Category Archives: Enterprise Architecture (EA)

IT-Security: Part 1 to 5 as PDF file

Key words:IT-Security, Security Challenges, OPSS Architecture, WebLogic Server, JAAS, JAAS LoginModules, Authentication, Basic Authentication, Certificate Authentication, Digest Authentication, perimeter Authentication and Identity Assertion

Until now I have published five parts of a series of articles on IT-Security and Oracle Fusion Middleware:

  1. http://thecattlecrew.wordpress.com/2014/02/17/it-security-weblogic-server_1/
  2. http://thecattlecrew.wordpress.com/2014/03/05/it-security-part-2-weblogic-server-and-oracle-platform-security-services-opss-2/
  3. http://thecattlecrew.wordpress.com/2014/03/14/it-security-part-3-weblogic-server-and-java-security-features/
  4. http://thecattlecrew.wordpress.com/2014/06/05/it-security-weblogic-server-and-authentication-part-4/
  5. http://thecattlecrew.wordpress.com/2014/06/22/it-security-part-5-weblogic-server-perimeter-authentication-and-identity-assertion/

I’m going to continue the IT-Security’s articles and you can access to complete first five parts as PDF-file here:

WebLogic-Server_IT_Security_1til5

Advertisements

Orchestrierung der IT-Sicherheit: Wie sieht es mit der Oracle Fusion Middleware aus?

Es gab am 06. März 2014 in Hochschule für angewandte Wissenschaften München den DOAG Regionaltreffen München/Südbayern. Ich habe  dort einen Vortrag über „Orchestrierung der IT-Sicherheit: Wie sieht es mit der Oracle Fusion Middleware aus?“  gehalten. Hier finden Sie mein Abstract und meine Präsentation:
Orchestrierung ist eine riesige Symphonie verschiedenster Komponenten im IT-Bereich. Die Orchestrierung der IT-Sicherheit ist daher mehr als nur eine klassische administrative Aufgabe, die auf Netzwerkebene zu realisieren ist. IT-Sicherheit ist eine Herausforderung im Zeitalter des Cloud Computing, der veränderten Herausforderungen in einer verteilten, heterogenen und noch mehr komplexen IT-Welt.
In diesem Vortrag wird gezeigt, dass allein die traditionellen IT-Sicherheitsansätze und Maßnahmen nicht ausreichen, um neue technische aber auch organisatorische Fragen zu beantworten. Nach einer kurzen Einführung in die Problematik  werden Lösungsansätze von Oracle vorgestellt. Ein besonderer Fokus wird dabei auf Oracle WebLogic Server und Oracle Plattform Security Services (OPSS) gelegt.

Orchestrator_Security_V2.3_Kurz

IT-Security (Part 2): WebLogic Server and Oracle Platform Security Services (OPSS)

OPSS Architecture

As we discussed (http://modj.org/home/aktueles/it-security-weblogic-server-and-oracle-platform-security-services-opss/e17330b741d0e387ead1a36591466a7c.html), OPSS is Oracle proposals regarding enterprise security services. It is as a framework that provides a comprehensive set of security services. These services based on Java technologies and have a consistent approach for design and apply security policies to Java EE and resources. We look at OPSS architecture from two different perspectives, which are connected to each other very closely. I try to review the advantages of OPSS for developers and administrators from Application’s perspective and present the cooperating of technology components such as LDAP, Application Server and Oracle Fusion Middleware from Component’s perspective. Thereby, we can determine the main OPSS’s benefits that Oracle says:

  • Allows developers to focus on application and domain problems
  • Supports enterprise deployments
  • Supports several LDAP servers and SSO systems
  • Is certified on the Oracle WebLogic Server
  • Pre-integrates with Oracle products and technologies

Application’s point of view

Oracle Platform Security Services (OPSS) is both a security framework exposing security services and APIs, and a platform offering concrete implementation of security services. It includes these elements:

  • Common Security Services (CSS), the internal security framework on which Oracle WebLogic Server is based
  • Oracle Platform Services
  • User and Role APIs
  • Oracle Fusion Middleware Audit Framework

Figure 1 Application’s perspective  illustrations OPSS‘s architecture from application point of view. Such architecture allows OPSS to support different security and identity systems without changing the APIs. OPSS is integrated with Oracle Fusion Middleware‘s management tools to administrate and monitor the security policies implemented in the underlying identity management infrastructure.  Therefore, OFM technologies such as Oracle SOA, Oracle WebCenter Suite, Oracle Application Development Framework (ADF), Oracle Web Services Manager (OWSM) and… could use OPSS capacities.

OPSS offers abstraction layer APIs those isolate developers from security and identity management implementation details. In this way, developer can invoke the services provided by OPSS directly from the development environment (e.g. JDeveloper) using wizards. Admin can configure the services of OPSS into the WLS. As you see in Figure, the uppermost layer consists of Oracle WebLogic Server and the components and Java applications running on the server; below this is the API layer consisting of Authentication, Authorization, CSF (Credential Store Framework), and User and Role APIs, followed by the Service Provider Interface (SPI) layer and the service providers for authentication, authorization, and others. The final and bottom layer consists of repositories including LDAP and database servers.

 

Figure 1 Application's perspective

Figure 1 Application’s perspective

 

 

 OFM-Component’s point of view

Figure 2 OFM-Component’s perspective shows the various security components as layers. The top layer includes the OPSS security services; the next layer includes the service providers, and the bottom layer includes the OPSS security store with a repository of one of three kinds. OPSS provides auditing capabilities for components too.

The second layer [Security Services Provider Interface (SSPI)] has the capability that works with Java EE container security – named Java Authorization Contract for Containers (JACC) mode and in resource-based (non-JACC) mode, and resource-based authorization for the environment.

SSPI is a set of APIs for implementing pluggable security providers. A module implementing any of these interfaces can be plugged into SSPI to provide a particular type of security service. Therefore, OPSS has a consistent structure and is able to meet the requirements for integrating JEE Applications generally and specially OFM-Components and Oracle Security technologies, such as OAM, OID and so on.

 

Figure 2 OFM-Component's perspective

Figure 2 OFM-Component’s perspective

 

References

Oracle® Access Manager Integration Guide: http://docs.oracle.com/cd/E12530_01/oam.1014/e10356/weblogic.htm

IT-Security: WebLogic Server and Oracle Platform Security Services (OPSS)

IT security is popular in a way never known before! I love it!

If I discussed e.g. in a WebLogic Server workshop about that, I heard normally form administrators: That’s not my thing, forget it! But newly, everybody wants to know “how can we secure our data and our information?!”  To be honest, you need to detect your application server that you are using, and if you are not able to use WebLogic Server security features, then this could be your problem.

WebLogic Server uses a security architecture that provides a unique and secure foundation for applications that are available via the Web. It is designed for a flexible security infrastructure and enabled to response the security challenges on the Intra- and Internet. We are able to use security capacity of WebLogic Server as a standalone feature to secure WebLogic Server and/or as part of a corporation-wide, security management system.

Overview

In order to achieve a satisfactory level of security, we have to design an integrated security policy: from lack of resources till the increasing complexity of IT systems. The elementary principles in IT security are Confidentiality and/or privacy, availability and integrity. Confidentiality and/or privacy mean information that has to be protected against unauthorized disclosure. Availability means services; IT system functions and information must be available to users when they need it. Integrity means data must be complete and unaltered.  Therefore, we understand security policy as a policy that it covers protection objectives and broad-spectrum security measures in the sense of the acknowledged requirements of an organization.

Simple to say, security is the protection of information that needs to protected, from unauthorized access. IT security could be helped us through technology, processes, policies and training, so that we can be sure that data stored and secured in a computer or passed between computers is not compromised.  Therefor data encryption is the first step in the direction IT-Security. In order to access to specific resources, user needs to provide (normally) his user name and password. Data encryption is the transformation of data into a form that cannot be understood without decryption key(s).

Security Challenges

In a world that we used to work with distributed IT-landscape, we face to with different challenges, e.g. network-based Attacks, heterogeneity on application layer from user interface till to application.  It is really difficult to stay on a standard security level for all of team members of development team. We cannot awaiting all of application developers to be able develop solve the security challenges such as privacy, identity management, compliance, audit too.  Another area is interfaces between application server and backend database.

A simple case is presented on the following diagram: most applications are multi-tiered and distributed over several systems. A client invokes an application or sends a request to server. This case presents how many systems are in transaction involve.  We have to check all of critical points and interfaces: network-based attacks, user interface, application Server and so on.

Security_Challenges: Multi Tier environments

Security_Challenges: Multi Tier environments

On these grounds, we need to use an enterprise security framework that allows application developers to pick and choose from a full set of reusable and standards based security services that allow security, privacy, and audit. Oracle Platform Security Services (OPSS) is a security framework that runs on WebLogic Server and is available as part of WebLogic Server. It combines the security features of BEA‘s internal security (WLS + Oracle Entitlement Server (OES)) and the OAS (Hava Platform Security (JPS) – earlier JAZN) to provide application developers, system integrators, security administrators, and independent SW vendors with a comprehensive security platform framework for Java SE and Java EE applications. In this form, Oracle is able to suggest a uniform enterprise security policy and a self-contained and independent framework with Identity management and audit services across the enterprise. The heart of whole system beats on WebLogic Server.

WebLogic Server provides authentication, authorization, and encryption services with which you can guard these resources. These services cannot provide protection, however, from an intruder who gains access by discovering and exploiting a weakness in your deployment environment. Therefore, whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to contact an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements.

References

 

„Orchestrator“: IT-Paradigmenwechsel im Zeitalter des Cloud Computing

Es gab am 6. Juni in Mainz den DOAG 2013 IMC Summit, auf dem sich unter dem Motto „Infrastruktur meets Middleware“. Ich habe  dort einen Vortrag über „Orchestrator“: IT-Paradigmenwechsel im Zeitalter des Cloud Computing gehalten, dass ich als eine Erweiterung des „DevOps“-Konzepts betrachte. Hier finden Sie mein Abstract und meine Präsentation:

Orchestration ist eine riesige Symphonie verschiedenster Komponenten im IT-Bereich. Der „Orchestrator“ ist daher mehr als nur ein klassischer Administrator. Er ist eine neue Generation von Experten im Zeitalter des Cloud Computing, der veränderten Herausforderungen in einer verteilten, heterogenen und noch mehr komplexen IT-Welt gegenüber steht.

In diesem Vortrag wird gezeigt, dass allein die traditionellen IT-Ansätze und Maßnahmen nicht ausreichen, um neue technische aber auch organisatorische Fragen im IT-Bereich zu beantworten. Obwohl Experten von unterschiedlichen Perspektiven das Problem aus betrachten können, erreichen sie meistens eine gemeinsame Lösung: Orchestration!

Themen wie (HW und SW) Virtualization, Cloud Computing, SOA, etc. aber auch die Infrastruktur sind vom IT-Paradigmenwechsel betroffen.  Nach einer kurzen Einführung in die Problematik  werden verschiedene Lösungsansätze vorgestellt. Ein besonderer Fokus wird dabei auf die Herausforderungen und Solutions gelegt, welche sich aus der Sicht der IT-Infrastruktur ergeben.

Link zu meiner Präsentation:

http://modj.org/fileadmin/user_upload/Mohammad_Esad-Djou_Orchestrator_V1.pdf