4 Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware

In Oracle Fusion Middleware 11g Release 1 (11.1.1), Oracle Web Services Manager (WSM) security and management has been completely redesigned and rearchitected. The previous release, Oracle WSM 10g, was delivered as a standalone product or as a component of the Oracle SOA Suite. In the 11g release, Oracle WSM has been integrated with Oracle WebLogic Server as part of the Oracle Fusion Middleware SOA Suite.

This chapter contains the following sections:

How Oracle WSM 10g is Redesigned in Oracle Fusion Middleware 11g Release 1 (11.1.1)

Oracle WSM 10g has been rearchitected in Oracle Fusion Middleware 11g Release 1 (11.1.1), as follows:

  • Oracle WSM Agent functionality is integrated into Oracle WebLogic Server. In Oracle Fusion Middleware 11g, the Oracle WSM 10g Agents are managed by the security and management policy interceptors.

  • Policy management and monitoring is integrated into Oracle Enterprise Manager Fusion Middleware Control. The functions of the Oracle WSM Monitor and the Web Services Manager Control have been integrated into Fusion Middleware Control. This allows you to manage your enterprise from one central location.

  • Oracle WSM Policy Manager enforces additional Web service QoS requirements. The Oracle WSM Policy Manager manages not only security policies but also other types of policies, such as Message Transmission Optimization Mechanism (MTOM), Reliable Messaging, Addressing, and Management.

  • The Oracle WSM Database is replaced by the Oracle WSM Repository, which stores Oracle WSM metadata such as policies, policy sets, assertion templates, and policy usage data. The Oracle WSM Repository is available as a database (for production use) or as files in the file system (for development use in JDeveloper).

  • Oracle WSM 10g policies have been replaced by Oracle WSM 11g policies. For a discussion of the differences between the policies in 10g and 11g, see "Comparing Oracle WSM 10g and Oracle WSM 11g Policies".

Some Oracle WSM 10g features will not be supported in the first release of Oracle Fusion Middleware:

  • A subset of Oracle WSM 10g components will not be supported in this first release of Oracle Fusion Middleware 11g.

    You can continue to use the Oracle WSM 10g Gateway components with Oracle WSM 10g policies in your applications. For information about Oracle WSM 10g interoperability, see "Interoperability with Oracle WSM 10g Security Environments" in Interoperability Guide for Oracle Web Services Manager.

  • Oracle WSM 10g supported policy enforcement agents for third-party application servers, such as IBM WebSphere and Red Hat JBoss. Oracle Fusion Middleware 11g Release 1 (11.1.1) only supports Oracle WebLogic Server. Support for third-party application servers will follow this release.

The comparison between 10g and 11g components is summarized in Table 4-1 and the components are identified in Figure 4-1 and Figure 4-2.

Table 4-1 Comparison of Oracle WSM 10g and Oracle Fusion Middleware 11g Release 1 (11.1.1)


| No. | Description of Functionality | Oracle WSM 10g Component | Oracle Fusion Middleware 11g Release 1 (11.1.1) Component |
|---|---|---|---|
| 1 | Policy enforcement point | Oracle WSM Server and Client Agents, Oracle WSM Gateway | Oracle WSM Agent which manages the policy interceptors. There is no equivalent component for the Oracle WSM Gateway in Oracle Fusion Middleware 11g Release 1 (11.1.1). |
| 2 | GUI Component to author policies and attach policies to Web services | Web Services Manager Control | Oracle Enterprise Manager Fusion Middleware Control |
| 3 | Component to manage policies | Oracle WSM Policy Manager | Oracle WSM Policy Manager |
| 4 | Component used to monitor Web services data | Oracle WSM Monitor | Oracle Enterprise Manager Fusion Middleware Control and Oracle Enterprise Manager Grid Control |
| 5 | Policy Store | Oracle WSM Database | Oracle WSM Repository |


Figure 4-1 illustrates the Oracle WSM 10g components, and the numbers in Table 4-1 identify the components in this figure.

Figure 4-1 Oracle WSM 10g Components


Figure 4-2 shows the Oracle Fusion Middleware 11g Release 1 (11.1.1) components, and the numbers in Table 4-1 correspond to the components in the figure.

Figure 4-2 Oracle Fusion Middleware 11g Web Services Security Components


Comparing Oracle WSM 10g and Oracle WSM 11g Policies

In both Oracle WSM 10g and Oracle WSM 11g, policies are used to enforce security. However, the structure of the policies is somewhat different. In Oracle WSM 10g a policy consists of a Request Pipeline and a Response Pipeline, each comprised of one or more policy steps.

For example, in Figure 4-3, the Request Pipeline consists of the following policy steps: Extract Credentials, LDAP Authenticate, and LDAP Authorize. The Response Pipeline contains a different policy step, XML Encrypt. The Request Pipeline and Response Pipelines can be comprised of different policy steps, and, therefore, different behaviors can be executed in the request and response messages.

Figure 4-3 Oracle WSM 10g Policy Pipeline


In Oracle WSM 11g, policies are comprised of one or more assertions, and you control the assertions that are used in the request and response messages. For example, in Figure 4-4, the example 11g policy contains two assertions:

  1. wss11-username-with-certificates

  2. binding-authorization

Figure 4-4 Oracle WSM 11g Policy Pipeline


When the request message is sent to the Web service, the assertions are executed in the order shown. When the response message is returned to the client, the same assertions are executed, but this time in reverse order. The behavior of the assertion for the request message differs from the behavior for the response message. And, in some instances, it is possible that nothing happens on the response. For example, in the example above, the authorization assertion is only executed as part of the request.
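The ordering rule described above, shown as an added example that is not part of the Oracle documentation: a toy Python model in which one assertion list is run in listed order for the request and in reverse for the response, and an assertion with no response behavior does nothing. All class, function, and field names are hypothetical rather than Oracle WSM APIs, the credentials are constructed, and the response-side behavior of the first assertion is an assumed placeholder.

```python
# Toy model of Oracle WSM 11g assertion ordering (added illustration).
# All class, function and field names are hypothetical, not Oracle WSM APIs.
from dataclasses import dataclass
from typing import Callable, Optional

USERS = {"alice": "constructed-secret"}   # constructed sample credentials
ALLOWED = {"alice"}                       # constructed authorization list

def authenticate(msg: dict) -> None:
    # Request side of the first assertion: establish the caller's identity.
    user = msg.get("username")
    if user not in USERS or USERS[user] != msg.get("password"):
        raise PermissionError("authentication failed")
    msg["subject"] = user

def protect(msg: dict) -> None:
    # Assumed placeholder for the first assertion's response-side behavior.
    msg["protected"] = True

def authorize(msg: dict) -> None:
    # Request side of binding-authorization: relies on the subject set earlier.
    if msg.get("subject") not in ALLOWED:
        raise PermissionError("authorization failed")

@dataclass
class Assertion:
    name: str
    on_request: Optional[Callable[[dict], None]] = None
    on_response: Optional[Callable[[dict], None]] = None  # None: nothing happens

POLICY = [
    Assertion("wss11-username-with-certificates", authenticate, protect),
    Assertion("binding-authorization", authorize, None),
]

def run(policy, msg, direction):
    """Run assertions in listed order for a request, reversed for a response."""
    ordered = policy if direction == "request" else policy[::-1]
    trace = []
    for a in ordered:
        handler = a.on_request if direction == "request" else a.on_response
        if handler is None:
            trace.append(f"{a.name}: no-op")
            continue
        handler(msg)
        trace.append(f"{a.name}: executed")
    return trace

if __name__ == "__main__":
    print(run(POLICY, {"username": "alice", "password": "constructed-secret"}, "request"))
    print(run(POLICY, {"body": "result"}, "response"))
```

Running the same request against the list in the opposite order fails at authorization, because no subject has been established yet. That is why the order in which assertions are listed in a policy matters.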

For information about how the Oracle WSM 10.1.3 policy steps can be mapped to Oracle WSM 11g predefined policies, see "Upgrading Oracle Web Services Manager Policies" in Upgrade Guide for Oracle SOA Suite, WebCenter, and ADF Release 11g.

Comparing Oracle Application Server 10g WS-Security with Oracle WSM 11g

The following list identifies the primary enhancements to Oracle WSM 11g over Oracle Application Server 10g WS-Security:

  • Centralized policy management. Using the Oracle WSM Policy Manager, you centrally define security and management policies.

  • Custom policy support. You can create custom policies that support your security and management policy requirements, if the predefined policies do not meet your needs.

  • Toolset used to manage and attach policies. Security administrators can use Oracle Enterprise Manager Fusion Middleware Control to manage policies and attach them to Web services. Developers can attach security policies at development time, using Oracle JDeveloper or another IDE.

  • Policies managed at the enterprise level. Policies are defined at the enterprise level and not at the application level.

Interoperability and Upgrade

Oracle WSM 11g can interoperate with the following 10.1.3 components:

In addition, you can interoperate with the following components:

You can upgrade the following 10.1.3 features to Oracle Fusion Middleware 11g Release 1 (11.1.1):