Web Services Security
OIPA uses JAX-WS for implementing Web Services. For securing web services, WS-Security standards are used to perform authentication and authorization against OIPA user accounts. The SOAP header carries the security credentials in a WS-Security UsernameToken. The password can be sent as a digest or as plain text.
The SOAP header with WS-Security would look like the following when a password digest is used:
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>username</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">passwordencrypted</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">kC5eI6iq8x17/qA3mzs6/g==</wsse:Nonce>
        <wsu:Created>2010-03-22T14:12:34.223Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <!-- request body omitted -->
  </soapenv:Body>
</soapenv:Envelope>
By default, starting with the 10.2.2.0 release, OIPA will not allow web services to be invoked with hashed passwords. To continue using PasswordDigest, the property webservice.allowHashedPassword should be set to Yes. See the System Properties document in OTN for further details.
For more information on the WS Security standard please refer to the website:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
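The UsernameToken profile defines PasswordDigest as Base64(SHA-1(nonce + created + password)), where the nonce is the raw bytes of the Base64 value and Created is the timestamp string. The example below, added here and not taken from OIPA or its documentation, builds a header in the shape shown above and then verifies it the way a receiving endpoint should: it recomputes the digest, rejects a Created timestamp outside a freshness window, and rejects a nonce it has already accepted (the replay check is what makes the nonce worthwhile). The user store, the five-minute window and the credentials are constructed for the example; OIPA authenticates against its own user accounts.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_envelope(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side: emit a SOAP envelope whose header carries a digest UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    if created is None:
        now = datetime.now(timezone.utc)
        created = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">
      <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="{WSU}">
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


class UsernameTokenVerifier:
    """Server side: validate a digest UsernameToken with freshness and replay checks."""

    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users = users          # constructed username -> password store
        self.max_skew = max_skew    # constructed freshness window
        self.seen_nonces = set()    # nonces accepted within the window (replay cache)

    def verify(self, envelope_xml: str, now: datetime = None) -> bool:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        token = root.find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return False
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_el = token.find(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        # Refuse anything that is not a complete digest token (plain text is a separate policy).
        if None in (username, pw_el, nonce_el, created) or pw_el.get("Type") != DIGEST_TYPE:
            return False
        if username not in self.users:
            return False
        # Freshness: Created must be within the allowed clock skew of the server's time.
        try:
            created_dt = datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - created_dt) > self.max_skew:
            return False
        # Replay: the same nonce is never accepted twice inside the window.
        nonce = base64.b64decode(nonce_el.text or "")
        if (username, nonce) in self.seen_nonces:
            return False
        expected = password_digest(nonce, created, self.users[username])
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False
        self.seen_nonces.add((username, nonce))
        return True


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    env = build_envelope("alice", "s3cret")
    print("first use accepted:", verifier.verify(env))
    print("replay accepted:", verifier.verify(env))
```

A production cache of seen nonces is bounded by the freshness window: entries older than max_skew can be evicted, since a token with such a Created value is rejected by the timestamp check anyway.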
Using Cookies in the OIPA application
The OIPA application is accessed by users through a Web Browser. Because OIPA uses session cookies to manage user sessions, cookies must be enabled in the browser. To allow the use of cookies in Internet Explorer, open the Privacy tab of the Internet Options dialog, then choose the Sites popup dialog and add the OIPA server address to the list of Allowed sites.
OIPA uses 'jSessionIDHeader' in the HTTP request header to manage data associated with the user's session. When a user first logs into the OIPA application successfully, the system creates a unique session ID and passes it to the browser. The browser stores this value as jSessionIDHeader and retains it for the duration of the session. When the user logs out or the session expires, the browser deletes this session ID. Requests that do not contain a valid session ID are not processed by the server.
If the application server is behind any HTTP proxy server, the HttpOnly and Secure flags must be enabled on the cookies. The purpose of the Secure flag is to prevent the cookie from being observed by unauthorized parties, which could otherwise happen when it is transmitted in clear text; HttpOnly keeps the cookie out of reach of client-side scripts.
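A quick way to confirm the flags described above is to inspect the Set-Cookie headers the server (or the proxy in front of it) actually returns. The following checker is an added example, not part of OIPA, that parses Set-Cookie header values and reports which session cookies are missing the Secure or HttpOnly attribute. The cookie name defaults to JSESSIONID (the Java EE container default); the page's own 'jSessionIDHeader' name, or any other, can be passed in. The header values are constructed for the example.

```python
def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes with no value map to True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(set_cookie_headers, session_cookie_names=("JSESSIONID",)):
    """Return [(cookie_name, [missing_flags])] for every session cookie seen.

    Only cookies whose name matches session_cookie_names (case-insensitive) are audited;
    other cookies are ignored. An empty missing list means both flags are present.
    """
    wanted = {n.lower() for n in session_cookie_names}
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in wanted:
            continue
        missing = [flag for flag in ("secure", "httponly") if attrs.get(flag) is not True]
        findings.append((name, missing))
    return findings


# Constructed Set-Cookie values standing in for a captured login response.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3D4; Path=/; HttpOnly; Secure",
    "jsessionid=E5F6A7B8; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_session_cookies(SAMPLE_HEADERS):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Run it against the headers from a real login response (for example, copied from the browser's network tools); any session cookie that shows up with a non-empty missing list should have the proxy or container configuration corrected before the deployment goes live.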
Additional Sources of Security Information
In addition to securing the OIPA application, all infrastructure resources that compose an OIPA environment (Linux/Windows servers, J2EE application servers and database servers) must be secured. The following list of links should be helpful when planning how to secure an OIPA environment.
Coherence 12.2.1.1 User Guide
http://docs.oracle.com/cd/E24290_01/index.htm
Securing Oracle Coherence 12.2.1.1
http://docs.oracle.com/cd/E16655_01/network.121/e17607.pdf
http://docs.oracle.com/cd/E16655_01/network.121/e17729/toc.htm
http://docs.oracle.com/cd/E16655_01/network.121/e17731.pdf
Microsoft SQL Server 2008 Database
http://www.microsoft.com/sqlserver/2008/en/us/Security.aspx
IBM DB2 10.5 Database
http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.kc.doc/welcome.html
Note: Search for "DB2 Security model" or "Security".
Microsoft Windows 2008 Server
http://www.microsoft.com/download/en/details.aspx?id=17606
Oracle WebLogic 12c J2EE Application Server