Topics:
This topic describes how to protect PII with the oracle/pii_security_policy
policy.
Topics:
Note:
Configure the PII encryption key, then choose where you need to attach the oracle/pii_security_policy
policy as appropriate for your environment.
Examine the SOAP request and response messages, or the WSDL, and determine what PII data you want to protect.
There are two approaches:
Deploy the SOA application and use JDeveloper (or another mechanism) to look at the SOAP messages and determine what you need to protect.
See the SOAP message example in "PII Policy XPath Expressions".
Deploy the SOA application and look at the WSDL of the deployed application to determine what you need to protect.
You can display the WSDL document for the web service endpoint as described in "Viewing the Web Service WSDL Document" in Administering Web Services with Oracle Fusion Middleware.
You need to look at what data is being passed during both the request and response phases. That is, you may need to protect different data during the request and response.
Compose the XPath expressions to protect the PII data in both the request and response messages.
See the SOAP message example in "PII Policy XPath Expressions" in Understanding Oracle Web Services Manager for guidance.
You later specify these XPath expressions in the oracle/pii_security_policy
in the request.xpath
and response.xpath
attributes.
Configure a password CSF key to be used for generating the PII encryption key.
For more information, seeAdding Keys and User Credentials to Configure the Credential Store. The PII encryption key is derived from this password credential.
By default, oracle/pii_security_policy
expects a key value of pii-csf-key
, but you can change this.
If the web service client and the web service do not share a single credential store, then the PII encryption key must be present and identical in their respective credential stores.
Make a copy of the preconfigured oracle/pii_security_policy
and then attach the copy to your web service and client.
Perform the following steps:
You must attach the policy only at the service/reference level, and then to both the client and web service.
Consider the SOA composite represented in JDeveloper shown in Figure 8-1. For this composite, you would attach the policy to both the bpelprocess_1client_ep
client and the PartnerLink1
reference. You cannot attach the policy to a component.
Figure 8-1 Where to Attach the pii_security_policy for a SOA Composite
Perform the following steps to view the SOA composite and attach the oracle/pii_security_policy
policy.
You can attach the PII policy to JCA adapters for both SOA and Oracle Service Bus.
See "Managing Service and Reference Binding Components" in Administering Oracle SOA Suite and Oracle Business Process Management Suite for information on attaching the PII policy to JCA bindings.
See " Hiding Personally Identifiable Information in Messages" in Developing Services with Oracle Service Bus for information on how to attach oracle/pii_security_policy
to Oracle Service Bus.
You can attach the PII policy to JCA adapters for both SOA and Oracle Service Bus.
See "Managing Service and Reference Binding Components" in Administering Oracle SOA Suite and Oracle Business Process Management Suite for information on attaching the PII policy to JCA bindings.
See "Hiding Personally Identifiable Information in Messages" in Developing Services with Oracle Service Bus for information on how to attach oracle/pii_security_policy
to Oracle Service Bus.
You can override the oracle/pii_security_policy
attributes using WLST.
Perform the following steps to override the oracle/pii_security_policy
attributes using WLST:
For more information about the WLST commands and their arguments, see "Web Services Custom WLST Commands" in WLST Command Reference for WebLogic Server.
It is possible that the encrypted PII might be needed for making some decision. In this case, you must explicitly decrypt the PII with the provided API before it can be used.
For example, assume that a credit card number is marked as PII and is encrypted at the SOA service binding (entry point). If the credit card number is required inside a BPEL process to determine the type of credit card, then you must decrypt the credit card number using the API.
The oracle.security.xmlsec.pii.PIISecurity.java
class is provided for this purpose. This class has the following method:
Class: oracle.security.xmlsec.pii.PIISecurity.java /** * Converts cipher text string to plain text using password based key * derivation algorithm (PBKDF2). * * @param ciphertext text to decrypt * @param password password for key derivation * @param pbkdfAlgo key derivation algorithm which should be PBKDF2 * @param pbkdfSalt non-null and non-empty salt for key derivation * @param pbkdfIteration iteration count for key derivation * @param keySize size of key for key derivation * @param encAlg data encryption algorithm. it should be in the form: * "algorithm/mode/padding" for ex. AES/CBC/PKCS5Padding * @return plain text */ public static String decrypt(String ciphertext, char password[], String pbkdfAlgo, String pbkdfSalt, int bkdfIteration, int keySize, String encAlg);
The decrypt
method returns the decrypted value of the encrypted PII, but does not update the actual value, which remains encrypted.
For SOA, you can invoke this API using the Java Embedding feature, which is described in "Using Java Embedding in a BPEL Process in Oracle JDeveloper" in Developing SOA Applications with Oracle SOA Suite.
Note:
Do not log the decrypted value of the PII unless you are completely aware of the security ramifications of doing so.