3 Securing Oracle Infrastructure Web Services

This chapter describes how to secure Oracle Infrastructure Web services.

• Overview of Web Services Security

• Oracle WSM Predefined Security Policies and Assertion Templates

• Attaching Security Policies

• Configuring Security Policies

Overview of Web Services Security

Web services security includes several aspects:

• Authentication—Verifying that the user is who she claims to be. A user's identity is verified based on the credentials presented by that user, such as:

  1. Something one has, for example, credentials issued by a trusted authority such as a passport (real world) or a smart card (IT world).

  2. Something one knows, for example, a shared secret such as a password.

  3. Something one is, for example, biometric information.

  Using a combination of several types of credentials is referred to as "strong" authentication, for example using an ATM card (something one has) with a PIN or password (something one knows).

• Authorization (or Access Control)—Granting access to specific resources based on an authenticated user's entitlements. Entitlements are defined by one or several attributes. An attribute is the property or characteristic of a user, for example, if "Marc" is the user, "conference speaker" is the attribute.

• Confidentiality, privacy—Keeping information secret. Accesses a message, for example a Web service request or an email, as well as the identity of the sending and receiving parties in a confidential manner. Confidentiality and privacy can be achieved by encrypting the content of a message and obfuscating the sending and receiving parties' identities.

• Integrity, non repudiation—Making sure that a message remains unaltered during transit by having the sender digitally sign the message. A digital signature is used to validate the signature and provides non-repudiation. The timestamp in the signature prevents anyone from replaying this message after the expiration.

For more information about these Web services security concepts, see "Understanding Web Services Security Concepts" in Security and Administrator's Guide for Web Services.

Oracle Web Services Manager (WSM) is designed to define and implement Web services security in heterogeneous environments, including authentication, authorization, message encryption and decryption, signature generation and validation, and identity propagation across multiple Web services used to complete a single transaction. In addition, Oracle WSM provides tools to manage Web services based on service-level agreements. For example, the user (a security architect or a systems administrator) can define the availability of a Web service, its response time, and other information that may be used for billing purposes. For more information about Oracle WSM, see "Understanding Oracle WSM Policy Framework" in Security and Administrator's Guide for Web Services.

Oracle WSM Predefined Security Policies and Assertion Templates

As described in Chapter 2, "Attaching Policies to Oracle Infrastructure Web Services,", Oracle WSM provides a set of predefined policies and assertion templates that are automatically available when you install Oracle Fusion Middleware.

The following categories of security policies and assertion templates are available out-of-the-box:

• Authentication Only Policies

• Message Protection Only Policies

• Message Protection and Authentication Policies

• Authorization Only Policies

For complete details about the predefined security policies and assertion template, see the following sections in Security and Administrator's Guide for Web Services:

• "Security Policies"

• "Security Assertion Templates"

For assistance in determining which security policies to use, see "Determining Which Security Policies to Use" in Security and Administrator's Guide for Web Services.

Attaching Security Policies

You can attach security policies to Oracle Infrastructure Web services and clients at design time using Oracle JDeveloper, or runtime using the Oracle Enterprise Manager. For more information, see Chapter 2, "Attaching Policies to Oracle Infrastructure Web Services."

Configuring Security Policies

You must configure the security policies before you can use them in your environment. The steps to configure security policies are described in "Configuring Policies" in Security and Administrator's Guide for Web Services.

The following table provides references to the configuration steps for each policy category.

Table 3-1 Configuring Security Policies

Policy Category	Configuration Steps in Security and Administrator's Guide for Web Services
Authentication Only Policies	"Authentication-Only Policies and Configuration Steps"
Message Protection Only Policies	"Message Protection-Only Policies and Configuration Steps"
Message Protection and Authentication Policies	"Message Protection and Authentication Policies and Configuration Steps"
Authorization Policies	"Authorization Policies"