1 Overview of Web Services Security and Administration

Companies worldwide are actively deploying service-oriented architectures (SOA) using Web services, both in intranet and internet environments. While Web services offer many advantages over traditional alternatives (for example, distributed objects or custom software), deploying networks of interconnected Web services still presents key challenges, particularly in terms of security and administration.

This chapter provides an overview of Web services security and administration in Oracle Fusion Middleware 11g.

Web Services Security and Administration in Oracle Fusion Middleware 11g

The following highlights the main features of Oracle Fusion Middleware 11g Release 1 (11.1.1):

  • Oracle Web Services Manager (WSM) security and management has been completely redesigned and rearchitected. The previous release, Oracle WSM 10g, was delivered as a standalone product or as a component of the Oracle SOA Suite. In the 11g release, Oracle WSM has been integrated into the Oracle WebLogic Server. For complete details, see "Examining the Rearchitecture of Oracle WSM in Oracle Fusion Middleware".

  • Oracle Web services can be classified into the following categories:

    For more information about the two Web service categories and the types of Web services and clients in Oracle Fusion Middleware 11g, see Oracle Fusion Middleware Introducing Web Services.

  • To support the two categories, there are two types of policies that can be attached to Web services, as defined in the following table.

    Table 1-1 Types of Web Service Policies

    Type of Policy Description

    Oracle Web Services Manager (WSM) Policy

    Policy provided by the Oracle WSM.

    You can attach Oracle WSM policies to SOA, ADF, and WebCenter Web services. You can attach Oracle WSM security policies only to WebLogic JAX-WS Web services to interface with the SOA/ADF/WebCenter Web services, for example. (You cannot attach Oracle WSM policies to JAX-RPC Web services.)

    You manage Oracle WSM policies from Oracle Enterprise Manager Fusion Middleware Control.

    WebLogic Web Service Policy

    Policy provided by WebLogic Server. For more information about the WebLogic Web service policies, see Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server.

    A subset of WebLogic Web service policies interoperate with Oracle WSM policies. For more information, see "Interoperability with Oracle WebLogic Server 11g Web Service Security Environments".

    You manage WebLogic Web service policies from WebLogic Administration Console.


  • Application developers can use Oracle JDeveloper to leverage the security and management features of the Oracle WSM policy framework. For more information about attaching policies using Oracle JDeveloper, see the following sections:

  • System administrators can use the following tools to secure and administer Web services:

    • Oracle Enterprise Manager Fusion Middleware Control to secure and administer SOA, ADF, and WebCenter services and to monitor and test WebLogic (Java EE) Web services.

    • Oracle WebLogic Administration Console to secure and administer WebLogic (Java EE) Web services.

Web Service Security and Administration Tasks

The following provides an example of the tasks required to secure and administer Web services:

  • Deploy, configure, test, and monitor Web services.

  • Enable, publish, and register Web services.

  • Attach policies to secure and manage Web services and analyze policy usage.

  • Create new policies and assertion templates, and manage and configure existing policies.

  • Create custom assertions to meet the requirements of your application.

  • Manage policy lifecycle to transition from a test to production environment.

  • Manage your file-based and database stores in your development and production environments, respectively.

  • Test interoperability with other Web services.

  • Diagnose problems.

The steps to develop, secure, and administer Web services vary based on the Web service category in use. The following sections outline the steps required:

Securing and Administering SOA, ADF, and WebCenter Services

To secure and administer SOA, ADF, and WebCenter services:

Part II, "Basic Administration" and Part III, "Advanced Administration" describe how to secure and administer SOA, ADF, and WebCenter services in detail.

Securing and Administering WebLogic Web Services

To secure and administer WebLogic Web services:

  • At development time, application developers can attach security policies using Oracle JDeveloper or other IDE. For more information, see the following topics:

    • "Using Policies with Web Services" in the "Designing and Developing Applications" section of the Oracle JDeveloper online help.

    • "Using Oracle Web Service Security Policies" in Securing WebLogic Web Services for Oracle WebLogic Server

  • System administrators can use the following tools defined in Table 1-2 to secure and administer WebLogic Web services.

Table 1-2 Tools Used to Secure and Administer WebLogic Web Services

Use this tool . . . To perform the following tasks . . .

Oracle Enterprise Manager Fusion Middleware Control

Leverage Oracle WSM to perform the following tasks:

  • Enforce policies at runtime.

  • Test the WebLogic Web service.

  • Monitor the performance of WebLogic Web services.

For more information about Oracle WSM, see "Understanding Oracle WSM Policy Framework".

To access Oracle Enterprise Manager Fusion Middleware Control, see "Accessing Oracle Enterprise Manager Fusion Middleware Control".

For more information about Oracle Enterprise Manager Fusion Middleware Control, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide.

Note: The following features are not supported for WebLogic Web services in the 11g release:

  • Centralized policy management of Oracle WSM policies.

  • Ability to advertise policies.

  • WS-SecureConversation, WS-Trust, MTOM, WS-Addressing, WS-ReliableMessaging, or WS-AtomicTransaction policies.

  • Security and administration of JAX-RPC WebLogic Web services.

Oracle WebLogic Server Administration Console

Perform all of the tasks described in "Web Service Security and Administration Tasks" to secure and manage WebLogic Web services.

To access Oracle WebLogic Server Administration Console, see "Accessing Oracle WebLogic Administration Console".

For more information about using the Oracle WebLogic Server Administration Console to secure and administer WebLogic Web services, see "Web Services" in the Oracle WebLogic Server Administration Console Online Help.


Part IV, "WebLogic Web Service Administration" provides a roadmap for securing and administering WebLogic Web services.

Accessing the Security and Administration Tools

The following sections describe how to access the security and administration tools described in the previous sections.

Accessing Oracle Enterprise Manager Fusion Middleware Control

To access Oracle Enterprise Manager Fusion Middleware Control:

  1. Start the Oracle WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Administration Console Online Help.

  2. Open a supported Web browser and navigate to the following URL:

    http://hostname:port/em
    

    The Login page displays.

  3. Enter the username and password.

    The default user name for the administrator user is weblogic. This is the account you can use to log in to Fusion Middleware Control for the first time. The password is the one you supplied during the installation of Oracle Fusion Middleware.

  4. Click Login.

For more information, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in Oracle Fusion Middleware Administrator's Guide.

Accessing Oracle WebLogic Administration Console

To access Oracle WebLogic Administration Console:

  1. Start the Oracle WebLogic Server.

    For more information, see "Start and stop servers" in the Oracle WebLogic Administration Console Online Help.

  2. Open a supported Web browser and navigate to one of the following URLs:

    http://hostname:port/console
    https://hostname:port/console
    

    hostname specifies the DNS name or IP address of the Oracle WebLogic Administration Server and port specifies the address of the port on which the Oracle WebLogic Administration Server is listening for requests (7001 by default).

    Use https if you started the Oracle WebLogic Server using the Secure Sockets Layer (SSL).

    For a list of supported browsers, see System Requirements and Supported Platforms for Oracle WebLogic Server at: http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html.

    The Login page displays.

  3. Enter the username and password.

    You may have specified the username and password during the installation process. This may be the same username and password that you use to start the Oracle Administration Server. Or, a username that is granted one of the default global security roles.

  4. Click Log In.

For more information, see "Starting the Console" in the Oracle WebLogic Administration Console Online Help.