Oracle B2B Metadata

Introduction to Oracle B2B

Other security features include:

■ Transport protocol-based security for HTTP, FTP, and SMTP exchanges
■ Digital envelopes and certificates
■ Digital signatures for host and remote trading partners
■ Integration with Credential Store Framework for storing all passwords and security credentials
■ Secure HTTP using Secure Socket Layer (SSL)
■ Encrypted Key Store password for a host trading partner

See the following for more information about security:

■ Oracle Fusion Middleware Security Guide

1.4.1 Payload Obfuscation

Oracle B2B supports payload obfuscation before payloads are stored in the instance repository. The security infrastructure of Oracle Fusion Middleware is used to obfuscate, store, and retrieve the payloads, and to ensure that payloads in wire messages, business messages, and application messages are visible to authorized users only. The encryption algorithm cannot be specified. Keys are stored in the Credential Store.

At run time, the payload is obfuscated before it is stored in the instance repository. When this payload is retrieved from the instance store during processing, it is automatically unobfuscated so that the B2B engine processes it. Similarly, in the outbound direction, if payload obfuscation is required, then the payload is obfuscated before it is stored in the instance repository. If exchange-level encryption is specified, then the payload is encrypted using the specified encryption scheme before it is put on the wire.

Payload obfuscation can be configured in Oracle Enterprise Manager Fusion Middleware Control. See Oracle Fusion Middleware Administrator's Guide for Oracle SOA Suite and Oracle Business Process Management Suite and Appendix B, "Setting B2B Configuration Properties in Fusion Middleware Control," for more information.

When you enable payload obfuscation, consider the following:

■ Large payloads, as defined in the Large Payload Size parameter on the Configuration tab, are not obfuscated because they are stored in a directory on the file system rather than in the instance repository. Storing a large payload in the file system is a security risk.
■ The obfuscated payload can be accessed in the Oracle B2B interface only by authorized users who have access to the document type. The payload is unobfuscated and displayed in the interface for these authorized users. Other users cannot access the document type at all. Users can be provisioned to access document types. See Section 1.4.2, "Restricting Access to Document Types," for information about document-type provisioning.

Obfuscation is available for payloads that use multibyte characters, and is available for non-Oracle databases.

Note: Oracle B2B run time does not support the CLIENT-CERT authentication method. Therefore, B2B is not able to post to OAM-SSO protected URLs.
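Because large payloads bypass obfuscation and are written to the file system, file-system permissions on that directory are the remaining access control. The following is an added example, not Oracle code: it audits a directory for entries that accounts other than the owner can reach. The directory path is supplied by the operator, and the owner-only policy it checks is an assumption rather than an Oracle requirement.

```python
import os
import stat
import sys

# Permission bits that let anyone other than the owning account touch a payload.
OTHERS_MASK = stat.S_IRWXG | stat.S_IRWXO


def audit_payload_dir(root):
    """Return (path, octal_mode, reason) for every entry under root that the
    group or other users can reach. root is the large-payload directory; its
    location is site-specific and is passed in by the caller (assumption)."""
    findings = []

    def check(path):
        st = os.lstat(path)  # lstat: inspect a link itself, not its target
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            # A link can redirect payload reads or writes outside the directory.
            findings.append((path, oct(mode), "symbolic link"))
        elif mode & stat.S_IWOTH:
            findings.append((path, oct(mode), "world-writable"))
        elif mode & stat.S_IROTH:
            findings.append((path, oct(mode), "world-readable"))
        elif mode & OTHERS_MASK:
            findings.append((path, oct(mode), "group or other access"))

    check(root)
    # os.walk does not follow symbolic links, so the audit stays inside root.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            check(os.path.join(dirpath, name))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_payload_dir.py <large-payload-directory>")
    results = audit_payload_dir(sys.argv[1])
    for path, mode, reason in results:
        print(f"{mode:>6}  {reason:<22}  {path}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it reports any finding, so it can run as a scheduled check on the host that stores the payload files.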