
Service Integration 3-11

3.3.4 Security Levels

Oracle Service Bus provides the following types of security features:

■ Authentication
■ Identity assertion
■ Authorization
■ Auditing
■ Credential mapping

The following topics discuss the security features available in the Oracle Service Bus security model.

3.3.4.1 Inbound Security

Inbound security ensures that Oracle Service Bus proxy services handle only the requests that come from authorized clients. By default, any anonymous or authenticated user can connect to a proxy service. It can also ensure that no unauthorized user has viewed or modified the data as it was sent from the client.

Proxy services can have two types of clients: service consumers and other proxy services. Inbound security is set up when proxy services are created and is determined by varying security requirements. For outward-facing proxy services, which receive requests from service consumers, strict security requirements such as two-way SSL over HTTPS are used. For proxy services that are guaranteed to receive requests only from other Oracle Service Bus proxy services, less secure protocols are used.

If a proxy service uses public key infrastructure (PKI) technology for digital signatures, encryption, or SSL authentication, create a service key provider to provide private keys paired with certificates.

For each proxy service, the following inbound security checks can be configured:

■ Transport-level security: applies security checks as part of establishing a connection between a client and a proxy service. The security requirements that you can impose through transport-level security depend on the protocol that you configure the proxy service to use. For information about configuring transport-level security for each supported protocol, see Configuring Transport-Level Security. For more information, see Section 3.3.4.6, Transport-Level Security.

■ Custom authentication: for message-level security and client-specified custom authentication credentials for inbound transport-level and message-level requests. The custom authentication credentials can be in the form of a custom token, or a username and password. For more information, see Section 3.3.5, Custom Security Credentials.

■ Message-level security: for proxy services that are Web Services. This is part of the WS-Security specification. It applies security checks before processing a SOAP message or specific parts of a SOAP message. For more information, see Section 3.3.4.7, Message-Level Security.

3.3.4.2 Outbound Security