SOA and web service deployments are spreading all over the blue planet. (At least the vendor's sales team didn't talk about Mars 🙂 ) Still, the major challenges are security and management.
Web services are built with many different technologies, and security is needed at both ends: the service provider and the consumer (client).
There are several security layers between service consumer and provider: perimeter security, popularly known as the DMZ (demilitarized zone); then the green zone, which sits behind the inner firewall; and finally the agents co-located with the web services or applications to be protected.
Why security for web services?
Web services are by nature loosely coupled and reachable over an open protocol (HTTP), which makes security a hard requirement rather than an option. Web service security includes –
- Authentication (username/password, SAML, Kerberos, digital certificates etc.),
- Authorization (access control – grants to specific resources) and
- Integrity (XML Signature) and confidentiality (XML Encryption).
Web service security is supported by industry standards at both levels: transport (SSL or TLS) and message (XML-based frameworks such as XML Signature and XML Encryption, profiled by WS-Security). The distinction matters in a layered deployment: TLS protects only one hop and is terminated at the gateway, whereas message-level signatures and encryption travel with the XML through every intermediary to the service itself.
Say a 3rd-party application wants to access a web service hosted by an enterprise.
What path does the “Request” take? On its way, the web service request has to pass through the security layers.
Web Service Request ——-> DMZ ——–> Green Zone
@DMZ: At the DMZ, WS requests are inspected and the following tasks are executed –
- Schema validation,
- Protection against DoS through XML bombs (entity expansion attacks),
- Message throttling (to prevent the maximum number of concurrent web service requests from being exceeded) and
- Authentication.
<<The SLA defines the maximum number of concurrent web service requests between consumer and provider>>
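As an added example (not Oracle's or OEG's code), here is what those DMZ checks look like when written out with the Python standard library: a message-size ceiling, an XML parser that refuses every entity declaration so an XML bomb is rejected before anything is expanded, depth and element-count caps standing in for full schema validation (which needs an XSD-aware validator the stdlib lacks), a per-consumer concurrency throttle driven by an SLA limit, and a constant-time credential check. Everything in it is constructed for the demo: the consumer name partner-a and its password, the salt, the size/depth/element limits, the SLA limit of two concurrent requests, and the two sample messages.

```python
"""DMZ-side inspection of an inbound XML/SOAP request (added example).

Not Oracle or OEG code: it models the checks the post lists for the DMZ with
the Python standard library. Consumer names, passwords, limits, salts and the
two sample messages are all constructed for the demo.
"""
import hashlib
import hmac
import xml.parsers.expat
from collections import defaultdict

MAX_BYTES = 64 * 1024   # assumed ceiling on a request body
MAX_DEPTH = 32          # assumed ceiling on element nesting
MAX_ELEMENTS = 10_000   # assumed ceiling on element count


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the table never holds a raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential table: consumer -> (salt, derived key). A real gateway
# would look this up in an identity store rather than hold it in code.
_SALT_A = b"demo-salt-partner-a"
CREDENTIALS = {"partner-a": (_SALT_A, _derive("s3cret-a", _SALT_A))}


class RejectedRequest(Exception):
    """A message failed one of the gateway checks."""


def authenticate(consumer: str, password: str) -> bool:
    """Constant-time credential check; unknown consumers still do the KDF work."""
    salt, expected = CREDENTIALS.get(consumer, (b"no-such-consumer", bytes(32)))
    return hmac.compare_digest(expected, _derive(password, salt))


class ConcurrencyThrottle:
    """Per-consumer cap on in-flight requests, as the SLA would define it."""

    def __init__(self, limits: dict):
        self.limits = limits                 # consumer -> max concurrent
        self.in_flight = defaultdict(int)

    def acquire(self, consumer: str) -> bool:
        if self.in_flight[consumer] >= self.limits.get(consumer, 0):
            return False                     # no quota, or quota exhausted
        self.in_flight[consumer] += 1
        return True

    def release(self, consumer: str) -> None:
        self.in_flight[consumer] -= 1


def simulate_burst(throttle: ConcurrencyThrottle, consumer: str, n: int) -> list:
    # Admit n simultaneous requests without releasing; return each verdict.
    return [throttle.acquire(consumer) for _ in range(n)]


def inspect_xml(body: bytes) -> int:
    """Parse with every <!ENTITY> declaration forbidden; return element count.

    Refusing entity declarations stops expansion bombs and external entities
    (XXE) before anything is expanded. Depth and element-count caps bound the
    cost of well-formed but oversized documents (a stand-in for XSD validation).
    """
    if len(body) > MAX_BYTES:
        raise RejectedRequest("message too large")
    state = {"elements": 0, "depth": 0}
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(*_):
        raise RejectedRequest("entity declaration forbidden (XML bomb/XXE defence)")

    def start(name, attrs):
        state["elements"] += 1
        state["depth"] += 1
        if state["depth"] > MAX_DEPTH or state["elements"] > MAX_ELEMENTS:
            raise RejectedRequest("document too deep or has too many elements")

    def end(name):
        state["depth"] -= 1

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedRequest(f"malformed XML: {exc}")
    return state["elements"]


def process_request(consumer: str, password: str, body: bytes,
                    throttle: ConcurrencyThrottle) -> tuple:
    """Run the DMZ checks in order; return (forwarded, reason)."""
    if not authenticate(consumer, password):
        return False, "authentication failed"
    if not throttle.acquire(consumer):
        return False, "SLA concurrency limit exceeded"
    try:
        elements = inspect_xml(body)
    except RejectedRequest as exc:
        return False, str(exc)
    finally:
        throttle.release(consumer)  # a real gateway releases when the backend answers
    return True, f"forwarded to green zone ({elements} elements)"


# Constructed sample messages: a benign SOAP call and a classic entity bomb.
GOOD_REQUEST = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><getQuote><symbol>ORCL</symbol></getQuote></soap:Body>"
    b"</soap:Envelope>"
)
XML_BOMB = (
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
    b"<soap:Envelope><soap:Body>&lol3;</soap:Body></soap:Envelope>"
)
```

The order of the checks is deliberate: the cheap credential check runs before the parser so an anonymous caller cannot make the gateway do parsing work, the throttle slot is taken before parsing so the SLA bounds parser load as well as backend load, and entity declarations are refused outright rather than expanded and measured, because the point of an XML bomb is that the expansion itself is the attack. Calling `process_request("partner-a", "s3cret-a", XML_BOMB, ConcurrencyThrottle({"partner-a": 2}))` returns a rejection naming the entity declaration, while the same call with `GOOD_REQUEST` is forwarded.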
@Green Zone – After the WS request has been validated, it is passed on to the web service. The green zone routes the request to the correct service through the virtualization layer offered by OSB (Oracle Service Bus).
What secures the web services deployed in the green zone behind OSB? Yes – it's OWSM, Oracle Web Services Manager.
What secures web services in the DMZ? That's the Oracle Enterprise Gateway (OEG)…..
–> OEG works in the DMZ
OEG provides –
1. Application-level routing
2. XML conversion, validation and threat scanning 🙂
3. XML acceleration
4. Security – encryption and decryption of XML messages, signing and signature validation of XML messages
5. Monitoring – response time, logging and alerting
6. Governance – service access and usage.
Deployment of OEG?
OEG can be deployed standalone or as an integral component of a strategic SOA infrastructure, interfacing with the ESB, Enterprise Manager (EM) and Identity Management (IDM). OEG ships as a single executable for the Windows, Linux and Solaris platforms. OEGs are deployed in the DMZ.
- The connection between client and OEG is protected by the outer firewall, and
- the connection between OEG and the web service passes through a NAT firewall (NAT = Network Address Translation), so the client never sees the service's internal address.
Administration of OEG?
Nope, it's not EM 🙂
You manage OEG through its Web Administration Interface (WAI). The WAI lets you configure the hostname and IP address of the OEG host, the DNS (Domain Name System) server to use, the SSH (Secure Shell) server and the system users. Since the WAI controls host-level settings on a box that sits in the DMZ, it should be reachable only from the management network, never from the client-facing interface.
In the next part of this series we will look into how OEG works, its integration with IDM, and a case study of its implications for enterprises.