, decodes the username/password, and uses it to authenticate against the configured identity store through OPSS login module and WLS authenticator. Additionally, if oracle/wss_http_token_over_ssl_service_policy is used, it checks if SSL connection was indeed used to connect to the service.

Is the HTTP Authorization header sent with every message? If not, how can I enable it to be sent with every message?
No. Oracle web services stack follows the challenge-response authentication mechanism wherein client doesn't send an authorization header in the initial request to which service responds back with a 401 (Unauthorized) HTTP message. Client then stuffs the Authorization header into the second request which is then processed by the service.
This default behavior can be altered such that the Authorization header is always sent by setting a property on the client side.
In the request context, set the property ClientConstants.PREEMPTIVE_BASIC_AUTH to true

How can I disable SOAP security header inclusion when using HTTP token with SSL client policy?
The out-of-box oracle/wss_http_token_over_ssl_client_policy policy is configured to include a timestamp element in the SOAP security header similar to below.
<code style="color:#000000;word-wrap:normal;"> <wsse:Security xmlns:wsse="<a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</a>" env:mustUnderstand="1">  <br />      <wsu:Timestamp xmlns:wsu="<a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd</a>" wsu:Id="Timestamp-oq2ulH1wHpSwkqAlKMaf5Q22">  <br />           <wsu:Created>2010-06-21T15:28:02Z</wsu:Created>  <br />           <wsu:Expires>2010-06-21T15:33:02Z</wsu:Expires>  <br />      </wsu:Timestamp>  <br /> </wsse:Security  <br /></code>

This can be disabled by modifying the client policy with timestamp attribute value set to false.
Note that oracle/wss_http_token_client_policy doesn't include the SOAP header.

HowTo - OWSM 11g: Prevent PII data leakage in Oracle SOA composites

Wed, 2010-06-23 17:07
When SOA endpoint is protected using OWSM service policy, then message can be decrypted, but after that if the message contain PII attributes, they can end up in clear in logs and instance viewer in the console.
To provide security for prevention of such PII data leakage, there is an OWSM custom policy assertion available written by Robin Zimmermann and Rakesh Saha that allows selective attribute encryption within the application, and then decrypt it on the way out before it's re-encrypted using the OWSM client side policy.
See https://owsm-11g-custom-assertions.samplecode.oracle.com/

btw, Oracle BPEL 10g provided a feature for obfuscating attribute data. This solution is better than that approach as it uses digital encryption instead of obfuscation technique, and is policy based.

vmForce - adding new age features to the application platform

Thu, 2010-06-03 00:08
As VmWare and Force.com joined hands to create the vmForce platform for cloud applications it's interesting to note how some of the new age features are becoming part and parcel of the application infrastructure.

Few years back, an application server with servlet, EJB containers, connection pooling and other services was considered to be an application platform. Then with the SOA wave, features like orchestration (BPEL), service bus (for routing, transformation), adapters (for connecting apps), and governance tools became part of the platform leading to development of composite applications.
Now, vmForce is taking it another step ahead including features such as social apps like collaboration, google like search for any data, mobile access, BPM and reporting dashboards to be part of the platform, relieving application developers and administrators from integration pains with external tools providing these features.

Following vmForce feature list is extracted from Anshu's blogpost on this topic.
  • Social Profiles: Who are the users in this application so I can work with them?
  • Status Updates: What are these users doing? How can I help them and how can they help me?
  • Feeds: Beyond
    user status updates, how can I find the data that I need? How can this
    data come to me via Push? How can I be alerted if an expense report is
    approved or a physician is needed in a different room?
  • Content Sharing: How
    can I upload a presentation or a document and instantly share it in a
    secure and managed manner with the right set of co-workers?
  • Search: Ability to search any and all data in your enterprise apps
  • Reporting: Ability to create dashboards and run reports, including the ability to modify these reports
  • Mobile: Ability to access business data from mobile devices ranging from BlackBerry phones to iPhones
  • Integration: Ability to integrate new applications via standard web services with existing applications
  • Business Process Management: Ability to visually define business processes and modify them as business needs evolve
  • User and Identity Management:
    Real-world applications have users! You need the capability to add,
    remove, and manage not just the users but what data and applications
    they can have access to
  • Application Administration: Usually an afterthought, administration is a critical piece once the application is deployed

Connecting Salesforce.com from Google AppEngine using OAuth

Wed, 2010-06-02 23:47
Here's a blogpost on how to connect and authenticate salesforce.com from an application deployed on Google AppEngine using OAuth protocol.
http://blog.sforce.com/sforce/2010/04/connecting-google-app-engine-and-salesforcecom-with-oauth.html

See how the complexity of the OAuth protocol has been hidden by the helper APIs of OAuthAccessor and OauthHelperUtils.
Refer to this demo project written by Jeff Douglas.

Force.com security

Wed, 2010-06-02 23:37
You can find resources and links to Force.com platform security for secure cloud development here.
http://blog.sforce.com/sforce/2010/04/introducing-forcecom-secure-cloud-development.html

What I like is how it's organized - complete with education material, security design principles, secure coding guidelines, security testing tools, and how to perform security review - providing end to end guidance on how to implement security for apps deployed on Force.com.

Tech M&A deals of 2010

Wed, 2010-05-19 18:51
Here's some notable tech M&A activity happened till May, 2010.

In Security space,
  • Oracle IdM adding identity analytics (OIA) to it's portfolio through the broader Sun acquisition
  • Symantec enhancing encryption portfolio with PGP, GuardianEdge, and vulnerability assessment offering through Gideon Technologies
  • EMC's RSA Security Division acquired Archer Technologies for GRC across physical+virtual infrastructures
  • Trustwave acquired Intellitactics for SIEM to enhance PCI compliance offering, and BitArmor to enhance endpoint security offering
In Cloud computing space,
  • VmWare seems to be building up Cloud PaaS platform acquiring Spring Source (in 2009) , and now Zimbra, and Rabbit Technologies
  • CA acquired Nimsoft and 3Tera to manage cloud environments
  • Cisco acquired Rohati Systems for cloud security in Cisco's Nexus switch line
In Mobile space,
  • SAP planning to buy Sybase for it's mobile middleware
  • Apple getting Siri, HP getting Palm, RIM getting Viigo
References:
Network World slideshow on Tech acquisitions of 2010
PWC report on Tech M&A insights for 2010

What's new in OWSM 11gR1 PS2 (11.1.1.3.0) ?

Wed, 2010-04-28 03:21
Oracle Fusion Middleware 11gR1 PS2 (Patchset 2) aka 11.1.1.3.0 is released and generally available now.

What's new in OWSM 11gR1 PS2 (11.1.1.3.0)?
  • Agent for OSB 11gR1
  • Enhanced integration for WLS JAX-WS web services (centralized policy mgt, policy attachment through EM, policy advertisement in WSDL, and policy monitoring)
  • IBM DB2 certification of MDS backed policy store
  • WS-Security + WS-AT combination support
  • Enhanced Test-to-Production for policy attachments using deployment plans
Also see,

FAQ - OWSM 11g documentation links

Fri, 2010-03-12 03:22
Listing all OWSM 11gR1 related documentation at one place from the latest patchset.

GuideReleasePart NumberCommentsDocumentation Library Portal11gR1 PS1E15523_01Main site with links to all guidesInstallation Guide for Oracle SOA Suite11gR1 PS1 E13925-02Installing SOA SuiteOWSM Upgrade Guide - 10gR3 to 11gR111gR1 PS1E10127-01Migrating OWSM policies from 10g3 to 11gR1 releaseOWSM Admin Guide (Security and Administrator's Guide for Web Services)11gR1 PS1B32511-02Main OWSM guide covering concepts & management interfacesOWSM Developer's Guide (Securing WebLogic Web Services)11gR1 PS1 E13713-02Covers how to attach policies at design time through JDeveloperOWSM Java API Reference11gR1 PS1E10689-02For writing custom policy assertionsFusion Middleware Audit Framework (Security Guide)11gR1 PS1E10043-04OWSM leverages FMW audit frameworkOWSM Interoperability Guide11gR1 PS1E16098-01Covers  interoperable policies certified against OWSM 10g, .NET, Axis, OSB 10g, WLS native security, etc.OWSM HA Guide11gR1 PS1E10106-02Configuring OWSM for High AvailabilityEnterprise Deployment Guide (EDG) for SOA Suite11gR1 PS1 E12036-02Recommended deployment topologyOWSM Backup and Recovery (Disaster Recovery Guide)11gR1 PS1E15250-01Configuring for disaster recoveryOWSM Performance and Tuning Guide11gR1 PS1E10108-01Performance/TuningOWSM Licensing Information
E14860-07Licensing termsOracle Platform Security Services (OPSS) Guide
11gR1 PS1
E10043-04OPSS GuideOracle Access Manager 10g (10.1.4.3)10.1.4.3
OAM 10g Guides
OWSM leverages OPSS internally for authentication, CSF and few other services. So, some of the above guides/sections should be complemented with OPSS guides.

Intel's cloud chip and physicalization

Mon, 2010-02-22 01:00
Per Intel's CTO Justin Rattner, Intel is working on a single chip cloud computer
  • Parts of the chip will be powered down when not in use
  • First iteration involves a 48 core processor that consumes 25 - 125 watts
  • New term invented "physicalization" which means dedicating one or more cores to a specific application or portion of the application. This is completely opposite to "virtualization" which means running applications on whatever processor resources are available
For complete story, see this Forbes article

Oracle extends BTM and SOA Mgt through Amberpoint acquisition

Mon, 2010-02-08 13:06
Oracle's acquisition of Amberpoint extends it's capabilities around Business Transaction Monitoring (BTM), SOA Management and SOA Governance into it's SOA products offering.

Read the following resources for more info
From the FAQ,
The AmberPoint solution will provide several critical capabilities requested by customers.
• Application Discovery – Automatically discovers components and interactions and ensures visibility of the entire heterogeneous SOA environment
• Application Performance Management – Tracks end-to-end performance and availability
• Business Transaction Management – Ensures reliability of individual business transactions and tracks the progress in real time to pinpoint any issues
• SOA Governance – Provides closed-loop governance by reporting run-time results to design-time governance solutions

Integrating REST clients with STS for token exchange

Fri, 2010-02-05 17:37
Where REST services demand a particular type of token for access, REST clients can potentially integrate with an STS server to acquire the requisite token, and pass it to the service.

I haven't seen customers yet widely asking for such solutions, but need can arise where companies standardize across the applications on tokens such as SAML for access control which carries not only the username information but also attributes associated with user profile.

In such scenarios, following flow would be applicable
  1. REST client acquires token from the STS server preferably through REST binding of STS, but any other supported binding should also be okay.
  2. Once it receives the token, it adds it to the "Authorization" HTTP header of the REST request.
  3. REST service receives the request, and a security interceptor(agent) picks up the token to check for access validity. The interceptor can optionally assert the identity into the service for identity propagation needs.
I would be interested to know if you run into such scenarios, and looking for products to support it. You can leave blog comments.

Pages