Securing Oracle Health Insurance Web Services

OHI web services authenticate the user before executing a request. If the user cannot be authenticated, the server does not process the request and returns an HTTP 401 – Not Authorized response.

OHI SOAP services and RESTful services handle the authentication differently:

  • OHI SOAP services only verify that an authenticated principal executes the request. Oracle Health Insurance does not assume nor enforce the use of a specific authentication mechanism. It is the responsibility of the customer to properly handle the authentication.

  • OHI RESTful services (HTTP APIs) use Basic Authentication as the default authentication mechanism; OAuth2 tokens are also an option. Failing to pass an “Authorization” HTTP header, or passing credentials that fail authentication, results in the server challenging the client for username and password credentials.
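
The following is an added example, not code from Oracle Health Insurance or WebLogic, that shows the server-side behaviour just described: a request handler accepts either a Basic Authentication header (the default) or an OAuth2 Bearer token, and answers a missing or failed credential with 401 plus a `WWW-Authenticate` challenge. The user store, the salt, the accepted token value and the realm name are all constructed for the example; a real deployment delegates these checks to the application server's security realm and token validation.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

REALM = "OHI"  # constructed realm name for the challenge


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user store: username -> password hash (illustrative only).
_SALT = b"constructed-static-salt"
USERS: Dict[str, bytes] = {"ohi_api_user": _hash_password("correct horse battery staple", _SALT)}

# Constructed set of opaque OAuth2 access tokens the server accepts.
# Assumption: token issuance and validation happen elsewhere; here we only match values.
VALID_TOKENS = {"tok-constructed-0001"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a Basic-auth client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Return (http_status, response_headers, authenticated_principal).

    No Authorization header, an unknown scheme, malformed Base64 or a failed
    credential check all yield 401 with a challenge, matching the text above.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", Bearer realm="{REALM}"'}
    auth = headers.get("Authorization")
    if not auth:
        return 401, challenge, None

    scheme, _, value = auth.partition(" ")
    scheme = scheme.lower()

    if scheme == "basic":
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return 401, challenge, None
        user, sep, password = decoded.partition(":")
        if not sep:
            return 401, challenge, None
        expected = USERS.get(user)
        # Always derive a candidate hash so an unknown user costs the same as a wrong password.
        candidate = _hash_password(password, _SALT)
        if expected is None or not hmac.compare_digest(expected, candidate):
            return 401, challenge, None
        return 200, {}, user

    if scheme == "bearer":
        token = value.strip()
        if any(hmac.compare_digest(token, t) for t in VALID_TOKENS):
            # A real validator would take the subject from the token's claims.
            return 200, {}, "oauth2-subject"
        return 401, challenge, None

    return 401, challenge, None


if __name__ == "__main__":
    print(authenticate({}))
    print(authenticate({"Authorization": basic_header("ohi_api_user", "correct horse battery staple")}))
    print(authenticate({"Authorization": "Bearer tok-constructed-0001"}))
```

The constant-time comparisons and the unconditional hash derivation are the two details worth copying into any hand-rolled check: they keep a failed lookup from being distinguishable from a failed password by response timing.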

Authentication for web services can be enforced in many different ways. The following paragraphs describe some options.

Applying SOAP WS-Security Policies

Oracle Health Insurance supports the WS-Security 1.1 standard, also known as WSS. WSS policies can be applied to (attached to) the OHI Components SOAP services in two different ways:

  • Through Oracle WebLogic WSS policies.

  • Through the use of Oracle Web Services Manager (OWSM), a separately licensed product.

    If you use Oracle WSM, make sure it is enabled on the WebLogic domain in which the Oracle Health Insurance application runs. Note that you only need to license OWSM if you apply OWSM WSS policies. You can select OWSM when creating the domain, or add it to an existing domain by extending it later.

    For additional information on using WSS policies please consult the following resources:

    For WebLogic web services policies, see Securing WebLogic Web Services for Oracle WebLogic Server.

    For OWSM web services policies, see Oracle Web Services Manager.
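
As an added illustration, not code from Oracle Health Insurance, WebLogic or OWSM, the block below shows what a UsernameToken-based WSS policy verifies on the server side under the WSS 1.1 Username Token Profile: the `PasswordDigest` is `Base64(SHA-1(nonce + created + password))`, and the verifier also checks the `Created` timestamp against an allowed clock skew and rejects a reused nonce. The user names, passwords, nonces and timestamps are constructed; the namespace URIs and digest type identifier are the standard ones. A hand-written verifier like this is for understanding the policy, since the product applies it through the WebLogic or OWSM policies named above.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Standard WS-Security namespaces and the PasswordDigest type from the Username Token Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_username_token(user: str, password: str, nonce: Optional[bytes] = None,
                         created: Optional[str] = None) -> str:
    """Client side: produce the wsse:Security header a digest-policy client would send."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:UsernameToken>"
        f"<wsse:Username>{user}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security>"
    )


SEEN_NONCES: Set[bytes] = set()  # in-memory replay cache; a real server would expire entries


def verify_username_token(xml_text: str, users: Dict[str, str], now: Optional[str] = None,
                          max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Server side: accept the token only if the digest, timestamp and nonce all check out.

    `now` is an ISO timestamp in TS_FMT (defaults to the current UTC time) so the
    freshness check can be exercised deterministically.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    tok = root.find("wsse:UsernameToken", NS)
    if tok is None:
        return False
    user = tok.findtext("wsse:Username", namespaces=NS)
    pwd_el = tok.find("wsse:Password", NS)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    # Only the digest form is accepted here; a clear-text PasswordText token is refused.
    if pwd_el is None or pwd_el.get("Type") != DIGEST_TYPE or not (user and nonce_b64 and created):
        return False
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
        created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        now_dt = (datetime.strptime(now, TS_FMT).replace(tzinfo=timezone.utc)
                  if now else datetime.now(timezone.utc))
    except ValueError:
        return False
    if abs(now_dt - created_dt) > max_skew:   # stale or future-dated token
        return False
    if nonce in SEEN_NONCES:                   # replay of a captured header
        return False
    password = users.get(user)
    if password is None:
        return False
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, pwd_el.text or ""):
        return False
    SEEN_NONCES.add(nonce)
    return True


if __name__ == "__main__":
    demo_users = {"ohi_user": "constructed-secret"}
    header = build_username_token("ohi_user", "constructed-secret")
    print(header)
    print(verify_username_token(header, demo_users))
```

The digest form still requires the server to hold the clear-text password (or an equivalent), which is why a policy choice between UsernameToken, SAML or X.509-based WSS assertions is worth making deliberately rather than accepting a default.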

Using an API Gateway

Where WSS policies are enforced within the WebLogic domain, API gateways such as Oracle’s API Gateway offer a more centralized form of protection. The gateway sits at the boundary between untrusted and trusted zones and so provides DMZ-class security at the service perimeter of service-oriented environments.