Archiv

Archive for the ‘Oracle SOA Suite’ Category

SOA & BPM Suite 12c – Erfahrungsberichte und Live Demos für Architekten und Entwickler

  Die neuen Oracle 12c Versionen sind da!
 

SOA Suite & BPM Suite Launch Events vom Oracle Platinum Partner OPITZ CONSULTING

    23.10.14 Düsseldorf | 28.10.14 München

Sehr geehrte Damen und Herren,

die SOA Suite ist Oracle’s Lösung für Systemintegrationen jeglicher Art. Die BPM Suite bietet alles zur Prozessautomatisierung und zum Bau von Workflowlösungen mit BPMN 2.0.

Erleben Sie in einem komprimierten Abendprogramm in lockerer Atmosphäre bei Getränken, Snacks und einem anschließenden Abendessen, warum wir als Projekthaus die neuen 12c Versionen beider Suiten für einen großen Wurf halten.

Wir bleiben dabei marketingfrei, zeigen viele Live Demos und diskutieren in den Pausen gerne bis in beliebige Tiefen der neuen Produkte.

Es erwarten Sie diese Themen:

  • Oracle SOA Suite & BPM Suite 12c: Was bringen mir die neuen Versionen?
  • Neue Features SOA Suite: Erfahrungen aus einem SOA Suite 11g Upgrade auf 12c
  • BPM Suite 12c live: Workflows erstellen auch mit komplexen Formularen
  • Internet der Dinge: Live Demo mit Raspberry Pi, SOA Suite, BPM Suite und Oracle Event Processing 12c

__________________________________________________________________

Jetzt kostenfrei anmelden:
23. Oktober 2014, Oracle Deutschland, Geschäftsstelle Düsseldorf
28. Oktober 2014, Oracle Deutschland, Geschäftsstelle München

Details und Anmeldung
__________________________________________________________________

Wir freuen uns auf Ihren Besuch!

Mit herzlichen Grüßen

Torsten Winterberg
Business Development & Innovation
OPITZ CONSULTING Deutschland GmbH
Torsten Winterberg, Business Development & Innovation, OPITZ CONSULTING


OPITZ CONSULTING

OPITZ CONSULTING, Oracle PlatinumPartner

Short recap on OFM Summer Camps 2014

Last week the Oracle Fusion Middleware summer camps took place in Lisbon. More than 100 participants attended the event, learning much new stuff about new features and enhancements, arriving with the recently available FMW 12c release. In four parallel tracks the highlights of the new major release were presented to the attendees; hands-on labs allows to get a first impression regarding the new platform features and the markedly increased productivity delivered by the enhanced, consolidated tooling.

The four tracks had different focuses, regarding the new features of the 12c release of Oracle Middleware platform:

  • SOA 12c – focusing on application integration, including Oracle Managed File Transfer (MFT), and fast data with Oracle Event Processing (OEP)
  • BPM 12c – focusing on Business Process Management, the new enhanced Business Activity Monitoring (BAM) and Adaptive Case Management (ACM)
  • SOA/BPM 12c (Fast track) – Combined track, covering the most important enhancements and concepts with reference to SOA and BPM 12c
  • Mobile Application Framework (MAF) Hackathon – Development of mobile applications using the newly released MAF (formerly known as ADF mobile)

The main topics addressed by the new OFM 12c release are:

  • Cloud integration
  • Mobile integration
  • Developer’s performance
  • Industrial SOA

Cloud integration

Integrating Cloud solutions in grown IT system landscapes is complex. With SOA Suite 12c, Oracle provides a coherent and simple approach for integrating enterprise applications with existing cloud solutions. Therefore new  JCA-based cloud adapters, e..g. for integrating with Salesforce, as well as a Cloud SDK are available. Service Bus might be used in this context to care about transformation, routing and forms the backbone of a future-oriented, flexible as well as scalable cloud application architecture.

Mobile integration

Mobile-enablement of enterprise applications is a key requirement and a necessity for application acceptance today. The new JCA REST adapter can be used to easily REST-enable existing applications. In combination with Oracle MAF and Service Bus, Oracle provides a complete Mobile Suite, where seamless development of new mobile innovations can be done.

Developer’s performance

To enhance development performance, the new SOA and BPM Quickinstalls are introduced. Using those allows the developers to have a complete SOA or BPM environment installed in 15 minutes (see the blog post of my colleague). Furthermore new debugging possibilities, different templating mechanisms (SOA project templates, Custom activity templates, BPEL subprocesses and Service Bus pipeline Templates) as well as JDeveloper as the single and only IDE deliver a maximum good development experience.

Industrial SOA

Industrializing SOA is a main goal, when starting with a SOA initiative: Transparent monitoring and management and a robust, scalable and performant platform are key to successfully implementing SOA-based applications and architectures. These points are addressed by the new OFM 12c release through the following features:

  • Lazy Composite Loading – Composites will be loaded on demand and not at platform startup
  • Modular Profiles – Different profiles provided, which enables only the features currently needed (e.g. only BPEL)
  • Improved Error Hospital and Error Handling
  • Optimized Dehydration behaviour
  • Integrated Enterprise Scheduler (ESS)

Further main enhancements that where introduced regarding SOA and BPM Suite 12c were:

  • Oracle BPM Suite 12c: Definition of Business Architecture, including definition of Key Performance Indicators (KPI) and Key Risk Indicators (KRI) to provide an integral overview from a high-level perspective; ACM enhancements in the direction of predictive analytics
  • Oralce BAM 12c: Completly re-implemented in ADF, allows operational analytics based on the defined KPIs and KRIs
  • Oracle MFT: Managed File Transfer solution for transferring big files from a specified source to a defined target; integration with SOA/BPM Suite 12c can be done by new JCA-based MFT adapters

Looking back,  a great and very interesting week lays behind me, providing a bunch of new ideas and impressions on the new Fusion Middleware 12c release. I’m looking forward to use some of this great new stuff soon, in real world’s projects.

Special thanks to Jürgen Kress for the excellent organization of the event! I’m already looking forward for next SOA Community event…

IT-Security: Part 1 to 5 as PDF file

Key words:IT-Security, Security Challenges, OPSS Architecture, WebLogic Server, JAAS, JAAS LoginModules, Authentication, Basic Authentication, Certificate Authentication, Digest Authentication, perimeter Authentication and Identity Assertion

Until now I have published five parts of a series of articles on IT-Security and Oracle Fusion Middleware:

  1. http://thecattlecrew.wordpress.com/2014/02/17/it-security-weblogic-server_1/
  2. http://thecattlecrew.wordpress.com/2014/03/05/it-security-part-2-weblogic-server-and-oracle-platform-security-services-opss-2/
  3. http://thecattlecrew.wordpress.com/2014/03/14/it-security-part-3-weblogic-server-and-java-security-features/
  4. http://thecattlecrew.wordpress.com/2014/06/05/it-security-weblogic-server-and-authentication-part-4/
  5. http://thecattlecrew.wordpress.com/2014/06/22/it-security-part-5-weblogic-server-perimeter-authentication-and-identity-assertion/

I’m going to continue the IT-Security’s articles and you can access to complete first five parts as PDF-file here:

WebLogic-Server_IT_Security_1til5

Oracle BPM 12c – Quick Start Installation (uncensored)

Getting started in 15 minutes!

One of the challenges with previous releases was, that SOA & BPM composites couldn’t be deployed and tested on the JDeveloper integrated Weblogic server. Therefore a separate installation of SOA/BPM Suite or a virtual image was necessary to start developing. Now with the new release Oracle introduced a single-click installer for SOA & BPM Suite. Among other new features (like debugging & testing capabilities, templating, optimized foodprint, etc.) this really helps to increase developer productivity.

The video below demonstrates that with Oracle SOA & BPM 12c it just takes 15 minutes to get started – install JDeveloper, start the Weblogic server, develop a simple Hello World, deploy the process and test it from Enterprise Manager.

 

Do you feel inspired? Just download the software from OTN and try it yourself (SOA-Download; BPM-Download). Have fun!

IT-Security (Part 5): WebLogic Server, perimeter Authentication and Identity Assertion

I tried to discuss about “perimeter authentication” in one extra part of IT-Security’s blogs, because this authentication’s process is an essential approach in a heterogonous world of systems, applications and technologies that they need to trust and communicate to each other.  Generally, we discussed about perimeter authentication, if a remote user requires an asserted identity and some form of proof material to an authentication server that performs the verification and then passes an artifact, or token, to the application server domain.[1]

If we want to identify a remote user outside of the WebLogic server domain, as an authentication server, then we need to another approach for authenticating’s process instead basic authentication with username and password[2]. This authentication’s process is called perimeter authentication. It establishes trust via a passphrase, e.g. tokens. Tokens will be generated as part of the authentication process of users or system processes and could have many different types and / or vendors, e.g. Kerberos and Security Assertion Markup Language (SAML). WebLogic Server is able to use the token(s) so that users are not requested to sign on more than once.

This form of authentication operates with authentication agent. It performs an authentication process that outcomes in a token. It contains the authentication information of user and guarantees for the user’s identity. The Figure1 Perimeter Authentication[3] presents the sequence of events in authenticating process:

Remote User sends a request with passphrase to Authentication Agent. It creates a token and sends to WebLogic Server to access resources and / or application(s). The WebLogic Server perform perimeter authentication via Identity Assertion.

Perimeter Authentication

Perimeter Authentication

Figure 1 Perimeter Authentication

We can define the Identity Assertion provider, as a specific form of Authentication provider that permits users or applications to assert their identity using tokens. With other words, it supports user’s mappers, which map a valid token to a WLS-User. It is possible to develop your own or use a third-party security vendor’s Identity Assertion providers. Identity assertion can use perimeter authentication schemes such as the Security Assertion Markup Language (SAML), the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), or enhancements to protocols such as Common Secure Interoperability (CSI) v2 and support single sign-on.[4]  The WebLogic Identity Assertion providers support the following token types[5] (here is a selected list of token types):

  • AU_TYPE, for a WebLogicAuthenticatedUserused as a token.
  • X509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI) and RFC 4158 provides information and guidance for certification path building.[6]
  • X509_TYPE, for an X509 client certificate used as a token:
  • CSI_X509_CERTCHAIN_TYPE, for a CSIv2 X509 certificate chain identity used as a token.

“The Negotiate Identity Assertion provider is used for SSO with Microsoft clients that support the SPNEGO protocol. The Negotiate Identity Assertion provider decodes SPNEGO tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos. The Negotiate Identity Assertion provider is for Windows NT Integrated Login.” [7]

  • AUTHORIZATION_NEGOTIATE, for a SPNEGO internal token used as a token.
  • WWW_AUTHENTICATE_NEGOTIATE, for a SPNEGO internal token used as a token.

“The SAML Identity Assertion providers handle SAML assertion tokens when WebLogic Server acts as a SAML destination site. The SAML Identity Assertion providers consume and validate SAML assertion tokens and determines if the assertion is to be trusted (using either the proof material available in the SOAP message, the client certificate, or some other configuration indicator).”[8]   I am going back to SAML topic in an additional article(s).

  • SAML_ASSERTION_B64_TYPE, for a Base64 encoded SAML.assertion used as a token.
  • SAML_ASSERTION_DOM_TYPE, for a SAML DOM element used as a token.
  • SAML_ASSERTION_TYPE, for a SAML string XML form used as a token.
  • SAML2_ASSERTION_DOM_TYPE, for a SAML2 DOM element used as a token.
  • SAML2_ASSERTION_TYPE, for a SAML2 string XML form used as a token.
  • SAML_SSO_CREDENTIAL_TYPE, for a SAML string consisting of the TARGET parameter concatenated with the assertion itself and used as a token.

I introduced about Digest Authentication[9] in previous blog and WebLogic supports für Web Service application the following Digest type:

  • WSSE_PASSWORD_DIGEST_TYPE, for a username token with a password type of password digest used as a token.

 

The Authentication and Identity Assertion Process

Now, we can compare Basic authentication Process with Identity Assertion Process. On Figure 2 Authentication Process (Principal Validation Process)[10] shows the authentication process for a fat-client login. A user attempts to log into a system using a username/password combination. WebLogic Server establishes trust by calling the configured Authentication provider’s LoginModule, which validates the user’s username and password and returns a subject that is populated with principals per Java Authentication and Authorization Service (JAAS) [11] requirements. In this way, an authentication context will be established and user can access to certain resource and / or components in WebLogic Domain.

 

Authentication Process (Principal Validation Process)

Authentication Process (Principal Validation Process)

Figure 2 Authentication Process (Principal Validation Process)

Figure 3 Perimeter Authentication presents the perimeter authentication process[12].

  1. A token from outside of WebLogic Server is passed to an Identity Assertion provider that is responsible for validating tokens of that type and that is configured as “active”.
  2. If the token is successfully validated, the Identity Assertion provider maps the token to a WebLogic Server username, and sends that username back to WebLogic Server, which then continues the authentication process as described above. It requires the same components, but also adds an Identity Assertion provider. Specifically, the username is sent via a Java Authentication and Authorization Service (JAAS)CallbackHandlerand passed to each configured Authentication provider’s LoginModule, so that the LoginModule can populate the subject with the appropriate principals.

 

Perimeter Authentication

Perimeter Authentication

Figure 3 Perimeter Authentication

If you compare the two ways of authentication, then you can find out a core security characteristic of WebLogic Server too. It is mean; WebLogic Server security architecture has a consistence modular structure and therefore can response rapid to new challenges and technologies in security area. This architecture is capable to expand its features und integrate new security components in itself.

 

[1] Oracle® Fusion Middleware: Understanding Security for Oracle WebLogic Server, 11g Release 1 (10.3.6), E13710-06

[2] For „Basic Authentication: Username/Password“ see: http://thecattlecrew.wordpress.com/2014/06/05/it-security-weblogic-server-and-authentication-part-4/

[3] Oracle® Fusion Middleware: Understanding Security for Oracle WebLogic Server, 11g Release 1 (10.3.6), E13710-06

[4] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[5] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[6] See: http://tools.ietf.org/html/rfc4158

[7] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[8] Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server, 11g Release 1 (10.3.6), Part Number E13718-05, http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

[9] See http://thecattlecrew.wordpress.com/2014/06/05/it-security-weblogic-server-and-authentication-part-4/

[10] See: http://docs.oracle.com/cd/E23943_01/web.1111/e13718/atn.htm#i1141106

[11] IT-Security (Part 3): WebLogic Server and Java Security Features: http://thecattlecrew.wordpress.com/2014/03/14/it-security-part-3-weblogic-server-and-java-security-features/

[12] See http://docs.oracle.com/cd/E23943_01/web.1111/e13718/ia.htm

Orchestrierung der IT-Sicherheit: Wie sieht es mit der Oracle Fusion Middleware aus?

Es gab am 06. März 2014 in Hochschule für angewandte Wissenschaften München den DOAG Regionaltreffen München/Südbayern. Ich habe dort einen Vortrag über „Orchestrierung der IT-Sicherheit: Wie sieht es mit der Oracle Fusion Middleware aus?“ gehalten. Hier finden Sie mein Abstract und meine Präsentation:
Orchestrierung ist eine riesige Symphonie verschiedenster Komponenten im IT-Bereich. Die Orchestrierung der IT-Sicherheit ist daher mehr als nur eine klassische administrative Aufgabe, die auf Netzwerkebene zu realisieren ist. IT-Sicherheit ist eine Herausforderung im Zeitalter des Cloud Computing, der veränderten Herausforderungen in einer verteilten, heterogenen und noch mehr komplexen IT-Welt.
In diesem Vortrag wird gezeigt, dass allein die traditionellen IT-Sicherheitsansätze und Maßnahmen nicht ausreichen, um neue technische aber auch organisatorische Fragen zu beantworten. Nach einer kurzen Einführung in die Problematik werden Lösungsansätze von Oracle vorgestellt. Ein besonderer Fokus wird dabei auf Oracle WebLogic Server und Oracle Plattform Security Services (OPSS) gelegt.
Orchestrator_Security_V2.3_Kurz

IT-Security (Part 3): WebLogic Server and Java Security Features

WebLogic Server and Java Security Features [1]

WebLogic Server supports the Java SE and Java EE Security to protect the resources of whole system. The resources could be Web applications, Uniform Resource Locator (URL), Enterprise JavaBeans (EJBs), and Connector components.

Java SE capabilities: Security APIs

Java uses APIs to access security features and functionality and its architecture contains a large set of application programming interfaces (APIs), tools, and implementations of commonly-used security algorithms, and protocols. This delivers the developer a complete security framework for writing applications and enables them to extend the platform with new security mechanisms.[2]

Java Authentication and Authorization Services (JAAS)

WebLogic Server uses the Java Authentication and Authorization Service (JAAS) classes to consistently and securely authenticate to the client. JAAS is a part of Java SE Security APIs and a set of Java packages that enable services to authenticate and enforce access controls upon users and /or fat-client authentication for applications, applets, Enterprise JavaBeans (EJB), or servlets.

JAAS uses a Pluggable Authentication Module (PAM) framework, and permits the use of new or updated authentication technologies without requiring modifications to the application. Therefore, only developers of custom Authentication providers and developers of remote fat client applications need to be involved with JAAS directly. Users of thin clients or developers of within-container fat client applications do not require the direct use or knowledge of JAAS.

JAAS LoginModules

All LoginModules are responsible for authenticating users within the security realm (we are going to discuss about that later) and for populating a subject with the necessary principals (users/groups). LoginModules contains necessary methods for Login Context, Accounts, Credentials, configuration of them, and different ways to exception handling. Each Authentication providers will be configured in a security realm, its LoginModules will store principals within the same subject too. I try to present that with an example: Via WebLogic Server Admin Console: Home >myDomain > Domain Structure click on Security Realms and then create a new realm “Moh_Realm-0” and then click on “OK”

p3_realm_1

Figure 1 create a new Realm

Select new realm and then click on tab “provider”, and then click on “New”, in order to create a new provider:

p3_realm_2

Figure 2 open the new Realm

In this use case, we select type: “WebLogic Authentication Provider” and give a name e.g. “DefAuthN”, then “OK”.  The WebLogic Authentication provider is configured in the default security realm (myrealm). The WebLogic Authentication provider allows you to edit, list, and manage users, groups, and group membership. User and group information is stored in the embedded LDAP server.[3]

p3_AuthenticationProvider_3

 Figure 3 create a new Authentication Provider

After define “Provider”, we have to restart Admin Server. Now, we can check and compare users of new realm (Moh_Realm-0) with default realm (myrealm) of WebLogic. For myrealm, Icreated a new user named “userDOAG” and we see the following list there (Home >Summary of Security Realms >myrealm >Users and Groups)

p3_users_4

Figure 4 users of myrealm

But I didn’t create same user for Moh_Realm-0 (Home >DefAuthN>Summary of Security Realms >Moh_Realm-0 >Users and Groups):

p3_users_5

Figure 5 users of Moh_Realm-0

It shows, that we can use security provider in different gatherings und expand our security realm with additional user, groups, and security providers. We are working on it in next part of this article.

JAAS Control Flags

The JAAS Control Flag attribute determines how the LoginModule for the WebLogic Authentication provider is used in the login sequence. The values for the Control Flag attribute are as follows: Home >Summary of Security Realms > Moh_Realm-0 >Providers > DefAuthN

 p3_JAAS_ControlFlag_6

Figure 6 Control flags via Admin Consol

  • REQUIRED – This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.
  • REQUISITE – This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, return control to the application.
  • SUFFICIENT – This LoginModule needs not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list
  • OPTIONAL – The user is allowed to pass or fail the authentication test of these Authentication providers. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.[4]

Now, we can focus on two important JAAS-tasks: authentication and authorization of users…[5]

References


[4] Oracle Fusion Middleware: Understanding Security for Oracle WebLogic Server 12c Release 1, (12.1.1), E24484-02, January 2012: http://docs.oracle.com/cd/E24329_01/web.1211/e24484.pdf

Folgen

Erhalte jeden neuen Beitrag in deinen Posteingang.

Schließe dich 27 Followern an