Toolkit Architecture Overview of Oracle Security Developer Tools

1-10 Oracle Fusion Middleware Reference for Oracle Security Developer Tools

1.5 Federation

As global businesses strive for ever-closer relationships with suppliers and customers, they face challenges in creating more intimate, yet highly secure trading relationships. Parties conducting a business transaction must be certain of the identity of the person or agent with whom they are dealing; they must also be assured that the other has the authority to act on behalf of the business with whom the transaction is being conducted. Historically, in the course of doing business with partners, companies have resorted to acquiring names, responsibilities, and other pertinent information about all entities who might act on behalf of the partner company. With changing roles and responsibilities, and particularly in large enterprises, this can create significant logistical problems as the data quickly becomes very costly to maintain and manage. Besides complexity, other challenges include cost control, enabling secure access to resources for employees and customers, and regulatory compliance, among others. These requirements are driving the move toward Federated Identity Management, in which parties establish trust relationships that allow one party to recognize and rely upon security tokens issued by another party.

Key federation concepts include:

■ Principal - the key actor in a federated environment, being an entity that performs an authorized business task
■ Identity Provider - a service that authenticates a Principal’s identity
■ Service Provider - an entity that provides a service to a principal or another entity. For example, a travel agency can act as a Service Provider to a partner’s employees (principals).
■ Single Sign-on - the Principal’s ability to authenticate with one system entity (the Identity Provider), and have other entities (the Service Providers) honor that authentication

The Liberty Alliance is an open organization which establishes technology and business standards for Federated Identity Management to facilitate interoperable identity services.
To learn more about this topic, read the white paper Federated Identity Management, which is available on the Oracle Identity Federation page at http://www.oracle.com/technology/products/id_mgmt/osfs/index.html.

1.6 Overview of Oracle Security Developer Tools

This section provides an introduction to the Oracle Security Developer Tools, which are pure Java tools that enable you to implement a wide range of security tasks and projects.

1.6.1 Toolkit Architecture

It is useful to consider the tools in the toolkit as a whole, and then to look at functional subsets of tools for different applications.

Note: For additional information about the standards mentioned here, see Appendix A, References.

Overall Architecture

Figure 1–2 The Oracle Security Developer Tools

Figure 1–2 shows the components of the Oracle Security Developer Tools. Typically, a tool utilizes functions provided by the tool immediately below it in the stack. For example, the Oracle SAML tool leverages functions provided by the Oracle XML Security tool. Note that:

■ Conceptually, the tools can be considered to be arranged in layers with the fundamental building blocks at the bottom layer; each additional layer utilizes and builds upon the layer immediately below, to provide tools for specific security applications.
■ The figure is not intended as a hierarchy or sequence diagram. Rather, it illustrates the relationship among components and the progression from low-level tools to more specialized and application-specific components higher up the stack.

Oracle Crypto and Oracle Security Engine are the basic cryptographic tools of the set. The next layer consists of Oracle CMS for message syntax, Oracle XML Security for signature and encryption, and Oracle PKI SDK, which is a suite of PKI tools consisting of Oracle PKI LDAP SDK, Oracle PKI TSP SDK, Oracle PKI OCSP SDK, and Oracle PKI CMP SDK. Oracle SMIME exploits Oracle CMS to provide a toolset for secure e-mail. The next layer contains Oracle SAML and Oracle Liberty SDK, which provide structured assertion markup and federated identity management capabilities. Finally, Oracle Web Services Security provides web services security.
For a description of each tool, see these sections:

■ Oracle Crypto
■ Oracle Security Engine
■ Oracle CMS
■ Oracle SMIME
■ Oracle PKI SDK
■ Oracle XML Security
■ Oracle SAML
■ Oracle Web Services Security
■ Oracle Liberty SDK
■ Oracle XKMS

Tools for XML, SAML, and Web Services Security Applications

In addition to providing security for XML documents, the Oracle XML Security package provides the foundation for these components of the toolkit:

■ Oracle Web Services Security
■ Oracle SAML for developing SAML 1.0 and 2.0-compliant Java security services
■ Oracle Liberty SDK for single sign-on (SSO) and federated identity applications based on Liberty Alliance specifications

This graphic shows that Oracle SAML, Oracle Web Services Security, and Oracle Liberty tools are built on Oracle XML Security.

Note: A diagram like this is necessarily simplified; in practice the jar relationships between the Oracle Security Developer Tools are complex and dependent upon implementation details. For example, to use the SAML libraries, you actually need several components:

■ The Oracle XML Security library is needed, as SAML requires signatures.
■ Oracle Security Engine provides certificate and CRL management features.

See Figure 1–2, The Oracle Security Developer Tools for a more complete picture of dependencies. See the subsequent tool chapters in this guide for instructions on setting up the classpath for each tool, so that you have the correct environment for each type of application.

Tools for Public Key Cryptography (PKI) Applications

The Oracle PKI package consists of tools for working with digital certificates within an LDAP repository, for developing timestamp services conforming to RFC 3161, for OCSP messaging compliant with RFC 2560, and tools for the certificate management protocol (CMP) specification.
The Oracle PKI package also provides the foundation for Oracle XKMS, which enables you to develop XML transactions for digital signature processing. This graphic shows that Oracle’s XKMS tool is built on Oracle PKI tools, which consist of Oracle LDAP, Oracle TSP, Oracle OCSP, and Oracle CMP.

Tools for E-mail Security Applications

Oracle CMS provides tools for reading and writing CMS objects, as well as the foundation for the Oracle SMIME tools for e-mail security, including certificate parsing and verification, X.509 certificates, private key encryption, and related features. This graphic shows that Oracle’s SMIME tool is built on Oracle CMS.

Tools for Low-level Cryptographic Applications

Oracle Crypto provides a broad range of cryptographic algorithms, message digests, and MAC algorithms, as well as the basis for the Oracle Security Engine for X.509 certificates and CRL extensions. This graphic shows that Oracle’s Security Engine tool is built upon Oracle Crypto.

1.6.2 Supported Standards