1 Introducing Oracle Web Services Manager

Oracle Web Services Manager (OWSM) provides a policy framework to manage and secure Web services consistently across your organization. It provides capabilities to build, enforce, run and monitor Web service policies, such as security, reliable messaging, MTOM, and addressing policies. OWSM can be used by both developers, at design time, and system administrators in production environments.

For more information, refer to the following sections:

For definitions of unfamiliar terms found in this and other books, see the Glossary.

1.1 Overview of Oracle Web Services Manager

Oracle Web Services Manager (OWSM) provides business agility to respond to security threats and security breaches by allowing policy changes to be enforced in real time without the need to interrupt the running business processes.

As shown in Figure 1-1, OWSM provides the "first mile security" via client agents for securing Web service clients, and "last mile security" via server agents securing Web services. If your Web services are accessible only from inside the corporate intranet, they typically still require authentication and authorization. In addition, auditing is often required to address regulatory compliance.

Figure 1-1 Security Provided by OWSM Agents

OWSM allows for policy-driven centralized management of Web services with local enforcement. OWSM provides a policy framework to manage and secure Web services consistently across your organization.

The benefits of this policy driven approach include:

  • Allows security to be declarative and externalized.

  • Provides business agility to respond to security threats and security breaches by allowing policy changes to be enforced in real time without the need to interrupt the running business processes.

  • Avoids the need for developers to understand security specifications and security implementation details.

OWSM allows you to:

  • Centrally define and store declarative policies applied to the multiple Web services.

  • Locally enforce policies through configurable agents.

  • Monitor run time security events such as failed authentication or authorization.

You can use OWSM to secure the following categories of Oracle Web services:

  • Oracle Infrastructure web services—SOA, Application Development Framework (ADF and WebCenter), Oracle Service Bus, and Oracle Enterprise Scheduler services

  • Java EE web services—SOAP (JAX-WS) and RESTful (JAX-RS) web services

Companies worldwide are actively deploying service-oriented architectures (SOA) using Web services, both in intranet and internet environments. While Web services offer many advantages over traditional alternatives (for example, distributed objects or custom software), deploying networks of interconnected Web services still presents key challenges, particularly in terms of security and administration.

1.2 Overview of Oracle Web Services Manager Features

OWSM includes an extensive array of policy and management features. Security standards supported and specific tasks performed using OWSM is discussed in the following section.

Following OWSM features are included:

  • Policy Management:

    • Global and direct policy attachment.

    • Policy attachment at design time and post-deployment.

    • Ability to attach/detach multiple policies to a Web service or client.

    • Auto-select of client policies.

    • Identity propagation across multiple Web services.

    • Policy advertisement in WSDL.

  • Monitoring/Management:

    • Centralized management, auditing and reporting.

    • Policy versioning and rollback.

    • Performance management, including metrics for service, port, and operation, policy dependencies per port, number of security violations, number of invocations, and more.

    • Policy export and import.

    • Policy impact analysis.

  • Security standards supported:

    • A broad range of security standards is supported, as described in Table A-1.

    • Pre-defined, reusable policies, including security, reliability, addressing, management and MTOM policies.

    • Custom policy extensions.

OWSM supports policy attachment at both design time and post-deployment, which provides capabilities for both developers and system administrators:

  • Developers can attach OWSM policies from the Oracle JDeveloper context menu and property inspector. For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.

  • System administrators can leverage OWSM through the Oracle Enterprise Manager Fusion Middleware Control and WLST. They can centrally define policies using the OWSM Policy Manager and enforce OWSM polices locally at run time.

Examples of specific tasks that you can perform using OWSM include the following:

  • Handle WS-Security (for example, encryption, decryption, signing, signature validation, and so on).

  • Define authentication and authorization policies against an LDAP directory.

  • Generate standard security tokens (such as SAML tokens) to propagate identities across multiple Web services used in a single transaction.

  • Segment policies into different namespaces by creating policies within different folders.

  • Examine log files.

1.3 Overview of Oracle Web Service Manager Architecture

The Oracle Web Services Manager (OWSM) agent, policy manager, and repository are the main components in the OWSM architecture.

Figure 1-2 illustrates the interaction among the main OWSM components and the Oracle Fusion Middleware Control console.


A subset of OWSM policies are supported for RESTful Web services, as described in Which OWSM Policies Are Supported for RESTful Web Services? in Securing Web Services and Managing Policies with Oracle Web Services Manager. The subset does not include all of the policy interceptor types shown in Figure 1-2.

Figure 1-2 Components of OWSM Architecture

Table 1-1 describes the components of OWSM shown in Figure 1-2, and highlights their use in the figure.

Table 1-1 Components of OWSM Architecture

OWSM Component Description

Oracle Enterprise Manager Fusion Middleware Control

Enables administrators to access OWSM's functionality to manage, secure, and monitor Web services.

Oracle JDeveloper

Provides a full-featured Java IDE that can be used for end-to-end development of Web services. Using visual and declarative tools, developers can build Oracle SOA, ADF, WebCenter, and WebLogic Java EE Web services, automatically deploy them to an instance of Oracle WebLogic Server, and immediately test the running Web service. Alternatively, JDeveloper can be used to drive the creation of Web services from WSDL descriptions. JDeveloper is Ant-aware. You can use this tool to build and run Ant scripts for assembling the client and for assembling and deploying the service. For more information, see the Oracle JDeveloper online help.

WebLogic Scripting Tool (WLST)

Enables administrators to view and configure Web services, and manage Web service policies from the command line.

OWSM Policy Manager

Reads/writes the policies, including predefined and custom policies from the OWSM Repository.

OWSM Agent

Manages the enforcement of policies via the Policy Interceptor Pipeline.

Policy Interceptors

Enforces policies. For more information, see "Understanding How Policies are Executed".

OWSM Repository

Stores OWSM metadata, such as policies, policy sets, assertions templates, and policy usage data. The OWSM Repository is available as a database (for production use) or as files in the file system (for development use in JDeveloper).

Oracle Fusion Middleware Database

Provides database support for the OWSM Repository.

Subsequent chapters of this document describe conceptual information about the OWSM policy framework and security concepts. This document also includes a section on the security standards for Oracle Infrastructure Web Services.

The companion documents Securing Web Services and Managing Policies with Oracle Web Services Manager and Administering Web Services describe how to secure and administer Web services using OWSM, respectively.