Companies worldwide are actively deploying service-oriented architectures (SOA) using Web services, both in intranet and internet environments. While Web services offer many advantages over traditional alternatives (for example, distributed objects or custom software), deploying networks of interconnected Web services still presents key challenges, particularly in terms of security and administration.
This chapter provides an overview of Web services security and administration in Oracle Fusion Middleware 11g.
Web Services Security and Administration in Oracle Fusion Middleware 11g
Securing and Administering Oracle Infrastructure Web Services
The following highlights the main features of Oracle Fusion Middleware 11g Release 1 (11.1.1):
Oracle Web Services Manager (WSM) security and management has been completely redesigned and rearchitected. The previous release, Oracle WSM 10g, was delivered as a standalone product or as a component of the Oracle SOA Suite. In the 11g release, Oracle WSM has been integrated into the Oracle WebLogic Server. For complete details, see "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware".
Oracle Web services can be classified into the following categories:
WebLogic (Java EE) Web services (see "Securing and Administering WebLogic Web Services")
Oracle Infrastructure Web services—SOA, ADF, and WebCenter services (see "Securing and Administering Oracle Infrastructure Web Services")
For more information about the two Web service categories and the types of Web services and clients in Oracle Fusion Middleware 11g, see Oracle Fusion Middleware Introducing Web Services.
To support the two categories, there are two types of policies that can be attached to Web services, as defined in the following table.
Table 1-1 Types of Web Service Policies
| Type of Policy | Description |
|---|---|
|
Oracle Web Services Manager (WSM) Policy |
Policy provided by the Oracle WSM. You can attach Oracle WSM policies to SOA, ADF, and WebCenter Web services. You can attach Oracle WSM security policies only to WebLogic JAX-WS Web services to interface with the SOA/ADF/WebCenter Web services, for example. (You cannot attach Oracle WSM policies to JAX-RPC Web services.) You manage Oracle WSM policies from Oracle Enterprise Manager Fusion Middleware Control and from the command line using custom WebLogic Scripting Tool (WLST) commands. |
|
WebLogic Web Service Policy |
Policy provided by WebLogic Server. For more information about the WebLogic Web service policies, see Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server. A subset of WebLogic Web service policies interoperate with Oracle WSM policies. For more information, see "Interoperability with Oracle WebLogic Server 11g Web Service Security Environments" in Interoperability Guide for Oracle Web Services Manager. You manage WebLogic Web service policies from WebLogic Administration Console. |
Application developers can use Oracle JDeveloper to leverage the security and management features of the Oracle WSM policy framework. For more information about attaching policies using Oracle JDeveloper, see the following sections:
"Attaching Policies to Binding Components and Service Components" in Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.
"Securing Web Service Data Controls" in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
"Using Oracle Web Service Security Policies" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server
"Using Policies with Web Services" in the "Developing with Web Services" section of the Oracle JDeveloper online help
System administrators can use the following tools to secure and administer Web services:
Oracle Enterprise Manager Fusion Middleware Control to secure and administer SOA, ADF, and WebCenter services and to monitor and test WebLogic (Java EE) Web services.
Oracle WebLogic Administration Console to secure and administer WebLogic (Java EE) Web services.
Oracle WebLogic Scripting Tool (WLST) to view, configure, and secure SOA, ADF, and WebCenter Web services.
The following list provides an example of the tasks required to secure and administer Web services:
Deploy, configure, test, and monitor Web services.
Enable, publish, and register Web services.
Attach policies to secure and manage Web services and analyze policy usage.
Create new policies and assertion templates, and manage and configure existing policies.
Create custom assertions to meet the requirements of your application.
Manage policy lifecycle to transition from a test to production environment.
Manage your file-based and database stores in your development and production environments, respectively.
Test interoperability with other Web services.
Diagnose problems.
The steps to develop, secure, and administer Web services vary based on the Web service category in use. The following sections outline the steps required:
To secure and administer Oracle Infrastructure Web services:
At development time, application developers can attach policies, using Oracle JDeveloper or other IDE, to leverage the security and management features of the Oracle WSM policy framework. For more information about attaching policies using Oracle JDeveloper, see the following sections:
"How to Attach Policies to Binding Components and Service Components" in Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.
"Securing Web Service Data Controls" in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
"Using Policies with Web Services" in the "Developing with Web Services" section of the Oracle JDeveloper online help.
System administrators can use the tools described in Table 1-2 to secure and administer Oracle Infrastructure Web services.
Table 1-2 Tools Used to Secure and Administer Oracle Infrastructure Web Services
| Use this tool... | To... |
|---|---|
|
Oracle Enterprise Manager Fusion Middleware Control |
Secure and administer SOA, ADF, and WebCenter services, performing the tasks described in "Web Service Security and Administration Tasks". To access Oracle Enterprise Manager Fusion Middleware Control, see "Accessing Oracle Enterprise Manager Fusion Middleware Control". Oracle Enterprise Manager Fusion Middleware Control leverages Oracle Web Services Manager (WSM) to centrally define security and management policies, and enforce them locally at runtime. For more information about Oracle WSM, see "Understanding Oracle WSM Policy Framework". For more information about Oracle Enterprise Manager Fusion Middleware Control, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide. |
|
WebLogic Scripting Tool (WLST) |
Perform Web service configuration and policy management tasks. To access WLST, see "Accessing the Web Services Custom WLST Commands". For more information about using WLST, see "Getting Started Using the Oracle WebLogic Scripting Tool (WLST)" in Oracle Fusion Middleware Administrator's Guide. |
Part II, "Basic Administration" and Part III, "Advanced Administration" describe how to secure and administer SOA, ADF, and WebCenter services in detail.
To secure and administer WebLogic Web services:
At development time, application developers can attach security policies using Oracle JDeveloper or other IDE. For more information, see the following topics:
"Using Policies with Web Services" in the "Developing with Web Services" section of the Oracle JDeveloper online help.
"Using Oracle Web Service Security Policies" in Securing WebLogic Web Services for Oracle WebLogic Server
System administrators can use the tools defined in Table 1-3 to secure and administer WebLogic Web services.
Table 1-3 Tools Used to Secure and Administer WebLogic Web Services
| Use this tool . . . | To perform the following tasks . . . |
|---|---|
|
Oracle Enterprise Manager Fusion Middleware Control |
Leverage Oracle WSM to perform the following tasks:
For more information about Oracle WSM, see "Understanding Oracle WSM Policy Framework". To access Oracle Enterprise Manager Fusion Middleware Control, see "Accessing Oracle Enterprise Manager Fusion Middleware Control". For more information about Oracle Enterprise Manager Fusion Middleware Control, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide. Note: The following features are not supported for WebLogic Web services in the 11g release:
|
|
Oracle WebLogic Server Administration Console |
Perform all of the tasks described in "Web Service Security and Administration Tasks" to secure and manage WebLogic Web services. To access Oracle WebLogic Server Administration Console, see "Accessing Oracle WebLogic Administration Console". For more information about using the Oracle WebLogic Server Administration Console to secure and administer WebLogic Web services, see "Web Services" in the Oracle WebLogic Server Administration Console Online Help. |
Part IV, "WebLogic Web Service Administration" provides a roadmap for securing and administering WebLogic Web services.
The following sections describe how to access the security and administration tools described in the previous sections.
To access Oracle Enterprise Manager Fusion Middleware Control:
Start the Oracle WebLogic Server.
For more information, see "Start and stop servers" in the Oracle WebLogic Administration Console Online Help.
Open a supported Web browser and navigate to the following URL:
http://hostname:port/em
The Login page displays.
Enter the username and password.
The default user name for the administrator user is weblogic. This is the account you can use to log in to Fusion Middleware Control for the first time. The password is the one you supplied during the installation of Oracle Fusion Middleware.
Click Login.
For more information, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide.
To access Oracle WebLogic Administration Console:
Start the Oracle WebLogic Server.
For more information, see "Start and stop servers" in the Oracle WebLogic Administration Console Online Help.
Open a supported Web browser and navigate to one of the following URLs:
http://hostname:port/console https://hostname:port/console
hostname specifies the DNS name or IP address of the Oracle WebLogic Administration Server and port specifies the address of the port on which the Oracle WebLogic Administration Server is listening for requests (7001 by default).
Use https if you started the Oracle WebLogic Server using the Secure Sockets Layer (SSL).
For a list of supported browsers, see System Requirements and Supported Platforms for Oracle WebLogic Server at: http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html.
The Login page displays.
Enter the username and password.
You may have specified the username and password during the installation process. This may be the same username and password that you use to start the Oracle Administration Server. Or, a username that is granted one of the default global security roles.
Click Log In.
For more information, see "Starting the Console" in the Oracle WebLogic Administration Console Online Help.
To access the Web services WLST commands:
Go to the Oracle Common home directory for your installation, for example /home/Oracle/Middleware/oracle_common.
For information about the Oracle Common home directory and installing Oracle Fusion Middleware, see the Oracle Fusion Middleware Installation Planning Guide.
Start WLST using the WLST.sh/cmd command located in the oracle_common/common/bin directory. For example:
/home/Oracle/Middleware/oracle_common/common/bin/wlst.sh (UNIX)
C:\Oracle\Middleware\oracle_common\common\bin\wlst.cmd (Windows)
When executed, these commands start WLST in offline mode. To use the Web services WLST commands, you must use WLST in online mode.
Start Oracle WebLogic Server.
For more information, see "Start and stop servers" in the Oracle WebLogic Administration Console Online Help.
Connect to the running WebLogic Server instance using the connect() command. For example, the following command connects WLST to the Admin Server at the URL myAdminServer.oracle.com:7001 using the username/password credentials weblogic/welcome1:
connect("weblogic","welcome1","t3://myAdminServer.oracle.com:7001")
For more information about using WLST, see "Using the WebLogic Scripting Tool" in Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
For more information about the Web Services WLST commands, see "Web Services Custom WLST Commands" in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.