B Web Services Security

The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This appendix describes the architecture and configuration of security for Oracle Application Server Web Services, including the Oracle Application Server UDDI Registry.

This chapter covers the following topics:

• About Web Services Security

• Configuring Web Services Security

• About Oracle Application Server UDDI Registry Security

• Configuring UDDI Security

See Also: Oracle Application Server 10g Security Guide Oracle Identity Management Concepts and Deployment Planning Guide

B.1 About Web Services Security

SOAP is the messaging protocol for Oracle Application Server Web Services. Oracle Application Server Web Services only supports HTTP (S) for a transport protocol for SOAP messages. Oracle Application Server security that applies for HTTP(S) can be leveraged for Oracle Application Server Web Services.

Oracle Application Server Web Services supports the following security features:

• Secure Connection: By securing the connection using SSL (HTTPS), one can invoke a Web Service securely.

• Authentication: Basic and Digest Access Authentication can be enforced using HTTP (S) headers. This method is not secure unless the authentication is specified in conjunction with SSL.

• Authorization: Authorization is supported by retrieving the Principal using a User Manager such as the Oracle Application Server Java Authentication and Authorization Service (JAZN) User Manager.

All the HTTP(S) transport security features are applicable to all types of Oracle Application Server Web Services implementations (including stateless and stateful java classes, stateless session bean and stateless stored procedures). In addition, if a stateless session bean is exposed as a Web Service, ACL policies can be enforced on the bean when the connection is authorized by a User Manager and a Principal object is obtained.

If a stored procedure is exposed as a Web Service, then it is secure to encrypt the password of the corresponding data source in the data-sources.xml file.

See Also: Oracle Application Server Containers for J2EE Security Guide Chapter 8, "Configuring EJB Application Security" in the Oracle Application Server Containers for J2EE Enterprise JavaBeans Developer's Guide

B.2 Configuring Web Services Security

When you run a client-side application that uses Oracle Application Server Web Services, you can access secure Web Services by setting properties in the client application. Table B-1 shows the available properties that provide credentials and other security information for Web Services clients.

In a Web Services client application, you can set the security properties shown in Table B-1 as system properties by using the -D flag at the Java command line, or you can also set security properties in the Java program by adding these properties to the system properties (use System.setProperties() to add properties). In addition, the client side stubs include the _setTranportProperties method that is a public method in the client proxy stubs. This method enables you to set the appropriate values for security properties by supplying a Properties argument.

Table B-1 Web Services HTTP Transport Security Properties

Property	Description
http.authRealm	Specifies the realm for which the HTTP authentication username/password is specified. This property is mandatory when using basic authentication.
http.authType	Specifies the HTTP authentication type. The case of the value specified is ignored. Valid values: basic, digest The value basic specifies HTTP basic authentication. Specifying any value other than basic or digest is the same as not setting the property.
http.password	Specifies the HTTP authentication password.
http.proxyAuthRealm	Specifies the realm for which the proxy authentication username/password is specified.
http.proxyAuthType	Specifies the proxy authentication type. The case of the value specified is ignored. Valid values: basic, digest Specifying any value other than basic or digest is the same as not setting the property.
http.proxyHost	Specifies the hostname or IP address of the proxy host.
http.proxyPassword	Specifies the HTTP proxy authentication password.
http.proxyPort	Specifies the proxy port. The specified value must be an integer. This property is only used when http.proxyHost is defined; otherwise this value is ignored. Default value: 80
http.proxyUsername	Specifies the HTTP proxy authentication username.
http.username	Specifies the HTTP authentication username.
java.protocol.handler.pkgs	Specifies a list of package prefixes for java.net.URLStreamHandlerFactory The prefixes should be separated by "|" vertical bar characters. This value should contain: HTTPClient This value is required by the Java protocol handler framework; it is not defined by Oracle Application Server. This property must be set when using HTTPS. If this property is not set using HTTPS, a java.net.MalformedURLException is thrown. Note: This property must be set as a system property. For example, set this property as shown in either of the following: java.protocol.handler.pkgs=HTTPClient java.protocol.handler.pkgs=sun.net.www.protocol|HTTPClient
oracle.soap.transport. allowUserInteraction	Specifies the allows user interaction parameter. The case of the value specified is ignored. When this property is set to true and either of the following are true, the user is prompted for a username and password: If any of properties http.authType, http.username, or http.password is not set, and a 401 HTTP status is returned by the HTTP server. If either of properties http.proxyAuthType, http.proxyUsername, or http.proxyPassword is not set and a 407 HTTP response is returned by the HTTP proxy. Valid values: true, false Specifying any value other than true is considered as false.
oracle.ssl.ciphers	Specifies a list of: separated cipher suites that are enabled. Default value: The list of all cipher suites supported with Oracle SSL.
oracle.wallet.location	Specifies the location of an exported Oracle wallet or exported trustpoints. Note: The value used is not a URL but a file location, for example: /etc/ORACLE/Wallets/system1/exported_wallet (on UNIX) d:\oracle\system1\exported_wallet (on Windows) This property must be set when HTTPS is used with SSL authentication, server or mutual, as the transport.
oracle.wallet.password	Specifies the password of an exported wallet. Setting this property is required when HTTPS is used with client, mutual authentication as the transport.

B.3 About Oracle Application Server UDDI Registry Security

This section covers the following topics:

• Protecting Oracle Application Server UDDI Registry Resources

• Managing and Enforcing Protected UDDI Resources

• Using Oracle Application Server Security Services

See Also: "OracleAS UDDI Registry Administration"

B.3.1 Protecting Oracle Application Server UDDI Registry Resources

Oracle Application Server UDDI resources are protected as follows.

B.3.1.1 Oracle Application Server UDDI Registry

For the OracleAS UDDI Registry, the following resources are protected:

• Data – Write access to the data stored in the OracleAS UDDI Registry is protected; this is typically metadata of Web Services.

• Functions – Administrative operations to the OracleAS UDDI Registry.

• Passwords – N/A. User passwords are protected by JAZN.

B.3.1.2 Oracle Application Server Content Subscription Manager Application

For the Oracle Application Server UDDI Content Subscription Manager application, the following resource is protected:

• Passwords – Password for the UDDI syndication subscriber are protected.

B.3.2 Managing and Enforcing Protected UDDI Resources

Protection for the following OracleAS UDDI Registry resources are managed and enforced as follows.

B.3.2.1 Oracle Application Server UDDI Registry

Oracle Application Server Java Authentication and Authorization Service (JAZN) and the UDDI application manages and enforces write access to the data stored in the OracleAS UDDI Registry. JAZN determines the identity and the security role of a user. Only the owner has rights to update data.

For administrative operations for the OracleAS UDDI Registry JAZN also manages and enforces access; in addition, JAZN protects the servlets that provide administrative operations.

B.3.2.2 Oracle Application Server Content Subscription Manager Application

The application manages the UDDI syndication subscription password used to access Oracle Application Server Syndication Services. The password, which is persistently stored in the database, is further protected by the database DBMS_OBFUSCATION PL/SQL package.

Update of the UDDI syndication subscriber password is available through a UDDI Web-based tool. The web-based tool uses JAZN to query the security role of the authenticated user. The password update facility is available only if the authenticated user has the uddiadmin security role.

B.3.3 Using Oracle Application Server Security Services

UDDI leverages the JAZN User level security features and uses SSL encryption, both server side and client side, for accessing OracleAS Infrastructure 10g options.

B.4 Configuring UDDI Security

To configure UDDI for security, consider the following areas:

• Configuring the Oracle Application Server UDDI Registry

• Configuring the UDDI Content Subscription Manager

• Configuring the UDDI Client

B.4.1 Configuring the Oracle Application Server UDDI Registry

To ensure the confidentiality of the communication between the OracleAS UDDI Registry and clients, do the following:

1. Configure the Oracle HTTP Server/SSL listener to provide HTTPS access.

2. Configure OC4J to prohibit HTTP access.

3. To ensure the communication to a UDDI replication endpoint is authorized, configure the Oracle HTTP Server/SSL listener to enable HTTPS client-certificate based authentication.

Configure all security-sensitive UDDI endpoints, including: publishing, administration, replication wallet administration, and subscription management (typically, the inquiry endpoint does not need to be confidential).

B.4.2 Configuring the UDDI Content Subscription Manager

In order to make the Oracle Application Server Content Subscription Manager functional, you must supply the proper password of the UDDI syndication subscriber.

B.4.3 Configuring the UDDI Client

If you use the UDDI Client Library to develop applications to communicate with the OracleAS UDDI Registry, you can use the Oracle Application Server Web Services security features to configure the HTTP transport properties.

See Also: "Configuring Web Services Security"