Web service authentication

To counter attacks on web service client authentication, the Oracle InForm Adapter software supports two client authentication mechanisms: username token and X.509 client certificate. Either mechanism is only as strong as the handling of its authentication artifacts (the password, or the private key and certificate), so the handling guidance in this section should be followed.

The ODM and Discrepancy interfaces support username token authentication. For instructions on invoking the ODM and Discrepancy web services with username token authentication, refer to the Interfaces Guide, making sure to use the section for the interface that your client calls.

With username token authentication, the security of the exchange rests entirely on the password, so treat it with the utmost care: exposure of the password compromises the authentication mechanism. The Oracle InForm Adapter software does not store the password in clear text on the file system and does not log it; the web service client should protect its copy of the password in the same way. Store the password only in encrypted form, and keep it out of log files and error messages. Send the username token only over an encrypted (TLS) transport, since a token that carries the password over a clear-text connection exposes it to anyone on the network path. When the password is exchanged between the parties operating the two web service endpoints, do not send it over unencrypted out-of-band channels such as plain e-mail or chat. Also verify the identity of the person at the other end of that channel: a password exchange in which the recipient is not properly authenticated is open to social engineering.
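The following Go program is an added example; it is not part of the Oracle InForm Adapter software or its samplers. It shows how a digest-based username token keeps the clear-text password off the wire and out of the service's logs: the client builds a WS-Security UsernameToken that carries Base64(SHA-1(nonce + created + password)) instead of the password, and the service recomputes the digest from its own copy of the password, compares it in constant time, and rejects stale or replayed tokens. It assumes the standard UsernameToken Profile 1.0 PasswordDigest variant; whether the ODM and Discrepancy interfaces accept that variant, or only a password-text token, must be confirmed in the Interfaces Guide. The user name, password and timestamps are constructed test values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
	"time"
)

// Type attribute of the PasswordDigest variant in the WS-Security UsernameToken Profile 1.0.
const passwordDigestType = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

// UsernameToken is what goes on the wire. There is deliberately no Password
// field: the message carries only Base64(SHA-1(nonce + created + password)).
type UsernameToken struct {
	Username string
	Nonce    string // base64, random and fresh for every message
	Created  string // xsd:dateTime in UTC
	Digest   string // base64
}

func passwordDigest(nonce []byte, created, password string) string {
	h := sha1.New()
	h.Write(nonce)
	h.Write([]byte(created))
	h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// NewUsernameToken is the client side: the clear-text password is consumed here and not copied into the token.
func NewUsernameToken(username, password string, now time.Time) (UsernameToken, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return UsernameToken{}, err
	}
	created := now.UTC().Format(time.RFC3339)
	return UsernameToken{
		Username: username,
		Nonce:    base64.StdEncoding.EncodeToString(nonce),
		Created:  created,
		Digest:   passwordDigest(nonce, created, password),
	}, nil
}

// Header renders the wsse:UsernameToken element for the SOAP security header.
func (t UsernameToken) Header() string {
	var u strings.Builder
	xml.EscapeText(&u, []byte(t.Username))
	return fmt.Sprintf("<wsse:UsernameToken><wsse:Username>%s</wsse:Username><wsse:Password Type=%q>%s</wsse:Password>"+
		"<wsse:Nonce>%s</wsse:Nonce><wsu:Created>%s</wsu:Created></wsse:UsernameToken>",
		u.String(), passwordDigestType, t.Digest, t.Nonce, t.Created)
}

// Verifier is the service side: it recomputes the digest from its own copy of the password,
// so the password never appears in a message or a log. Not safe for concurrent use without a mutex.
type Verifier struct {
	lookup  func(username string) (password string, ok bool)
	maxSkew time.Duration
	seen    map[string]time.Time // nonce -> Created, to reject replays
}

func NewVerifier(lookup func(string) (string, bool), maxSkew time.Duration) *Verifier {
	return &Verifier{lookup: lookup, maxSkew: maxSkew, seen: map[string]time.Time{}}
}

// Verify returns nil only for a fresh, unreplayed token whose digest matches. The error texts are
// for the service's own log; the client should get a generic failure that does not reveal the cause.
func (v *Verifier) Verify(t UsernameToken, now time.Time) error {
	created, err := time.Parse(time.RFC3339, t.Created)
	if err != nil {
		return fmt.Errorf("unparseable Created: %w", err)
	}
	if age := now.Sub(created); age > v.maxSkew || age < -v.maxSkew {
		return fmt.Errorf("token outside freshness window (age %s)", age)
	}
	nonce, err := base64.StdEncoding.DecodeString(t.Nonce)
	if err != nil || len(nonce) == 0 {
		return fmt.Errorf("missing or malformed nonce")
	}
	password, ok := v.lookup(t.Username)
	expected := passwordDigest(nonce, t.Created, password) // computed even for unknown users, so timing does not reveal them
	if subtle.ConstantTimeCompare([]byte(expected), []byte(t.Digest)) != 1 || !ok {
		return fmt.Errorf("digest mismatch for user %q", t.Username)
	}
	for n, c := range v.seen { // forget nonces too old to pass the freshness check anyway
		if now.Sub(c) > v.maxSkew {
			delete(v.seen, n)
		}
	}
	if _, replayed := v.seen[t.Nonce]; replayed {
		return fmt.Errorf("replayed nonce for user %q", t.Username)
	}
	v.seen[t.Nonce] = created
	return nil
}
```

The service still needs the clear-text password (or a reversible encryption of it) to recompute the digest, which is why the adapter's own storage rule, encrypted at rest and never logged, applies on both sides. The freshness window bounds how long the replay cache must remember a nonce; five minutes is a common choice when clocks are synchronised.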

The Discrepancy and ODM Export interfaces also support X.509 certificate authentication. The client application signs each message with the private key of its X.509 certificate, and the corresponding public certificate must be installed on the Oracle InForm Adapter application server so that the server can validate the signature. The signature is generated with a SHA-256-based signature algorithm. Obtain the client certificate from a trusted public certification authority (CA): the CA's vetting establishes that the organization controlling the web service client endpoint is who it claims to be, and because no password has to be exchanged between the parties, certificate authentication removes the social engineering risk that comes with username token password handling. Public CAs offer different levels of organization vetting at different prices; the more thorough the vetting, the lower the chance that an impostor obtains a certificate in the organization's name. Protect the private key as carefully as a password: keep it in an encrypted key store on the client only, never in a clear-text file or a log.

For an example of signing a message with an X.509 certificate, see the SignXml method in \certificate\MyClientMessageInspector.cs in the ODM Sampler source code.
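The following Go program is an added example; it is not code from the ODM Sampler and is written in Go rather than the sampler's C#. It reproduces the two checks that X.509 message authentication relies on: the client signs the message with the private key of its certificate, using an RSA signature over a SHA-256 digest, and the service accepts the message only if the presented certificate chains to a trusted CA and the signature verifies under that certificate's public key. It assumes RSA PKCS#1 v1.5 signatures over the raw message bytes; a real WS-Security client canonicalizes the SOAP body and wraps the signature in an XML Signature element, which is what the sampler's SignXml method does. The CA and the client certificate are generated in-process to stand in for a public CA and the certificate it issued, and the message is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert generates a 2048-bit RSA key and a certificate for tmpl signed by
// parent/parentKey; with parent == nil the certificate is self-signed.
func issueCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildDemoPKI stands in for a public CA and the client certificate it issued
// to the organisation running the web service client (generated in-process
// for this example; a real deployment uses a certificate obtained from a CA).
func BuildDemoPKI(now time.Time, caName, clientName string) (ca, client *x509.Certificate, clientKey *rsa.PrivateKey, err error) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := issueCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: clientName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, clientKey, err = issueCert(clientTmpl, ca, caKey)
	return ca, client, clientKey, err
}

// SignMessage is the client side: an RSA PKCS#1 v1.5 signature over the
// SHA-256 digest of the message, made with the certificate's private key.
func SignMessage(msg []byte, key *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyMessage is the service side. It first checks that the presented
// certificate chains to a CA in roots and is valid at time now, then checks
// the signature under that certificate's public key. Checking the signature
// alone would accept any self-signed certificate an attacker can mint.
func VerifyMessage(msg, sig []byte, clientCert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil {
		return fmt.Errorf("client certificate not trusted: %w", err)
	}
	pub, ok := clientCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("client certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("message signature invalid: %w", err)
	}
	return nil
}

func main() {
	now := time.Now()
	ca, client, key, err := BuildDemoPKI(now, "Demo Public CA", "sponsor-client")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	msg := []byte("<soap:Body><Ping/></soap:Body>") // constructed sample message
	sig, _ := SignMessage(msg, key)
	fmt.Println("genuine:", VerifyMessage(msg, sig, client, roots, now))
	fmt.Println("tampered:", VerifyMessage([]byte("<soap:Body><Pong/></soap:Body>"), sig, client, roots, now))
}
```

On the adapter side the trust anchor is the installed public certificate rather than a root pool, but the same two-step rule applies: a valid signature from a certificate that does not chain to the expected issuer proves nothing about who sent the message. Note also that the chain check enforces the certificate's validity period, so a client whose certificate has expired is rejected even though its signature is still mathematically valid.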