
26 Working with Security

This chapter describes how to secure service endpoints for remote communication, and describes the application security context, which is used for passing authorization context from the source application to the target application through the AIA layer.

This chapter includes the following sections:

■ Section 26.1, Introduction to Oracle AIA Remote Security
■ Section 26.2, Implementing Security
■ Section 26.3, Security for Applications
■ Section 26.4, Deploying Security Policies
■ Section 26.5, Policy Naming Conventions
■ Section 26.6, How Does AIA Foundation Pack Help in Securing AIA Services?
■ Section 26.7, Application Security Context

26.1 Introduction to Oracle AIA Remote Security

By default, all Oracle AIA services are secured. All adapter-based services are security enabled using JNDI. All composite services and references that use SOAP over HTTP are secured using Oracle Web Services Manager (WSM). You can override the security if the delivered security is not sufficient for your use case.

26.1.1 Securing Service to Service Interaction

By securing service to service interaction, you:

■ Identify clients through authentication.
■ Secure messages through encryption.
■ Avoid message tampering with digital signatures.
■ Encrypt the channel through SSL.

Figure 26–1 illustrates the high-level security structure for AIA.

Figure 26–1 High-level Security Architecture

AIA recommends using Oracle WSM to configure Web service security in Oracle AIA. To enable security on an AIA service, you use Oracle WSM to assign the appropriate service policy. To call a secured service, you assign the appropriate client-side policy.

26.1.2 Oracle AIA Recommendations for Securing Services

AIA makes the following recommendations for securing services:

■ All Web Services must be secured. This includes:
  – AIA services such as Application Business Connector Services (ABCS), Enterprise Business Services (EBS), and Transport Adapter Services
  – Other application services hosted on Oracle Fusion Middleware
■ The standard installation should deploy the services with security policies applied.
■ In this release, the minimum protection provided by AIA services is authentication.
■ You should further harden the services with message protection in the production environment.

26.1.3 Introduction to Web Service Security Using Oracle Web Services Manager

Oracle Web Services Manager (WSM) security and management is integrated into the Oracle WebLogic Server.

For more information about Oracle Web Services Manager, see Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

AIA recommends decoupling security logic from service development by configuring Web service security declaratively using Oracle WSM during deployment. You should use Web service security rather than SSL unless you have a compelling reason, such as participating applications that do not support it.

In AIA, Oracle WSM is installed as part of SOA Suite, and there are delivered policies for the most commonly used security use cases. Oracle WSM has policies for adding a particular security function as a standalone or in combination with other security functions. The policies are globally attached to services with varying degrees of granularity, such as:

■ Domain - all services in a domain
■ Instance - all services in a WLS server instance
■ Based on SOA Composite name - all services in a composite

For a list of the delivered policies, see Predefined Policies in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
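The following is an added example, not code from the Oracle guide or from AIA. It models the three attachment granularities listed above and checks each service against the recommendations in Section 26.1.2 (authentication as the minimum, message protection in production). The service, domain, server and composite names are constructed, and the rule that the most specific matching scope is the effective one is an assumption of this sketch.

```python
# Added example: audit policy coverage against the AIA recommendations above.
# Service, domain, server and composite names are constructed sample data.
# Assumption: each policy set carries one security policy, and when several
# sets match a service the most specific scope is treated as effective.

# Predefined Oracle WSM service policies: (authenticates, protects message)
POLICY_TRAITS = {
    "oracle/wss_username_token_service_policy": (True, False),
    "oracle/wss11_message_protection_service_policy": (False, True),
    "oracle/wss11_saml_or_username_token_with_message_protection_service_policy": (True, True),
}
SCOPE_RANK = {"domain": 0, "instance": 1, "composite": 2}  # higher is more specific

POLICY_SETS = [  # constructed global attachments
    {"scope": "domain", "target": "soa_domain",
     "policy": "oracle/wss_username_token_service_policy"},
    {"scope": "instance", "target": "soa_server2",
     "policy": "oracle/wss11_message_protection_service_policy"},
    {"scope": "composite", "target": "OrderEBS",
     "policy": "oracle/wss11_saml_or_username_token_with_message_protection_service_policy"},
]
SERVICES = [  # constructed inventory
    {"name": "OrderEBS", "domain": "soa_domain", "instance": "soa_server1", "composite": "OrderEBS"},
    {"name": "CustomerABCS", "domain": "soa_domain", "instance": "soa_server1", "composite": "CustomerABCS"},
    {"name": "InvoiceAdapter", "domain": "soa_domain", "instance": "soa_server2", "composite": "InvoiceAdapter"},
    {"name": "LegacySvc", "domain": "test_domain", "instance": "test_server1", "composite": "LegacySvc"},
]

def effective_policy(service, policy_sets):
    """Policy URI from the most specific matching policy set, or None."""
    matches = [ps for ps in policy_sets if service[ps["scope"]] == ps["target"]]
    if not matches:
        return None
    return max(matches, key=lambda ps: SCOPE_RANK[ps["scope"]])["policy"]

def audit(services, policy_sets, production):
    """Map service name to a finding; services that meet the bar are omitted."""
    findings = {}
    for svc in services:
        authn, protected = POLICY_TRAITS.get(effective_policy(svc, policy_sets), (False, False))
        if not authn:
            findings[svc["name"]] = "no authentication policy"
        elif production and not protected:
            findings[svc["name"]] = "authentication only, add message protection"
    return findings

if __name__ == "__main__":
    for name, finding in audit(SERVICES, POLICY_SETS, production=True).items():
        print(f"{name}: {finding}")
```

In the sample data, the instance-level set on soa_server2 replaces the domain-level authentication policy for InvoiceAdapter, which is the kind of gap a coarse-to-fine attachment scheme can introduce and that this audit reports.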

26.2 Implementing Security