Use this part to secure your Microservices Architecture (MA) environment.
The MA service interfaces use the REST architectural style, within an HTTP environment. As REST is a style that uses HTTP and not a distinct transfer implementation, all the security related concerns and solutions applied to HTTP apply equally to REST interfaces. This includes ensuring general security related to HTTP-based requests, responses, sessions, cookies, headers and content as well as addressing issues such as Cross Site Request Forgery, UI Redressing and delegated authentication. TLS/SSL when enabled, ensures confidentiality and optionally integrity, although typical configurations do not ensure bi-lateral integrity. Negotiating security configurations can further specify identity validation, renegotiation, and revocation requirements as allowed by Oracle security standards.
Communications Transport
TCP is used for network communication.
UDT is an additional protocol used for data conveyance. It is a high-performance, UDP-based data transfer protocol, which transfers large datasets over high-speed WAN.
WebSockets 2.0 is a not a transport protocol but a pseudo-transport that enables a server to send content to client without client solicitation, thereby enabling bi-directional messaging over a persistent connection. It operates over HTTPS ports simplifying network security management.
Communications Security
An MA server is the originator of all the response messages sent to the client when a request is sent to the server. An MA server neither serves as a proxy nor supports tunneling of response messages generated by other applications. Secured network communications use Oracle approved TLS (Transport Layer Security) or DTLS (Datagram Transport Layer Security) libraries. MA Oracle platforms uses the Oracle SSL toolkit (NZ), which includes Oracle Wallet integration.
For non-Oracle platforms, the Oracle SSL toolkit is used where available. Where the Oracle SSL Toolkit is not available, an alternate SSL toolkit is used.
All MA servers implement client and server authentication. However, client and server authentication is only available when network security is configured and enabled. MA servers can be configured with network security enabled but without using server or client authentication.
Inbound and Outbound Security Configuration
Security configuration can be inbound or outbound. Inbound configuration implies configuring specific behavior associated with a server. A server receives requests and responds with information or messages. Outbound security configuration assumes that the specific behavior is associated with a client.
A client issues requests and receives the response information from the server. Only the Distribution Server acts as a client with outbound security requirements. All other servers are server-only. For example, in MA, the Distribution Server accepts service requests from clients through inbound configured secured connections, while it connects and sends trail data to Receiver Server through secure connections with Outbound configuration.
Topics: